
[Hack] Root Phones ("exploit needless" method)

By Doc_cheilvenerdi.org, Senior Member on 25th November 2011, 10:21 PM


How I root any ROM on (almost?) any Android Phone


My phone simply needs to fulfill one requirement:

I MUST be able to flash the recovery.img standalone!


Chapter One: unpack, edit and repack recovery.img

I will use these Linux programs:

...the former splits the recovery.img into kernel and ramdisk...
...the latter repacks it all together...

...For example, I'll try these commands on a ClockworkMod recovery from an HTC Desire (I download 5.0.2.0-bravo from ClockworkMod)...

Linux Side:
Code:
[email protected] $ split_bootimg.pl recovery-clockwork-5.0.2.0-bravo.img
Page size: 2048 (0x00000800)
Kernel size: 1831224 (0x001bf138)
Ramdisk size: 1291948 (0x0013b6ac)
Second size: 0 (0x00000000)
Board name: 
Command line: no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5
Writing recovery-clockwork-5.0.2.0-bravo.img-kernel ... complete.
Writing recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz ... complete.
[email protected] $
I write down the parameters needed later on:
  • Page Size = 2048
  • Command line = 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5'

Hex-editing look at the recovery.img header:
Code:
[email protected] $ hexedit recovery-clockwork-5.0.2.0-bravo.img

00000000   41 4E 44 52  4F 49 44 21  38 F1 1B 00  00 80 00 20  ANDROID!8......
00000010   AC B6 13 00  00 00 00 21  00 00 00 00  00 00 F0 20  .......!.......
00000020   00 01 00 20  00 08 00 00  00 00 00 00  00 00 00 00  ... ............
00000030   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
00000040   6E 6F 5F 63  6F 6E 73 6F  6C 65 5F 73  75 73 70 65  no_console_suspe
00000050   6E 64 3D 31  20 6D 73 6D  73 64 63 63  5F 73 64 69  nd=1 msmsdcc_sdi
00000060   6F 69 72 71  3D 31 20 77  69 72 65 2E  73 65 61 72  oirq=1 wire.sear
00000070   63 68 5F 63  6F 75 6E 74  3D 35 00 00  00 00 00 00  ch_count=5......
I use the highlighted address, ordered as follows:
  • base = 0x20000000

Now I simply repack all together... just to check the new file against the old one:
Code:
[email protected] $ mkbootimg --kernel recovery-clockwork-5.0.2.0-bravo.img-kernel --ramdisk recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz --base 0x20000000 --pagesize 2048 --cmdline 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5' -o recovery_new.img
[email protected] $
[email protected] $ diff recovery-clockwork-5.0.2.0-bravo.img recovery_new.img 
[email protected] $
No warnings, binary files don't differ...


Editing ramdisk:
Code:
[email protected] $ mkdir ramdisk
[email protected] $ cd ramdisk/
[email protected] $ gunzip -c ../recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz | cpio -i
4294 blocks
[email protected] $ ls -l
totale 144
drwxrwx--x 2 doc doc  4096 23 nov 23.56 data
-rw-r--r-- 1 doc doc  2615 23 nov 23.56 default.prop
drwxr-xr-x 2 doc doc  4096 23 nov 23.56 dev
drwxr-xr-x 2 doc doc  4096 23 nov 23.56 etc
-rwxr-x--- 1 doc doc 94372 23 nov 23.56 init
-rwxr-x--- 1 doc doc   691 23 nov 23.56 init.rc
drwxr-xr-x 2 doc doc  4096 23 nov 23.56 proc
drwxr-xr-x 3 doc doc  4096 23 nov 23.56 res
drwxr-x--- 2 doc doc  4096 23 nov 23.56 sbin
drwxr-xr-x 2 doc doc  4096 23 nov 23.56 sys
drwxr-xr-x 3 doc doc  4096 23 nov 23.56 system
drwxr-xr-x 2 doc doc  4096 23 nov 23.56 tmp
-rw-r--r-- 1 doc doc     0 23 nov 23.56 ueventd.goldfish.rc
-rw-r--r-- 1 doc doc  4027 23 nov 23.56 ueventd.rc
[email protected] $
I'm going to modify one line of default.prop from
Code:
...
ro.secure=1
...
to
Code:
...
ro.secure=0
...
WARNING: ClockworkMod recoveries could already have ro.secure set to 0

Repack ramdisk:
Code:
[email protected] $ find . | cpio -o -H newc | gzip > ../recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz 
4295 blocks
[email protected] $ cd ..
[email protected] $
Repack recovery.img (as shown before):
Code:
[email protected] $ mkbootimg --kernel recovery-clockwork-5.0.2.0-bravo.img-kernel --ramdisk recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz --base 0x20000000 --pagesize 2048 --cmdline 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5' -o recovery_new.img
[email protected] $

Chapter Two: flash recovery.img to phone
I own a Samsung Galaxy Next, so I need to create an Odin-ready archive and so on...
Different phone brands need different flash methods, I bet...


Chapter Three: Rooting

I need the Android SDK and I try the Android Debug Bridge...

...on a non-rooted phone:
Code:
(i686) [email protected] $ adb shell
$ su
Permission denied
$
...and on a rooted one:
Code:
(i686) [email protected] $ adb shell
$ su
#
Now, starting the phone in recovery mode with ro.secure=0 and connecting with "adb shell", I find:
Code:
[email protected] $ adb shell
#
Already a root shell! No exploit needed!

Take a look at /system:
Code:
# mount
...
/dev/block/mmcblk0p3 /system ext4 rw,relatime,barrier=1,data=ordered 0 0
...
WOW! Already mounted "read-write"... (if not, I can easily remount it "rw"... I'm root!)


Now, having the su binary, Superuser.apk and busybox in the Linux working directory:

Linux side:
Code:
[email protected] $ adb push su /system/xbin
417 KB/s (22228 bytes in 0.051s)
[email protected] $ adb push su /system/bin
529 KB/s (22228 bytes in 0.041s)
[email protected] $ adb push busybox /system/xbin
5061 KB/s (1674712 bytes in 0.323s)
[email protected] $
Anyway, it would be better to make a backup of the old su binary before overwriting it (adb pull /system/bin/su su-old).

"adb shell":
Code:
# chown root.shell /system/bin/su
# chmod 06755 /system/bin/su
# chown root.shell /system/xbin/su
# chmod 06755 /system/xbin/su
# chmod 04755 /system/xbin/busybox
#
WARNING: ordered commands

Linux:
Code:
[email protected] $ adb push com.noshufou.android.su-1.apk /system/app/Superuser.apk
5198 KB/s (843503 bytes in 0.158s)
[email protected] $
"adb shell":
Code:
# chmod 644 /system/app/Superuser.apk
#




THAT'S ALL FOLKS!


reboot system now!

...

Code:
[email protected] $ adb shell
$ su
#
Enjoy!




...no exploit needed...
...
...Simply Linux Way of Hacking!...
The Following 7 Users Say Thank You to Doc_cheilvenerdi.org For This Useful Post
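As an added example (mine, not the OP's code), here is the same header read programmatically instead of by eye: it decodes the boot image header the hexedit dump shows, recovers page size, component sizes and cmdline (what split_bootimg.pl prints), derives the --base value as kernel_addr minus mkbootimg's default 0x8000 kernel offset, checks that the other addresses fit that single base, and computes where the kernel and ramdisk sit in the file. The header bytes are reconstructed from the dump above; the default component offsets are mkbootimg's, not stated in the post.

```python
import struct

# Legacy Android boot image header (bootimg.h), little-endian: magic, kernel_size,
# kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr,
# page_size, 2 unused words, 16-byte board name, 512-byte cmdline, 8-word id.
BOOT_HDR = struct.Struct("<8sIIIIIIIIII16s512s32s")
# mkbootimg puts each component at a fixed offset from --base, so base = kernel_addr - 0x8000.
KERNEL_OFF, RAMDISK_OFF, SECOND_OFF, TAGS_OFF = 0x00008000, 0x01000000, 0x00F00000, 0x00000100

def constructed_header() -> bytes:
    """First 0x80 bytes as the thread's hexedit dump shows them, zero-padded to the
    2048-byte header page (constructed sample, not the real image file)."""
    head = bytes.fromhex(
        "414E4452 4F494421 38F11B00 00800020"
        "ACB61300 00000021 00000000 0000F020"
        "00010020 00080000 00000000 00000000"
        "00000000 00000000 00000000 00000000"
    ) + b"no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5"
    return head.ljust(2048, b"\0")

def parse_boot_header(img: bytes) -> dict:
    """Decode the header and derive what split_bootimg.pl prints and mkbootimg needs."""
    (magic, ksz, kaddr, rsz, raddr, ssz, saddr, taddr, page, _u1, _u2,
     name, cmdline, _id) = BOOT_HDR.unpack_from(img, 0)
    if magic != b"ANDROID!":
        raise ValueError("not an Android boot image: magic %r" % magic)
    pages = lambda n: -(-n // page)          # size rounded up to whole pages
    base = kaddr - KERNEL_OFF
    return {
        "page_size": page, "kernel_size": ksz, "ramdisk_size": rsz, "second_size": ssz,
        "name": name.rstrip(b"\0").decode(), "cmdline": cmdline.rstrip(b"\0").decode(),
        "base": base,
        # the header fills page 0; kernel and ramdisk follow, each page-aligned
        "kernel_offset": page,
        "ramdisk_offset": page * (1 + pages(ksz)),
        # True only if the image used mkbootimg's default component offsets,
        # i.e. a single --base reproduces every address in the header
        "default_layout": (raddr, saddr, taddr)
                          == (base + RAMDISK_OFF, base + SECOND_OFF, base + TAGS_OFF),
    }

def mkbootimg_args(hdr: dict, kernel: str, ramdisk: str, out: str) -> list:
    """The mkbootimg command line the thread assembles by hand from the header."""
    return ["mkbootimg", "--kernel", kernel, "--ramdisk", ramdisk,
            "--base", "0x%08x" % hdr["base"], "--pagesize", str(hdr["page_size"]),
            "--cmdline", hdr["cmdline"], "-o", out]

if __name__ == "__main__":
    hdr = parse_boot_header(constructed_header())
    print(" ".join(mkbootimg_args(hdr, "recovery.img-kernel", "recovery.img-ramdisk.gz", "recovery_new.img")))
```

If default_layout comes back False, a bare --base will not reproduce the original addresses and the ramdisk/tags offsets have to be set explicitly, so compare the repacked file against the original as the post does.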
11th April 2012, 06:36 AM |#2 roofrider, Senior Member, Bangalore, IN
Doc,

I don't get any command line: ... in stock recovery/boot image.

Can I just edit the default.prop of the stock recovery img and flash it as PDA? Or as one package?
Also, does this not work when done to the boot.img?
11th April 2012, 09:02 PM |#3 Doc_cheilvenerdi.org (OP), Senior Member, Ferrara - Ravenna
Quote:
Originally Posted by roofrider

...I don't get any command line: ... in stock recovery/boot image.

Command Line is optional, and usually - for example - you don't get one on Samsung Galaxy phones... for the HTC used in the example, instead, there was one, needed to tune the boot parameters at runtime...

Quote:

Can I just edit the default.prop of the stock recovery img and flash it as PDA? Or as one package?

Surely you can! This thread is exactly what you said: "change one file in the stock recovery image"... all the rest is an explanation of how I did it...

Quote:

Also, does this not work when done to the boot.img?

Loud and clear! Boot works in the same way, but I prefer not to unsecure the system too much... because any app could gain root privileges without asking, whenever it wants...
...whilst I'm the only one who decides to enter Recovery Mode...
The Following 2 Users Say Thank You to Doc_cheilvenerdi.org For This Useful Post
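Added example (mine, not the OP's code) of the check a defender would run on a recovery or boot ramdisk before flashing it, or on one pulled from a device, given the concern raised above about ro.secure=0 in boot.img: it unpacks the gzip'd newc cpio archive that `find . | cpio -o -H newc | gzip` produces, reads default.prop and flags ro.secure=0, the setting that leaves adbd running as root. The ramdisk is built inline from a constructed default.prop; no real image is needed.

```python
import gzip

NEWC_MAGIC = b"070701"

def newc_entry(name: str, data: bytes, mode: int = 0o100644) -> bytes:
    """One record of a 'newc' cpio archive: 110-byte ASCII-hex header, NUL-terminated name, 4-byte padding."""
    nm = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
    fields = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0)
    rec = NEWC_MAGIC + b"".join(b"%08X" % v for v in fields) + nm
    rec += b"\0" * (-len(rec) % 4)
    return rec + data + b"\0" * (-len(data) % 4)

def iter_newc(blob: bytes):
    """Yield (name, mode, data) per member, stopping at the TRAILER!!! record."""
    pos = 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        data_off = pos + 110 + namesize
        data_off += -data_off % 4
        if name == "TRAILER!!!":
            return
        # `find .` names members "./default.prop"; strip the prefix for lookup
        yield (name[2:] if name.startswith("./") else name), f[1], blob[data_off:data_off + filesize]
        pos = data_off + filesize
        pos += -pos % 4

def parse_props(text: str) -> dict:
    """Android *.prop syntax: one key=value per line, '#' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip()
    return props

def audit_ramdisk(ramdisk_gz: bytes) -> dict:
    """Unpack the gzip'd cpio ramdisk; adbd_root is True when default.prop has ro.secure=0."""
    members = {n: d for n, _m, d in iter_newc(gzip.decompress(ramdisk_gz))}
    props = parse_props(members.get("default.prop", b"").decode())
    return {"props": props, "adbd_root": props.get("ro.secure") == "0"}

def build_sample_ramdisk(default_prop: bytes) -> bytes:
    """Constructed stand-in for recovery-...-ramdisk.gz holding only default.prop."""
    return gzip.compress(newc_entry("./default.prop", default_prop) + newc_entry("TRAILER!!!", b""))
```

Running audit_ramdisk over a real ramdisk.gz from split_bootimg.pl works the same way, since the thread's own repack command emits exactly this newc layout.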
14th September 2012, 07:24 AM |#4 XiR_, Junior Member
Hi.

Even though I can read in /tmp/recovery.log:
Code:
[property list]
ro.secure=0
ro.allow.mock.location=0
I get a normal user prompt on adb shell when the phone is booted in recovery.

So I guess I need some more tuning to make this work on a Samsung Galaxy Mini.

Thanks anyway. I've learnt how to build images with this post.
14th September 2012, 09:58 PM |#5 Doc_cheilvenerdi.org (OP), Senior Member, Ferrara - Ravenna
Galaxy Mini too!
Quote:
Originally Posted by XiR_

Hi.

Even though I can read in /tmp/recovery.log:

Code:
[property list]
ro.secure=0
ro.allow.mock.location=0
I get a normal user prompt on adb shell when the phone is booted in recovery.

So I guess I need some more tuning to make this work on a Samsung Galaxy Mini.

Thanks anyway. I've learnt how to build images with this post.

I own a Galaxy Mini too and I just got the same issue while testing Gingerbread 2.3.6 S5570XWKTN; my previous release was S5570XIKQC (2.3.4), where I got easy superuser rights on connection...

Maybe there is something more to check for...

Actually I have two simple workarounds to root the working system anyway, as explained above:
  1. I flash an old recovery (2.3.4)! No real need to bump to 2.3.6 other than "on working system" (here is mine: CODE_S5570XIKQC_recovery.tar.md5)
  2. I flash (my current option) a CWM-based recovery (here is mine, freshly compiled from Mebitek's Cyanogen 7.2 Unofficial source: CODE_S5570CYANO_recovery.tar.md5 - CWM 5.0.2.8)



2.3.6 XWKTN
Testing GB 2.3.6 XWKTN I got another unusual issue (unconfirmed on the network...):
After root, when I power on the phone I find the binaries

/system/xbin/su
/system/xbin/busybox

always deleted...

I worked around it by modifying the boot image:

I changed the permissions of the /sbin folder

Code:
# ls -l /
...
drwxr-xr-x    2 root     root             0 Jan  1  1970 sbin
...
to give every user "exec rights" on it, then I put both binaries there!

Eh eh... I know that the system PATH looks there first for commands:
Code:
# set | grep ^PATH
PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
#


Last:
I also put the latest "su" binary (source from GitHub) in the 2.3.6 recovery's /sbin folder...
On execution I get "SegFault", but root privileges anyway:
Code:
$ su
Segmentation Fault
#
...amazing...
The Following User Says Thank You to Doc_cheilvenerdi.org For This Useful Post