FORUMS
Remove All Ads from XDA

[MOD][HOW TO]Make your favorite kernel adbd insecure to run ADB as root on /system

2,357 posts
Thanks Meter: 5,572
 
By nijel8, Senior Member on 1st January 2014, 05:00 PM
Post Reply Email Thread
Note: Found out there is one small problem with this mode - "adb logcat" is not working. As a workaround run "adb shell su -c logcat"

The Problem:
I am a heavy ADB user (QtADB) and was having problems getting it to mount /system rw and pushing/editing files in real time. Had no problems doing all this by mounting /system in recovery but rebooting the phone just to make some system files changes is kind of inconvenient. So I did some research and found this:

Quote:
Originally Posted by HEXcube

The real reason behind adb root or insecure adb is the adb daemon in the device running at root permissions. In pre-Android 4.1 versions, this is usually decided by some initialisation script(like init.rc) at boot time. The script checks for value in default.prop,local.propand other environment variables.
If it finds build.prop,default.prop or local.prop property file with ro.secure=0 adbd is allowed to run as root. You'll get adb root and hence will be able to do commands like adb remount,adb root and adb shell's prompt'll be # by default. The user may be displayed as [email protected] or [email protected] adb GUIs like Android Commander and QtADB will get to work in Root mode.
But,if it's ro.secure=1, adb daemon is made to work in secure mode, and adb won't change to root mode on issuing adb root command. However, if su binary is present in $PATH, u can still call su command from adb shell. But, it's not enough for Android Commander to get Root Access. It is possible to attain adb root through any one of the following methods:
1.For CyanoGenMod based ROMs there is an option in Settings->Developer Settings->Root access to control root access. Choose ADB only or Apps and ADB in options to get adb root.
2.Else use adbd Insecure app by chainfire if you have a rooted device. This is useful, especially for Android 4.1+ devices.
3.Or, you may manually edit default.prop to set it's value to 0, but original default.prop will be restored from boot partition everytime you reboot(this is the reason why adb Insecure cannot permanently do adb root, though there is an option to repeat the rooting procedure everytime the device boots). This method is called temporary adb root. On pre-Android 4.0 ROMs default.prop file was located in / directory. I read that from Android 4.x this file is in ramdisk and so more difficult to edit. But Android 4.0 has local.prop which is easier to modify than default.prop( See method 5)
4.For permanent adb root, you'll have to extract boot.img, change default.prop, repack and then flash it back to device.
5. In Android 4.0 there's local.prop file in /data partition. Setting ro.secure=0 in this file will do adb root permanently. Else you can set another property ro.kernel.qemu=1 in the same file. But, this value makes the system think that it is running in an android emulator. Many exploits and root methods set this property temporarily to gain root. But, it may cause side effects if used permanently. Setting ro.secure=0 is recommended. Do this command in terminal app or adb shell:
echo ro.secure=0 >/data/local.prop
or you can manually copy a local.prop file with ro.secure=0 as it's content to /data.
6.Note that method 3,4 and 5 won't work in Android 4.0 Jelly Bean onwards. According to Dan Rosenburg(drjbliss in XDA),the researcher who discovered adb root emulator exploit and many other exploits, Jelly Bean doesn't parse any property files to set the ownership of adb daemon. The stock adbd will have to be replaced with an insecure one to gain adb root. But still,as adbd is located in /sbin whose contents are reloaded everytime on reboot from boot.img, it won't be permanent.
7. For permanent adb root, you may flash an insecure boot.img(one that contains and insecure adbd)
8. If you're really desperate and can't get adb root to work with any of the above methods use an exploit. Most of the adb based rooting methods utilise some exploit to make the adb daemon run as root. By studying the exploit and implementing it you could gain adb root atleast temporarily.I'm not recommending this method but as a last resort you could try them.
Acknowledgements: Thanks to Dan Rosenberg for explaining the reasons behind adb root, especially the one in Jelly Bean.

Original thread: Can't get ADB Root Access in certain ROMs?

So I desided to modify my favorite kernel img and give it a try. I used Imoseyon's leanKernel but it should work with any kernel.

How To:
1. Get Android Image Kitchen and extract it to your PC;
2. Open your_favorite_kernel.zip with 7zip and extract boot.img file to Android Image Kitchen folder;
3. Drag and Drop boot.img over unpackimg.bat. Kernel is unpacked and you will see 2 new folders - ramdisk and split_img;
4. Go to ramdisk folder and open default.prop file with text editor. This probably is not necessary but just in case change ro.secure and ro.adb.secure to 0 (zero):
Code:
ro.secure=0
ro.adb.secure=0
5. Get Chainfire's adbd Insecure v1.30, open it with 7zip, in assets folder you will see 3 .png files. Extract adbd.17.png to ramdisk\sbin folder;
6. Delete original kernel adbd file and rename adbd.17.png to adbd;
7. Go back to Android Image Kitchen folder and run repackimg.bat by just click on it. This will repack the modified kernel to image-new.img file ready for flashing;
8. Rename image-new.img to boot.img and replace the original one in your_favorite_kernel.zip by Drag and Drop in 7zip window;
9. Close 7zip, copy modified your_favorite_kernel.zip to /sdcard and flash it in recovery.
10. Enjoy ADB full root access for /system;

Warnings:

I can't guarantee 100% success with this mod. I did this only with leanKernel and it works great, Haven't tried any other kernels so I am note sure how all this will end up. IT CAN SOFT BRICK YOUR PHONE!!! Keep a copy of the original kernel on your /sdcard!!!

Doing this while trying to find the correct tools for proper repack of the modified kernel sometime I was ending up with the phone not booting to Android, goes straight to download mode. Don't panic... Just remove battery, place it back, hold Volume Up + Home + Power buttons booting to recovery. Flash the original kernel and you are back all good.

The usual stuff:

I AM NOT RESPONSIBLE FOR ANYTHING ... bla-bla-bla...

All the credits goes for the developers created the great tools used for this mod.

If you think it's useful fill free to say THEM and me thanks.
The Following 26 Users Say Thank You to nijel8 For This Useful Post: [ View ] Gift nijel8 Ad-Free
 
 
Modding.MyMind
10th January 2014, 06:31 AM |#2  
Guest
Thanks Meter: 0
 
More
@nijel8

Thanks for sharing this. I will test this out on my device. If successful I would like to share this over in the One SV forums.

I never even considered this idea smh lol.

Edit: confirmed working
The Following User Says Thank You to For This Useful Post: [ View ] Gift Ad-Free
3rd February 2014, 05:08 AM |#3  
Senior Member
Thanks Meter: 66
 
More
Thanks so much for sharing this. I too use adb a lot and need an insecure kernel.




Success. Nexus 5 and I changed Franco kernel to insecure.

Franco kernels used to be insecure but none thus far have been on the N5. Any reason behind this?
3rd February 2014, 08:58 PM |#4  
nijel8's Avatar
OP Senior Member
All over US
Thanks Meter: 5,572
 
Donate to Me
More
Quote:
Originally Posted by Fuzzy13

Thanks so much for sharing this. I too use adb a lot and need an insecure kernel.




Success. Nexus 5 and I changed Franco kernel to insecure.

Franco kernels used to be insecure but none thus far have been on the N5. Any reason behind this?

My guess is devs play it safe so average Joe don't mess with /system... ha-ha
btw is "adb logcat" working for you?
The Following User Says Thank You to nijel8 For This Useful Post: [ View ] Gift nijel8 Ad-Free
13th February 2014, 06:54 PM |#5  
bombadier's Avatar
Senior Member
Flag The Burgh
Thanks Meter: 3,008
 
Donate to Me
More
Only problem with the adbd from chainfires ADB Insecure is that it breaks adb wireless,any solution ?
23rd November 2015, 09:04 AM |#6  
Paschalis's Avatar
Senior Member
Thanks Meter: 51
 
Donate to Me
More
Quote:
Originally Posted by nijel8

Note: Found out there is one small problem with this mode - "adb logcat" is not working. As a workaround run "adb shell su -c logcat"

The Problem:
I am a heavy ADB user (QtADB) and was having problems getting it to mount /system rw and pushing/editing files in real time. Had no problems doing all this by mounting /system in recovery but rebooting the phone just to make some system files changes is kind of inconvenient. So I did some research and found this:



Original thread: Can't get ADB Root Access in certain ROMs?

So I desided to modify my favorite kernel img and give it a try. I used Imoseyon's leanKernel but it should work with any kernel.

How To:
1. Get Android Image Kitchen and extract it to your PC;
2. Open your_favorite_kernel.zip with 7zip and extract boot.img file to Android Image Kitchen folder;
3. Drag and Drop boot.img over unpackimg.bat. Kernel is unpacked and you will see 2 new folders - ramdisk and split_img;
4. Go to ramdisk folder and open default.prop file with text editor. This probably is not necessary but just in case change ro.secure and ro.adb.secure to 0 (zero):

Code:
ro.secure=0
ro.adb.secure=0
5. Get Chainfire's adbd Insecure v1.30, open it with 7zip, in assets folder you will see 3 .png files. Extract adbd.17.png to ramdisk\sbin folder;
6. Delete original kernel adbd file and rename adbd.17.png to adbd;
7. Go back to Android Image Kitchen folder and run repackimg.bat by just click on it. This will repack the modified kernel to image-new.img file ready for flashing;
8. Rename image-new.img to boot.img and replace the original one in your_favorite_kernel.zip by Drag and Drop in 7zip window;
9. Close 7zip, copy modified your_favorite_kernel.zip to /sdcard and flash it in recovery.
10. Enjoy ADB full root access for /system;

Warnings:

I can't guarantee 100% success with this mod. I did this only with leanKernel and it works great, Haven't tried any other kernels so I am note sure how all this will end up. IT CAN SOFT BRICK YOUR PHONE!!! Keep a copy of the original kernel on your /sdcard!!!

Doing this while trying to find the correct tools for proper repack of the modified kernel sometime I was ending up with the phone not booting to Android, goes straight to download mode. Don't panic... Just remove battery, place it back, hold Volume Up + Home + Power buttons booting to recovery. Flash the original kernel and you are back all good.

The usual stuff:

I AM NOT RESPONSIBLE FOR ANYTHING ... bla-bla-bla...

All the credits goes for the developers created the great tools used for this mod.

If you think it's useful fill free to say THEM and me thanks.



Some time ago I 've tried to do this for a Nexus6, running Marshmallow.
Android has tighten up security, so I got bootloops.

Anyone has managed to do this?

Thank you!
14th December 2015, 04:13 AM |#7  
Senior Member
Thanks Meter: 479
 
More
Quote:
Originally Posted by nijel8

Note: Found out there is one small problem with this mode - "adb logcat" is not working. As a workaround run "adb shell su -c logcat"

The Problem:
I am a heavy ADB user (QtADB) and was having problems getting it to mount /system rw and pushing/editing files in real time. Had no problems doing all this by mounting /system in recovery but rebooting the phone just to make some system files changes is kind of inconvenient. So I did some research and found this:



Original thread: Can't get ADB Root Access in certain ROMs?

So I desided to modify my favorite kernel img and give it a try. I used Imoseyon's leanKernel but it should work with any kernel.

How To:
1. Get Android Image Kitchen and extract it to your PC;
2. Open your_favorite_kernel.zip with 7zip and extract boot.img file to Android Image Kitchen folder;
3. Drag and Drop boot.img over unpackimg.bat. Kernel is unpacked and you will see 2 new folders - ramdisk and split_img;
4. Go to ramdisk folder and open default.prop file with text editor. This probably is not necessary but just in case change ro.secure and ro.adb.secure to 0 (zero):

Code:
ro.secure=0
ro.adb.secure=0
5. Get Chainfire's adbd Insecure v1.30, open it with 7zip, in assets folder you will see 3 .png files. Extract adbd.17.png to ramdisk\sbin folder;
6. Delete original kernel adbd file and rename adbd.17.png to adbd;
7. Go back to Android Image Kitchen folder and run repackimg.bat by just click on it. This will repack the modified kernel to image-new.img file ready for flashing;
8. Rename image-new.img to boot.img and replace the original one in your_favorite_kernel.zip by Drag and Drop in 7zip window;
9. Close 7zip, copy modified your_favorite_kernel.zip to /sdcard and flash it in recovery.
10. Enjoy ADB full root access for /system;

Warnings:

I can't guarantee 100% success with this mod. I did this only with leanKernel and it works great, Haven't tried any other kernels so I am note sure how all this will end up. IT CAN SOFT BRICK YOUR PHONE!!! Keep a copy of the original kernel on your /sdcard!!!

Doing this while trying to find the correct tools for proper repack of the modified kernel sometime I was ending up with the phone not booting to Android, goes straight to download mode. Don't panic... Just remove battery, place it back, hold Volume Up + Home + Power buttons booting to recovery. Flash the original kernel and you are back all good.

The usual stuff:

I AM NOT RESPONSIBLE FOR ANYTHING ... bla-bla-bla...

All the credits goes for the developers created the great tools used for this mod.

If you think it's useful fill free to say THEM and me thanks.

Can this work with Note 3 N900 (exynos kernel) sir? Or just only for snapdragon chipsrt kernel? Thanks sir!
7th December 2016, 05:13 AM |#8  
Senior Member
Thanks Meter: 60
 
Donate to Me
More
does this work on locked bootloader devices?
a custom kernel exists for my devices (G928A) with AdB Insecure , but its got a few qwirks that need worked out ( that require fully rooting the device )
all im looking for is insecure Adb, ( which I have tried to change ro.secure=0 and adb.secure=0 both with Echo commands in shell) for temporary adb root on the device

how did ManIT make his custom kernel undetectable/passable by the bootloader but with modifications?

if this will work ... then I will just edit an image pulled from the devices current boot.img and do the same adb insecure edit to the ramdisk.. to update the root flash kernel... shes a bit dated.... and there isn't one for marshmallow specific one yet.

I was also reading about a filler file due to block sizing when repacking the image ... so I created a copy file and edited the contents till it zipped back to within 1kb of data... will this be detected and flagged at boot?

help please
28th October 2018, 12:00 PM |#9  
Junior Member
Thanks Meter: 2
 
More
Great tutorial.
I did it by following the steps in your post.
Thank you for clear and precise explanation.
Post Reply Subscribe to Thread

Tags
adb, adbd, insecure, root, system

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes