[Root/Write Protection Bypass] Droid Ultra/Maxx/Mini

jcase

Retired Forum Moderator / Senior Recognized Developer
Warning:
I will not be responsible for damage to your device(s) by using this exploit. Antivirus software and Play services will likely detect this as potentially malicious. It is an exploit, deal with it or don't use it. Do not mirror these applications without my permission!


PwnMyMoto is a replacement for my previously released MotoRoot. PwnMyMoto exploits three vulnerabilities to gain root access, then to gain write access to system. This is a traditional root, and doesn't use any 'hackery' to maintain su access, unlike MotoRoot.

First we use bug 9695860 (aka second masterkey) to gain the system user, then it uses a symlink attack to gain root access. After gaining root we exploit a flaw in the bootloader, allowing us to bypass the write protection applied to system. In the process we remove stock recovery, so OTAs will not be a worry.

Install PwnMyMoto by running:
adb install -r PwnMyMoto-<version and model go here>.apk

Then run PwnMyMoto. Depending on the current root status of your phone it will reboot 2 or 3 times; after the last reboot it will uninstall itself and su will be installed on the actual system partition. Please install SuperSu from the market after this step is done.

We have two (ok, more, but we're not going into that) boot modes. First is normal, which boots regular Android, and in this case boots with system write protected. Second is recovery mode, which normally boots recovery without write protection. Our exploit will hijack the recovery boot mode and boot Android without write protection.

After running this exploit, if you boot normally /system will be write protected. If you boot to "recovery", Android will boot without write protection. If you wish to edit system, you must boot into "recovery" to do so; any changes made will stick and will work in either boot mode. My suggestion is to make your changes in "recovery" and run the device day to day in normal mode, until we are certain "recovery" mode will be 100% stable for day to day use.

The exploit will uninstall itself after successful exploitation.

To see if write protection is applied, you can run:
adb shell getprop ro.boot.write_protect
If it returns '1' then write protection is applied to /system; if it returns '0' then no write protection has been applied.

In the future we will have a replacement recovery, but at this time it is still in development. Enjoy.

Change Log:

1.4.3 - allows detection of a failed su installation (0-size su) and reinstallation.

1.4.1 - adds reliability and fixes issues for users when improper permissions are applied to su (preventing updates).

1.2 - Bug fix for devices which had received OTAs.

If you used 1.1 and have a problem with recovery coming back, run the following command:
adb shell su -c "dd if=/dev/block/platform/msm_sdcc.1/by-name/boot of=/dev/block/platform/msm_sdcc.1/by-name/recovery"

1.1 - initial release
 

Attachments

  • PwnMyMoto-1.4.3-Droid.apk (309.2 KB)

Dr. Carpenter

Member
OK, not sure what's going on now... The first time I ran it, the button said something like "Click to root"; this time it said "Boot into WP bypass". Hit it and same thing: back to the "no command" screen for a while and then a reboot. I was previously rooted, but based on the OP, that shouldn't make a difference. Back up now, and the app is still installed (it uninstalled the first time), and it still says the same thing.
 

mistermojorizin

Senior Member
If you are running into an issue where it is booting into normal recovery, come find me on IRC. I think 1.1 fixed the bug, but if it didn't I need to release 1.2.

First of all, thanks so much, and I apologize for the noob questions below, but I'd like some clarification if possible (perhaps a video would be helpful, like on your previous releases).

1) Does it matter which version of your moto root app and SU we are currently using?

2) What do you mean in the OP by normal mode and recovery mode? I mean I've used custom recovery and normal (adb) mode, but when you say "recovery mode" will have write access, does that mean you will have write access only while you are in recovery? I think it means that you get into the regular Android operating system (that is, adb), but through some extra boot/recovery step. This is confusing.

3) Which custom recovery is the stock recovery being replaced with?

4) How do we tell it to boot in "recovery mode" or "normal mode"?

5) Which version of SuperSU should we use? Is the regular one OK?

6) Which IRC are you referring to in the above quote?
 

jcase

Retired Forum Moderator / Senior Recognized Developer
Version 1.2 should work on devices that had taken the OTA, 1.1 didn't reflash the recovery partition with boot for them.

A manual fix for those that used 1.1 is a single command:

adb shell su -c "dd if=/dev/block/platform/msm_sdcc.1/by-name/boot of=/dev/block/platform/msm_sdcc.1/by-name/recovery"
 

bigv5150

Senior Member
So am I to understand that in order to install this apk you have to use adb? Because it doesn't install like a normal apk; it says that a signed version is already installed, which is the other apk, 1.1. If so this sucks, I nuked my computer last night, no adb. Will the 1.2 version allow me to install the apk normally over the 1.1?

Never mind, I see that it's 1.2 now, and it did install no problem and deleted itself and I have root. However, like mistermojo, I am confused as to how to get r/w. I know how to get into recovery, but once there do you just reboot and then you have r/w? A little clarification would be appreciated. Thank you for the exploit, and especially for it being an apk since my computer took a **** last night.
 

mbh87

Senior Member
So am I to understand that in order to install this apk you have to use adb? Because it doesn't install like a normal apk; it says that a signed version is already installed, which is the other apk, 1.1. If so this sucks, I nuked my computer last night, no adb. Will the 1.2 version allow me to install the apk normally over the 1.1?

Never mind, I see that it's 1.2 now, and it did install no problem and deleted itself and I have root. However, like mistermojo, I am confused as to how to get r/w. I know how to get into recovery, but once there do you just reboot and then you have r/w? A little clarification would be appreciated. Thank you for the exploit, and especially for it being an apk since my computer took a **** last night.

Ok, I can't get into stock recovery. When I get into fastboot and choose recovery it goes to a black screen like it is off. I can get back into fastboot or just boot the phone normally, but no recovery.

Recovery is overwritten with this method. Simply use an app that reboots to recovery and the phone will boot normally, only with write protection disabled.
 

asuhoops8628

Senior Member
Bigv

Power off your phone.

Press vol - and the power key at the same time for 3 secs and release.

You should be in fastboot. Press vol - until you highlight recovery.

Press vol + to select, and it boots to Android with write protect turned off.
 

bigv5150

Senior Member
Bigv

Power off your phone.

Press vol - and the power key at the same time for 3 secs and release.

You should be in fastboot. Press vol - until you highlight recovery.

Press vol + to select, and it boots to Android with write protect turned off.

Got it. My dumbass was pushing power, not +, and I was just turning the screen off, not rebooting into recovery or a normal power up. Thanks for the help. It sucks not being able to run adb to check for write permission, but I was able to modify the media file in the UI and change the effect tick, so I know it works.
 

theycallmerayj

Senior Member
First of all, thanks so much, and I apologize for the noob questions below, but I'd like some clarification if possible (perhaps a video would be helpful, like on your previous releases).

1) Does it matter which version of your moto root app and SU we are currently using?

2) What do you mean in the OP by normal mode and recovery mode? I mean I've used custom recovery and normal (adb) mode, but when you say "recovery mode" will have write access, does that mean you will have write access only while you are in recovery? I think it means that you get into the regular Android operating system (that is, adb), but through some extra boot/recovery step. This is confusing.

3) Which custom recovery is the stock recovery being replaced with?

4) How do we tell it to boot in "recovery mode" or "normal mode"?

5) Which version of SuperSU should we use? Is the regular one OK?

6) Which IRC are you referring to in the above quote?

Basically what is going on is: if you go to fastboot mode (vol - and power at the same time) you have the option to boot into recovery. However, it isn't actually booting into a normal or custom recovery where you can flash; it boots normally but has no write protection, so that you can write to the system. Then once you write, you can reboot normally. Is that correct, jcase?
 

Top Liked Posts

Dear People,

Stop taking OTAs to rooted devices unless you are sure of how to handle it. I'm getting 5-10 PMs, emails and tweets a day from people taking the OTA on rooted devices, then asking for help. It is time that is hard to spare.

Instead:

reflash factory firmware,
take the OTA,
re-root.

Will you please add a section below this on the front page to explain how to unroot, so everyone can take the OTA update? The web is lighting up with questions. When the OTA occurs it bootloops; a simple fix was to wipe Dalvik and cache to stop it from doing this. jcase, please add an unroot section below.

Unrooting is beyond the scope of this post; users should learn a) not to take OTAs to rooted devices and b) to do research themselves. If someone wants to link me to a comprehensive posting on returning to stock, I will add that to the post.

Wow, holy sh*t. People weren't kidding when they said the new Droids would be hard to crack. Thanks, some complicated stuff; I can't imagine how you guys cooked this up. Brilliant.

All packed into a single little button on an app :D It is actually ridiculously simple.

12.7.7 was the only update, and it wasn't an update for everyone; a lot of devices came with it.

Sent from my XT1080 using XDA Premium 4 mobile app
Is this the only way to get stock recovery back?

No, just flash the recovery image out of the stock firmware. This was taken from the stock firmware here: http://sbfdownload.droid-developers....X-160-OBK_TA-14-7-7-release-keys-CFC.xml.zip.