[Root/Write Protection Bypass] MotoX (no unlock needed)


jcase

Retired Forum Moderator / Senior Recognized Develo
Feb 20, 2010
6,331
15,768
263
Sequim WA
The latest OTAs patch this exploit

The "Camera patch" patches the vulnerability we use to gain system user, and PwnMyMoto will no longer work on devices with this update.


Warning:
I will not be responsible for damage to your device(s) by using this exploit. Antivirus software and Play services will likely detect this as potentially malicious. It is an exploit, deal with it or don't use it. Do not mirror these applications without my permission!


Change Log:
1.4.3 detects failed su installation (0 size su) and allows reinstallation
1.4.1 adds reliability, and fixes issues for users when improper permissions are applied to su (Preventing updates).



PwnMyMoto is a replacement for my previously released MotoRoot. PwnMyMoto exploits three vulnerabilities to gain root access, then to gain write access to system. This is a traditional root, and doesn't use any 'hackery' to maintain su access, unlike MotoRoot.

First we use bug 9695860 (aka second masterkey) to gain system user, then we use a symlink attack to gain root access. After gaining root we exploit a flaw in the bootloader, allowing us to bypass the write protection applied to system. In the process we remove stock recovery, so OTAs will not be a worry.

Install PwnMyMoto by running:
adb install -r PwnMyMoto-<version and model go here>.apk

Then run PwnMyMoto. Depending on the current root status of your phone it will reboot 2 or 3 times; after the last reboot it will uninstall itself and su will be installed on the actual system partition. Please install SuperSU from the market after this step is done.

We have two (ok, more, but we're not going into that) boot modes. First is normal, which boots regular Android, and in this case boots with system write protected. Second is recovery mode, which normally boots recovery without write protection. Our exploit will hijack the recovery bootmode and boot Android without write protection.

After running this exploit, if you boot normally /system will be write protected. If you boot to "recovery", Android will boot without write protection. If you wish to edit system, you must boot into "recovery" to do so, any changes made will stick and will work in either bootmode. My suggestion is to make your changes in "recovery" and run the device day to day in normal mode, until we are certain "recovery" mode will be 100% stable for day to day use.

The exploit will uninstall itself after successful exploitation.

To see if write protection is applied, you can run:
adb shell getprop ro.boot.write_protect
If it returns '1' then write protection is applied to /system, if it returns '0' then no write protection has been applied.

In the future we will have a replacement recovery, but at this time it is still in development. Enjoy.
 

Attachments

  • PwnMyMoto-1.4.3-Movistar-IHateToolKits.apk
    309.2 KB · Views: 31,314
  • PwnMyMoto-1.4.3-Mexico-IHateToolKits.apk
    309.2 KB · Views: 19,978
  • PwnMyMoto-1.4.3-Brazil-IHateToolKits.apk
    309.2 KB · Views: 36,831
  • PwnMyMoto-1.4.3-Sprint-IHateToolKits.apk
    309.2 KB · Views: 16,824
  • PwnMyMoto-1.4.3-Rogers-IHateToolKits.apk
    309.2 KB · Views: 6,655
  • PwnMyMoto-1.4.3-Verizon-IHateToolKits.apk
    309.2 KB · Views: 71,024
  • PwnMyMoto-1.4.3-USCellular-IHateToolKits.apk
    309.2 KB · Views: 13,509
  • PwnMyMoto-1.4.3-TMobile-IHateToolKits.apk
    309.2 KB · Views: 12,396
  • PwnMyMoto-1.4.3-ATT-IHateToolKits.apk
    309.2 KB · Views: 43,904
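As an added example (not jcase's code and not part of PwnMyMoto), here is a POSIX shell script that runs the write-protection check from the post over adb and adds two checks a practitioner would want after rooting: that the su binary on /system is non-empty and setuid root (the failure modes named in the 1.4.3 and 1.4.1 change-log entries), and whether /system is currently mounted ro or rw. The parsers are separated from the adb calls so they can be run against captured output. The su path /system/xbin/su, the toolbox `ls -l` column layout (perms owner group size date time name, no link-count column) and the mount-state check are assumptions; the post itself only documents ro.boot.write_protect.

```shell
#!/bin/sh
# Added example (not jcase's code): post-root sanity checks for a PwnMyMoto'd
# Moto X over adb. Parsers are pure shell so they can be tested offline.
#
# Assumptions: Android 4.x toolbox `ls -l` format (perms owner group size
# date time name, no link-count column), su installed at /system/xbin/su,
# toolbox `mount` output (dev mountpoint fstype options 0 0).

SU_PATH=/system/xbin/su

# ro.boot.write_protect: 1 = /system write-protected (normal boot),
# 0 = not protected (the hijacked "recovery" boot).
wp_state() {
    case "$(printf '%s' "$1" | tr -d ' \r\n')" in
        1) echo protected ;;
        0) echo writable ;;
        *) echo unknown ;;
    esac
}

# One toolbox `ls -l` line for su -> ok | empty | badperms | missing | unknown
# "empty" is the 0-size su that 1.4.3 detects; "badperms" is a su that is
# not setuid root (the "improper permissions" failure mode from 1.4.1).
su_state() {
    line=$(printf '%s' "$1" | tr -d '\r')
    [ -z "$line" ] && { echo missing; return 0; }
    set -- $line
    perms=$1 owner=$2 size=$4
    case "$size" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    [ "$size" -eq 0 ] && { echo empty; return 0; }
    case "$perms" in -rws*) ;; *) echo badperms; return 0 ;; esac
    [ "$owner" = root ] || { echo badperms; return 0; }
    echo ok
}

# One line of `mount` output for /system -> ro | rw | unknown
mount_state() {
    set -- $(printf '%s' "$1" | tr -d '\r')
    opts=$4
    case ",$opts," in
        *,ro,*) echo ro ;;
        *,rw,*) echo rw ;;
        *) echo unknown ;;
    esac
}

# Run the checks against an attached device; skipped when adb or a device
# is absent so the script is safe to source or run anywhere.
report() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; nothing checked"; return 0
    fi
    state=$(adb get-state 2>/dev/null || true)
    [ "$state" = device ] || { echo "no device attached"; return 0; }
    wp=$(wp_state "$(adb shell getprop ro.boot.write_protect)")
    # adb shell on 4.x merges the device's stderr into stdout, so drop the
    # "No such file" line toolbox prints for a missing su.
    su_line=$(adb shell ls -l "$SU_PATH" | grep -v 'No such' || true)
    su=$(su_state "$su_line")
    mnt_line=$(adb shell mount | grep ' /system ' || true)
    mnt=$(mount_state "$mnt_line")
    echo "write_protect=$wp su=$su system_mount=$mnt"
    # /system is normally mounted read-only regardless of write_protect, so
    # in the "recovery" boot you still need `mount -o remount,rw /system`.
    case "$wp/$mnt" in
        writable/ro) echo "hint: write protection is off but /system is mounted ro; remount rw before editing" ;;
        protected/*) echo "hint: write protection is on; reboot to \"recovery\" to edit /system" ;;
    esac
}

report
```

Usage: `sh moto_check.sh` with the phone attached. A result of `write_protect=protected` means you are in the normal boot and edits to /system will not stick; `su=empty` or `su=badperms` is the condition the 1.4.3 reinstall path is meant to repair.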

jonathanphx1

Senior Member
Apr 7, 2010
1,216
970
0
You're the man, jcase, thanks a bunch. I still remember back to the Eris days when you Rick Rolled a bunch of us on a ROM you put out. Lol, thanks again for this exploit.

jonathanphx1
 

madquack

Senior Member
May 12, 2010
704
383
93
I am in no way trying to reverse engineer your tool, as I don't have a fraction of the knowledge required to do so; however, I am increasingly ripping apart things like this, similar to Dan Rosenberg's numerous tools. All I've got to say is dex2jar sucks donkey **** for helping me understand these things on a lower level!

The beer is flowing I hope everyone has a good night!

:good::beer:
 

Rask40

Senior Member
Aug 24, 2013
91
10
0
So for my stupid question of the day: how does one boot into recovery on this phone? Is it Power-Up or some other combination? Presuming I need to be in "recovery" to get Xposed to stick.

Answered my own question. Fastboot is Power-Down.
 

jcase

Retired Forum Moderator / Senior Recognized Develo
Feb 20, 2010
6,331
15,768
263
Sequim WA
I am in no way trying to reverse engineer your tool, as I don't have a fraction of the knowledge required to do so; however, I am increasingly ripping apart things like this, similar to Dan Rosenberg's numerous tools. All I've got to say is dex2jar sucks donkey **** for helping me understand these things on a lower level!

The beer is flowing I hope everyone has a good night!

:good::beer:

No obfuscation was done to the Dex, not hiding anything. Try smali

Sent from my GT-I9505G using XDA Premium 4 mobile app
 

rmead01

Senior Member
Sep 6, 2012
1,157
265
0
Installed no issues. This is fantastic. Just curious if there is a way to reverse it in case we needed to go to the stock recovery for any reason?

Sent from my XT1058 using xda app-developers app
 

bso44

Senior Member
Oct 2, 2010
3,405
853
243
Do we have to use adb to install this or can we use any method to put the apk on the sdcard and install it from there?
 

Verttex

Senior Member
Oct 12, 2012
293
122
0
Dallas
Thanks jcase, working great. Was a bit scared after the 3rd reboot that it was in a boot-loop, but it stopped and I haven't noticed any significant changes battery-, performance-, or screen-wise.
 

COLJ04

Senior Member
Aug 30, 2012
82
17
0
Also, guys, you can use Xposed to get an advanced boot menu and choose recovery, or use any of the boot apps to achieve this without the volume/power hassles.

Cole
Moto X+
 

thepolishguy

Senior Member
Dec 3, 2009
1,250
190
93
Ivanhoe CA
I used the thanks button. But I wanted to say thank you as well. Working great.

And for others - I did not uninstall RootMyMoto first. I just installed PwnMyMoto and it took care of the rest including uninstalling RootMyMoto.
 

htowngator

Senior Member
Mar 31, 2008
998
117
0
Thanks jcase, working great. Was a bit scared after the 3rd reboot that it was in a boot-loop, but it stopped and I haven't noticed any significant changes battery-, performance-, or screen-wise.

have you tried your fix yet for wireless tethering with the permanent write solution?
 

Top Liked Posts
    11
    Figure I should add that this does not allow usage of custom kernels at this time because everything is still signature checked.
    7
    Tutorial has been posted for those interested in keeping root.

    http://forum.xda-developers.com/showthread.php?p=46093725#post46093725
    7
    Any chance you can give a more detailed description of how to accomplish this. I understand most of it but have a few questions.

    1. what does "keep" root mean?
    2. will any root keeper app work or will I need to determine which ones perform what you have described?
    3. "executing the hidden su" will the app do this or can we just execute the su apk?
    4. how do we overwrite new recovery with new boot?
    5. what does copy boot over recovery again mean?
    6. what does unhiding/restoring root properly mean? I assume the app would be doing this portion.

    That's a lot of questions and I'm not to sure if this was a description of how I could do this or what the app will need to do but any more advice/explanation would be greatly appreciated.

    I figured this out last night and informed jcase about it. I'll be home in about an hour. I'll write a tutorial for it then.

    Sent from my XT1058 using XDA Premium 4 mobile app