
20 minutes about rooting Android


A few words about rooting Android, paying tribute to old school hackers: Towelroot, Rage Against The Cage, and rooting the G1 by just typing the right command on the keyboard.


Aleksander Piotrowski

November 28, 2015

Transcript

  1. 20 minutes about rooting Android devices
     Paying tribute to old school hackers
     Aleksander Piotrowski @pelotasplus
  2. Why root your device?
  3. None
  4. Why root your device?
     • su
       ◦ superuser
       ◦ superSu
     • custom recovery
       ◦ twrp, clockworkmod recovery
     • ...
  5. Why root your device?
     • ...
     • install a full Linux distribution, i.e. Debian
     • install an Android build from AOSP
     • customize the boot image
     • create full backups
     • create custom ROMs
     • install apps on the SD card
     • use the phone as a tether or wireless router
  6. The process - nowadays
  7. The process - nowadays
     • fastboot oem unlock
     • flash boot and other (recovery) images
     • flash su
     • reboot ;-)
  8. CF-(Auto-)Root
  9. Jorrit Jongma
     • @ChainfireXDA
     • Netherlands
     • superSU
     • thousands of pet projects
  10. CF-Auto-Root
     • stock firmwares
     • just adds su
     • a bit more in the non-Auto version
  11. CF-Auto-Root
     • crafted boot image
     • user has to unlock the bootloader
     • and install the new boot image
     • after starting with the crafted boot image, some files are changed
       ◦ SELinux policies
       ◦ su
     • recovery is not changed
  12. None
  13. None
  14. None
  15. The process - back in the day
  16. The process - back in the day
     • find a bug in the kernel
     • … or in Android itself
     • write an exploit, so that it can ...
     • flash a custom recovery image
     • install the su binary
  17. Rooting G1
  18. Koushik Dutta
     • https://twitter.com/koush
     • gplus.to/koush
     • USA
     • ClockworkMod & cyanogenmod
     • DeskSMS
     • Vysor
     • ion
     • AndroidAsync
     • ~ 11/2008
  19. None
  20. Rooting G1 with … a keyboard
     • an old enough firmware version was needed
     • but it could easily be flashed back if the phone had a newer one
     • start the phone, and…
     • … type in: <enter> <enter> t e l n e t d
     • a telnet daemon was just started
     • connect to it using a terminal program from the Market
  21. Rage Against The Cage
  22. Sebastian Krahmer
     • http://c-skills.blogspot.com/
     • Switzerland
     • hacks everything
     • likes Miguel de Icaza ;-)
     • Aug, 2010
  23. None
  24. Fork bomb
  25. Fork bomb
     • DoS attack
     • a process continually replicates itself to deplete available system resources, causing resource starvation and slowing or crashing the system
     • in 1978 an early variant of a fork bomb called wabbit was reported to run on a System/360
     • earlier, in 1969, a program called RABBITS was reported on a Burroughs 5500
  26. 1978 System/360
  27. Burroughs 5500 1969
  28. Rooting Android with … adbd
     [diagram: adb on the notebook talking over usb / tcp/ip to adbd on the phone; labels "as root" and "fork"]
  29. The old adbd code, not checking the return values:

     ```c
     /* don't listen on a port (default 5037) and don't
        run as root if we are running in secure mode */
     if (secure) {
         ...
         /* then switch user and group to "shell" */
         setgid(AID_SHELL);
         setuid(AID_SHELL);
         ...
     }
     ```
  30. Rooting Android with … adbd
     • setuid drops the root process count
     • and increases the shell user count
     • all within the Android process limit RLIMIT_NPROC
     • spawn many shell user processes to reach the limit
     • and then do yet another adb call
     • … to see setuid failing
     • and adbd being run as the root user
  31. The fixed adbd code, aborting when the privilege drop fails:

     ```c
     /* don't listen on a port (default 5037) and don't
        run as root if we are running in secure mode */
     if (should_drop_privileges()) {
         drop_capabilities_bounding_set_if_needed();
         /* then switch user and group to "shell" */
         if (setgid(AID_SHELL) != 0) {
             PLOG(FATAL) << "Could not setgid";
         }
         if (setuid(AID_SHELL) != 0) {
             PLOG(FATAL) << "Could not setuid";
         }
     }
     ```
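The two privilege-drop patterns from slides 29 and 31, side by side in a stand-alone C program; this is an added example, not code from the deck or from AOSP. The functions `drop_privileges_unchecked` and `drop_privileges_checked` are hypothetical names, and `AID_SHELL` is hard-coded to 2000 (the value AOSP assigns to the shell user) so the program builds without Android headers.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Android's AID_SHELL uid/gid (2000 in AOSP's android_filesystem_config.h),
 * hard-coded here so the example builds stand-alone. */
#define AID_SHELL 2000

/* The old adbd pattern (slide 29): call setgid/setuid and carry on.
 * Returns the effective uid the process actually ends up with, which is
 * still the caller's uid whenever setuid() failed. */
static uid_t drop_privileges_unchecked(uid_t target)
{
    (void)setgid((gid_t)target); /* return values deliberately ignored */
    (void)setuid(target);
    return geteuid();
}

/* The hardened pattern (slide 31): fail closed on either error.
 * setuid(2) fails with EPERM when the caller lacks CAP_SETUID and, on
 * kernels of the Rage Against The Cage era, with EAGAIN when the target
 * uid already sits at its RLIMIT_NPROC limit (later kernels defer that
 * failure to execve). Returns 0 on success, -1 with *err set otherwise. */
static int drop_privileges_checked(uid_t target, int *err)
{
    *err = 0;
    if (setgid((gid_t)target) != 0 || setuid(target) != 0) {
        *err = errno;
        return -1;
    }
    /* Confirm the credentials really changed before doing anything else. */
    if (geteuid() != target || getegid() != (gid_t)target) {
        *err = EAGAIN;
        return -1;
    }
    return 0;
}

int main(void)
{
    int err = 0;
    if (drop_privileges_checked(AID_SHELL, &err) != 0) {
        fprintf(stderr, "privilege drop failed (errno %d), still uid %u\n",
                err, (unsigned)geteuid());
        return 1; /* the fixed adbd aborts here rather than serving as root */
    }
    printf("now running as uid %u\n", (unsigned)geteuid());
    return 0;
}
```

Run as an unprivileged user the checked variant reports the failure and exits, while the unchecked variant silently keeps the caller's uid, which is exactly the state the old adbd ended up serving from.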
  32. Towelroot
  33. George Hotz
     • @geohot__
     • on his plate
       ◦ iPhone 2007
       ◦ PlayStation 2009
       ◦ Android 2014
     • built around a kernel bug discovered by Pinkie Pie
     • one-click root tool
     • Jun, 2014
  34. None
  35. None
  36. http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/
     http://static.lwn.net/images/conf/rtlws11/papers/proc/p10.pdf
  37. None
  38. None
  39. The kernel fix in futex_requeue:

     ```c
     static int futex_requeue(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2,
                              int nr_wake, int nr_requeue, u32 *cmpval, int requeue_pi)
     {
         union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
         int drop_count = 0, task_count = 0, ret;
         struct futex_pi_state *pi_state = NULL;
         struct futex_hash_bucket *hb1, *hb2;
         struct futex_q *this, *next;

         if (requeue_pi) {
             /*
     +        * Requeue PI only works on two distinct uaddrs. This
     +        * check is only valid for private futexes. See below.
     +        */
     +       if (uaddr1 == uaddr2)
     +           return -EINVAL;
     ```
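     Review bot: the added `if (uaddr1 == uaddr2) return -EINVAL;` rejects a requeue-PI call on a single user address, but the new comment itself says this check "is only valid for private futexes. See below", so the excerpt shown here is only the first half of the fix; for shared futexes two distinct user addresses can resolve to the same futex key, and the key comparison the comment points to is not on this slide, so the slide should not be read as the complete patch.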
  40. Towelroot
     • kernel bug
     • a super smart guy found a super smart way to exploit it
     • some structure in the kernel that we can tweak a bit
     • a syscall to connect kernel space with userland
     • a payload to be executed