
20 minutes about rooting Android

A few words about rooting Android, paying tribute to old-school hackers: Towelroot, Rage Against The Cage, and rooting the G1 by just typing the right command on the keyboard.

Aleksander Piotrowski

November 28, 2015

Transcript

  1. 20 minutes about rooting Android devices
     Paying tribute to old school hackers
     Aleksander Piotrowski @pelotasplus
  2. Why to root your device?
     • su
       ◦ superuser
       ◦ superSu
     • custom recovery
       ◦ twrp, clockworkmod recovery
     • ...
  3. Why to root your device?
     • ...
     • install a full Linux distribution, e.g. Debian
     • install an Android build from AOSP
     • customize the boot image
     • create full backups
     • create custom ROMs
     • install apps on the SD card
     • use the phone as a tether or wireless router
  4. The process - nowadays
     • fastboot oem unlock
     • flash boot and other (recovery) images
     • flash su
     • reboot ;-)
  5. CF-Auto-Root
     • crafted boot image
     • user has to unlock the bootloader
     • and install the new boot image
     • after starting with the crafted boot image
     • some files are changed
       ◦ SELinux policies
       ◦ su
     • recovery is not changed
  6. The process - back in the day
     • find a bug in the kernel
     • … or in Android itself
     • write an exploit, so that it can ...
     • flash a custom recovery image
     • install the su binary
  7. Koushik Dutta, ~ 11/2008
     • https://twitter.com/koush
     • gplus.to/koush
     • USA
     • ClockworkMod & cyanogenmod
     • DeskSMS
     • Vysor
     • ion
     • AndroidAsync
  8. Rooting G1 with … a keyboard
     • an old enough version was needed
     • but it can easily be flashed back if you have a newer one
     • start the phone, and…
     • … type in: <enter> <enter> t e l n e t d
     • the telnet daemon was just started
     • can connect using a terminal program from Market
  9. Fork bomb
     • DoS attack
     • a process continually replicates itself to deplete available system resources, causing resource starvation and slowing or crashing the system
     • in 1978 an early variant of a fork bomb called wabbit was reported to run on a System/360
     • earlier, in 1969, a RABBITS program was reported on a Burroughs 5500
  10. /* don't listen on a port (default 5037) and don't
       * run as root if we are running in secure mode */
      if (secure) {
          ...
          /* then switch user and group to "shell" */
          setgid(AID_SHELL);
          setuid(AID_SHELL);
          ...
      }
      (not checking return value)
  11. Rooting Android with … adbd
      • setuid drops the root process count
      • and increases the shell user count
      • all that within the Android process limit RLIMIT_NPROC (enforced per user id)
      • spawn many shell user processes to reach the limit
      • and then do yet another adb call
      • … to see setuid failing
      • and adbd being run as root user
  12. /* don't listen on a port (default 5037) and don't
       * run as root if we are running in secure mode */
      if (should_drop_privileges()) {
          drop_capabilities_bounding_set_if_needed();
          /* then switch user and group to "shell" */
          if (setgid(AID_SHELL) != 0) {
              PLOG(FATAL) << "Could not setgid";
          }
          if (setuid(AID_SHELL) != 0) {
              PLOG(FATAL) << "Could not setuid";
          }
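The two adbd snippets on slides 10 and 12 come down to one rule: a privilege drop is only a drop if the calls that perform it are checked, and slides 9 and 11 explain why they can fail at all (the per-user process limit RLIMIT_NPROC). The block below is an added example written for this page, not code from adbd or from the deck. It shows a checked privilege drop that also verifies the resulting identity, plus a helper that lowers this process's own soft RLIMIT_NPROC so that the kernel refuses a new process for the user (fork() returns EAGAIN), the same per-user limit that made setuid() fail on the kernels of the Rage Against The Cage era. The function names drop_privileges and fork_refused_at_nproc_limit are my own.

```c
/* Added example for this page, not adbd code. Demonstrates:
 *  1. a privilege drop that treats a failed setgid()/setuid() as fatal and
 *     verifies the resulting identity, instead of ignoring the return values
 *     as the old adbd did;
 *  2. the per-user process limit RLIMIT_NPROC being hit: fork() fails with
 *     EAGAIN once the user's process count is at the limit. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 with errno set on
 * failure. A root daemon would also clear supplementary groups with
 * setgroups() before this (left out so the example runs unprivileged). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first: after setuid() to a non-root uid, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    /* setuid() can fail: EPERM when not allowed, and on kernels before 3.1
     * EAGAIN when the target uid is already at RLIMIT_NPROC (the adbd case;
     * since 3.1 that check happens in execve() instead). Either way the
     * process is still the old user, so the result must never be ignored. */
    if (setuid(uid) != 0)
        return -1;
    /* Do not trust the return values alone: confirm real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Lower this process's soft RLIMIT_NPROC to 1 (this process already counts
 * against it) and try to fork. Returns 1 if fork() was refused with EAGAIN,
 * 0 if a child was created anyway, -1 if the limit could not be set.
 * Root (and CAP_SYS_RESOURCE holders) are exempt from RLIMIT_NPROC, so as
 * root this returns 0 or -1, never 1. */
int fork_refused_at_nproc_limit(void)
{
    struct rlimit old, tight;
    if (getrlimit(RLIMIT_NPROC, &old) != 0)
        return -1;
    tight.rlim_cur = 1;            /* soft limit: can be raised back later */
    tight.rlim_max = old.rlim_max; /* never lower the hard limit */
    if (setrlimit(RLIMIT_NPROC, &tight) != 0)
        return -1;

    pid_t pid = fork();
    int saved_errno = errno;
    if (pid == 0)
        _exit(0);                  /* child: nothing to do */
    if (pid > 0)
        waitpid(pid, NULL, 0);

    setrlimit(RLIMIT_NPROC, &old); /* restore the original soft limit */
    return (pid == -1 && saved_errno == EAGAIN) ? 1 : 0;
}

int main(void)
{
    int r = fork_refused_at_nproc_limit();
    printf("fork at RLIMIT_NPROC: %s\n",
           r == 1 ? "refused (EAGAIN)" : r == 0 ? "allowed" : "limit not set");

    /* Drop to our own ids: always permitted, so this succeeds. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    /* Switching to root from an unprivileged process must fail; a daemon
     * that ignored this result would keep running as whatever it was. */
    if (geteuid() != 0 && drop_privileges(0, 0) == 0) {
        fprintf(stderr, "unexpectedly became root\n");
        return 1;
    }
    printf("privilege drop checked: uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run it as an ordinary user to see fork() refused at the lowered limit; run it as root and the limit is bypassed, which is why the limit protects against a runaway user but not against a daemon that forgot to drop root in the first place.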
  13. George Hotz, Jun, 2014
      • @geohot__
      • on his plate
        ◦ iPhone 2007
        ◦ PlayStation 2009
        ◦ Android 2014
      • around a kernel bug discovered by Pinkie Pie
      • one-click root tool
  14. static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
                               u32 __user *uaddr2, int nr_wake, int nr_requeue,
                               u32 *cmpval, int requeue_pi)
      {
          union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT;
          int drop_count = 0, task_count = 0, ret;
          struct futex_pi_state *pi_state = NULL;
          struct futex_hash_bucket *hb1, *hb2;
          struct futex_q *this, *next;

          if (requeue_pi) {
              /*
      +        * Requeue PI only works on two distinct uaddrs. This
      +        * check is only valid for private futexes. See below.
      +        */
      +       if (uaddr1 == uaddr2)
      +           return -EINVAL;
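Review bot: the added `if (uaddr1 == uaddr2) return -EINVAL;` in the requeue_pi branch only covers private futexes, as its own comment says ("only valid for private futexes. See below"); a shared futex can be reached through two different user addresses, so the same rejection has to be repeated on the resolved keys (key1 and key2, declared at the top of the function) after they have been looked up, which this excerpt stops before showing. When quoting the fix, include that second comparison so the address check alone is not mistaken for the complete fix.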
  15. Towelroot
      • kernel bug
      • super smart guy to find a super smart way to exploit it
      • some structure in the kernel that we can tweak a bit
      • a syscall to connect kernel space with userland
      • payload to be executed