20 minutes about rooting Android

Transcript

1. 20 minutes about rooting Android devices Paying tribute to old

   school hackers Aleksander Piotrowski @pelotasplus

2. Why to root your device?

3. None

4. Why to root your device? • su ◦ superuser ◦

   superSu • custom recovery ◦ twrp, clockworkmod recovery, • ...

5. Why to root your device? • ... • install full

   Linux distribution, i.e. Debian • install Android build from AOSP • customize boot image • create full backups • create custom ROMs • install apps on SD Card • use phone as a tether or wireless router

6. The process - nowadays

7. The process - nowadays • fastboot oem unlock • flash

   boot and other (recovery) images • flash su • reboot ;-)

8. CF-(Auto-)Root

9. Jorrit Jongma • @ChainfireXDA • Netherlands • superSU • thousands

   of pet projects

10. CF-Auto-Root • stock firmwares • just adds su • a

    bit more in non-Auto version

11. CF-Auto-Root • crafted boot image • user has to unlock

    bootloader • and install new boot image • after starting with crafted boot image • some files are changes ◦ SELinux policies ◦ su • recovery is not changed
12. None
13. None
14. None

15. The process - back in the day

16. The process - back in the day • find a

    bug in the kernel • … or in Android itself • write an exploit, so that it can ... • flash custom recovery image • install su binary

17. Rooting G1

18. • https://twitter.com/koush • gplus.to/koush • USA • ClockworkMod & cyanogenmod

    • DeskSMS • Vysor • ion • AndroidAsync • ~ 11/2008 Koushik Dutta
19. None

20. Rooting G1 with … a keyboard • old enough version

    was needed • but easily can flash it back if has newer one • start the phone, and… • … type in: <enter> <enter> t e l n e t d • telnet deamon was just started • can connect using terminal program from Market

21. Rage Against The Cage

22. Sebastian Krahmer • http://c-skills.blogspot.com/ • Switzerland • hacks everything •

    likes Miguel de Icaza ;-) • Aug, 2010
23. None

24. Fork bomb

25. Fork bomb • DoS attack • a process continually replicates

    itself to deplete available system resources causing resource starvation and slowing or crashing the system • in 1978 an early variant of a fork bomb called wabbit was reported to run on a System/360 • before in 1969 a RABBITS reported on a Burroughs 5500

26. 1978 System/360

27. Burroughs 5500 1969

28. Rooting Android with … adbd phone adbd notebook adb tcp/ip

    usb as root fork

29. /* don't listen on a port (default 5037) and don't

    run as root if we are running in secure mode */ if (secure) { ... /* then switch user and group to "shell" */ setgid(AID_SHELL); setuid(AID_SHELL); ... } not checking return value

30. Rooting Android with … adbd • setuid drops root process

    count • and increases shell user count • all that within global Android process limit RLIMIT_NPROC • spawn many shell user processes to reach the limit • and then do yet another adb call • … to see setuid failing • and adbd being run as root user

31. /* don't listen on a port (default 5037) and don't

    run as root if we are running in secure mode */ if (should_drop_privileges()) { drop_capabilities_bounding_set_if_needed(); /* then switch user and group to "shell" */ if (setgid(AID_SHELL) != 0) { PLOG(FATAL) << "Could not setgid"; } if (setuid(AID_SHELL) != 0) { PLOG(FATAL) << "Could not setuid"; }

32. Towelroot

33. • @geohot__ • on his plate ◦ iPhone 2007 ◦

    PlayStation 2009 ◦ Android 2014 • around kernel bug discovered by Pinkie Pie • one click-root tool • Jun, 2014 George Hotz
34. None
35. None

36. http://tinyhack.com/2014/07/07/exploiting-the-futex-bug- and-uncovering-towelroot/ http://static.lwn.net/images/conf/rtlws11/papers/proc/p10. pdf

37. None
38. None

39. static int futex_requeue(u32 __user *uaddr1, unsigned int flags, u32 __user

    *uaddr2, int nr_wake, int nr_requeue, u32 *cmpval, int requeue_pi) { union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT; int drop_count = 0, task_count = 0, ret; struct futex_pi_state *pi_state = NULL; struct futex_hash_bucket *hb1, *hb2; struct futex_q *this, *next; if (requeue_pi) { /* + * Requeue PI only works on two distinct uaddrs. This + * check is only valid for private futexes. See below. + */ + if (uaddr1 == uaddr2) + return -EINVAL;

40. Towelroot • kernel bug • super smart guy to find

    a super smart way to exploit it • some structure in kernel that we can tweak a bit • a syscall to connect kernel space with userland • payload to be executed