Is there a way to do WiFi-tethering without root access?
I mean before Froyo.
I have HTC Hero 2.1, and frankly, I don't want to root it for security reasons.
Answer
Here is the ultimate answer:
First, on your phone, install a terminal-emulator from Android market, then run
cat /proc/cpuinfo
which will show you the detailed processor information of your phone (ARM5 in my case).
Afterwards, you need to install an ARM5 cross-compiler environment on your Linux box (download Ubuntu and VirtualBox if you are a Windows/Mac-freak and don't have a Linux box), in order to compile native code for your phone.
You do this in order to be able to start a privilege escalation attack ON YOUR PHONE.
So, next, you need to cross-compile a privilege-escalation attack for ARM5 (HTC Hero microprocessor). For that, use the RageAgainstTheCage attack made by Sebastian Krahmer of Suse Linux Berlin (in binary only), reverse-engineered here:
http://pastebin.com/fXsGij3N
A precompiled version is available here http://cmw.22aaf3.com/common/rageagainstthecage-arm5.zip
Download the Android SDK starter kit from Google.
Install the appropriate Android Platform SDK (version 2.1 for me).
http://developer.android.com/sdk/index.html
Then, download the superuser (su) package:
http://cmw.22aaf3.com/common/su-2.3.6.2-efgh.zip
Put all of them (the superuser package, the su program, and the RageAgainstTheCage exploit) in the same folder as adb (a program from the Android SDK to connect to your Android phone). You need to enable USB-Debugging and switch off internet sharing.
Next, you transmit the file rageagainstthecage.bin to the folder /data/local/tmp on your phone (initially, as normal user, you have write access only to the sdcard and the temp folder, but this is sufficient):
adb push rageagainstthecage.bin /data/local/tmp/
Then you start a shell on your phone:
adb shell
And change ownership on rageagainstthecage.bin to all
chmod 755 /data/local/tmp/rageagainstthecage.bin
Next, you start rageagainstthecage on your phone as normal user
/data/local/tmp/rageagainstthecage.bin
When the exploit has finished, your adb connection should terminate.
If it doesn't, type
exit
adb kill-server
adb start-server
Now connect again to your phone:
adb shell
ADB shell now runs with escalated privileges (root). So now, remount the file system so you can write on the system partition.
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
exit
Now push su and superuser to your phone (remember, you have write access now)
adb push su /system/xbin/
adb push Superuser.apk /system/app/
And then change ownership on su to all
adb shell chmod 4755 /system/xbin/su
Next, download and install one of those free tether apps that require you to root your phone. Start superuser.
Now start your tether app. A popup will appear, which will ask you whether you want to grant this app root access. Say yes, and check remember.
Now switch off your phone and restart it. When it has restarted, everything is back to normal, no more root privileges. But su is still there and executable for everyone. So, when logged in, start the wifi tether app. Since you checked remember in the superuser app, it will use su to switch this application to root, which means it will now run fine, with only the tether app with root privileges :)
Next, connect with your Linux box to your brand-new working Android WiFi hotspot. After you're sure it works, don't forget to put access restrictions for the hotspot in place.
BTW, if you use your escalated privileges to export some apk packages for reverse-engineering, you will notice that Android lacks the cp command.
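As an added check that is not part of the original answer: the procedure above leaves a setuid su in /system/xbin, Superuser.apk in /system/app and whatever was staged in /data/local/tmp, which is exactly the "su is still there and executable for everyone" state the answer describes. The script below looks for those artifacts read-only, so you (or whoever administers the device) can verify that state, or confirm that it has been cleaned up. It is my own code, not the answer's or any tool's; it assumes only ls -l and the POSIX test command exist (the stock toolbox shell of that era has no find or stat), and the function name and the directory argument are my choices.

```sh
#!/bin/sh
# Added example: read-only check for the rooting artifacts described in the answer.
# Usage on the phone:   adb push rootcheck.sh /sdcard/ ; adb shell sh /sdcard/rootcheck.sh /
# Usage on a host:      sh rootcheck.sh /path/to/mounted/system/image
# Assumes only "ls -l" and POSIX "test" are available (no find, no stat).

# Print one line per artifact found under $1; print nothing if the tree is clean.
check_root_artifacts() {
    root="${1%/}"          # strip a trailing slash so "/" and "/mnt/img/" both work

    # 1. A setuid su binary: the "chmod 4755" from the procedure shows up as
    #    "-rws..." in the first column of "ls -l".
    for su_bin in "$root/system/xbin/su" "$root/system/bin/su"; do
        if [ -f "$su_bin" ]; then
            case "$(ls -l "$su_bin")" in
                ???s*) echo "setuid su binary: $su_bin" ;;
                *)     echo "su binary (not setuid): $su_bin" ;;
            esac
        fi
    done

    # 2. The Superuser manager installed as a system app.
    if [ -f "$root/system/app/Superuser.apk" ]; then
        echo "Superuser.apk in /system/app"
    fi

    # 3. Leftover executables in the writable staging directory /data/local/tmp
    #    (the directory the exploit binary was pushed to). "ls -l" lines for
    #    executable regular files start with "-" and carry x or s in column 4.
    if [ -d "$root/data/local/tmp" ]; then
        ls -l "$root/data/local/tmp" | while read -r line; do
            case "$line" in
                -??[xs]*) echo "executable in /data/local/tmp: ${line##* }" ;;
            esac
        done
    fi
    return 0
}

# When run as a script with a directory argument, check that tree.
if [ "$#" -gt 0 ]; then
    check_root_artifacts "$1"
fi
```

On a freshly rooted Hero the script prints three lines; after su and Superuser.apk have been removed and /data/local/tmp emptied, it prints nothing. Note that `adb pull` does not preserve the setuid bit, so check a pulled copy only for the presence of the files, not for their mode.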
You can circumvent that restriction by using cat (copy-cat) instead:
cat /data/app/superuser.apk >> /sdcard/Downloads/superuser.apk
;-)