Thursday, September 28, 2017

How does rooting work?


Or, how do I root my device without a rooter?


Rooting instructions for Android devices that I have seen are typically of the following form:



  1. Download Gingerbreak.apk

  2. Run Gingerbreak, click “root device”

  3. Observe that Superuser.apk has been magically installed, possibly along with busybox and other things, and enjoy your rooty goodness.


What I am wanting to know is this: how does the rooting actually happen? What does Gingerbreak do?


I understand the end result of rooting:




  • su is present and working

  • Superuser.apk is installed and controls access to su

  • Various utilities are present, provided by BusyBox (optional?)


I also think I understand the basic idea of how Gingerbreak gets started — it exploits some local privilege escalation vulnerability and uses its new-found powers to deploy Superuser and whatever else is necessary.


So, unless I am wrong in some of the understanding I laid out above, the core of what I want to know is what the root installer does to deploy and activate Superuser. It seems that just putting Superuser.apk in the right place wouldn't be enough — how does it get allowed root access? How does it get hooked up to moderate that access for other applications?


What does Gingerbreak do post-exploit to enable and secure root access?



Answer



After much digging, I finally figured it out. I was wrong about where the magic is: it is not in the installer script; all that has to do is put the su and Superuser.apk binaries in the right place and set their permissions. So it really is as simple as dropping files in place and setting permissions. No magic wiring.



The magic happens in the su binary (see the source and also this question). I was (incorrectly) thinking that su was a standard su, and that things were somehow wired up to moderate access to that binary through Superuser.apk.


Wrong. What actually happens is far simpler: Superuser provides a custom implementation of su that authenticates access through Superuser and its authorized application database.


So the process of rooting is as simple as @Sparx said. The deployed software contains the magic.
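The following is an added example, not code from the original post or from the Superuser project: a minimal C sketch of the two pieces the answer describes. The first is the sanity check a deploy step would make on the dropped su (root-owned, setuid, executable by everyone, i.e. chmod 06755); the second is the authorization decision inside the custom su, which already runs as euid 0 thanks to the setuid bit and only has to decide whether the calling app's uid is allowed before handing out a root shell. The flat "uid,allow|deny" allowlist, the constructed uids and the function names are assumptions for illustration; the real Superuser su asks the Superuser app, which consults its authorized-application database and may prompt the user, rather than reading a text file.

```c
/* Added example: a model of a third-party Android su (not Superuser's code).
 * The kernel runs a setuid-root binary with euid 0; the policy lives in the
 * binary itself, not in any wiring done by the installer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Mode a deployed su must carry: chmod 06755 (setuid + setgid + rwxr-xr-x). */
#define SU_REQUIRED_MODE (S_ISUID | S_ISGID | S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)

/* Return 1 if an app (running under its own uid) invoking this binary would
 * actually obtain root, 0 otherwise. Each missing piece defeats the whole. */
int su_deployed_correctly(uid_t owner, mode_t mode)
{
    if (owner != 0)        return 0; /* setuid only escalates to the owner: must be root */
    if (!(mode & S_ISUID)) return 0; /* without the setuid bit nothing escalates */
    if (!(mode & S_IXOTH)) return 0; /* apps are "other": they need execute permission */
    return 1;
}

/* Decide whether the calling uid is allowed root. The allowlist is a
 * constructed stand-in for Superuser's app database: one "uid,allow" or
 * "uid,deny" line per app. Unknown or malformed entries are denied, so the
 * check fails closed. First matching line wins. */
int is_authorized(uid_t caller, const char *allowlist)
{
    const char *line = allowlist;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[64];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            char *comma = strchr(buf, ',');
            if (comma) {
                *comma = '\0';
                char *end;
                long uid = strtol(buf, &end, 10);
                if (*end == '\0' && uid == (long)caller)
                    return strcmp(comma + 1, "allow") == 0;
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* The core of a custom su: policy check, then drop to a root shell.
 * Returns 1 on denial or failure; on success the exec never returns.
 * Shell path is an assumption (Android's is typically /system/bin/sh). */
int grant_root_shell(uid_t caller, const char *allowlist)
{
    if (!is_authorized(caller, allowlist)) {
        fprintf(stderr, "su: permission denied for uid %u\n", (unsigned)caller);
        return 1;
    }
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("su: setuid"); /* binary was not installed setuid root */
        return 1;
    }
    execl("/system/bin/sh", "sh", (char *)NULL);
    perror("su: exec");
    return 1;
}

int main(void)
{
    /* Constructed allowlist: app uid 10042 granted, 10077 explicitly denied. */
    static const char allowlist[] = "10042,allow\n10077,deny\n";
    return grant_root_shell(getuid(), allowlist);
}
```

The point the example makes is the one the answer reaches: the installer's only job is to get a root-owned, setuid su onto the filesystem; everything that looks like "Superuser controlling access" is the su binary refusing to exec a shell unless its database says the caller is allowed.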

