A couple years ago, it was easy to root any device: Install KingRoot, KingoRoot, or a similar app, hit the large ROOT button, and let it do the rest. After 5 minutes or so, a green "Root Succeeded!" prompt will pop up, and we can choose to keep the root app, or uninstall it and install a clean root manager app like SuperSU/Superuser.
How do they work? Why aren't they working anymore? And if they work, should I use them or not?
Answer
I had this question a few months ago, and I found this answer through some research, so I thought to share my research in this site by answering my question, considering the fake information online. (For example, the official KingoRoot site says that it can root Android Oreo which is completely wrong information)
How do the rooting apps work?
There are quite a lot of rooting apps, KingRoot, KingoRoot, Z4Root, Root Genius, Universal Androot to name a few popular/used to be popular apps. All of them use exploits/vulnerabilities/loopholes in the Android OS to give themselves privileges reserved to the system apps or even the Android OS itself. And then they mount as read/write the directory named /system which houses the processes required to get the system running and the system apps, and place a binary named su in a place of the directory, namely /system/bin/su. If some app requires root, the app executes that binary, and you see a prompt whether to allow or decline root access.
The exploits/vulnerabilities that get discovered are given an CVEID, and then detailed in the CVE website, and fixed in the Android Security Bulletins. An example is the infamous DirtyC0W vulnerability which was given the CVEID CVE-2016-5195, which plagued and still plague the older Linux kernels. Almost all of the apps mentioned above exploit this vulnerability.
Why are the rooting apps not working anymore?
As referenced in the Bulletins above, Google fixes a series of issues in Android every month. So the scope of the vulnerabilities is highly decreasing. All the vulnerabilities the rooting apps uses to date were fixed in the security patches somewhere around 2018 January.
But there can be issues some manufacturers forgot to patch! What about them?
On Android 6.0.0 or newer, that will just cause the device to not boot anymore. To understand the reason for this, we have to look at a concept named Chain of Trust.
Chain of Trust, abbreviated CoT, is a security mechanism that was introduced to protect the Android OS from viruses and unauthorized modifications. It works like a chain of hardware and software, where each part verifies the next part. On a step-by-step basis:
- When you power on the device, a hardware function (sometimes called Boot ROM) starts. The Boot ROM is burned into the hardware and cannot be changed.
- The Boot ROM verifies the first software in the CoT, the bootloader which is a raw binary blob, sometimes called the preloader. (Also the Boot ROM sometimes loads and uses special custom partitions/binaries depending on the vendor) If the bootloader does not pass the verifications, the device shuts down. If it passes, the Boot ROM runs the bootloader.
- The bootloader checks the options passed to it by the Boot ROM, and selects the appropriate boot mode. The usual boot modes which exist on almost every device are the normal Android boot, Recovery and Fastboot/Download.
If the bootloader is locked it verifies if the next part of CoT to run is intact, and if it is, the bootloader runs it. If it is not, it can shut down, reboot, or get stuck in a special bootloader mode depending on the device model.
If the bootloader is unlocked it does not verify the next part of CoT but directly loads it.
- The next part is called the boot partition. It handles the way to boot the system itself. In Android versions on/newer than 6.0.0 (Lollipop), it also verifies if the system is intact, and if it is modified, it shuts down.
As mentioned first, these root apps exploit the vulnerabilities to modify /system, which is verified by the boot partition as mentioned in Stage 4 above. So any modification will cause the device not to boot. This state is commonly referred to as a "soft-brick", which can only be fixed by a re-flash.
So the newer devices require the bootloader to be unlocked if you want to root your device. These devices are rooted by flashing a recovery with more options than the normal recovery (like TWRP, ClockWorkMod), usually referred to as a custom recovery, and using that to modify the boot partition (and disable the system verification). It is also possible to directly modify the boot partition without a custom recovery.
Some manufacturers give a way to unlock the bootloader, and some of them don't. The popular devices with locked bootloades (for an example US carrier locked Samsung S devices) tends to be exploited by the Android modding community.
My device is still Android 5.1.1 or older! Should I use these to root?
Most of those older devices are possible to root by the rooting apps. So, you could. Should you? That depends on your preferences. Root access grants the power over everything in the OS, and with root access, it usually doesn't take even a microsecond to make sure that your device won't ever boot again. It is very probable that the rooting apps ever won't do that, but, they could. Also, with root an app could access everything your device does, and everything it holds in its memory including your credit card information, passwords, etc. If that sounds like a serious privacy threat to you, maybe don't use the root apps. If you don't care about that, you can try them.
If you are savvy enough, there are the sources of almost all the exploits those root apps uses. You can try to search them up by CVEID, look for them in Git, compile and run them and try to get a root shell, and you will be able to install the su binary and the other dependencies yourself.
Also, KingoRoot has been known for sending highly sensitive data like IMEI and Serial Number to their servers. The chances are they will never use them, but, that's your decision in the end. And KingRoot is known for installing a backdoor in its SDK which allowed some apps to get root access unauthorized by the user.
Conclusion
The era of the rooting apps is long gone. The rooting apps doesn't work anymore and if you use them on newer Android versions you risk soft-bricking your device and probably losing all your data. If you use them on supported Android versions they would work most of the time, but there are privacy and security concerns you should consider before going on.
I hope my research would help someone in the future who gets the same problem as me. :)
No comments:
Post a Comment