
Or, how do I root my device without a rooter?

Rooting instructions for Android devices that I have seen are typically of the following form:

  1. Download Gingerbreak.apk
  2. Run Gingerbreak, click “root device”
  3. Observe that Superuser.apk has been magically installed, possibly along with busybox and other things, and enjoy your rooty goodness.

What I am wanting to know is this: how does the rooting actually happen? What does Gingerbreak do?

I understand the end result of rooting:

  • su is present and working
  • Superuser.apk is installed and controls access to su
  • Various utilities are present, provided by BusyBox (optional?)

I also think I understand the basic idea of how Gingerbreak gets started — it exploits some local privilege escalation vulnerability and uses its new-found powers to deploy Superuser and whatever else is necessary.

So, unless I am wrong in some of the understanding I laid out above, the core of what I want to know is what the root installer does to deploy and activate Superuser. It seems that just putting Superuser.apk in the right place wouldn't be enough — how does it get allowed root access? How does it get hooked up to moderate that access for other applications?

What does Gingerbreak do post-exploit to enable and secure root access?

2 Answers


What the APK and exploit do (usually) is as follows:

  • The APK puts the right files in the right place to run the exploit
  • The APK runs the exploit
  • The exploit attempts to attain root access
  • If it succeeds, the exploit remounts /system as read-write and runs the installer script
  • The installer script attempts to install the su binary and superuser APK, and reboots

As an example, this page details how the rageagainstthecage exploit attempts to gain elevated privileges.

Sparx

After much digging, I finally figured it out. I was wrong about where the magic is - it is not in the installer script; all that has to do is put the su and Superuser.apk binaries in the right place and set their permissions. So it really is as simple as dropping files in place and setting permissions. No magic wiring.

The magic happens in the su binary (see the source and also this question). I was (incorrectly) thinking that su was a standard su, and that things were somehow wired up to moderate access to that binary through Superuser.apk.

Wrong. What actually happens is far simpler: Superuser provides a custom implementation of su that authenticates access through Superuser and its authorized application database.

So the process of rooting is as simple as @Sparx said. The deployed software contains the magic.
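Both answers describe the same end state: a su binary dropped into a system path with the setuid bit set, plus a Superuser APK. The script below is an added example, not code from the question or either answer, that audits a filesystem tree for exactly that footprint, which is what a device administrator would run (against `/`, e.g. from `adb shell`, or against a copied image) to confirm or detect rooting. The candidate su paths are assumed typical locations rather than anything the thread lists, and the sample tree it inspects is constructed inside the script.

```shell
#!/bin/sh
# Added example: audit a tree for the "rooted" end state the thread describes,
# i.e. a setuid su binary in a system path and a Superuser APK.

# Print each artifact found under ROOT (a device's "/" or a mounted image).
# Returns 0 if anything was found, 1 if the tree looks unrooted.
check_root_footprint() {
    root=${1%/}
    found=0
    # Assumed typical install locations; not taken from the thread.
    for candidate in /system/bin/su /system/xbin/su /sbin/su /system/sbin/su; do
        f="$root$candidate"
        [ -f "$f" ] || continue
        found=1
        if [ -u "$f" ]; then
            echo "su binary (setuid): $candidate"
        else
            # A su without the setuid bit cannot raise privileges; the
            # installer script's chmod step is what makes it "work".
            echo "su binary (NOT setuid, would not grant root): $candidate"
        fi
    done
    for apk in $(find "$root/system/app" "$root/data/app" -name 'Superuser*.apk' 2>/dev/null); do
        found=1
        echo "Superuser APK: ${apk#"$root"}"
    done
    [ "$found" -eq 1 ]
}

# Number of artifacts found under ROOT (0 for a clean tree).
root_footprint_count() {
    check_root_footprint "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for a rooted device's filesystem:
# this mirrors the installer step of dropping su in place and chmod-ing it.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/system/xbin" "$t/system/app"
    : > "$t/system/xbin/su"
    chmod 6755 "$t/system/xbin/su"        # setuid root + executable
    : > "$t/system/app/Superuser.apk"
    echo "$t"
}

sample=$(make_sample_tree)
check_root_footprint "$sample"
```

The setuid check matters more than the mere presence of a file named `su`: as the second answer notes, there is no hidden wiring, so a su binary that lost its setuid bit (for example after a file copy that did not preserve mode bits) is inert, and the audit reports that distinction.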