Easy Rooting for MIDx024

[lfom]

Background

steev's found out that init.rc runs a shell script called "install-recovery.sh" during boot with root privileges. The file is located in /etc which is also writable, so even with stock Android one should be able to copy files to this folder. More info in steev's initial post here. His solution requires that Python for Android to be installed, so I decided to create a "simpler" solution that only requires adb or terminal.

This RootKit has su and Superuser.apk, both from signed package from adroidsu.com website. Should work with any MIDx024 (7024, 8024, 1024) tablet with Froyo installed. May work with other models if the requirements in the original thread by steev are met.

PS: it seems that AllDro2 derived custom ROMs do not allow writing to /etc, so you cannot use this. Anyway, most custom ROMs already come with root activated so it's not a bid deal.
PS2: I will check steev's suggestion for debuggered method and add an universal build if it works on both Froyo and Gingerbread.


Installation

1. Using Terminal Emulator
- download file, unzip contents to a folder (for instance, /sdcard/RootKit - it will hold 4 files: install-recovery.sh, patch2.sh, su and Superuser.apk");
- Open Terminal Emulator and run these commands, using ENTER/RETURN at the end of every line, replacing "/sdcard/RootKit" with the path to the downloaded files:

cp /sdcard/RootKit/* /etc/
chmod 777 /etc/install-recovery.sh

- close Terminal Emulator and reboot.

2. Using adb
- download file, unzip contents to a folder (for instance, a folder "RootKit" where you can call adb from)
- Use these adb commands, replacing "RootKit" with the actual folder name containing the downloaded files:

adb push RootKit /etc/
adb shell chmod 777 /etc/install-recovery.sh

- remove USB and reboot tablet.

If all goes OK, you will see Superuser app in your apps drawer and a 0 bytes "logrooting.txt" in /etc folder (you can delete it as root now). If it doesn't work, logrooting.txt should help to find out the problem. Superuser.apk is installed in the /system partition, so it will remain even after a factory reset or "SD card init". Enjoy!


V1.0
Download link: RootKit - Minus.com
MD5 2B:18:14:92:ED:96:31:B7:9E:88:27:C5:5C:BB:13:40

PS: this version has only 3 files (no patch2.sh) and logrooting.txt is written in root folder.


V1.1
Download link: http://min.us/lbkxrWvFDv5A1Y
MD5 8B:FF:20:B6:34:2F:C0:A0:40:13:21:BD:4C:28:90:75

Changelog
- fixed busybox fixing
- logrooting.txt moved to /etc for cleanness and easy deletion
- after installation, security hole is patched (install-recovery.sh can be modified only with root privileges)
- security patch displayed in dmesg.

V1.2
Download link: http://min.us/lUK0F1CU2bOOe
MD5 26:1EC:08:2D:0A:5D:1A:AA:2E:08:62:A8:EE:A9:38

Changelog
- Updated su (3.0.3) and Superuser.apk (3.0.6)
- security patch updated with steev's tip


Props to steev for the idea and the logging mechanism.

 

[steev]

Cool.

I don't think /etc is writable on the urbetter gingerbread builds, at least not on the Alldro2 firmware.

However, /system/bin is writable and the file /system/bin/debuggerd gets run as root by init.rc.
So you can place your own script there.

 

[lfom]

Cool.

I don't think /etc is writable on the urbetter gingerbread builds, at least not on the Alldro2 firmware.

However, /system/bin is writable and the file /system/bin/debuggerd gets run as root by init.rc.
So you can place your own script there.

Hmmm, I think it is. I should release a new version of my CFW soon with the system enhancements you've added to your latest version (if it's OK with you, of course) so I will be able to test this. But here it seems that /etc is drwxrwxrwx. Actually, I think it's a big security hole, so I will add a patch that will make install-recovery.sh writable by root only.

 

[lfom]

I don't think /etc is writable on the urbetter gingerbread builds, at least not on the Alldro2 firmware.

True. I was using another firmware and probably one of the patches I used made /etc writable. I have added the info, and also a new version that patches the security hole after enabling root.

 

[steev]

Hmmm, I think it is. I should release a new version of my CFW soon with the system enhancements you've added to your latest version (if it's OK with you, of course) so I will be able to test this. But here it seems that /etc is drwxrwxrwx. Actually, I think it's a big security hole, so I will add a patch that will make install-recovery.sh writable by root only.

/etc is a symlink (shortcut) to /system/etc

Symlinks always appear to be 777 for some reason, so that may have confused you, but really they have the same permissions as the file they point to.
/system/etc is 777 on Froyo, 755 (or something like that) on Alldro2 Gingerbread

And sure if you like any of the changes I made to my firmware, feel free to use them in your own.

 

[steev]

Unfortunately, your patch doesn't fully close the security hole.

Since everyone has write permission to /system/etc, they can still rename or delete the file with "mv -f" or "rm -f"

A possible solution is the change the permissions of /system/etc to 1777.
The 1 sets the Sticky bit, which prevents users from renaming or deleting files that don't belong to them.

Something like this should do it:

sed -i -e 's:0777:1777:g' /init.rc

(replaces all occurrences of '0777' with '1777' in /init.rc)

 

[lfom]

I will go back to Froyo in order to test HMDI with sounda and I will take a look into it. Thanks!

 

[lfom]

Unfortunately, your patch doesn't fully close the security hole.

Since everyone has write permission to /system/etc, they can still rename or delete the file with "mv -f" or "rm -f"

Even if "install-recovery.sh" is owned by root?

I will try setting it to 1744 (just the file) and see if it works...

 

[jonataapolinario]

Hi all!
Im net to android world, and i did the root but after root the usb dont works. in the PC it appear as Unknown device.
I tryed with Z4Root and with this method, and both gives the same.

another thing i dont know if its right. When i try to ping( in an application and in the console, the same) it retrieves me "operation not permitted". when i do "su" in the console and then ping, it works. its right i need to "su" before do root executions? and how can i "su" to enter in that other application? or my superuser is not running corretly?

My device is an coby kyros 1024 4Gb.
Thanks

 

[steev]

Even if "install-recovery.sh" is owned by root?

I will try setting it to 1744 (just the file) and see if it works...

Yes, you can do this to test:

$ su
(now we're root)
# mkdir /test
# chmod 777 /test
# touch /test/owned_by_root
# chown 0:0 /test/owned_by_root
# chmod 0744 /test/owned_by_root
# exit
(now we're user)
$ touch /test/malicious_script
$ mv -f /test/malicious_script /test/owned_by_root
(owned_by_root overwritten by malicious_script)

Now try with "chmod 1777 /test", it doesn't work

Also, my fix was bad since it changes the permissions of files other than /etc, just put a chmod 1777 /etc in your install-recovery.sh

 

[lfom]

Hi all!
Im net to android world, and i did the root but after root the usb dont works. in the PC it appear as Unknown device.
I tryed with Z4Root and with this method, and both gives the same.

another thing i dont know if its right. When i try to ping( in an application and in the console, the same) it retrieves me "operation not permitted". when i do "su" in the console and then ping, it works. its right i need to "su" before do root executions? and how can i "su" to enter in that other application? or my superuser is not running corretly?

Sorry, I missed you post... Yes, that's exactly what su is supposed to be used for: running certain apps that need superuser privileges. But I don't think it would interfere with USB. By any chances you changed your USB from device to host mode in Settings? If yes, you must change it back so the computer can 'see' the tablet.