[Q] Rooting on Android devices not involving third party software on the device - General Questions and Answers

A Chairde
I am wondering if anyone can help me. I have heard there are rooting methods on Android devices not involving third-party software on the device. Could you tell me what they are, and which phones support them? I have read the XDA Developers book, and the closest I have come is the Google Nexus phone in Chapter 8, Unlockable device, but it still needs to load the Busybox APK and SuperUser binaries.
This question revolves around sound forensic techniques; I believe XRY loads tools into RAM when using physical extraction.
Any help / pointers would be greatly appreciated

By default, Android doesn't have the ability to substitute the current user for the root user, which is why the 'su' binary has to be installed. By adding a particular line to '/data/local.prop', you can trick the ADB into thinking it's communicating with an emulator, which would temporarily give the ADB elevated permissions, but most of the techniques needed to do so require other binaries that Android doesn't have by default, hence the need for Busybox.
XRY physical extraction, on the other hand, doesn't communicate with Android at all, so there are no "root" permissions to be gained. It relies more on very low level communication with the hardware itself and extracting raw data (i.e. ones and zeros). Highly specialized software would then be needed to translate that data into a more human readable format.
So, to answer your question...
As far as I'm aware, there is no way to achieve permanent "root" permissions on Android without (at the very minimum) installing the 'su' binary.

SoupMagnet,
You answered my question fully, you are a legend!!


Ensure Unrooted Device

I am working on a mobile application that is subject to certain regulatory requirements. Because of this, I'm required to detect on start-up of my application if there is any possibility that the phone has been rooted. If so, I must completely disable the application and not allow it to start up at all.
I've seen many methods to detect a rooted phone, however none seems very definitive especially if you were trying to hide that you had rooted it.
I do have the ability to store the approved devices (and possibly associated IDs) in some external database and retrieve it at application startup.
Are there any system properties that can't be "spoofed" on a rooted device, or possibly some other method to definitively determine if a device has been rooted, that are at least nearly "unhackable"?
As I understand it, the semi-definitive definition of a rooted phone is one with su.exe available. But, this would be very easy to hack.
The closest I can think of would be to calculate the md5sum of files in /system. Perhaps the md5sum of *all* files in /system or the md5sum of the whole filesystem. Then, compare this to a list of known-good values for the OS version and device.
This would require all "official" versions of the OS for *all* supported devices to be pre-calculated and stored somewhere. And further require that the storage of those values couldn't be faked. If they were on the phone, they could be swapped-out by a malicious user.
This could still be hacked, but it would be a whole level of magnitude harder than most approaches.
To be honest, such a requirement sounds like an app whose security needs are high enough that you might not want to allow it to be installed on generic hardware.
Would you have a similar requirement if the app were deployed on Windows? I don't think it's a solvable problem there at all.
Actually, your suggestion is probably very sound. Because of the regulatory concerns, we have to know exactly what devices we're supporting, and we can store the MD5 sums on a server, or actually we could store them inside our application and MD5 sum that as well (that would pretty much ensure they couldn't change it). Even if it was possible to install the app on a new device, we need to make sure it's approved.
Do you have any idea how we could run an MD5 sum on a non-rooted Android device on the /system folder programmatically?
We're not planning on supporting any Windows devices at any point in the near future, so that's not really a concern.
I haven't had a non-rooted Android phone since a couple days after buying my G1. But, I suspect the md5sum executable is there. Although, for your need, you would need to verify that the md5sum executable itself was unmodified.
You could probably use dd to stream the raw filesystem through md5sum. It's been too long since I played around at that level to give you detailed directions. I'd look into dd and md5sum via google.
Like I said, you'd still need to confirm those two executables were unmodified. Maybe either a) bundle your own copy of them or b) implement the md5sum algorithm in your app.
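The integrity check sketched in this thread (hash every file under /system, compare against known-good values kept out of the attacker's reach, report anything that differs) as an added example; this is not code from any poster. It assumes a POSIX shell with find, sort, cut and sha256sum (GNU coreutils or BusyBox), and it uses sha256sum in place of the thread's md5sum, which is no longer collision-resistant.

```shell
# Added example, not code from the thread. DIGEST can be set to md5sum to
# reproduce the thread's exact suggestion; sha256sum is the default here.
DIGEST=${DIGEST:-sha256sum}

# build_manifest DIR
# Prints one "<hash>  <relative path>" line per regular file under DIR, in a
# stable byte-order sort so two manifests of the same tree are byte-identical.
# Hashing file contents (not just names) catches a replaced library or a
# repackaged shell even when the file name is unchanged. Limitation noted in
# the thread: this still trusts the $DIGEST binary it runs, so a known-good
# manifest should be produced with a trusted copy of the tool, or the hashing
# should be done in the app itself.
build_manifest() {
    dir=${1%/}
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        h=$("$DIGEST" < "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "${f#"$dir/"}"
    done
}

# compare_manifest KNOWN CURRENT
# Reports every ADDED, MODIFIED or REMOVED path relative to the known-good
# manifest and returns 0 only when the two manifests agree completely. The
# known-good manifest belongs on the server or inside the app's own signed
# package, as the thread proposes, so it cannot simply be swapped out on-device.
compare_manifest() {
    awk '
        BEGIN { bad = 0 }
        # pass 1: load the known-good manifest into an associative array
        FILENAME == ARGV[1] { known[substr($0, length($1) + 3)] = $1; next }
        # pass 2: walk the current manifest; paths may contain spaces, so the
        # path is everything after "<hash>  "
        {
            path = substr($0, length($1) + 3)
            if (!(path in known))        { print "ADDED    " path; bad = 1 }
            else if (known[path] != $1)  { print "MODIFIED " path; bad = 1 }
            delete known[path]
        }
        END {
            for (p in known) { print "REMOVED  " p; bad = 1 }
            exit bad
        }' "$1" "$2"
}

# Usage: build_manifest /system > known.txt  (on a trusted reference device)
#        build_manifest /system > current.txt && compare_manifest known.txt current.txt
```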

[Q] Android questions

I'm new to Android and have a few questions that didn't get answered by trying to Google them. I have bought my first Android phone (a Samsung Galaxy S2, after years of being a Symbian fanboy), but have not received it yet.
1. Does everything run on top of Dalvik JVM? At the bottom is the Linux kernel. Then there is a Linux process which runs Dalvik VM. Could for instance Sun's JVM run on a Linux process of its own or another Linux application?
2. Can C/C++ Linux programs run on Android, though compiled for ARM? Android has the NDK (Native Development Kit), which allows C/C++ code to run inside Android applications, but I'm wondering about running C/C++ applications directly on Android. BusyBox is coded in C, but runs on Android. Is it running directly as a Linux process on the kernel or within an Android application on Dalvik?
3. The latter (Q2) would indicate that not everything runs on top of Dalvik. Otherwise C/C++ programs would not run.
4. Android uses ADB (Android Debug Bridge) for its CLI magic. BusyBox uses Ash. Can one install bash as the default shell, with full GNU Core Utilities commands? Some forum posts indicate that it is possible to install an ARM re-compiled bash version.
5. Android can be rooted by installing applications like Super User or BusyBox that would let the user execute applications as root. That would indicate that there exists a root user, in addition to the actual user. Is this similar to how it is on Linux? Can I define a password for the root user so that no applications can run as root directly?
Edit: Seems each application is a different user on the system.
6. Are all user data stored in SQLite databases that are stored on the phone? User data is accessible through different applications, but how does Android determine access rights to it?
7. I have read that Android applications run in their own Linux process and are assigned a unique user ID. Does this mean that we can run ps to see all running processes, or does it act like the Sun JVM, just showing each VM process? However, it looks like different applications can run in the same process. Can these be distinguished, or do we just see the one process?
8. Is the camera application (that some have made modifications of) a Google app or a Samsung app? Just wondering, since the former would allow such modified versions to run on phones other than Samsung's, but given that different phones have different camera specs I don't see how this could go well.
9. Can the codes typed in the dialer be executed through a shell instead (adb)?
10. Can I get an overview of permissions given to applications? Can they be revoked after once granted?
I have a question, too. Thanks.
I'll be back with most of your answers. I'm on my phone. I'll be at a comp in a few.
Sent from my Incredible using Tapatalk
I'm also wondering about how the methods of rooting works.
Some offer rooting by means of a modified kernel.
Another method entails using programs like SuperOneClick or GingerBreak.
Can anyone describe to me what exactly these methods do?
In order to have root, I guess the root user needs to be created/activated/enabled on the phone. Also, programs like su and Superuser need to be installed, perhaps with Busybox.
Those are the methods for root, but I want to know what needs to be done on the phone in order to root it.
Can I root my device (Samsung Galaxy S2) manually without any modified kernels or special programs?
DJViking said:
10. Can I get an overview of permissions given to applications? Can they be revoked after once granted?
You can see the permissions an app has through Settings->Apps->Manage Apps, I think. There are also apps on the market summarising that.
Revoking or granting only certain permissions is not available natively.
I believe they are working on that in cyanogenmod.
Revoking a needed permission will usually make the app in question crash.
DJViking said:
8. Is the camera application (that some have made modifications of) a Google app or a Samsung app? Just wondering, since the former would allow such modified versions to run on phones other than Samsung's, but given that different phones have different camera specs I don't see how this could go well.
If you have a Samsung device, the camera app will be from Samsung.
It is not impossible to have the Google camera app running on your device; it might need some tinkering though (see CyanogenMod).
DJViking said:
7. I have read that Android applications run in their own Linux process and are assigned a unique user ID. Does this mean that we can run ps to see all running processes, or does it act like the Sun JVM, just showing each VM process? However, it looks like different applications can run in the same process. Can these be distinguished, or do we just see the one process?
Yes you can, here is the output from running "ps" on my i9000: http://pastie.org/2089555
Only apps from the same developer (meaning signed with the same signature) can be run in the same process. This is not the default and only happens when the developer requests it. This is not very common.
DJViking said:
6. Are all user data stored in SQLite databases that are stored on the phone? User data is accessible through different applications, but how does Android determine access rights to it?
Through the Android permission system.
Code:
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.WRITE_SMS" />
will be needed to read and write from/to the SMS database.

Possible to Replace a System File without Rooting?

I am a NOOB, but I like myself just fine. The video for NOOBs is funny, but IMHO, should be a bit more serious.
I'm one of those people experiencing issues with GPS and TTFF being excessively long on the MT. Cry.
If I run MyPhoneExplorer, I can see the system file structure, and I believe I can move files to the phone. I believe I can do the same with SwiFTP.
Can one drop replacement GPS libraries for example into the SYSTEM and SYSTEM/HW sub-directories using a program like MPE, or an FTP program like SwiFTP without rooting, and would they be honored on the next reboot?
Would I be mangling some check-sum or other that determines the integrity of the system loaded?
I'm one of those users that doesn't really want to root if not necessary, but I wonder if doing some mod like the above would lay subsequent update pushes from VMUSA to waste?
Also, I'd really like if possible to flag some programs not to load, unless I explicitly ask them to load via the U.I. with intent. I suppose I'd have to root to do something like that. Perhaps with Ginger-Break? Would doing this make subsequent updates problematic?
Any information regarding my constraints and options to effect both of the above would be very appreciated. Thanks.
There are ways to mount the various partitions from a host machine (e.g. Linux) while it is in the "emergency" flash mode, which would permit what you want to do. Doing this is quite dangerous - at least as much as rooting the device and perhaps more-so.
I appreciate the response.
OK, if I were to root via Gingerbreak and install the files that way, then un-root, would my system then appear to be (to an update provided by Motorola or VMUSA) as something which couldn't be updated?
In other words, would rooting put me on a path to having to use specially modified updates?
Thanks.
Depends on what you change.
In GENERAL no, the update will come through. The major risk is that it crashes on install as some part of what you changed is a dependency but is not reloaded. This is rare, but can happen.
So.... root, install Clockwork, and make an immediate Nandroid backup BEFORE you screw with anything. That SHOULD allow you to un-hose yourself if you get in trouble.

[Q] Custom Device driver / KernelLibrary

Good day,
I am new to the forum so please forgive me if this is not the right place to ask.
I have been reading through some of the threads on the forum and am curious to know if there is a way to load custom kernel libraries or device drivers onto the phone.
If there is a way, is there a correct procedure? For example to load a custom device driver / kernel library, do I also have to have an entry in the registry? Does the dll file have to be in /Windows?
Thanks in advance.
Good questions. There's been only a little research on this so far. I can tell you what I've found, though:
For a stock ROM, nobody has managed it yet, but it might be possible. You'll need to have your DLL signed, and the certificate added to the Code Integrity store on the phone (just mailing yourself the .cer is insufficient! That will put it in the wrong store). You'll probably want the DLL to be in \Windows, although I'm not sure it's needed. You almost certainly will need to add registry entries; the current drivers seem to have them.
Good day,
thanks for your reply. And thanks for all the good research you have done.
So at the moment, the software approach is not working but for custom roms, is it possible to include custom device drivers / kernel libraries in them?
Thank you.
Well, it's possible. The HD2 Multitouch driver is an example that it's somehow possible. Should be the same for the other devices (especially HTC first gens)...
But I don't know what you're getting at? Why would you need a custom driver?
Good day,
well, I just think that having a driver that acts like HTCUtility would make things convenient.
As for file operations, besides the application that Heathcliff has created (WP7RootTool), are there other applications that can do write operations to the /Windows folder?
What are the things that need to be done before we can write to that folder?
Thank you.
Any app with Elevated or TCB privileges can write to \Windows, I think. Using HtcRoot project or WP7 Root Tools works (both elevate apps to TCB permissions, though using different methods). Also, using an OEM driver, such as HtcProvisionDrv or HtcFileUtility, works (although those two particular drivers were crippled in the 4.x firmware).
Good day,
thanks for the information. I tried the HtcRoot tool and it works. Thanks for the tool and the source that allows me to know how it works.
Can I assume that I would be able to have write access to the Certificate and Code Integrity store also?
I am also curious as to the workings of HTCFileUtility. A quick search on this turns up little information on its workings.
Furthermore, is there a guide to inserting custom certificates into the root Certificate and Code Integrity stores? I have tried downloading the Certificates.zip file in http://forum.xda-developers.com/showthread.php?t=1236027 and the test ROM files in http://forum.xda-developers.com/showthread.php?t=1248799, hoping that they will shed some light, but am unable to download them.
Any help is appreciated. Thank you.
Yes, installing your own cert into Code Integrity is possible (in several ways, actually, but I did it using HtcRoot just as an exercise). The certificates are actually stored in the registry, so any tool that can write to HKLM can add them. I believe that WP7 Root Tools will also let you choose the store for adding a certificate if you "open" the cert from the Root Tools filebrowser.
Although I don't know exactly how HtcFileUtility works, here's the basics. It's a software driver that exposes an interface - probably an IOCTL - which apps can use to perform filesystem operations. Since it runs with TCB permissions (it's probably kernel mode, though I haven't actually checked, but it's definitely in TCB) it can perform any operation that the filesystem supports. Of course, that doesn't mean that it exposes all those operations through the IOCTL... but it exposes enough of them for a pretty solid filebrowser implementation (that's how TouchXplorer and Advanced Explorer worked, although they used an OEM COM DLL that called into the driver rather than doing the IOCTL themselves).
The new version of it has very limited operations permitted; it will only list files in a few folders and so forth. It does still "work" within those limitations - Connection Setup, for example, uses it to check the folder that we use for interop-unlock on HTC - but it isn't useful for a general-purpose browser anymore.
It would be great to even figure out how to roll back the OEM drivers to earlier versions. For example, I've got WP7 Root Tools installed on my HD7, but I don't want to install HTC updates because they'll break my drivers such that if something ever goes wrong I won't be able to re-install Root Tools, or if a new hack is found (or developed; I'm working on some stuff with HtcRoot still) I won't be able to run it on my phone. Being able to use the advantages of the new firmware (Internet Sharing, compass in managed apps, hopefully an end to the damn music player freezing between songs...) while still having hackable OEM drivers would be reallllly nice...
Good day,
thanks for the information.
I noticed in the HTCRoot project thread where you mentioned that "It is not a true handle (no handle table, no handle data) but everything that checks for tokens also checks for this const value, and appears to pretty much skip all remaining permissions checks if it finds it".
Would you mind sharing some of the function names so that I could take a look at the code where the checking occurs?
Thanks.

Why isn't there Linux style root on Android?

This is something I have been wondering for a while and after searching the forums and Google I have not been able to find a clear answer. As a long time Linux user the idea of running your system as root all the time is appalling. It is a huge security risk. But for some reason that is really the only way to gain root access on an Android device (as far as i am aware). Apps like SuperSU allow you to pick the apps that are allowed to run as root, but there is no password or verification that the entity approving the access actually has the authority to do so. I hear all the time that rooting your phone is a trade-off between customizability and security, but every Linux system has a root user and it is incredibly secure when properly administered. What is the reason for the difference?
From what I have read, it sounds like part of the issue has to do with Android handling users differently. I would love to be able to maintain a more limited root function on my devices. Thanks.
You can set a passcode with SuperSU....
Thanks for the reply. That is good to know. Does that really fill the security gap though? I guess if I set my non-background root permissions to expire every 15 minutes that does help for apps that do not need to run as root in the background.
I am more referring to the distinction between regular user land and the root user. Titanium Backup, for example: if I want it to be able to run a full backup (including system apps and settings) of my phone every night, I have to give it permanent root permissions. That root permission applies to both the automatic process and anything that I as a user (or any entity that can get control of TB) do, acting as root as well. Ideally there would be 2 separate instances of the program: the back-up process (a daemon perhaps) initiated by the root user, and a second available in regular user space. This sort of thing is common on Linux systems.
My knowledge of Android is not particularly deep. I cannot tell if there is actually a separate root user or how user/group permissions work. It seems that the Android framework is designed around the user not having root access. Which is a bit confusing for an OS that prides itself on customization and "Be together not the same". I can't imagine buying a desktop PC that didn't allow me to have system level (root) access. Why should it be any different on a mobile device?
