BE CAREFUL: this was only tested on a DHD with the SFR official image.
Android version: 2.3.3
HTC Sense version: 2.1
Baseband version: 12.54.60.2SU_26.09.04.11_M2
Kernel version: 2.6.35.10-gg0956377 htc-kernel@and18-0#1
Compile date: Tue Mar 29 06:10:15 CST 2001
Firmware version: 2.36.163.13
Navigator version: WebKit/533.1
Get GingerBreak
Get Busybox
root@mypc:~# adb push GingerBreak /data/local/tmp
root@mypc:~# adb push busybox /data/local/tmp
root@mypc:~# adb shell
$ chmod 755 GingerBreak
$ chmod 755 busybox
$ cd /data/local/tmp
$ ./GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to 7-4-3-C@web.de if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 1231 GOT start: 0x00014360 GOT end: 0x000143a0
[*] vold: 1231 idx: -3072 fault addr: 0x000132b4
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[*] vold: 11216 idx: -0002005
[*] vold: 11216 idx: -0002004
[*] vold: 11216 idx: -0002003
[*] vold: 11216 idx: -0002002
[*] vold: 11216 idx: -0002001
[*] vold: 11216 idx: -0002000
[*] vold: 11216 idx: -0001999
[*] vold: 11216 idx: -0001998
[*] vold: 11216 idx: -0001997
[*] vold: 11216 idx: -0001996
[!] dance forever my only one
# ls
boomsh sh GingerBreak busybox
# ls -l
-rwx--x--x shell    shell       16830 2011-06-24 09:56 boomsh
-rws--x--x root     root        82840 2011-06-24 09:56 sh
-rwxr-xr-x shell    shell       16830 2011-04-21 13:40 GingerBreak
-rwxr-xr-x shell    shell     1926944 2010-03-23 01:29 busybox
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 ro,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /app-cache tmpfs rw,relatime,size=8192k,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/data/d /data/d debugfs rw,relatime 0 0
htcfs /data/htcfs fuse.htcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
/dev/block/vold/179:65 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:65 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
/dev/block/dm-0 /mnt/asec/net.osmand-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-1 /mnt/asec/menion.android.locus-2 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-2 /mnt/asec/com.bitsmedia.android.muslimpro-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-3 /mnt/asec/android.androidVNC-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-4 /mnt/asec/q.and-2 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-5 /mnt/asec/com.guidedways.iQuran-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-6 /mnt/asec/com.smartersoft.alshamelaad-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-7 /mnt/asec/com.tof.myquran-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-8 /mnt/asec/com.skype.raider-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-9 /mnt/asec/org.connectbot-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-10 /mnt/asec/com.google.zxing.client.android-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-11 /mnt/asec/com.rue89-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
Installing a root kit (a setuid helper such as su) lets you regain temporary root without running GingerBreak again. This is a faster and safer way to get root.
Before running GingerBreak, you can display the mounted partitions:
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 ro,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
Notice that the /system partition is mounted read-only, which means you have no way to write to it unless you get root access and remount it. The other partitions are mounted read+write, so you can write to them; this is what we did when copying GingerBreak to /data/local/tmp.
After running GingerBreak, you can display the mounted partitions again:
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 ro,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
As you can see, the /data partition was remounted by GingerBreak without the nosuid flag. This allows you to put a root kit there, meaning a program that grants you root access, such as su.
On Linux systems, gaining root access this way is a matter of having execute rights on a root-owned program with the setuid bit set. For example:
# ls -l
-rwx--x--x shell    shell       16830 2011-06-24 09:56 boomsh
-rws--x--x root     root        82840 2011-06-24 09:56 sh
-rwxr-xr-x shell    shell       16830 2011-04-21 13:40 GingerBreak
-rwxr-xr-x shell    shell     1926944 2010-03-23 01:29 busybox
Here, the sh program is setuid root and serves as the root kit. Open a terminal, go to /data/local/tmp and run sh: you will get a root shell.
All this is nice, but once you reboot your device, the /data partition is mounted at system startup with the nosuid flag, and you will no longer be able to gain root access by running /data/local/tmp/sh.
So the solution may be to put it on the /system partition. For this you will need to remount it read+write.
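The nosuid behaviour described above is easy to audit. The POSIX shell script below is an added example (not part of the original post and not GingerBreak or busybox code): it parses a constructed sample in the shape of the page's mount output, lists block-device partitions that are writable but lack nosuid (where a setuid-root binary would be honoured), and finds setuid files under a directory. The function names and the sample are this example's own.

```shell
#!/bin/sh
# Constructed sample in the shape of the page's mount output after /data was
# remounted without nosuid (fields: device mountpoint fstype options dump pass).
MOUNT_SAMPLE='rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
/dev/block/mmcblk0p25 /system ext3 ro,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0'

# Print the mountpoint of every block-device partition whose options contain
# "rw" but not "nosuid": the kernel honours setuid bits on files there, so
# these are the partitions a hardening or persistence check has to watch.
suid_capable_mounts() {
    printf '%s\n' "$1" | awk 'index($1, "/dev/block/") == 1 {
        n = split($4, opt, ",")
        rw = 0; nosuid = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "rw") rw = 1
            if (opt[i] == "nosuid") nosuid = 1
        }
        if (rw && !nosuid) print $2
    }'
}

# List regular files under $1 that carry the setuid bit (mode 4xxx), one path
# per line, sorted. On a device, run it against the mountpoints reported above.
find_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Stand-alone run: report on the sample, then audit /data/local/tmp if present.
if [ "${1:-}" = "--demo" ]; then
    echo "writable partitions mounted without nosuid:"
    suid_capable_mounts "$MOUNT_SAMPLE"
    if [ -d /data/local/tmp ]; then
        find_setuid_files /data/local/tmp
    fi
fi
```

On the sample, only /data is reported: /system is read-only and /cache and /devlog carry nosuid, which matches the page's observation.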
# mount -t ext3 -o remount,rw /dev/block/mmcblk0p25 /system
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
# /data/local/tmp/busybox cp /data/local/tmp/sh /system/bin/mysh
# chown root.shell /system/bin/mysh
# chmod 6755 /system/bin/mysh
# ls -l /system/bin/mysh
-rwsr-sr-x root     root        82840 2011-06-24 09:56 /system/bin/mysh
This looks really great, BUT it does not work :(. You will notice that after the next reboot, your /system/bin/mysh has been removed. It seems that the /dev/block/mmcblk0p25 partition is reinitialized on each reboot. Now we need to figure out which hidden partition is used to reinitialize it. TO BE CONTINUED