RootingDevices¶
About root¶
Having root access on your computer empowers you to control your computer. Having users in control of their own computers is not a security vulnerability.
If you don't have root access, then you are locked out of your own computer, and this can be a very serious problem as you also have data in it, your data.
For instance if you can't copy your data outside and inside of the device, then you're stuck, and dependent on the software that is installed on that computer to use your data.
In general, root is also required for being able to use any network protocol you wish or want to design as the tun/tap interface or other mechanism to send RAW packets requires root: It really enables you to use net neutrality and Internet design principles in practice.
Some applications like USB mountr that makes use of the hardware features like the USB OTG to expose an USB iso over mass storage over the USB port require root. So it's a good idea to enable users to easily become root in Replicant.
However it's a good security practice not to give root access to programs that don't need it, or to people that you don't trust, as it could give them full control of the system.
And even if you trust programs enough, they could have vulnerabilities which enable an attacker to get root access.
So once the user is in control and has root, it's then a good idea not to have any vulnerabilities that could enable attackers to get root once they have code running in your computer.
Introduction¶
Many Android distributions that are shipped on the devices took away the ability for users to become root.
Because of that it's sometime necessary to become root within such distributions.
For instance it can enable you to backup and migrate your data from the stock Android distribution to Replicant, or enable to backup the stock OS, etc.
While running the stock distribution is not interesting per se if it's not fully free software, it can still be useful to do reverse engineering for instance.
Root exploits¶
Vulnerability names | CVE | Affected software and versions | Free software implementation | Status |
---|---|---|---|---|
Towelroot | CVE-2014-3153 | Linux 3.5 to 3.15 | GPLv3 version, improved from github | Not yet tested |
* iovyroot * Pipe-iovec root |
CVE-2015-1805 | Linux 2.6x to 3.15 | * None of the 4 implementations on github were under a free software license | |
Ping-Pong Root | CVE-2015-3636 | Linux ? to 4.1 | ||
Dirty COW | CVE-2016-5195 | Linux 2.6.13 to 4.9 | * List of some free and nonfree implementations For the free implementations: * GPLv3 (?) implementation in Go * GPLv3 implementations in C++ and Go * MIT implementation in crystal |
|
* MIT implementation in C | Uses assembly (x86_64 only at this time) | |||
* LGPLv3(+?) implementation in C | Tried 'cowpy', but it didn't work on I9100G: * Tried replacing /system/bin/run-as from /system which is ro says "Done" but binary not changed * Tried replacing /system.prop from / which is probably rw, says "Done" but binary not changed |
Stock OS¶
Device | Android version | Kernel version | Status |
---|---|---|---|
GT-I9100G_CHN_CHN | 2.3.5 | 2.6.35.7 se.infra@SEI-30#2 | Failed |
Nexus 5 | 6.0.1 | 3.4.0-gcf10b7e | Failed. Tried cowpy with (tried replacing /default.prop wich is root:root 644). Compiled on top of Replicant 6.0 |
Motivations¶
A common use case is making a full backup of the device without relying on nonfree and non-redistributable software. This needs to be done for a variety of use cases:- For people working on Replicant having a backup of the stock OS can be useful for reverse engineering. For instance work to make xgoldmon work with Replicant (XMMProtocolInterfaces) often requires to do comparisons between the stock OS and Replicant.
- In a free software user groups, we bought several smartphones (GT-I9300, Nexus 5, Pinephone) to enable people to become familiar with the installation of distributions on smartphones. Having complete backups enable to restore to the stock OS to do installations. This free software user group got several devices. For the GT-I9300 we resorted to hardware methods [1] to boot on a Parabola microSD and we did the complete backup this way. But for the Nexus 5 we probably need to find free software root exploits to do the full backup.
1 https://redmine.replicant.us/projects/replicant/wiki/Exynos4Bootrom#Loading-a-bootloader-from-SD
References¶
Updated by Denis 'GNUtoo' Carikli over 2 years ago · 33 revisions