Wednesday, September 9, 2009

1 click root for android until there is a security patch

***NOTE: All credit goes to the devs, I am not responsible for bricking your phone.

Also, this may not work if you have upgraded to the next update!



As is customary with these kind of posts, some disclaimers:

  1. This could be dangerous.
  2. This should only be used if you know what you are doing.
  3. Although this technique will work for any currently shipping android phone, this specific APK works most easily with phones that are compatible with cyanogen’s 1.4 recovery image for the HTC Dream/Magic (32B). There are instructions posted below for how to download a recovery.img that will work for other phones to your SD card, and how to use this apk to root those phones as well – it’s just not one-click… it’s more like some typing and 1-click, so it might take you 30 seconds longer to do.

Now, some credit:

  1. Zinx did all the work on this


UPDATE: The “Recovery Flasher” is no longer in the market. This is entirely understandable and we as a community have no real right to be upset about this (their market, their rules – and after inspecting it they determined that the app violates them). So… Consider yourself lucky if you were one of the several thousand people who got it before it was taken down – and if not… there are plenty of mirrors to get it from posted here. (Android by design allows you to install applications from a variety of locations – you aren’t locked down to just one provider like on some fruity phones). So please don’t have a knee-jerk reaction and get mad at Google for this – they are still very much hacker-friendly (just search the market for applications that only work on rooted phones and you’ll realize that they are pretty laissez-faire in the market).

Flashing your recovery image:

Although the exploit itself can be used to execute anything as root, the prepackaged APK is designed to flash your recovery image with an updated one that allows installing modified updates signed with a publicly available key. The reason for this is pretty simple: it’s the easiest way to enable you to install some modified image. It also enables you to use nandroid to back up (and restore) your entire phone to your SD card, and basically gives you what you need to be one of the cool kids and install custom android roms at will.

Install the APK


The application has been uploaded to the market, and that’s the fastest place to get it from. Open up the Market and search for “Recovery Flasher” and download it from there.

In your settings, under software, tell it to allow untrusted sources (necessary since the APK isn’t available in the market). Then, from the browser on your phone, download the “recovery flasher 0.1 APK” from here: http://g1files.webs.com/Zinx/flashrec-20090815.apk Install it… and open it up.

Download from one of these mirrors

It looks like this:

[Image: recovery flasher]

From here:

  1. click on “backup recovery image”
  2. click on “Flash Cyanogen Recovery 1.4”

(in mine there is the option to restore my previous one since I already backed that thing up)

Test that it worked

Power your phone down. Reboot into “recovery mode”. On all phones I’m aware of, you do this by holding down “Home” and “Power” when turning it on. When you see something like this:

[Image: cyanogen's recovery mode]

From here, you can install any of the custom roms using the instructions above. I highly recommend you use the “nandroid backup” button at this point.

IF YOUR RECOVERY MODE SCREEN DOES NOT LOOK LIKE THE ONE ABOVE, OR DOESN’T HAVE ALL THOSE OPTIONS, DO NOT PROCEED – reboot and apply again.

Known issues:

  • EVERY TIME YOU REBOOT YOUR PHONE INTO NORMAL ANDROID IT UNDOES WHAT YOU JUST DID. Every time android boots, it reflashes the recovery partition with the default one from a file stored in your phone. For safety reasons, we are not replacing this file – just flashing the partition directly. So if you boot to recovery mode, then boot back into your normal mode, and then boot back into recovery mode – you will see a triangle with an exclamation point and only 3 options. DO NOT WIPE YOUR DATA IF YOU ONLY SEE 3 OPTIONS AND AN EXCLAMATION POINT. If you only see three options, reboot your phone into normal android mode and re-run the “Recovery Flasher” application – and THEN boot into recovery mode and you will see all the options.
  • If your phone doesn’t work with cyanogen 1.4’s image (which I believe are 32A HTC Sapphires [Rogers HTC Magic, etc]) you should not use this as-is – see my instructions for those phones at the bottom. If recovery fails to boot, you should be able to pull the battery and reboot into the normal phone and then open the recovery flasher app again and “restore” your backed up recovery.img – but no promises… This is all done at your own risk.
  • The exploit used (CVE-2009-2692) in this hack is already patched. The kernel was patched upstream on August 11th, so it is likely that an update will be pushed out from T-mobile VERY quickly to help prevent malicious people from using this same exploit.
  • Apologies in advance to anyone who has to work quickly and work hard to patch this exploit in the wild. (Although it should be noted that if you just shipped phones that weren’t neutered in the first place, it would save us all a lot of work and help us all be on the same team… but that’s a topic for another post.)
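
For anyone tracking which devices still need the CVE-2009-2692 fix, here is an added example (not part of the original post and not Zinx's code) that triages kernels by the build stamp at the end of `/proc/version`, using the upstream patch date given above. The device names, sample lines and verdict labels are constructed for illustration, and the build-stamp layout is an assumption about how the kernel line is formatted.

```python
import re
from datetime import date

# Upstream fix date as stated in the post (August 11th; year taken from the post date).
UPSTREAM_FIX = date(2009, 8, 11)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Build stamp ending a /proc/version line, e.g. "Wed Jul 22 14:45:30 PDT 2009" (timezone optional).
BUILD_STAMP = re.compile(
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (\w{3}) +(\d{1,2}) "
    r"\d{2}:\d{2}:\d{2} (?:[A-Z]{2,5} )?(\d{4})\s*$")


def kernel_build_date(proc_version):
    """Return the build date embedded in a /proc/version line, or None."""
    m = BUILD_STAMP.search(proc_version)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def triage(proc_version):
    """Classify one kernel for CVE-2009-2692 follow-up (heuristic, by build date)."""
    built = kernel_build_date(proc_version)
    if built is None:
        return "unknown"        # no parsable build stamp: inspect manually
    if built < UPSTREAM_FIX:
        return "predates-fix"   # built before the fix existed upstream
    return "verify-backport"    # newer build: the date alone proves nothing


# Constructed sample lines (not captured from real devices).
SAMPLES = {
    "phone-a": "Linux version 2.6.27-example (build@host) (gcc version 4.2.1) "
               "#1 PREEMPT Wed Jul 22 14:45:30 PDT 2009",
    "phone-b": "Linux version 2.6.29-example (build@host) (gcc version 4.4.0) "
               "#1 PREEMPT Sat Oct  3 09:12:01 UTC 2009",
    "phone-c": "Linux version 2.6.27-example (no build stamp)",
}


def triage_fleet(samples):
    """Map each device name to its triage verdict."""
    return {name: triage(line) for name, line in samples.items()}


if __name__ == "__main__":
    print(triage_fleet(SAMPLES))
```

A "verify-backport" verdict only means the build is recent enough that it could carry the fix; confirming it requires the vendor's changelog or kernel source.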
