Thursday, July 15, 2010

android trickery


Anonymous said...

It works on G1, Milestone. Thanks for the PoC.

Morgul said...

Saw this recently used to root the DroidX, kudos!

In a related vein, it looks like the Motorola Backflip has the same vulnerability; however, it does not have /etc/firmware.

Looking at the code (which I only partially follow, admittedly) I'm unsure why /etc/firmware is required. (I am assuming it's how one would use the firmware subsystem as the vector for attack.)

Could you give an explanation/some pointers on what I might try to exploit this on the Backflip? (What about using /dev/ashmem instead of the firmware subsystem?)



Stilger said...

Hi. Looks like this worked on the Droid X but does not seem to work on the Backflip because of the lack of /etc/firmware. Any ideas?

Anonymous said...

After testing on Milestone, several conditions could be reduced/relaxed:

1. /tmp can be used instead of /sqlite_stmt_journals. They are both world-writable.

2. Changing for(;;); to exit(...) works. Perhaps the code was borrowed from another exploit?

3. The exploid rootshell will be triggered by a hotplug event after it has been set up properly. Thus sleep(3) can be removed.

Anonymous said...

This also works on the Devour.

Unknown said...

Will this work on the Devour, and any more info on the Backflip?

Anonymous said...

Does this work on the X10? (not mini or mini pro)

Anonymous said...

Works also on HTC Hero (1.5). Thanks!

Unknown said...


I've been trying, with little success, to get this working on the Wildfire.

I've changed the block device for system remount to /dev/mtdblock3, but still have no luck with actually copying self to /system/bin/rootshell.

Furthermore, once the exploit has been run, certain hotplug actions cause an instant reboot and, obviously, adb disconnection. Any help would be gratefully received.



K6FCC said...

The root does not work on my Motorola I1. I keep on getting permission denied when I run


Please help!

Thank you.
Khalil Ladjevardi
Los Angeles

K6FCC said...

The root for Motorola does not seem to work

I tried running ./exploid but end up with permission denied.

Please help!!

Thanks!

Anonymous said...

Thank you!!! You often have interesting posts! They put me in good spirits )

Anonymous said...

Hi - I am really delighted to discover this. Great job!