Eclair’s Creamy Center:
How The Droid Was Rooted
Michael Goffin
CarolinaCon 2010
Can you hear me now?
• RIT Graduate 2006
• Computer Science House Alumni
• Hack or Halo and ShmooCon staff
• member of 0x90 and DroidDev
What we’ll cover
• Definitions
• Rooting timeline
• Post-rooting progress
• How to root your phone
• Droid Specs:
• CDMA dual band (800/1900 MHz); CDMA2000 1xRTT/1xEV-DO rev.0/1xEV-DO rev.A
• 3.7-inch screen with 854×480 (16:9 widescreen) capacitive
• 5 megapixel camera with autofocus and LED flash and video
• 600 MHz ARM Cortex A8 Processor (underclocked to 550)
• 256 MB RAM / 512 MB ROM
• 16G microSD
• GPS, Wi-Fi, 3.5mm HeadPhone Jack
• Talk Time: 420 minutes
• Standby Time: 450 hours
• Android Open Source Project
• Odex
• Java VM on Android is a Dalvik VM (designed for processor/memory-constrained devices)
• consumes DEX files (Java class files converted by the dx tool)
• files loaded into VM then classes optimized by
• Optimization results in an ODEX’d file
• Deodex
• de-odexing a file to hack on the code
• done using deodexerant
Why root the Droid?
• Overclocking
• Installing apps which require escalated privileges
• Theming
• Wireless tethering
• Backported apps from other Android devices (Milestone, Nexus One, etc.)
• Control over OTA updates
• Mixing and matching featuresets from different Android versions
Key Dates
• Release of Droid - 11/6
• Finding official 2.0.1 - 12/7
• First root - 12/8
• First local root - 12/8
• Simplified rooting process - 12/9
• Custom Payload Instructions - 12/10
• Official OTA Rollout of 2.0.1 - 12/11
Where we started
• A small group of us met in early November
• Created a private IRC channel, Google Waves, and reached out to other sites
• started looking for potential exploits
Where we started
• [mbm] found this gem in the Android recovery’s verifier.c. This section is part of the signature check, which verifies everything from the start of the file to the EOCD (end of central directory record) that marks the end of the zip:

```c
for (i = 4; i < eocd_size-3; ++i) {
    if (eocd[i  ] == 0x50 && eocd[i+1] == 0x4b &&
        eocd[i+2] == 0x05 && eocd[i+1] == 0x06) {
        // if the sequence $50 $4b $05 $06 appears anywhere after
        // the real one, minzip will find the later (wrong) one,
        // which could be exploitable. Fail verification if
        // this sequence occurs anywhere after the real one.
        LOGE("EOCD marker occurs after start of EOCD\n");
        return VERIFY_FAILURE;
    }
}
```

• Note the fourth comparison tests eocd[i+1] a second time instead of eocd[i+3]; one byte cannot be both 0x4b and 0x06, so this branch can never fire and a second EOCD marker placed after the real one is never rejected.
• For those interested in the patch that was eventually submitted to Google:
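To show why that loop was a gem, here is an added example (not code from the talk or from AOSP) that transcribes the shipped check beside its patched form and runs both over a constructed tail of an update file; `tail` stands for verifier.c's `eocd` buffer, and the sample bytes are made up for the demo.

```python
EOCD_MAGIC = b"\x50\x4b\x05\x06"  # the $50 $4b $05 $06 sequence from verifier.c


def shipped_eocd_check(tail: bytes) -> bool:
    """Transcription of the loop as it shipped; True means 'accept'.

    The fourth comparison re-reads tail[i+1] instead of tail[i+3]; one byte
    cannot equal both 0x4b and 0x06, so the branch is unreachable and a
    second EOCD marker hidden after the real one is never rejected."""
    for i in range(4, len(tail) - 3):
        if (tail[i] == 0x50 and tail[i + 1] == 0x4b and
                tail[i + 2] == 0x05 and tail[i + 1] == 0x06):
            return False
    return True


def patched_eocd_check(tail: bytes) -> bool:
    """Same loop with the fourth byte compared at i+3, as the AOSP fix does."""
    for i in range(4, len(tail) - 3):
        if (tail[i] == 0x50 and tail[i + 1] == 0x4b and
                tail[i + 2] == 0x05 and tail[i + 3] == 0x06):
            return False
    return True


def last_eocd_offset(tail: bytes) -> int:
    """Offset of the last marker: what a backward-scanning zip parser such as
    minzip treats as the real EOCD, so a later marker wins."""
    return tail.rfind(EOCD_MAGIC)


# Constructed sample (not a real update): a genuine 22-byte EOCD whose comment
# length field says 32, followed by that comment. In the smuggled case the
# comment carries a second marker, as an appended archive would.
REAL_EOCD = EOCD_MAGIC + b"\x00" * 16 + (32).to_bytes(2, "little")
CLEAN_TAIL = REAL_EOCD + b"A" * 32
SMUGGLED_TAIL = REAL_EOCD + b"A" * 12 + EOCD_MAGIC + b"B" * 16

if __name__ == "__main__":
    for name, tail in (("clean", CLEAN_TAIL), ("smuggled", SMUGGLED_TAIL)):
        print(f"{name:9} shipped accepts={shipped_eocd_check(tail)} "
              f"patched accepts={patched_eocd_check(tail)} "
              f"parser would use EOCD at offset {last_eocd_offset(tail)}")
```

The shipped check accepts both tails; only the patched one rejects the smuggled tail, and the offset shows which record a backward scan would actually parse.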
Where we started
• Waiting game for the official to come out so we can work with it
• [mbm] to the rescue!!
Game on
• Zinx Verituse used the official to craft a custom using the
• The goal was to create an that the phone would accept as a standard update file, but inject an su binary to gain root access
Game on
• Process involves (30k’ view):
1. Create a non-zip file of all 0’s the same size as the (donor file)
2. Build a payload zip file
3. Concatenate payload to non-zip into an file
4. Adjust offsets
5. Append signature from donor to end of your
6. For any file you want from donor copy out the relevant
7. Use dd to take the donor in and out it to your
Game on
• The detailed process can be found here:
• Zinx wrote Volez to make this easier:
First Root Posted
• Zinx posted the first root to
• first root process gave us root through ADB shell
• required plugging into a computer
First Local Root Posted
• Same day, I posted instructions for getting local root on the phone without the need for a computer
• Goal was to get access for developers to start porting their “root required” apps in the Google Market to the Droid
First Local Root Posted
• Process involves (again, 30k’ view):
1. Root the Droid using Zinx’ process
2. Download a special su binary used in previous rooted Android installs
3. Use ADB to push the su binary to /data/local/ (writable user folder)
4. Remount /system on the phone as rw
5. `mv /system/bin/su /system/bin/osu`
6. `cat /data/local/su > /system/bin/su`
7. `chmod 6755 /system/bin/su` (sets the setuid and setgid bits; any app on the phone can now run it)
8. Run `sync` then `reboot`
End result is being able to execute `su` from a terminal emulator directly on the phone
First Local Root Posted
• Detailed, but outdated instructions can be found here:
Simplified Rooting Process
• Easier process was posted the day after:
• was fitted with special su binary and Superuser.apk from Cyanogen to manage applications attempting to use escalated privileges
Enter group!
• original group from IRC with some other developers from other sites created
• Sholes was the codename of the Droid
• yes, we hosted
• goal was to start customizing the phone and continuing exploit research for when Google patched
Enter group!
• First project released: sprecovery
• modified recovery to replace the one currently on the Droid
• would allow us to easily load custom updates, ROMs, and other changes onto the phone from the SD card
• written by SirPsychoS
Enter group!
• Second project: SholesMod
• custom ROM installed using sprecovery
• custom kernel modifications
• ported applications
• shell enhancements
• developed and tested by all of the SholesMod group
Enter group!
• Third project: SMUpdater
• app put in the Google Market
• automated the downloading of latest ROM versions onto SD card and installing
• will install sprecovery, root the phone, and install the ROM
• written by Camel
• put in market for $5 as a donation to the team, but also put on site for free
• $25k in 2-3 weeks
Enter group!
• Group continued backporting
• Focus shifted to overclocking
• Released ROM with 600/800/1000 MHz
• Configured using SetCPU app through
• Added AdamZ’s Smoked Glass theme
• Backported 2.1 applications
• 2.1 is still not officially released as of writing this, but sounds like 3/19
Breaking News!!
[Verizon] spokesperson Thomas Pica said in an email [on 3/18], "The Android 2.1 upgrade for the Droid by Motorola was deployed to a small number of Verizon Wireless test users as scheduled. It is expected the broader phased rollout to all Droid by Motorola users will take place, but not just yet. No date scheduled yet."
There Goes group!
• Issues arose within and the site and source was taken down by server
• Luckily we were using Mercurial so we all had source
• Another great reason to use a distributed SCM!
• Group decided to refund everyone their money from purchasing the app and move forward with a free app, and site donation
Enter DroidMod group!
• SMUpdater was discontinued
• New site
• New members joined to increase bandwidth and support for increased
• Camel created DMUpdater 1.0
• Group created a new ROM to go out with
• more apps backported
• Download from site only until we can get it in the Market
Using DroidMod
More on the DroidMod group
• Open IRC channel on freenode: #droidmod
• Moved from Mercurial to git
• Currently working on compiling the 2.6.32 kernel for the Droid
• New DroidMod coming soon!
What others are doing
• Lots of ROMs coming out with custom themes, kernels, apps, etc.
• Overclocking exceeding 1200/1300
• Koush recently ported Cyanogenmod from the Nexus over to the Droid
• 360 degree rotation
Summary of URLs
AOSP Git Repo:
Committed patch for exploit:,12807
Guessed URL for update:
First root process:
First local root process:
Credit where it’s due
[mbm] - finding original exploit in code, guessing update URL that
made this possible
Zinx Verituse - put together original payload, and tool, and
posted the first rooting
Cyanogen - Superuser.apk
mjxg - local root
SirPsychoS - recovery mod
koush - Cyanogen mod ported to Droid
Camel - Original SholesMod Updater and new DroidMod Updater
Contributors to DroidMod and the advancement of Droid hacking
[mbm], SirPsychoS, humancyborg, m0nkee, mjxg, Orgg, Randomcity,
trevorj, angel12, birdman, Camel, forkup, planb, unicron, votetrev,
vulcan, xeudoxus, gandhip, Ronen, visbits, electrofunk, koush, takeda
Thank you
Slides will be available on my website:
