How Rooting Works -- A Technical Explanation of the Android Rooting Process (http://seasonofcode.com/posts/how-rooting-works-a-technical-explanation-of-the-android-rooting-process.html)

By Chuan Ji | Oct 19, 2011 | Tags: Android (http://seasonofcode.com/tag/android.html), Featured (http://seasonofcode.com/tag/featured.html) | Comments (33) (http://seasonofcode.com/posts/how-rooting-works-a-technical-explanation-of-the-android-rooting-process.html#disqus_thread)

I have always been curious how rooting actually worked behind the scenes. After recently acquiring a new Eee Pad Slider, a Honeycomb tablet that so far no one has been able to root, the frustration of being locked out of this amazing piece of hardware with so much potential led me to finally sit down and figure out what exactly rooting means, what it entails from a technical perspective, and how hackers out in the wild are approaching the rooting of a new device. Although all this information is out there, I have not been able to find a good article that had both the level of technical detail that I wanted and an appropriate introduction to the big picture, and so I decided to write my own.

This is NOT a noob-friendly guide to rooting a particular Android device. Rather, it is a general explanation of how stock Android ROMs try to prevent unprivileged access, how hackers attack this problem, and how rooting software leverages various exploits to defeat these security mechanisms.

I. The Goal

Let us first take a step back and consider exactly what we mean by rooting. Forget flashing custom ROMs, enabling WiFi tethering or installing Superuser.apk; fundamentally, rooting is about obtaining root access to the underlying Linux system beneath Android and thus gaining absolute control over the software that is running on the device.
Things that require root access on a typical Linux system — mounting and unmounting file systems, starting your favorite SSH, HTTP, DHCP, DNS or proxy servers, killing system processes, chroot-ing, etc. — require root access on Android as well. Being able to run arbitrary commands as the root user allows you to do absolutely anything on a Linux / Android system, and this is the real goal of rooting.

Stock OEM Android builds typically do not allow users to execute arbitrary code as root. This essentially means that you as a user are granted only limited control over your own device; you can make your device do task X only if the manufacturer explicitly decided to allow it and shipped a program to do it. You will not be able to use third-party apps to accomplish a task that your manufacturer does not wish you to do. WiFi tethering is a good example of this. Cell phone carriers obviously do not want you to tether your phone without paying them additional charges. Therefore, many phones come pre-packaged with their own proprietary WiFi tethering apps that demand extraneous fees. But without root access, you will not be able to install a free alternative like Wireless Tether For Root Users (http://code.google.com/p/android-wifi-tether/).

Why this is accepted practice in the industry is a mystery to me. The only difference between cell phones, tablets and computers is their form factor; but while a PC vendor would fail spectacularly if they tried to prevent users from running arbitrary programs on their machines, cell phone vendors are clearly not judged along the same lines. But such arguments belong in another article.

II. The Enemy: Protection Mechanisms On A Stock OEM Android ROM

1. Bootloader and Recovery

The bootloader, the first piece of code executed when your device is powered on, is responsible for loading the Android OS and the recovery system and for flashing a new ROM.
People refer to some bootloaders as "unlocked" if a user can flash and boot arbitrary ROMs without hacking; unfortunately, many Android devices have locked bootloaders that you would have to hack around in order to make them do anything other than boot the stock ROM. A Samsung smartphone I had used some months ago had an unlocked bootloader; I could press a certain combination of hardware keys on the phone, connect it to my computer, and flash any custom ROM onto it using Samsung's utilities without having to circumvent any protection mechanisms. The same is not true for my Motorola Droid 2 Global; the bootloader, as far as I know, cannot be hacked. The Eee Pad Slider, on the other hand, is an interesting beast; as with other nVidia Tegra 2 based devices, its bootloader is controllable through the nvflash utility, but only if you know the secure boot key (SBK) of the device. (The SBK is a private AES key used to encrypt the commands sent to the bootloader; the bootloader will only accept a command if it has been encrypted with the particular key of the device.) Currently, as the SBK of the Eee Pad Slider is not publicly known, the bootloader remains inaccessible.

System recovery is the second piece of low-level code on board any Android device. It is separate from the Android userland and is typically located on its own partition; it is usually booted by the bootloader when you press a certain combination of hardware keys. It is important to understand that it is a totally independent program; Linux and the Android userland are not loaded when you boot into recovery, and any high-level concept such as root does not exist here. It is a simple program that really is a very primitive OS, and it has absolute control over the system and will do anything you want as long as the code to do it is built in. Stock recovery varies with the manufacturer, but often includes functionality like reformatting the /data partition (factory reset) and flashing an update ROM (update.zip, located at the root of the external microSD card) signed by the manufacturer. Note I said signed by the manufacturer; typically it is not possible to flash custom update files unless you obtain the private key of the manufacturer and sign your custom update with it, which is both impossible for most and illegal under certain jurisdictions. However, since recovery is stored in a partition just like /system, /data and /cache (more about that later), you can replace it with a custom recovery if you have root access in Linux / Android. Most people do just that upon rooting their device; ClockworkMod Recovery (http://www.clockworkmod.com/) is a popular third-party recovery image, and allows you to flash arbitrary ROMs, back up and restore partitions, and lots of other magic.

2. ADB

ADB (see the official documentation for ADB (http://developer.android.com/guide/developing/tools/adb.html)) allows a PC or a Mac to connect to an Android device and perform certain operations. One such operation is to launch a simple shell on the device, using the command adb shell. The real question is what user the commands executed by that shell process run as. It turns out that it depends on the value of an Android system property named ro.secure. (You can view the value of this property by typing getprop ro.secure either through an ADB shell or in a terminal emulator on the device.) If ro.secure=0, an ADB shell will run commands as the root user on the device. But if ro.secure=1, an ADB shell will run commands as an unprivileged user on the device. Guess what ro.secure is set to on almost every stock OEM Android build.

But can we change the value of ro.secure on a system? The answer is no, as implied by the ro in the name of the property. The value of this property is set at boot time from the default.prop file in the root directory.
The contents of the root directory are essentially copied from a partition in the internal storage on boot, but you cannot write to that partition if you are not already root. In other words, this property denies root access via ADB, and the only way you could change it is by gaining root access in the first place. Thus, it is secure.

3. Android UI

On an Android system, all Android applications that you can see or interact with directly are running as unprivileged users in sandboxes. Logically, a program running as an unprivileged user cannot start another program that runs as the privileged user; otherwise any program could simply start another copy of itself in privileged mode and gain privileged access to everything. On the other hand, a program running as root can start another program as root or as an unprivileged user. On Linux, privilege escalation is usually accomplished via the su and sudo programs; they are often the only programs in the system that are able to execute the setuid system call that changes the current program from running as an unprivileged user to running as root.

Apps that label themselves as requiring root are in reality just executing other programs (often just native binaries packaged with the app) through su. Unsurprisingly, stock OEM ROMs never come with su. You cannot just download it or copy it over either; it needs to have its SUID bit set, which indicates to the system that the program is allowed to escalate its runtime privileges to root. But of course, if you are not root, you cannot set the SUID bit on a program.

To summarize, what this means is that any program that you can interact with on Android (and hence running in unprivileged mode) is unable to either 1) gain privileged access and execute in privileged mode, or 2) start another program that executes in privileged mode. If this holds, the Android system by itself is pretty much immune to privilege escalation attempts.
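The two mechanisms described in the ADB section (ro.secure) and the Android UI section (the SUID bit on su), turned into a read-only audit that a defender would run to tell whether a device exposes either escalation path. This is an added example, not code from the original article; it assumes a getprop dump captured to a file and a POSIX shell whose find supports -maxdepth and -perm, and the file names and paths in it are constructed.

```shell
#!/bin/sh
# Added example; not code from the original article. Read-only audit of the
# two escalation paths the article explains:
#   1. ro.secure=0 means adbd runs as root, so "adb shell" is a root shell
#   2. a SUID 'su' in the system path means any app can escalate through su
# Inputs: a getprop-style dump (on a device: getprop > /sdcard/props.txt)
# and the directories to scan, so the script runs on the device via
# "adb shell" or on a host against a pulled dump. Assumes a POSIX sh whose
# find(1) supports -maxdepth and -perm (hosts and busybox do; some old
# Android toolbox builds do not).

# adb_shell_privilege DUMPFILE -> prints "root" or "unprivileged".
# getprop prints "[ro.secure]: [1]"; dumps captured over "adb shell" often
# carry CRLF line endings, so the CR is stripped before matching.
adb_shell_privilege() {
    val=$(tr -d '\r' < "$1" | sed -n 's/^\[ro\.secure\]: \[\(.*\)\]$/\1/p')
    # Assumption: a missing property is treated like "1", the secure default.
    case "${val:-1}" in
        0) echo root ;;
        *) echo unprivileged ;;
    esac
}

# suid_su_binaries DIR... -> prints every file named 'su' with the SUID bit
# set, one path per line; prints nothing when none is found.
suid_su_binaries() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f -name su -perm -4000 2>/dev/null
    done
}

# root_audit DUMPFILE DIR... -> prints a report; returns 1 when either
# escalation path exists, 0 when neither indicator is present.
root_audit() {
    dump=$1; shift
    status=0
    priv=$(adb_shell_privilege "$dump")
    printf 'adb shell would run as: %s\n' "$priv"
    [ "$priv" = root ] && status=1
    found=$(suid_su_binaries "$@")
    if [ -n "$found" ]; then
        printf 'SUID su found (device is rooted):\n%s\n' "$found"
        status=1
    else
        printf 'no SUID su in: %s\n' "$*"
    fi
    return "$status"
}

# On a device, /system/bin and /system/xbin are where su is normally placed:
#   sh root_audit.sh /sdcard/props.txt /system/bin /system/xbin
if [ $# -ge 2 ]; then
    root_audit "$@"
fi
```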
We will see the loophole exploited by on-device rooting applications in the next section.

III. Fighting the System

So how the hell do you root an Android? Well, from the security mechanisms described above, we can figure out how to attack each component in turn.

If your device happens to have an unlocked bootloader, you're pretty much done. An example is the Samsung phone that I had had. Since the bootloader allowed the flashing of arbitrary ROMs, somebody essentially pulled the stock ROM from the phone (using dd), added su, and repackaged it into a modified ROM. All I as a user needed to do was to power off the phone, press a certain combination of hardware keys to start the phone in flashing mode, and use Samsung's utilities to flash the modified ROM onto the phone.

Believe it or not, certain manufacturers don't actually set ro.secure to 1. If that is the case, rooting is even easier; just plug the phone into your computer and run ADB, and you now have a shell that can execute any program as root. You can then mount /system as read-write, install su, and all your dreams have come true.

But many other Android devices have locked bootloaders and ro.secure set. As explained above, they should not be root-able, because you can only interact with unprivileged programs on the system and they cannot help you execute any privileged code. So what's the solution?

We know that a number of important programs, including low-level system services, must run as root even on Android in order to access hardware resources. Typing ps on an Android shell (either via ADB or a terminal emulator on the device) will give you an idea.
These programs are started by the init process, the first process started by the kernel (I often feel that the kernel and the init process are kind of analogous to Adam and Eve — the kernel spawns init in a particular fashion, and init then goes on and spawns all other processes), which has to run as root because it needs to start other privileged system processes.

Now here's the key insight: if you can hack / trick one of these system processes running in privileged mode into executing your arbitrary code, you have just gained privileged access to the system. This is how all one-click-root methods work, including z4root, gingerbreak, and so on. If you are truly curious, I highly recommend this excellent presentation on the various exploits used by current rooting tools (http://jon.oberheide.org/files/bsides11-dontrootrobots.pdf), but the details are not as relevant here as the simple idea behind them. That idea is that there are vulnerabilities in the system processes running as root in the background that, if exploited, will allow us to execute arbitrary code as root. Well, that "arbitrary code" is most certainly a piece of code that mounts /system in read-write mode and installs a copy of su permanently on the system, so that from then on we don't need to jump through the hoops to run the programs we really wanted to run in the first place.

Since Android is open source, as is Linux, what people have done is to scrutinize and reason about the source code of the various system services until they find a security hole they can leverage. This becomes increasingly hard as Google and the maintainers of the various pieces of code fix those particular vulnerabilities when they are discovered and published, which means that the exploits will eventually become obsolete with newer devices.
But the good news is that manufacturers are not stupid enough to push OTA updates to fix a vulnerability just to prevent rooting, as it is very expensive for them; in addition, devices in the market are always lagging behind the newest software releases. Thus, it takes quite some time before these rooting tools are rendered useless by new patches, and by then hopefully other exploits will have been discovered.

IV. See It In Action!

To see all of this in action, you are invited to check out my follow-up article: Android Rooting: A Developer's Guide (/posts/android-rooting-a-developer-s-guide.html), which explains how I applied this stuff to figure out how to root an actual device.

About the author

I am a software engineer by profession and a passionate technology geek in my free time. Check out my bio (/pages/about.html), or find me on Google+ (https://plus.google.com/115396580584561637180).

33 Comments

nisar (4 years ago): ThankU so much....this was xtremly informative... u dnt mind pls mail me links to the reference articles u had gone through... Thnx in advance

mdo (2 years ago): does it mean that rooting might disappear in the near or far future ? no root=no freedom ; no freedom=los which means android is dying

SMM (2 months ago): Really nice info. I have got a Samsung phone (Samsung Galaxy Core Prime Value Edition (s1v-G3641H)) for which I couldn't find a modified ROM in order to root it.
You mentioned that rooting a Samsung is essentially "pulling the stock ROM from the phone (using dd), adding su, and repackaging it into a modified ROM". I'm considering doing this myself (knowing and accepting the risks). Can you guide me further about this process?

Udit (2 years ago): Awesome compilation! Great work! Thanks a lot!

Aldrich (3 years ago): Awesome article! Thank you for sharing this

udtor (3 years ago): boooom! nice! clear as day i can now proceed further and get that black-belt in ADB and Busybox commands, i'm tired of using other people's tools for my rooting experiment, i want to root via the "father" of Android my way... :D thank you very much sir!

diyoyo (3 hours ago): Thanks for this article. The link to the follow up article does not seem to be working, though... could you post a new link please ? Thanks.

BravoZuluMaster (a month ago): Great article. I have rooted countless android tablets and phones but failed to understand on the technical level what was going on. Thank you!

nebun (6 months ago): Ah! finally ... I understood. Thank you very much Cj.

Bavani Sankar (9 months ago): OMG!!! THANKS A LOT!!

ng00mixalot (a year ago): Mind. Blown!!!

Jim Jin (a year ago): Excellent article, even if it's 3 years later. I now do get how this rooting works. Still, I wonder if Google and the maintainers care about allowing root in some manner. It seems to me that there'd be more interesting creations with root permissions as a possibility. Locking it down seems stifling (and makes me wonder if the coders responsible for dealing with these vulnerabilities are crying internally.) But maybe not

Juzer (3 years ago): Awesome article! Thanks for sharing this invaluable knowledge!

raghavan (3 years ago): an excellent article. thank you.
Rebecca (3 years ago): My anti virus says my device has been rooted and flags it as a security issue but I can't find how to resolve this. I've only downloaded apps from Google play store. Oddly it wasn't flagged when I installed something new so am baffled as to how it happened. Any suggestions? Many thanks

gaurav (3 years ago): awesome article...!!

Ghassan (5 years ago): Thanks heaps! This is the information I was looking for since a long time. Now I'ma proceed to rooting :D

shantanu (5 years ago): Very helpful article

Alex (5 years ago): thank you very much!!

luke (3 years ago): thank you this is very helpful

bklynjava (9 years ago): Good write up Thanks!!!

skiwarz (9 years ago): Awesome, Thank you.

Harsha (9 years ago): awesome stuff

Sid (5 years ago): Hey am i am in need of your help... kindly pls dont ignore this.... will u help me out in installing the android in N810... i ve got no idea wre am supposed to start.

Thag (3 years ago): Excellent overview, thanks very much.

sk3ptic (3 years ago): Nice article I just got into rooting and was confused until I read this article.

linux kernel hacker: I wish I had found this page earlier! I am an experienced unix systems programmer and have been involved with linux development from its beginnings, but I am a latecomer to the android world. To me the term rooting simply meant installing a program su with 4755 permissions, but this seemed like a chicken-and-egg problem on a locked down device. Searching on the web felt like a jungle where 99% of the pages were like "to root, download and flash this file", which were really ugly. Eventually I figured out everything but ended up spending a large amount of time in the process. Pages like this need to be highlighted on xda-developer forums etc. Thank you for the great writeup!
Steve (4 years ago): Thanks, I've been trying to find a sensible level explanation of this but thus far I've either seen stupidly technical or ludicrously simple. Just right :D

Joy (4 years ago): Amazing article. Just be more informative if you could put up a video link for tutorial how to just start coding into su mode or how to use adb would be really helpful. cause people like me who like to get started with custom roms. Want to get started with somepoint but they have no knowledge and no source of information :) if you can please do it :)

Jim Reid (4 years ago): this is a very excellent article on rooting. I am in the same boat as it appears you are. I have purchased a Asus Slider and would like to root it. I have an Android phone and have rooted it successfully but can't seem to get anything to root the slider. I have tried z4root and RazorClaw and both said it rooted but really didn't. I'll have to look into Gingerbreak and see what it does but apparently you have and it didn't work either. So my final question is: Have you found a way to root your slider? Curious minds want to know.

meash (4 years ago): good info thanks

bob (4 years ago): thanks, you just stopped me wasting my time on ADB

cforcode (4 years ago): Very nice and informative writeup! Thanks!

© 2015 Chuan Ji
