23 September 2010

Rooting Android

Rooting enables an Android phone owner to do interesting things with his hardware. Let me name a few: performing whole-system backups, upgrading the operating system found on the device, removing clutter from the default install, even underclocking and overclocking become possible. These procedures are especially attractive when the phone manufacturer decides to no longer support the device with any software updates.
Unfortunately, doing such a procedure usually voids any warranty you may have on your phone, so all responsibility rests on your shoulders.

OK, why the name rooting? On UNIX-like operating systems like the *BSDs and Linuxes such as Android, root denotes the do-all super-user on the machine. That means it can modify almost any file, anywhere. Getting this privilege level is therefore essential for manipulating protected files! A modern operating system has methods for entering such a privileged state, but they are missing on Android. To make matters worse, the OS by design prevents non-privileged code from attempting any other privilege escalation methods. All is not lost, however, since operating systems are usually so big that there's bound to be some weak code which can be exploited to cut the flow of normal execution and run the exploit's code instead.

Here enters an exploit. It abuses some specific functionality of the OS kernel which has been implemented in a vulnerable way. Such code is found all the time by security researchers, hobby hackers and also malevolent crackers, but more importantly it is more or less quickly patched by software authors. Because security software updates are considered relatively unneeded on Android due to its isolationist application model, updates for phones are rare or even non-existent and usually focus on improved functionality.

That should be enough background information, on to a specific procedure! My HTC Tattoo uses Linux version 2.6.29, which is rather old and vulnerable. An exploit exists for it! Good, now a would-be hacker also needs a shell to run this program in. The application model on Android doesn't run software stored as native processor code, but the software development kit for Android does. Once you have it extracted, open a terminal, navigate to that folder and connect your phone to the PC in debugging mode. To see if the phone is accessible run:
./adb devices
This should give you a serial number and a "running" status. Cool, now you can upload the compiled exploit file (find it on xda-developers) to your phone:
./adb shell "mkdir /data/local/bin"
./adb push path/on/PC/to/m7 /data/local/bin/m7
./adb shell "chmod 755 /data/local/bin/m7"
Now you can enter a full shell running on your phone and actually execute the exploit:
./adb shell
cd /data/local/bin
while ./m7 ; do : ; done
After a while you should be greeted by a # sign, the tell-tale mark of full privilege! But nothing works. That is because the way you got to the root shell is highly non-standard and the shell does not know where to look for the commands you type in. To remedy this, type:
# export LD_LIBRARY_PATH=/system/lib
# export PATH=/system/bin
# id
The last command should confirm you are root, with user id zero. Congrats! But know that what you have just accomplished is only a temporary root. It will work for this shell session alone.

To have a permanent privilege escalation mechanism similar to fuller-featured GNU/Linux distributions, one that works at any time, you must install a program called su (short for super user) from within your root shell. You can find one here, but please install the Superuser app as well. Upload the su program the same way you uploaded the exploit file, with adb push. Once in the root shell, you must remount the system partition of the phone as writeable, because it is mounted read-only by default:
# mount -o rw,remount /dev/block/mtdblock3 /system
# cat /data/local/bin/su > /system/bin/su
# chmod 6755 /system/bin/su
Now reboot your phone.
# reboot
Once the phone completes the start-up process it should be exactly the same as before, but with one added mechanism: the su program. The problem now is that any program can launch su and become the superuser, so your first step to control its use should be to install an app called Superuser (it's also on the Android Market). For usage instructions see link. It's pretty simple though - if any non-approved app wants to run su, Superuser will be invoked to ask you whether you allow or deny the requesting app such privileges.
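As an added example (mine, not from the original post or from xda-developers), here is a small Python audit that takes `ls -l` output as printed by Android's toolbox ls (captured via adb shell) and flags root-owned setuid/setgid binaries, which is exactly what the su installed with chmod 6755 above looks like. The sample listing is constructed rather than captured from a real phone, and the column layout assumed is the toolbox one without a link-count column.

```python
import re
from typing import Dict, List

# Constructed sample of Android toolbox `ls -l /system/bin` output (not captured
# from a real device); the su line mirrors the chmod 6755 from the guide above.
SAMPLE_LS = """\
-rwxr-xr-x root     shell       26248 2009-12-11 12:12 sh
-rwxr-xr-x root     shell       71972 2009-12-11 12:12 toolbox
-rwsr-sr-x root     root        22364 2010-09-23 20:41 su
-rwxr-xr-x root     shell        9836 2009-12-11 12:12 reboot
lrwxrwxrwx root     root              2009-12-11 12:12 ls -> toolbox
"""

# Toolbox format: mode user group [size] date time name (no link-count column).
LS_LINE = re.compile(
    r"^(?P<mode>[-ldcbps][rwxsStT-]{9})\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<name>.+)$"
)

def parse_ls(output: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in map(LS_LINE.match, output.splitlines()) if m]

def octal_to_symbolic(mode: int) -> str:
    """Render a numeric mode such as 0o6755 the way ls -l shows it: rwsr-sr-x."""
    out = ""
    for shift, special, ch in ((6, 0o4000, "s"), (3, 0o2000, "s"), (0, 0o1000, "t")):
        bits = (mode >> shift) & 0o7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if mode & special:
            out += ch if bits & 1 else ch.upper()  # capital = special bit without x
        else:
            out += "x" if bits & 1 else "-"
    return out

def is_setuid(mode: str) -> bool:
    return mode[3] in "sS"  # owner-execute slot carries the setuid bit

def is_setgid(mode: str) -> bool:
    return mode[6] in "sS"  # group-execute slot carries the setgid bit

def root_indicators(output: str) -> List[str]:
    """Names of regular files owned by root with setuid or setgid set."""
    hits = []
    for e in parse_ls(output):
        if e["mode"][0] != "-":
            continue  # symlinks, devices and directories are not setuid executables
        if e["user"] == "root" and (is_setuid(e["mode"]) or is_setgid(e["mode"])):
            hits.append(e["name"])
    return hits
```

Feed it `adb shell ls -l /system/bin /system/xbin` and any name it returns other than the ones your firmware shipped with deserves a look.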

Congratulations, you are now a mobile super user! :)

18 September 2010

On Android communities

While I was not writing for the blog many things changed in all of our lives, but to be a bit more specific, I bought an Android mobile phone. It is a budget second generation phone made by HTC and called Tattoo.

Android is the operating system that runs on the phone. It manages the hardware and offers a unified platform for apps to run on. One of the main advantages of Android is its freedom. Because it is based on Linux, its licence forces the source code to be available for anyone to hack. However, the devices themselves aren't nearly as open. That's why hackers across the world love to break into phones and change their inner workings. Such actions are usually deemed entirely legal and can offer quite a bit of insight into how computers are made to work and into the quality of work done by industry engineers.

Why would someone root their phone? To do advanced things to it that are otherwise impossible! For instance my Tattoo had faulty buttons under the screen. Before sending it in for repairs under warranty I copied the contents of the on-board memory chips onto my memory card and did a factory reset. That way no prying eyes could access my data, my email account, etc. That turned out to be a good move because the phone had to have its motherboard replaced. On this motherboard the memory chips were soldered and I would have lost months of customizations had I not made backups.

Many discussions on mobile phone hacking and development take place on the forum xda-developers.com. Of course there are many other, more specific sites, but usually everything worth noting can be found on these forums. A problem I had at the beginning while reading various threads there was that, sure, there are many technical and newbie guides, but very little is said about what the accomplished result is useful for. Perhaps that is also a consequence of the bulletin board nature of the site. I find that wiki sites are much better for new people because all the information is centralised on one page, condensed and better formatted for legibility than countless bits of information spread around forum posts.

By the way, if you are considering buying a smartphone, please, PLEASE, do yourself a favour and don't get a budget phone. I find myself wanting the characteristics of a better phone all the time. The hardware can be very limiting to the usefulness of various third party applications and even to their availability. Fortunately some of the limitations are software based and therefore the attractiveness and promise of community based upgrades and hacks becomes quickly evident.

I imagined this blog as being more technically orientated, so as not to deviate from that premise I will soon post some guides on how (and why) I have fun with my mobile phone.


Let's get Flash squared away

Hello after a long time. I have some free time again and my almost forgotten blog crept into my mind. Well, the big news of the day, actually of yesterday, is that a new version of the Flash player has been released, not only for the usual suspects like Windows and OS X but also for 64-bit Linux!

The big Flash 10.1 release a few months ago skipped 64-bit GNU/Linux distributions, and their users have been left out in the cold regarding support for a native, patched and secure Flash player. The last 64-bit version was just suddenly made unavailable due to security holes and no update was released.

Fortunately a new version has been released and, interestingly, according to one account not only due to outside pressure.

Here are a few tips regarding its installation on Ubuntu amd64:
  1. If you have any flash packages installed, it is prudent to remove them first:
    sudo apt-get remove -y --purge flashplugin-nonfree flashplugin-installer gnash

  2. If you had followed my previous guide, you need to clean up after it:
    sudo rm -f /usr/lib/mozilla/plugins/*flash*
    sudo rm -f ~/.mozilla/plugins/*flash*
    sudo rm -f /usr/lib/firefox/plugins/*flash*
    sudo rm -f /usr/lib/firefox-addons/plugins/*flash*

  3. Ubuntu users are welcome to install the plugin from a Personal Package Archive (PPA; Wikipedia article). This is a volunteer-based solution which bridges the gap between the upstream release and Ubuntu's official packaging. It should be as easy as running:
    sudo add-apt-repository ppa:sevenmachines/flash
    sudo apt-get update
    sudo apt-get install flashplugin64-nonfree

  4. If you wish to remove the PPA and the installed software it provides, you have two options. The manual way is to remove the PPA from the Software Sources list and revert or uninstall the software packages the PPA provides, or you could settle for an automatic process. You need to install another PPA first, though. Removal of the unwanted PPA is then as easy as this:
    sudo ppa-purge ppa:sevenmachines/flash

Users of other GNU/Linux distributions can use the procedure below (check the plugin paths, though!). The archive is read from standard input and extracted into the current directory, which leaves libflashplayer.so there ready to be moved:
wget -qO- http://download.macromedia.com/pub/labs/flashplayer10/flashplayer_square_p1_64bit_linux_091510.tar.gz | tar xzf -
sudo mv libflashplayer.so /usr/lib/mozilla/plugins/
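As an added example (not part of the original post), the same manual install done from Python: it extracts only libflashplayer.so from the tarball and refuses to place it in the plugin directory unless the ELF header says the object is 64-bit, which catches a 32-bit download on an amd64 system. The member name and plugin directory are assumptions; the demo builds its own throwaway tarballs with fake headers and downloads nothing.

```python
import io
import tarfile
import tempfile
from pathlib import Path

PLUGIN_NAME = "libflashplayer.so"  # assumed to sit at the top level of the tarball

def elf_class(data: bytes) -> int:
    """Return 32 or 64 for an ELF header, or 0 if the bytes are not ELF at all."""
    if len(data) < 5 or data[:4] != b"\x7fELF":
        return 0
    return {1: 32, 2: 64}.get(data[4], 0)  # byte 4 is EI_CLASS

def extract_plugin(archive: Path) -> bytes:
    """Pull only the plugin member out of the tarball, ignoring anything else."""
    with tarfile.open(archive, "r:gz") as tar:
        member = tar.getmember(PLUGIN_NAME)  # KeyError if the archive lacks it
        if not member.isfile():
            raise ValueError(f"{PLUGIN_NAME} is not a regular file in {archive}")
        return tar.extractfile(member).read()

def install_plugin(archive: Path, plugin_dir: Path, want_bits: int = 64) -> Path:
    """Write the plugin into plugin_dir only if its ELF class matches want_bits."""
    data = extract_plugin(archive)
    bits = elf_class(data)
    if bits != want_bits:
        raise ValueError(f"{PLUGIN_NAME}: ELF class {bits}, expected {want_bits}")
    plugin_dir.mkdir(parents=True, exist_ok=True)
    dest = plugin_dir / PLUGIN_NAME
    dest.write_bytes(data)
    return dest

def make_sample_archive(path: Path, header: bytes) -> Path:
    """Constructed test tarball holding a fake plugin that starts with header."""
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo(PLUGIN_NAME)
        info.size = len(header)
        tar.addfile(info, io.BytesIO(header))
    return path

def demo() -> dict:
    """Accept a constructed 64-bit header, reject a constructed 32-bit one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = make_sample_archive(root / "good.tar.gz", b"\x7fELF\x02\x01\x01")
        bad = make_sample_archive(root / "bad.tar.gz", b"\x7fELF\x01\x01\x01")
        dest = install_plugin(good, root / "plugins")
        try:
            install_plugin(bad, root / "plugins")
            rejected = False
        except ValueError:
            rejected = True
        return {"installed": dest.name, "bits": elf_class(dest.read_bytes()),
                "rejected_32bit": rejected}
```

For the real download, point install_plugin at the saved tarball and the plugin directory your browser actually scans, as the note above says.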
