Exactly how rooting works

Mar 3, 2012
Are there any posts (when googling, I could not find any) that tell you EXACTLY how the general rooting exploit works, with examples? At first, I was satisfied that it remounted /system as rw, installed su and Superuser.apk, but now I really want to be able to understand how it works. How does it get permission to remount /system in the first place? Really, for my own educational purposes, I want to find/create/%s a rooting exploit, or something, so I really understand how it works. Are there any articles/posts on how rooting works exactly with (hopefully) code examples, and a getting-started article/post on where to get started with this stuff?
I know someone will ask this, so: I have a rooted Optimus S with gROM 2.2 and have a little experience with Java.

JerryScript

Daydream Believer
Mar 8, 2011
I don't know of any posts or articles specifically about the generic rooting process. Each exploit takes advantage of a different weakness in the system.

For example, a recent exploit known to work on at least one device (and probably most devices) takes advantage of the init process changing permissions during boot. It makes a symlink between the recovery partition and a file known to be given r/w permissions during boot in order for ini files to be parsed. Since the recovery partition is symlinked to this file, it also is given r/w permissions. It only lasts for a single boot, so you have to install a custom recovery before rebooting again. This exploit doesn't attempt to gain root, it simply finds a way to change permissions allowing you to install a custom recovery, which can then be used to flash the generic su and superuser files necessary for rooting.

Note: this exploit has been properly reported to AOSP. ;)
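The weakness JerryScript describes is an init-time permission change that follows a symlink planted at the path it expects. The following is an added example, not code from the thread or from AOSP, contrasting that pattern with a hardened one that refuses to follow symlinks; it assumes a POSIX system with a writable /tmp.

```c
/* Added example (not from the thread): chmod() resolves symlinks, so a mode
 * change aimed at an expected file lands on whatever the link points to. The
 * hardened version opens with O_NOFOLLOW and chmods the descriptor instead. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: the kernel follows the symlink before applying the mode. */
int chmod_naive(const char *path, mode_t mode) {
    return chmod(path, mode);
}

/* Hardened pattern: reject symlinks (open fails with ELOOP) and anything that
 * is not a regular file. Returns 0 on success, -1 with errno set. */
int chmod_nofollow(const char *path, mode_t mode) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed sandbox: a regular file plus a symlink to it in a temp dir.
 * Returns 1 if the naive call changed the target through the link while the
 * hardened call refused the link yet still worked on the real file. */
int demo_symlink_chmod(void) {
    char dir[] = "/tmp/chmoddemoXXXXXX";
    char target[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(target, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink(target, link) < 0) return 0;
    close(fd);
    int naive_followed = chmod_naive(link, 0666) == 0 &&
                         stat(target, &st) == 0 && (st.st_mode & 0777) == 0666;
    int hardened_refused = chmod_nofollow(link, 0666) < 0 && errno == ELOOP;
    int regular_ok = chmod_nofollow(target, 0600) == 0;
    unlink(link); unlink(target); rmdir(dir);
    return naive_followed && hardened_refused && regular_ok;
}
```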

Paul627g

AC Moderator All-Star
Moderator
Nov 25, 2010
Exploits are now becoming a thing of the past since Gingerbread was released. GB marked a new rule in the world of exploits, with Google, the carriers and manufacturers working together to close up the many known holes in the OS and other areas that were commonly explored to gain root access.

Now it's become almost second nature to flash a custom recovery in place of the stock recovery and then, from there, apply a custom kernel with root baked in, or Superuser by itself. The methods vary, but it seems like now the main "backdoor or exploit" into the device is first getting a custom recovery on the device and going from there.

Note: I'm not as well schooled in these areas as our true devs like JerryScript, but I've been around long enough to have seen much of what has gone on...