Easy Rooting for MIDx024

Discussion in 'Coby Generation 2 Technical' started by lfom, Nov 1, 2011.

  1. lfom

    lfom Senior Member Developer

    Joined:
    Sep 12, 2011
    Messages:
    1,387
    Likes Received:
    240
    Trophy Points:
    162
    Location:
    Brasil
    Background

    steev found out that init.rc runs a shell script called "install-recovery.sh" during boot with root privileges. The file is located in /etc, which is also writable, so even with stock Android one should be able to copy files to this folder. More info in steev's initial post here. His solution requires Python for Android to be installed, so I decided to create a "simpler" solution that only requires adb or terminal.

    This RootKit has su and Superuser.apk, both from the signed package from the adroidsu.com website. Should work with any MIDx024 (7024, 8024, 1024) tablet with Froyo installed. May work with other models if the requirements in the original thread by steev are met.

    PS: it seems that AllDro2-derived custom ROMs do not allow writing to /etc, so you cannot use this. Anyway, most custom ROMs already come with root activated, so it's not a big deal.
    PS2: I will check steev's suggestion for the debuggerd method and add a universal build if it works on both Froyo and Gingerbread.


    Installation

    1. Using Terminal Emulator
    - download file, unzip contents to a folder (for instance, /sdcard/RootKit - it will hold 4 files: install-recovery.sh, patch2.sh, su and Superuser.apk);
    - Open Terminal Emulator and run these commands, using ENTER/RETURN at the end of every line, replacing "/sdcard/RootKit" with the path to the downloaded files:
    Code:
    cp /sdcard/RootKit/* /etc/
    chmod 777 /etc/install-recovery.sh
    - close Terminal Emulator and reboot.

    2. Using adb
    - download file, unzip contents to a folder (for instance, a folder "RootKit" where you can call adb from)
    - Use these adb commands, replacing "RootKit" with the actual folder name containing the downloaded files:
    Code:
    adb push RootKit /etc/
    adb shell chmod 777 /etc/install-recovery.sh
    - remove USB and reboot tablet.

    If all goes OK, you will see Superuser app in your apps drawer and a 0 bytes "logrooting.txt" in /etc folder (you can delete it as root now). If it doesn't work, logrooting.txt should help to find out the problem. Superuser.apk is installed in the /system partition, so it will remain even after a factory reset or "SD card init". Enjoy! ;)


    V1.0
    Download link: RootKit - Minus.com
    MD5 2B:18:14:92:ED:96:31:B7:9E:88:27:C5:5C:BB:13:40

    PS: this version has only 3 files (no patch2.sh) and logrooting.txt is written in root folder.


    V1.1
    Download link: http://min.us/lbkxrWvFDv5A1Y
    MD5 8B:FF:20:B6:34:2F:C0:A0:40:13:21:BD:4C:28:90:75

    Changelog
    - fixed busybox fixing
    - logrooting.txt moved to /etc for cleanness and easy deletion
    - after installation, security hole is patched (install-recovery.sh can be modified only with root privileges)
    - security patch displayed in dmesg.

    V1.2
    Download link: http://min.us/lUK0F1CU2bOOe
    MD5 26:1E:DC:08:2D:0A:5D:1A:AA:2E:08:62:A8:EE:A9:38

    Changelog
    - Updated su (3.0.3) and Superuser.apk (3.0.6)
    - security patch updated with steev's tip


    Props to steev for the idea and the logging mechanism.
     
    Last edited: Jan 19, 2012
  2. steev

    steev Senior Member Developer

    Joined:
    Sep 3, 2011
    Messages:
    370
    Likes Received:
    236
    Trophy Points:
    132
    Tablet / Device:
    Coby Kyros MID7024
    Cool.

    I don't think /etc is writable on the urbetter gingerbread builds, at least not on the Alldro2 firmware.

    However, /system/bin is writable and the file /system/bin/debuggerd gets run as root by init.rc.
    So you can place your own script there.
     
  3. lfom

    Hmmm, I think it is. I should release a new version of my CFW soon with the system enhancements you've added to your latest version (if it's OK with you, of course) so I will be able to test this. But here it seems that /etc is drwxrwxrwx. Actually, I think it's a big security hole, so I will add a patch that will make install-recovery.sh writable by root only.
     
  4. lfom

    True. I was using another firmware and probably one of the patches I used made /etc writable. I have added the info, and also a new version that patches the security hole after enabling root. ;)
     
  5. steev

    /etc is a symlink (shortcut) to /system/etc

    Symlinks always appear to be 777 for some reason, so that may have confused you, but really they have the same permissions as the file they point to.
    /system/etc is 777 on Froyo, 755 (or something like that) on Alldro2 Gingerbread

    And sure if you like any of the changes I made to my firmware, feel free to use them in your own.
     
  6. steev

    Unfortunately, your patch doesn't fully close the security hole.

    Since everyone has write permission to /system/etc, they can still rename or delete the file with "mv -f" or "rm -f"

    A possible solution is to change the permissions of /system/etc to 1777.
    The 1 sets the Sticky bit, which prevents users from renaming or deleting files that don't belong to them.

    Something like this should do it:
    Code:
    sed -i -e 's:0777:1777:g' /init.rc
    
    (replaces all occurrences of '0777' with '1777' in /init.rc)
     
  7. lfom

    I will go back to Froyo in order to test HDMI with sound and I will take a look into it. Thanks!
     
  8. lfom

    Even if "install-recovery.sh" is owned by root?

    I will try setting it to 1744 (just the file) and see if it works...
     
  9. jonataapolinario

    jonataapolinario Member

    Joined:
    Nov 5, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    60
    Tablet / Device:
    coby kyros 1024
    Hi all!
    I'm new to the Android world, and I did the root, but after rooting the USB doesn't work. On the PC it appears as Unknown device.
    I tried with Z4Root and with this method, and both give the same result.

    Another thing I don't know if it's right: when I try to ping (in an application and in the console, the same) it returns "operation not permitted". When I do "su" in the console and then ping, it works. Is it right that I need to "su" before doing root executions? And how can I "su" in that other application? Or is my superuser not running correctly?

    My device is a Coby Kyros 1024 4GB.
    Thanks
     
  10. steev

    Yes, you can do this to test:
    Code:
    $ su
    (now we're root)
    # mkdir /test
    # chmod 777 /test
    # touch /test/owned_by_root
    # chown 0:0 /test/owned_by_root
    # chmod 0744 /test/owned_by_root
    # exit
    (now we're user)
    $ touch /test/malicious_script
    $ mv -f /test/malicious_script /test/owned_by_root
    (owned_by_root overwritten by malicious_script)
    
    Now try with "chmod 1777 /test", it doesn't work

    Also, my fix was bad since it changes the permissions of files other than /etc, just put a chmod 1777 /etc in your install-recovery.sh
     
    Last edited: Nov 5, 2011
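
An added example, not part of any post in this thread: a POSIX shell audit for the condition discussed above, where a script that init runs as root sits in a world-writable directory. The function name `audit_boot_script` and its optional owner-UID argument are assumptions made for illustration; the check follows symlinks the way steev describes for /etc and also covers a case the thread does not test, a script that is missing from a writable directory.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a script that init runs as root.
# Usage: audit_boot_script PATH [OWNER_UID]   (OWNER_UID defaults to 0, root)
# Returns 0 when clean, 1 when an unprivileged user could replace the script.

# "ls -L" follows symlinks, so a link such as /etc is judged by the real
# directory's mode, not by the lrwxrwxrwx shown for the link itself.
perm()   { ls -ldLn "$1" 2>/dev/null | cut -c1-10; }
uid_of() { ls -ldLn "$1" 2>/dev/null | awk '{print $3}'; }

audit_boot_script() {
    file=$1; want_uid=${2:-0}; dir=$(dirname "$file"); rc=0
    dperm=$(perm "$dir")
    [ -n "$dperm" ] || { echo "ERROR cannot stat $dir"; return 2; }
    d_write=$(printf %s "$dperm" | cut -c9)    # w = others may write
    d_sticky=$(printf %s "$dperm" | cut -c10)  # t or T = sticky bit set

    if [ ! -e "$file" ]; then
        # The sticky bit does not stop anyone creating a missing file.
        if [ "$d_write" = w ]; then
            echo "FAIL $file absent and $dir ($dperm) is world-writable"; rc=1
        fi
        return $rc
    fi
    if [ "$d_write" = w ]; then
        case $d_sticky in
            t|T) ;;  # rename/delete limited to file owner, dir owner, root
            *) echo "FAIL $dir ($dperm) world-writable, no sticky bit"; rc=1 ;;
        esac
    fi
    # An owner other than the expected one can rewrite or chmod the file.
    if [ "$(uid_of "$file")" != "$want_uid" ]; then
        echo "FAIL $file not owned by uid $want_uid"; rc=1
    fi
    fperm=$(perm "$file")
    if [ "$(printf %s "$fperm" | cut -c9)" = w ]; then
        echo "FAIL $file ($fperm) is world-writable"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /etc/install-recovery.sh
if [ $# -gt 0 ]; then audit_boot_script "$@"; fi
```
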
  11. lfom


    Sorry, I missed your post... Yes, that's exactly what su is supposed to be used for: running certain apps that need superuser privileges. But I don't think it would interfere with USB. By any chance, did you change your USB from device to host mode in Settings? If yes, you must change it back so the computer can 'see' the tablet.
     
