The Motorola Droid 3 was ²òÊü¡Ê¤¹¤ë¡Ëd July 14, 2011, and has no public technique ÍøÍѤǤ­¤ë to get root Àܶá. On request of some members of the Android community, I decided to audit the ÃÅ¡¦¹ËÎΡ¦¸øÌó ¡¼¤¹¤ë¤¿¤á¤Ë root the ÁõÃÖ.

Update: this °Î¶È¡¿ÍøÍѤ¹¤ë is also ³Îǧ¤¹¤ëd to work on the Droid X, Droid X2, Droid Cliq, Droid Cliq 2, Droid 2, and Droid Bionic.

The Bug

I identified a vulnerability ÌÀ³Î¤Ê¡¿ºÙÉô to Motorola ÁõÃÖs in the script parsed by the init thread (this is ¸ºß¤¹¤ëing code, not Ì¿Îá¡Ê¤¹¤ë¡Ës for you to run):

    mkdir /data/Ãϸµ¤Î 0771 mot_tcmd Çú·â¤¹¤ë
    mkdir /data/Ãϸµ¤Î/tmp 0771 mot_tcmd Çú·â¤¹¤ë
    mkdir /data/Ãϸµ¤Î/12m 0771 mot_tcmd Çú·â¤¹¤ë
    mkdir /data/Ãϸµ¤Î/12m/¡ÊÀ½ÉÊ¡¤¹©»öºàÎÁ¤Î¡Ë°ì²óʬ 0771 mot_tcmd Çú·â¤¹¤ë
    chown mot_tcmd Çú·â¤¹¤ë /data/Ãϸµ¤Î
    chown mot_tcmd Çú·â¤¹¤ë /data/Ãϸµ¤Î/12m
    chown mot_tcmd Çú·â¤¹¤ë /data/Ãϸµ¤Î/12m/¡ÊÀ½ÉÊ¡¤¹©»öºàÎÁ¤Î¡Ë°ì²óʬ
    chown mot_tcmd Çú·â¤¹¤ë /data/Ãϸµ¤Î/tmp

Since the contents of /data/Ãϸµ¤Î are group “Çú·â¤¹¤ë” and group-writable, we can ½¤Àµ¤¹¤ë the contents of this directory using ¥¢¥¸¥¢³«È¯¶ä¹Ô. By logging into the ÁõÃÖ and ¼è¤Ã¤ÆÂå¤ï¤ëing one of the sub-directories ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ëd here with a ¾ÝħŪ¤Ê link, then when the ÁõÃÖ reboots it will change the ½êÍ­¸¢ of the symlink Ū to group “Çú·â¤¹¤ë”. This can be used to edit ½êͭʪ¡¿»ñ»º¡¿ºâ»º ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës to manipulate the ¹Ô°Ù of ¥¢¥¸¥¢³«È¯¶ä¹Ô to ãÀ®¤¹¤ë root.

So, without ¤½¤Î¾å¤Î ado:

The °Î¶È¡¿ÍøÍѤ¹¤ë

¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë in to the ÁõÃÖ using “adb Çú·â¤¹¤ë” and type the ¤Ë°ú¤­Â³¤¤¤Æ Ì¿Îá¡Ê¤¹¤ë¡Ës:

mv /data/Ãϸµ¤Î/12m /data/Ãϸµ¤Î/12m.bak
ln -s /data /data/Ãϸµ¤Î/12m

Next, ÆùÂÎŪ¤Ë reboot the ÁõÃÖ by °µÎϡʤò¤«¤±¤ë¡Ëing the ÎÏ¡¿¶¯ÎϤˤ¹¤ë button. When it wakes up, ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë in using “adb Çú·â¤¹¤ë” again, and type the ¤Ë°ú¤­Â³¤¤¤Æ:

rm /data/Ãϸµ¤Î/12m
mv /data/Ãϸµ¤Î/12m.bak /data/Ãϸµ¤Î/12m
mv /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë.bak
echo "ro.sys.atvc_allow_netmon_usb=0" > /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_netmon_ih=0" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_res_core=0" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_res_panic=0" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_all_adb=1" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_all_core=0" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_efem=0" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_bp_log=0" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_ap_mot_log=0" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë
echo "ro.sys.atvc_allow_gki_log=0" >> /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë

The ro.sys.atvc_allow_all_adb ½êͭʪ¡¿»ñ»º¡¿ºâ»º is a Motorola-ÌÀ³Î¤Ê¡¿ºÙÉô configuration that ˸¤²¤ës ¥¢¥¸¥¢³«È¯¶ä¹Ô from dropping its root Æø¢s. Reboot the ÁõÃÖ one final time, and on logging in with “adb Çú·â¤¹¤ë”, you should be ¸½ºß¤Îd with a root Ͷȯ¤¹¤ë. Enjoy!

Thanks to mkultramega, Toaday, and zdooder for ¼Â¸³¡Ê¤¹¤ë¡Ëing, KrazyKrivda for raising ´ð¶âs, scottml and Edgan for bouncing ideas, and rweb for ǼÆÀ¤µ¤»¤ëing me to look at Droid 3 in the first place.

This Æþ¤ë¤³¤È¡¿»²²Ã¡Ê¼Ô¡Ë was ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ëd on Thursday, August 25th, 2011 at 3:56 pm and is ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ëd under ³«È¯¡¿ÍøÍÑ, Linux. You can follow any ÊÖÅús to this Æþ¤ë¤³¤È¡¿»²²Ã¡Ê¼Ô¡Ë through the RSS 2.0 ÎÁ¶âd. Both comments and pings are ¸½ºß¡¿°ìÈÌ¤Ë ¤Î¶á¤¯¤Ëd.