Imagine the Windows or Apple operating system being released without "administrator" access.
That's Android.
The Android operating system by default prevents access to the [1.] internal /system and /data folders under the root or top-level folder from which all files can be reached.
"Rooted" means being able to view and manipulate files and folders in root (system) folders. "Rooting" is the set of steps taken to acquire those elevated privileges; on most devices, unsanctioned exploit mechanisms must be used to do so.
By default the Android operating system prevents file explorers and other apps from accessing files in those protected folders. So (ironically, in the name of safety) only partial backups can be performed on Android devices that have not been rooted; after rooting, complete backups can be taken.
This may be because mobile device manufacturers want users to use only their own backup software, such as the widely derided Samsung Kies. Apple's strategy is that all media (music, videos, books, etc.) be purchased through its iTunes store.
"Bloatware" apps that wireless carriers (such as AT&T, Sprint, Verizon, etc.) preload on devices cannot be uninstalled like user-installed apps because they live in the /system/app folder, which ordinary users cannot reach. When the device is "rooted", carrier-imposed apps can be removed to free up the limited storage and memory on mobile devices. Current restrictions seem meant to ensure that regular users have to live with what is provided to them. Rooting is also needed to remove carrier-imposed CarrierIQ logging of every user action.
Rooting may finally come to an end when device manufacturers beef up their security mechanisms.
Samsung is shipping Secure Boot to prevent the loading of operating systems which do not carry a Samsung-issued cryptographic signature (X.509 certificate).
QUESTION: Does this mean a network connection is needed to check revocation?
To detect tampering, Samsung has TIMA (TrustZone-based Integrity Measurement Architecture), where TrustZone is ARM's hardware security extension.
Samsung trademarked the acronym KNOX (as in Fort Knox, where the US government is supposed to keep its gold) for its container holding secure apps, with a separate home page of secure apps.
SE for Android (Security Enhancements for Android) enforces Mandatory Access Control (MAC) policies to isolate applications and data within the platform.
Two of the most common exploits used to root Android are [18.] Odin and [17.] SuperOneClick.
These somehow manage to install a [2.] su binary in the /system/bin or /system/xbin directory.
The su executable program was written by British developer Adam Shanks, aka ChainsDD. To confirm whether a phone has been rooted, look for the Superuser app icon on the desktop/home screen and in Settings > Options > Applications. The text in the crossbones icon is hex for "codetolive livetocode".
[3.] The Superuser.apk app in the /system/app directory provides a GUI to approve or deny the use of root access, whitelisting other apps and thus enabling them to run with impunity. A different version of Superuser is needed for each version of Android (cupcake/donut, eclair/froyo, etc.), so the icon can change.
[4.] Custom Java Android app programs such as APP: Root Checker (by joeykrim), which does not itself require a rooted phone, can determine whether the phone has been rooted. It may use code like this, which checks whether an exec of su returns without error:
import java.io.IOException;

// Returns true when an su binary can be executed. Runtime.exec("su") throws an
// IOException if no su binary is found on the PATH, which is the case on an
// un-rooted phone.
static boolean canExecSu() {
    Runtime runtime = Runtime.getRuntime();
    try {
        Process process = runtime.exec("su");
        process.destroy();   // do not leave a root shell waiting for input
        return true;
    } catch (IOException e) {
        // Error occurred while executing command: does not have root.
        return false;
    }
}
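The exec("su") test above is one indicator. As an added example (not code from the page or from Root Checker), the script below generalises it into the set of indicators an enterprise compliance check would look at from the host side, fed from `adb shell` output: the build signing tags, the su binary at the /system/bin and /system/xbin paths named above (plus /sbin/su, an assumption), and the Superuser manager package. The package name com.noshufou.android.su is assumed to be ChainsDD's Superuser; the sample output at the bottom is constructed.

```python
"""Host-side root-indicator check assembled from `adb shell` output.

Added example, not code from the page or from Root Checker. All sample
output below is constructed.
"""
import subprocess

# Paths the page names for the su binary, plus /sbin/su which some ROMs use.
SU_PATHS = ["/system/bin/su", "/system/xbin/su", "/sbin/su"]
# Package name of ChainsDD's Superuser.apk (assumed; adjust for other managers).
SUPERUSER_PACKAGES = {"com.noshufou.android.su"}


def assess_root_indicators(build_tags, su_listing, package_listing):
    """Return a list of human-readable root indicators found in the three outputs.

    build_tags      -- output of `getprop ro.build.tags` ("test-keys" on self-signed ROMs)
    su_listing      -- output of `ls -l` over SU_PATHS (toolbox prints one line per path)
    package_listing -- output of `pm list packages` ("package:<name>" per line)
    """
    findings = []
    if "test-keys" in build_tags:
        findings.append("build signed with test-keys (custom ROM)")
    for line in su_listing.splitlines():
        line = line.strip()
        if not line or "No such file" in line or "not found" in line:
            continue  # toolbox reports a missing path on its own line
        parts = line.split()
        mode, name = parts[0], parts[-1]
        # A setuid bit on the binary means any app that can run it gets uid 0.
        if "s" in mode[1:4]:
            findings.append("setuid su binary present: " + name)
        else:
            findings.append("su binary present: " + name)
    for line in package_listing.splitlines():
        pkg = line.strip()
        if pkg.startswith("package:"):
            pkg = pkg[len("package:"):]
        if pkg in SUPERUSER_PACKAGES:
            findings.append("root manager app installed: " + pkg)
    return findings


def assess_attached_device(serial=None):
    """Collect the three outputs over adb from a connected device (not run offline)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]

    def run(cmd):
        return subprocess.run(base + [cmd], capture_output=True, text=True).stdout

    return assess_root_indicators(
        run("getprop ro.build.tags"),
        run("ls -l " + " ".join(SU_PATHS)),
        run("pm list packages"),
    )


if __name__ == "__main__":
    # Constructed sample output standing in for a rooted phone.
    for finding in assess_root_indicators(
        "test-keys",
        "-rwsr-sr-x root root 22228 2011-09-18 12:00 /system/xbin/su\n"
        "/system/bin/su: No such file or directory\n",
        "package:com.android.settings\npackage:com.noshufou.android.su\n",
    ):
        print(finding)
```

The listing parser keys on the mode string rather than the path because older toolbox `ls -l` prints only the file name for a single-file argument; the setuid bit is the strongest of the three indicators, since it is what lets any app that can spawn su become uid 0.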
YOUTUBE: Here's Why You Should Root Your Android Phone by pocketnowvideo
YOUTUBE: Android Guy Weekly: To Root, or Not To Root by pocketnowvideo mentions CyanogenMod which replaces firmware on devices. [Wikipedia]
ARTICLE: The Power of Rooting
ARTICLE: Why Root?
WIKIPEDIA: Rooting_(Android_OS)
The current situation is like buying a car with the hood welded shut. You can't get under the hood to fix an annoying noise. The only mechanics are in blind alleys. You go there and see teenagers wearing hoodies so you can't see their eyes. They talk among themselves in a language you can barely understand.
They ask you questions about your phone you don't know the answer to. They say "each combination of device x modem version x carrier x country requires a different technique, such that using an exploit meant for another combo may 'brick' a device (render it about as useful as a mud brick)."
They each contradict one another, so you don't know which one to believe. Each of them holds out a different bottle.
So you pick one -- the bottle with a skull and crossbones on it. As they hand it to you they say that it may blow up your car.
You cross your fingers as you pour it in your gas tank. Poof. Your car hood pops open.
As you drive away you realize that now anyone can open your hood and take the battery and alternator from your car.
This is the situation with mobile phones in the US. Most enterprises, especially fiduciary banks and health care organizations, are concerned that rooting would expose them to vulnerabilities.
Since the devices operate "in the wild" on the public internet, one feared scenario is for a malware IP scanner to discover a mobile device under test and somehow cause a virus to infect it, or for the tester to visit a rogue website.
But are these vulnerabilities there even when devices are not rooted?
Capabilities available after rooting, such as tethering to turn the phone's network connection into a wi-fi router for Windows/Mac clients, mean less money for wireless carriers. So carriers:
On July 26, 2010, the U.S. Copyright office announced a new exemption making it officially legal to root a device and run unauthorized third-party applications, as well as the ability to unlock any cell phone for use on multiple carriers. In China and some other countries, users need no such ruling.
Recent Motorola phones (Devour, Droid X, Droid 2, Droid Pro, Atrix, etc.) have signed boot partitions, which render them unfriendly for rooting. Motorola's purchase by Google may not change this, as it's an enterprise requirement. A similar secure boot mechanism is being introduced into Windows 8.
Barnes & Noble’s NOOK Tablet has a locked bootloader.
Early roots of Amazon's Kindle Fire for Ice Cream Sandwich had difficulty with sound drivers.
WEBSITE: This HTC portal website lists HTC devices since 2011, and provides (for registered users) a "Begin Unlock Bootloader" button. As this diagram illustrates, a fastboot command requests the device identifier token for submission to HTCdev.com, which after validation emails back an Unlock key for use by the unlock command on the device. But the Droid DNA from Verizon is not listed.
Ironically, the "cat and mouse" game of ever increasing sophistication in anti-rooting requires ever more invasive rooting techniques. Since Sep 21 2012, Verizon has offered a $600 "Developer Edition" S III, when it began selling the regular Samsung Galaxy S3 with a locked bootloader. This prevents flashing (via Odin) of a custom recovery kernel. So Rootzwiki responded by offering an older bootchain with which to flash the custom recovery kernel, then flashing the fully unlocked bootloader from that custom recovery. Just another speed bump.
The Google Nexus 4 smartphone running stock Android 4.2 sells for $299, without a contract, on Amazon. A 16GB Samsung Galaxy S4 with stock Android 4.2, an unlocked bootloader and no bloatware can be purchased on the Google Play store for $649. It has LTE for use on AT&T and T-Mobile.
It is confusing to read websites and videos on rooting because the procedure to obtain root access is different for each model of phone from each manufacturer. US and international versions may also require different methods. Rooting methods also change over time, but obsolete methods still clutter the internet, confusing people who have better things to do than keep up with such matters.
The fear with rooting is that it introduces something which has not been adequately vetted for security by corporations such as Symantec or HP Fortify who provide enterprise security services.
But I don't think any legitimate large company is likely to step forward and stand behind any rooting mechanism because the cost of possible lawsuits and hassles with carriers likely won't offset the revenue from selling rooting services.
CAUTION: So rooting is likely to remain in hobbyist hands. This is the most troubling issue to me. On the one hand, since hobbyists are not professionals working with "adult supervision" in corporations, it's less obvious if one of them goes rogue and implants malware. On the other hand, wide variation in device manufacturers, models, and operating systems means the small community of hobbyists cannot produce all root kits for every phone soon after public release.
Thus I call on the professional software developer and testing technical community to help out here and apply their expertise. What is needed is some group to define a rigorous approach to evaluating root mechanisms and ROMs. More open, objective evaluations are needed.
For Windows, Odin Multi Downloader works with USB drivers for Samsung phones.
Adam Outler, an XDA Elite Recognized Developer, came up with a CLOUD approach, downloadable here.
BusyBox by Stericson (Stephen Erickson) enables scripting operations.
ClockworkMod Recovery (CWM):
CyanogenMod by developer Cyanogen (Steve Kondik) ( WIKIPEDIA) ironically requires a hack to establish a more secure VPN client connection, and purportedly offers higher reliability than official firmware.
Using Windows, download from MultiUpload I777UCKH7 OCD Root No BL.exe, the "Return/Unbrick to Stock, Kernel + Rooted System Package plus stock modem" (contains stock zImage, factoryfs.img with root, and modem.bin) by Entropy512 (Andrew Dodd). Double-click on it to start the Odin3 One-Click Downloader program.
From Apple Mac or Linux, download Heimdall rooting files (by clicking "CLICK HERE to Download", not the big Download button).
SAMMobile.com/firmwares/ provides firmware for devices. For the Verizon Galaxy S3 SCH-I535: http://www.sammobile.com/firmwares/3/?download=14741
chainfire.eu
phonerebel.com
What about rooting devices only during testing, not during production use?
[34.] Root-friendly devices such as the Google-branded Nexus line of devices, HTC, and some other manufacturers allow rooting without the need for an exploit by running the fastboot program within Google Android SDK for Windows.
Sony Ericsson Xperia GSM phones also require a key. Their X10 and CDMA phones cannot be unlocked because of signed boot partitions.
< waiting for device > will appear forever if your phone is not recognized. In this case, press Ctrl-C to exit.
z4mode
The following instructions apply to earlier HTC devices:
[5.] On Windows clients, first make the phone install its USB HBOOT driver on your Windows machine by using an alternate power-up mode:
[7.] Update USB drivers:
Obtain and run rooting programs:
WEBSITE: Unrevoked.com offers an approach that bypasses "NAND locks" (whatever that is) with:
TOOL: Unrevoked3 to root Android 2.2 wireless smartphones from HTC:
TEST: After the phone reboots on its own, a [3.] "Superuser Permissions" app should display in the app tray.
On Samsung phones, establish a USB connection so that [16.] adb can interact with the device.
Samsung Kies software uses MTP (Media Transfer Protocol) mode over the USB cable to talk to Android devices. This is why an "MTP connected" notification appears.
Enabling USB Debugging switches the Android device to USB transfer mode. This causes Kies to issue the error "Reconnect the device in Samsung Kies (PC Studio) mode. Current connection Mode not supported by Kies".
Android uses a fork of the Linux kernel for its security model and its drivers for many common devices.
Rooting Android devices involves the use of Linux conventions.
Rather than use the standard copyleft Linux libc, Android created its own BSD-based, closed-source, faster and smaller libc, called Bionic C (which uses 4-byte rather than 12-byte mutexes). Whereas POSIX SHM cannot be, Android's reference-counted Ashmem (Anonymous SHared MEMory) can be freed automatically, by an mmap() call after an ashmem_create_region() call. To allocate process memory shared between userspace and kernel drivers (for DSP, GPU, etc.), a pmem() call is made after ashmem_create_region().
NOTE: Unlike other Linux OSes (such as CentOS and Ubuntu running on PCs), the Android installer does not include X11 windowing and related utilities.
TIP: Look for these features in rooting offerings:
[13] When users hold down just the power button, a connection is made from the battery to the boot loader, which loads binary executable resources (the operating system kernel) from firmware into dynamic RAM, where programs are executed.
The boot loader senses what keys were pressed to determine what to boot (normal boot, recovery mode, download mode).
Firmware is also (incorrectly) called "ROM". By definition, ROM (Read-Only Memory) cannot be written to or modified. So in the context of Android devices, "ROM" is a contraction of EEPROM -- the NAND type of WIKIPEDIA: Flash Memory, in which "flash" is an analogy of a camera flash imprinting new patterns on memory logic (as if it actually could).
TIP: Backup the EFS partition which holds the device's IMEI, MAC address, etc.:
adb shell
su
dd if=/dev/block/stl4 of=/sdcard/efs.rfs
TIP: Backup the user data partition which holds passwords, emails, etc.:
adb shell
su
dd if=/dev/block/stl14 of=/sdcard/userdata bs=4096
Verify the /dev/block ???
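A backup made with dd is only worth having if the copy that reaches the host is intact. As an added example (not the page's own procedure), the script below pulls the image with `adb pull`, has the device compute its MD5 with busybox (the page lists BusyBox among the tools installed on rooted devices), and compares that digest with the host copy's, so a truncated or corrupted transfer is caught before the image is ever relied on. The `adb` calls are only exercised with a device attached; the sample image written at the bottom is constructed.

```python
"""Verify a partition backup after pulling it from the device.

Added example, not code from the page. The sample image is constructed.
"""
import hashlib
import re
import subprocess

MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte partition images do not sit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_md5sum_output(text):
    """Map path -> digest from busybox/GNU `md5sum` lines ('<hex>  <path>')."""
    digests = {}
    for line in text.splitlines():
        m = MD5SUM_LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1).lower()
    return digests


def verify_pulled_backup(local_path, device_md5sum_output, device_path):
    """Return (ok, message) comparing the host copy against the on-device digest."""
    digests = parse_md5sum_output(device_md5sum_output)
    expected = digests.get(device_path)
    if expected is None:
        return False, "device did not report a digest for " + device_path
    actual = file_digest(local_path)
    if actual != expected:
        return False, "digest mismatch: device %s, host %s" % (expected, actual)
    return True, "backup verified: " + expected


def pull_and_verify(device_path, local_path):
    """Pull the image over adb and verify it (needs a connected device; not run offline)."""
    subprocess.run(["adb", "pull", device_path, local_path], check=True)
    out = subprocess.run(["adb", "shell", "busybox", "md5sum", device_path],
                         capture_output=True, text=True).stdout
    return verify_pulled_backup(local_path, out, device_path)


def write_sample_image(path, data=b"constructed EFS image, not a real partition\n" * 64):
    """Write a constructed stand-in for a pulled image and return its MD5."""
    with open(path, "wb") as f:
        f.write(data)
    return file_digest(path)


if __name__ == "__main__":
    md5 = write_sample_image("constructed_efs.rfs")
    # Stand-in for what `busybox md5sum /sdcard/efs.rfs` would print on the device.
    print(verify_pulled_backup("constructed_efs.rfs", md5 + "  /sdcard/efs.rfs\n",
                               "/sdcard/efs.rfs"))
```

Keep the verified digest next to the backup file: it is what lets you tell later, before restoring, whether the image on disk is still the one you took.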
CAUTION: The concern is that people are blindly installing software from those they don't really know. So far, hobbyists creating ROMs have not created malware. But who knows what the future holds.
TIP: Rather than executables which are difficult to examine, prefer rooting tools using open mechanisms such as shell scripts (.bat files for Windows and .sh for Mac/Linux). This provides a way to see what exactly is being changed and how it is being done, even if it's not examined unless there is a problem.
The CSC (Customer Software Customization) area stores the packages, APN settings, and branding specific to each geographical region and carrier/service provider.
There are several rules which custom ROMs need to follow (and which cause problems if not), such as PIT files being in little-endian format (where the bytes of a multi-byte number are stored least-significant first, so hex dumps read "backward"); and each image needs to fit within the partition size defined for it in the PIT (Partition Information Table) used.
Odin needs the tar files to be in the USTAR format. I haven't seen a free program that can write these other than the GNU Linux tools, hence why I use Cygwin.
TIP: Prefer Odin for Windows and Heimdall for Mac. Neither specifies which PIT to use; they just send the files along with an ID that tells the device WHAT will be flashed. The device decides according to its PIT WHERE it will be flashed.
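Both rules above can be checked on the host before anything is sent to the device. The script below is an added example (not Odin's or Heimdall's code): it verifies that a flash package is a POSIX USTAR archive, that every image in it fits the partition the PIT defines for it, and shows how a little-endian PIT field is read. Because this page does not describe the PIT binary layout, partition sizes are passed in as a constructed dict; the image names follow the page (zImage, factoryfs.img) and the tar files written at the bottom are constructed.

```python
"""Sanity-check an Odin flash package before flashing it.

Added example, not Odin's or Heimdall's code. Partition sizes and tar
contents below are constructed.
"""
import io
import struct
import tarfile

# POSIX ustar magic at byte 257 of each header; GNU tar writes b"ustar  \x00" instead.
USTAR_MAGIC = b"ustar\x00"


def read_le_u32(buf, offset):
    """Read an unsigned 32-bit little-endian field, the byte order PIT files use."""
    return struct.unpack_from("<I", buf, offset)[0]


def is_ustar_archive(path):
    """True when the first tar header carries the POSIX ustar magic."""
    with open(path, "rb") as f:
        header = f.read(512)
    return len(header) == 512 and header[257:263] == USTAR_MAGIC


def check_flash_package(tar_path, partition_sizes):
    """Return a list of problems (empty means the package passes both rules).

    partition_sizes maps image file name -> partition size in bytes, as the PIT
    would define it (constructed here, since the PIT layout is not on the page).
    """
    problems = []
    if not is_ustar_archive(tar_path):
        problems.append("archive is not in USTAR format")
    with tarfile.open(tar_path, "r") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            size_limit = partition_sizes.get(member.name)
            if size_limit is None:
                problems.append(member.name + ": no partition defined in the PIT table")
            elif member.size > size_limit:
                problems.append("%s: %d bytes exceeds partition size %d"
                                % (member.name, member.size, size_limit))
    return problems


def build_sample_package(tar_path, images, ustar=True):
    """Write a constructed tar from {name: bytes}, in USTAR or (for contrast) GNU format."""
    fmt = tarfile.USTAR_FORMAT if ustar else tarfile.GNU_FORMAT
    with tarfile.open(tar_path, "w", format=fmt) as tf:
        for name, data in images.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


if __name__ == "__main__":
    build_sample_package("constructed_flash.tar",
                         {"zImage": b"k" * 1000, "factoryfs.img": b"f" * 5000})
    print(check_flash_package("constructed_flash.tar",
                              {"zImage": 4096, "factoryfs.img": 4096}))
    print(hex(read_le_u32(b"\x00\x10\x00\x00", 0)))  # bytes 00 10 00 00 read as 0x1000
```

The magic check reads the raw header rather than asking the tarfile module, because the module happily reads GNU-format archives too and does not expose which format a member was written in.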
Before starting this, do a full backup.
Because large files are loaded, begin with a fully charged device.
How to Root AT&T Galaxy S2 shows pressing all 3 buttons (Vol Up / Vol Down / Power) without first powering down.
Either way, the warning screen should appear, saying:
If you are NOT flashing, remove the USB cable and hold down the power button until the phone begins to reboot. Otherwise...
WARNING: Samsung and AT&T added to their Galaxy S II phones a way to detect whether rooting has occurred. When a device is returned for service or another reason, AT&T technicians check whether "CUSTOM BINARY DOWNLOAD: YES" is shown with a yellow warning triangle.
Hackers found that a micro-USB jig plug with 301,000 ohms of resistance connected across pins 4 and 5 forces the phone into
The flag is triggered by a counter which is set to YES when a non-stock binary (kernel/ROM) is flashed.
But hackers noticed that the flag is not triggered if
CAUTION: Obtain programs directly from those who created them, because download utility sites such as wupload.com and filesonic.com may offer obsolete or even malware-infused copies. Such sites obtain revenue from selling subscriptions for faster download speed and from clicks on their pop-up windows. Those who make their files available can get a commission from such subscriptions. This is a way authors can monetize their work. So don't click through, but do reward the author with a donation. It's only fair.
CAUTION: APK files must be converted to a flashable zip format file before being flashed on the device.
TIP: Create flashable zip files from original APK packages on the device so that you can revert back to untouched state.
Un-rooting brings the device back to conditions under warranty.
To transfer files, a telnet program is needed on each end.
On the Android:
A successful connection will show the # root prompt.
It's a good idea to backup original ROM so that one can return to it.
These apps make up the operating system that manages 7) custom apps downloaded from Android Market or another store.
[6.] On new devices, resources are flashed onto the "ROM" by device manufacturers. Such versions are nicknamed stock ROMs, versus custom ROMs created by hobbyists.
Who has them?
The Froyo version of Android has its ROM resources at:
* /system/framework/framework-res.apk
The file extension APK (Android Package File) contains a set of files Android can execute.
Gingerbread version phones have two ROM files:
* /system/framework/framework-res.apk
* /system/app/SystemUI.apk
Additionally, manufacturers add their own resources:
Samsung Froyo has a ROM at:
* /system/framework/twframework-res.apk
TOOL: apktool can be used to pull framework resources needed to build APKs for those phones.
$ apktool if com.htc.resources.apk
I: Framework installed to: /home/brutall/apktool/framework/2.apk
WEBSITE: miuiandroid.com / en.miui.com provides US English translations of ROMs coded in Simplified Chinese for users in the mainland China locale. It sports an iOS (iPhone) look and feel.
The original target was the Nexus One and HTC Desire, but CyanogenMod and others have ports to the Droid X, Evo 4G and others.
Due to licensing, AOSP ROMs not created by Google itself do not contain
APP: Google apps (GApps) such as Gmail, Android Market, Maps, and Voice Search.
So they must be downloaded separately. A different GApps package is needed for each version of CyanogenMod and for the dpi resolution supported by each device (from High to Medium to Tiny).
WEBSITE: http://wiki.rootzwiki.com/index.php/Google_Apps
APP: Root Booter from well-regarded Speed Software, for $.99, boots rooted devices into recovery mode without the finger gymnastics described below.
To put the older G1 phone into recovery mode, hold down the home button and press power.
To put a Samsung S2 (GT-I9100) phone (sold as the SGH-I777 on AT&T and SGH-T989 on T-Mobile) into recovery mode:
The stock Samsung Galaxy S2 phone offers this recovery menu:
If you are just visiting, when "reboot system now" is selected, press the power button to reboot to the screen normally seen.
Modified phones have more options and keys to navigate. In the CWM (ClockworkMod) Recovery menu, go back with the power button and select using home button. Added menu options include:
Backups should be done before any other actions after rooting, as they provide a restore point.
Backups can be done from an option after entering Recovery Mode.
A complete backup of all files from a device, including files which only the root user can read, is known as a Nandroid backup.
Those who get the heebie-jeebies while doing finger gymnastics prefer the comforts of an app for rooted phones:
ARTICLE: How to make a Comprehensive Backup of IMEI/EFS recommends the command adb reboot nvbackup to back up the "fsg" and "backup" block devices holding the IMEI.
QPST (Qualcomm Product Support Tool) is a Windows PC program used by service centre personnel to configure phones with Qualcomm chips connected via a data cable. It can be used to change the Carrier Banner, tweak the phone's speaker to make it louder, etc.
To issue commands to an Android device, one first has to connect from a Windows client machine to the phone, using a terminal app. There are several options.
Once installed, invoke it for its blue screen terminal view.
Type in su, then press the Enter (crooked arrow) key on your keypad.
Confirm the "Root access from the Super user Application" prompt.
Tap on “Allow to Proceed”.
GPS receivers can be slow -- as much as 12.5 minutes to acquire a location fix, even though the GPS system is designed to have several satellites visible from an unobstructed location. Being among large buildings (in Manhattan, New York) can cause GPS receivers to lose their fix.
To help in quickly determining a position, GPS devices also use Assisted GPS (A-GPS), which obtains satellite acquisition information via mobile data and/or WiFi connections. BTW, A-GPS data is obtained via the Secure User Plane Location (SUPL) protocol, by default on port 7276 from host supl.google.com.
A-GPS data can become incorrect or corrupted somehow. This may be the case after large earthquakes, which can move whole areas several meters.
To reset (flush) and re-download A-GPS data, make sure wi-fi is available, then install:
After installation, launch the app. Hit the Settings button > Tools, and Manage A-GPS state. Tap Reset, then "Download". When done, exit the app and see if Google Maps (or whatever GPS app you use) gets a quicker GPS lock.
If resetting the data doesn't do it, try rooting the device to run CM7, which enables access to /system/etc/gps.conf to remove the SUPL_HOST and SUPL_PORT specifications.
The "download" symlink used to receive downloads from Android Market can be changed from the default /cache/download folder.
After root access to the phone is established via a Terminal app, define a new folder on the SD card:
mkdir /mnt/sdcard/market-cache
Then su to get root access and define the new symlink:
ln -s /mnt/sdcard/market-cache download
Confirm the new symlink value and its access rights:
ls -ahl
Settings > Applications > Manage applications does not list system and stock default apps not installed by the device user.
After root access to the phone is established via a Terminal app, type these commands (substituting your-app-name for the name of your app; the block device behind /system varies by model, so check it with mount first):
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
ls /system/app
rm /system/app/your-app-name
mount -o remount,ro /dev/block/mtdblock3 /system
CarrierIQ is a rootkit. Devices are enrolled in Carrier IQ automatically.
Apple's iPhone 5 provides a Settings menu to switch off Carrier IQ (under Diagnostics).
HTC Android devices have no off switch.
Samsung Android devices have an on/off switch that is not easily accessible, and users are not told that it's there.
APP: Logging Checker by TrevE detects logging.
APP: $1 Logging TestApp Pro Key - ROOT by TrevE installs busybox for more automated operation and removal.
APP: $5 per month ClockworkMod Tether (no root) from ClockworkMod does not require rooting but costs money.
Carriers put limitations on this. But once rooted, the cellphone's wireless data connection can be passed through to a PC or Mac workstation.
barnacle app ???
For tethering, the Linux kernel needs to have the features CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_NETFILTER_XT_MATCH_MAC.
APP: MasquedCrusader from rooted-app specialist Soapbox Apps improves network speed by locally caching nameserver data and forcing the use of Google's fast DNS servers.
APP: MasquedCrusader Pro, for $4.99, also blocks ads and enables use of OpenDNS.
This is needed because Comcast hijacks invalid DNS lookups by sending users to the Comcast search site rather than returning an error. This fools Chrome into thinking a valid webpage is being visited, so it caches the page in the browser's history.
APP: GDE home screens which are selectable as a spinning cube. Some say it's more stable than PandaHome and OpenHome.
APP: LMT Launcher illustrated has pie controls invoked by long-pressing the side of the screen as an additional layer above the Android menu.
CAUTION: Due to differences in ROMs, theme files must be associated with a specific ROM.
WEBSITE: Ultimate Online Theme Kitchen provides a cafeteria-like approach to assembling a custom flashable zip compatible with ClockworkMod 3.
APP: File Expert reads as well as lists files, even within zip folders.
APP: Root Explorer, for $3.99, reads files as well as listing them.
APP: Android Optimizer has several utilities, including file explorer.
APP: SetCPU
APP: Spare Parts is like PowerTools for Windows, making it easier to tweak hidden settings.
This page summarizes Brian's page and the Sprint MSL code list.
A Master Subsidy Lock (MSL) code (such as ##868021# entered in the dialer instead of a phone number) accesses carriers' back-end functions in the carrier's EPST (Equipment Performance Support Tools).
To ensure that the Voltage: value is at least 3800 (mV), type *#0228# in the phone dialer without plugging in the USB cable.
Each carrier uses a different algorithm to create the MSL code based on each phone's ESN, so a different code is assigned to every customer/device. Sprint uses an 8-digit code. BlackBerry uses a 16-digit code.
CDMA phones also have a one-time Service Programming Code (SPC) to activate new phones.
Verizon uses CDMA.
T-mobile USA uses UMTS 3G data frequencies 1700/2100.
AT&T uses the GSM 3G band on 850/1900.
MSL codes are kept from consumers because carriers want to recoup the subsidy from charging a lower price for the phone at activation.
Carriers won't release the MSL nor activate a phone if that account has an outstanding balance. So before buying a second-hand phone, get the ESN and make sure it's clear.
Mistakes in rooting may require a hard reset of the device.
CAUTION: This wipes out everything on the device, which is why we do it.
Each device model has a different approach:
For the Samsung Galaxy S2, type this in your phone dialer: *2767*3855#
For the Nexus One:
1. Switch the phone off by holding down on the power button.
2. With the phone off, hold the Volume Down button, and
while still holding the Volume Down button, firmly press and release the Power button.
3. You'll boot into a menu with a white background, small text and the little skateboarding Android guys.
4. Press the Volume Down button until you reach the Clear Storage option.
5. Press the Power button to select Clear Storage.
6. Press Volume Up to confirm the selection. Sit back while your phone reboots in its virgin state.