Beginner's Guide to Android Rooting

arvin · 5 min read · Dec 11, 2020

Nearly every person on earth uses a smartphone. Smartphones make our lives easier and perform many tasks that make daily life more efficient. But what if I told you that all the smartphones we use are restricted and run with limited privileges?

They can do much more than these everyday tasks, but to unlock that we have to remove the restrictions and gain higher privileges on the device. On Android, this process of gaining higher privileges is known as rooting.

The lines above give the basic meaning of rooting, but I don't think they are enough to satisfy your curiosity, so let's dive deeper.

We all know that Android is a Unix-like (Linux-based) operating system, and most Unix-like operating systems define two types of users:

1. Normal user

A normal user has lower privileges on the device than the root user.

2. Root user

The root user has all privileges on the device. The root user is the equivalent of the Administrator account on Windows.

Every smartphone ships with a normal user account and no access to the root user. The process of gaining root access is known as rooting. After rooting, you can perform any task on the device.

But Android uses several security measures that act as hurdles to the rooting process. We will discuss those hurdles, but before going further I recommend learning the basic terminology used every day when talking about rooting.

  • ROM (Read-Only Memory)

A ROM is a system image of the operating system containing the executable code. The "stock ROM" comes installed on the device; a "custom ROM" comes from a third party.

  • Kernel

The kernel is the layer of software that manages communication between the hardware and the rest of the system. You can install a custom kernel on your device.

  • Radio

The radio is the part of the firmware that handles GPS, Wi-Fi and similar hardware. You can install a custom radio on your device.

  • Recovery

Recovery is a small piece of software on your phone that performs system-level tasks. The stock recovery can perform only a limited set of tasks; custom recoveries such as ClockworkMod (CWM) and TWRP (Team Win Recovery Project) can perform many more.

  • Flash

Flashing is the process of installing something on your device, whether a ROM, a kernel or a recovery, which usually comes in the form of a zip file.

  • Bootloader

As the name suggests, the bootloader is the lowest-level software on your phone and is necessary to start the operating system. Most bootloaders are locked, which means we cannot flash a custom recovery or ROM.

  • ADB

ADB stands for Android Debug Bridge. It is a command-line tool that runs on a computer and communicates with the device.

Android Environment and security measures

Every application installed on Android runs as an unprivileged user inside its own sandbox. The only ways to run a program as root are either to use su, which executes the setuid(0) system call, or to set the SUID bit on the program. Both operations are restricted on a normal device.

As a demonstration, let's check whether we can perform either task on a non-rooted Android device.

  1. Executing su

su

(image: output of executing su)

From the image above we can clearly see that su is not present on a non-rooted Android phone.

  2. Setting the SUID bit on a program

To execute the system call, let's build a binary from C source code.

gcc adb_suid.c -o adb_suid

Now let's transfer the binary to the target Android device.

adb push adb_suid /sdcard

Now, from an adb shell on the device, let's try to set the SUID bit and execute the binary.

chmod a+s adb_suid

./adb_suid

From the image above we can see that we can neither execute the binary nor set the SUID bit, because we are not sufficiently privileged.

If we launch a simple shell through ADB to execute commands on the Android OS, the privilege of those commands depends on the value of ro.secure, an Android system property that decides the privilege of the ADB shell. If ro.secure=0, the ADB shell runs commands as the root user; if ro.secure=1, all commands are executed as a normal (unprivileged) user.

Guess what ro.secure is set to on almost every stock OEM Android build. But can we change the value of ro.secure on a running system? The answer is no, as implied by the ro (read-only) prefix in the property name. Its value is set at boot time from the default.prop file in the root directory.

To check the value of ro.secure, execute the following command:

getprop ro.secure
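The following is an added example, not code from the article, showing how to read property dumps in the "[name]: [value]" format that getprop prints and decide whether the ADB shell would be a root shell. The property dumps are constructed for the example, not captured from a real device. The ro.secure rule is the one the article states; on top of it the code applies the override that AOSP's adbd uses for debuggable builds (ro.debuggable together with service.adb.root, which `adb root` and `adb unroot` set), which the article does not cover. Function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed getprop dumps (not captured from a real device). */
const char *STOCK_USER_DUMP =
    "[ro.build.type]: [user]\n"
    "[ro.debuggable]: [0]\n"
    "[ro.secure]: [1]\n";

const char *ENG_DUMP =
    "[ro.build.type]: [eng]\n"
    "[ro.debuggable]: [1]\n"
    "[ro.secure]: [0]\n";

const char *USERDEBUG_DUMP =
    "[ro.build.type]: [userdebug]\n"
    "[ro.debuggable]: [1]\n"
    "[ro.secure]: [1]\n";

const char *USERDEBUG_ADB_ROOT_DUMP =
    "[ro.build.type]: [userdebug]\n"
    "[ro.debuggable]: [1]\n"
    "[ro.secure]: [1]\n"
    "[service.adb.root]: [1]\n";

/* Look up NAME in a getprop-style dump. Copies the value into OUT and
 * returns 1 if found, 0 otherwise. Matching is exact, so "ro.secure"
 * does not match a line for "ro.secure.something". */
int getprop_lookup(const char *dump, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *p = dump;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        /* shortest valid line is "[name]: []", i.e. nlen + 6 characters */
        if (linelen >= nlen + 6 && p[0] == '[' &&
            strncmp(p + 1, name, nlen) == 0 &&
            strncmp(p + 1 + nlen, "]: [", 4) == 0 &&
            p[linelen - 1] == ']') {
            size_t vlen = linelen - (nlen + 5) - 1;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, p + nlen + 5, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* 1 if NAME is present in DUMP with exactly the value EXPECTED. */
int prop_equals(const char *dump, const char *name, const char *expected) {
    char v[92];
    return getprop_lookup(dump, name, v, sizeof v) && strcmp(v, expected) == 0;
}

/* Boolean property with a default when absent or not parseable. */
static int prop_bool(const char *dump, const char *name, int dflt) {
    char v[92];
    if (!getprop_lookup(dump, name, v, sizeof v)) return dflt;
    if (!strcmp(v, "1") || !strcmp(v, "true")) return 1;
    if (!strcmp(v, "0") || !strcmp(v, "false")) return 0;
    return dflt;
}

/* 1 if adbd keeps uid 0 (so `adb shell` is a root shell), 0 if it drops to
 * the unprivileged shell user. ro.secure=1 means drop, as the article says;
 * the ro.debuggable / service.adb.root override is AOSP adbd's behaviour. */
int adb_shell_runs_as_root(const char *dump) {
    int ro_secure = prop_bool(dump, "ro.secure", 1);       /* absent => secure */
    int ro_debuggable = prop_bool(dump, "ro.debuggable", 0);
    char adb_root[16] = "";
    getprop_lookup(dump, "service.adb.root", adb_root, sizeof adb_root);

    int drop = ro_secure;
    if (ro_debuggable && strcmp(adb_root, "1") == 0) drop = 0; /* `adb root` */
    if (strcmp(adb_root, "0") == 0) drop = 1;                   /* `adb unroot` */
    return !drop;
}

int main(void) {
    const char *names[] = {"stock user build", "eng build", "userdebug build", "userdebug after adb root"};
    const char *dumps[] = {STOCK_USER_DUMP, ENG_DUMP, USERDEBUG_DUMP, USERDEBUG_ADB_ROOT_DUMP};
    for (int i = 0; i < 4; i++) {
        char secure[16] = "?";
        getprop_lookup(dumps[i], "ro.secure", secure, sizeof secure);
        printf("%-26s ro.secure=%s -> adb shell as root: %s\n", names[i], secure,
               adb_shell_runs_as_root(dumps[i]) ? "yes" : "no");
    }
    return 0;
}
```

Feeding it the output of `adb shell getprop` from a real device shows the same answer the article's explanation predicts for a stock build: ro.secure=1, so the shell stays unprivileged.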

Apart from ro.secure, another security measure followed by manufacturers is locking the bootloader. If the bootloader is locked, the user cannot flash any ROM or custom recovery, which makes rooting more difficult, since flashing modified images is sometimes required to escalate privileges.

Plan and Procedure to root

Basically, rooting is the escalation from lower privileges to higher privileges. With that in mind, the rooting process can be accomplished in two steps:

  1. Find an exploit that allows the execution of arbitrary code as root.
  2. Use the exploit to install su and superuser.apk as root.

After su and superuser.apk are installed, any application or service that requires root invokes su to run its code as the root user.
