1. Eclair’s Creamy Center: How The Droid Was Rooted Michael Goffin CarolinaCon 2010

2. Can you hear me now? RIT Graduate 2006 Computer Science House Alumni Hack or Halo and ShmooCon staff member of 0x90 and DroidDev

3. What we’ll cover Definitions Rooting timeline Post-rooting progress How to root your phone

4. Definitions Droid

5. Definitions Droid Specs: CDMA dual band (800/1900 MHz); CDMA2000 1xRTT/1xEV-DO rev.0/1xEV-DO rev.A 3.7-inch screen with 854×480 (16:9 widescreen) capacitive touchscreen 5 megapixel camera with autofocus and LED flash and video recording 600 MHz ARM Cortex A8 Processor (underclocked to 550) 256 MB RAM / 512 MB ROM 16G microSD GPS, Wi-Fi, 3.5mm HeadPhone Jack Talk Time: 420 minutes Standby Time: 450 hours

6. Definitions AOSP Android Open Source Project Odex Java VM on Android is a Dalvik VM (designed for processor/memory-constrained devices) consumes DEX files (Java files rendered by DX) files loaded into VM then classes optimized by dexopt Optimization results in an ODEX’d file Deodex de-odexing a file to hack on the code done using deodexerent

7. Why root the Droid? Overclocking Installing apps which require escalated privileges Theming Wireless tethering Backported apps from other Android devices (Milestone, Nexus One, etc.) Control over OTA updates Mixing and matching featuresets from different Android versions

8. Key Dates Release of Droid - 11/6 Finding official 2.0.1 update.zip - 12/7 First root - 12/8 First local root - 12/8 Simplified rooting process - 12/9 Custom Payload Instructions - 12/10 Official OTA Rollout of 2.0.1 – 12/11

9. Where we started A small group of us met on www.droidforums.net in early November www.droidforums.net Created a private IRC channel, Google Waves, and reached out to other sites www.alldroid.org forum.xda-developers.com started looking for potential exploits

10. Where we started [mbm] found this gem in the Android source: verifier.c – this section is a signature check to verify everything from the start to the eocd which marks the end of the update.zip file for (i = 4; i < eocd_size-3; ++i) { if (eocd[i ] == 0x50 && eocd[i+1] == 0x4b && eocd[i+2] == 0x05 && eocd[i+1] == 0x06) { // if the sequence $50 $4b $05 $06 appears anywhere after // the real one, minzip will find the later (wrong) one, // which could be exploitable. Fail verification if // this sequence occurs anywhere after the real one. LOGE("EOCD marker occurs after start of EOCD\n"); fclose(f); return VERIFY_FAILURE;

11. BONUS NUGGET! For those interested in the patch that was eventually submitted to Google: Commit: https://review.source.android.com/#change,12807 https://review.source.android.com/#change,12807 Diff: https://review.source.android.com/#patch,s idebyside,12807,1,verifier.c https://review.source.android.com/#patch,s idebyside,12807,1,verifier.c

12. Where we started Waiting game for the official update.zip to come out so we can work with it [mbm] to the rescue!! https://android.clients.google.com/updat es/voles/signed-voles-ESD56-from- ESD20.84263456.zip https://android.clients.google.com/updat es/voles/signed-voles-ESD56-from- ESD20.84263456.zip

13. Game on Zinx Verituse used the official update.zip to craft a custom update.zip using the exploit The goal was to create an update.zip that the phone would accept as a standard update file, but inject an su binary to gain root access

14. Game on Process involves (30k’ view): 1.Create a non-zip file of all 0’s the same size as the update.zip (donor file) 2.Building a payload zip file 3.Concatenate payload to non-zip into an update.zip file 4.Adjust offsets 5.Append signature from donor to end of your update.zip 6.For any file you want from donor copy out the relevant hex 7.Use dd to take the donor in and out it to your update.zip

15. Game on The detailed process can be found here: http://alldroid.org/threads/13908-Crafting- your-own-update-zip-payload Zinx wrote Volez to make this easier: http://zenthought.org/content/project/vole z

16. First Root Posted Zinx posted the first root to www.alldroid.org www.alldroid.org http://alldroid.org/viewtopic.php?f=236&t= 567 first root process gave us root through ADB shell required plugging into a computer

17. First Local Root Posted Same day, I posted instructions for getting local root on the phone without the need for a computer Goal was to get access for developers to start porting their “root required” apps in the Google Market to the Droid

18. First Local Root Posted Process involves (again, 30k’ view): 1.Root droid using Zinx’ process 2.Download a special su binary used in previous Android rooted installs 3.Use ADB to push su binary to /data/local/ (writable user folder) 4.Remount /system on the phone to be rw 5.`mv /system/bin/su /system/bin/osu` 6.`cat /data/local/su > /system/bin/su` 7.`chmod 6755 /system/bin/su` 8.Run `sync` then `reboot` End result is being able to execute `su` from a terminal emulator directly on the phone

19. First Local Root Posted Detailed, but outdated instructions can be found here: http://alldroid.org/viewtopic.php?f=210&t= 572

20. Simplified Rooting Process Easier process was posted the day after: update.zip was fitted with special su binary and Superuser.apk from Cyanogen to manage applications attempting to use escalated privileges

21. Enter Sholes.info group! original group from IRC with some other developers from other sites created www.sholes.info www.sholes.info Sholes was the codename of the Droid yes, we hosted http://as.sholes.infohttp://as.sholes.info goal was to start customizing the phone and continuing exploit research for when Google patched

22. Enter Sholes.info group! First project released: sprecovery modified recovery to replace the one currently on the Droid would allow us to easily run custom updates, ROMs, and other changes into the phone off of the SD card written by SirPsychoS

23. Enter Sholes.info group! Second project: SholesMod custom ROM installed using sprecovery custom kernel modifications ported applications shell enhancements developed and tested by all of the SholesMod group

24. Enter Sholes.info group! Third project: SMUpdater app put in the Google Market automated the downloading of latest ROM versions onto SD card and installing will install sprecovery, root the phone, and install the ROM written by Camel put in market for $5 as a donation to the team, but also put on site for free $25k in 2-3 weeks

25. Enter Sholes.info group! Group continued backporting Focus shifted to overclocking Released ROM with 600/800/1000mHz Configured using SetCPU app through Market Added AdamZ’s Smoked Glass theme Backported 2.1 applications 2.1 is still not officially released as of writing this, but sounds like 3/19

26. Breaking News!! [Verizon] spokesperson Thomas Pica said in an email [on 3/18], "The Android 2.1 upgrade for the Droid by Motorola was deployed to a small number of Verizon Wireless test users as scheduled. It is expected the broader phased rollout to all Droid by Motorola users will take place, but not just yet. No date scheduled yet." http://www.phonescoop.com/news/item.php?n=567 6

27. There Goes Sholes.info group! Issues arose within sholes.info and the site and source was taken down by server owner Luckily we were using Mercurial so we all had source Another great reason to use a distributed SCM! Group decided to refund everyone their money from purchasing the app and move forward with a free app, and site donation only

28. Enter DroidMod group! SMUpdater was discontinued New site http://droidmod.orghttp://droidmod.org New members joined to increase bandwidth and support for increased demand Camel created DMUpdater 1.0 Group created a new ROM to go out with 1.0 more apps backported Download from site only until we can get it in the Market

29. Using DroidMod

36. More on the DroidMod group Open IRC channel on freenode: #droidmod Moved from Mercurial to git Currently working on compiling the 2.6.32 kernel for the Droid New DroidMod coming soon!

37. What others are doing Lots of ROMs coming out with custom themes, kernels, apps, etc. Overclocking exceeding 1200/1300 Koush recently ported Cyanogenmod from the Nexus over to the Droid 360 degree rotation

38. Summary of URLs AOSP: http://source.android.com/http://source.android.com/ AOSP Git Repo: http://android.git.kernel.org/http://android.git.kernel.org/ Forums: http://www.alldroid.org http://www.droidforums.net http://forum.xda-developers.com http://forum.droidmod.org Committed patch for exploit: https://review.source.android.com/#change,12807 https://review.source.android.com/#change,12807 Diff: https://review.source.android.com/#patch,sidebyside,12807,1,verifier.chttps://review.source.android.com/#patch,sidebyside,12807,1,verifier.c Guessed URL for update: https://android.clients.google.com/updates/voles/signed-voles-ESD56-from- ESD20.84263456.zip https://android.clients.google.com/updates/voles/signed-voles-ESD56-from- ESD20.84263456.zip Creating update.zip: http://alldroid.org/viewtopic.php?f=286&t=626http://alldroid.org/viewtopic.php?f=286&t=626 First root process: http://alldroid.org/viewtopic.php?f=236&t=567http://alldroid.org/viewtopic.php?f=236&t=567 First local root process: http://alldroid.org/viewtopic.php?f=210&t=572http://alldroid.org/viewtopic.php?f=210&t=572

39. Credit where it’s due [mbm] - finding original exploit in code, guessing update URL that made this possible Zinx Verituse - put together original update.zip payload, and tool, and posted the first rooting Cyanogen - Superuser.apk mjxg - local root SirPsychoS - recovery mod koush - Cyanogen mod ported to Droid Camel - Original SholesMod Updater and new DroidMod Updater Contributors to DroidMod and advancement of the droid hacking community: [mbm], SirPsychoS, humancyborg, m0nkee, mjxg, Orgg, Randomcity, trevorj, angel12, birdman, Camel, forkup, planb, unicron, votetrev, vulcan, xeudoxus, gandhip, Ronen, visbits, electrofunk, koush, takeda

40. Thank you Slides will be available on my website: www.mgoff.in