Rooting Android Devices via adb
DISCLAIMER: Following the steps on this page may brick your device and will certainly void any warranty. You assume full responsibility in the event something goes wrong.
Rooting an Android device in this guide means:
- being able to write to the /system partition to install software
- creating an executable su which when executed runs as root
- installing additional software such as busybox or Superuser.apk.
This guide does not cover modifying or reflashing the boot image on your device.
Mounting /system as read-write
If you have a debug version of adbd installed on your device, all you need to do to get write permission on /system is to execute:
adb root      # restart the adbd daemon as root
adb remount   # remount the /system partition as read-write
If you do not have a debug version of adbd, you will need to exploit your device in order to restart adbd as root.
Using zergRush exploit to restart adbd as root
zergRush exploits a use-after-free bug in Android 2.2 and 2.3 to temporarily restart the adbd daemon as root.
To build zergRush:
- clone the zergRush repo
- download the NDK from http://developer.android.com/tools/sdk/ndk/index.html
- create the standalone toolchain
/path-to-ndk/build/tools/make-standalone-toolchain.sh \
    --platform=android-8 --install-dir=/tmp/android-8-toolchain
- download the Android source
- build the Android source (required for headers and libraries)
- build zergRush
cd /path-to-android-source/
export PATH=/tmp/android-8-toolchain/bin/:$PATH
arm-linux-androideabi-gcc -I system/core/include/ \
    -L out/target/product/generic/system/lib/ -l cutils -l diskconfig -l log -l stdc++ -l m \
    -o zergRush /pathto/zergRush.c
Once you have built zergRush, push it to your device and execute it.
adb shell
mkdir /data/local/tmp
exit
adb push zergRush /data/local/tmp/
adb shell
cd /data/local/tmp/
chmod 777 zergRush
./zergRush
You will see output similar to:
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00000118
[*] Scooting ...
[*] Sending 149 zerglings ...
[*] Sending 189 zerglings ...
[+] Zerglings found a way to enter ! 0x18
[+] Overseer found a path ! 0x000151e0
[*] Sending 189 zerglings ...
[+] Zerglings caused crash (good news): 0x4011ccd4 0x0074
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd19413 0xafd3925f
[*] Sending 181 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
adbd will run as root until you reboot your device.
You should clean up after zergRush since it creates a couple of files in /data/local/tmp which are owned by root.
adb shell
cd /data/local/tmp
rm boomsh sh
exit
Once adbd is running as root, remount your /system partition as read-write (adb remount, as above). Now you can install any software you like to /system.
zergRush is known to work for:
- Google Nexus One Android 2.3.6
- Motorola Droid Pro Android 2.3.3
Creating su
Creating our own su in /system/bin preserves any su that may already exist in /system/xbin. In full-eng or emulator builds of Android, su is available in /system/xbin/.
If you do not have an su binary, a simple approach is to copy the shell executable sh to /system/bin/su and give it the correct permissions. If there is already a /system/bin/su you may wish to save it or skip this step. Note that the official Android su does not accept the same command line as the sh we have copied; if you require exactly the behaviour of the official su, copy the binary from the Android source you built earlier.
adb shell
cd /system/bin/
cat sh > su
chmod 06755 su
exit
Installing busybox
You can install busybox from Google Play, build it yourself, or download a prebuilt binary from http://busybox.net/downloads/binaries/. Note that the armv6 version *does* work on armv7 devices. Once you have a version for your device, push it to /system/xbin and let it install symlinks for its applets:
adb push busybox /system/xbin/
adb shell
cd /system/xbin
./busybox --install -s /system/xbin
exit
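An added example, not part of the original guide: a POSIX sh audit that checks a local copy of the device tree for the artifacts the steps above leave behind (a setuid su that is a copy of sh, zergRush leftovers in /data/local/tmp, busybox applet links in /system/xbin). It assumes the tree was copied to a local directory with adb pull (hypothetical path) and never touches the device itself.

```shell
#!/bin/sh
# Audit a pulled copy of a device filesystem for the artifacts the rooting
# procedure above leaves behind. Added example, not part of the original guide.
# ROOT_DIR is assumed to mirror the device layout, e.g. produced with
# "adb pull /system tree/system" and "adb pull /data/local/tmp tree/data/local/tmp"
# (hypothetical local path, not taken from the guide).

# Prints one finding per line. Returns 0 when nothing is found, 1 otherwise.
audit_root_artifacts() {
    root="$1"
    found=0
    # 1. setuid su in /system/bin or /system/xbin (the "chmod 06755 su" step)
    for f in "$root/system/bin/su" "$root/system/xbin/su"; do
        if [ -f "$f" ] && [ -u "$f" ]; then
            echo "setuid su: $f"
            found=1
        fi
    done
    # 2. su that is byte-for-byte identical to sh (the "cat sh > su" step)
    if [ -f "$root/system/bin/su" ] && [ -f "$root/system/bin/sh" ] &&
       cmp -s "$root/system/bin/su" "$root/system/bin/sh"; then
        echo "su is a copy of sh: $root/system/bin/su"
        found=1
    fi
    # 3. zergRush leftovers in /data/local/tmp (the files the clean-up step removes)
    for f in boomsh sh zergRush; do
        if [ -e "$root/data/local/tmp/$f" ]; then
            echo "zergRush leftover: $root/data/local/tmp/$f"
            found=1
        fi
    done
    # 4. busybox applet symlinks in /system/xbin (the "busybox --install -s" step)
    n=0
    for l in "$root"/system/xbin/*; do
        [ -L "$l" ] || continue
        case "$(readlink "$l")" in *busybox) n=$((n + 1)) ;; esac
    done
    if [ "$n" -gt 0 ]; then
        echo "busybox applet links in /system/xbin: $n"
        found=1
    fi
    return "$found"
}

# Usage: audit_root_artifacts /path/to/pulled/tree
```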