Incredible Rooted, Eris Leakers Next?

  1. andrewzpsu

    andrewzpsu Well-Known Member This Topic's Starter

    Joined:
    Nov 6, 2009
    Messages:
    165
    Likes Received:
    12
    Might want to look at the race conditions they used to break it; maybe that can help the leakers get rooted. Of course I don't know, I'm not a dev.
     
  2. zerovertex

    zerovertex Well-Known Member

    Joined:
    Feb 11, 2010
    Messages:
    88
    Likes Received:
    1
  3. alprazolam

    alprazolam Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    1,722
    Likes Received:
    194
    So are bootloaders completely different between phones? Do you know if root was achieved by exploit, or did the devs get an unsigned copy of 2.1 for the Inc?
     
  4. T2noob

    T2noob Well-Known Member

    Joined:
    Jan 16, 2010
    Messages:
    471
    Likes Received:
    98
    I don't even think people are working on root for leakers. The Eris is an old phone with a small community, so we don't have a lot of people looking.
     
  5. erisuser1

    erisuser1 Well-Known Member

    Joined:
    Nov 11, 2009
    Messages:
    1,644
    Likes Received:
    759
    Here's what I did.

    Read the entire 27 pages of the XDA thread corresponding to the unrevoked.com page mentioned above in zerovertex's post.

    Then I first installed the leak-V1 recovery partition and attempted the method using my Eris about 30 times, and repeated this test (with a smaller number of trials) after first installing the leak-V3 recovery partition. No hint of luck either time. Note that because the exploits involved are two separate race conditions, my lack of luck doesn't necessarily prove anything; that's the nature of races. I couldn't even get the first race to occur - but I am using a very old Linux machine, so if there is a window there, I'm pretty sure that I am sampling it very slowly.


    The bootloader and main OS are irrelevant in this attack - the "exploit", if you want to call it that, is aimed at processes running underneath the recovery boot.

    The basic hack apparently exploits a momentary condition where adb's companion process on the phone, adbd, is running in the recovery boot. Apparently, if you talk to it during the brief moment it is alive, it lingers rather than exiting. This sets up the stage for yet another race condition: an HTC-signed update.zip file is loaded by the recovery menu, and while the recovery process on the phone is verifying the file, it gets re-written. You need the adbd process on the phone to linger so that the update.zip file can be overwritten from the PC (using "adb push")... at exactly the right moment... ugh.


    Anyway, I gave it a quick shot on the Eris. If you take a look over at the posts in that XDA thread, you will see that many folks with the Incredible are duplicating the instructions that others are succeeding at, and failing miserably. That's the nature of races. The Tattoo was rooted with a race, and the devs had to spend some time tuning the "workload" of the phone and the timing of the attack to get the race to be more probable. In this case, getting a higher-probability success rate with the initial race may involve writing a customized adb client.

    The second race is rather interesting: it means that the update process on the phone closes the "update.zip" file after verifying it, and then re-opens it. (That's a bonehead mistake on Google's part, frankly.) That suggests that it is a common vulnerability for all Android phones. Unfortunately, to make use of it, you need to be able to overwrite the update.zip file. Usually (in the recovery boot) there is no way to make this happen - that's why the first race in this particular hack is to get adbd to stay running.

    Anyway - until the Incredible devs get a better handle on it, I probably won't spend any more time on it - we don't even know if the initial race window is present on the Eris yet.

    eu1
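The close-then-reopen flaw eu1 describes is a classic time-of-check/time-of-use race. The added C example below (not code from this thread or from Android's recovery) contrasts that pattern with the fix of verifying and installing the same in-memory bytes; the payload, the trust check and the /tmp path are constructed stand-ins, and the swap_in argument simulates a writer hitting the window.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a signed payload: the real recovery does a
 * signature check, but the close-then-reopen logic below is the point. */
static const char TRUSTED[] = "signed-update-payload";
static int payload_trusted(const char *buf, size_t len) {
    return len == strlen(TRUSTED) && memcmp(buf, TRUSTED, len) == 0;
}
int write_file(const char *path, const char *content) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = strlen(content), w = fwrite(content, 1, n, f);
    return (fclose(f) == 0 && w == n) ? 0 : -1;
}

static long slurp(const char *path, char **out) { /* whole file -> malloc'd buffer */
    FILE *f = fopen(path, "rb"); *out = NULL;
    if (!f) return -1;
    fseek(f, 0, SEEK_END); long len = ftell(f); rewind(f);
    *out = malloc(len > 0 ? (size_t)len : 1);
    long got = (long)fread(*out, 1, (size_t)len, f);
    fclose(f);
    if (got != len) { free(*out); *out = NULL; return -1; }
    return len;
}

/* Both installers return 0 = rejected, 1 = installed the verified bytes,
 * 2 = installed bytes nobody verified (the bug). swap_in, if non-NULL,
 * rewrites the file between verify and use, simulating the race window. */
int install_vulnerable(const char *path, const char *swap_in) {
    char *buf; long len = slurp(path, &buf);      /* open #1: verify */
    if (len < 0) return 0;
    int ok = payload_trusted(buf, (size_t)len);
    free(buf);                                    /* ...then close it */
    if (!ok) return 0;
    if (swap_in) write_file(path, swap_in);       /* the race window */
    if ((len = slurp(path, &buf)) < 0) return 0;  /* open #2: use */
    ok = payload_trusted(buf, (size_t)len); free(buf);
    return ok ? 1 : 2;
}

/* Hardened: read once, verify that buffer, install that same buffer. */
int install_hardened(const char *path, const char *swap_in) {
    char *buf; long len = slurp(path, &buf);      /* one open, one read */
    if (len < 0 || !payload_trusted(buf, (size_t)len)) { free(buf); return 0; }
    if (swap_in) write_file(path, swap_in);       /* cannot touch buf */
    free(buf); return 1;                          /* installs verified bytes */
}
```

The same principle applies when the real data is a file descriptor or mapping: whatever bytes the signature check ran over must be the bytes the installer consumes, never a fresh open by name.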
     
  6. alprazolam

    alprazolam Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    1,722
    Likes Received:
    194
    Very interesting, and thanks for the breakdown from all of your reading. I kept wondering what a "race window" was, and it makes sense to me now. It will be interesting to see if this can be replicated on the Eris.
     