
Root Deconstructing p3droid's pre-rooted two-part GingerBread files

Discussion in 'Android Devices' started by scary alien, Jun 18, 2011.

  1. scary alien

    There's been speculation about exactly how p3droid's pre-rooted two-part GB .zip files actually gain you root (including a question as to whether or not these files really are the official 2.3.3 / .596 OTA).

    I made my own speculations about how this was accomplished in a few different threads here in the Droid X root sub-forum:

    5/30: http://androidforums.com/droid-x-all-things-root/344640-froyo-gingerbread-rooted-will-i-lose-everything.html#post2751212
    6/10: http://androidforums.com/droid-x-all-things-root/352562-i-dont-understand.html#post2806667
    6/15: http://androidforums.com/droid-x-all-things-root/348670-gingerbreak-ota-gb.html#post2825785

    Well, I decided to deconstruct p3droid's files and uncover exactly how the root process works.

    The Results

    1. p3droid's pre-rooted two-part GB .zip files ARE the official 2.3.3 / .596 OTA, just with root already baked-in.

    2. There's no "secret sauce" or new GingerBread root exploit involved here--just some very clever and creative work by p3droid's The Black Hat team to pre-package the root parts in the two-part .zip files.

    3. Currently, SBF'ing back to Froyo, rooting with Z4root, and installing p3droid's two-part pre-rooted .zip files is the only way to gain and retain root for 2.3.3 / .596 GingerBread (i.e., you have to have root (in Froyo) to get/retain root in GingerBread).

    The Boring Details (;))

    1. Analyzing the files themselves:
    Code (Text):
      File Size     File Name
      ----------- --------------------------------------------------
      104,274,395 Blur_Version.2.3.340.MB810.Verizon.en.US-Part1.zip
       13,534,847 Blur_Version.2.3.340.MB810.Verizon.en.US-Part2.zip
      -----------
      117,809,242 (81 directories, 938 files)

      File Size     File Name
      ----------- --------------------------------------------------
      117,239,128 Official DX Gingerbread 2.3.3 (4.5.596) Release OTA.zip
                  (70 directories, 928 files)

      There is a difference of 570,114 bytes between the two filesets.
    The difference in the number of files and directories is accounted for by the splitting-up of the OTA into two different .zip files (i.e., the duplicated META-INF files used in signed .zip files) and the inclusion of the root-related files. The only "extra" (non-META-INF) files are the following four, which were inserted into the part1.zip file:
    Code (Text):
      logwrapper\bin\logwrapper (koush's bootstrap recovery exploit)
      root\app\Superuser.apk (superuser whitelist app)
      root\bin\busybox (root tools/utilities)
      root\bin\su (superuser shell)
    2. Analyzing the files' contents:

    A. First, I extracted both of p3droid's pre-rooted two-part GingerBread .zip files into one common directory.

    B. Next, I extracted the contents of the 2.3.3 (.596) official GingerBread OTA (update.zip) into its own directory.

    C. Next, I used the fciv.exe utility to generate MD5 checksums for all of the files.

    D. I then compared the output of the generated MD5 files: the contents of the two-part, pre-rooted GB files are identical to the official GB 2.3.3 OTA with the exception of the inclusion of the four extra root files mentioned above.

    3. Analyzing the update-script files

    Finally, I then compared the update-script files in each of the above filesets. Here are the differences that I observed:

    1. The official OTA's update-script includes various assertions to ensure that you are indeed a Moto Droid X of the proper O/S release:
    Code (Text):
      assert(file_getprop("/system/build.prop", "ro.build.fingerprint") == "verizon/shadow_vzw/cdma_shadow/shadow:2.2.1/VZW/23.340:user/ota-rel-keys,release-keys" ||
             file_getprop("/system/build.prop", "ro.build.fingerprint") == "verizon/shadow_vzw/cdma_shadow:2.3.3/4.5.1_57_DX5-26/110429:user/release-keys");
      assert(getprop("ro.product.device") == "cdma_shadow" ||
             getprop("ro.build.product") == "cdma_shadow");
    These assertion checks are not present in p3droid's update-script files.

    2. p3droid's update-script installs the root-related logwrapper\bin\logwrapper, root\app\SuperUser.apk, root\bin\busybox, and root\bin\su files.

    3. Lastly, p3droid's update-script makes the requisite symbolic links to busybox for all of the various commands/utilities that busybox supports.

    4. There are a few minor spelling and order differences in the update-script filesets, but nothing significant.

    ------------------------------------------------------

    That's it ;).

    The only outstanding question in my mind is why it was necessary to create two .zip files. I'm sure there's a good reason...I just don't know what it is right now ;). My son has a Droid 2 Global that is about to get its GingerBread update and I was considering using this information to build a two-part .zip set for him if it weren't for this lingering question...

    Congrats and thanks again to p3droid and Team Black Hat for making this GingerBread rooting method for all of us.

    Cheers!
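    The comparison in steps A through D above, written out as an added example (not code from the original post, and not p3droid's or TBH's): it walks two extracted directory trees, hashes every file the way fciv does, and reports which paths are identical, modified, or present on only one side. The two sample trees are constructed in a temp directory with made-up contents; only the layout (identical system files, an update script that differs by the device assertions, four extra root files, re-signed META-INF) follows what the post found. The updater-script path is the usual location of an Edify script in an OTA zip and is assumed here.

```python
"""Hash-compare two extracted update filesets.

Added example, not part of the original post: reproduces in Python the
comparison done with fciv and WinMerge, walking two extracted directory
trees, hashing every file, and classifying each path as identical,
modified, or present on one side only. Sample trees are constructed in a
temp directory; file names follow the thread, contents are made up.
"""
import hashlib
import tempfile
from pathlib import Path

# Signature files are regenerated when a zip is re-signed, so they are
# expected to differ and are left out of the comparison.
SIGNATURE_FILES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}

# Usual location of an Edify script inside an OTA zip (assumed here).
SCRIPT = "META-INF/com/google/android/updater-script"


def hash_tree(root, algo="md5"):
    """Return {relative_posix_path: hexdigest} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in SIGNATURE_FILES:
            continue
        h = hashlib.new(algo)
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[rel] = h.hexdigest()
    return digests


def compare_trees(left, right):
    """Classify files as identical, modified, only_left, or only_right."""
    lh, rh = hash_tree(left), hash_tree(right)
    common = lh.keys() & rh.keys()
    return {
        "identical": sorted(p for p in common if lh[p] == rh[p]),
        "modified": sorted(p for p in common if lh[p] != rh[p]),
        "only_left": sorted(lh.keys() - rh.keys()),
        "only_right": sorted(rh.keys() - lh.keys()),
    }


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def build_sample_trees(base):
    """Construct a toy 'official OTA' tree and a toy 'pre-rooted' tree.

    Constructed data: payload bytes are arbitrary. The layout follows the
    thread: identical system files, an update script that differs only by
    the device assertions, and four extra root files on the pre-rooted side.
    """
    official = Path(base) / "official_ota"
    prerooted = Path(base) / "prerooted"
    shared = {
        "system/build.prop": b"ro.product.device=cdma_shadow\n",
        "system/app/Phone.apk": b"PK\x03\x04 constructed apk bytes",
    }
    for rel, data in shared.items():
        _write(official, rel, data)
        _write(prerooted, rel, data)
    body = b"show_progress(0.5, 0);\n"  # constructed script body
    _write(official, SCRIPT,
           b'assert(getprop("ro.product.device") == "cdma_shadow");\n' + body)
    _write(prerooted, SCRIPT, body)  # device assertions absent, as the post found
    _write(official, "META-INF/MANIFEST.MF", b"original manifest")
    _write(prerooted, "META-INF/MANIFEST.MF", b"re-signed manifest")
    for rel in ("logwrapper/bin/logwrapper", "root/app/Superuser.apk",
                "root/bin/busybox", "root/bin/su"):
        _write(prerooted, rel, b"constructed " + rel.encode())
    return official, prerooted


def run_demo():
    """Build the sample trees, compare them, print and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        official, prerooted = build_sample_trees(tmp)
        report = compare_trees(official, prerooted)
    for kind, paths in report.items():
        print(f"{kind} ({len(paths)}):")
        for p in paths:
            print("   ", p)
    return report


if __name__ == "__main__":
    run_demo()
```

    Run it against the real extracted trees by passing their two paths to compare_trees; anything that shows up under "modified" or "only_right" beyond the four root files and the update script is exactly what you would want to inspect before flashing a repackaged update.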
     


  2. bouchigo


    You've got too much time on your hands; go make us another app or something :p;):D
     
  3. scary alien

    LOL...yeah, I'm doing some of that, too! :p

    My son was over today asking if I had heard any news about GB for his D2G and it got me thinking about what I posted above.

    I don't know whether p3droid is involved or interested in doing for the D2G what he's done for the DX, but I wanted to really see what it might take.

    The methodology of what I did is not really new or particularly difficult (AF members thenestor and erisuser1 did something very similar for some HTC Eris 2.1 updates last year) and the tools I used (fciv, Winmerge, winrar) didn't require me to bust into Linux for this.

    Besides, it's a Saturday...got the lawn mowed before the rain came and I was just chilling here on AF :).

    Cheers!
     
  4. Snow02

    The reason it's in two parts is because he actually installs the ota, flashes the root files on his unlocked dev phone, then makes a backup. That's part 1. Part 2 consists of the update elements not included in a nandroid backup.

    So the real magic is that he has a dev phone. He can root any build just like you root the nexus.
     
  5. Metfanant

    i imagine he/tbh will be interested in doing something similar with the D2G...you might want to hit him up on Twitter...

    although he might be in a bad mood right now...because apparently he got a leak of Gingerbread for the Fascinate...went out and actually bought a Fascinate to install it...then posted some pictures...got called a liar by some "high and mighties" in the Fascinate community and has now vowed to never release his leak of Gingerbread because of the way he was treated by them...
     
  6. scary alien

    Ah, that is interesting...

    Although I'm thinking that it's not the Nandroid backup that is relevant for part2, but the files that are actually being installed in part2 (Nandroid backups are filesystem/partition inclusive...unless there's a way to specify what files should be excluded...).

    I'm thinking that these might be key files that would be different between a Nexus and a Droid X? Dunno for sure...

    Thank you for this.
     
  7. Snow02

    There are aspects of the update (rdl, bp, cdt, and a few others) that are not included in a nandroid. I'm not positive what all of them are for, but I believe a couple are what let the bootloader verify the system. He just pulls these from the update and puts them in a zip. I don't believe they're all written to the primary partition. Nvram maybe?
     
  8. scary alien

    Yes, the bp.img, cdrom, cdt.bin, device_tree.bin, logo.bin, metadata.gpb, and rdl.bin are the only things in the part2.zip, so your line of thought made me think that he'd have to update/replace what was built / backed-up on the dev phone with the proper ones for the X.

    A (semi-quick) Google search pulled-back the veil a little bit re. this: I'm thinking that p3droid builds the part1.zip like you described (Nandroid backup, etc.) and then redacts the files listed above from the part1.zip file--because they will be flashed in the part2.zip file which is already pre-built specifically for the Droid X. These files appear to be very phone-specific:

    partitions:cdt [And Developers]

    and if they were grabbed in the dev (Nexus) phone's Nandroid backup, they'd probably have to be replaced with the proper ones for the DX.

    Thank you again, Snow02. This was (is ;)) a very enlightening conversation and I appreciate your feedback. Please don't think I'm trying to argue with you or be contrary, I'm just trying to reverse-engineer what I think might have been done. Please let me know if you think I'm all-wet here (won't be the first time, LOL ;)).

    Cheers!
     
  9. Metfanant

    his dev phone is not really a Nexus device...it's a DX...it's silver i believe
     
  10. scary alien

    Ah, thanks! Snow02 mentioned the Nexus, but he might have been speaking generally and I misunderstood.

    Didn't know that the Droid X was available as a developer phone...:thinking:..unless he procured a R&D phone (which wouldn't surprise me).

    Cheers!
     
  11. Metfanant

    yeah...I'm not exactly sure how he came about getting it...but I know he has a Developer version of the X...I'm not positive about it being silver...but I swear I remember him tweeting something about it being silver once...

    from what I understand it's the same phone...unlocked bootloader, and a different recovery system than ours...
     
  12. Snow02

    Correct. I just said he can root it the same way you do a nexus. You just flash the root files. But it is an unlocked DX - sorry if that wasn't clear.
     
  13. Snow02

    And back to the part 2 zip, he doesn't do anything other than pull those files straight from the update package and re-zip and sign them. That's it. The magic really is just the phone. I don't mean that to sound derogatory, he's done plenty of development to warrant recognition. But there's no mystery or dev tricks here I'm afraid.
     
  14. trophynuts

    yeah he actually tweeted the other day that he was selling one of his DevX phones. I think he had more than one and they are silver.
     
  15. binary visions

    Interesting post, thanks for looking at them. I actually only recently re-downloaded them myself and was going to paw through them.

    I've often wondered if there was a way to overwrite a stock X with an image from P3's phone. It wouldn't be done in software, of course, because of the locked bootloader, but there are usually contacts on the motherboard to serially write data to storage. It's not really scalable though, since it usually involves some precise soldering, so it still wouldn't have resulted in a mass unlocking of devices.
     
  16. Snow02

    Huh? The update files he releases are images from his phone. And if you're referring to attempting to copy his recovery and all in an attempt to unlock a stock phone, that still wouldn't work. If I'm not mistaken, the efuse in a dev model would not be programmed, or be programmed differently than a stock device. As that's a one time writable hardware key, there's no way around it.
     
  17. binary visions

    I know what his releases are, and I know that you can't simply overwrite the existing bootloader with his own through the software.

    What I'm saying is, many embedded devices are given serial headers somewhere on their boards for the initial software images to be written to the device via simple protocols - or for devices with completely corrupt software to be recovered - and this often bypasses any sanity checks on the device since they're designed to write directly to the memory. Now, these headers are often not exposed on the production devices and are simply traces on the PCB that go nowhere, but it's more expensive to do a different run of the boards so they just stop adding the actual headers and leave the exposed traces.

    Simply idle speculation is all.
     
  18. Kevmueller

    My wife has a D2G as well so I was hoping that TBH would do something, but if you come up with anything as well it would be great if you would let me know as well. Thanks
     
  19. scary alien

    Will do :).

    My son's phone is simply rooted and we haven't installed D2 Bootstrap or anything to make a Nandroid backup (yet). I do think I've got at least one .sbf file for his phone laying around somewhere, just in case I do try this on his phone (he's been a valuable tester for my BattMonX app and loves the root-only LED-is-always-on feature). It's hard enough keeping up with my DX to really R&D his D2G ;).

    I'll let you know if anything comes of this, but the concept of building the two-part .zip files seems straightforward enough.

    Cheers!
     
  20. Bugly

    I have the D2G SBF file if you need it, let me know, as I, too have a D2G that could use some GB to fix the issues it has (my wife thanks you in advance...)
    http://www.megaupload.com/?d=3VV4AICS
     
  21. scary alien

    Thanks! If there's been only one .sbf published for it, then that's the one I snagged way back when (just in case, eh? ;)).

    We'll have to see how this all unfolds and I would certainly "let" an experienced team like p3droid/TBH take a crack at it before I did ;). VZW/Moto still have yet to release the OTA...then it will have to be captured (I'll have to coordinate with my son to do that), etc. I'll certainly keep an eye out...would be cool to do.

    Cheers!
     
  22. cougar214

    Give him some time to cool off. For every a$$hole there is 3 people with respect for his work that really want to try his stuff out.
     
  23. Bugly

    yeah, I think that's the only SBF out there for D2G, but you can OTA to the most current release from there. I hope you can do this! This could end the "issues" my wife has had with her D2G; it's a great device, but buggy as, well, you know....
     
