
Root Deconstructing p3droid's pre-rooted two-part GingerBread files

scary alien

There's been speculation about exactly how p3droid's pre-rooted two-part GB .zip files actually gain you root (including a question as to whether or not these files really are the official 2.3.3 / .596 OTA).

I made my own speculations about how this was accomplished in a few different threads here in the Droid X root sub-forum:

5/30: http://androidforums.com/droid-x-all-things-root/344640-froyo-gingerbread-rooted-will-i-lose-everything.html#post2751212
6/10: http://androidforums.com/droid-x-all-things-root/352562-i-dont-understand.html#post2806667
6/15: http://androidforums.com/droid-x-all-things-root/348670-gingerbreak-ota-gb.html#post2825785

Well, I decided to deconstruct p3droid's files and uncover exactly how the root process works.

The Results

1. p3droid's pre-rooted two-part GB .zip files ARE the official 2.3.3 / .596 OTA, just with root already baked-in.

2. There's no "secret sauce" or new GingerBread root exploit involved here--just some very clever and creative work by p3droid's The Black Hat team to pre-package the root parts in the two-part .zip files.

3. Currently, SBF'ing back to Froyo, rooting with Z4root, and installing p3droid's two-part pre-rooted .zip files are the only way to gain and retain root for 2.3.3 / .596 GingerBread (i.e., you have to have root (in Froyo) to get/retain root in GingerBread).

The Boring Details (;))

1. Analyzing the files themselves:
Code:
  File Size     File Name
  ----------- --------------------------------------------------
  104,274,395 Blur_Version.2.3.340.MB810.Verizon.en.US-Part1.zip
   13,534,847 Blur_Version.2.3.340.MB810.Verizon.en.US-Part2.zip
  -----------
  117,809,242 (81 directories, 938 files)


  File Size     File Name
  ----------- --------------------------------------------------
  117,239,128 Official DX Gingerbread 2.3.3 (4.5.596) Release OTA.zip
              (70 directories, 928 files)

  There is a difference of 570,114 bytes between the two filesets.

The difference in the number of files and directories is accounted for by the splitting-up of the OTA into two different .zip files (i.e., the duplicated META-INF files used in signed .zip files) and the inclusion of the root-related files. The only "extra" (non META-INF) files are the following four files (which were inserted into the part1.zip file):
Code:
 logwrapper\bin\logwrapper (koush's bootstrap recovery exploit)
 root\app\Superuser.apk (superuser whitelist app)
 root\bin\busybox (root tools/utilities)
 root\bin\su (superuser shell)

2. Analyzing the files' contents:

A. First, I extracted both of p3droid's pre-rooted two-part GingerBread .zip files into one common directory.

B. Next, I extracted the contents of the 2.3.3 (.596) official GingerBread OTA (update.zip) into its own directory.

C. Next, I used the fciv.exe utility to generate MD5 checksums for all of the files.

D. I then compared the output of the generated MD5 files: the contents of the two-part, pre-rooted GB files are identical to the official GB 2.3.3 OTA with the exception of the inclusion of four extra root files mentioned above.

3. Analyzing the update-script files

Finally, I then compared the update-script files in each of the above filesets. Here are the differences that I observed:

1. The official OTA's update-script includes various assertions to ensure that you are indeed a Moto Droid X of the proper O/S release:
Code:
assert(file_getprop("/system/build.prop", "ro.build.fingerprint") == "verizon/shadow_vzw/cdma_shadow/shadow:2.2.1/VZW/23.340:user/ota-rel-keys,release-keys" ||
       file_getprop("/system/build.prop", "ro.build.fingerprint") == "verizon/shadow_vzw/cdma_shadow:2.3.3/4.5.1_57_DX5-26/110429:user/release-keys");
assert(getprop("ro.product.device") == "cdma_shadow" ||
       getprop("ro.build.product") == "cdma_shadow");

These assertion checks are not present in p3droid's update-script files.

2. p3droid's update-script installs the root-related logwrapper\bin\logwrapper, root\app\SuperUser.apk, root\bin\busybox, and root\bin\su files.

3. Lastly, p3droid's update-script makes the requisite symbolic links to busybox for all of the various commands/utilities that busybox supports.

4. There are a few minor spelling and order differences in the update-script filesets, but nothing significant.

------------------------------------------------------

That's it ;).

The only outstanding question in my mind is why it was necessary to create two .zip files. I'm sure there's a good reason...I just don't know what it is right now ;). My son has a Droid 2 Global that is about to get its GingerBread update and I was considering using this information to build a two-part .zip set for him if it weren't for this lingering question...

Congrats and thanks again to p3droid and Team Black Hat for making this GingerBread rooting method for all of us.

Cheers!
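
The comparison described in the post above, as an added example that is not part of the original thread: it hashes every member of the two-part set and of the official OTA, ignores META-INF, and lists the script lines the repackaged set dropped. It uses SHA-256 where the post used MD5 from fciv.exe, and the archives, script location and script lines below are constructed stand-ins.

```python
import difflib
import hashlib
import io
import zipfile


def digest_members(*sources):
    """Merge one or more zip archives into a {member name: SHA-256} map."""
    digests = {}
    for src in sources:
        with zipfile.ZipFile(src) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_filesets(repacked, official, ignore_prefix="META-INF/"):
    """Compare merged filesets, skipping signing metadata that differs by design."""
    a = {n: h for n, h in digest_members(*repacked).items() if not n.startswith(ignore_prefix)}
    b = {n: h for n, h in digest_members(*official).items() if not n.startswith(ignore_prefix)}
    return {
        "added": sorted(a.keys() - b.keys()),      # only in the repackaged set
        "missing": sorted(b.keys() - a.keys()),    # only in the official OTA
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def script_text(src, basename="update-script"):
    """Return the text of the first member whose file name matches basename."""
    with zipfile.ZipFile(src) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == basename:
                return zf.read(name).decode("utf-8", "replace")
    raise FileNotFoundError(basename)


def lines_dropped(official_script, repacked_script):
    """Lines present in the official script but absent from the repackaged one."""
    diff = difflib.ndiff(official_script.splitlines(), repacked_script.splitlines())
    return [line[2:] for line in diff if line.startswith("- ")]


def _make_zip(members):
    """Build an in-memory zip from {name: content} (helper for the sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf


# Constructed sample data: tiny stand-ins for the three archives in the post.
CHECK = 'assert(getprop("ro.product.device") == "cdma_shadow");'
EXTRACT = 'package_extract_dir("system", "/system");'
SCRIPT = "META-INF/update-script"  # constructed location, not taken from the OTA
SYSTEM = {"system/build.prop": b"ro.build.id=constructed", "system/bin/sh": b"\x7fELF-sh"}
RADIO = {"bp.img": b"baseband", "cdt.bin": b"cdt"}
ROOT = {"logwrapper/bin/logwrapper": b"lw", "root/app/Superuser.apk": b"apk",
        "root/bin/busybox": b"bb", "root/bin/su": b"su"}

OFFICIAL = _make_zip({**SYSTEM, **RADIO, SCRIPT: CHECK + "\n" + EXTRACT + "\n"})
PART1 = _make_zip({**SYSTEM, **ROOT, SCRIPT: EXTRACT + "\n"})
PART2 = _make_zip({**RADIO, "META-INF/MANIFEST.MF": b"constructed"})

if __name__ == "__main__":
    for kind, names in compare_filesets([PART1, PART2], [OFFICIAL]).items():
        print(kind, names)
    print("dropped:", lines_dropped(script_text(OFFICIAL), script_text(PART1)))
```

With real files, pass the archive paths instead of the in-memory buffers; a non-empty "changed" or "missing" list means the repackaged set is not simply the official OTA plus extra files.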
 
You've got too much time on your hands; go make us another app or something :p;):D
 
Upvote 0
LOL...yeah, I'm doing some of that, too! :p

My son was over today asking if I had heard any news about GB for his D2G and it got me thinking about what I posted above.

I don't know if p3droid is involved or interested in doing for the D2G what he's done for the DX, I wanted to really see what it might take.

The methodology of what I did is not really new or particularly difficult (AF members thenestor and erisuser1 did something very similar for some HTC Eris 2.1 updates last year) and the tools I used (fciv, Winmerge, winrar) didn't require me to bust into Linux for this.

Besides, it's a Saturday...got the lawn mowed before the rain came and I was just chilling here on AF :).

Cheers!
 
Upvote 0
i imagine he/tbh will be interested in doing something similar with the D2G...you might want to hit him up on Twitter...

although he might be in a bad mood right now...because apparently he got a leak of Gingerbread for the Fascinate...went out and actually bought a Fascinate to install it...then posted some pictures...got called a liar by some "high and mighties" in the Fascinate community and has now vowed to never release his leak of Gingerbread because of the way he was treated by them...
 
Upvote 0
The reason it's in two parts is because he actually installs the ota, flashes the root files on his unlocked dev phone, then makes a backup. That's part 1. Part 2 consists of the update elements not included in a nandroid backup.

So the real magic is that he has a dev phone. He can root any build just like you root the nexus.

Ah, that is interesting...

Although I'm thinking that it's not the Nandroid backup that is relevant for part2, but the files that are actually being installed in part2 (Nandroid backups are filesystem/partition inclusive...unless there's a way to specify what files should be excluded...).

I'm thinking that these might be key files that would be different between a Nexus and a Droid X? Dunno for sure...

Thank you for this.
 
Upvote 0
There are aspects of the update (rdl, bp, cdt, and a few others) that are not included in a nandroid. I'm not positive what all of them are for, but I believe a couple are what let the bootloader verify the system. He just pulls these from the update and puts them in a zip. I don't believe they're all written to the primary partition. Nvram maybe?
 
Upvote 0
Yes, the bp.img, cdrom, cdt.bin, device_tree.bin, logo.bin, metadata.gpb, and rdl.bin are the only things in the part2.zip, so your line of thought made me think that he'd have to update/replace what was built / backed-up on the dev phone with the proper ones for the X.

A (semi-quick) Google search pulled-back the veil a little bit re. this: I'm thinking that p3droid builds the part1.zip like you described (Nandroid backup, etc.) and then redacts the files listed above from the part1.zip file--because they will be flashed in the part2.zip file which is already pre-built specifically for the Droid X. These files appear to be very phone-specific:

partitions:cdt [And Developers]

and if they were grabbed in the dev (Nexus) phone's Nandroid backup, they'd probably have to be replaced with the proper ones for the DX.

Thank you again, Snow02. This was (is ;)) a very enlightening conversation and I appreciate your feedback. Please don't think I'm trying to argue with you or be contrary, I'm just trying to reverse-engineer what I think might have been done. Please let me know if you think I'm all-wet here (won't be the first time, LOL ;)).

Cheers!
 
Upvote 0
his dev phone is not really a Nexus device...it's a DX...it's silver i believe

Ah, thanks! Snow02 mentioned the Nexus, but he might have been speaking generally and I misunderstood.

Didn't know that the Droid X was available as a developer phone...:thinking:..unless he procured a R&D phone (which wouldn't surprise me).

Cheers!
 
Upvote 0
yeah...I'm not exactly sure how he came about getting it...but i know he has a Developer version of the X...I'm not positive about it being silver...but i swear i remember him tweeting something about it being silver once...

from what i understand it's the same phone...unlocked bootloader, and a different recovery system than ours...
 
Upvote 0
And back to the part 2 zip, he doesn't do anything other than pull those files straight from the update package and re-zip and sign them. That's it. The magic really is just the phone. I don't mean that to sound derogatory, he's done plenty of development to warrant recognition. But there's no mystery or dev tricks here I'm afraid.
 
Upvote 0
Interesting post, thanks for looking at them. I actually only recently re-downloaded them myself and was going to paw through them.

I've often wondered if there was a way to overwrite a stock X with an image from P3's phone. It wouldn't be done in software, of course, because of the locked bootloader, but there are usually contacts on the motherboard to serially write data to storage. It's not really scalable though, since it usually involves some precise soldering, so it still wouldn't have resulted in a mass unlocking of devices.
 
Upvote 0
Huh? The update files he releases are images from his phone. And if you're referring to attempting to copy his recovery and all in an attempt to unlock a stock phone, that still wouldn't work. If I'm not mistaken, the efuse in a dev model would not be programmed, or be programmed differently than a stock device. As that's a one time writable hardware key, there's no way around it.
 
Upvote 0
I know what his releases are, and I know that you can't simply overwrite the existing bootloader with his own through the software.

What I'm saying is, many embedded devices are given serial headers somewhere on their boards for the initial software images to be written to the device via simple protocols - or for devices with completely corrupt software to be recovered - and this often bypasses any sanity checks on the device since they're designed to write directly to the memory. Now, these headers are often not exposed on the production devices and are simply traces on the PCB that go nowhere, but it's more expensive to do a different run of the boards so they just stop adding the actual headers and leave the exposed traces.

Simply idle speculation is all.
 
Upvote 0
My wife has a D2G as well so I was hoping that TBH would do something, but if you come up with anything as well it would be great if you would let me know as well. Thanks
 
Upvote 0
Will do :).

My son's phone is simply rooted and we haven't installed D2 Bootstrap or anything to make a Nandroid backup (yet). I do think I've got at least one .sbf file for his phone laying-around somewhere, just in case I do try this on his phone (he's been a valuable tester for my BattMonX app and loves the root-only LED-is-always-on feature). It's hard enough keeping up with my DX to really R&D his D2G ;).

I'll let you know if anything comes of this, but the concept of building the two-part .zip files seems straight-forward enough.

Cheers!
 
Upvote 0
I have the D2G SBF file if you need it, let me know, as I, too have a D2G that could use some GB to fix the issues it has (my wife thanks you in advance...)
http://www.megaupload.com/?d=3VV4AICS
 
Upvote 0
Thanks! If there's been only one .sbf published for it, then that's the one I snagged way back when (just in case, eh? ;)).

We'll have to see how this all unfolds and I would certainly "let" an experienced team like p3droid/TBH take a crack at it before I did ;). VZW/Moto still have yet to release the OTA...then it will have to be captured (I'll have to coordinate with my son to do that), etc. I'll certainly keep an eye out...would be cool to do.

Cheers!
 
Upvote 0
Give him some time to cool off. For every a$$hole there are 3 people with respect for his work that really want to try his stuff out.
 
Upvote 0
