Analysis of root cracking principles in Android

Source: Internet
Author: User


Currently, rooting (root cracking) an Android phone is a basic skill, and there are plenty of one-click rooting tools on the Internet that make it easier and easier. But have you ever thought about how root cracking actually works? What is its essence? Does it rely on a Linux kernel vulnerability? This article analyzes the principle behind root cracking.

There is an article on the Internet that briefly introduces the basic principle of root cracking; you can read "Android root privilege cracking analysis" first. That article only gives a brief description of the root principle and is not clear on some specific points, so this article makes the necessary extensions and supplements to it.

If you have written a program that needs root on a rooted phone, the code for obtaining root permission looks like this:

   import java.io.DataOutputStream;
   import java.io.IOException;

   // Spawn su; on a rooted phone this SUID binary hands the child a root shell.
   Process process = Runtime.getRuntime().exec("su");
   DataOutputStream os = new DataOutputStream(process.getOutputStream());
   ......   // commands to be executed as root are written to os here
   os.writeBytes("exit\n");
   os.flush();

From the code above, we can see that the su program must be run first. In fact, all the secrets of root are in the su program. "Android root privilege cracking analysis" explains that the default su program of the Android system can only be run by the root and shell users, which is safe. Removing this restriction is what root cracking is!

Next, we will analyze how the program obtains root permission. If you are familiar with the Linux su command, you may know that the su program has the SUID bit set. Let's check the permission settings of su on my mobile phone (which has been rooted):

We found that the owner and group of su are both root, and that su is actually a soft link to busybox. Checking the attributes of busybox, we found that the SUID and SGID bits are set and that its owner and group are root. What do SUID and SGID do? If you are not sure, refer to the real user ID and effective user ID of a Linux process. Because of these bits, an ordinary user who runs busybox has an effective user ID of root while busybox is running. What su does is start a new program and raise its privileges to root (as mentioned above, su is actually busybox, which runs as root, so it naturally has the privilege to raise its own privileges).

Note that SUID must be set on su on a rooted phone, and the SUID bit is set on every su program on a Linux system as well. Compare the permissions of su on the UC server:

We found that this su also has the SUID bit set. An ordinary user can therefore run su, and su verifies the root password; if the password is correct, su elevates the user to root (because the SUID bit is set, su runs as root and therefore has the privilege to raise its own privileges).


From this we can see that the principle of rooting an Android system is to replace the su program in the system. The default su program checks the real user ID of the caller (only the root and shell users are permitted to run the system's default su; any other user gets an error). The cracked su no longer checks the real user ID, so an ordinary user can run it and use it to escalate privileges.


At this point, root cracking should no longer be confusing. Root cracking does not exploit any Linux kernel vulnerability (the Linux kernel cannot have such a large hole). It can be understood as planting a trojan su in your system. We call it a trojan because, if a malicious program runs on the system and can use su to escalate its privileges, the result is disastrous. In general, a rooted phone comes with a Superuser application that lets the user manage which programs are allowed to obtain root permission. That is also a safeguard for the system!

The above is Simon's personal understanding of root cracking. If there are any mistakes, you are welcome to correct them.
