Z4root Source Code Reading Note 1

1. First, locate the main Java class from the manifest. xml file. The main code of the file is as follows:

 <application android:icon="@drawable/z4small"                android:label="@string/z4root">                <activity android:name="z4root" android:theme="@style/Theme"                        android:launchMode="singleInstance" android:label="z4root"                        android:finishOnTaskLaunch="true" android:multiprocess="true"                        android:process=":three" android:screenOrientation="portrait">                        <intent-filter>                                <action android:name="android.intent.action.MAIN" />                                <category android:name="android.intent.category.LAUNCHER" />                        </intent-filter>                </activity>                <activity android:name="Phase1" android:theme="@style/Theme"                        android:launchMode="singleInstance" android:label="Phase1"                        android:finishOnTaskLaunch="true" android:multiprocess="true"                        android:process=":three" android:screenOrientation="portrait">                </activity>                <activity android:name="Phase2" android:theme="@style/Theme"                        android:launchMode="singleInstance" android:label="Phase2"                        android:finishOnTaskLaunch="true" android:multiprocess="true"                        android:process=":two" android:screenOrientation="portrait">                </activity>                <activity android:name="PhaseRemove" android:theme="@style/Theme"                        android:launchMode="singleInstance" android:label="PhaseRemove"                        android:finishOnTaskLaunch="true" android:multiprocess="true"                        android:process=":four" android:screenOrientation="portrait">                </activity>

The main classes are z4root. Java, phase1.java, and phase2.java, which are used to implement one-time root and permanent root functions.

2. Enter z4root. java.

The oncreate () method defines the listener method for the three buttons: rootbutton. setonclicklistener (New onclicklistener (), temprootbutton. setonclicklistener (New onclicklistener (), unrootbutton. setonclicklistener (New onclicklistener (). The three buttons correspond to one root, permanent root, and root cancellation on the program running interface. I only care about the root process, that is, the first two methods. From the code, we can see that they all call intent.
I = new intent (z4root. This, phase1.class); startactivity (I); load the activity phase1.

The difference is that sharedpreferences settings = getsharedpreferences (prefs_name, 0 );
Sharedpreferences. Editor editor = settings. Edit ();
Editor. putint (prefs_mode, mode_permroot );

Different input parameters are used to distinguish temporary root, permanent root, and cancel root (mode_temproot = 1, mode_permroot = 0, mode_unroot = 2 ).

Explanation of the above three lines of code: sharedpreferences is an interface used to access and modify software configuration parameter data,

1. getsharedpreferences (prefs_name, 0); returns the sharedpreferences attribute value, prefs_name = "z4rootprefs", an application of a file. If this file is not available, it is created.

2. Edit () modifies the sharedpreferences attribute value and takes effect after submission. Prefs_mode = "rootmode"

protected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);boolean AdsEnabled = settings.getBoolean(PREFS_ADS, true);if (AdsEnabled) {setContentView(R.layout.z4rootwadd);} else {setContentView(R.layout.z4root);}rootbutton = (Button) findViewById(R.id.rootbutton);unrootbutton = (Button) findViewById(R.id.unrootbutton);detailtext = (TextView) findViewById(R.id.detailtext);temprootbutton = (Button) findViewById(R.id.temprootbutton);rootbutton.setOnClickListener(new OnClickListener() {@Overridepublic void onClick(View v) {if (disabled)return;disabled = true;Intent i = new Intent(z4root.this, Phase1.class);SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);SharedPreferences.Editor editor = settings.edit();editor.putInt(PREFS_MODE, MODE_PERMROOT);editor.commit();startActivity(i);finish();}});temprootbutton.setOnClickListener(new OnClickListener() {@Overridepublic void onClick(View v) {if (disabled)return;disabled = true;Intent i = new Intent(z4root.this, Phase1.class);SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);SharedPreferences.Editor editor = settings.edit();editor.putInt(PREFS_MODE, MODE_TEMPROOT);editor.commit();startActivity(i);finish();}});unrootbutton.setOnClickListener(new OnClickListener() {@Overridepublic void onClick(View v) {if (disabled)return;disabled = true;Intent i;if (forceunroot) {i = new Intent(z4root.this, Phase1.class);SharedPreferences settings = getSharedPreferences(PREFS_NAME, 0);SharedPreferences.Editor editor = settings.edit();editor.putInt(PREFS_MODE, MODE_UNROOT);editor.commit();} else {i = new Intent(z4root.this, PhaseRemove.class);}startActivity(i);finish();}});new Thread() {public void run() {dostuff();};}.start();}

3. phase1.java

Phase1 is the main class in the activity. Use the run () method in the oncreate () method to call the all stuff () method. This should be the key way to implement root.

public void dostuff() {PowerManager pm = (PowerManager) getSystemService(POWER_SERVICE);wl = pm.newWakeLock(PowerManager.FULL_WAKE_LOCK | PowerManager.ACQUIRE_CAUSES_WAKEUP | PowerManager.ON_AFTER_RELEASE, "z4root");wl.acquire();saystuff("Saving required file...");try {SaveIncludedFileIntoFilesFolder(R.raw.rageagainstthecage, "rageagainstthecage", getApplicationContext());} catch (Exception e1) {// TODO Auto-generated catch blocke1.printStackTrace();}final int[] processId = new int[1];final FileDescriptor fd = Exec.createSubprocess("/system/bin/sh", "-", null, processId);Log.i("AAA", "Got processid: " + processId[0]);final FileOutputStream out = new FileOutputStream(fd);final FileInputStream in = new FileInputStream(fd);// final int[] processId_t = new int[1];// final FileDescriptor fd_t = Exec.createSubprocess("/system/bin/sh",// "-", null, processId_t);// Log.i("AAA", "Got processid_t: " + processId_t[0]);//// final FileOutputStream out_t = new FileOutputStream(fd_t);// final FileInputStream in_t = new FileInputStream(fd_t);new Thread() {public void run() {byte[] mBuffer = new byte[4096];// byte[] mBuffer_t = new byte[4096];int read = 0;while (read >= 0) {try {read = in.read(mBuffer);String str = new String(mBuffer, 0, read);Log.i("AAA", str);if (str.contains("Forked")) {Log.i("BBB", "FORKED FOUND!");saystuff("Forking completed");Intent intent = new Intent(getApplicationContext(), AlarmReceiver.class);PendingIntent sender = PendingIntent.getBroadcast(getApplicationContext(), 0, intent, 0);// Get the AlarmManager serviceAlarmManager am = (AlarmManager) getSystemService(ALARM_SERVICE);// for (int i=5;i<120;i+=15) {Calendar cal = Calendar.getInstance();cal.add(Calendar.SECOND, 5);am.set(AlarmManager.RTC_WAKEUP, cal.getTimeInMillis(), sender);// }// Get the AlarmManager servicesaystuff("Aquiring root shell...");wl.release();Thread.sleep(20000);finish();return;}if (str.contains("Cannot find adb")) {runOnUiThread(new Runnable() {@Overridepublic void run() {showDialog(SHOW_SETTINGS_DIALOG);}});}} catch (Exception e) {read = -1;e.printStackTrace();}}};}.start();try {String command = "chmod 777 " + getFilesDir() + "/rageagainstthecage\n";out.write(command.getBytes());out.flush();command = getFilesDir() + "/rageagainstthecage\n";out.write(command.getBytes());out.flush();saystuff("Running exploit in order to obtain root access...");} catch (Exception ex) {ex.printStackTrace();}}