Slashdot Mirror


T-Mobile G2 'Permaroot' Achieved

VValdo writes "After over a month of relentless hacking, genius scotty2 has finally smashed the G2's notorious emmc-read-only-on-boot mechanism, which had been incorrectly characterized in the press as a 'rootkit.' The hack involves several steps — first achieving 'temp root' through a fork bomb exploit, then running a specially crafted kernel module that power-resets the read-only emmc to bring it up in read-write mode. Finally, the bootloader is re-flashed, which permanently removes the read-only on subsequent boots. The whole process is expected to be automated by tomorrow."

4 of 262 comments

  1. Re:Description makes the guy sound like a magician by tmzt · Score: 4, Informative

    You know what they say, irc logs are the first draft of history and they're linked from the wiki, so I'll make this brief. Scotty2, whose early successes include hacking the unhackable gsm RAZR, had a plan of attack that went directly for the eMMC chip through a kernel module. Though sidetracked by a month of other avenues, including the traditional radio and bootloader exploits, buffer overflows and the rest while building a war chest of knowledge about kernel modules (try building a kernel module for a kernel without source sometime) and patiently educating me (sometimes too patient), it came back to the same GPIO 88 that had been looked at a month earlier, and the same method. After the "hard reset" attempt of the eMMC module failed it was clear to him that only powering down the chip would allow the write protect to be disabled (or a reset line but that was either/both not connected or disabled in the eMMC's configuration). So the next month was spent trying to find a way to power down this chip. The reality is HTC was really clever and didn't actually use GPIO 88 itself in the traditional way, but instead used it as a pull down against the eMMC's power line (we think) so that changing the GPIO's configuration and not its level would reset the chip. This is exactly what HTC's bootloader does when it needs to disable the write protect. If you follow the IRC logs from last night you'll see that it was finally looking at what parameters were being passed to the gpio_config (name is guessed) function, which didn't make any sense for just switching the value of the GPIO line. I know, personally, I had fun and hope you can see that from all the source on github.com/tmzt which is scotty2's, mine, and others. It's all there for anyone who needs to get into a locked down kernel (tivoized) on ARM, so you don't have to start from scratch.

  2. Re:Forgive my ignorance... by colinnwn · Score: 4, Informative

    Allows you to run on the G2, non-T-Mobile versions of the Android operating system.

  3. Re:Why would you want this, again? by cbhacking · Score: 5, Informative

    Nokia N900. Debian Linux ported to ARM with a small-touchscreen-friendly interface. Comes with a terminal app; open that; type "su" and hit Enter. The default root password is publicly available (good idea to change it). People complain that its app store is lacking, and they're right, but they're also missing the point: the thing *runs desktop Linux*!
    It has repositories.
    sudo apt-get install <foo>
    You can even compile from source tarballs right on the phone, if you really want to / there's no pre-built binaries.

    The browser is Gecko-based, and includes Flash. You can install AdBlock Plus if you want. You can even install mobile Firefox and get the full Firefox experience, with extensions. You can also install other browsers, if you prefer. Nothing is stopping you.

    The main downside is that it's due for a refresh. The hardware runs the OS and apps fine, but it's not terribly impressive by modern smartphone measures.

    --
    There's no place I could be, since I've found Serenity...

  4. Re:this just encourages them by Miamicanes · Score: 4, Informative

    > All they really need is an indicator that it WAS hacked so they can choose to honor the warranty or not,

    For the record, in the United States, a consumer can't be coerced into disclaiming a manufacturer's warranty, and a manufacturer can't disclaim a warranty for mere breach of contractual terms (least of all a contract of adhesion) unless the breach involved non-payment for a service contract or the manufacturer can demonstrate that whatever it is that the consumer did WAS, in fact, the reason for the failure.

    It's called the Magnuson-Moss Warranty Act.

    Also, a few points that need to be repeated often:

    * Few phones truly get "bricked". 99% of the time, someone screws up a reflash, panics when it doesn't reboot, posts a few messages online, hits Google, then figures out 1-36 hours later that he needs to take out the battery, wait a minute or so, then power it back up with some nearly impossible combination of button-presses to trigger its REAL "last-chance" bootloader.

    * It's almost impossible to truly cause real, honest-to-god permanent hardware damage to a recent-vintage phone by reflashing. Worst-case, it might take a minimum-wage employee at an authorized repair center with a JTAG a few minutes to reflash it.