Android Root Note

How Apps Use Root Privilege

Apps use the following code to gain root privilege. Basically, a new root shell process is created with Runtime.getRuntime().exec("su"). Then commands are sent to the new process through stdin.

import java.io.DataOutputStream;
import java.io.IOException;
import java.io.OutputStream;

public class RootShell {
    public static void runAsRoot() throws IOException {
        // Spawn a root shell; su must be on the PATH and executable by the App.
        Process process = Runtime.getRuntime().exec("su");
        OutputStream stdin = process.getOutputStream();
        DataOutputStream os = null;
        try {
            // Commands are sent to the root shell through its stdin.
            os = new DataOutputStream(stdin);
            os.writeBytes("ls /data\n");
            os.writeBytes("exit\n");
            os.flush();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            // Close stdin so the shell sees EOF and terminates.
            if (os != null) {
                os.close();
            }
        }
    }
}

How Root is Achieved

Since Apps use su to gain root privilege, we need a su binary with the following requirements:

  • It exists. A su binary is not necessarily present on the device.
  • It is chmod 4755. Apps must be able to execute su, so the setuid bit has to be set.
  • SELinux is off. root can turn SELinux off with the command setenforce 0.
  • The uid check in the AOSP su is disabled. The su source code in AOSP contains the following check, which Apps cannot pass:
    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");

Even if su meets the above requirements, it is still possible that su doesn't work for Apps. For example, /system may be mounted nosuid for Apps. To bypass SELinux and other limitations, some su solutions start a root su daemon at boot time. When an App executes /system/xbin/su, /system/xbin/su accepts the commands and forwards them to the su daemon.
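As an added example (not code from the original note), a small POSIX shell audit that checks the su requirements listed above plus the nosuid caveat, written from the defender's side to tell whether a device or emulator is already rooted. The su path list and the SELinux flag path are assumptions; each check takes an optional argument so it can also be exercised on a host.

```shell
#!/bin/sh
# Assumed su locations to probe; extend the list for your own devices.
SU_PATHS="/system/xbin/su /system/bin/su /sbin/su /su/bin/su"

# Requirement 1: a su binary exists. Prints the first match; returns 1 if none.
find_su() {
    for p in ${1:-$SU_PATHS}; do
        if [ -f "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# Requirement 2: the setuid bit is set (chmod 4755 / 06755 in the rooting steps).
is_setuid() {
    [ -n "$(find "$1" -perm -4000 2>/dev/null)" ]
}

# Requirement 3: SELinux is not enforcing. Reads the kernel's enforce flag
# (assumed at /sys/fs/selinux/enforce on the device); "1" means enforcing.
# A missing or unreadable flag file is reported as "not confirmed off".
selinux_permissive() {
    f=${1:-/sys/fs/selinux/enforce}
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Caveat from the text: /system mounted nosuid neutralises a setuid su.
# Parses a /proc/mounts listing: field 2 is the mount point, field 4 the options.
system_nosuid() {
    awk '$2 == "/system" { print $4 }' "${1:-/proc/mounts}" | tr ',' '\n' | grep -qx nosuid
}

# Run all checks and print a short report; returns 0 when a su binary is found.
audit() {
    su=$(find_su "$1") || { echo "no su binary found: requirement 1 fails"; return 1; }
    echo "su found at $su"
    is_setuid "$su" && echo "  setuid bit set" || echo "  setuid bit NOT set"
    selinux_permissive "$2" && echo "  SELinux permissive" || echo "  SELinux enforcing (or flag missing)"
    system_nosuid "$3" && echo "  /system mounted nosuid (setuid su ineffective)" || echo "  /system allows setuid"
}
```

On a device, `adb shell sh audit.sh` (with the script pushed to /data/local/tmp) runs the checks against the real paths; `audit` with no arguments uses the defaults.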

How to Root an Emulator/Device with eng Build (works on Nougat)

  • Download SuperSU in ZIP format.
  • Start up the emulator with a writable system partition.
    emulator -avd [emulator_name] -writable-system
  • Unzip SuperSU. Take the su-related binaries for the correct architecture and put them in the right directories.
    adb root
    adb remount
    adb push {supsersu_path}/{architecture}/su /system/xbin/su # may need su.pie, adb push {supsersu_path}/{architecture}/su.pie /system/xbin/su
    adb push {supsersu_path}/{architecture}/supolicy /system/xbin
    adb push {supsersu_path}/{architecture}/libsupol.so /system/lib
    adb shell chmod 06755 /system/xbin/su
  • Start the su daemon.
    # in adb root shell
    adb shell /system/xbin/su --init
    adb shell /system/xbin/su --daemon
  • Turn off SELinux.
    # in adb root shell
    adb shell setenforce 0
  • Install the SuperSU App.
    adb install {supsersu_path}/common/Superuser.apk
  • Open the SuperSU App.
    • If it complains that the device is not rooted, you may have missed one of the previous steps. Check and do it again.
    • If it complains about an outdated su binary, you can ignore it. If you accept the su binary update, it is possible that your device can NOT boot up. If you decline the update, you need to turn off SELinux every time you reboot the device.
