Android privilege escalation and rooting


The company is starting a project to build its own payment SDK, so I have recently been researching material on Android privilege escalation and rooting. A rough summary follows.

What "root" means

Android ships with a number of security mechanisms, such as the permission model and process isolation (the sandbox); bypassing them takes a great deal of work.
A typical root tool consists of three parts: an exploit executable, an su binary, and Superuser.apk. The su file is an executable that responds to the user's "su" command.
On Linux you switch to root by entering the su command; the su binary lives in /system/bin. A stock Android system has no su binary, so simply placing one in that directory makes switching to root possible.
The /system partition is write-protected and ordinary users have no write access to it. Once the root exploit has run, the process holds temporary root privileges; it then uses a remount command to remount the system partition so that /system becomes writable, after which a file-copy command places the su binary in /system/bin and /system/xbin. Once su has been copied, any process can request root by invoking "su", even after the phone reboots. This su is a specially built binary: granting an app root access must be authorized through Superuser.apk, which is now maintained by the ChainsDD team.

In summary, today's mainstream root tools all copy the su binary into /system/xbin, change its owner to root, and use chmod to make it executable and set the setuid (s) bit.
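As an added example (not code from the original post), here is the kind of root-artifact check a payment SDK could run on a device, written as a POSIX shell script: it looks for the su binary in the directories the tools above drop it into, reports whether it carries the setuid bit, and checks /proc/mounts-style output to see whether /system has been remounted read-write. SYSTEM_ROOT is an assumed prefix (empty on a real device) that lets the same functions be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example: root-artifact check a payment SDK could run on a device.
# SYSTEM_ROOT is an assumed prefix (empty on a real device) so the functions
# can also be pointed at a constructed test tree.
SYSTEM_ROOT="${SYSTEM_ROOT:-}"

# Directories the root tools described above copy su into, plus a few other
# locations where a su binary is commonly placed.
SU_DIRS="/system/bin /system/xbin /sbin /system/sbin /vendor/bin"

# check_su_binaries: print one line per su binary found; return 0 if any
# was found, 1 if the device looks clean.
check_su_binaries() {
    found=1
    for d in $SU_DIRS; do
        f="$SYSTEM_ROOT$d/su"
        [ -e "$f" ] || continue
        found=0
        # A root-owned setuid su is the footprint left by the tools above
        # (chown root followed by chmod with the s bit).
        if [ -u "$f" ]; then
            echo "setuid su: $f"
        else
            echo "su present (no setuid): $f"
        fi
    done
    return $found
}

# check_system_rw: read /proc/mounts-format lines on stdin; return 0 if
# /system is mounted read-write (the remount step from the text), else 1.
check_system_rw() {
    awk '$2 == "/system" {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "rw") found = 1
         }
         END { if (found) exit 0; exit 1 }'
}

# On a device: sh rootcheck.sh --run (for example via adb shell).
if [ "${1:-}" = "--run" ]; then
    check_su_binaries || echo "no su binary found"
    check_system_rw < /proc/mounts && echo "/system is mounted read-write"
fi
```

Treat a hit as a signal to combine with other checks rather than proof on its own: a device can be rooted without an su binary in these paths, and a leftover su file can exist on a device that is otherwise locked down.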

Code backup

Source of the old z4root version:

https://github.com/huanxingxyz/z4root/tree/master/z4root-read-only

The exploits

Android versions and device models are heavily fragmented. Most mainstream root tools exploit vulnerabilities in the Linux kernel layer, and finding those bugs is genuinely skilled work.

psneuter

By scotty2; effect: root

https://github.com/tmzt/g2root-kmod/blob/master/scotty2/psneuter/psneuter.c

Exploid

By Stealth; effect: root

http://c-skills.blogspot.com/2010/07/android-trickery.html

GingerBreak

By Stealth; effect: root

http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html

KillingInTheNameOf

By Stealth; effect: root

http://c-skills.blogspot.com/2011/01/adb-trickery-again.html

Zimperlich

By Stealth; effect: root

http://c-skills.blogspot.com/2011/02/zimperlich-sources.html

Zergrush

By Revolutionary; effect: root

https://github.com/revolutionary/zergRush/blob/master/zergRush.c

Tacoroot

By jcase; effect: root

https://github.com/CunningLogic/TacoRoot

Nachoroot

By jcase; effect: root

https://github.com/CunningLogic/NachoRoot

Burritoroot

By jcase; effect: root

https://github.com/CunningLogic/BurritoRoot

Gorditaroot

By jcase; effect: install custom recovery or root

https://github.com/CunningLogic/GorditaRoot

Enchilada

By jcase; effect: root

https://github.com/CunningLogic/Enchilada

There are too many to write up one by one, so the rest are collected in the table below.

| Vulnerability / exploit name | Author | Effect (root, unlock, ...) | Link |
| --- | --- | --- | --- |
| psneuter | scotty2 | root | https://github.com/tmzt/g2root-kmod/blob/master/scotty2/psneuter/psneuter.c |
| Exploid | Stealth | root | http://c-skills.blogspot.com/2010/07/android-trickery.html |
| GingerBreak | Stealth | root | http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html |
| RageAgainstTheCage | Stealth | root | |
| KillingInTheNameOf | Stealth | root | http://c-skills.blogspot.com/2011/01/adb-trickery-again.html |
| Zimperlich | Stealth | root | http://c-skills.blogspot.com/2011/02/zimperlich-sources.html |
| Zergrush | Revolutionary | root | https://github.com/revolutionary/zergRush/blob/master/zergRush.c |
| Tacoroot | jcase | root | https://github.com/CunningLogic/TacoRoot |
| Nachoroot | jcase | root | https://github.com/CunningLogic/NachoRoot |
| Burritoroot | jcase | root | https://github.com/CunningLogic/BurritoRoot |
| Gorditaroot | jcase | install custom recovery or root | https://github.com/CunningLogic/GorditaRoot |
| Enchilada | jcase | root | https://github.com/CunningLogic/Enchilada |
| ZTERoot (Avail) | jcase | root | https://github.com/CunningLogic/ZTERoot |
| ZTERoot (Merrit) | jcase | root | http://forum.xda-developers.com/showthread.php?t=1714299 |
| LG ICS Root | jcase | root | http://forum.xda-developers.com/showthread.php?t=1912277 |
| DefyXT Root | jcase | root | http://forum.xda-developers.com/showthread.php?t=2031562 |
| Cyanide | jcase | root | https://github.com/CunningLogic/Cyanide |
| LG Optimus Logic | jcase | root | |
| LG Optimus Elite | jcase | root | http://www.androidpolice.com/2012/06/12/exclusive-how-to-root-the-virgin-mobile-lg-optimus-elite/ |
| Pantech | jcase | root | unpublished |
| HTC DNA | jcase | enable unlocking | http://forum.xda-developers.com/showthread.php?t=2011611 |
| HTC One X AT&T | jcase | root | http://www.androidpolice.com/2012/05/25/exclusive-how-to-root-the-att-htc-one-x-on-version-1-85-or-earlier/ |
| Hisense Pulse | cj_000 | root | |
| Generic LG | ? | root | unpublished |
| LG ADB Backdoor | Giantpune | root | |
| Poot | Giantpune | root | |
| Lit | Giantpune | root | |
| ZTE Backdoor | "Anonymous" | root | |
| HTC Eris 2.1 Root | wag3slav3 | install custom recovery ? | XDA Forums |
| Droid 3 Root | bliss | root | http://vulnfactory.org/blog/2011/08/25/rooting-the-droid-3/ |
| Motofail | bliss | root | http://vulnfactory.org/public/motofail_windows.zip |
| XYZ | bliss | root | http://vulnfactory.org/public/xyz_windows.zip |
| LG Spectrum Root | bliss | root | http://vulnfactory.org/public/spectrum_root_windows.zip |
| Megatron | bliss | root | http://vulnfactory.org/blog/2012/02/26/rooting-the-lg-thrill-optimus-3d/ |
| LG Esteem Root | bliss | root | http://vulnfactory.org/public/LG_Esteem_Root_v2_Windows.zip |
| Razr's Edge | bliss | root | http://vulnfactory.org/public/razrs_edge_windows.zip |
| Razr Blade | bliss | root | http://vulnfactory.org/public/razr_blade.zip |
| X-Factor | bliss | change CID | http://forum.xda-developers.com/showthread.php?t=1952038 |
| Samsung Admire Root | bliss | root | http://vulnfactory.org/blog/2011/09/12/rooting-the-samsung-admire/ |
| Thinkpad Tablet | bliss | root | http://vulnfactory.org/public/Thinkpad_Root_Windows.zip |
| Sony Tablet S | bliss | root | http://vulnfactory.org/blog/2012/02/08/rooting-the-sony-tablet-s/ |
| Xoomfail | bliss | root | http://vulnfactory.org/blog/2012/02/18/xoom-fe-stupid-bugs-and-more-plagiarism/ |
| Motofail2Go | bliss | root | http://vulnfactory.org/public/motofail2go_windows.zip |
| XPRT | bliss | root | http://vulnfactory.org/public/xprt_root_windows.zip |
| Nandpwn | bliss | root | https://github.com/djrbliss/revue/tree/master/nandpwn |
| Motochopper | bliss | root | http://vulnfactory.org/public/motochopper.zip |
| ADB Restore Root | bin4ry | root | |
| Exynos-abuse | alephzain | root | http://forum.xda-developers.com/showthread.php?t=2057818 |
| IconiaRoot | alephzain | root | http://forum.xda-developers.com/showthread.php?t=2048511 |
| fr3vo | Kevin Bruckert | root | |
| levitator | Jon Larimer, Jon Oberheide | root | http://jon.oberheide.org/files/levitator.c |
| mempodroid | saurik/zx2c4 | root | |
| asroot (Wunderbar?) | zinx | root | http://code.google.com/p/flashrec/source/browse/#svn%2Ftrunk%2Fandroid-root |
| Samsung Infuse 4G | Michael Coppola | root | http://www.poppopret.org/?p=22 |