After learning that yesterday's XYBoard root (which was thought to work on all Gingerbread/Honeycomb Moto devices) didn't play nice with Motorola's Xoom Family Edition, highly respected security researcher Dan Rosenberg decided to have a look, hoping to bring root back to the FE.

In a post to his blog earlier today, Rosenberg announced that he has found a working exploit for rooting the Xoom Family Edition. Rosenberg has again beaten others to the punch, namely a developer called Evil_DevNull, who Rosenberg calls out in the post for the alleged plagiarism of a previous FE exploit.

The post goes on to explain the "stupidest root ever," making clear a convenient vulnerability that was evidently begging to be exploited:

The first few arguments cmdclient supports are “ec_recovery”, “ec_btmac”, “ec_snid”, “ec_skunumber”, and “ec_imeiwithbarcode”. Each of these commands builds a command string using the second argument (such as “echo [arg] > /sys//EcControl/RecoveryMode”) and executes it using system(). These are all trivial command injection vulnerabilities: something like “cmdclient ec_skunumber ‘; [my cmd];’” works fine to execute arbitrary commands as root. Ok, device rooted, that was easy.

But one of the other cmdclient options was so ridiculous that it’s hard to believe it isn’t a deliberate backdoor. “cmdclient sys_open” will perform a “chmod 777 /data” and “chmod 777 /cache”, among a few other things, which obviously cripples the security of the device and allows gaining root yet again. They might as well rename the application “own_my_device_now”.

For those who may think they've just read a passage written in Greek, Rosenberg has made the exploit fairly user-friendly, offering script downloads at his blog. For more information, or to grab the download, just click through the source link below.

Source: Vulnfactory.org

Liam Spradlin
Liam loves Android, design, user experience, and travel. He doesn't love ill-proportioned letter forms, advertisements made entirely of stock photography, and writing biographical snippets.

  • https://twitter.com/#!/trter10 trter10

    Umm Liam, Evil's exploit was the FIRST XOOM FE EXPLOIT, he called him out for allegedly kanging an acer a500 exploit.... Get your facts straight before posting this stuff.

    • http://www.AndroidPolice.com Artem Russakovskii

      You should probably re-read Dan's post again. He calls out Evil for kanging the XOOM FE root, not the A500 root.

    • Justin Case

      Actually no, Evil re-used someone else's exploit.

      Dan's is a second exploit in the same binary as the first.

      Please, get your fact straight. Evil has to date, not produced an original exploit.

  • Yess

    Nice work. Finally someone that knows what he is doing.