Since Dan Rosenberg declared his intentions to stop publishing exploits for Motorola devices, fans of the OEM have been wondering if there will be much of a future within the modding community. While the distant future is still very foggy, Justin Case has come to the rescue with his own rooting method for Motorola's latest salvo of devices. His simple-to-use app roots the Moto X, Ultra, Mini, and Maxx.
I'm sure most of you are here to get your phone rooted, so let's go straight to the instructions. I will follow with a more in-depth explanation about how it works.
- Download the rooting app for the Moto X here, or for the Maxx/Mini/Ultra here. Be careful to get the right variant for your phone.
- Install it by typing:
'adb install -r motoroot.apk' (Note: filenames vary by device).
- Run the app on your device.
- Tap on the 'Setup' button and wait for the phone to reboot.
- Install SuperSU from the Play Store.
- Brag to your friends.
By the time you've completed all of these steps, you should be rocking a fully rooted phone. Pretty simple, right? Well, the process of building the hack was a lot trickier, but Justin was kind enough to share some more details of how it works.
A few exploits were used to make this rooting method happen. Like most devices, the first step is to work around the bootloader, as it write protects the /system partition to prevent tampering.
Typically, nothing is really allowed to write to /system outside of the bootloader and recovery. To gain access, Justin crafted an app to take advantage of the second "Master Key" exploit, which uses the signing key of a trusted application but installs modified code to gain system-level privileges. See, those things can be used for good. It's worth noting, since Justin's method currently makes use of this exploit, which was fixed by Google for Android 4.3, this specific rooting method will cease to work if the firmware is updated to the most recent version of the OS.
Thanks to the first exploit, Justin's app can now run as system. At this stage, the software prepares some files and configuration changes to help elevate the app from being a system user to a root user. If you're following along with the instructions above, this is when the phone reboots and the app must be reinstalled.
At this stage, the app moves on to establishing a more permanent root. To begin with, a small ext4 system image is placed in /data/xbin.img and mounted over the /system/xbin folder. The new folder contains everything that originally existed in /system/xbin, but also adds the necessary su and busybox binaries. To keep root locked in on subsequent reboots, Justin has the app listen for BOOT_COMPLETE, then re-mounts the new /system/xbin image. Due to the way the file is stored, wiping data or uninstalling the app will require re-rooting the device. Justin has also included options to disable and re-enable root if necessary.
Thanks to Dan's prior work and this contribution from Justin, virtually every major Motorola device can be rooted, and many of those can even be bootloader unlocked.
Unfortunately, this doesn't mean future devices - or even firmware updates - will enjoy the same treatment. So far, it appears that Motorola will remain fairly diligent about blocking most modding efforts, which may ultimately drive away anybody with the necessary skills. Ideally, Google's philosophy of openness will invade Motorola and unlockable bootloaders will become standard. Barring that, let's hope reasonable hacks keep emerging for some time.