That didn't take long. Just 2 days after Justin Case released a root method for the Moto X, Droid Ultra, Droid Mini, and Droid Maxx, he's already back with a hack that bypasses write protection. By disabling the write protection afforded by the bootloader, it becomes possible to flash 3rd-party ROMs, themes, and other mods. In other words, the floodgates are open for the modding community.

Much like MotoRoot, PwnMyMoto is packaged as a single app that must be sideloaded with adb. After running it and waiting through 2-3 reboots, your phone will be set up to boot into either the standard write-protected mode (recommended for daily use) or with write protection disabled. Let's start with the instructions and then we'll get into some details about how it works.

Do not use these mods on any device for which they are not intended! They are only for the Moto X, Droid Maxx, Droid Mini, and Droid Ultra.

Instructions

  1. Download PwnMyMoto to your computer. Get the Moto X version from here or the Droid Ultra/Mini/Maxx version from here.
  2. From the command line, install PwnMyMoto by typing: 'adb install -r <filename>.apk' (Note: replace filename with the version of PwnMyMoto you just downloaded)
  3. The Play Store and some virus scanners may detect PwnMyMoto as malicious software. Just acknowledge the risk and allow it to be installed.
  4. Tap the button.
  5. Wait while the phone reboots 2-3 times.
  6. Install SuperSU from the Play Store.
  7. Be Awesome!

The apk will uninstall itself after everything is complete.

left: PwnMyMoto screenshot, right: write protection is disabled

At this stage, your phone is ready to go. This hack will change the behavior of your phone in a fairly specific way. When the phone boots normally, it will be write protected like always. However, booting into recovery will now boot into Android, but with full write access to /system. While custom recoveries still can't be flashed to the recovery partition (more on that in a bit), they will be able to hook into the boot process and act just like normal, from the user's perspective. At the time of this writing, custom recoveries are still in development, but expected soon.

From your computer, you can always find out which mode you are in by typing 'adb shell getprop ro.boot.write_protect'. If it returns a 0, write protection is disabled; otherwise, /system is protected.

Unlike MotoRoot, PwnMyMoto is a complete rooting solution and doesn't rely on any hacks to keep superuser functional. This means you are free to wipe data (factory reset) without having to re-root each time.

How It Works

With the MotoRoot hack, we caught a glimpse of some of the interesting exploits that went into getting everything working. This time around, a little more time and a bit of luck made for a much more elegant solution. Again, the second "Master Key" exploit makes an appearance to gain system-level access, this time followed by a symlink attack to achieve root access.

This is where things get really interesting. It turns out that Motorola signed the boot.img and the recovery image with the same key, yet never checks which image is loaded into which partition. This creates an excellent opportunity, as it allows the boot.img to be written into the recovery partition. At first, this doesn't seem like a very useful option, except that one of the features of booting to recovery is that write protection is automatically disabled. PwnMyMoto creates a backup of the recovery image (storing it in /sdcard/recovery-stock.img for safekeeping), and overwrites that partition with the boot.img. With this configuration, restarting the phone into recovery launches the Android OS with full write access.
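
The verification gap described above, as a small model added here for illustration (it is not PwnMyMoto's or Motorola's code): a check that only proves an image is vendor-signed accepts boot.img in the recovery slot, while a check that binds the signature to the partition role rejects it. The key, image bytes and function names are constructed, and HMAC-SHA256 stands in for the bootloader's asymmetric signature.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor signing key. A real bootloader verifies an
# asymmetric signature; HMAC-SHA256 is swapped in to keep the model stdlib-only.
VENDOR_KEY = b"constructed-demo-key"


def sign(image: bytes, role: bytes = b"") -> bytes:
    """Sign an image; a non-empty role binds the signature to one partition."""
    return hmac.new(VENDOR_KEY, role + b"\x00" + image, hashlib.sha256).digest()


def verify_unbound(image: bytes, sig: bytes, partition: str) -> bool:
    """Behaviour described above: authenticity only, the partition is ignored."""
    return hmac.compare_digest(sign(image), sig)


def verify_bound(image: bytes, sig: bytes, partition: str) -> bool:
    """Hardened check: the signature must cover the partition being booted."""
    return hmac.compare_digest(sign(image, partition.encode()), sig)


def boot_matrix() -> dict:
    """Try every (image, slot) pairing under both verification policies."""
    images = {"boot": b"constructed boot.img bytes",
              "recovery": b"constructed recovery.img bytes"}
    results = {}
    for signed_as, image in images.items():
        for slot in images:
            results[(signed_as, slot)] = (
                verify_unbound(image, sign(image), slot),
                verify_bound(image, sign(image, signed_as.encode()), slot),
            )
    return results


if __name__ == "__main__":
    for (signed_as, slot), (unbound, bound) in boot_matrix().items():
        print(f"{signed_as}.img in {slot} slot: unbound={unbound} bound={bound}")
```

Only the bound policy distinguishes a correctly placed image from a correctly signed one; both policies still reject an image whose contents were altered.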

From here, PwnMyMoto simply re-roots and writes su to the system partition permanently.

Since the recovery partition itself can't be used for its intended purpose, an alternate solution is necessary to achieve the traditional effect. For this, Justin is supporting Hashcode's Safestrap, which is capable of hijacking the boot process and launching a custom recovery located elsewhere.

In Closing

To be fair, this still isn't quite as perfect as having an unlocked bootloader, which would make it possible to replace the boot.img and recovery with unsigned versions, but it's definitely enough to break ground on all of the fun things that go beyond simply rooting or relying on a hijack recovery for loading 3rd-party ROMs. Ultimately, this brings the latest round of Motorola devices into the fold, possibly giving them a life outside of just the OEM experience. Now, we can look forward to what the community can do with this new level of access, as I suspect quite a few people are excited to start digging.