16 Sep

That didn't take long. Just 2 days after Justin Case released a root method for the Moto X, Droid Ultra, Droid Mini, and Droid Maxx, he's already back with a hack that bypasses write protection. By disabling the write protection afforded by the bootloader, it becomes possible to flash 3rd-party ROMs, themes, and other mods. In other words, the flood gates are open for the modding community.

Much like MotoRoot, PwnMyMoto is packaged as a single app that must be sideloaded with adb. After running it and waiting through 2-3 reboots, your phone will be set up to boot into either the standard write-protected mode (recommended for daily use) or with write protection disabled. Let's start with the instructions and then we'll get into some details about how it works.

Disclaimer: Android Police isn't responsible for any harm to your device - proceed at your own risk.

Do not use these mods on any device for which they are not intended! They are only for the Moto X, Droid Maxx, Droid Mini, and Droid Ultra.

Instructions

  1. Download PwnMyMoto to your computer. Get the Moto X version from here or the Droid Ultra/Mini/Maxx version from here.
  2. From the command line, install PwnMyMoto by typing:
    'adb install -r <filename>.apk' (Note: replace <filename> with the name of the PwnMyMoto apk you just downloaded)
  3. The Play Store and some virus scanners may detect PwnMyMoto as malicious software. Just acknowledge the risk and allow it to be installed.
  4. Tap the button.
  5. Wait while the phone reboots 2-3 times.
  6. Install SuperSU from the Play Store.
  7. Be Awesome!

The apk will uninstall itself after everything is complete.

left: PwnMyMoto screenshot, right: write protection is disabled

At this stage, your phone is ready to go. This hack will change the behavior of your phone in a fairly specific way. When the phone boots normally, it will be write protected like always. However, booting into recovery will now boot into Android, but with full write access to /system. While custom recoveries still can't be flashed to the recovery partition (more on that in a bit), they will be able to hook into the boot process and act just like normal, from the user's perspective. At the time of this writing, custom recoveries are still in development, but expected soon.

From your computer, you can always find out which mode you are in by typing 'adb shell getprop ro.boot.write_protect'. If it returns a 0, write protection is disabled; otherwise, /system is protected.

Unlike MotoRoot, PwnMyMoto is a complete rooting solution and doesn't rely on any hacks to keep superuser functional. This means you are free to wipe data (factory reset) without having to re-root each time.

How It Works

With the MotoRoot hack, we caught a glimpse of some of the interesting exploits that went into getting everything working. This time around, a little more time and a bit of luck made for a much more elegant solution. Again, the second "Master Key" exploit makes an appearance to gain system-level access, this time followed by a symlink attack to achieve root access.

This is where things get really interesting. It turns out that Motorola signed the boot.img and recovery with the same key, yet never checks to determine which is loaded into each partition. This creates an excellent opportunity, as it allows the boot.img to be written into the recovery partition. At first, this doesn't seem like a very useful option, except that one of the features of booting to recovery is that write protection is automatically disabled. PwnMyMoto creates a backup of the recovery image (storing it in /sdcard/recovery-stock.img for safe keeping), and overwrites that partition with the boot.img. With this configuration, restarting the phone into recovery launches the Android OS with full write access.
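The verification gap described above, modelled as an added example (this is not Motorola's bootloader code, and the HMAC tag, key and image contents are constructed stand-ins for the real signature scheme): the flawed check only asks whether an image carries a valid OEM signature, so a boot.img sitting in the recovery partition passes; the hardened check also binds the signed image role to the partition it was read from.

```python
import hashlib
import hmac

# Constructed stand-in for the OEM signing key. A real bootloader verifies an RSA/ECDSA
# signature; an HMAC tag is enough to model "both images are signed with the same key".
OEM_KEY = b"constructed-oem-signing-key"


def sign_image(role: str, payload: bytes) -> dict:
    """Build a signed image: a header naming the intended partition plus the payload.
    The tag covers both, so the role cannot be relabelled after signing."""
    body = role.encode() + b"\0" + payload
    tag = hmac.new(OEM_KEY, body, hashlib.sha256).digest()
    return {"role": role, "payload": payload, "tag": tag}


def tag_valid(image: dict) -> bool:
    body = image["role"].encode() + b"\0" + image["payload"]
    expected = hmac.new(OEM_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(image["tag"], expected)


def verify_unbound(partition: str, image: dict) -> bool:
    """The check the article describes: 'is this signed with our key?' and nothing
    more. Any validly signed image passes, whichever partition it was read from."""
    return tag_valid(image)


def verify_bound(partition: str, image: dict) -> bool:
    """Hardened check: the signature must verify AND the signed role must match the
    partition being booted, so boot.img cannot stand in for recovery."""
    return tag_valid(image) and image["role"] == partition


# Constructed sample images standing in for boot.img and the stock recovery image.
BOOT_IMG = sign_image("boot", b"kernel+ramdisk, normal boot")
RECOVERY_IMG = sign_image("recovery", b"recovery kernel+ramdisk")


def bootloader_outcome(verify, partition: str, image: dict) -> str:
    """What the bootloader does with `image` found in `partition`. Mirrors the article:
    booting from the recovery partition drops write protection, whatever lives there."""
    if not verify(partition, image):
        return "refuse"
    return "boot(write_protect=0)" if partition == "recovery" else "boot(write_protect=1)"
```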

From here, PwnMyMoto simply re-roots and writes su to the system partition permanently.

Since the recovery partition itself can't be used for its intended purpose, an alternate solution is necessary to achieve the traditional effect. For this, Justin is supporting Hashcode's Safestrap, which is capable of hijacking the boot process and launching a custom recovery located elsewhere.

In Closing

To be fair, this still isn't quite as perfect as having an unlocked bootloader, which would make it possible to replace the boot.img and recovery with unsigned versions, but it's definitely enough to break ground on all of the fun things that go beyond simply rooting or relying on a hijacked recovery for loading 3rd-party ROMs. Ultimately, this brings the latest round of Motorola devices into the fold, possibly giving them a life outside of just the OEM experience. Now, we can look forward to what the community can do with this new level of access, as I suspect quite a few people are excited to start digging.

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • tanknspank

    Very interesting how it was achieved. I knew most of those words, so good explanation!

  • sourabh

    Has there ever been a phone that hasn't been rooted?
    The Dev community is amazing.

  • Gnex

    My Verizon Moto X is bloat free and running the AOSP browser. Justin really is a boss.

  • Air2004

    Can you please make this work on the sprint photon 4g

    • http://www.androidpolice.com/ Artem Russakovskii

      And the Droid please.

  • Steve Freeman

    Well...this definitely changes my opinion of the Maxx. If it turns out (which I'm assuming it will) that the next Nexus doesn't come to Verizon, I'll very likely get the Maxx!

    • Barnassey

      Google learned from their last Nexus experience with Verizon. The next Nexus will NEVER come to Verizon again.

      • Steve Freeman

        Unless something official comes out saying that, all we have are assumptions. Granted, they're good assumptions, and probably correct. But you know what they say..."don't assume things, dumbass".

        • Barnassey

          Well as the zenmaster says "we'll see".

      • nerdwaller

        I am considering switching to ATT for this reason... but ATT doesn't seem to be as quality of service unfortunately. Now to convince the mrs.

  • Casen Brashear

    What are the odds that Googlrola left these phones with a relatively easy root method as a big f-off to Verizon and ATT?

    • Scott Kaforey

      Pretty slim, as Google has already patched the bug in AOSP. This just made good use of a potentially dangerous bug in the Android software (masterkey)

      • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

        I also have my doubts that this was intentionally done by Google/Motorola, but it's not impossible. It's very likely the use of the same signing key for both the recovery and boot image was an oversight. We'll never know for sure...

        I can't really speak for Justin on the use of the second master key exploit, but I believe he chose it for two reasons:

        First, specifically because it is already patched in 4.3. Why use something that may not be public knowledge or could draw attention to something that could be used in the future? Besides, after these phones start getting updates to 4.3+, it's possible (read: almost certain) that more than just this particular exploit will have been patched.

        Second, for packaging purposes. A lot of rooting exploits require active use of a computer and a few terminal commands in the middle of the process. Sure, the first install step here uses a computer, but the app is free and clear to operate on its own for the rest.

    • mgamerz

      That would be pretty stupid. You don't make software that is purposely insecure. It might be fun for tinkers but as a programmer doing something like that guarantees you don't keep your job.

      Edit: Unless you're the NSA, then that is your job

  • Jordan Barrett

    If you rooted with the first way, installing the apk says "an existing package by the same name with a conflicting signature is already installed." I unrooted, restarted, and tried the apk again and it still says the same thing. Not sure how to use this updated root. Am I missing something obvious?

    • nerdwaller

      I had this same issue, but I was using their bad link (to the Ultra/Maxx page instead of the MotoX page).

  • nerdwaller

    You have the link for the MotoX to the wrong page (right now it is taking you to the Maxx/Mini). The correct link is: http://forum.xda-developers.com/showthread.php?t=2444957

  • http://about.me/doitdude.social.media Gregory Garvin

    This does not work on my device. I am using ATT as my cell provider. The PwnMyMoto says app does not install. Anyone with experience doing this or a work around? The instructions on the MotoX website do not seem to work either.

  • wallymann

    What's the status of the PwnMyMoto apk for the Maxx? I'm trying to install and I get this error:

    pkg: /data/local/tmp/PwnMyMoto-1.4.3-Droid.apk
    Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

    I've googled and can find no mention of a signed version being posted anywhere on the interwebs. Looking for suggestions to get my Maxx rooted.
