After learning that yesterday's XYBoard root (which was thought to work on all Gingerbread/Honeycomb Moto devices) didn't play nice with Motorola's Xoom Family Edition, highly respected security researcher Dan Rosenberg decided to have a look, hoping to bring root back to the FE.
In a post to his blog earlier today, Rosenberg announced that he has found a working exploit for rooting the Xoom Family Edition. Rosenberg has again beaten others to the punch, namely a developer called Evil_DevNull, whom Rosenberg calls out in the post for the alleged plagiarism of a previous FE exploit.
The post goes on to explain the "stupidest root ever," describing a convenient vulnerability that was evidently begging to be exploited:
The first few arguments cmdclient supports are “ec_recovery”, “ec_btmac”, “ec_snid”, “ec_skunumber”, and “ec_imeiwithbarcode”. Each of these commands builds a command string using the second argument (such as “echo [arg] > /sys//EcControl/RecoveryMode”) and executes it using system(). These are all trivial command injection vulnerabilities: something like “cmdclient ec_skunumber ‘; [my cmd];’” works fine to execute arbitrary commands as root. Ok, device rooted, that was easy.
But one of the other cmdclient options was so ridiculous that it’s hard to believe it isn’t a deliberate backdoor. “cmdclient sys_open” will perform a “chmod 777 /data” and “chmod 777 /cache”, among a few other things, which obviously cripples the security of the device and allows gaining root yet again. They might as well rename the application “own_my_device_now”.
For those who may think they've just read a passage written in Greek, Rosenberg has made the exploit fairly user-friendly, offering script downloads at his blog. For more information, or to grab the download, just click through the source link below.
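The command-injection pattern Rosenberg describes, next to a hardened form, as an added example (not code from Rosenberg's post or from Motorola's cmdclient). The function names, the 32-character alphanumeric allowlist and the /tmp/demo_node path are assumptions made for illustration.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: the argument is pasted into a shell command line.
 * Only the string is built here; passing it to system() lets the shell parse it. */
int build_shell_cmd(char *out, size_t n, const char *arg, const char *path)
{
    return snprintf(out, n, "echo %s > %s", arg, path);
}

/* Fix, part 1: allowlist. Accept 1..32 ASCII letters/digits (assumed format). */
int is_safe_value(const char *arg)
{
    size_t len = strlen(arg);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)arg[i]))
            return 0;
    return 1;
}

/* Fix, part 2: write the value with open()/write() so no shell is involved.
 * Returns 0 on success, -1 if the value is rejected or the write fails. */
int write_setting(const char *path, const char *value)
{
    if (!is_safe_value(value))
        return -1;
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, value, strlen(value));
    close(fd);
    return (w == (ssize_t)strlen(value)) ? 0 : -1;
}

int main(void)
{
    char cmd[128];
    /* Constructed input containing a shell metacharacter; path is hypothetical. */
    build_shell_cmd(cmd, sizeof cmd, "A; id", "/tmp/demo_node");
    printf("shell would see: %s\n", cmd);
    printf("allowlist verdict: %d\n", is_safe_value("A; id"));
    return 0;
}
```

A privileged helper that writes the node directly and rejects anything outside the expected format never hands caller-controlled text to a shell, which is the flaw in the quoted ec_* commands.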