A brief analysis of Android Root, do you understand?


This article is reprinted from the WeChat public account "Lazy Programming" (author: ayuliao). Please contact the Lazy Programming public account for permission to reprint.

I have been studying Android reverse engineering recently, which involves rooting Android. There are many ways to root, and this article briefly summarizes them.

This is a popular-science article with no code-level analysis.

Android Root Core Principles

The Android kernel is Linux, so for Android to obtain root privileges is equivalent to obtaining root privileges on the underlying Linux system.

Anyone who has used Linux knows that root privileges can be obtained through sudo or su. The difference is that sudo obtains root privileges temporarily (for a single command), while su obtains them permanently (for the rest of the session).

Root privileges are dangerous: a root user can delete any file, and if a core Android system file is deleted by mistake the phone will no longer work normally. To avoid this, Android phones do not provide a way to enter root by default; in other words, they lack the su program.

To give Android root privileges, you first need to compile the su program, copy it into a directory on the PATH (environment variable), and give the su file execute permission.

The PATH for Android phones is:

  1. /sbin
  2. /vendor/bin
  3. /system/sbin
  4. /system/bin
  5. /system/xbin

During a root operation the su file is usually placed in the /system/xbin directory, so that after connecting to the phone through adb shell you can switch to root with the su command.
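The flip side of the PATH list above is a root check: a defender can look for an executable su in exactly those directories. The script below is an added example, not code from the original article; the PREFIX argument is an assumption so the same function can be run against a mounted image or a test tree instead of a live device.

```shell
#!/bin/sh
# Added example: defender-side root check based on the Android PATH
# directories listed in the article. Not part of the original post.

# The directories the article names as Android's PATH.
ANDROID_SU_DIRS="/sbin /vendor/bin /system/sbin /system/bin /system/xbin"

# find_su_binaries PREFIX
# Looks for a file named su in each PATH directory under PREFIX (empty
# PREFIX = the live filesystem). Prints each hit and whether it is
# executable. Returns 0 if at least one executable su exists, meaning the
# device looks rooted; returns 1 otherwise.
find_su_binaries() {
    prefix="${1:-}"
    found=0
    for dir in $ANDROID_SU_DIRS; do
        candidate="$prefix$dir/su"
        if [ -f "$candidate" ]; then
            if [ -x "$candidate" ]; then
                echo "executable su: $candidate"
                found=1
            else
                # Present but not executable: still worth reporting,
                # since a root tool may have failed halfway.
                echo "su present but not executable: $candidate"
            fi
        fi
    done
    [ "$found" -eq 1 ]
}

# count_executable_su PREFIX
# Prints how many executable su binaries sit in the PATH directories.
count_executable_su() {
    n=0
    for dir in $ANDROID_SU_DIRS; do
        [ -f "$1$dir/su" ] && [ -x "$1$dir/su" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage on a device: push the script over adb, then run
#   sh root_check.sh --check
# or, against a mounted system image: sh root_check.sh --check /mnt/img
case "${1:-}" in
    --check) find_su_binaries "${2:-}" ;;
esac
```

Note that this only covers the su-on-PATH approach described here; a root tool that keeps its su outside these directories, as later sections describe for Magisk, will not be found by this check.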

That is the principle, but in practice there is a logical deadlock: copying the su file into Android's PATH requires root privileges, which we do not yet have, while the whole point of copying su into the PATH is to obtain root privileges. So we are stuck in a circular dependency.

One-click root

To obtain root privileges, you need to break this logical deadlock.

A few years ago there were many one-click root tools on the market. Back then, the easiest way to root an Android phone was to download one of them from an app store and let the software obtain root for you.

Such one-click root software exploits vulnerabilities in the Android system to obtain a process running with root privileges, then uses that process to copy the su file into /system/xbin and grant it execute permission. As Android developed, many of those vulnerabilities were patched, and this kind of one-click root software no longer works.

In addition, much one-click root software is no different from rogue software: because it holds the highest privileges, it can perform all kinds of rogue operations on your Android phone, and you can do nothing about it.

Flash Recovery

Today the more common way to root Android is to flash a third-party Recovery and then use that Recovery to flash the root program.

What is Recovery?

An Android phone usually carries two systems. One is the Android system itself, the system users boot into by default. The other is the Recovery system, whose main job is to operate on the Android system; for example, if Android fails to boot, Recovery is what you use to repair it. Most manufacturers let users enter Recovery by long-pressing the power button together with a volume button.


Once in Recovery you can manage the Android system freely. This is where we use Recovery to flash the su file and obtain a rooted Android system.

If you are not using a Google device (such as a Nexus) but a phone from a domestic manufacturer such as Xiaomi or Huawei, you still have to get past the restrictions imposed by the BootLoader lock.

The BootLoader is the first program that runs when you press the power button; its main job is to start the Android system and the Recovery system. Domestic manufacturers lock the BootLoader so that the phone will only run an Android system and Recovery verified by the manufacturer, and the manufacturer's own Recovery is usually stripped down so that Android cannot obtain root.

For users of domestic manufacturers' phones, the first step toward root is unlocking the BootLoader. Unlocking comes in two forms: official and forced. For example, a Xiaomi user who wants to flash the phone can apply for an official unlock on the Xiaomi forum, but some phones do not support official unlocking; in that case the only option is to search for a solution yourself and perform a forced unlock.

The most commonly used third-party Recovery is TWRP (TeamWin Recovery Project), a tool developed by Android enthusiasts abroad. You need the TWRP build that matches your Android model.

Note that flashing a third-party Recovery does not by itself mean the phone is rooted. We only need a more capable Recovery to help us flash the program that actually obtains root.

SuperSU vs Magisk

SuperSU and Magisk are both well-known root management programs. Both can be flashed through TWRP to give Android root permissions, but there are major differences between them.

SuperSU

SuperSU was developed by Chainfire and, a few years ago, was the best way to root Android. Online discussion of SuperSU stopped at the end of 2017, however, when SuperSU was acquired by a domestic company and switched from open source to closed source. The open source version of SuperSU remains on GitHub, and the latest Android version it supports is 7.0; from Android 8.0 onward you would have to use the closed source version, but nobody is willing to use a closed source root tool from an unfamiliar company.

SuperSU obtains root by placing its own su program into Android, but it uses Recovery to flash su. In addition, the SuperSU application is flashed into the system as well.

If any application in Android could use root without restriction, the phone would have no security at all. The SuperSU application therefore manages which applications are allowed to use root: when an application needs root it calls the su program, which is the su program provided by SuperSU, and before su delegates the privileges the SuperSU application is notified, so the application's acquisition of root can be controlled.

In Android 6.0 Google added SafetyNet to the Android system. Its main function is to monitor the system API: if it finds that the system API has been modified or that the system integrity check fails, it informs the applications that use it. SuperSU's practice of changing system files and adding files to the Android system partition is detected by SafetyNet, so many users who rooted with SuperSU could no longer use applications that rely on SafetyNet, such as Google Play and Netflix, and could not receive OTA updates (Over The Air updates, downloaded wirelessly).

For more details on obtaining root with SuperSU, see How-To SU by Chainfire (http://su.chainfire.eu/).

Magisk

With SuperSU acquired and its open source version supporting only up to Android 7.0, Magisk took up the banner.

Magisk implements root by using Recovery to flash its own su program into Android.

What characterizes Magisk is that it mounts a file system isolated from the system files and loads its own content there. All of Magisk's changes happen in this separate file system and do not touch the Android system's own files, which is how it avoids detection.

Like SuperSU, Magisk provides not only root itself but also management of which applications may obtain root, preventing any application from abusing it.

We can think of Magisk as a file system that, through clever design, implements its various functions without directly modifying system files.

Because Magisk also has its own module system, many people compare Xposed with Magisk (Xposed has nothing to do with obtaining root).

Xposed works by hijacking the Android system's Zygote process (the process that is forked when an app starts) to load its own functionality. Obviously, Xposed has to modify the file system accordingly, which is easy to detect. The intuitive difference between it and Magisk is as follows:

For more details on how Magisk roots a device, see the official Magisk documentation: Magisk Internal Details (https://topjohnwu.github.io/Magisk/details.html).

