Root Android and Install Recovery linux shell script & how Android root works

The file comes from cnblogs user 黑暗伯爵; article address:

Looking at the script, the most critical piece is this program: rageagainstthecage. A quick Google search suggests that this program uses a hack to restart the adbd daemon running on the device as root, so the adbd on the device ends up with root privileges, and from the PC we can then use adb to do many things that require root: for example, remounting /system as rw, copying su and busybox into the ROM, installing a recovery, and so on.


First the code will check that there is an NPROC setting. This is the maximum number of simultaneous processes which the system will allow. A quick “ulimit -a” once connected over adb should show you this setting for your device (this is set to 3301 processes on a Droid Incredible). The code will then try to find the process ID of the currently running adb daemon on the device. After that, the attack starts a loop to generate processes until it can no longer fork any more processes. Once the limit is hit, one process is killed off and the adb daemon process is restarted. As the code comment points out, this is a bit of a race at this point to make sure the adb daemon can restart while the number of processes stays maxed out. When the adb daemon starts up on an Android device, it is running as root. The code will later check if it should stay as root, or run in “secure” mode which drops its privileges to the “shell” account. This attack attempts to max out the process count so that when the adb daemon attempts to call “setuid” in its code, the call will fail. The current adb code does not check if the setuid call was successful or not, so it will happily keep running as root even if this fails.
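The unchecked privilege drop that this depends on, as an added example (not code from the blog post or from the Android adbd source): the pattern that keeps running as root when setuid() fails, beside a hardened version that checks each call and verifies the result. The setgid/setuid calls are passed in as function pointers so the EAGAIN failure can be simulated without exhausting the process limit; the uid/gid value 2000 is Android's AID_SHELL.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* uid/gid of the Android "shell" account adbd drops to (AID_SHELL = 2000). */
#define SHELL_UID 2000
#define SHELL_GID 2000

typedef int (*setgid_fn)(gid_t);
typedef int (*setuid_fn)(uid_t);

/* The unchecked pattern described above: return values are ignored, so if the
 * kernel refuses setuid() the daemon silently keeps its original (root) uid.
 * Returns the uid the process is actually left running as. */
uid_t drop_privileges_unchecked(setgid_fn sg, setuid_fn su, gid_t gid, uid_t uid)
{
    sg(gid);
    su(uid);        /* a failure here is exactly what the fork flood provokes */
    return getuid();
}

/* Hardened pattern: check every call, then verify the real and effective ids.
 * Returns 0 on success or -errno on failure; the caller must treat failure as
 * fatal (exit) rather than carry on serving adb clients as root. */
int drop_privileges_checked(setgid_fn sg, setuid_fn su, gid_t gid, uid_t uid)
{
    if (sg(gid) != 0)
        return -errno;
    if (su(uid) != 0)
        return -errno;      /* -EAGAIN when RLIMIT_NPROC for uid is exhausted */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -EPERM;      /* ids did not change as requested */
    return 0;
}

/* Constructed stand-ins for the kernel while the process table is full:
 * setgid() is not subject to RLIMIT_NPROC and succeeds, setuid() fails with EAGAIN. */
int fake_setgid_ok(gid_t gid) { (void)gid; return 0; }
int fake_setuid_eagain(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

int main(void)
{
    uid_t left = drop_privileges_unchecked(fake_setgid_ok, fake_setuid_eagain, SHELL_GID, SHELL_UID);
    printf("unchecked drop under EAGAIN: process still runs as uid %u\n", (unsigned)left);
    int rc = drop_privileges_checked(fake_setgid_ok, fake_setuid_eagain, getgid(), SHELL_UID);
    printf("checked drop under EAGAIN: refused, rc=%d (%s)\n", rc, strerror(-rc));
    return 0;
}
```

Running it as an unprivileged user shows the unchecked drop "succeeding" while the uid never changed, and the checked drop returning -EAGAIN, which a daemon must treat as a reason to exit rather than continue.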

posted @ 2011-10-14 10:14 super119