28 December 2017

Rooting unprotected Android device using ADB script

I found out my crappy Denver tablet had a privileged shell enabled by default (ro.secure=0 in default.prop), which means I can remount /system read-write over adb and push the SuperSU binaries onto the tablet. And of course, it's made in China, the ROM is made in China and the kernel is made in China. In build.prop, the build date was written like this:

ro.build.date=2016 12 21 星期三 19:08:23 CST

This method will not work if ro.secure is set to 1, but there is always a chance that any crappy Chinese device can be easily rooted like this. All the crappy Denver tablets I have had are vulnerable, even when the adb privileged shell is disabled.

I have written a simple CMD script that pushes the SuperSU binaries, changes their permissions and symlinks the files. It is only tested on an ARM device running Android 5.1.1. If you have a device running another OS version or architecture, get the su binaries from the SuperSU flashable .zip and customize the script yourself; I only have ARM devices.

Source code:

@echo off
rem Requires adb.exe on PATH, a device whose adbd already runs as root
rem (ro.secure=0), and the SuperSU ARM binaries in the current directory.
echo Starting adb...
adb.exe shell mount -o rw,remount /system
echo Remounted /system as read-write
echo Creating directory /system/app/Superuser...
adb.exe shell mkdir -p /system/app/Superuser
echo Pushing files to device...
adb.exe push Superuser.apk /system/app/Superuser
adb.exe push install-recovery.sh /system/etc
adb.exe push libsupol.so /system/lib
adb.exe push supolicy /system/xbin
adb.exe push su /system/xbin
echo Copying su to daemonsu in /system/xbin/
adb.exe shell cp /system/xbin/su /system/xbin/daemonsu
echo Changing permissions
adb.exe shell chmod 755 /system/app/Superuser
adb.exe shell chmod 644 /system/app/Superuser/Superuser.apk
adb.exe shell chmod 755 /system/etc/install-recovery.sh
adb.exe shell chmod 644 /system/lib/libsupol.so
adb.exe shell chmod 755 /system/xbin/su
adb.exe shell chmod 755 /system/xbin/daemonsu
adb.exe shell chmod 755 /system/xbin/supolicy
echo Renaming original app_process files...
rem Keep the originals: the system still needs them to start after daemonsu takes their place
adb.exe shell mv -i /system/bin/app_process /system/bin/app_process_init
adb.exe shell mv -i /system/bin/app_process32 /system/bin/app_process32_original
echo Copying and renaming app_process files...
rem These copies are replaced by the symlinks created in the next step
adb.exe shell cp /system/xbin/su /system/bin/app_process
adb.exe shell cp /system/xbin/su /system/bin/app_process32
echo Symlinking app_process files to daemonsu...
adb.exe shell ln -sf /system/xbin/daemonsu /system/bin/app_process
adb.exe shell ln -sf /system/xbin/daemonsu /system/bin/app_process32
echo Done, rebooting your device in 10 seconds
rem Give the user time to read the messages before the device goes down
timeout /t 10 /nobreak >nul
adb.exe reboot
echo Rebooting... After reboot, launch SuperSU and install binaries as NORMAL, then reboot again.
echo If you want to update SuperSU to 2.82, update it to 2.82 SR5 instead. 2.82 is unstable.
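The script above only works because of a few system properties, and it leaves a recognisable footprint in /system/bin. As an added example that is not part of the original post or of SuperSU, here is a POSIX shell audit helper for checking a tablet before deploying it: it reads the text of `adb shell getprop` and flags the settings that hand a root shell to any adb session (ro.secure=0, ro.debuggable=1, service.adb.root=1), and it classifies an `ls -l` line for /system/bin/app_process so that a symlink pointing at daemonsu stands out from the stock app_process -> app_process32 link. The property names are real Android properties; the sample getprop and ls output is constructed (the ro.build.date line is the one from the post), and the function names are my own.

```sh
#!/bin/sh
# Audit helper (added example, not code from the original post or SuperSU).
# Input is the text of `adb shell getprop` and of
# `adb shell ls -l /system/bin/app_process*`; the samples below are constructed.

# Print the value of property $1 from getprop output on stdin.
# getprop prints one "[name]: [value]" pair per line.
prop_value() {
    sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p"
}

# Print one WEAK line per property setting that gives an adb session a root
# shell without any exploit. $1 is the full getprop output.
weak_props() {
    out="$1"
    secure=$(printf '%s\n' "$out" | prop_value ro.secure)
    debuggable=$(printf '%s\n' "$out" | prop_value ro.debuggable)
    adb_root=$(printf '%s\n' "$out" | prop_value service.adb.root)
    [ "$secure" = "0" ] && echo "WEAK ro.secure=0: adbd keeps root, so /system can be remounted read-write over adb"
    [ "$debuggable" = "1" ] && echo "WEAK ro.debuggable=1: debug build, 'adb root' is accepted"
    [ "$adb_root" = "1" ] && echo "WEAK service.adb.root=1: adbd is already running as root"
    return 0
}

# Print the number of WEAK findings for getprop output $1 (0 on a locked-down build).
weak_prop_count() {
    weak_props "$1" | awk 'END { print NR }'
}

# Classify one `ls -l` line for an app_process entry. On a stock 5.x system
# app_process is a symlink to app_process32 or app_process64; a symlink with
# any other target (here /system/xbin/daemonsu) is the footprint of the script
# above. A regular file cannot be judged from ls alone.
classify_app_process() {
    line="$1"
    case "$line" in
        *" -> "*)
            target=${line##* -> }
            before=${line%% -> *}
            name=${before##* }
            case "${target##*/}" in
                app_process32|app_process64) echo "SYMLINK_OK: $name -> $target" ;;
                *) echo "TAMPERED: $name -> $target" ;;
            esac ;;
        *)
            echo "REGULAR: compare its hash against a known-good image" ;;
    esac
}

# Constructed samples (the ro.build.date line is copied from the post).
INSECURE_SAMPLE='[ro.build.date]: [2016 12 21 星期三 19:08:23 CST]
[ro.build.version.release]: [5.1.1]
[ro.debuggable]: [1]
[ro.secure]: [0]
[service.adb.root]: [0]'

SECURE_SAMPLE='[ro.build.version.release]: [5.1.1]
[ro.debuggable]: [0]
[ro.secure]: [1]
[service.adb.root]: [0]'

STOCK_LS='lrwxr-xr-x root root 2016-12-21 19:08 app_process -> app_process32'
ROOTED_LS='lrwxr-xr-x root root 2017-12-28 19:08 app_process -> /system/xbin/daemonsu'

echo "insecure sample: $(weak_prop_count "$INSECURE_SAMPLE") weak setting(s)"
weak_props "$INSECURE_SAMPLE"
echo "secure sample: $(weak_prop_count "$SECURE_SAMPLE") weak setting(s)"
classify_app_process "$STOCK_LS"
classify_app_process "$ROOTED_LS"
```

On a real device feed it `adb shell getprop` and `adb shell ls -l /system/bin/app_process /system/bin/app_process32` instead of the samples; a build that reports zero weak settings is one where this push-and-symlink method fails, which is the state a device should be in before it leaves your hands.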
