Tuesday, October 23, 2012

A universal primer for rooting concepts on Android devices


If you don't know what rooting an Android phone means, and/or you want a clear understanding of the concepts behind rooting, read on. My goal is to help you understand what rooting is, why you might consider rooting, and the potential risks it carries.
This guide is not intended to be a "how to root YOUR phone" guide, nor does it cover all the things you can do once rooted.

Android is an operating system built on the Linux kernel. Linux is a UNIX-like operating system, and in the UNIX world the administrator account is called "root." This root account has full admin access over the entire system. In the Android world, that system lives in a partition on your phone's internal memory called /system.

When you turn on your phone, a program called the bootloader (HBOOT, on HTC devices) is run. By default, one of the tasks of the bootloader is to protect certain partitions on your internal memory from being tampered with, either accidentally or intentionally. This protection is sometimes referred to as NAND* protection, NAND lock, S-ON (an HTC-specific term), or "locked bootloader." The aforementioned /system is one of the partitions that is protected by the bootloader.

* NAND refers to the type of flash memory used in the phone.

In a normal startup, the bootloader kicks off the operating system, and the result is Android loading up and presenting you with your phone's user interface. But the bootloader also has the ability to load a special program called recovery instead of the operating system. The name of this program suggests that its purpose is to provide tools that help you recover your phone should the internal memory contents get damaged. The recovery program can replace the contents of /system entirely, and it can also make backups of your entire internal memory. The recovery program lives in a partition called /recovery. This partition is also write-protected by the bootloader.

In the most literal definition of the word, rooting is giving your phone the ability to be granted root (admin) access to the system. To do this, a special program called su (a.k.a. superuser) is called, and its job is to grant a user or application root access when requested. The su program is not factory-installed on your phone. The process of adding su to your system is what is known as rooting.

However, when most people refer to rooting, they are not necessarily referring to the literal definition of the word. Implicit in the rooting process is removing the NAND protection enforced by the bootloader. The bootloader aspect is significant because, without write access to the /system partition, much of the post-root functionality is still unavailable. In fact, to place su onto the /system partition, NAND protection must be disabled; otherwise the bootloader will prohibit the attempt to write the su program to /system. Removing this bootloader protection (a.k.a. NAND unlock, S-OFF, or "unlocking the bootloader") also allows modification of the /recovery partition, the /boot partition where the Linux kernel is stored, and the /hboot partition, where the bootloader program itself is stored. Rooting stands for freedom and openness. Only once this security is removed do you have full access to your phone.

On some devices, it's possible to add su to the system but not remove the NAND protection of the bootloader. This scenario is often referred to as a half-root. A full-root, therefore, is a phone where the NAND protection is removed and su has been added to /system. Typically, a custom recovery program also replaces the stock recovery program as part of a full root.

There is no single rooting method that works with all Android devices. Because each manufacturer uses its own bootloader program, which comes with its own unique security measures, a root exploit is often specific to a given device. Even for a given phone model, there can be variations in the version of the firmware and operating system, which may require a unique exploit for each version. Therefore, when a phone is released or updated, there may be no known method of obtaining root. The process of rooting a phone typically starts when a phone hacker analyzes the components of the phone (both hardware and firmware) and tests for weaknesses or exploits that might disable the bootloader security or grant temporary root privileges. There's never a guarantee that a phone can be cracked, but if an exploit is found, the person or team who discovered it may create a rooting package or procedure and share it with the rest of the community. For most people, rooting their phone is simply following in the footsteps of the pioneer(s) who have already cleared the path.

Not all phones can be fully rooted. Again, it comes down to the hardware/firmware used by the manufacturer. Motorola and HTC have released phones with additional security measures that make them very difficult to crack. While it appears that hackers have overcome HTC's latest defenses, the bootloader protection of some Motorola phones has yet to fall as of this writing. On the other hand, some manufacturers like Samsung and Sony are trending toward a more relaxed bootloader protection policy. And due to community pressure, HTC and Motorola have both issued statements that they plan to "unlock their bootloaders" in the near future.

The hallmark of a full-root is the removal of the bootloader's NAND protection. Therefore, this is typically the first objective of the root exploit. Once the NAND protection is gone, a custom recovery program is written to the /recovery partition, overwriting the default recovery program.

The custom recovery program contains more functionality than what is provided with the stock recovery program, and this is the reason it is included as part of the root exploit. The recovery program (sometimes referred to as the recovery image) will be an essential tool for the user once the phone is rooted. Not only can it be used to recover from bad configurations, it can also flash custom operating systems, allowing the user to customize their phone to a very high degree.

The final step is adding the su program to the /system partition. Two programs are added: the Linux-executable file called su, and an Android app called superuser. Android applications that request root privileges will present the request to the superuser app, and that app will call su only if the phone's user approves. You can think of the superuser app as a security guard between an Android app and su, and the guard will want authorization from the phone's user before allowing the app to obtain root privileges.
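The two things this section describes, su living on /system and /system becoming writable once the bootloader's protection is gone, are also the most common indicators a defender checks when deciding whether a device is rooted. The following is an added example, not code from the original post: a small POSIX shell check that looks for those indicators. It runs against a constructed, fake device tree in a temporary directory so it works offline; the su paths (/system/bin/su and /system/xbin/su), the device names in the sample mount table, and the idea that a stock device mounts /system read-only are assumptions beyond what the post states.

```shell
#!/bin/sh
# Added example (not from the original post): a root-indicator check run
# against a constructed, fake device filesystem tree, so it runs offline.
# Assumptions beyond the post: su is commonly installed at /system/bin/su or
# /system/xbin/su, and a rooted device often has /system mounted read-write,
# whereas a stock device mounts it read-only.

# Build a constructed sample tree under $1 that mimics a rooted device:
# an executable su in /system/xbin and a /proc/mounts listing /system as rw.
make_rooted_sample_tree() {
    root="$1"
    mkdir -p "$root/system/bin" "$root/system/xbin" "$root/proc"
    printf '#!/system/bin/sh\n' > "$root/system/xbin/su"   # stand-in for su
    chmod 755 "$root/system/xbin/su"
    # constructed mount-table lines in /proc/mounts format (device names made up)
    cat > "$root/proc/mounts" <<'EOF'
/dev/block/mmcblk0p25 /system ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext4 rw,nosuid,nodev,relatime 0 0
EOF
}

# Build a constructed sample tree that mimics a stock (unrooted) device:
# no su binary under /system, and /system mounted read-only.
make_stock_sample_tree() {
    root="$1"
    mkdir -p "$root/system/bin" "$root/system/xbin" "$root/proc"
    cat > "$root/proc/mounts" <<'EOF'
/dev/block/mmcblk0p25 /system ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext4 rw,nosuid,nodev,relatime 0 0
EOF
}

# Report root indicators found under the tree rooted at $1.
# Details go to stderr; the only thing printed to stdout is the indicator count.
count_root_indicators() {
    root="$1"
    found=0
    for p in system/bin/su system/xbin/su; do
        if [ -x "$root/$p" ]; then
            echo "indicator: su binary present at /$p" >&2
            found=$((found + 1))
        fi
    done
    # /proc/mounts fields: device, mount point, fs type, options. A "rw" at the
    # start of the options for /system means the write protection is gone.
    if [ -r "$root/proc/mounts" ] && \
       grep -qE '^[^ ]+ /system [^ ]+ rw[, ]' "$root/proc/mounts"; then
        echo "indicator: /system is mounted read-write" >&2
        found=$((found + 1))
    fi
    echo "$found"
}

# Demo over both constructed trees. On a real device you would pass "" (the
# real filesystem root) instead of a temporary directory.
demo_root_check() {
    rooted=$(mktemp -d)
    stock=$(mktemp -d)
    make_rooted_sample_tree "$rooted"
    make_stock_sample_tree "$stock"
    echo "rooted sample: $(count_root_indicators "$rooted") indicator(s)"
    echo "stock sample:  $(count_root_indicators "$stock") indicator(s)"
    rm -rf "$rooted" "$stock"
}

demo_root_check
```

A hit on either indicator is a signal, not proof: su can be placed elsewhere, and /system is only rw while something has remounted it that way. A check like this is useful for inventory and policy decisions (for example, refusing to hand secrets to a device that reports indicators), not as a hard security boundary.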

When a root exploit is initially found, it may or may not be stable. What this means is that it may not work reliably, or worse, it may cause a permanent failure of the phone, preventing it from booting up. A responsible phone hacker will therefore test the exploit extensively across many phones and modify the exploit as needed to make it stable. When the exploit has been proven to work safely and reliably, it is released to the public. However, this does not guarantee that the exploit will work with every single phone that it targets. The person or team that releases the exploit will make it clear that the exploit is "use at your own risk." Each person considering rooting their phone needs to understand this risk and decide whether it's worth proceeding or not.

Once the exploit has removed the NAND protection, the risk of permanently damaging your phone becomes very, very low. That's not to say that you can't get yourself into a bind, but with a little bit of know-how, rarely does a bad situation mean a bricked phone. If you haven't guessed already, a bricked phone is a phone that shares the qualities of a brick: it can look rectangular and do nothing.

As a preemptive safety measure, the custom recovery program installed as part of the root exploit contains a very useful tool called a NANDroid backup/restore. This utility backs up your internal memory and essentially is a save-state. No matter how you change your phone in the future, you can always bring your phone back to the state it was in at the time of the backup. It is highly recommended to make a NANDroid backup before flashing anything.