Sunday, November 24, 2019

Are you the valet?

In early November I wanted to extract the data I had on my very first TracFone Android device, a ZTE Valet. It turns out the ZTE Valet is easily temp-rooted: search for RootMyValet and a github result is the starting point. Buried under the github lib directory (IIRC) is the roothandler binary. I mention this because I spent days looking for the cited roothandler binary in su packages, as described by the README.

All along I was misunderstanding the README. The README says to locate your favorite su package and extract the su binary. It then instructs you to copy the roothandler file into the same /data/local/tmp directory where the su binary is dropped, which gave me the impression that roothandler is bundled with the su package. Then another issue appeared: the Valet runs Android 4.1, and all the recent su binaries I extracted required PIE (not to be confused with Android P/Pie).

Eventually I found an su old enough not to need PIE, but not before taking an alternate path with KingRoot and discovering that KingRoot not only failed to root the phone, but successfully installed a bunch of shims that phone home statistics to qq.com and yahoo, and offers no way to uninstall them.

Now I had two problems: the mostly well-mannered "malware" KingRoot, and I still did not have a backup.

First off, the native Android ADB backup produced nothing but a 504-byte file, and Move to iOS crashed. I tried another backup program from the Play Store, but it crashed too. How bad is KingRoot? After setting up hostapd + dnsmasq + tcpdump, I didn't see anything other than small packets headed toward qq and yahoo, but that doesn't mean it didn't lift some data during the initial installation. I'll save that for some later point in time.

As for the RootMyValet presence on github, I gather that RootMyValet.apk is purely a UI to invoke roothandler easily, and the github repo is the wrapper around the whole kit, including the apk for the optional UI invocation.

After crawling through the source code and finding a reference to a getroot function, I figured the github repo was an 'apk' that I am supposed to build myself. With that cleared up and the roothandler binary in hand, I prepared my own version of the script that roothandler executes.

In my own script, I had it chdir to /data and run 'busybox find | busybox cpio > /sdcard/data.cpio'. This is a simplified version of the actual command, as I don't recall the precise flags the cpio applet of this busybox required, but suffice it to say it would have been similar to "-ov -H crc" or "-ov -H newc".

If you're struggling to follow me up to this point: I used the platform-tools ADB binary, which gave me a shell. In that shell I invoked roothandler, which in turn invokes the shell script (as described in the README) to run as root whatever you require during the temp root.
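As an added example (not part of this post or the RootMyValet kit), a small Python checker for the data.cpio that the busybox find | busybox cpio pipeline produces: it parses the newc (070701) and crc (070702) record formats that the -H flags above select, walks every record to the TRAILER!!! marker so a truncated pull is caught, and verifies the per-file check sums of the crc variant. The sample archive bytes are constructed with the included build_cpio helper rather than taken from a phone.

```python
HDR_LEN = 110  # 6-byte magic + 13 fields of 8 ASCII hex digits
TRAILER = "TRAILER!!!"

def _pad4(n):
    return (-n) % 4  # bytes needed to reach the 4-byte alignment the format requires

def build_cpio(entries, crc=False):
    """Write a minimal 070701 (newc) or 070702 (crc) archive from {name: bytes}.
    Used here only to construct sample input; on the phone busybox cpio writes it."""
    magic = b"070702" if crc else b"070701"
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries.items()) + [(TRAILER, b"")], 1):
        check = (sum(data) & 0xFFFFFFFF) if crc and name != TRAILER else 0
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, check]
        out += magic + b"".join(b"%08X" % f for f in fields) + name.encode() + b"\0"
        out += b"\0" * _pad4(HDR_LEN + len(name) + 1) + data + b"\0" * _pad4(len(data))
    return bytes(out)

def list_cpio(blob):
    """Return [(name, size)]; raise ValueError on truncation or a bad crc check field."""
    pos, entries = 0, []
    while True:
        hdr = blob[pos:pos + HDR_LEN]
        if len(hdr) < HDR_LEN:
            raise ValueError("truncated archive: header at offset %d" % pos)
        magic = hdr[:6]
        if magic not in (b"070701", b"070702"):
            raise ValueError("bad magic %r at offset %d" % (magic, pos))
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        size, namesize, check = f[6], f[11], f[12]
        name = blob[pos + HDR_LEN:pos + HDR_LEN + namesize - 1].decode()
        data_start = pos + HDR_LEN + namesize + _pad4(HDR_LEN + namesize)
        data = blob[data_start:data_start + size]
        if len(data) < size:
            raise ValueError("truncated archive: %s needs %d bytes" % (name, size))
        if name == TRAILER:
            return entries
        # 070702 stores the 32-bit sum of the file's bytes; a mismatch means corrupted data
        if magic == b"070702" and (sum(data) & 0xFFFFFFFF) != check:
            raise ValueError("checksum mismatch for " + name)
        entries.append((name, size))
        pos = data_start + size + _pad4(size)

def verify_backup(blob):
    """Return (True, summary) for an intact archive, (False, reason) otherwise."""
    try:
        entries = list_cpio(blob)
    except ValueError as e:
        return False, str(e)
    return True, "%d entries, %d bytes of file data" % (len(entries), sum(s for _, s in entries))
```

Pull the archive off the phone with adb pull /sdcard/data.cpio and run verify_backup(open('data.cpio', 'rb').read()) before wiping anything.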

Happy, I got my backup and successfully migrated my OTP and my organization's Duo multi-factor to different devices.

Update
I dug a bit more into the behavior of KingRoot on a Valet. It does work on the Valet, provided your /data volume is not encrypted. If you encrypted your Valet using the Android setting, KingRoot will not succeed, but it will still install the hooks that ship telemetry.

After it succeeds on an unencrypted Valet, and after installing SuperSU, invoke adb shell and type su.

In this repeat attempt, I took these steps.
1. Install KingRoot and launch it.
2. Try Root - it succeeds.
3. Install SuperSU.
4. Grant SuperSU permission in KingRoot.
5. adb shell, and try su, but it failed with Segmentation fault.
6. Reboot the phone.
7. Run KingRoot again, and Try Root.
8. adb shell, and try su; this time it worked.
