HardWayToBecomeRoot
Taken from HowDoiBecomeRoot
Academic way of becoming root
Getting the original software distribution
First, you need to go fetch the original binary distribution from Nokia's support site here
While you're there, get the flashing instructions (print the PDF) and the Windows flashing program (I know, I know, there's no publicly available flashing program yet).
Quick alternative
Patch the firmware image so that sudoers allows execution of any command as root. Follow the instructions in this e-mail: use xdelta to patch the binary.
Making sure you have the right modules
In order for this to work, you need to add some modules to your kernel that usually aren't compiled in by default.
Adding the MTD modules
First you need to add the MTD (Memory Technology Devices) support.
{{{#!plain
maemo $ su
Password: xxxxxxxxxxx
maemo # cd /usr/src/linux
linux # make menuconfig
}}}
Once there, you need the following options:
{{{#!plain
Device Drivers --->
  Memory Technology Devices (MTD) --->
    <M> Memory Technology Devices (MTD) support
    (...)
    <M> Direct char device access to MTD devices
    <M> Caching block device access to MTD devices
    (...)
    Self-contained MTD device drivers --->
      (...)
      <M> Test driver using RAM
      (4096) MTDRAM device size in KiB
      (128)  MTDRAM erase block in KiB
}}}
Adding the jffs2 module
Once the MTD drivers are added, the jffs2 module options automagically appear in the filesystems configuration menus:
{{{#!plain
File Systems --->
  (...)
  Miscellaneous filesystems --->
    (...)
    <M> Journalling Flash File System v2 (JFFS2) support
    (0)  JFFS2 debugging verbosity (0 = quiet, 2 = noisy)
    [*] JFFS2 write-buffering support
}}}
Compiling and adding the modules
Save and exit the kernel configuration, then build and install the modules:
{{{#!plain
linux # make modules
linux # make modules_install
linux # exit
maemo $
}}}
Getting at the files
Unzip the .zip file and you will find a .bin file, which is a full system image. Flashing it overwrites the entire flash; that is why the flashing instructions tell you to back up your data first.
Extracting the embedded filesystem files
The system image is like a hard drive with multiple partitions; the device firmware contains a bootloader that understands the format. For the purpose of our research, we also need to 'deconstruct' the .bin file into its separate filesystems.
To this end, we use a small utility, ex.c.
Note: the ex.c utility is a quick hack and has the .bin filename hardcoded. Adjust it to match your version of the .bin file.
The simplest approach is to create a temporary directory, copy the .bin file into it, and run the ex utility there:
{{{#!plain
maemo $ mkdir imagehack
maemo $ cd imagehack
imagehack $ mv <path>SU-18_0.2005.40-18_PR_F5_MR0_ARM.bin .
imagehack $ mv <path>ex .
imagehack $ ./ex
imagehack $ mkdir contents
imagehack $ mv *.dmp contents
imagehack $ cd contents
contents $ mkdir rootfs
contents $ ls -l
total 59096
-rw-r--r--  1 sxpert users     8576 Oct 21 22:37 2nd.dmp
-rw-r--r--  1 sxpert users  1568384 Oct 21 22:37 initfs.dmp
-rw-r--r--  1 sxpert users  1480704 Oct 21 22:37 kernel.dmp
drwxr-xr-x 24 root   root         0 Jan  1  1970 rootfs
-rw-r--r--  1 sxpert users 57278464 Oct 21 22:37 rootfs.dmp
-rw-r--r--  1 sxpert users    79360 Oct 21 22:37 secondary.dmp
-rw-r--r--  1 sxpert users    13824 Oct 21 22:37 xloader.dmp
}}}
An alternative to the 'ex' tool is the 'flasher' program; see "Flasher tool usage".
Mounting the rootfs
In order to mount the rootfs, you first need to initialize the MTD simulation stack in the kernel. The mtdram parameters are derived from the dump: total_size is the size of rootfs.dmp in KiB (57278464 / 1024 = 55936) and erase_size is the 128 KiB erase block configured above.
{{{#!plain
contents $ su
Password: xxxxxxxxx
contents # modprobe mtdcore
contents # modprobe jffs2
contents # modprobe mtdram total_size=55936 erase_size=128
contents # modprobe mtdchar
contents # modprobe mtdblock
}}}
You may need to create the device node if it does not exist yet:
{{{#!plain
contents # mknod /dev/mtdblock0 b 31 0
}}}
Then you can do the actual mounting: copy the dump into the RAM-backed MTD device and mount it as jffs2.
{{{#!plain
contents # dd if=rootfs.dmp of=/dev/mtdblock0
contents # mount -t jffs2 /dev/mtdblock0 rootfs
}}}
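As an added check before the dd step (example code written for this page, not part of the original howto or of the ex/cn tools): the script below derives the mtdram total_size/erase_size arguments from a dump's length and verifies that the first JFFS2 node header has the right magic, byte order and header CRC, so a truncated, mis-sized or wrong-endian dump is caught before it is written to /dev/mtdblock0. The sample image is constructed inline as a stand-in for rootfs.dmp; the node-type constant and CRC convention are JFFS2's own.

```python
"""Sanity-check a JFFS2 partition dump (e.g. rootfs.dmp) before loading it into mtdram."""
import struct
import zlib

JFFS2_MAGIC = 0x1985                 # magic bitmask at the start of every JFFS2 node header
JFFS2_NODETYPE_CLEANMARKER = 0x2003  # node type marking an erase block as cleanly erased

def jffs2_crc(data: bytes) -> int:
    """JFFS2 header CRC: CRC-32 polynomial, seed 0, no final inversion.
    zlib.crc32 pre- and post-inverts, so undo both to get the raw value."""
    return zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF

def mtdram_params(image_len: int, erase_kib: int = 128) -> dict:
    """Derive the modprobe mtdram arguments: total_size is the dump size in KiB
    and must be a whole number of erase blocks (rootfs.dmp: 57278464 B -> 55936)."""
    if image_len % 1024:
        raise ValueError("dump length is not a whole number of KiB")
    total_kib = image_len // 1024
    if total_kib % erase_kib:
        raise ValueError(f"{total_kib} KiB is not a multiple of the {erase_kib} KiB erase block")
    return {"total_size": total_kib, "erase_size": erase_kib}

def inspect_first_node(image: bytes) -> dict:
    """Parse the 12-byte node header at offset 0 (magic, nodetype, totlen, hdr_crc)
    in both byte orders; a dump taken from the ARM device should come out little-endian."""
    for order, label in (("<", "little"), (">", "big")):
        magic, nodetype, totlen, hdr_crc = struct.unpack(order + "HHII", image[:12])
        if magic == JFFS2_MAGIC:
            return {
                "endian": label,
                "nodetype": nodetype,
                "totlen": totlen,
                "hdr_crc_ok": jffs2_crc(image[:8]) == hdr_crc,
            }
    raise ValueError("no JFFS2 magic at offset 0: not a JFFS2 dump or wrong partition")

def build_sample_image(blocks: int = 2, erase_kib: int = 128) -> bytes:
    """Constructed stand-in for rootfs.dmp: one little-endian cleanmarker node
    followed by erased flash (0xFF), sized to a whole number of erase blocks."""
    hdr = struct.pack("<HHI", JFFS2_MAGIC, JFFS2_NODETYPE_CLEANMARKER, 12)
    node = hdr + struct.pack("<I", jffs2_crc(hdr))
    return node.ljust(blocks * erase_kib * 1024, b"\xff")

if __name__ == "__main__":
    img = build_sample_image()
    print("modprobe mtdram", " ".join(f"{k}={v}" for k, v in mtdram_params(len(img)).items()))
    print(inspect_first_node(img))
```

To check a real dump, replace the constructed image with `open("rootfs.dmp", "rb").read()`; the printed modprobe line is the one to use instead of guessing total_size.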
You're in; change into the directory:
{{{#!plain
contents # cd rootfs
rootfs # ls -l
total 0
drwxr-xr-x  2 root root 0 Oct  7 10:57 bin
drwxr-xr-x  2 root root 0 Sep  5 15:08 boot
drwxrwxr-x  2 root root 0 Oct  7 10:29 cdrom
drwxr-xr-x  3 root root 0 Oct  7 10:31 dev
drwxr-xr-x 49 root root 0 Oct  7 10:29 etc
drwxrwxr-x  2 root root 0 Oct  7 10:29 floppy
drwxrwsr-x  3 root root 0 Oct  7 10:39 home
drwxrwxr-x  2 root root 0 Oct  7 10:29 initrd
drwxr-xr-x  4 root root 0 Oct  7 10:57 lib
drwxrwxr-x  3 root root 0 Oct  7 10:31 media
drwxr-xr-x  2 root root 0 Sep  5 15:08 mnt
drwxrwxr-x  2 root root 0 Oct  7 10:29 opt
drwxr-xr-x  2 root root 0 Sep  5 15:08 proc
drwxr-xr-x  4 root root 0 Dec 21  1999 root
drwxr-xr-x  2 root root 0 Sep 12 14:24 sbin
drwxrwxr-x  2 root root 0 Oct  7 10:29 srv
drwxr-xr-x  2 root root 0 Aug  4 16:15 sys
drwxrwxrwt  2 root root 0 Oct  7 10:30 tmp
drwxr-xr-x 12 root root 0 Oct  7 10:31 usr
drwxr-xr-x 13 root root 0 Oct  7 10:40 var
}}}
Modifying the filesystem
The script usr/sbin/gainroot is obviously meant to start a root shell (etc/sudoers already allows you to execute gainroot with root privileges; however, gainroot refuses to spawn a shell when R&D mode is disabled). Modify the script so it always spawns a shell. C'mon, you're a 31337 h4xx0r, you should be able to do that yourself...
Dumping the filesystem image
Next, umount the rootfs and store the image back in the file:
{{{#!plain
rootfs # cd ..
contents # umount rootfs
contents # dd if=/dev/mtdblock0 of=rootfs.dmp
}}}
Creating a new firmware image
We use another quick hack to reconstruct the firmware image, cn.c.
Again, the name of the firmware image is hardcoded, and even worse, it also expects to find the original software in the parent directory. So if you really followed this howto step by step, it should work:
{{{#!plain
contents # exit
contents $ ./cn
contents $ ls
total 118052
-rw-r--r-- 1 sxpert users     8576 Oct 21 21:48 2nd.dmp
-rw-r--r-- 1 sxpert users 60429517 Oct 21 21:51 SU-18_0.2005.40-18_PR_F5_MR0_ARM.bin
-rwxr-xr-x 1 sxpert users     8161 Oct 21 21:51 cn
-rw-r--r-- 1 sxpert users  1568384 Oct 21 21:48 initfs.dmp
-rw-r--r-- 1 sxpert users  1480704 Oct 21 21:48 kernel.dmp
-rw-r--r-- 1 sxpert users 57278464 Oct 21 21:48 rootfs.dmp
-rw-r--r-- 1 sxpert users    79360 Oct 21 21:48 secondary.dmp
-rw-r--r-- 1 sxpert users    13824 Oct 21 21:48 xloader.dmp
}}}
Use the flasher to flash this image on your device.
Becoming root
- Install xterm
- Execute 'sudo /usr/sbin/gainroot'
- Then execute 'su -'
Example:
{{{#!plain
~ $ sudo gainroot
Root shell enabled


BusyBox v1.00 (Debian 2:20041102-11) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/home/user # su -


BusyBox v1.00 (Debian 2:20041102-11) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

Nokia770-51:~#
}}}
Have fun breaking your device!