HardWayToBecomeRoot

Taken from HowDoiBecomeRoot

Academic way of becoming root

Getting the original software distribution

First, you need to fetch the original binary distribution from Nokia's support site.

While you're there, get the flashing instructions (print the PDF) and the Windows flashing program (I know, I know, there's no publicly available flashing program yet).

Quick alternative

Patch the firmware image to modify sudoers so that any command may be executed as root. Follow the instructions in this e-mail: use xdelta to patch the binary.

Making sure you have the right modules

For this to work, you need to add some modules to your kernel that usually aren't compiled in by default.

Adding the MTD modules

First you need to add MTD (Memory Technology Devices) support:

maemo $ su
Password: xxxxxxxxxxx
maemo # cd /usr/src/linux
linux # make menuconfig

Once there, you need the following options:

Device Drivers  --->
  Memory Technology Devices (MTD)  --->
    <M> Memory Technology Devices (MTD) support
(...)
    <M> Direct char device access to MTD devices
    <M> Caching block device access to MTD devices
(...)
        Self-contained MTD device drivers --->
(...)
          <M> Test driver using RAM
          (4096) MTDRAM device size in KiB
          (128) MTDRAM erase block in KiB

Adding the jffs2 module

Once the MTD drivers are added, the JFFS2 module options automagically appear in the filesystem configuration menus:

File Systems --->
(...)
  Miscellaneous filesystems --->
(...)
    <M> Journalling Flash File System v2 (JFFS2) support
    (0)   JFFS2 debugging verbosity (0 = quiet, 2 = noisy)
    [*]   JFFS2 write-buffering support

Compiling and adding the modules

Save and exit the kernel configuration, then build and install the modules:

linux # make modules
linux # make modules_install
linux # exit
maemo $

Getting at the files

Unzip the .zip file and you will find a .bin file, which is a full system image (it overwrites the entire flash, which is why the flashing instructions tell you to back up your data before flashing).

Extracting the embedded filesystem files

The system image is like a hard drive with multiple partitions; the device firmware contains a bootloader that understands the format. For the purpose of our research, we also need to 'deconstruct' the .bin file into its separate filesystems.

For this we use a small utility, ex.c.

Note: the ex.c utility is a quick hack and has the .bin filename hardcoded. Adjust it to match your version of the .bin file.

The simplest approach is to create a temporary directory, copy the .bin file into it, and run the ex utility there:

maemo $ mkdir imagehack
maemo $ cd imagehack
imagehack $ mv <path>SU-18_0.2005.40-18_PR_F5_MR0_ARM.bin .
imagehack $ mv <path>ex .
imagehack $ ./ex
imagehack $ mkdir contents
imagehack $ mv *.dmp contents
imagehack $ cd contents
contents $ mkdir rootfs
contents $ ls -l
total 59096
-rw-r--r--   1 sxpert users     8576 Oct 21 22:37 2nd.dmp
-rw-r--r--   1 sxpert users  1568384 Oct 21 22:37 initfs.dmp
-rw-r--r--   1 sxpert users  1480704 Oct 21 22:37 kernel.dmp
drwxr-xr-x  24 root   root         0 Jan  1  1970 rootfs
-rw-r--r--   1 sxpert users 57278464 Oct 21 22:37 rootfs.dmp
-rw-r--r--   1 sxpert users    79360 Oct 21 22:37 secondary.dmp
-rw-r--r--   1 sxpert users    13824 Oct 21 22:37 xloader.dmp

An alternative to the 'ex' tool is the 'flasher' program. See "Flasher tool usage".

Mounting the rootfs

To mount the rootfs, you first need to initialize the MTD simulation stack in the kernel:

contents $ su
Password: xxxxxxxxx
contents # modprobe mtdcore
contents # modprobe jffs2
contents # modprobe mtdram total_size=55936 erase_size=128
contents # modprobe mtdchar
contents # modprobe mtdblock

You may need to create the device node (mtdblock uses major number 31):

contents # mknod /dev/mtdblock0 b 31 0

Then do the actual mounting: copy the dump into the simulated device and mount it.

contents # dd if=rootfs.dmp of=/dev/mtdblock0
contents # mount -t jffs2 /dev/mtdblock0 rootfs

The image is now mounted; change into the directory:

contents # cd rootfs
rootfs # ls -l
total 0
drwxr-xr-x   2 root root 0 Oct  7 10:57 bin
drwxr-xr-x   2 root root 0 Sep  5 15:08 boot
drwxrwxr-x   2 root root 0 Oct  7 10:29 cdrom
drwxr-xr-x   3 root root 0 Oct  7 10:31 dev
drwxr-xr-x  49 root root 0 Oct  7 10:29 etc
drwxrwxr-x   2 root root 0 Oct  7 10:29 floppy
drwxrwsr-x   3 root root 0 Oct  7 10:39 home
drwxrwxr-x   2 root root 0 Oct  7 10:29 initrd
drwxr-xr-x   4 root root 0 Oct  7 10:57 lib
drwxrwxr-x   3 root root 0 Oct  7 10:31 media
drwxr-xr-x   2 root root 0 Sep  5 15:08 mnt
drwxrwxr-x   2 root root 0 Oct  7 10:29 opt
drwxr-xr-x   2 root root 0 Sep  5 15:08 proc
drwxr-xr-x   4 root root 0 Dec 21  1999 root
drwxr-xr-x   2 root root 0 Sep 12 14:24 sbin
drwxrwxr-x   2 root root 0 Oct  7 10:29 srv
drwxr-xr-x   2 root root 0 Aug  4 16:15 sys
drwxrwxrwt   2 root root 0 Oct  7 10:30 tmp
drwxr-xr-x  12 root root 0 Oct  7 10:31 usr
drwxr-xr-x  13 root root 0 Oct  7 10:40 var

Modifying the filesystem

The script usr/sbin/gainroot is obviously meant to start a root shell (etc/sudoers already allows you to execute gainroot with root privileges; however, gainroot refuses to spawn a shell when R&D mode is disabled). Modify the script so that it always spawns a shell. C'mon, you're a 31337 h4xx0r, you should be able to do that yourself...

Dumping the filesystem image

Next, unmount the rootfs and write the image back to the file:

rootfs # cd ..
contents # umount rootfs
contents # dd if=/dev/mtdblock0 of=rootfs.dmp
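The mount and dump steps above, wrapped into shell functions with the checks a careful operator wants before writing to a block device. This is an added example, not code from the original wiki page. It assumes a Linux host with the mtdcore, jffs2, mtdram, mtdchar and mtdblock modules built as described above, that the privileged functions are run as root, and the function names are the example's own. The mtdram size is derived from the image size instead of being typed by hand, and a dump whose size is not a whole number of erase blocks is refused, since that usually means a truncated or mis-extracted image.

```shell
#!/bin/sh
# Added example (not from the original page): mtdram + JFFS2 mount/dump helpers.
# Assumes the MTD/JFFS2 modules described above are installed; mount_jffs2_image
# and umount_jffs2_image must be run as root.

# mtdram_size_kib BYTES [ERASE_KIB]
# Compute the mtdram total_size parameter (KiB) for an image of BYTES bytes,
# rounded up to whole erase blocks of ERASE_KIB KiB (default 128, as used on
# the page). Prints the size; returns 1 if ERASE_KIB is not a positive number.
mtdram_size_kib() {
    bytes=$1
    erase_kib=${2:-128}
    [ "$erase_kib" -gt 0 ] 2>/dev/null || return 1
    kib=$(( (bytes + 1023) / 1024 ))
    blocks=$(( (kib + erase_kib - 1) / erase_kib ))
    echo $(( blocks * erase_kib ))
}

# image_is_erase_aligned BYTES [ERASE_KIB]
# A JFFS2 dump should be an exact multiple of the erase block; anything else
# usually means a truncated or mis-extracted dump, so callers refuse to proceed.
image_is_erase_aligned() {
    bytes=$1
    erase_kib=${2:-128}
    [ $(( bytes % (erase_kib * 1024) )) -eq 0 ]
}

# mount_jffs2_image IMAGE [MOUNTPOINT] [ERASE_KIB]
# Load the MTD simulation stack sized for IMAGE, copy the image into the
# simulated device and mount it read-write on MOUNTPOINT (default ./rootfs).
mount_jffs2_image() {
    image=$1
    mountpoint=${2:-rootfs}
    erase_kib=${3:-128}
    bytes=$(wc -c < "$image" | tr -d ' ')
    if ! image_is_erase_aligned "$bytes" "$erase_kib"; then
        echo "$image: $bytes bytes is not a multiple of the ${erase_kib} KiB erase block" >&2
        return 1
    fi
    size_kib=$(mtdram_size_kib "$bytes" "$erase_kib") || return 1
    modprobe mtdcore && modprobe jffs2 &&
        modprobe mtdram total_size="$size_kib" erase_size="$erase_kib" &&
        modprobe mtdchar && modprobe mtdblock || return 1
    # Device node: major 31, minor 0 is the first mtdblock device.
    [ -b /dev/mtdblock0 ] || mknod /dev/mtdblock0 b 31 0 || return 1
    mkdir -p "$mountpoint" || return 1
    dd if="$image" of=/dev/mtdblock0 bs=64k 2>/dev/null || return 1
    mount -t jffs2 /dev/mtdblock0 "$mountpoint"
}

# umount_jffs2_image IMAGE [MOUNTPOINT]
# Unmount and write the simulated device back into IMAGE, keeping the untouched
# dump as IMAGE.orig so the edit can be diffed against it or reverted. Because
# the device was sized from the image, the new dump has the same length.
umount_jffs2_image() {
    image=$1
    mountpoint=${2:-rootfs}
    umount "$mountpoint" || return 1
    [ -e "$image.orig" ] || cp "$image" "$image.orig" || return 1
    dd if=/dev/mtdblock0 of="$image" bs=64k 2>/dev/null
}
```

Usage, as root from the contents directory: `mount_jffs2_image rootfs.dmp`, edit files under rootfs/, then `umount_jffs2_image rootfs.dmp`. For the 57278464-byte rootfs.dmp shown above, mtdram_size_kib yields 55936, the same total_size the page passes to modprobe by hand.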

Creating a new firmware image

We use another quick hack, cn.c, to reconstruct the firmware image.

Again, the name of the firmware image is hardcoded, and worse, it also expects to find the original software in the parent directory. So if you really followed this howto step by step, it should work.

contents # exit
contents $ ./cn
contents $ ls -l
total 118052
-rw-r--r--  1 sxpert users     8576 Oct 21 21:48 2nd.dmp
-rw-r--r--  1 sxpert users 60429517 Oct 21 21:51 SU-18_0.2005.40-18_PR_F5_MR0_ARM.bin
-rwxr-xr-x  1 sxpert users     8161 Oct 21 21:51 cn
-rw-r--r--  1 sxpert users  1568384 Oct 21 21:48 initfs.dmp
-rw-r--r--  1 sxpert users  1480704 Oct 21 21:48 kernel.dmp
-rw-r--r--  1 sxpert users 57278464 Oct 21 21:48 rootfs.dmp
-rw-r--r--  1 sxpert users    79360 Oct 21 21:48 secondary.dmp
-rw-r--r--  1 sxpert users    13824 Oct 21 21:48 xloader.dmp

Use the flasher to flash this image on your device.

Becoming root

  • Install xterm
  • Execute 'sudo /usr/sbin/gainroot'
  • Then execute 'su -'

Example:

~ $ sudo gainroot
Root shell enabled


BusyBox v1.00 (Debian 2:20041102-11) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/home/user # su - 


BusyBox v1.00 (Debian 2:20041102-11) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

Nokia770-51:~# 

Have fun breaking your device!

Credits

original post