Lab RootInitMods on Rooting and Init Mods

1 Lab Goals

The purpose of this lab is (i) to give you a perspective on the rooting of Android devices, (ii) to get you to understand more of the Android internals (such as partitions, mounting, su, and SuperUser APKs), and (iii) to make you aware of exploits that can root a device without user intervention.

2 Background

This is a lab in the course Android Internals and Security.

2.1 Prerequisites

Before beginning the experiments described below, you should be able to answer the following questions. My lecture notes have the answers, but a web search will be good enough. Learn to recognize and ignore copy-paste authors.

  1. What are partitions? What is a file volume? What is mounting?
  2. What is rooting? What is su? sudo? busybox?
  3. What is a CPU emulator? What is QEMU?
  4. What is an AVD [Android Virtual Device]?
  5. Does rooting make the device insecure?
  6. What does Android SDK install? The file /usr/local/android-sdk/SDK-Readme.txt has the answers.

2.2 Add to ~/.bashrc

You might want to insert the following into ~/.bashrc. Note that /usr/local is where my Android setup is located.

alias studio='/usr/local/android-studio/bin/studio.sh &'
alias android='/usr/local/android-sdk/tools/android &'
alias mkavd='/usr/local/android-sdk/tools/android avd &'
alias adb=/usr/local/android-sdk/platform-tools/adb
alias emx86=/usr/local/android-sdk/tools/emulator64-x86
alias emulator=/usr/local/android-sdk/tools/emulator

2.3 Caution?!

You will be modifying the files in the root partition. Even though the title of the lab is InitMods, you will be making changes beyond init.rc. Use an AVD, or a real device that is rooted. All mods are reversible. If you are careless, your device may not boot.

3 Equipment Needed

  1. A PC with 5+ GB of available disk space, and a decent CPU to run an ARM emulator without it being too sluggish. Preferably a Linux PC. This lab is doable in Windows, but I am not interested in writing that up.
  2. The Android SDK already installed on it.
  3. You will need an AVD.
  4. A real Android device that you wish to root. Discover a ready-to-use rooting procedure, preferably from xda.com.

4 Tasks

  1. Bonus Tasks: These are optional. Doing them earns points that help when letter grades are assigned at the end.
  2. Deliverables: Treat these lists as suggestions. Add or delete as appropriate.

4.1 Task: Rooting a Real Device

4.1.1 Check that a Device is Rooted or Not

  1. Verify whether the AVD and the real device you chose are rooted or not.
  2. Google Play has several APKs that can check. Not all of them check thoroughly.
  3. Try, say, two such APKs, and report on your experience.
  4. You are expected to know how to do this check manually at the terminal level within the device. Report on your experience.
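The manual, terminal-level version of that check, as an added example that is not part of the original lab: each check is a small function that takes the text it inspects as an argument, so it also runs on output captured from another device. The list of su locations, and the presence of toybox/toolbox commands such as getprop, are my assumptions.

```shell
#!/system/bin/sh
# rootcheck: the terminal-level checks behind "is this device rooted?".
# Added lab example, not code from the page. Each check takes the text it
# inspects as an argument, so it also works on output captured elsewhere.

# uid_of IDLINE: numeric uid from `id` output such as "uid=0(root) gid=0(root) ...".
uid_of() { printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p'; }

# id_is_root IDLINE: true when that uid is 0.
id_is_root() { [ "$(uid_of "$1")" = 0 ]; }

# su_candidates: print the usual su locations (an assumed list) that exist and are executable.
su_candidates() {
    for p in /system/bin/su /system/xbin/su /sbin/su /su/bin/su /vendor/bin/su \
             /data/local/xbin/su /data/local/bin/su; do
        [ -x "$p" ] && echo "$p"
    done
    return 0
}

# build_is_test_keys TAGS: `getprop ro.build.tags` reports "test-keys" for a build
# signed with the public AOSP keys (every AVD) and "release-keys" for a vendor build.
build_is_test_keys() { case "$1" in *test-keys*) return 0;; *) return 1;; esac; }

# system_is_rw MOUNTS: given /proc/mounts text, is /system (or / on a
# system-as-root image) mounted read-write? Field 4 is the mount option list.
system_is_rw() {
    printf '%s\n' "$1" | awk '$2 == "/system" || $2 == "/" {
            n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# report: run every check live on this device and print one line per finding.
report() {
    id_is_root "$(id)" && echo "this shell already runs as uid 0"
    su=$(su_candidates); [ -n "$su" ] && echo "su binaries present: $su"
    build_is_test_keys "$(getprop ro.build.tags 2>/dev/null)" && echo "build is signed with test-keys"
    system_is_rw "$(cat /proc/mounts)" && echo "/system is mounted read-write"
    echo "su -c id says: $(su -c id 2>/dev/null || echo 'su not usable from this shell')"
}
```

Run `report` from an adb shell on the AVD and again on the real device, and compare the findings with what the checker APKs claimed.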

4.1.2 Rooting

  1. Install busybox and bash via adb install. Did the device need to be rooted for this?
  2. Capture the output of id.
  3. Unroot the AVD.

4.1.3 Install a few Rooted-Only APKs

  1. Discover two Rooted-Only APKs, one from Google Play and another from FDroid.org. Install and run them in the AVD.

4.1.4 Deliverables

  1. (i) Description of the AVD. Do not upload *.img files. (ii) A transcript of how you rooted. (iii) ls -l listings of the busybox and su executables within the AVD. (iv) Screenshots of the rooted-only APKs.

4.2 Task: Use the on Statement in init.rc

  1. Insert an additional on statement that periodically does something that is easy for us to notice. E.g., play an MP3 on the hour, every hour. [Requirement Goal: This should consume as little CPU and battery as possible. You are not expected to verify this.]
  2. Deliverables: (i) Describe how you accomplished the task. (ii) Suggest one "on" statement that could be deleted without losing device functionality.

4.3 Task: Kill Processes not on White Lists

  1. Design and deploy an on-going service, named killoff, that kills off processes that are not on a white-list. The service program takes one or more white-list file names. A white-list file is a text file with exactly one process name per line. This is doable in a shell script language.
  2. How often? Every second? Minute? Make it configurable.
  3. This is best done by placing your script in /system/etc/init.d/.
  4. Deliverables: (i) Describe how you accomplished the task. Include the shell script, and the relevant lines of init.rc that start this service in the PDF. (ii) Describe how you tested.
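One way to build killoff, as an added example rather than the lab's own solution. It assumes a toybox/procps-style ps that accepts -o pid=,comm= (the older toolbox ps prints NAME in the last column and needs different parsing), and the init.rc lines in the closing comment are likewise my assumption, not taken from the page.

```shell
#!/system/bin/sh
# killoff: kill every running process whose name is not on a white-list.
# Added lab example, not code from the page. Assumes a toybox/procps-style
# `ps -e -o pid=,comm=`; the old toolbox ps (NAME in the last column) needs
# different parsing. Usage: KILLOFF_MAIN=1 killoff.sh white1.txt [white2.txt ...]
# load_whitelist FILE...: merge the white-list files into one sorted list, one
# name per line; '#' comments, blank lines and surrounding whitespace are dropped.
load_whitelist() {
    cat "$@" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^$' | sort -u
}

# is_whitelisted NAME LIST: succeed if NAME is exactly one line of LIST.
is_whitelisted() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# filter_offenders LIST: read "pid name" lines on stdin and print those not on
# LIST. PID 1 (init) and this script itself are always spared.
filter_offenders() {
    while read -r pid name; do
        [ "$pid" = 1 ] && continue
        [ "$pid" = "$$" ] && continue
        is_whitelisted "$name" "$1" || printf '%s %s\n' "$pid" "$name"
    done
}

# sweep LIST: snapshot the process table and kill (or, with KILLOFF_DRYRUN=1, only
# report) every offender; a failed kill (already gone, kernel thread) is ignored.
sweep() {
    ps -e -o pid=,comm= | filter_offenders "$1" | while read -r pid name; do
        if [ "${KILLOFF_DRYRUN:-0}" = 1 ]; then echo "would kill $pid ($name)"
        else kill "$pid" 2>/dev/null || true; fi
    done
}

# Service entry point: loop every KILLOFF_INTERVAL seconds (default 60). Guarded
# so the file can be sourced for its functions without starting the loop.
if [ "${KILLOFF_MAIN:-0}" = 1 ]; then
    [ $# -ge 1 ] || { echo "usage: $0 whitelist.txt ..." >&2; exit 2; }
    wl=$(load_whitelist "$@")
    while :; do sweep "$wl"; sleep "${KILLOFF_INTERVAL:-60}"; done
fi
# init.rc lines (assumed, not from the page) that would start it after boot:
#   service killoff /system/etc/init.d/killoff.sh /system/etc/killoff.wl
#       class late_start
#       setenv KILLOFF_MAIN 1
#   on property:sys.boot_completed=1
#       start killoff
```

Test with KILLOFF_DRYRUN=1 first and a white-list built from the names ps shows on the device (comm names are truncated to 15 characters), since a missing zygote or surfaceflinger entry will take the UI down.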

4.4 Task: Key Logger

  1. Install a key logger, that is [preferably] "invisible". Log the keys to a file named .keys.txt. Log each key byte as two hex digits, without the 0x. Keep the file size under 10MB.
  2. Deliverables: (i) Describe how you accomplished the task. (ii) Include a selection of .keys.txt in the PDF.

4.5 Task: [Bonus] Boot Animation Change

  1. Change the boot animation (see the references) to something of your choice, but without using an APK and without flashing via recovery. You are welcome to use adb, or a local shell running inside the device.
  2. Deliverables: (i) Describe how you accomplished the task, at the level of what file was placed where. (ii) What is the expected content of bootanimation.zip? (iii) Screenshots, just a couple. (iv) Answer this Q [make an educated guess]: while the boot animation is running, is something productive happening?

4.6 Task: [Bonus] Process Logger

  1. On Linux, ps aux lists all processes and their status and resource usage. Learn (i) what the equivalent is within Android at the Linux level, and (ii) the path name pnm where Android system logs are kept. Do the equivalent of ps aux >> /pnm/ps-aux-log.txt. When this log file becomes bigger than 1 MB, delete the first several lines so that it becomes about 500 KB. Do this in a loop.
  2. Deliverables: (i) Describe how you accomplished the task. (ii) Include a selection of /pnm/ps-aux-log.txt in the PDF.
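An added example of the append-and-trim loop (not the lab's solution): /PNM_PLACEHOLDER stands for the log directory you are asked to discover, and the ps fallbacks assume a toybox or toolbox ps on the device.

```shell
#!/system/bin/sh
# pslogger: append a `ps aux` snapshot to a log file in a loop and keep the file
# bounded. Added lab example, not code from the page; PNM_PLACEHOLDER stands for
# the Android log directory the task asks you to discover.
LOG=${PSLOG:-/PNM_PLACEHOLDER/ps-aux-log.txt}
MAX=${PSLOG_MAX:-1048576}   # trim once the file exceeds 1 MB ...
KEEP=${PSLOG_KEEP:-512000}  # ... back down to about 500 KB
INTERVAL=${PSLOG_INTERVAL:-60}

# file_size FILE: size in bytes, 0 if FILE does not exist.
file_size() { if [ -f "$1" ]; then wc -c < "$1"; else echo 0; fi; }

# trim_log FILE MAX KEEP: when FILE is larger than MAX bytes, keep only its last
# KEEP bytes and drop the first (usually partial) line so it starts on a line boundary.
trim_log() {
    [ "$(file_size "$1")" -gt "$2" ] || return 0
    tail -c "$3" "$1" | tail -n +2 > "$1.tmp" && mv "$1.tmp" "$1"
}

# snapshot FILE: append one dated process listing. Android's toybox ps takes
# `ps -A`, the older toolbox ps takes no flags, so fall through in that order.
snapshot() {
    { echo "=== $(date)"; ps aux 2>/dev/null || ps -A 2>/dev/null || ps; } >> "$1"
}

# Entry point, guarded so the file can be sourced for its functions without looping.
if [ "${PSLOG_MAIN:-0}" = 1 ]; then
    while :; do snapshot "$LOG"; trim_log "$LOG" "$MAX" "$KEEP"; sleep "$INTERVAL"; done
fi
```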

5 Submission

All submissions are into Pilot dropboxes. The LabName of this lab is RootInitMods.

There should be the APK files used in this lab, and one PDF file named exactly Report-LabName.pdf that includes all screenshots and your commentary on all aspects of this lab. Scripts are used to check various things, so file names should obey the "rules". Suggestions as to what this commentary should focus on are spread throughout the above.

6 References

  1. Boot Animations: The web has many tutorials on how to change it. Here is one, from 2016. Here is a collection of animations.
  2. Help with the Init Mods Task: Use the "on" Statement. Study the init.rc file of AOSP. Better yet: study the init.rc of your device.
  3. Editing init.rc: here is a decent tutorial, from 2012.
  4. http://www.android-keylogger.net/ Has a pretty good description of what a key logger is.

7 End

Copyright © 2019 www.wright.edu/~pmateti • 2019-03-05