--- layout: post status: publish published: true title: HTC Wildfire Stage 1 Soft-Root wordpress_id: 8 wordpress_url: http://new.martineve.com/?p=8 date: !binary |- MjAxMC0wOC0xNSAwODo1NzowNyArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0xNSAwODo1NzowNyArMDIwMA== categories: - Technology - Android - InfoSec tags: - Android - root - HTC - Wildfire comments: - id: 2 author: quidoh author_email: '' author_url: '' date: !binary |- MjAxMC0wOC0xNSAxMDozNjozOSArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0xNSAxMDozNjozOSArMDIwMA== content: Awesome there is no beter word then awesome!It works fine. Thanks alot! - id: 3 author: Roffeboffe author_email: '' author_url: '' date: !binary |- MjAxMC0wOC0xNSAxMjozMTowMyArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0xNSAxMjozMTowMyArMDIwMA== content: Works perfectly. :) Thanx a lot. Actually this is all I need. I can live with doing this every boot. Finally my daughter can get my old android which I have been promising her since I got the wildfire. Market enabler v3.0.8 works perfectly on the Wildfire also. :) Finally I have access to my paid apps again. - id: 4 author: Comfreak89 author_email: '' author_url: '' date: !binary |- MjAxMC0wOC0xNSAyMToyMTozNiArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0xNSAyMToyMTozNiArMDIwMA== content: ! 'If I will push the files to /sqlite_stmt_journals/ it says the following:user>adb shell$ push "C:\Users\user\Desktop\wildfire root\exploid" /sqlite_stmt_journals/push "C:\Users\user\Desktop\wildfire root\exploid" /sqlite_stmt_journals/push: permission deniedI start the cmd as administrator.Need help :)' - id: 5 author: Comfreak89 author_email: '' author_url: '' date: !binary |- MjAxMC0wOC0xNSAyMjoxNzo0OCArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0xNSAyMjoxNzo0OCArMDIwMA== content: got it...:) - id: 6 author: wildfireM author_email: '' author_url: '' date: !binary |- MjAxMC0wOC0xOSAxNjo1NjoyNyArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0xOSAxNjo1NjoyNyArMDIwMA== content: thanks, Martin. I need to add some fonts. 
After making the above softroot, how I can add the fonts? If I do the following steps it fails already at adb root:adb root adb shell mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system adb push c:\adb\ /system/fontsadb shell reboot Please advise, thanks !!! - id: 7 author: myjanky author_email: '' author_url: '' date: !binary |- MjAxMC0wOC0xOSAyMToxOToxOCArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0xOSAyMToxOToxOCArMDIwMA== content: Hi, I am interested in compiling a version for the Motus MB300. After reviewing the exploid source and modifying the code to fit the Motus it fails somewhat. I can get /system rw but any attempt to issue another command boot loops the device. Any suggestions or help please advise. - id: 8 author: Martin Eve author_email: '' author_url: '' date: !binary |- MjAxMC0wOC0yMCAwNTo1ODo0MyArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0yMCAwNTo1ODo0MyArMDIwMA== content: ! '@wildfireM and myjanky: you are both experiencing the problem of NAND protection. This soft-root does *not* bypass the protection on the flash memory.If you want to temporarily write to /system, you''ll need to mount /dev/block/mtdblock3 somewhere else, then create a new directory and symlink the files *inside each directory of that mount* somewhere else, then mount bind this second directory over the top of /system. You can then put new files into that new directory and they will appear in /system/*' - id: 9 author: wildfireM author_email: '' author_url: '' date: !binary |- MjAxMC0wOC0yMCAwNjoyMTowMyArMDIwMA== date_gmt: !binary |- MjAxMC0wOC0yMCAwNjoyMTowMyArMDIwMA== content: Thank you for your answer, Can you please kindly let me know the instructions to write on the commandline, to do the above suggestions? - id: 10 author: wildfireM author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOCAxMzoyNjowNCArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOCAxMzoyNjowNCArMDIwMA== content: Martin, any news with the wildire root solving the NAND protection?thanks. 
- id: 11 author: Martin Eve author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOCAxMzoyODozNCArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOCAxMzoyODozNCArMDIwMA== content: Hi,Yes! Unrevoked has been able to fully root the Wildfire for a couple of weeks now!Best,Martin - id: 12 author: wildfireM author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOCAxNDowNDozNiArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOCAxNDowNDozNiArMDIwMA== content: Martin , thanks! I've downloaded and have the reflash.exe. Also installed the driver. But if I want only to install the fonts, what shall I do? - id: 13 author: Martin Eve author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOCAxNDowODowMSArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOCAxNDowODowMSArMDIwMA== content: You can't install fonts without full root access, so you need to root the device, reboot into recovery (the only mode where it's possible to modify /system) and push the fonts into the correct location. XDA forums might be a better place to ask for specific directions... - id: 14 author: wildfireM author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOCAxNDo0Mzo0MyArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOCAxNDo0Mzo0MyArMDIwMA== content: ! 'ok, I understand you mean this: adb push c:\adb\ /system/fonts/I dont know what hapenned...but my wildfire shows blankc screen, with the upper red light only, no mater which buttons I push. It is after I made a reflash.exe before. I was able to use it regular after this. Any advise?thanks.' - id: 15 author: Martin Eve author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOCAxNDo1ODowNCArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOCAxNDo1ODowNCArMDIwMA== content: I'm sorry, but I'm not a technical support forum, of which there are many on the internet. Take battery out. Restart, should be fine. 
- id: 16 author: wildfireM author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOCAxNTowMzoxMyArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOCAxNTowMzoxMyArMDIwMA== content: sorry, thank you. - id: 17 author: wildfireM author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOCAxNToyNjo0MyArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOCAxNToyNjo0MyArMDIwMA== content: ! 'Martin: thank you for all your help. I realy appreciate this! notr only for me. I succesfully pushed all the 8 fonts! still does not see the hebrew (did all needed), I''m sure something still missing but I''m on my way. Moshe' - id: 18 author: mightfly author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOSAxMzo1MzozOCArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOSAxMzo1MzozOCArMDIwMA== content: ! 'Martin, I tried your app on an unbranded WildfireKernel version2.6.29-c9472fc1but no joy I am afraid even after waiting 2, 10, 15s after the ''Force Close'' message.So I tried again with the manual approach.This comes up with:[-] creat: Permission deniedI can see that hotplug has already been created in /sqlite_stmt_journals with permissions-rw-r--r--Any ideas would be much appreciated, as I am keen to use sqlite3 on the device.' - id: 19 author: mightfly author_email: '' author_url: '' date: !binary |- MjAxMC0wOS0wOSAxNTo0NDoxMSArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0wOSAxNTo0NDoxMSArMDIwMA== content: Sorry - I should have mentioned that I did this after installing the recent system update. Is it possible that the exploit has been closed? 
- id: 45 author: Brian author_email: soccer_maniac26@hotmail.com author_url: '' date: !binary |- MjAxMC0wOS0yNSAwNzoyMzozOCArMDIwMA== date_gmt: !binary |- MjAxMC0wOS0yNSAwNzoyMzozOCArMDIwMA== content: I tried to download the softroot apk file but the link doesnt work - id: 84 author: Daniel author_email: pseudoesfera@gmail.com author_url: '' date: !binary |- MjAxMC0xMC0wNCAyMzowNToxMyArMDIwMA== date_gmt: !binary |- MjAxMC0xMC0wNCAyMzowNToxMyArMDIwMA== content: ! 'I''ve followed the instructions but every time I run the exploid file, I get a segmentation fault. I have to note that I''m running an updated version of the Firmware (2.1-update1) and Software Number: 1.25.162.1. I''d like to believe that this is the source of my problems rather that some mistake I might have done during the procedure. Is there any workarounds or a new version of that file? Thanks.' - id: 111 author: oli author_email: abuse@golka.priv.at author_url: http://goloka.priv.at date: !binary |- MjAxMC0xMC0xMiAxNzozNToyMiArMDIwMA== date_gmt: !binary |- MjAxMC0xMC0xMiAxNzozNToyMiArMDIwMA== content: ! "i test the one click soft root with the new 2.1 update version, make it 5x no working, the superuser add dont work\r\ndont wont to make it this way, couse see other people also dont work\r\n\r\ndo you check this problem, or should i update to 2.2 and make root then ?\r\nwill update to 2.2 but hope that t-mobile released it next month, so dont wont to flash and get brake when i get the update in few months.\r\n\r\nplease help, want root, soft root for my wildfire, need swapper and other apps\r\n\r\nthy very much for help" - id: 112 author: oli author_email: abuse@golka.priv.at author_url: http://goloka.priv.at date: !binary |- MjAxMC0xMC0xMiAxNzozNjo0OSArMDIwMA== date_gmt: !binary |- MjAxMC0xMC0xMiAxNzozNjo0OSArMDIwMA== content: ! 
"sry my fault is that the superuser addon dont work and say he had a new version, make a .zip file on data card, but this file has 0mb and seems like broken\r\n\r\nhope you can help me android neewb" - id: 3689 author: ledpepper author_email: ross.innes@ilabquality.com author_url: '' date: !binary |- MjAxMC0xMi0wMyAwOTowNDoyNiArMDEwMA== date_gmt: !binary |- MjAxMC0xMi0wMyAwOTowNDoyNiArMDEwMA== content: ! "Hi Martin,\r\n\r\nI have the same problem as Daniel and mightfly. I too am receiving segmentation faults.\r\n\r\nFirmware: 2.1 -update1\r\nBaseband: 13.53.55.24H_3.35.19.25\r\nKernel: 2.6.29 htc-kernal@u18000-Build-149 #1\r\nBuild number: 1.37.405.1" - id: 3696 author: Martin Paul Eve author_email: martin@martineve.com author_url: '' date: !binary |- MjAxMC0xMi0wMyAwOTozMzoyMiArMDEwMA== date_gmt: !binary |- MjAxMC0xMi0wMyAwOTozMzoyMiArMDEwMA== content: ! "Hi,\r\n\r\nIt's supposed to segfault; that's the exploit doing its work.\r\n\r\nHowever, if you don't have root afterwards, then it seems likely that this solution is no longer working. Why not try unrevoked to get permanent root? It works fine, is pretty safe and a a much better solution than mine which was only ever meant as a temporary stop-gap.\r\n\r\nCheers,\r\n\r\nMartin" - id: 6177 author: daniel author_email: kosamu@hotmail.com author_url: '' date: !binary |- MjAxMS0wMi0xMyAyMToyNDozMiArMDEwMA== date_gmt: !binary |- MjAxMS0wMi0xMyAyMToyNDozMiArMDEwMA== content: Doe`s this work on 2.2.1?? - id: 6291 author: Ankur author_email: ankur.nairit@gmail.com author_url: http://ankurtechblog.blogspot.com date: !binary |- MjAxMS0wNS0xMCAwNzo0Njo0MSArMDIwMA== date_gmt: !binary |- MjAxMS0wNS0xMCAwNzo0Njo0MSArMDIwMA== content: ! "Hi Martin Could you tell me if this procedure would work and get me a soft root on my wildfire running 2.2.1 and HBOOT > 1.0.X ?\r\n I have tried a couple of tutorials but have been unable to get root access or S OFF ." 
- id: 6293 author: Martin Paul Eve author_email: martin@martineve.com author_url: '' date: !binary |- MjAxMS0wNS0xMyAxNzo1Mjo0NyArMDIwMA== date_gmt: !binary |- MjAxMS0wNS0xMyAxNzo1Mjo0NyArMDIwMA== content: ! 'Hi Ankur, I believe not as the exploit is designed for 2.1, not 2.2 and there are additional problems with rooting the later Wildfire versions. I believe the only root/S-OFF solution at the moment is the XTC clip. Best, Martin' ---


UPDATE 2013-06-30: I'm afraid that I've had to remove the below files as my host thinks they are a virus. Great. Anyway, this method has easily been surpassed by now.

This is a break from my customary blog posts on Thomas Pynchon and my university research to present a sample of one of my other research interests in the realm of computer science and information security.

Google has, for a fair while now, been distributing their stripped down version of the Linux operating system -- Android -- on mobile devices. These devices are capable of running as fully fledged Linux distributions but for the fact that manufacturers lock down the phones and make it incredibly difficult to gain administrative privileges on the devices. As such, I have begun investigating ways by which to circumvent this ridiculous restriction of users' rights on their own devices; as the recent US Supreme Court ruling sensibly decreed: the devices are owned by the end-users, the end-users should be able to control what is run on such systems and circumventing the protection mechanisms on a device one owns is neither illegal, nor protected by the DMCA.

Recently, a group dubbed "The Android Exploid Crew" released an extremely clever piece of code for the Android operating system which exploits the hotplug system. Essentially, it manages to install itself as a callback that is executed with escalated privileges whenever any hotplug device (wifi/bluetooth) is enabled or disabled. The original exploit copies itself to a new binary in /system/bin (on the flash-memory filesystem, which has been remounted read-write); the new binary is owned by the root account and has the setuid bit set.

Now: the recent HTC device, the Wildfire (codenamed: Buzz), has an interesting system of protection on the flash memory -- NAND protection. This means that, despite the read-write remount of the /system filesystem, any write to this area will result in the system spiralling out of memory, refusing the write and then rebooting. Obviously, this means that the exploit, in its original form, results in a crash and reboot.
I have now modified this exploit to perform differently so that it will work on the Wildfire.

I anticipate that the best usage for my work is as follows, which I may attempt to implement if I have time:

1. Setup application (can we run at startup?) checks for existence of /system/bin/su
2. If not existent, it unpacks su binary and exploid binary to /sqlite_stmt_journals
3. Runs exploit
4. Rebind mount /dev/block/mtdblock3 to /sqlite_stmt_journals/binmount
5. Symlinks all binaries from /sqlite_stmt_journals/binmount/bin to /sqlite_stmt_journals/newbin
6. Copies su to /sqlite_stmt_journals/newbin
7. Chmods/chowns /sqlite_stmt_journals/newbin to a safe combo
8. Mounts /sqlite_stmt_journals/newbin over the top of /system/bin
9. su will now function correctly

Anyway, I have achieved all this manually and now have at /system/bin/ the su binary and, linked into this, the Superuser.apk application! Obligatory screenshot of barnacle wifi tether requesting superuser permissions attached.

So, anyway, to reproduce this, grab these files (source at the end of the post if you want to recompile):

* http://www.martineve.com/wildfirestage1root/su
* http://www.martineve.com/wildfirestage1root/busybox
* http://www.martineve.com/wildfirestage1root/Superuser.apk
* http://www.martineve.com/wildfirestage1root/exploid

ANY STEPS YOU TAKE FROM HEREON ARE YOUR OWN UNDERTAKING. I ACCEPT NO RESPONSIBILITY FOR A BRICKED DEVICE, EVEN THOUGH I PERSONALLY HAD NO PROBLEMS.

1. Set up adb
2. Push all the files to /sqlite_stmt_journals/
3. Execute:

   ```sh
   adb shell
   cd /sqlite_stmt_journals
   ./exploid
   ```

4. Toggle your wifi on and off
5. Back at shell, execute:

   ```sh
   mkdir binmount
   mkdir newbin
   chmod 755 ./busybox
   ./exploid
   # Mount the /system partition read-only at ./binmount
   ./busybox mount -r -t yaffs2 /dev/block/mtdblock3 ./binmount
   # Symlink the stock binaries into ./newbin, then add su alongside them
   ./busybox ln -s /sqlite_stmt_journals/binmount/bin/* /sqlite_stmt_journals/newbin/
   ./busybox cp ./su ./newbin/
   # Bind-mount ./newbin over the top of /system/bin
   ./busybox mount --bind /sqlite_stmt_journals/newbin /system/bin
   ./busybox cp ./Superuser.apk /data/app/
   # Clean up the pushed files
   ./busybox rm ./exploid
   ./busybox rm ./su
   ```

You now have a rooted HTC Wildfire... until you reboot.

Source files:

* http://www.martineve.com/wildfirestage1root/exploid.c
* http://www.martineve.com/wildfirestage1root/makefile
* http://forum.xda-developers.com/showthread.php?t=682828
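
To check a device for the state the procedure above leaves behind, this added example (not part of the original post) audits `/proc/mounts` text, for instance the output of `adb shell cat /proc/mounts`, for three mount-table traces the post describes: /system remounted read-write, the /system partition mounted at a second path, and a mount stacked below /system. The sample mount table is constructed, and the function names and the `allowed` baseline parameter are this example's own.

```python
import re

SYSTEM = "/system"

# Constructed sample in /proc/mounts format (not captured from a real device):
# the mount table as it would look after the procedure above has been run.
SAMPLE_MOUNTS = """\
rootfs / rootfs ro 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
/dev/block/mtdblock3 /sqlite_stmt_journals/binmount yaffs2 ro 0 0
tmpfs /system/bin tmpfs rw,size=4096k 0 0
"""

def _unescape(field):
    # /proc/mounts encodes spaces, tabs and backslashes as octal (\040 etc.).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return (device, mountpoint, fstype, options) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            dev, mnt, fstype, opts = fields[:4]
            entries.append((_unescape(dev), _unescape(mnt), fstype, opts.split(",")))
    return entries

def audit_mounts(text, allowed=()):
    """List (finding, mountpoint, detail) tuples; `allowed` holds baseline mountpoints."""
    entries = parse_mounts(text)
    system_devs = {dev for dev, mnt, _, _ in entries if mnt == SYSTEM}
    findings = []
    for dev, mnt, fstype, opts in entries:
        if mnt in allowed:
            continue
        if mnt == SYSTEM and "rw" in opts:
            findings.append(("system-writable", mnt, dev))
        elif mnt.startswith(SYSTEM + "/"):
            # Anything mounted below /system shadows the files shipped in the image.
            findings.append(("mount-over-system", mnt, f"{fstype} from {dev}"))
        elif dev in system_devs and mnt != SYSTEM:
            # The /system partition is also visible at a second path.
            findings.append(("system-device-remounted", mnt, dev))
    return findings
```

A bind mount appears in `/proc/mounts` with the device and type of the filesystem it came from, which is why the overlay on /system/bin shows up as tmpfs rather than as a directory path. Devices that legitimately mount something below /system need those mountpoints passed in `allowed`.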