A log of how I rooted my Sony Ericsson Xperia Arc S Android phone (and how rooting via zergRush method work)

Using the method as described here:


The following is a log of how I did the rooting of Sony Ericsson Xperia Arc S (LT18i).

NOTE: “+” is output from “set -x” bash command. And my Android SDK is installed in /opt/android-sdk-linux directory, as shown below.

+ cd /opt/android-sdk-linux/platform-tools
+ ./adb wait-for-device
+ ./adb shell 'cd /data/local/tmp/; rm *'
rm failed for *, No such file or directory
+ ./adb push files/zergRush /data/local/tmp/.
513 KB/s (23056 bytes in 0.043s)
+ ./adb shell 'chmod 777 /data/local/tmp/zergRush'
+ ./adb shell /data/local/tmp/zergRush

[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x2abcccc4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0x6fd193d3 0x6fd39667
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...

[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
+ ./adb wait-for-device
+ ./adb push files/busybox /data/local/tmp/.
2260 KB/s (1075144 bytes in 0.464s)
+ ./adb shell 'chmod 755 /data/local/tmp/busybox'
+ ./adb shell '/data/local/tmp/busybox mount -o remount,rw /system'
+ ./adb shell 'dd if=/data/local/tmp/busybox of=/system/xbin/busybox'
2099+1 records in
2099+1 records out
1075144 bytes transferred in 0.375 secs (2867050 bytes/sec)
+ ./adb shell 'chown root.shell /system/xbin/busybox'
+ ./adb shell 'chmod 04755 /system/xbin/busybox'
+ ./adb shell '/system/xbin/busybox ##install -s /system/xbin'
BusyBox v1.18.4 (2011-04-04 18:40:20 CDT) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.

Currently defined functions:
[, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping, ash,
awk, base64, basename, beep, blkid, blockdev, bootchartd, brctl,
bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp, chmod,
chown, chpasswd, chpst, chroot, chrt, chvt, cksum, clear, cmp, comm,
cp, cpio, crond, crontab, cryptpw, cttyhack, cut, date, dc, dd,
deallocvt, delgroup, deluser, depmod, devmem, df, dhcprelay, diff,
dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap,
dumpleases, echo, ed, egrep, eject, env, envdir, envuidgid, ether-wake,
expand, expr, fakeidentd, false, fbset, fbsplash, fdflush, fdformat,
fdisk, fgconsole, fgrep, find, findfs, flock, fold, free, freeramdisk,
fsck, fsck.minix, fsync, ftpd, ftpget, ftpput, fuser, getopt, getty,
grep, gunzip, gzip, halt, hd, hdparm, head, hexdump, hostid, hostname,
httpd, hush, hwclock, id, ifconfig, ifdown, ifenslave, ifplugd, ifup,
inetd, init, insmod, install, ionice, iostat, ip, ipaddr, ipcalc,
ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kbd_mode, kill,
killall, killall5, klogd, last, length, less, linux32, linux64,
linuxrc, ln, loadfont, loadkmap, logger, login, logname, logread,
losetup, lpd, lpq, lpr, ls, lsattr, lsmod, lspci, lsusb, lzcat, lzma,
lzop, lzopcat, makedevs, makemime, man, md5sum, mdev, mesg, microcom,
mkdir, mkdosfs, mke2fs, mkfifo, mkfs.ext2, mkfs.minix, mkfs.vfat,
mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount,
mountpoint, mpstat, mt, mv, nameif, nbd-client, nc, netstat, nice,
nmeter, nohup, nslookup, ntpd, od, openvt, passwd, patch, pgrep, pidof,
ping, ping6, pipe_progress, pivot_root, pkill, pmap, popmaildir,
poweroff, powertop, printenv, printf, ps, pscan, pwd, raidautorun,
rdate, rdev, readahead, readlink, readprofile, realpath, reboot,
reformime, remove-shell, renice, reset, resize, rev, rm, rmdir, rmmod,
route, rpm, rpm2cpio, rtcwake, run-parts, runlevel, runsv, runsvdir,
rx, script, scriptreplay, sed, sendmail, seq, setarch, setconsole,
setfont, setkeycodes, setlogcons, setsid, setuidgid, sh, sha1sum,
sha256sum, sha512sum, showkey, slattach, sleep, smemcap, softlimit,
sort, split, start-stop-daemon, stat, strings, stty, su, sulogin, sum,
sv, svlogd, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac,
tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp, tftpd, time,
timeout, top, touch, tr, traceroute, traceroute6, true, tty, ttysize,
tunctl, udhcpc, udhcpd, udpsvd, umount, uname, unexpand, uniq,
unix2dos, unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode,
uuencode, vconfig, vi, vlock, volname, wall, watch, watchdog, wc, wget,
which, who, whoami, xargs, xz, xzcat, yes, zcat, zcip

+ ./adb shell 'rm -r /data/local/tmp/busybox'
+ ./adb push files/su /system/bin/su
493 KB/s (22228 bytes in 0.044s)
+ ./adb shell 'chown root.shell /system/bin/su'
+ ./adb shell 'chmod 06755 /system/bin/su'
+ ./adb shell 'rm /system/xbin/su'
rm failed for /system/xbin/su, No such file or directory
+ ./adb shell 'ln -s /system/bin/su /system/xbin/su'
+ ./adb push files/Superuser.apk /system/app/.
1982 KB/s (785801 bytes in 0.387s)
+ ./adb shell 'cd /data/local/tmp/; rm *'
+ ./adb reboot

Some explanation: As shown above, zergRush is in fact using an existing vulnerability to escalate from non-root user to root user, and thus only then is “mount” command possible. The “mount” command is necessary to remount the /system as rewritable, so that “su” or “busybox” can be created/copied there. This is unlike other method, where booting up in bootloader mode are needed to root the handphone.


One response to this post.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: