Root Android and Install Recovery linux shell script & how Android rooting works

The file comes from 黑暗伯爵 on cnblogs; article: http://www.cnblogs.com/hangxin1940/archive/2011/07/10/2102087.html

It was originally a Windows shell script; 黑暗伯爵 converted it to a Linux version. The complete package is here: /Files/super119/AndroidRootAndRecovery.zip

Judging from the script, the key program is rageagainstthecage. A quick Google search suggests that this program uses a hack to restart the adbd daemon running on the device as root. Once adbd on the device has root privileges, we can use adb from the PC to do many things that require root -- for example, remounting /system as rw, copying su, busybox and the like into the ROM, installing a recovery, and so on.

As for how rageagainstthecage's hack works: it keeps forking processes until the process limit is reached, after which adbd on the device restarts (only with some probability; there is no guarantee that adbd is the process that gets restarted). When adbd restarts and calls setuid to switch itself to a non-root user, setuid fails; but Android's adbd code does not check whether setuid failed, so in the end adbd runs as root. Below is the English explanation I found; when I have time I will read the adbd code and trace it myself, which should make it clear:

First the code will check that there is an NPROC setting. This is the maximum number of simultaneous processes which the system will allow. A quick “ulimit -a” once connected over adb should show you this setting for your device (this is set to 3301 processes on a Droid Incredible). The code will then try to find the process ID of the currently running adb daemon on the device. After that, the attack starts a loop to generate processes until it can no longer fork any more processes. Once the limit is hit, one process is killed off and the adb daemon process is restarted. As the code comment points out, this is a bit of a race at this point to make sure the adb can restart, but the number of processes stays maxed out. When the adb daemon starts up on an Android device, it is running as root. The code will later check if it should stay as root, or run in “secure” mode which drops its privileges to the “shell” account. This attack attempts to max out the processes so that when the adb daemon attempts to call “setuid” in its code, the call will fail. The current adb code does not check if the setuid call was successful or not, so will happily keep running as root even if this fails.
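The defect the explanation above pins down is the unchecked setuid() return value. As an added example (not code from the original post, nor from the Android adbd source), here the ignored-return pattern sits beside a checked privilege drop that verifies the kernel actually applied the change and refuses to continue otherwise; the function names are my own, and the EAGAIN behaviour is Linux's documented response to a switch that would exceed the target uid's RLIMIT_NPROC.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern described in the post: setgid()/setuid() are called but their return
 * values are ignored, so when setuid() fails (on Linux, EAGAIN when the target uid is
 * already at its RLIMIT_NPROC limit) the daemon silently keeps the uid it started with. */
void drop_privileges_unchecked(uid_t target_uid, gid_t target_gid)
{
    (void)setgid(target_gid);
    (void)setuid(target_uid);   /* failure here goes unnoticed */
}

/* Hardened form: returns 0 only if the process now really runs as target_uid/target_gid,
 * otherwise -1 with errno set. The caller must treat -1 as fatal, not keep serving. */
int drop_privileges_checked(uid_t target_uid, gid_t target_gid)
{
    /* group first: once the uid is dropped, setgid() would no longer be permitted */
    if (setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;
    /* belt and braces: confirm the kernel applied the change to real and effective ids */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid) {
        errno = EPERM;
        return -1;
    }
    /* a genuine drop is irreversible: if root can still be regained, do not proceed */
    if (target_uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to the ids we already hold always succeeds, for root and non-root alike. */
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        perror("privilege drop failed, refusing to run");
        return 1;
    }
    printf("running as uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```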

Original post: https://www.cnblogs.com/super119/p/2211210.html