
How to Root Android Device for Vulnerability Scanning and Assessment

TL;DR

  • Rooting gives full control of the device, which is needed for Android app and hardware assessments.
  • With Magisk the process is relatively simple: patch the boot image, unlock the bootloader, flash.
  • Unlocking the bootloader erases all user data from the device and voids any warranty.

Introduction

For mobile testing, whether it’s apps or hardware, it’s essential to have full control over the device for vulnerability scanning and assessment. Rooting an Android device gives us root privileges, which means full access to the operating system, including the private data directories of any installed app.

In this post, we will go through the general process of rooting an Android device using Magisk. I will use a generic MediaTek-based Android phone as an example.

There are other ways to root an Android device than the technique described below, but I prefer Magisk because it is systemless: it patches the boot image rather than the system partition, which keeps updates simple and is the basis for passing Google’s SafetyNet attestation (now being replaced by the Play Integrity API), so we can still test apps that rely on that API. Magisk can also hide root from selected apps that refuse to run on rooted devices, such as banking apps or streaming services. In current releases this is done through the DenyList, the successor to the older MagiskHide feature, which excludes the chosen apps from Magisk’s modifications.

Before diving in, it’s important to note some risks associated with rooting:

  • This voids the warranty on the device (that old chestnut)
  • This could make your device unstable, or unbootable if the wrong image is flashed
  • It increases the attack surface of the device, opening it to malware that can now ask for root (do not download questionable content).

One thing to note before rooting the phone: during the rooting process the bootloader needs to be unlocked, which gives us permission to flash modified firmware onto the device. This is usually done with a command such as fastboot oem unlock (or fastboot flashing unlock on newer devices). Running this command and accepting the warning on the phone triggers a security measure that erases the userdata partition, which holds all application data and settings. The wipe is deliberate: an unlocked bootloader lets anyone with physical access flash a boot image that reads that data, so Android refuses to unlock without first destroying it.

If you want to preserve user data, there are other ways to get a modified boot image onto the device without going through the fastboot unlock and its wipe. They rely on low-level download modes that sit below the bootloader and are tied to the chip vendor:

  • For Qualcomm devices, EDL (Emergency Download) mode
  • For MediaTek devices, BROM (Boot ROM) mode
  • For Unisoc (formerly Spreadtrum) devices, the download mode used by the vendor’s ResearchDownload tool

These modes allow you to flash partitions while keeping user data intact, bypassing the automatic data wipe that comes with the normal bootloader unlock. They are chip- and vendor-specific and usually need a vendor tool or loader; follow-up posts will cover rooting devices with these methods.

General rooting

Prerequisites

  1. The phone to root
  2. A copy of the phone’s boot image, boot.img. This is the image of the boot partition: it contains the kernel and the initial RAM disk (ramdisk), both of which are needed for the device to boot. The kernel is the bridge between hardware and software, managing the device’s resources and processes. The ramdisk holds the init binary, configuration and scripts that mount the system partition and bring up the Android environment during boot. On newer devices (Android 13 and later with a Generic Kernel Image) the ramdisk lives in a separate init_boot partition, and it is init_boot.img rather than boot.img that Magisk patches.

When rooting with Magisk, the boot image is patched so that the system runs with root privileges without any change to the system partition. Magisk injects its components into the ramdisk, where they hook the boot process and provide the su binary and the Magisk daemon, while the system partition stays intact. This is what makes updates easier and is a prerequisite for passing SafetyNet and Play Integrity checks.

To get boot.img, extract it from the firmware for your exact device model and software version; the image must match the build running on the phone. As an example, Google Pixel OTA packages can be downloaded from the official page (https://developers.google.com/android/ota), and full factory images from https://developers.google.com/android/images.

Sometimes the firmware archive already contains boot.img as a separate file, as the Pixel factory images do. Other times, as with the Pixel OTA packages, all partitions are packed into a single file named payload.bin.

Several tools can extract boot.img from payload.bin. One of them is payload_dumper (https://github.com/vm03/payload_dumper):

(venv) usr@craboo:~$ python3 payload_dumper/payload_dumper.py --out ./ --images boot payload.bin
Processing boot partition................................Done
(venv) usr@craboo:~$ file boot.img
boot.img: Android bootimg, kernel

Download and install Magisk

Enable Developer options by tapping Build number (under Settings > About phone) seven times, then enable OEM unlocking and USB debugging from Developer options. Without OEM unlocking switched on, the fastboot unlock command later on will be refused.

It is recommended to download Magisk from the releases on its GitHub page, or to build it yourself from source:

https://github.com/topjohnwu/Magisk

Install Magisk on the phone:

usr@craboo:~/ adb install Magisk-v27.0.apk
Performing Streamed Install
Success

Push the boot image to the device now that Magisk is installed:

usr@craboo:~/ adb push boot.img /sdcard/Download
boot.img: 1 file pushed, 0 skipped. 143.3 MB/s (16777216 bytes in 0.112s)

Open the Magisk app, tap Install next to Magisk, choose “Select and Patch a File”, and pick the boot.img we just pushed. Magisk patches the image and writes the result next to it in /sdcard/Download as magisk_patched-<version>_<random>.img; the exact name is printed in the log output at the end, so use that rather than guessing it.

Once Magisk has finished patching the image, pull the patched file from the device (adb pull copies it; it does not delete the original):

usr@craboo:~/ adb pull /sdcard/Download/magisk_patched-26400_OS0SW.img
/sdcard/Download/magisk_patched-26400_OS0SW.img: 1 file pulled, 0 skipped. 35.4 MB/s (16777216 bytes in 0.452s)

Boot the device into bootloader mode:

usr@craboo:~/ adb reboot bootloader

We can unlock the bootloader with the following command:

usr@craboo:~/ fastboot oem unlock

Note that the unlock command varies by device. On many newer devices it is:

usr@craboo:~/ fastboot flashing unlock

Some OEMs additionally require a device-specific unlock code or token issued by the manufacturer before either command is accepted.

Once the unlock command is issued, a warning appears on the phone’s screen stating that personal data will be erased, and it has to be confirmed on the device. The wipe also clears /sdcard (including any patched image still sitting there, which is why we pulled it first) and resets ADB authorisation, so USB debugging must be re-enabled and the host re-authorised when the device restarts.

We can use the following fastboot command to check if the device is unlocked:

usr@craboo:~/ fastboot getvar unlocked
unlocked: yes
Finished. Total time: 0.003s

Next, we flash the patched image to the device. Note that the file name below carries the Magisk version and a random suffix, so it will differ from run to run; use the name Magisk printed. On A/B devices fastboot flashes the currently active slot, and on devices with an init_boot partition the target is init_boot rather than boot:

usr@craboo:~/ fastboot flash boot magisk_patched-27000_qR5Fu.img
Sending 'boot' (16384 KB)                          OKAY (  0.516s)
Writing 'boot'                                     OKAY (  1.227s)
Finished. Total time: 1.756s

Then restart the device:

usr@craboo:~/ fastboot reboot
Rebooting                                          OKAY (  0.002s)
Finished. Total time: 0.053s

When the phone has rebooted (and USB debugging has been re-enabled), you can get a root shell. The first time su is run, the Magisk app pops up a superuser request on the phone that has to be granted; after that the shell drops into root with the magisk SELinux context:

usr@craboo:~/ adb shell
a28f2_v2_s26_xs15_en:/ $ su
a28f2_v2_s26_xs15_en:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
a28f2_v2_s26_xs15_en:/ #
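The checks a tester would want around the patch-and-flash sequence above, and a look at the boot image structure described in the prerequisites, as an added example. This script is not part of the original post and is not Magisk’s or Pen Test Partners’ tooling; the function names, the PARTITION variable and the constructed sample image are this example’s own assumptions. The checks need only POSIX tools (dd, od, sed, wc); adb and fastboot are only invoked by flash_patched_boot.

```bash
#!/bin/sh
# Added example: pre-flight checks around the Magisk patch-and-flash steps.
# Not from the original post or from Magisk. Function names, PARTITION and the
# sample image are assumptions made for this example.

# Android boot image header, every header version: bytes 0-7 hold the magic
# "ANDROID!" and bytes 40-43 the little-endian 32-bit header_version.
boot_image_magic() {
    dd if="$1" bs=1 count=8 2>/dev/null
}

boot_image_header_version() {
    # Read the four header_version bytes as decimals and assemble them
    # little-endian, so the result does not depend on the host's byte order.
    set -- $(od -A n -t u1 -j 40 -N 4 "$1")
    echo $(( ${1:-0} | (${2:-0} << 8) | (${3:-0} << 16) | (${4:-0} << 24) ))
}

# Prints the header version and returns 0 if FILE carries the boot-image
# magic; returns 1 otherwise, so a wrong or truncated pull never gets flashed.
check_boot_image() {
    if [ "$(boot_image_magic "$1")" != "ANDROID!" ]; then
        echo "$1: no ANDROID! magic, not a boot image" >&2
        return 1
    fi
    boot_image_header_version "$1"
}

# Extracts yes/no from "unlocked: yes" in fastboot output. fastboot writes
# getvar results to stderr, so call it as: fastboot getvar unlocked 2>&1
fastboot_unlocked() {
    printf '%s\n' "$1" | sed -n 's/^unlocked: *//p' | sed -n '1p'
}

# Writes a constructed (not real) image: correct magic, header_version 4 at
# offset 40, zero padding. Only for exercising the checks offline.
make_sample_boot_image() {
    {
        printf 'ANDROID!'
        dd if=/dev/zero bs=1 count=32 2>/dev/null
        printf '\004'
        dd if=/dev/zero bs=1 count=3 2>/dev/null
        dd if=/dev/zero bs=1 count=4096 2>/dev/null
    } > "$1"
}

# The flash step from the post, gated on the checks above. PARTITION defaults
# to boot; set PARTITION=init_boot for devices whose ramdisk lives there.
flash_patched_boot() {
    orig=$1
    patched=$2
    ver=$(check_boot_image "$patched") || return 1
    echo "$patched: boot image header v$ver"
    if [ "$(wc -c < "$patched")" -gt "$(wc -c < "$orig")" ]; then
        echo "warning: patched image is larger than the original" >&2
    fi
    adb reboot bootloader || return 1
    if [ "$(fastboot_unlocked "$(fastboot getvar unlocked 2>&1)")" != "yes" ]; then
        echo "bootloader is locked: run fastboot oem unlock / flashing unlock first" >&2
        return 1
    fi
    fastboot flash "${PARTITION:-boot}" "$patched" && fastboot reboot
}

# Usage: sh preflight.sh boot.img magisk_patched-XXXXX_XXXXX.img
if [ "$#" -eq 2 ]; then
    flash_patched_boot "$1" "$2"
fi
```

The magic check catches the common mistake of pulling a partial file or the wrong file after the wipe; the unlocked check catches flashing into a still-locked bootloader, which fastboot rejects with a less helpful message.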

Please note that once the bootloader is unlocked, the device shows a warning every time it is powered on, stating that the device’s software can’t be checked for corruption and may differ from the manufacturer’s original. This is expected on a test device; it is also visible to anyone who picks the phone up.

Conclusion

Now you know how to root an Android device using Magisk. Approach the process methodically, take a copy of the correct boot image before you start, and be aware that unlocking the bootloader voids the warranty and erases all user data. Keep an eye out for future articles on how to root things.

The article How to Root Android Device for Vulnerability Scanning and Assessment appeared first on Pen Test Partners.