
Rooting the Huawei (Softbank) 201HW/U9201L


Recently, during a trip to Japan, my FirefoxOS Flame‘s backlight decided to go out in a blaze of glory.

Upon opening the device up, I found that the ribbon (as well as the connector) for the device had burn marks on them, and thought that might be the cause of the issue (some sort of short, I assume). Luckily, there is actually ongoing service for the FirefoxOS Flame; all you have to do is send an email to flameservice@thundersoft.com.

After getting in contact with the support team at Thundersoft (?), they informed me that I would have to ship the device over and possibly pay a few fees to have the device evaluated, and possibly fixed. While this would be a completely reasonable option, I decided that before I sent the device to them, I’d try my hand at flashing FirefoxOS on a spare device (that I ironically bought in Japan, when a different phone of mine croaked) myself.

Enter the Huawei Softbank 201HW/U9201L (pdadb). The phone has very modest specs, and just happened to be an extra I had lying around, so I figured I would try to get FFOS on this device first, before trying bigger/more powerful devices. The phone I have is running (a heavily modified) version of Android Ice Cream Sandwich (ICS) 4.0.4.

Obviously, before I can flash/install FirefoxOS onto the device, I need to be able to arbitrarily write and read files on the device, otherwise known as “root access”. My first instinct was to use adb shell to get into the device, poke around, and see what permissions I had. I quickly realized, of course, that I had just about none. I didn’t even think *any* part of the device was writable by the “shell” user, until I found /data/local/tmp. Note that you can’t even readdir on the folders above it; you just need to know that /data/local/tmp is there, and you can access and write to the folder. Lots of searching is what led me to that directory (and to realizing that I could echo "message" > somefile to some other files). Once I figured this out, trying exploits became as easy as finding the binaries and giving them a go. Unfortunately, none of them panned out. I tried the following exploits, all of which seemed to be built for ICS, or to be universal:
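To make the “poke around and see what the shell user can touch” step repeatable, here is an added example (not code from the original post) that probes a list of directories over adb shell and reports, per directory, whether the unprivileged shell user can list it and whether it can create a file in it. It assumes adb is in PATH and one device is attached; run_in_target is a hypothetical hook that can be redefined to run the same checks locally. Because old adb/adbd builds (such as the one on an ICS phone) do not propagate the remote command’s exit status, success is detected through a printed marker rather than the return code.

```shell
#!/bin/sh
# Added example, not from the original post: enumerate which directories the
# unprivileged "shell" user can list and write through `adb shell`.
# Assumptions: adb is in PATH and exactly one device is attached.

# run_in_target CMD: execute a command line on the phone. Redefine this
# (e.g. run_in_target() { sh -c "$*"; }) to exercise the logic without a device.
run_in_target() { adb shell "$@"; }

# remote_ok CMD: true if CMD succeeds on the target. Old adb/adbd pairs do not
# return the remote exit status, so the remote side prints a marker on success
# and we look for that instead of trusting $?.
remote_ok() {
  out=$(run_in_target "$1 >/dev/null 2>&1 && echo __OK__" 2>/dev/null)
  case "$out" in
    *__OK__*) return 0 ;;
    *) return 1 ;;
  esac
}

# probe_dir DIR: prints "DIR list=yes|no write=yes|no".
# `ls` tests readdir; the write test creates and removes a throwaway file,
# so the target directory is left as it was found.
probe_dir() {
  dir="$1"
  probe="$dir/.probe.$$"
  if remote_ok "ls '$dir'"; then listable=yes; else listable=no; fi
  if remote_ok "echo probe > '$probe' && rm -f '$probe'"; then writable=yes; else writable=no; fi
  echo "$dir list=$listable write=$writable"
}

# probe_dirs DIR...: one result line per directory.
probe_dirs() {
  for d in "$@"; do
    probe_dir "$d"
  done
}

# Only talk to a device when invoked with --run. The default list starts at
# the post's known-writable /data/local/tmp and walks up from there.
if [ "${1:-}" = "--run" ]; then
  probe_dirs /data/local/tmp /data/local /data /system /sdcard
fi
```

Invoke it as sh probe.sh --run with the phone attached; a directory reporting list=no write=yes is exactly the /data/local/tmp situation described above, where the path is usable only if you already know it exists.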

  • z4root
  • rageagainstthecage
  • Root_with_Restore_by_Bin4ry

While ultimately fruitless, I did end up learning a lot about the basic privilege escalation methods of some older rootkits, through a fantastic set of slides I found online. The talk/presentation is called Don’t Root Robots, by Jon Oberheide of Duo. I also found a great breakdown of the rageagainstthecage exploit.

I came upon the fastboot instructions by sheer luck on a guide related to the One+, and started wondering if the bootloader was the better approach, since I seemed to be making no progress with privilege escalation. After all this searching and reading (a lot of which was done on XDA developers), it seemed clear that most rooting happened either through loading of a custom ROM/unlocked bootloader, or through privilege escalations.

Then I came across this post, which laid out the basic procedure, as well as provided a link to a ClockWorkMod-enabled recovery image to use. This post let me know that I was close in my digging, and that since the bootloader seemed to be so easily unlocked, it was going to be easy to replace the recovery facilities with something that would load a custom update/ROM.

From what I understand, ClockWorkMod (CWM) is a custom recovery image that presents a selection/option menu when you boot a device into recovery mode. It often goes with installing new/custom ROMs, as it will facilitate picking a custom ROM from an attached SD card to be loaded.

After much trial and error, I was able to get a custom recovery image loaded with the following steps:

  1. Enable USB Debugging (If you don’t see the Developer options, you may have to go into Device info and tap the build number 7 times or something like that)
  2. Enable Fastboot
  3. Connect your computer (which should have ADB and android tools installed) to the phone
  4. Confirm that the device is connected, by calling adb devices and ensuring your device is present (note, you should also be able to adb shell at this point)
  5. Reboot the device into the bootloader by issuing the command adb reboot bootloader
  6. When the device has rebooted, it will get stuck on the Softbank screen, rather than fully loading Android
  7. While rebooted in bootloader mode, issue the command fastboot devices to list the connected fastboot devices. You should see your device (I had to sudo).
  8. Perform a factory unlock by issuing the command fastboot oem unlock (I had to sudo).
  9. Download the CWM-enabled recovery image from the relevant XDA developers thread. (Mirrored through this blog) wmaster_s CWM recovery for Ascend P1 LTE
  10. Flash the CWM-enabled recovery image by issuing the command fastboot flash recovery recovery.img (after you unzip the RAR file, there will be a recovery.img inside).
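Steps 4 through 10 above are easy to get wrong halfway through (no device in the right state, or flashing the RAR archive instead of the recovery.img inside it), so here is an added example (not code from the original post or from the XDA thread) that wraps the same adb/fastboot sequence with a check before each step. It assumes adb and fastboot are in PATH (run it under sudo if, as in the post, fastboot needs it) and that exactly one phone is attached; the "ANDROID!" magic it checks is the standard 8-byte header that Android boot and recovery images begin with. The helper functions take command output as an argument so they can be tested without a device.

```shell
#!/bin/sh
# Added example, not from the original post: a checked wrapper around the
# adb / fastboot recovery-flashing steps. Assumptions: adb and fastboot are in
# PATH (use sudo if fastboot needs it) and exactly one phone is attached.
set -eu

# adb_device_count OUTPUT: number of entries `adb devices` lists in the
# "device" state; the header line and unauthorized/offline entries are skipped.
adb_device_count() {
  printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" { n++ } END { print n + 0 }'
}

# fastboot_device_count OUTPUT: number of entries `fastboot devices` lists.
fastboot_device_count() {
  printf '%s\n' "$1" | awk '$2 == "fastboot" { n++ } END { print n + 0 }'
}

# is_android_boot_image FILE: Android boot/recovery images start with the
# 8-byte magic "ANDROID!". Refuse to flash anything else, such as the RAR
# archive the image ships in or a truncated download.
is_android_boot_image() {
  [ -f "$1" ] && [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "ANDROID!" ]
}

# flash_cwm_recovery RECOVERY_IMG: verify, reboot to bootloader, unlock, flash.
flash_cwm_recovery() {
  img="$1"
  is_android_boot_image "$img" || { echo "refusing to flash $img: not an Android boot image" >&2; return 1; }
  [ "$(adb_device_count "$(adb devices)")" -eq 1 ] || { echo "expected exactly one adb device in 'device' state" >&2; return 1; }
  adb reboot bootloader
  # The phone sits on the Softbank screen in bootloader mode; poll fastboot
  # until it appears instead of guessing a fixed delay.
  i=0
  until [ "$(fastboot_device_count "$(fastboot devices)")" -eq 1 ]; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "no fastboot device after 30s" >&2; return 1; }
    sleep 1
  done
  # On many devices oem unlock also wipes user data, so back up first.
  fastboot oem unlock
  fastboot flash recovery "$img"
}

# Only touch a device when invoked with --run; the image path defaults to the
# recovery.img extracted from the downloaded archive.
if [ "${1:-}" = "--run" ]; then
  flash_cwm_recovery "${2:-recovery.img}"
fi
```

Run it as sh flash_cwm.sh --run recovery.img after enabling USB debugging and fastboot on the phone; it stops before rebooting if the image or device checks fail, which is the point at which a mistake is still free to fix.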

I also found a stock copy of Huawei’s firmware. Though this link seems to be for the U9202L, it’s probably close enough, so I downloaded it for reference purposes. It’s probably a good idea to have a copy of this on hand in case things go south.

Now, I get to try and find a custom ROM that won’t brick my phone that I can use. I did find this exploration extremely useful, however, and definitely have learned a thing or two about working with android.

Now, to do the actual rooting! It’s not clear to me whether the above (getting the custom recovery installed) was necessary, but I finally managed to find a root kit that actually worked. In the previously linked, super helpful blog post, there was a link to a 2chan (ni-chaneru) thread in which someone posted a ridiculously helpful script bundle that was hosted on Dropbox. Here’s a copy: hw01e_root.

Turns out that if you unzip that folder, look in rooooooot.txt, you can easily make a bash script out of the commands (or run them one by one), and root your phone!

After running those commands, I was able to successfully use su. It was a wild ride, but ultimately, I finally have root access on the device, thanks to some brave souls who have gone ahead and done the work for me.

Now, it’s time to try and actually get FirefoxOS on the thing.