Why are the rooting apps not working anymore?


Question

A couple years ago, it was easy to root any device: Install KingRoot, KingoRoot, or a similar app, hit the large ROOT button, and let it do the rest. After 5 minutes or so, a green "Root Succeeded!" prompt will pop up, and we can choose to keep the root app, or uninstall it and install a clean root manager app like SuperSU/Superuser.



How do they work? Why aren't they working anymore? And if they work, should I use them or not?


Answer

I had this question a few months ago, and I found this answer through some research, so I thought to share my research on this site by answering my own question, considering the fake information online. (For example, the official KingoRoot site says that it can root Android Oreo, which is completely wrong information.)



How do the rooting apps work?



There are quite a lot of rooting apps: KingRoot, KingoRoot, Z4Root, Root Genius, and Universal Androot, to name a few popular (or formerly popular) apps. All of them use exploits/vulnerabilities/loopholes in the Android OS to give themselves privileges reserved for the system apps or even the Android OS itself. They then mount the /system directory (which houses the processes required to get the system running and the system apps) as read/write, and place a binary named su inside it, namely at /system/bin/su. If some app requires root, the app executes that binary, and you see a prompt asking whether to allow or decline root access.



The exploits/vulnerabilities that get discovered are given a CVE ID, detailed on the CVE website, and fixed in the Android Security Bulletins. An example is the infamous DirtyC0W vulnerability, which was given the CVE ID CVE-2016-5195, and which plagued and still plagues older Linux kernels. Almost all of the apps mentioned above exploit this vulnerability.



Why are the rooting apps not working anymore?



As referenced in the Bulletins above, Google fixes a series of issues in Android every month, so the scope of the vulnerabilities is decreasing rapidly. All the vulnerabilities the rooting apps use to date were fixed in the security patches somewhere around January 2018.



But there can be issues some manufacturers forgot to patch! What about them?



On Android 6.0.0 or newer, that will just cause the device to not boot anymore. To understand the reason for this, we have to look at a concept named Chain of Trust.



Chain of Trust, abbreviated CoT, is a security mechanism that was introduced to protect the Android OS from viruses and unauthorized modifications. It works like a chain of hardware and software, where each part verifies the next part. On a step-by-step basis:




  1. When you power on the device, a hardware function (sometimes called Boot ROM) starts. The Boot ROM is burned into the hardware and cannot be changed.

  2. The Boot ROM verifies the first software in the CoT, the bootloader, which is a raw binary blob, sometimes called the preloader. (The Boot ROM also sometimes loads and uses special custom partitions/binaries, depending on the vendor.) If the bootloader does not pass the verification, the device shuts down. If it passes, the Boot ROM runs the bootloader.

  3. The bootloader checks the options passed to it by the Boot ROM, and selects the appropriate boot mode. The usual boot modes which exist on almost every device are the normal Android boot, Recovery and Fastboot/Download.



If the bootloader is locked, it verifies that the next part of the CoT to run is intact, and if it is, the bootloader runs it. If it is not, the bootloader can shut down, reboot, or get stuck in a special bootloader mode, depending on the device model.



If the bootloader is unlocked, it does not verify the next part of the CoT but directly loads it.




  4. The next part is called the boot partition. It handles the way to boot the system itself. In Android versions on/newer than 6.0.0 (Lollipop), it also verifies that the system is intact, and if it is modified, it shuts down.



As mentioned at the start, these root apps exploit the vulnerabilities to modify /system, which is verified by the boot partition as mentioned in Stage 4 above. So any modification will cause the device not to boot. This state is commonly referred to as a "soft-brick", which can only be fixed by a re-flash.



So the newer devices require the bootloader to be unlocked if you want to root your device. These devices are rooted by flashing a recovery with more options than the normal recovery (like TWRP or ClockWorkMod), usually referred to as a custom recovery, and using that to modify the boot partition (and disable the system verification). It is also possible to directly modify the boot partition without a custom recovery.



Some manufacturers give a way to unlock the bootloader, and some of them don't. The popular devices with locked bootloaders (for example, US carrier-locked Samsung S devices) tend to be exploited by the Android modding community.



My device is still Android 5.1.1 or older! Should I use these to root?



Most of those older devices can be rooted by the rooting apps. So, you could. Should you? That depends on your preferences. Root access grants power over everything in the OS, and with root access, it usually doesn't take even a microsecond to make sure that your device won't ever boot again. It is very probable that the rooting apps won't ever do that, but they could. Also, with root an app could access everything your device does, and everything it holds in its memory, including your credit card information, passwords, etc. If that sounds like a serious privacy threat to you, maybe don't use the root apps. If you don't care about that, you can try them.



If you are savvy enough, the sources of almost all the exploits those root apps use are available. You can try to search for them by CVE ID, look for them in Git, compile and run them to try to get a root shell, and you will be able to install the su binary and the other dependencies yourself.



Also, KingoRoot has been known for sending highly sensitive data like the IMEI and serial number to their servers. The chances are they will never use them, but that's your decision in the end. And KingRoot is known for installing a backdoor in its SDK which allowed some apps to get root access without the user's authorization.



Conclusion



The era of the rooting apps is long gone. The rooting apps don't work anymore, and if you use them on newer Android versions you risk soft-bricking your device and probably losing all your data. If you use them on supported Android versions they will work most of the time, but there are privacy and security concerns you should consider before going on.



I hope my research would help someone in the future who gets the same problem as me. :)
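An added example, not part of the answer above: a small POSIX shell triage that reads `adb shell getprop` output and applies the two points the answer makes, the ~January 2018 patch cutoff for the rooting-app exploits and the Android 6.0+ verified-boot check that turns a /system modification into a soft-brick. The property names are real Android system properties; the device values are constructed samples, not captured from any real device.

```shell
#!/bin/sh
# Added example: triage a device from `adb shell getprop` output against the
# two points above: (1) is the security patch level older than the ~Jan 2018
# cutoff after which the rooting-app exploits were fixed? (2) is it Android 6.0+
# with verified boot enforcing, so a /system edit would leave it unbootable?
# Property names are real; sample values are constructed, not from a device.

# Pull one value out of getprop-style lines of the form "[name]: [value]".
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"
}

# Root-app exploit window: patch dates are ISO YYYY-MM-DD, so compare them as
# integers after stripping the dashes (20171105 < 20180101).
assess_patch() {
    patch=$(prop "$1" ro.build.version.security_patch)
    [ -n "$patch" ] || { echo "unknown"; return; }
    if [ "$(echo "$patch" | sed 's/-//g')" -lt 20180101 ]; then
        echo "exploitable"
    else
        echo "patched"
    fi
}

# Soft-brick risk: on Android 6.0+ the boot image verifies /system, so a
# modified /system on a device whose verified boot state is "green" will not boot.
assess_system_mod() {
    major=$(prop "$1" ro.build.version.release | cut -d. -f1)
    state=$(prop "$1" ro.boot.verifiedbootstate)
    case "$major" in ''|*[!0-9]*) echo "unknown"; return ;; esac
    if [ "$major" -ge 6 ] && [ "$state" = "green" ]; then
        echo "soft-brick-risk"
    elif [ "$major" -ge 6 ]; then
        echo "verification-relaxed"   # unlocked/orange: edits are not rejected at boot
    else
        echo "no-system-verification" # pre-6.0: no boot-time check of /system
    fi
}

# Constructed samples (an old 5.1.1 device and a patched, locked 8.1 device).
OLD_DEVICE='[ro.build.version.release]: [5.1.1]
[ro.build.version.security_patch]: [2017-11-05]'
NEW_DEVICE='[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-03-05]
[ro.boot.verifiedbootstate]: [green]'

printf 'old: %s / %s\n' "$(assess_patch "$OLD_DEVICE")" "$(assess_system_mod "$OLD_DEVICE")"
printf 'new: %s / %s\n' "$(assess_patch "$NEW_DEVICE")" "$(assess_system_mod "$NEW_DEVICE")"
```

To run it against a real device, replace the sample strings with `$(adb shell getprop)`.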

