The other day, we were made privy to the fact that Justin Case, a respected community developer, had found some exploits that would make it possible to root the Motorola Moto X, as well as the Motorola DROID Maxx, Motorola DROID Ultra, and Motorola DROID Mini. We weren’t given any details or a method at the time, though one was promised to arrive in the days to follow.
Well, it does appear we’re “in the days to follow,” and as such, the man — known mostly by his handle “jcase” on Twitter and XDA — has blessed us with the goods. He calls it PwnMyMoto, a replacement for the root/boot package previously known as MotoRoot.
What PwnMyMoto will do
Simply put, PwnMyMoto is an APK that you sideload onto your device through ADB. From there, the application is automatically installed, and upon running it will apply the necessary tricks and hacks required to achieve root. After installation, PwnMyMoto uninstalls itself, and you have a sticky root solution to use to your hearts’ content.
By sticky, I mean that you will be able to reboot your phone and remain in the rooted state without having to touch a thing. This is permanent — the kind we like — without any weird hacks or tricks, so we are extremely excited that such a solution was found in such a short amount of time. This will also give you the ability to write to system, though that’s something that we can only worry about once custom recoveries (and hopefully custom ROMs, eventually) begin to make their way onto the interwebz.
How it was achieved
Justin explains that the full method relied on three available exploits:
First we use bug 9695860 (aka second masterkey) to gain system user, then it uses a symlink attack to gain root access. After gaining root we exploit a flaw in the bootloader, allowing us to bypass the write protection applied to system. In the process we remove stock recovery, so OTAs will not be a worry.
With that, this method keeps write-protection “on” in the “normal” boot state, but completely disables protection when you’re booted into the the device’s recovery state. This will be useful for making changes that require write access. Justin suggests only booting into “recovery” to make those changes, and sticking to the typical boot state for your normal day-to-day business.
Note that custom recoveries are still being looked into, and that this does not currently give us the ability to flash custom kernels (as that part of the bit is still verified by official signatures). In short, this isn’t the full-fledged access we are all hoping to have, but it is a very big step.
How to root your Moto X, DROID MAXX, Ultra, and Mini
Now comes the fun stuff — rooting! These instructions are quite simple if you know your way around ADB. Be sure to give them a good read two or three times before going forward. Also, we must remind you that anything that happens to your device as a result of this is your own responsibility. No one is forcing a gun to your head and making you do this. As long as you understand that, then let’s dive in:
- Download PwnMyMoto for Moto X here. The XDA attachments show different APKs for different carriers, so be sure to download the one for your carrier of choice. If you are using the DROID phones, you will want the APK that is found here (and they’re only on Verizon, so there’s nothing to worry about in regards to carrier).
- Using ADB while your phone is connected, run this command (replace the bracketed text with the appropriate filename): “adb install -r PwnMyMoto-<version and model go here>.apk“.
- Boot your phone like normal, and run the PwnMyMoto app. Your phone will reboot a few times as it applies all the changes. The PwnMyMoto app will be uninstalled after this step, and su will be installed on the system partition.
- Download SuperSU from the Google Play Store. This is what you will use to control root access for any application that needs it.
And that’s it! Easy stuff, right? If you want to check to make sure things went OK, all you have to do is run the following ADB command:
adb shell getprop ro.boot.write_protect
If that returns a value of “0” then you’re good to go. Give it a try, and be sure to refer to the XDA threads here and here if you have any questions or concerns. We’ll be keeping our eye on the scene to see what else will come of this huge breakthrough.