Hi folks,
Here's a noir-style rooting app that was tested to work on both the Nokia 8110 4G TA-1048 with v16 firmware and the Alcatel OT-4044D with KaiOS 1.0. It also has the potential to work on phones without busybox, since it carries its own unzip binary and uses its own resource loader function. So, besides rooting, this is also a testbed for sandbox escaping (at least for an app with "certified" permission).
Download link
(SHA256: abc4b5f20b3f6ace709e95560db728ce36783c78dcba49d346cbc2d1eec29bb3; compare it with the output of sha256sum on the downloaded package before installing)
How to install
After you enter developer/debug mode, the Wallace app can be installed the same way OmniSD is installed:
- via the WebIDE of an old Firefox/Pale Moon/NewMoon build together with the adb forward tcp:6000 localfilesystem:/data/local/debugger-socket command,
or
How to use
Just press the central D-pad key and wait until the Niander Wallace silhouette fully comes up. Then your ADB shell is rooted until the next reboot.
There's also the (usual) "secret" feature: a privileged factory reset (with a confirmation prompt, of course) if you press # instead of the central key.
How it works
The general flow is as follows:
1. The first fitting master extension is selected depending on the platform (the choice is made among engmodeExtension, jrdExtension and kaiosExtension);
2. The resource loader method (see below) is called to fetch the "unzip" binary from the app resources into /data/local/tmp/unzip;
3. With the help of the selected master extension's startUniversalCommand method, a concatenated command is run to:
- stop the adbd service;
- move the unzip binary from /data/local/tmp/unzip to /sbin/unzip and adjust its permissions (the /sbin tree is volatile, so this change only lasts until the next reboot);
- run the unzip command against the local application package to extract the adbd binary into /sbin;
- adjust the permissions of the new /sbin/adbd and start the adbd service again;
- remove the leftover folder from primary storage if it's empty.
How resource loader method works
This is the most interesting part of this app. The resource loader uses the fact that the main storage (the one used by the B2G API method navigator.getDeviceStorage("sdcard")) can always be referred to as /storage/self/primary/ in the actual FS tree. The only issue is that in some cases (for instance, on the 8110 with v16 and no SD card) the actual storage is mounted at /storage/self/primary/0 but, due to some bug, the root of the B2G "sdcard" storage handle still refers to /storage/self/primary/ itself, so attempts to write to the root result in a DOM error. Hence, the logic of the loader method is as follows:
1. Shape an XHR with the "application/octet-stream" content type and "blob" response type to fetch the necessary resource file. If it succeeds, go to the next step; if not, return an operation error.
2. Retrieve the storage handle with navigator.getDeviceStorage("sdcard") and try writing the resulting blob to the file 0/tmpbin.bin (relative to the B2G storage root, not the physical location). On success, go to the next step; otherwise return an operation error.
3. With the help of the selected master extension's startUniversalCommand method, run a command to move the file (located with the find command within the /storage/self/primary/ tree, because it might end up at either /storage/self/primary/tmpbin.bin or /storage/self/primary/0/tmpbin.bin) to the target location. Return operation success.
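To make both procedures above concrete (the general flow in "How it works" and the loader method just described), here is an added example written for this post; it is not the Wallace app's own code. Every device-side dependency (the XHR fetch, the DeviceStorage "sdcard" handle, the master extension's startUniversalCommand) is injected, so the control flow runs under plain Node against constructed fakes. The function and constant names, the resource URL, the archive member name "adbd", the mode bits, the assumption that the leftover folder is the "0" directory created by the staging write, and the promise-returning startUniversalCommand fake are all my assumptions, not details taken from the app.

```javascript
// Added example (not the Wallace app's code): rooting flow and resource loader
// modelled with injected dependencies so it runs under Node with fakes.

const TMP_UNZIP = '/data/local/tmp/unzip';
const PRIMARY_TREE = '/storage/self/primary/';
const STAGING_NAME = 'tmpbin.bin';

// Single-quote a shell argument so a path cannot break the concatenated command.
function shQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// Step 1: pick the first master extension the platform exposes (names from the post).
// `nav` is navigator on a device; a plain object in tests.
function selectMasterExtension(nav) {
  for (const name of ['engmodeExtension', 'jrdExtension', 'kaiosExtension']) {
    const ext = nav[name];
    if (ext && typeof ext.startUniversalCommand === 'function') return { name, ext };
  }
  return null;
}

// Wrap a DOMRequest (onsuccess/onerror) in a Promise; DeviceStorage.addNamed returns one.
function requestToPromise(req) {
  return new Promise((resolve, reject) => {
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error || new Error('DOMRequest failed'));
  });
}

// Loader step 3: the staged file may sit at either /storage/self/primary/<name>
// or /storage/self/primary/0/<name>, so locate it with find before moving it.
function buildMoveCommand(name, target) {
  return `find ${shQuote(PRIMARY_TREE)} -name ${shQuote(name)} -exec mv {} ${shQuote(target)} \\;`;
}

// Step 3 of the general flow. Member name "adbd", mode bits and the leftover
// "0" folder (assumed to be created by writing 0/tmpbin.bin) are assumptions.
function buildRootCommand(pkgPath) {
  return [
    'stop adbd',
    `mv ${shQuote(TMP_UNZIP)} /sbin/unzip`,
    'chmod 755 /sbin/unzip',
    `/sbin/unzip -o ${shQuote(pkgPath)} adbd -d /sbin`,
    'chmod 755 /sbin/adbd',
    'start adbd',
    `rmdir ${shQuote(PRIMARY_TREE + '0')} 2>/dev/null || true`,
  ].join(' && ');
}

// Loader steps 1-3. fetchBlob(url) stands in for the XHR with responseType "blob",
// sdcard for navigator.getDeviceStorage("sdcard"); both are injected.
async function loadResource({ fetchBlob, sdcard, startUniversalCommand }, url, target) {
  let blob;
  try {
    blob = await fetchBlob(url);
  } catch (e) {
    return { ok: false, stage: 'fetch', error: String(e) };
  }
  try {
    // Write under "0/" relative to the B2G root: writing to the root itself fails
    // on builds where the real mount is /storage/self/primary/0.
    await requestToPromise(sdcard.addNamed(blob, '0/' + STAGING_NAME));
  } catch (e) {
    return { ok: false, stage: 'write', error: String(e) };
  }
  await startUniversalCommand(buildMoveCommand(STAGING_NAME, target));
  return { ok: true, stage: 'done' };
}

// Whole flow: stage unzip through the loader, then swap in the bundled adbd.
async function rootAdb(deps, pkgPath) {
  const loaded = await loadResource(deps, 'resources/unzip', TMP_UNZIP); // URL assumed
  if (!loaded.ok) return loaded;
  await deps.startUniversalCommand(buildRootCommand(pkgPath));
  return { ok: true, stage: 'rooted' };
}

// Constructed fakes: an sdcard handle with the buggy root (root writes fail,
// "0/" writes succeed) and a master extension that records the commands it gets.
function makeFakeEnvironment() {
  const commands = [];
  const files = {};
  const sdcard = {
    addNamed(blob, name) {
      const req = {};
      queueMicrotask(() => {
        if (!name.startsWith('0/')) { req.error = new Error('DOM error: root not writable'); req.onerror(); return; }
        files[PRIMARY_TREE + name] = blob;
        req.result = name;
        req.onsuccess();
      });
      return req;
    },
  };
  const nav = { kaiosExtension: { startUniversalCommand: (cmd) => { commands.push(cmd); return Promise.resolve(); } } };
  const { ext } = selectMasterExtension(nav);
  const fetchBlob = async () => new Uint8Array([0x7f, 0x45, 0x4c, 0x46]); // constructed "ELF" stub
  return { deps: { fetchBlob, sdcard, startUniversalCommand: ext.startUniversalCommand }, commands, files };
}
```

On a real device the injected startUniversalCommand may hand back a DOMRequest rather than a Promise; wrapping it with requestToPromise as done for addNamed keeps the rest of the flow unchanged. The interesting property to check when porting this to another firmware is which of the two staging paths find reports, since that tells you whether the handle root bug is present on that build.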
So, now that you know what it is and how it all works, feel free to test it out on different configurations (for instance, v13, etc.).
Have fun!
P.S. If you don't know who Niander Wallace is, don't worry... Just watch Blade Runner 2049 and you'll find out. ;)