Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Root Exploit by TeamAndIRC, released to root the Kindle Fire 6.2.1

branch: master

deleted: bin/classes.dex

	deleted:    bin/classes/net/andirc/kindleroot/DirectCall$1.class
	deleted:    bin/classes/net/andirc/kindleroot/DirectCall.class
	deleted:    bin/classes/net/andirc/kindleroot/KindlerootActivity$1.class
	deleted:    bin/classes/net/andirc/kindleroot/KindlerootActivity$2.class
	deleted:    bin/classes/net/andirc/kindleroot/KindlerootActivity$3.class
	deleted:    bin/classes/net/andirc/kindleroot/KindlerootActivity$4.class
	deleted:    bin/classes/net/andirc/kindleroot/KindlerootActivity$5.class
	deleted:    bin/classes/net/andirc/kindleroot/KindlerootActivity$6.class
	deleted:    bin/classes/net/andirc/kindleroot/KindlerootActivity$7.class
	deleted:    bin/classes/net/andirc/kindleroot/KindlerootActivity.class
	deleted:    bin/classes/net/andirc/kindleroot/R$attr.class
	deleted:    bin/classes/net/andirc/kindleroot/R$drawable.class
	deleted:    bin/classes/net/andirc/kindleroot/R$layout.class
	deleted:    bin/classes/net/andirc/kindleroot/R$string.class
	deleted:    bin/classes/net/andirc/kindleroot/R.class
	deleted:    bin/kindleroot.apk
	deleted:    bin/res/drawable-hdpi/ic_launcher.png
	deleted:    bin/res/drawable-ldpi/ic_launcher.png
	deleted:    bin/res/drawable-mdpi/ic_launcher.png
	deleted:    bin/res/drawable/apapp.png
	deleted:    bin/res/drawable/burritorootbig.png
	deleted:    bin/resources.ap_
	deleted:    gen/net/andirc/kindleroot/R.java
latest commit 67cf420e0d
Justin Case authored January 06, 2012
Octocat-spinner-32 res new file: .classpath December 31, 2011
Octocat-spinner-32 src modified: src/net/andirc/kindleroot/DirectCall.java January 06, 2012
Octocat-spinner-32 .classpath new file: .classpath December 31, 2011
Octocat-spinner-32 .project new file: .classpath December 31, 2011
Octocat-spinner-32 AndroidManifest.xml new file: .classpath December 31, 2011
Octocat-spinner-32 LICENSE new file: .classpath December 31, 2011
Octocat-spinner-32 README modified: src/net/andirc/kindleroot/DirectCall.java January 06, 2012
Octocat-spinner-32 proguard.cfg new file: .classpath December 31, 2011
Octocat-spinner-32 project.properties new file: .classpath December 31, 2011
README
Please see the LICENSE file

BurritoRoot is a root exploit for the Kindle Fire, released to gain root on the 6.2.1 firmware. Originally
licensed under a proprietary license, we re-released under the GPL due to blatant code theft by the author
of 'unlockroot'. Not only is he a thief, but a moron, hell he stole the unroot code of our's that was broken.

How it all works

In /sbin/adbd is a secondary property check to see if adbD can run as root, "service.root.amazon.allow". Normally
this can only be set by a system or root process.
<snippet>

.rodata:000203EC aService_root_0 DCB "service.root.amazon.allow",0
.rodata:000203EC                                         ; DATA XREF: .text:0000EFECo
.rodata:00020406                 ALIGN 4
.rodata:00020408 a1_0            unicode 0, <1>,0        ; DATA XREF: .text:0000EFF0o
.rodata:00020408                                         ; .text:0000F000o
.rodata:0002040C aAdbdCannotRunA DCB "adbd cannot run as root in production builds",0xA,0
.rodata:0002040C                                         ; DATA XREF: .text:0000EFF4o
.rodata:0002043A                 ALIGN 4
.rodata:0002043C aService_adb__1 DCB "service.adb.root",0 ; DATA XREF: .text:0000EFFCo
.rodata:0002044D                 ALIGN 0x10
.rodata:00020450 aRestartingAdbd DCB "restarting adbd as root",0xA,0
.rodata:00020450                                         ; DATA XREF: .text:0

</snippet>

In Services.jar is the BroadcastReveiver com.lab126.services.EasterEggReceiver that allows the above property to
be set with a broadcast from any application.

<snippet>
.method private enable(Z)V
    .locals 2
    .parameter "enabled"

    .prologue
    .line 47
    if-eqz p1, :cond_0

    const-string v1, "1"

    move-object v0, v1

    .line 49
    .local v0, value:Ljava/lang/String;
    :goto_0
    const-string v1, "service.root.amazon.allow"

    invoke-static {v1, v0}, Landroid/os/SystemProperties;->set(Ljava/lang/String;Ljava/lang/String;)V

    .line 51
    return-void

    .line 47
    .end local v0           #value:Ljava/lang/String;
    :cond_0
    const-string v1, "0"

    move-object v0, v1

    goto :goto_0
.end method
</snipper>

After causing this property to be set, the user can simply do "adb root" and then adbD will run as root.



    /**
     * @author jcase - Justin Case - jcase@cunninglogic.com
     * @author TeamAndIRC - http://twitter.com/TeamAndIRC
     * 
     * Testers:
     * VashyPooh
     * Trevor Eckhart
     * 
     * Great Being of Knowledge:
     * IOMonster
     * 
     * Supporters:
     * http://AndroidPolice.com
     * http://RootzWiki.com - b16 for the graphics!
     * 
     * Copyright 2011 CunningLogic
     * This file is part of BurritoRoot.
     * 
     * BurritoRoot is free software: you can redistribute it and/or modify it under the terms of the 
     * GNU eneral Public License as published by the Free Software Foundation, either version 3 of 
     * the License, or (at your option) any later version.
     * 
     * BurritoRoot is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
     * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
     * General Public License for more details.
     * 
     * You should have received a copy of the GNU General Public License along with Foobar. If not, see
     * http://www.gnu.org/licenses/gpl-3.0.txt
     * 
     */

	/**
	 * The Wall Of Shame
	 * 
	 * Organizations and persons listed below have violated the copyright and/or licensing of BurritoRoot
	 * and have had their rights to use any part or derivative of BurritoRoot revoked.
	 * 
	 * You are scum, you steal the hard work of our developers. You even stole my non working unroot code
	 * you f*cking bum.
	 * 
	 * Author of unlockroot
	 * http://www(dot)unlockroot(dot)com
	 * Liang Bing
	 * cx66@msn.com
	 * support@unlockroot.com
	 * Hong  Kong
	 * 
	 */
Something went wrong with that request. Please try again.