| Vulnerability/Exploit name | release date | author | effect (root, unlock,...) | notes | link | additional link |
|---|---|---|---|---|---|---|
| psneuter | | scotty2 | root | | https://github.com/tmzt/g2root-kmod/blob/master/scotty2/psneuter/psneuter.c | |
| Exploid | 7/15/2010 | Stealth | root | | http://c-skills.blogspot.com/2010/07/android-trickery.html | |
| GingerBreak | 5/26/2011 | Stealth | root | | http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html | |
| RageAgainstTheCage | | Stealth | root | | | |
| KillingInTheNameOf | | Stealth | root | | http://c-skills.blogspot.com/2011/01/adb-trickery-again.html | |
| Zimperlich | 2/24/2011 | Stealth | | | http://c-skills.blogspot.com/2011/02/zimperlich-sources.html | |
| Zergrush | | Revolutionary | root | | https://github.com/revolutionary/zergRush/blob/master/zergRush.c | http://forum.xda-developers.com/showthread.php?t=1296916 |
| Tacoroot | | jcase | root | HTC Recovery symlink attack to local.prop from /data/recovery/something; bliss found first, but was too slow! | https://github.com/CunningLogic/TacoRoot | |
| Nachoroot | | jcase | root | AMI304 Magnetic Sensor, symlink to local.prop. | https://github.com/CunningLogic/NachoRoot | |
| Burritoroot | | jcase | root | Typo prevented app from sending a debugging intent, caused adb to run as root | https://github.com/CunningLogic/BurritoRoot | |
| Gorditaroot | | jcase | install custom recovery or root | Similar to Nachoroot, different path, AMI304 Magnetic Sensor, symlink to recovery mtd device | https://github.com/CunningLogic/GorditaRoot | |
| Enchilada | | jcase | root | System left r/w & Internal memory left as ext4? I think. Symlink attack from DCIM dir to install-recovery.sh | https://github.com/CunningLogic/Enchilada | |
| ZTERoot (Avail) | | jcase | root | ~70 ridiculous intents left over from engineering. Stupid OEM. | https://github.com/CunningLogic/ZTERoot | http://www.androidpolice.com/2012/01/11/developer-codes-left-in-retail-zte-avail-att-offer-quick-and-easy-root-access/ |
| ZTERoot (Merrit) | | jcase | root | Symlink attack from debugging/logging app | http://forum.xda-developers.com/showthread.php?t=1714299 | |
| LG ICS Root | | jcase | root | Symlink attack | http://forum.xda-developers.com/showthread.php?t=1912277 | |
| DefyXT Root | | jcase | root | Unprotected intent allowing various permission changes. | http://forum.xda-developers.com/showthread.php?t=2031562 | |
| Cyanide | | jcase | root | DefyXT Root Loggerlancher changing permissions, system mounted r/w | https://github.com/CunningLogic/Cyanide | |
| LG Optimus Logic | | jcase | root | | | |
| LG Optimus Elite | | jcase | root | LG not verifying integrity of system partition when flashing through download mode. TOT images are patchable. Probably valid on all LG devices. | http://www.androidpolice.com/2012/06/12/exclusive-how-to-root-the-virgin-mobile-lg-optimus-elite/ | |
| Pantech | | jcase | root | Pantech does not verify integrity of system partition when flashing through download mode. PDL images are patchable. | unpublished | |
| HTC DNA | | jcase | enable unlocking | Backupmanager sets /data 777, then symlink to mmcblk0p5 to change CID. Not root, but enables bootloader unlock | http://forum.xda-developers.com/showthread.php?t=2011611 | |
| HTC One X AT&T | | jcase | root | HTC Ready2go webapp triggering chmod 777 on file in world-writable dir. Lasted a whole 4 hours. | http://www.androidpolice.com/2012/05/25/exclusive-how-to-root-the-att-htc-one-x-on-version-1-85-or-earlier/ | |
| Hisense Pulse | | cj_000 | root | ro.debuggable=1 on initial firmware | | |
| Generic LG | | ? | root | ro.debuggable=1 on some older LGs | unpublished | |
| LG ADB Backdoor | | Giantpune | root | Backdoor, restarts adb as root with key | | |
| Poot | | Giantpune | root | Qualcomm diag device | | |
| Lit | | Giantpune | root | LG Backlight | | |
| ZTE Backdoor | | "Anonymous" | root | Binary spawned root shell, password protected. | | |
| HTC Eris 2.1 Root | | wag3slav3 | install custom recovery | symlink attack from /data/local/something to recovery block device | ? XDA Forums | |
| Droid 3 Root | 8/25/2011 | bliss | root | symlink attack from /data/local/something to local.prop | http://vulnfactory.org/blog/2011/08/25/rooting-the-droid-3/ | |
| Motofail | 2/11/2012 | bliss | root | symlink attack on /data/dontpanic and /data/logger | http://vulnfactory.org/public/motofail_windows.zip | |
| XYZ | 2/17/2012 | bliss | root | symlink attack on /pds/public/battd, /data/dontpanic, and /data/logger | http://vulnfactory.org/public/xyz_windows.zip | |
| LG Spectrum Root | 2/19/2012 | bliss | root | symlink attack on /data/gpscfg/gps_env.conf | http://vulnfactory.org/public/spectrum_root_windows.zip | |
| Megatron | 2/26/2012 | bliss | root | symlink attack on com.ti.fmrxapp | http://vulnfactory.org/blog/2012/02/26/rooting-the-lg-thrill-optimus-3d/ | |
| LG Esteem Root | 2/15/2012 | bliss | root | symlink attack on /data/bootlogo/bootlogopid | http://vulnfactory.org/public/LG_Esteem_Root_v2_Windows.zip | |
| Razr's Edge | 6/21/2012 | bliss | root | symlink attack on /data/local/12m | http://vulnfactory.org/public/razrs_edge_windows.zip | |
| Razr Blade | 1/15/2013 | bliss | root | symlink attack on /data/dontpanic, overwriting SmartActions .jar file to run code as system | http://vulnfactory.org/public/razr_blade.zip | |
| X-Factor | 10/23/2012 | bliss | change CID | symlink attack on telephony ADB restore to change permissions on /dev/diag, followed by kernel exploit (same as Poot) | http://forum.xda-developers.com/showthread.php?t=1952038 | |
| Samsung Admire Root | 9/12/2011 | bliss | root | symlink attack on /data/log/dumpState_app_native.log | http://vulnfactory.org/blog/2011/09/12/rooting-the-samsung-admire/ | |
| Thinkpad Tablet | 1/22/2012 | bliss | root | symlink attack on Lenovo Mobility Manager | http://vulnfactory.org/public/Thinkpad_Root_Windows.zip | |
| Sony Tablet S | 2/8/2012 | bliss | root | symlink attack on /log to change package.list, followed by symlink attack on "pm" (replace "lib" directory of system app to remove arbitrary files) | http://vulnfactory.org/blog/2012/02/08/rooting-the-sony-tablet-s/ | |
| Xoomfail | 2/18/2012 | bliss | root | cmdclient changed perms on /data to 0777 by design | http://vulnfactory.org/blog/2012/02/18/xoom-fe-stupid-bugs-and-more-plagiarism/ | |
| Motofail2Go | 10/16/2012 | bliss | root | symlink attack on data directory for bug2go | http://vulnfactory.org/public/motofail2go_windows.zip | |
| XPRT | 10/8/2012 | bliss | root | symlink attack on /data/dontpanic | http://vulnfactory.org/public/xprt_root_windows.zip | |
| Nandpwn | 8/4/2012 | bliss | root | Ridiculousness on Logitech Revue | https://github.com/djrbliss/revue/tree/master/nandpwn | |
| Motochopper | 4/9/2013 | bliss | root | | http://vulnfactory.org/public/motochopper.zip | |
| ADB Restore Root | | bin4ry | root | | | |
| Exynos-abuse | | alephzain | root | Access to system memory through /dev/exynos-mem on Exynos devices | http://forum.xda-developers.com/showthread.php?t=2057818 | |
| IconiaRoot | | alephzain | root | | http://forum.xda-developers.com/showthread.php?t=2048511 | |
| fr3vo | | Kevin Bruckert | root | Arbitrary kernel write in Qualcomm's MSM rotator | | |
| levitator | | Jon Larimer, Jon Oberheide | root | Out-of-bounds memory mapping in pvrsrvkm | http://jon.oberheide.org/files/levitator.c | |
| mempodroid | | saurik/zx2c4 | root | Bad kernel jazz with /proc/pid/mem and suid binaries | | |
| asroot (Wunderbar?) | | zinx | root | | http://code.google.com/p/flashrec/source/browse/#svn%2Ftrunk%2Fandroid-root | |
| Samsung Infuse 4G | 1/3/2012 | Michael Coppola | root | symlink attack on /data/data/.drm/.wmdrm/sample.hds | http://www.poppopret.org/?p=22 | |