Getting root Access from Android Stock Recovery

This week a customer brought me a Verizon Samsung Galaxy Stellar (SCH-I200) that was freezing at the boot logo. They didn’t care about the phone itself working as they planned to turn it in under insurance. What they did want was their photos recovered from the internal storage. There are a few ways to tackle this and I managed to find a way I haven’t seen documented elsewhere. (or my googlefu is slacking)

Most, if not all, Android phones come with the data partition unencrypted which makes recovering data easier but they also don’t come with root access. There are plenty of ways to root android devices and a lot of them require the device to be running properly with adb enabled. The Galaxy Stellar I had was able to boot into the stock recovery. Fortunately for me, plugging the phone (in recovery mode) into my computer allowed adb access but only as a regular user. Searching the webs for rooting information on the Stellar brought me to a XDA Developers thread about “Saferoot” for the Galaxy S4. Turns out the Saferoot exploit can be used on quite a few different devices including the Galaxy Stellar. Saferoot is basically a script that runs the exploit and installs the su binary, busybox and SuperUser.apk. The script just puts everything into a temp folder on the phone and starts the “getroot” process. The getroot binary is compiled look in /data/local/tmp for the su binary to install. In the stock recovery, the data partition is not mounted so I was unable to access or create the /data/local/tmp directory. Luckily, the source code for getroot was available in the same thread so I modified it to look in /tmp which I did have access to as a regular user. The source code zip file has instructions for compiling with the android ndk. After recompiling getroot with the new path for the su binary, all I had to do was push the getroot and su binary files to /tmp with adb and run “adb shell /tmp/getroot”. The exploit ran and successfully installed su.

The next step was to get the data partition. One way to do this is to mount the data partition on the device (mount -t ext4 /dev/block/mmcblk0p15 /data) and use “adb pull” from your pc to get what you need. This works fine and would probably be the best way for a phone without an SD card slot. The Galaxy Stellar has an SD card slot so I popped in a card, mounted it to /sdcard and used dd to create an image file of the data partition (dd if=/dev/block/mmcblk0p15 of=/sdcard/mmcblk0p15.img). The data partition is ext4 so mounting the image file in linux is as easy as “mount -o loop /path/to/ext4.img /path/to/mount/dir”. Then you can pull out whatever you need.

I haven’t tested this method on any other phones yet so I don’t know if it’s only good for the Stellar. If you give this a try and it works for another device, please post a comment. You can download my getroot binary here.

Archives By Month