Android tablet bq Edison

Root (on any OS)

December 14, 2012



The bq Edison is an Android tablet built by the Spanish company bq. It is an affordable device with excellent specifications for its price, namely a Rockchip 3066 dual-core SoC with a Mali 400 quad-core GPU, 16 GB internal SD and 1 GB of RAM, and it originally shipped with Ice Cream Sandwich. In this post I will show how the bq Edison can be rooted in a very simple way, on any of the major operating systems.

Since the arrival of low-cost Nexus devices, companies such as bq have had to drop their prices in order to remain competitive. Bq is a highly successful company in this respect, since it provides really affordable devices and great user support.

The root method that I demonstrate here is based on the method of DoomLord. However, I provide files for running the process on 64-bit Linux and Windows. Users of Mac OS X and 32-bit Linux need only find a compatible ADB binary, which should be relatively easy to find on the Internet, and replace the one in the files folder (after unzipping the files below!).

This method uses adb to exploit a security issue in the emulator mode of Android. I will provide technical details for those who are interested. The usual disclaimer applies: you are on your own, and I'm not responsible if your device bricks, although I doubt that will happen.

What do you need:

Instructions:

  1. Unzip the file
  2. Connect your tablet to the computer using the USB cable
  3. Enable USB debug in Settings > Developer Options
  4. Enable Unknown sources in Settings > Security
  5. Make sure ADB detects the tablet:
    • On Windows, make sure the ADB Drivers are installed (http://www.mediafire.com/download.php?kmy55fhj9ab2kfe).
    • With a command prompt or Linux terminal, cd into the unzipped files folder and run adb devices. If adb detects the device, it should appear as 0123456789ABCDEF.
    • On Linux if you get errors because of permissions, read below.
  6. Execute the runme.bat (Windows) or runme.sh (Linux)
  7. Read the instructions, the tablet will reboot twice.
  8. Done. Check with an application such as Root Checker to see if root worked, and update the Superuser application and su binary. The su binary is updated from inside the Superuser application.

Technical details:

To understand what is happening behind the scenes, just open one of the script files with a text editor, and read it line by line. So, what is happening here?

  1. Since the device starts out unrooted, you don't have access to many internal folders. But one of the folders we have non-root access to is /data/local/. So, the script starts by creating a tmp folder in /data/local.
  2. Then, it moves /data/local/tmp to /data/local/tmp.bak. Then it creates a symlink (like a shortcut in Windows) from /data/local/tmp.bak to /data. Therefore, anything you write to /data/local/tmp.bak will be forwarded to /data.
  3. Reboot.
  4. Then, the script writes "ro.kernel.qemu=1" to /data/local.prop. This will enable the tablet to boot in Emulator mode.
  5. Reboot.
  6. When it boots again, the device will be in Emulator mode, with complete root access.
  7. The script then copies the su binary, Superuser.apk and busybox, and changes permissions to keep root active.
  8. Removes /data/local.prop and the tmp in /data/local, and reboots again.

The sixth step is the most important, since in Emulator mode one has complete root access, including read-write access to the /system partition, which you won't have again when the device boots normally. For instance, you can use just steps 4, 5, 6 and 8 if you need to remove applications from /system/app.

To understand why the property "ro.kernel.qemu=1" gives root access when the device boots, see this piece of code from the adb service in the device, located in system/core/adb/adb.c of the Android source code (ICS).

int adb_main(int is_daemon, int server_port)
{
    int secure = 0;

    (...)

    /* run adbd in secure mode if ro.secure is set and
    ** we are not in the emulator
    */
    property_get("ro.kernel.qemu", value, "");
    if (strcmp(value, "1") != 0) {
        property_get("ro.secure", value, "1");
        if (strcmp(value, "1") == 0) {
            // don't run as root if ro.secure is set...
            secure = 1;
            (...)
        }
    }

    (...)

    if (secure) {
        (...)
        /* then switch user and group to "shell" */
        if (setgid(AID_SHELL) != 0) {
            exit(1);
        }
        if (setuid(AID_SHELL) != 0) {
            exit(1);
        }
        (...)
    }
}

On boot, the adb process is started by a boot process that runs as root, so by inheritance adb starts as a root service. However, if ro.kernel.qemu equals 0, the secure variable is set to 1 and the uid of the adb service is eventually set to AID_SHELL instead of staying AID_ROOT. So, by setting ro.kernel.qemu=1, the adb service never switches to AID_SHELL, and all processes started by adb inherit the same uid as adb, which is root. That is why this method works!
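The check in the excerpt above, as an added example (not from the original post or from the Android source): a small C program that reads property-file text, such as the contents of /data/local.prop, and reports whether adbd would drop to the shell user. The helper names prop_lookup and adbd_drops_root, the first-definition-wins rule and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the value of `key` from "key=value" property text into `out`, or
 * `dflt` when the key is absent. First definition wins (an assumption). */
static void prop_lookup(const char *text, const char *key,
                        const char *dflt, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    snprintf(out, outsz, "%s", dflt);
    for (const char *p = text; p && *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        while (len && (*p == ' ' || *p == '\t')) { p++; len--; }
        if (*p != '#' && len > klen && !strncmp(p, key, klen) && p[klen] == '=') {
            size_t vlen = len - klen - 1;   /* trim trailing blanks and CR */
            while (vlen && (p[klen + vlen] == ' ' || p[klen + vlen] == '\r')) vlen--;
            snprintf(out, outsz, "%.*s", (int)vlen, p + klen + 1);
            return;
        }
        p = eol ? eol + 1 : NULL;
    }
}

/* Same decision as the adb_main() excerpt: 1 if adbd would switch to the
 * shell user, 0 if it would keep running as root. */
static int adbd_drops_root(const char *props)
{
    char value[64];
    prop_lookup(props, "ro.kernel.qemu", "", value, sizeof value);
    if (strcmp(value, "1") == 0)
        return 0;                        /* emulator flag: stays root */
    prop_lookup(props, "ro.secure", "1", value, sizeof value);
    return strcmp(value, "1") == 0;      /* secure build: drops to shell */
}

int main(void)
{
    /* Constructed property-file contents, not taken from a real device. */
    const char *samples[] = {
        "", "ro.kernel.qemu=0\n", "# override\nro.kernel.qemu=1\n",
        "ro.secure=0\n", "#ro.kernel.qemu=1\nro.secure=1\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("sample %zu: adbd %s\n", i,
               adbd_drops_root(samples[i]) ? "drops to shell" : "stays root");
    return 0;
}
```

Of the constructed samples, only the uncommented ro.kernel.qemu=1 and the ro.secure=0 inputs leave adbd as root; an empty file, a value of 0 and a commented-out override all end in the switch to the shell user, because ro.secure defaults to 1.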

Some ideas:

  • Even if you are root, the /system partition on the bq Edison is read-only. So, if you want to remove some applications from /system/app, you must apply the ro.kernel.qemu=1 hack, reboot into emulator mode, do adb remount and then remove what you want. In the end, remove /data/local.prop and reboot again back to normal mode.

  • If you get stuck in emulator mode while copying some files, and you start to get paranoid that you broke your device, just remove /data/local.prop with adb shell rm /data/local.prop and reboot with adb reboot. Don't forget to use the adb in the files folder if the terminal or command prompt does not find adb.

What if my Linux does not detect the tablet:

When you do adb devices, if you get something like "?????????", maybe it has to do with lack of permissions. So, with the tablet connected to the PC, do lsusb. You will get a list of USB devices connected to your computer.

jventura@laptop-ventura:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 002: ID 0408:03ba Quanta Computer, Inc.
Bus 002 Device 022: ID 2207:0010                    <<< bq Edison ?!

Now disconnect the device and do lsusb again. If the device disappears, it is indeed the bq Edison. Now, create a file (or update an existing file) with a command like sudo gedit /etc/udev/rules.d/99-android.rules. Leafpad is the text editor I use in XFCE, but you can use another text editor like vim or gedit. Add the following to the file and save.

#Rockchip
SUBSYSTEM=="usb", ATTRS{idVendor}=="2207", MODE="0666"

Basically, you are granting to vendor 2207 permissions 0666 (read-write access to everyone). The number 2207 came from lsusb above, remember?

Reload the udev service with sudo service udev restart, and try adb devices again. If everything worked correctly, you will find your bq Edison as 0123456789ABCDEF. If you run into any problems, try restarting your computer, so udev can be properly restarted.

If you run adb devices and no device appears, not even "????? no permissions", you have to cd into android-sdk-linux/tools/ and do ./android update adb to generate the ~/.android/adb_usb.ini file. Then edit the file with gedit ~/.android/adb_usb.ini and add the Rockchip idVendor.

# ANDROID 3RD PARTY USB VENDOR ID LIST — DO NOT EDIT.
# USE 'android update adb' TO GENERATE.
# 1 USB VENDOR ID PER LINE.
0x2207

Restart, and now everything should work!