Okay, this video is part of a series; hopefully you've watched the previous videos, otherwise you're probably going to be lost. This is going to be similar to last week's tutorial, where we created a root telnet account, or shell, on your phone for local root access, and also remote access (although that's not recommended) to your Android device. In this case I'm using a Motorola G. Things you need to have installed on your computer: ADB, fastboot, and abootimg.

Unlike last week, where I went through everything manually and even messed up once or twice, today we're going to be looking at a script I wrote that should automate the whole process. No guarantees: this is a project that still probably needs a lot of work, but it is working right now. You need a Motorola G, and you need to unlock the bootloader; I went over that at the beginning of this series.

Now, I have a couple of projects out there. There's one I did a video on a while ago, my shell web UI. This is a web interface for your device that allows you to basically run shell commands from a web browser. It's fun for some things, but you also probably watched last week's tutorial where we did a telnet login. This week I'm going to show you how I've incorporated that web UI into my Motorola G root tricks. I created a file called httplocal.sh that will give you a loopback-only shell in the web browser. It will also allow you to run other commands, as well as start up your telnet server.

So let's go ahead and just start looking at the script; I've talked long enough. Here is what the script looks like. I'm going to go to the top. I'm using Vim as my text editor; use whatever editor you'd like. The link to this will be in the description of this video. It's on my GitHub page, github.com/metalx1000; look for the project called MotoG Root Tricks. This is a script you're going to run on your desktop. It's mainly designed for Debian-based systems: Debian, Ubuntu, Linux Mint, stuff like that.
But it should work pretty much on other systems; it's just this part of the script here, where if you don't already have abootimg, fastboot or ADB installed, my script tries to install them for you, and that will only work on Debian-based systems.

So let's just go through this. It's a bash script. We create some variables up here for the images and for what port we're going to run our web interface on, so you may want to change that if you want a different port. This URL here points to a stock boot image for the Motorola G. A lot of this stuff will work on other phones, but you're going to want to either create or get a stock boot image, that is, the boot partition. This is one I pulled off my phone and put up on GitHub for you guys to download; I showed in the last video how to make your own or pull your own off the phone. Then there's a variable for the directory we're going to be working in.

The script does do a few things that you may need root access for, at least on my system. I have it set up so you need root access to ADB into the phone; that way, heaven forbid I have some malicious software on my computer, which probably isn't going to happen, it can't get into my phone over USB when my phone is hooked up without being root. So this part, if you're not root, tries to restart the script as root. Now, if you already ran the script, this will remove whatever files you created last time, and then it will make that directory again. This part here checks to see if you have those required packages installed; if not, it will try to install them on a Debian-based system. Here we are downloading the stock boot image from my GitHub account. Now we move into our work directory, and we check, or at least look at, that stock image we downloaded, just to make sure that it is a boot image. We make a boot folder, move into it, then use abootimg to extract that image, and then we quickly check that. When I say
check, we're just looking at it; the script doesn't actually check and stop if it's not. It looks for the initial RAM disk image. Then it pulls down a new bootimg.cfg, which is basically the bootimg.cfg that you have there already, but with the added parameter of permissive for SELinux. This allows these scripts to run as root on your phone; otherwise it's not going to work. SELinux is going to go, "hey, hey, hey, these scripts shouldn't be running as root, we don't want to give people root access." This is saying: you know what, check for that, but continue anyway. I explained that more in the previous video.

Then we make our empty folder for our initial RAM disk and move into it, and then we use gzip and cpio to extract that initial RAM disk. Again, the initial RAM disk is this: when your phone starts, the bootloader loads, it goes to the boot partition, which is the image we're working on here, and within that there's an image called initrd.img, which is a very minimal file system that loads into RAM, and that file system decides what other partitions get mounted and what scripts and services run. So we're extracting that minimal file system to the folder we're in, and you can manually make changes, but my script here will make a couple of changes.

Next, we grab a www.zip file from my GitHub account. That zip file contains the HTML interfaces, a couple of CGI scripts, as well as the config file for the busybox httpd, and we'll look at that here in a moment. So it downloads that, extracts it, removes the zip, then it double-checks and makes sure that all the CGI scripts are executable. Then it's going to ask for a username and password. This will be the username and password used for your web interface; it's not asking for your username and password on your system. In fact I recommend not using, at least not using that password, because this will be stored in plain text on your phone. So I'm
just going to go ahead and check that. Basically, when you go to access your web shell, you're going to have to type in a username and password. It's on the loopback device, so people can't sniff that password, even though it's unencrypted, unless they're already on your phone, in which case you're already screwed. But keep in mind, there are lots of security issues when you're doing stuff like this: once you've entered your username and password in the web interface, it's now accessible to any web page you go to, which can send commands to your phone. Again, this is a work in progress. So normally when I do this, I'll use incognito mode on my phone and then exit out of it when I'm done. For a website to do that is definitely, definitely possible, so be aware of it. It's unlikely at this point because, well, not a lot of people are doing this; I make this video, not a lot of people know about it. If more people start doing it, websites can start attacking that, but they need to know what port you're running on, which they can get around by just mass-attacking all ports. So using different ports will help, as will obviously using a different username and password, but definitely, when you use this shell in a web interface, exit out when you are done so that it's password protected again.

Another thing I've talked about doing with this, that I haven't done yet, is adding some sort of key that needs to be passed, so that even if a website tries this and you've already logged in, if it doesn't know the key, it's not going to be able to access that stuff. I don't have that implemented yet, and that's just one more thing you can do to make this more secure, because it's not the most secure. But really, smartphones in general are not very secure; in most cases when they're rooted, there's an su command you run, and that gives you a root shell with no username and password.
When they design smartphones, they decide to throw a lot of security out the window to make things easier, even though these security measures have been in place on Linux and Unix systems for 30 years and have worked great; they've thrown that out. Anyway, they did put some other stuff in place, like SELinux, which we just bypassed. Anyway, it takes that username and password and adds them to the end of our www.config file, so that they're required.

Next, we add our script to our startup services. I explained that in the last video. Basically, init.rc is a script that runs at start time, and we're just telling it: hey, start up our script as root. That's what that's doing there. Next, we're creating a custom init script; the script that we're running, this is where we're creating it. Basically, we're taking all this and putting it into our script file. It's saying that this is a shell script, and it echoes "loading", even though you're not going to see that. It sleeps for 30 seconds. I do that just to make sure all the processes that we may require have already loaded. By the time that 30 seconds is up, your phone is just about done booting, so you're not going to notice that 30 seconds. We move into our www folder, which came out of the zip file we downloaded earlier, and we start busybox httpd on the port that was set at the beginning of the script, and we're telling it to use the config file that's in the root directory, which we'll look at in a moment. We make sure that script is executable, then we get busybox. We're using busybox not only to start our httpd; a lot of our CGI scripts in there are going to be using busybox too. We download it into our initial RAM disk image under sbin/busybox and make it executable. That's a pre-compiled copy of busybox for Android devices that I did not compile. I just want to say that I got it off GitHub, so there could be something malicious in there.
I haven't noticed anything. Use that at your own discretion. You may want to compile your own version of busybox for your device; that's probably the best way to go.

Now we're going to repack our boot image. The first thing we need to do is repack our initial RAM disk image. We cd back up one directory. I just have some output on the screen so that you can see that you're in that directory, although all of this goes by pretty fast. We remove any initrd_new image that may already exist, because if it already exists, then this next command is not going to run properly. That command uses abootimg-pack-initrd to package our RAM disk folder into that new image file. Now we use abootimg to create another image that is going to be loaded onto our device. Again, we're going to load it into RAM completely and not touch the hard drive on the phone at all, but you could, after testing this out, use it as your boot partition. We create a new boot image up one directory, and that's a variable that we created at the beginning of the script: it's boot2.img. We use our bootimg.cfg. We haven't changed the kernel, so we use the same kernel that's in this directory, and our RAM disk is going to be the new RAM disk we just created. Then we cd up one directory, run adb reboot bootloader to reboot the phone that is hopefully connected to the computer right now, and then it runs fastboot and waits for the phone to be detected in its bootloader, and then it boots our new image. And this is important: boot means we're loading it into RAM; we're not affecting the hard drive on the phone at all, unless one of your scripts does something to the hard drive.

Okay, so that was a quick look at the script. Let's run it, and then I'll show you some files on there.
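The script walkthrough above makes two changes to the unpacked boot image that a reviewer of any phone would want to be able to spot afterwards: the permissive flag appended to the kernel cmdline in bootimg.cfg, and a new service added to init.rc that runs a script as root. The following audit helpers are an added example, not code from the MotoG Root Tricks script; the bootimg.cfg and init.rc texts are constructed samples, and the service name example_start and its path are placeholders rather than the tutorial's own file names.

```shell
#!/bin/sh
# Added audit helpers (not from the MotoG Root Tricks script). They inspect an
# unpacked boot image for the two changes the tutorial's script makes: the
# "permissive" SELinux flag in bootimg.cfg, and a service added to init.rc that
# runs as root. All sample text below is constructed for this example.

# Constructed bootimg.cfg in abootimg's "key = value" layout; values are examples.
SAMPLE_CFG='bootsize = 0xa00000
pagesize = 0x800
cmdline = console=ttyHSL0,115200,n8 androidboot.hardware=qcom androidboot.selinux=permissive
name = example'

# Constructed stock-style init.rc fragment.
STOCK_INITRC='on boot
    class_start core

service ueventd /sbin/ueventd
    class core
    critical

service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    disabled
'

# The same fragment after a hypothetical "example_start" service was added
# (placeholder name and path, not the tutorial's script).
MODIFIED_INITRC="$STOCK_INITRC
service example_start /sbin/example_start.sh
    class main
    user root
    oneshot
"

# Print the androidboot.selinux value from the kernel cmdline, or "not-set".
selinux_mode_from_cfg() {  # $1 = bootimg.cfg text
  mode=$(printf '%s\n' "$1" \
    | sed -n 's/^cmdline *= *//p' \
    | tr ' ' '\n' \
    | sed -n 's/^androidboot\.selinux=//p' \
    | tail -n 1)
  printf '%s\n' "${mode:-not-set}"
}

# List every init.rc service that will run as root: either an explicit
# "user root" line, or no "user" line at all (Android init defaults to root).
root_services_from_initrc() {  # $1 = init.rc text
  printf '%s\n' "$1" | awk '
    function flush() {
      if (name != "") {
        if (user == "") {
          print name " " path " (no user line: defaults to root)"
        } else if (user == "root") {
          print name " " path " (user root)"
        }
      }
      name = ""; path = ""; user = ""
    }
    /^service[ \t]/     { flush(); name = $2; path = $3; next }
    /^[ \t]+user[ \t]/  { user = $2 }
    /^(on|import)[ \t]/ { flush() }
    /^$/                { flush() }
    END                 { flush() }'
}

# Service names only, sorted, for diffing against the stock image.
service_names() {  # $1 = init.rc text
  printf '%s\n' "$1" | awk '/^service[ \t]/ { print $2 }' | sort
}

# Names present in the init.rc under review but absent from the stock one.
added_services() {  # $1 = stock init.rc text, $2 = init.rc text under review
  stock=$(mktemp)
  service_names "$1" > "$stock"
  service_names "$2" | grep -vxF -f "$stock"
  rm -f "$stock"
}

# Stand-alone run: report on the constructed samples.
echo "selinux: $(selinux_mode_from_cfg "$SAMPLE_CFG")"
echo "root services:"; root_services_from_initrc "$MODIFIED_INITRC"
echo "added vs stock:"; added_services "$STOCK_INITRC" "$MODIFIED_INITRC"
```

On a real image you would feed these functions the text of the extracted bootimg.cfg and the init.rc from the unpacked ramdisk, with the stock copy as the baseline; the service diff is the useful signal, because a stock init.rc already contains several services that legitimately run as root.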
So, the first thing I'm going to do is make sure my phone's connected. I type in my PIN to unlock it, and it has the Android Debug Bridge enabled. I'm going to run this; it's going to restart itself as root. I've already typed in my password, so it got it. Now it's going to ask for my username and password; I'll just say Tom, Tom. It's getting all that stuff, my phone's rebooting, it uploaded our new image into the RAM of the phone, and now the phone is booting.

While it's booting, I'm going to list things here. We have our work directory, and inside that we've got our boot directory and our initial RAM disk. So this is what we extracted, and again we added our own script in it, _my, that's our script, and we loaded it up with this script here. We also downloaded our zip file, which contained this config file and this www folder.

Before we look at the phone, I want to look at our www.config file. What we have here is this A and this D. A:127.0.0.1, hopefully you know that's your loopback device. This is saying allow the device to connect back to itself, but the D here with an asterisk, meaning all, means deny connections from all other PCs. So right now I can tell you, I'll bring a browser over here, my phone has completed booting, and I'll show you that in a moment; its IP address on my local network is 192.168.1.100, and we started this in the script on port 999. If I browse to that, you can see that we see a web server, because it says Forbidden, but that means I'm forbidden because I'm not on the phone itself. So no matter what I do here, unless there's a security hole in the web server itself, it doesn't matter what passwords I know; I cannot access the web files that we have. Also at the bottom here, this is saying the username and password are Tom, Tom, which we created with our script.

Let's quickly go into the www folder, which is the main directory of our web server.
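The www.config file just described is a busybox httpd.conf: A: and D: lines control which client addresses are accepted, and a /path:user:pass line puts HTTP basic auth on everything under that path. Busybox applies deny rules ahead of allow rules and applies D:* last, so A:127.0.0.1 together with D:* leaves only loopback clients. The checker below is an added example, not the tutorial's config or code; both config texts are constructed, the user name webuser and its password are placeholders, and it reports the weak settings a reviewer would look for.

```shell
#!/bin/sh
# Added example (not the tutorial's www.config): a checker for busybox httpd.conf
# access rules. Busybox evaluates D: rules before A: rules and applies D:* last,
# so "A:127.0.0.1" plus "D:*" admits loopback only. A "/path:user:pass" line
# requires basic auth on URLs under that path. Configs below are constructed.

# Loopback-only config with auth on the whole server root.
LOOPBACK_ONLY_CONF='A:127.0.0.1
D:*
/:webuser:replace-this-password'

# Weak variant: no deny rule, so every host that can reach the port is served,
# and the auth line covers /cgi-bin only, leaving the html pages open.
OPEN_CONF='/cgi-bin:webuser:replace-this-password'

# Print one line per problem found in an httpd.conf text; print nothing if clean.
httpd_conf_issues() {  # $1 = config text
  printf '%s\n' "$1" | awk '
    /^A:/ { allow[++na] = substr($0, 3) }
    /^D:/ { if (substr($0, 3) == "*") denyall = 1 }
    /^\/[^:]*:[^:]+:/ { auth[substr($0, 1, index($0, ":") - 1)] = 1 }
    END {
      if (!denyall)
        print "no D:* rule: any host that reaches the port is served"
      for (i = 1; i <= na; i++)
        if (allow[i] != "127.0.0.1")
          print "A:" allow[i] " admits a non-loopback source"
      if (!("/" in auth))
        print "no /:user:pass line: the server root is unauthenticated"
    }'
}

# Quick report on the two samples.
echo "loopback-only conf:"; httpd_conf_issues "$LOOPBACK_ONLY_CONF"
echo "open conf:";          httpd_conf_issues "$OPEN_CONF"
```

The check only covers address rules and the presence of an auth line; it says nothing about the password itself, which in this setup sits in plain text in the config file on the phone, as the video points out.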
You can see I have three folders: cgi-bin, html, and javascript, which has jQuery in it because I use that to submit forms. We'll cd into html; there are two files in here, and mainly you want to look at the one that's just called cmd. I'll vim into cmd.html and shrink this down just a little so you can read it. Okay, so again we're loading jQuery, and then basically the HTML is a text input with a button to Run or Open; you'll see this when I show it on the phone in a moment. Then there's an output div tag that's empty. Run runs the command and puts the output inside this div tag; Open opens it in a new tab. So if you have long-running processes, you'll want to open them in a new window so that you can still run other commands while that's running. Up here is the difference between the two; like I said, one opens and one just submits, but basically we're submitting to a cgi-bin file. cgi-bin is where any executable programs we have on our web server run, and there's one called cmd.cgi. Let's look at that.

We'll go up one directory into cgi-bin and vim cmd.cgi. It's a very basic shell script. We've got our shebang line telling it what interpreter to use. This outputs some information that your web browser needs to know, and then here it goes through all the query strings; we're only passing one command, but it's going to be the cmd variable. Basically these two lines look at all the variables passed in the URL of the request sent to the web server, extract the command, and run it. And here, the first temp outputs the name of the command you ran, and the next temp outputs the output of that command. So that's what that script does.

Now I have a few others here. Let me clear the screen and list them: telnet, telnet local, info and echo. Some of these may need to be tweaked for different devices, but they're pre-written scripts to start up different things.
Let's quickly look at telnet.cgi in vim. This should start up a telnet server on port 686. This particular one, if run, will start up a root telnet login that's accessible from the network, so you really shouldn't be doing that. The other one, local, is the same thing but loopback only, so you can only connect from the device. That's all stuff we did in last week's tutorial. When you run this in your web browser, it will output what port it's on; one I made 866 and one I made 868. So like I was saying last week, once you set up this telnet server, you can telnet into your device as root, either remotely or locally depending on how you have it set up. But there's no password. So even if you do it locally, it should be pretty secure, unless you already have malicious software on your phone, which hopefully you don't; in that case you're already screwed, so it doesn't matter. But there's no protection: if someone picks up your phone and it's unlocked, they now have root access to your phone, which would be the main concern here, if they know to telnet in, which most people wouldn't. Again, security through obscurity: not a good idea on its own, but in combination with other stuff it's not a bad idea. But what we can do here is that our HTTP server is password protected, which is some protection. And although the web interface is good for some things, you definitely want a shell for others. So you can have this HTTP service running, and when you need telnet you can start it up, and you can also kill it if you want. I don't have a script set up for that, but you could use cmd.cgi to kill it.

So now that I've shown you all those, let me go ahead and switch over to a camera view and show you this running on the actual phone. Okay, I've booted my phone with our custom initial RAM disk that loads up our HTTP server on the loopback device. Again, this will allow us to run shell commands from our web browser as root, but limits it to only this device.
People on remote devices, desktops, laptops, and other phones will not be able to access it the way we have it set up, due to that www.config file. So let's go ahead and have a look at that. Okay, I'm going to try to do the best I can at this. Here we are; I opened up the default web browser, in this case Chrome. I'm going to click here, open an incognito tab, and then paste in the URL. It's localhost; we have it set up on the port, let me turn focus off here, there we go: localhost:999, because that's what we set the port as, then /html/cmd.html. With that set we'll hit enter and it will ask us to type in our password, which I believe I set as Tom; username is Tom and password is Tom, set up when we ran our script. And there we go, we get a basic run command line here. I can type in something like ls and click Run, and it ran it. It puts the output down here, tells you the command you ran, and gives you a listing. Right now we're in our CGI directory, so I could also change that: I can do ls / and click Run, and below that it will add that command, and this is everything in my root directory. So that's it; again, if it's a long command you can click Open and it will open up a new window, so if it's a long-running command you can have it running in the background and still run other commands.

So that's the basics of it. Again, if we go into our CGI folder here, there are other commands I have in there, like one called info.cgi inside our cgi-bin folder; let's see if I can get that in focus for you, right there. I'll hit enter on that and it brings up a bunch of information. That's just a pre-made script I already had that lists out partitions on the device and some network information. For other scripts you want, use that cmd.cgi file. Now again, there's a lot to think about as far as security when doing something like this.
Again, I used incognito mode not so much for privacy, but so that I can exit out of it when I'm done, because once you log in, any website can send commands to that URL and run them, and basically it's that cmd.cgi which allows any command to run. Now you can make pre-made scripts like I did, and that's secure because they can only run what they are, but since my cmd.cgi file takes in commands and runs them as root, anyone who can send something to it, which you can from pretty much any website, can run commands. So that's the insecure part, really. But they need to know the password, the port you're on, and also the name of that file; you can rename that file. Again, all of this, well, not your password, but using different ports and renaming the file, is kind of security through obscurity, and in security we tend to look at that and be like, oh, stupid security through obscurity, you shouldn't do that. Alone, no; but in cooperation with other security measures, such as a username and password, it's something that's just added security. So again: create a different username and a different password, rename that file to something else, change the port, and you may want to implement some sort of key, so that not only are you sending the command but you've got to send a key with it, and then they would have to know the key and what you call the key in the variable. So the default setup on this is not the most secure, but you can easily make it a whole lot more secure; that's all based on how you decide to implement it.

So again, I thank you for watching this video; I hope you learned something from it. The source code for the basic script that automates all this should be linked in the description. Use it at your own discretion, no warranty on it. It's designed to be run on a Debian-based system with the Motorola G; again, it's using the stock image for the boot partition off my phone, so you may need to change that for other phones. But I thank you for watching this tutorial. I hope that you enjoyed it; if you did, be sure to like, subscribe, share, and comment below, and again I just hope that you learned something from this. As always, my website is filmsbychris.com, that's chrisdk, and I hope that you have a great day.
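The video names two fixes for the cmd.cgi problem it describes, both here and in the earlier discussion of the web interface: require a key that a third-party site would not know, and prefer pre-made scripts that "can only run what they are" over a handler that executes arbitrary text from the query string. The handler below is an added example, not the cmd.cgi from the video or anything in the MotoG Root Tricks project: it parses the query string the way a busybox httpd CGI script sees it, refuses requests without the shared key, and dispatches only to a fixed allowlist of named actions. The key value, the parameter names (action, key) and the action names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not the cmd.cgi from the video: a busybox httpd CGI handler
# that requires a shared key and runs only allowlisted, named actions, so no
# request text is ever handed to a shell. Key, parameter and action names are
# constructed for this example.

# Constructed shared secret. On a device keep it in a root-only file
# (e.g. API_KEY=$(cat /etc/webshell.key)) and never in the served HTML.
API_KEY="example-key-change-me"

# Decode application/x-www-form-urlencoded text ("+" and %XX escapes).
# ASCII only: escapes for bytes outside 0x01-0x7f, including %00, are dropped.
urldecode() {  # $1 = encoded text
  printf '%s' "$1" | awk '
    BEGIN { for (i = 1; i < 128; i++) tbl[sprintf("%02x", i)] = sprintf("%c", i) }
    {
      gsub(/\+/, " ")
      out = ""
      while (match($0, /%[0-9a-fA-F][0-9a-fA-F]/)) {
        out = out substr($0, 1, RSTART - 1) tbl[tolower(substr($0, RSTART + 1, 2))]
        $0 = substr($0, RSTART + 3)
      }
      print out $0
    }'
}

# Print the decoded value of one query parameter, or nothing if it is absent.
query_param() {  # $1 = raw QUERY_STRING, $2 = parameter name
  printf '%s\n' "$1" | tr '&' '\n' | while IFS= read -r pair; do
    case "$pair" in
      "$2="*) urldecode "${pair#*=}"; break ;;
    esac
  done
}

# Succeed only when the request carried the shared key.
key_ok() {  # $1 = key from the request
  [ -n "$1" ] && [ "$1" = "$API_KEY" ]
}

# Allowlist: each name maps to one fixed command line.
run_action() {  # $1 = action name
  case "$1" in
    whoami) id -un ;;
    kernel) uname -sr ;;
    date)   date -u ;;
    *)      return 1 ;;
  esac
}

# Handle one request: print a status line, then the action's output.
handle_request() {  # $1 = raw QUERY_STRING
  key=$(query_param "$1" key)
  action=$(query_param "$1" action)
  if ! key_ok "$key"; then
    echo "denied: missing or wrong key"
    return 1
  fi
  case "$action" in
    whoami|kernel|date) ;;
    *) echo "denied: unknown action '$action'"; return 1 ;;
  esac
  echo "ok: $action"
  run_action "$action"
}

# CGI entry point: busybox httpd sets GATEWAY_INTERFACE and QUERY_STRING when it
# runs a script from cgi-bin. From a terminal, show one constructed request instead.
if [ -n "$GATEWAY_INTERFACE" ]; then
  printf 'Content-Type: text/plain\r\n\r\n'
  handle_request "$QUERY_STRING"
else
  handle_request 'action=date&key=example-key-change-me'
fi
```

Two caveats a practitioner would want: the key still arrives in the URL, so it must be typed or stored by the user rather than embedded in a page that httpd serves, and the `[ "$1" = "$API_KEY" ]` comparison is not constant-time, which matters little on a loopback-only service but is worth knowing. The allowlist, not the key, is what removes the "run anything as root" behaviour the video warns about.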