How DingleBerry works to gain root access on PlayBook

By Jerry Hildenbrand on 5 Dec 2011 08:21 pm EST
DingleBerry

In case you haven't heard, you can now root your BlackBerry PlayBook using the Dingleberry tool. What that means and what you'll be able to do with it is an ongoing question, and at this point all we're sure of is that it will be fun. Rooting a mobile device opens up possibilities beyond the limited view of the manufacturer, and lets creative minds have a go at things RIM would never think of. We've already talked about how the enabler of this exploit was discovered and reported to RIM by one of our very own, but what exactly is it doing?

BlackBerry Desktop Manager is a handy program. Having a local backup of your device can be a lifesaver, and enough of us know that one. (Full disclosure -- I love Android, but I use and abuse both a PlayBook and a Curve 8520 as well. I'm a bit of a mobile whore, and freely admit it). But the problem is that those backups aren't signed by RIM's private signing key, and are hackable. That lets people do cool things like pull bar files out of them, and scary things like exploit the permissions of a config file to inject code into the system image saved on your computer. In this case it's the Samba.conf file, which determines how files and folders are shared across the network. The PlayBook uses Samba for mounting the certificate and media folder for wireless sharing. Dingleberry opens up the backup file, changes the parameters in the Samba.conf file, then logs in remotely to crack the system open. How the exploit runs at boot time and forces the edited file to be loaded we don't know, but it's nicely done. But remote exploits are common enough that this should have never left Waterloo this way. Especially since RIM knew.

Expect a patch very soon, and expect it to be forced on you. On the bright side, unless you have to have your PlayBook fully functional at all times, you may be able to opt-out of any patches and wait for independent developers to create a different type of patch that updates without unrooting. We see it on the Android side all the time, and it's worth a shot. Also, as Chris Wade mentioned on the CrackBerry podcast, you can force a version downgrade to roll back to the version that is exploitable. Like we said, until we see what RIM has in store some of the questions are still unanswered. In the meantime, be sure to have as much fun as you can while it lasts!


Reader comments


38 Comments

Hey, I'm currently on the Developers Beta OS 2.0.0.4869, followed the steps after I've downloaded and launched the DB application on my Windows PC (Windows 7, doubt that helps), followed the steps, it connected to my PlayBook, got to the screen where it said I need to make a backup of my PlayBook then open it up, so I went to the BB Desktop Software, opened it up, and it won't detect my PB, saying my battery is dead or is in the middle of a reboot... anyways, fortunately I had a backup from a few weeks ago, so I launched that with DingleBerry... wait... then the application closes... Anyone else come across this or something similar?

Hey Kevin,

So I did some research, for some reason with WiFi and Developers Mode enabled, my DM won't connect to my PB. Regardless, turn them BOTH off, connected to DM, made a new backup of settings, went to DingleBerry, followed the steps, and it informed me that it made a DingleBerry backup file, that I need to restore on the DM. So I went back to DM, and when I open up the restore option, it just spends forever ..... will try again later though!

Let me know if anyone comes across this and is able to bypass it :p

Try turning off your wi-fi before connecting to DM via USB. Not sure why this happens but it might be competing network connectivity. Hope that works.

Yea I had wifi off throughout the whole process and I have since tried a few more things but to no avail :(. DM simply won't let me back up my playbook, no matter what I do or what I have enabled/disabled. Thanks for the help anyway.

Hmmmm, Bluetooth as well? Have you tried a different USB cable and port? I assume you're running the most current OS.

Sorry, I'm too lazy to read through all the articles..so what happens after you jailbreak it? What are you able to do with it that you couldn't before you jailbroke it?

I didn't read all of them, but there seems to be something about a blue light, I think you could turn it on or something very important like that.

I was getting the open close then I changed the Development Address on the development mode screen of the pb.. Then change the address on dingleberry and connected without a problem. Do a restart on playbook first. I did but don't know if this makes a difference.

Looks like RIM has already patched the exploit with an update. It's about 4mb, and still the same firmware number....That was fast.

False, and did you even read the article?

*you can force a version downgrade to roll back to the version that is exploitable.

That's interesting since I received an update, otherwise I wouldn't have posted that. I haven't removed any applications from my PlayBook, or added any lately so the update must have been for something I didn't already have.

Thanks for being a dismissive a**hole though. This is the first article I've commented on, and I read all articles that I am interested in, in full. I am not one to partially read articles and comment like a moron.

You may be able to force a version downgrade to roll back to an exploitable version. That does not mean that a patched upgrade wasn't provided though. I reported what happened to me, and nothing more. Perhaps it was premature to assume that it was a patch for this issue, but from today's article it looks like the patch provided is approximately of the same size I mentioned.

(I talked about not removing or adding apps because, oh boy, guess what? You'll be impressed! I read an article saying if you remove a native app it will show up as an update to automatically be reinstalled) Reading FTW.

See it sucks when someone makes assumptions and talks down to you...now I don't know if you were having a bad day or not, but move along and learn some forum etiquette.

I just don't see the point of doing this. After rooting my Playbook I would have no idea what to do from there. I'll just wait for the 2.0 update and let you guys show me what you were able to do.

> How the exploit runs at boot time and forces the edited file to be loaded we don't know

The exploit doesn't run at boot time. What the backup does is restore the Samba configuration file (smb.conf) with a modified configuration that will run a script when accessed. Keep in mind that currently Samba is running as the root user, so the script gets run via Samba as root; it copies over your authorized_keys to root's home directory and modifies the SSH server configuration file (sshd_config) to allow the root user to log in directly, which is otherwise blocked by default.

This is just exploiting a very old fact. You do NOT run things as root unless you need to; in this case Samba really should not have been running as root, as it indirectly allows you to execute scripts using this trick. The far more dangerous implication is that RIM never addressed the fact that backup files not only contained far too much valuable information but also allowed system settings to be overwritten at the same time. Obviously this is a very simple take on what they did, there are additional steps and tricks they used, but that's as simple an explanation as you can probably get.

Once the SSH server allows root login and once the root user has valid authorized_keys installed on the filesystem, you don't have to modify anything else. It will just work out of the box, regardless of the number of times you reboot and/or upgrade the firmware, until this gets patched.
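An added defender-side audit (example code written for this page, not part of the article, the comment, or the DingleBerry tool) for the two misconfigurations this comment and the article body describe: smb.conf directives that execute a command on share access, which run as root whenever smbd does, and an sshd_config that permits direct root login. The directive names are Samba's and OpenSSH's; both sample files are constructed.

```python
import re

# Samba directives that run an external command when a client connects to
# or disconnects from a share; if smbd runs as root (as the comment above
# describes), that command runs as root as well.
SAMBA_EXEC_KEYS = {"preexec", "root preexec", "postexec",
                   "root postexec", "magic script"}

def parse_smb_conf(text):
    """Parse INI-style smb.conf into {section: {key: value}}, lowercase keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # ';' and '#' start comments
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def find_samba_exec_hooks(text):
    """Return (section, directive, command) for every exec-style directive."""
    return [(sec, key, val) for sec, keys in parse_smb_conf(text).items()
            for key, val in keys.items() if key in SAMBA_EXEC_KEYS]

def sshd_permits_root_login(text):
    """True if sshd_config has an effective 'PermitRootLogin yes'; OpenSSH
    honours the first occurrence, so stop at the first uncommented match."""
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and parts[0].lower() == "permitrootlogin":
            return len(parts) > 1 and parts[1].strip().lower() == "yes"
    return False  # absent: the build default applies, not checked here

# Constructed sample files (not taken from a real PlayBook backup).
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP
[media]
   path = /example/share
   ; connect hook: with smbd running as root, this script runs as root
   root preexec = /tmp/hook.sh
"""
SAMPLE_SSHD_CONFIG = """# constructed sample
PermitRootLogin yes
PasswordAuthentication no
"""
```

Run the two checks over the config files recovered from a backup; any hit from the first, or a True from the second, is the condition the comment describes.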

FIPS certification tackles the cryptography nature in software.

I'm not saying that other security in the software aren't considerations, however FIPS specifically looks to make sure that the software that uses crypto is correct and sane. I've seen plenty of other software that has gotten FIPS but is far more insecure than QNX/PBOS in its current state.

At least that is *my* understanding. Take it with a grain of salt-this is not my area of expertise by any means!

Uhhh, so it hacks my PlayBook backup file huh? Well, Mr. Smarty Pants, I found a flaw in your hack. My PlayBook (like those of many other people) doesn't backup to my PC... it fails every time. SO THERE! NOW how are you going to root it?

RIM anticipated this and solved it. Next.

Sounds like it makes it possible to pirate games/apps by extracting bar files and redistributing them illegally. I suppose it was bound to happen at some point, but I worry it may discourage development on the BBX platform.

Exactly. This was discovered some time ago. Someone even posted a thread here (since removed) about extracting bar files from the backup. Needless to say, this set off a sh*t storm among developers in the bb dev forums.

@Jerry - After getting through the first paragraph of this, I scrolled up to see who wrote this. I took a double-take when I saw your name. Welcome aboard, and I enjoy listening to you on the Android Central podcasts. I'm glad that RIM has finally provided you with something to tinker with.

One of the flaws with publishing an exploit like this is that there are people who equate rooting with providing a rooted (Android) ROM. This is great for people who have a need to access some of the previously inaccessible functions of the Playbook, but my fear is that casual (but curious) users have incorrect expectations as to what to expect once the rooting process is complete.

From the time that this was announced, the forums lit up with people asking if rooting will provide anything from PIM apps to full-blown ICS. People need to be aware that unless they are very experienced developers, they can essentially do nothing once the device is rooted.

Having said that, now that an exploit that can enable root has been discovered and since you can roll back to previous versions, the floodgates should open up for clever and creative developers to actually produce something that will give a genuine purpose to rooting your device.

Nice article.

Wow! I am not much of a savvy on this. I am not sure I want to try it. I am still messing with trying to load Android apps without success. However, this new tool sounds awesome. Thanks!

Somebody should post a thread on how to enable Hulu and netflix. That would make the rooting more worthwhile.

Not possible yet. They just wanted to get this out before RIM put out an update. That's supposed to come in an update.

I was surprised to see Jerry writing on Crackberry, but I suppose overall he knows far more about rooting than the standard Crackberrian would (not to discredit the knowledge of our fearless leaders).

This sure is interesting, and I imagine that just as locked bootloaders get bypassed with enough time, this was only a matter of time. It sure does make it interesting to see, but also scary because the rooted and manipulated nature of the Android operating system can, and has, led to some user exploits. Though it has also led to far more advances and creativity than exploits.

Have read all comments, have yet to read that this does ANYTHING useful, except waste the time of wannabe hackers. Pathetic.

LAME, all this hype for nothing... BlackBerry is still secure... can't wait for them to fix this stupid glitch...