1. radiko
    Here's an easy guide to getting root access on the BB10 simulator. This is useful for people who want to study how BlackBerry's QNX-based OS works, or who need to debug low-level problems with their applications.
    Users familiar with unix can skip to the high-level overview at the end of the post.

    Part 1: Mounting the hard disk image

    We need to mount the disk image of the simulator in an environment where we can modify any of its files. The direct way to do this would be to mount it using the OS running on your desktop, but it is likely that it does not have drivers for the QNX filesystem, or only has read-only support.

    ( If your kernel does have qnx6 filesystem support, you can mount the VMDK image as a loopback device using tools provided by VMWare, then mount the filesystem, and skip the rest of this section. )

    Instead, we're going to run the QNX desktop as a virtual machine, attach the simulator's disk to it, mount it inside QNX Neutrino, and give all users access to the BlackBerry 10 OS's equivalent of "sudo".

    Download QNX Software Development Platform:
    QNX Software Development Platform 6.5.0 [Build 201007091524] QNX Neutrino RTOS Installation and Boot DVD [All Targets]

    Create a new VMWare virtual machine, and attach to it the ISO you just downloaded.

    Then attach the hard disk image of the simulator you wish to root. When asked, say that you want to *share* the disk with the virtual machine that created it.

    Make sure that the BB10 simulator you are modifying is completely shut down, and not just suspended.

    Now launch the virtual machine with QNX Neutrino on it, and log in with the user "root" and a blank password.

    Part 2: Modifying the simulator

    Open the terminal, which you can find in the right side-panel under "Utilities". Go to /fs/hd1-qnx6/bin/ and set the suid and sgid bits of the executable "setuidgid" by running:

    # chmod gu+s setuidgid

    Many common UNIX utilities have been made unexecutable by the dev account or even removed. Fix this by setting the read bit and the executable bit on all executable files.

    # cd /fs/hd1-qnx6/usr/bin
    # chmod -R a+rx *
    # cd /fs/hd1-qnx6/usr/sbin
    # chmod -R a+rx *
    # cd /fs/hd1-qnx6/bin
    # chmod -R a+rx *
    # cd /fs/hd1-qnx6/sbin
    # chmod -R a+rx *

    Copy in missing utilities:

    # cp /bin/ps /usr/bin/top /usr/bin/chattr /fs/hd1-qnx6/usr/bin

    Part 3: Root

    Shut down your virtual machine. (Once again, make sure you did not simply
    "suspend" it.) Then launch your BB10 virtual machine. SSH to it and type:

    # setuidgid root ksh

    That's it!

    Fun things to do
    1. Run qconn as root. Remember to enable all the extra views in Momentics.
    2. Re-enable disabled account types in /pps/system/appconfig/sys.settings
    Work accounts won't work because the simulator does not ship with the
    Enterprise Management Agent (ema).
    3. Read logs in /dev/shmem/slogger2
    4. Explore the Persistent Publish/Subscribe system.

    Summary
    1. Download QNX Software Development Platform 6.5.0 [Build 201007091524] QNX Neutrino RTOS Installation and Boot DVD [All Targets]
    2. Attach the ISO to a new virtual machine.
    3. Attach the simulator's disk to the new virtual machine.
    4. Make sure the BlackBerry simulator is STOPPED and not SUSPENDED.
    5. Boot the virtual machine.
    6. root password: [none]
    7. Terminal is under "utilities" in the right side-panel.
    8. The simulator filesystems will be mounted in /fs
    9. The sudo executable is hd1-qnx6/bin/setuidgid, set it suid.
    10. While you're at it, make everything in hd1-qnx6/(s)bin and hd1-qnx6/usr/(s)bin readable and executable.
    11. Let's try throwing in a bunch of executables that are missing from the image, like ps, top, chattr.
    12. Shut down the QNX virtual machine. Do not "suspend"!
    13. Launch the simulator, SSH to it, run: setuidgid root ksh
    07-18-13 08:22 PM
  2. diegonei
    Surely this will help devs out there!

    Good find!
    07-18-13 08:54 PM
  3. ofutur
    Or... you could maybe do this for part 2?
    Code:
    perl -i.backup -0777 -pe 's/\x69\x66\x20\x5b\x20\x22\x24\x7b\x42\x4f\x41\x52\x44\x5f\x43\x4f\x4e\x46\x49\x47\x7d\x22\x20\x21\x3d\x20\x22\x64\x65\x76\x65\x6c\x6f\x70\x65\x72\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x72\x6d\x20\x2d\x72\x66\x20\x2f\x72\x6f\x6f\x74\x2f\x2e\x20\x3e\x20\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x32\x3e\x26\x31\x3b\x0a\x20\x20\x20\x20\x66\x69\x3b/\x63\x70\x20\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x65\x74\x75\x69\x64\x67\x69\x64\x20\x2f\x74\x6d\x70\x20\x26\x26\x20\x63\x68\x6d\x6f\x64\x20\x36\x37\x35\x35\x20\x2f\x74\x6d\x70\x2f\x73\x65\x74\x75\x69\x64\x67\x69\x64\x3b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20/g' BlackBerry10Simulator-s001.vmdk
    That's one long line.

    And for part 3, SSH to it and then
    Code:
    /tmp/setuidgid root /bin/sh
    Credits to cmw
    Last edited by ofutur; 07-19-13 at 11:53 AM.
    07-18-13 09:01 PM
  4. ddddafadf
    Cmw found this?! Awesome stuff.
    07-19-13 02:30 AM
  5. WhiteSpir1t
    Where can I find the executables like ps etc?

    07-19-13 12:49 PM
  6. radiko
    I'd considered using a regexp, but it's a much more brittle solution. If that part of startup.sh is ever changed, that one-liner breaks. Of course, it's way less work!

    Where can I find the executables like ps etc?
    Usually in /bin, /sbin, /usr/bin, /usr/sbin. If the executable is on your path, you can type "which <exec>", for example:
    Code:
    which ps
    07-19-13 01:58 PM
  7. Ed Giardina
    So this is pretty great, I can now browse the filesystem with impunity and run a handful of basic *nix commands.

    However, what about higher-level stuff? It doesn't look like I can successfully launch an app on the device by running anything in the /apps folder. It looks like these aren't meant to be invoked from the command line. On Android there's an 'intent' switching logic; is there anything similar on BB10 to launch apps from the telnet interface?
    08-12-13 10:31 AM
  8. Richard Buckley
    Since the SDK can launch an application I would say there should be. No idea where to look though.
    08-12-13 10:36 AM
  9. UncleVernon
    Hi radiko,
    Thanks for sharing this. I tried to replicate your finding, I used the following:

    This QNX VMware iso:
    qnxsdp-6.5.0-201007091524-nto.iso

    These PlayBook VMs:
    1. BlackBerryPlayBookSimulator-Installer-1.0.8-6067-Win-201112052354.exe
    2. BlackBerryPlayBookSimulator-Installer-2.0.0-7971-Win-201202221232.exe
    3. BlackBerryPlayBookSimulator-Installer-2.1.0-560-Win-201205282256.exe

    And
    VMware Workstation 10.0.1 build 1379776

    I could successfully add the second hard disk (containing the PB file system) to the QNX VM, and indeed see the folder

    /fs/hd1-qnx6/bin/

    But then when trying to find setuidgid in that folder, I got puzzled. It is not there.

    I tried all three versions of the PlayBook VM; for all three, I first powered them down through the PlayBook menu itself, and then through the VMware power down, so I guess all should be synced completely.

    What could be the issue here of not finding this executable?

    Thanks in advance for your input

    -UV
    02-06-14 04:27 AM
  10. 5h1vang
    Hello,

    Has anyone tried rooting recently according to this tutorial?
    I followed the steps and attached the BlackBerry simulator virtual disk to QNX. When I boot up QNX Neutrino, it shows me two errors. I have attached a screenshot of the errors.

    At this point, I pressed F2 and proceeded. But then, using the QNX terminal, I can't find anything under /fs/hd1-qnx.

    The last time I tried, I got 3 folders under /fs, namely:
    1. cd0
    2. hd1-qnx
    3. hd1-qnx-2

    The third one (hd1-qnx-2) was the blackberry disk and I was able to see the filesystem properly.
    Please help me with what I am doing wrong this time.
    The steps I followed are exactly the same as shown in this tutorial.

    P.S.: I am using VMware Workstation 9 on Windows 8.1 32-bit
    Blackberry10Simulator-BB10_0_698

    Thanks in advance.
    Last edited by 5h1vang; 09-07-14 at 02:40 AM.
    09-06-14 01:53 AM
  11. 5h1vang
    Hi Crackberry Users,
    Finally I solved the problem.
    The solution is to use blackberry simulator version 10.1.X.
    Somehow I was using version 10.3 which seems to not work with this tutorial.

    While researching for this, I have found a very easy method to view local data storage.
    I promise, I will share this method soon with Crackberry users.
    09-09-14 02:05 AM
  12. dukzcry
    Code:
    /tmp/setuidgid root /bin/sh
    Credits to cmw
    In the simulator, /dev/shmem (/tmp) is mounted with the suid option, so it's possible to run executables under the id of the file owner. On a real BB10 device with the current OS release this is not the case, however. None of the filesystems is mounted to allow this.
    So my question here is: has it ever been the case? I think that an early BB10 OS release might have had such an 'insecure option', but unfortunately I can't check. My current device is supported only by recent builds.
    So does anybody here know something about this? Maybe even the CMW person is registered here?

    P.S.: It wouldn't help rooting, but it would allow running binaries under another user's id, for example under devuser from the terminal app, etc.
    Last edited by dukzcry; 09-22-14 at 11:36 PM.
    09-22-14 11:15 AM
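An added audit script (not code from the thread, nor from BlackBerry or QNX tooling) that takes the defender's view of the two things the posts above rely on: the setuid/setgid bits radiko sets on setuidgid in Part 2, and the suid-capable /dev/shmem mount that dukzcry describes. The mount-line format and the device and path names used in the demo are constructed assumptions; run it against a mounted image root such as /fs/hd1-qnx6 to see what could elevate there.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. Two checks a defender would run
# on a mounted image: which files carry setuid/setgid bits, and whether a mount
# such as /dev/shmem on /tmp permits setuid execution at all.

# List every regular file under root $1 with the setuid or setgid bit set.
find_suid_binaries() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Return 0 when a mount-table line carries "nosuid" in its option list.
# The line shape "<dev> on <dir> type <fs> (opt,opt)" is an assumption modelled
# on common `mount` output; adapt the sed pattern for other formats.
mount_forbids_suid() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed demo tree mirroring the thread's layout: bin/setuidgid gets the
# same bits as "chmod gu+s setuidgid"; usr/bin/ps stays a plain 755 executable.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/usr/bin"
    : > "$dir/bin/setuidgid"; chmod 755 "$dir/bin/setuidgid"
    : > "$dir/usr/bin/ps";    chmod 755 "$dir/usr/bin/ps"
    chmod u+s,g+s "$dir/bin/setuidgid"
    printf '%s\n' "$dir"
}

# Self-contained demo when invoked with --demo (inert when the file is sourced).
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_tree)
    echo "setuid/setgid files under $d:"
    find_suid_binaries "$d"
    # Constructed mount lines: the first is how the simulator behaves per the
    # thread, the second is the hardened form a production device should show.
    for line in "/dev/shmem on /tmp type shmem (rw,suid)" \
                "/dev/shmem on /tmp type shmem (rw,nosuid)"; do
        if mount_forbids_suid "$line"; then echo "OK (nosuid): $line"
        else echo "WARN (suid allowed): $line"; fi
    done
    rm -rf "$d"
fi
```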
