TIME TRAVEL: 2013 – GeoHot Release ActiveRoot To Easily Root The Samsung Galaxy S4 [How To]

Hacker GeoHot is known for jumping around various hacking scenes. He first started off working with iOS releasing numerous Jailbreaks, then transitioned into hacking the PlayStation and now it looks like he is getting into creating Android roots.

According to a thread on the XDA Developer Forums GeoHot has released a root as a single .apk file. Usually rooting is a little bit more complicated of a process compared to Jailbreaking, but with this ‘active’ root for the Galaxy S4 users simply need to install the .apk file and their device will become rooted.

How To Root The Galaxy S4 With GeoHot's ActiveRoot APK

GeoHot is calling the tool ActiveRoot and it is available to download for free from the official ActiveRoot website. The steps for using ActiveRoot to root your Galaxy S4 are simple.

  1. First go to Settings and click the “More” tab. Then go into security and check “Unknown Sources.”
  2. Next enable USB Debugging. Go to Settings and click on the “More” tab. Go into “About device.” Rapidly click on “Build number” until it it tells you that you have enabled developer options. Then go back and and Developer Options now appear in the “More” tab. Go in and check “USB Debugging.”
  3. Visit http://geohot.com/activeroot from your device and click the lampda picture to download the apk file.
  4. Run the apk. It should give you a message telling you that you have root.
  5. Visit the Play Store and download the Super User app of your choice (such as SuperSU).

Let us know if you were able to use ActiveRoot to root your Galaxy S4 in the comments.

CVE-2014-3153 Exploit


This awesome vulnerability, that affect pretty much all Linux kernels from the last five years, was found by Comex about a month ago. It is also the vulnerability that is used in TowelRoot by GeoHot, to root the Samsung S5 and a bunch of other Android based devices. TowelRoot is closed source and heavily obfuscated though, and there are still no public exploits available for this vulnerability for desktop/server systems. So, I decided to make one myself. 😉

One of the interesting things with this vulnerability is that it is triggered through the futex() syscall, that is usually allowed even within very limited sandboxes (such as the seccomp-based one used by Google Chrome). The reason that this syscall is usually allowed is because it’s used to implement threading primitives, so unless the sandboxed application is single-threaded the futex() syscall is required.

This is not the first, and certainly not the last, time that I developed a kernel exploit. Some of you may remember the exploit I developed for a Windows GDI vulnerability back in 2006, for a vulnerability that Microsoft did not patch until two weeks after I demonstrated my exploit at BlackHat Europe in 2007. I must say though, this was definitely more challenging than most kernel vulnerabilities I have researched. Fortunately, challenging equals fun for me. 😉

My initial exploit patched the release() function pointer in the ptmx_fops structure, to achieve code execution in kernel context and calling commit_creds(prepare_kernel_cred(0)). The problem with this approach, however, was that it is prevented by a protection mechanism known as SMEP, that is supported by Intel Haswell CPU:s. Due to this, I changed my exploit to target the addr_limit value in the thread_info structure instead. This allows me to enable one of my threads to read/write arbitrary kernel memory, and provide root-access for me (and optionally disable other kernel-based protection mechanisms, such as SELinux) without having to executing any code in kernel context.

To Comex, great job in finding this vulnerability! I first realized what a talent you have after reverse-engineering your star-exploit back in 2010 (before realizing that you had released it as open source :D), that you used for the JailbreakMe 2.0 site. Judging from all the vulnerabilities you have found since then, you are no one-hit-wonder either. 😉 Unlike a lot of the kids these days, you find a lot of vulnerabilities that requires a deep understanding of the target code in question, rather than just throwing a fuzzer at it.

To GeoHot, really impressive work with developing the TowelRoot exploit in such a short amount of time! The breadth and depth of your work, ranging from PS3 jailbreaks, iPhone unlocks and jailbreaks, and now Android roots, not to mention your success in CTF competitions with PPP as well as with your one-man-team, is truly an inspiration. 🙂