2

I have read a bit about the adb backup format, and it seems quite straight forward.

Is it possible to use adb backup restore with a specially crafted backup to root a device? If not, why not?

The idea is to restore something to some place on the device that usually could only be there when the device was already rooted. Like the adb backup service itself. It must run with quite high permissions. So why not restore a special tool with appropiate permissions?

Community
  • 1
Elrond
  • 147
  • 8

1 Answers1

1

Your assumption that the process which writes the restored files to the storage device runs with "quite high permissions" is wrong. Backup service calls backup agents (implemented by applications themselves) to backup and restore data. So each app backs up and restores its own backup data.

  • 2
    Do you have a reference for that, Alex? In fact, a bug in adbd is used by several root exploits, as for the restore process the daemon actually gets "raised permissions". Simply take a look at bin4ry's root package if you don't believe that. The "backup service" you describe is Google Cloud Backup, which has to be actively supported by the apps to be backed up/restored, not adb backup / adb restore. – Izzy Jul 14 '13 at 23:35