I have tested this rooting application on two of my Android devices:
1. Samsung Galaxy TAB
2. Samsung Galaxy S
It worked without a fuss. One of the devices, as you know, is a tablet. Both of them have the stock 2.2 Froyo ROM. I downloaded the APK, transferred it onto an SD card, then copied it to my phone and ran it. I first tested it with the temporary root option. I have heard that the permanent root option does not work on some devices.
Here are the devices that are compatible with the permanent root option in z4root.
The following devices do not work with permanent root option, however the temporary root option works
NOTE: For z4root to work, the USB debugging option must be enabled. You can enable it from Settings.
If you cannot find the USB debugging option, do not worry. Follow these steps:
1. Download Launcher Pro app
2. Install it
3. Long press on the home button and choose Launcher Pro from the menu
4. Now the home screen should be running on Launcher Pro. Long press on the desktop and choose shortcuts
5. Scroll down on the popup menu that appears and select “Activities”
6. Select “Setting” from the Activities menu.
7. Now select “Development”. It will create a shortcut on the home screen.
8. Press the back button or home screen button and go back to the home screen.
9. Press the “Development” shortcut.
10. You should see the USB Debugging option. You can disable or enable it as you wish.
The download link is at the bottom of this page.
How do you make z4root work?
You do not have to resort to any fancy tricks. Just copy it onto your phone or tablet and run it. The options in the app are self-explanatory. If you are not sure, use the temporary root option. It will also install Busybox.
How does z4root work?
It uses a vulnerability in the Linux kernel, taking advantage of a ‘Constant’ that defines how many child or forked processes a parent process can have. The exploit was coded by Sebastian Krahmer. It forks off processes until the fork() function fails, which indicates that the maximum number of processes for the given UID has been reached.
The function now communicates with the parent exploit process and signals it to kill the adb daemon (adbd). This is where it all goes sideways: when the adb daemon restarts, it starts with ‘root’ privileges and only after some maintenance work does it run as a normal shell user.
Normally the process counter should decrement the number of processes for the root user, but since the process count is already at the maximum after running the exploit, the switch fails and the daemon continues running with root privileges.
Now the exploit connects back to the adb daemon and gets a root shell on the device. Pretty clever.
The exploit was named Rage-Against-the-Cage and is used by z4root.
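The step that leaves the daemon running as root is a privilege drop whose failure goes unnoticed. The C code below is an added example, not code from z4root, the exploit or adbd; it contrasts a drop that ignores the result of setuid() with one that fails closed. The helper names, the `setuid_at_limit` stand-in and the UID value 2000 are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as setuid(2). Passing it in lets the failure path be
 * exercised without root and without exhausting any real limit. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stand-in for a setuid() call that fails because the target
 * UID already has its maximum number of processes. */
int setuid_at_limit(uid_t uid) {
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* Weak pattern: the result is ignored, so a failed drop is reported as
 * success and the caller keeps the UID it started with. */
int drop_unchecked(setuid_fn do_setuid, uid_t target) {
    (void)do_setuid(target);
    return 0;
}

/* Hardened pattern: fail closed. The caller must exit on -1. */
int drop_checked(setuid_fn do_setuid, uid_t target) {
    if (do_setuid(target) != 0) {
        perror("setuid");
        return -1;
    }
    /* Confirm the switch took effect before doing any further work. */
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void) {
    uid_t shell_uid = 2000; /* constructed sample value for the unprivileged UID */
    printf("unchecked drop reports: %d\n", drop_unchecked(setuid_at_limit, shell_uid));
    if (drop_checked(setuid_at_limit, shell_uid) != 0)
        puts("checked drop failed: a real daemon must exit here");
    return 0;
}
```

In a real daemon the checked variant would be called with `setuid` itself, after dropping supplementary groups and the GID, and any non-zero result would terminate the process.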
What is the current status of the vulnerability?
The vulnerability is patched and the exploit will not work on the newer Android versions released after Android 2.2.