Since there were some requests I made the source of
the zygote jailbreak, zimperlich, available here.
Its straight forward code just like the adb setuid() one.
Most of the time I spent getting the Makefile right and
tricking zygote to spawn the right amount of processes and
calling setuid() once more when we are already running.
Keeping in mind that I dont like Java.
I solved this with a ContentProvider and giving it a new
process name in AndroidManifest.xml, so the ContentProvider
is guaranteed to be invoked as a new process.
If the NPROC limit is reached this will be the root
process.
Also, we want some native code carried along with the .apk
for convenient purposes. The Android ABI requires that
it must be named libNAME.so but in fact it is of
type ET_EXEC and not ET_DYN so we can execute it as
binary.
If you look at the Makefile you can imagine that this
was a horror. You require a complete Android build in
$AROOT to succeed.
Of course you could also mis-use the RageAgainstTheCage
binary to exploit zygote (and not adb) if called from
an .apk like the z4root did. But I think nobody noticed
or cared that a different setuid() bug was actually exploited.
Thats at least what my short analysis showed. If I am wrong
I will remove this paragraph. So, only use the original
old but gold code on the commandline as proposed
to get the real deal! :)