Please make sure you understand that rooting a device will invalidate your warranty. I have posted this guide for informational purposes only.
This has been a long time coming and I realise that there are many guides/how-to’s out there but I thought I’d write a brief blog entry that has all of this info in one place – with a few extra hints/tips along the way.
Stage 1 – Rooting the device
1. Obtain the Motorola USB drivers (Windows) from here, or use the direct link here.
2. Obtain Dan Rosenberg’s root exploit from here.
3. Connect the Xoom 2 device to your system via USB.
4. Extract the contents of the xyz_windows.zip file and execute ‘run.bat’ – the device will reboot a number of times. When the exploit has completed you should see confirmation within the terminal window.
If needed, you can refer to Dan’s original blog entry here.
Stage 2 – Installing Backtrack 5
The Offensive Security team have a brief post regarding this which can be found here.
You’ll need to ensure that there is around 5GB of free space on your device.
1. Download the ARM version of Backtrack 5 from here.
N.B. At the time of writing the only ARM download available was for the original BT5 release, not r1, r2 or r3.
2. Use a terminal emulator, a file manager (if the Xoom is attached to your system) or the Android SDK tools to create the following directory on the tablet: /sdcard/BT5
3. Extract the contents of the 7-zip file on your host system and copy the following files to the /sdcard directory on the tablet:
busybox
installbusybox.sh
4. Install busybox by executing the following command from within the /sdcard directory using your terminal emulator:
sh installbusybox.sh
5. Copy the following files into the /sdcard/BT5 directory. Before doing this I also used 7-zip to extract the bt.img.gz file on my host system as doing this on the Xoom seemed to be quite slow:
fsrw
mountonly
bootbt
unionfs
bt.img.gz or the extracted bt5.img
6. Use your terminal emulator and change to the /sdcard/BT5 directory. Assuming that you’ve previously copied the extracted bt5.img, you can run the OS by executing the command sh bootbt (su will be required).
N.B. If you haven’t already extracted and copied the bt5.img file you can do so by running the following command on the tablet: gunzip bt5.img.gz
7. Finished – you should be presented with a root (#) console.
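The copy-and-extract steps above are easy to get slightly wrong on a tablet (a helper script left behind on the host, a still-compressed image, or not enough space left on /sdcard), and the failure only shows up when bootbt is run. The following pre-flight check is an added example of mine, not a script from the original post or from the BT5 ARM package: it assumes busybox has been installed as in step 4 (so sh, df, awk and gunzip behave as on Linux), that the layout is the /sdcard/BT5 directory from step 2, and that the compressed image is named bt5.img.gz (the post refers to it as both bt.img.gz and bt5.img.gz; the gunzip command in step 6 is followed here).

```shell
#!/bin/sh
# Added example (not from the original post or the BT5 ARM package):
# pre-flight checks for the /sdcard/BT5 chroot layout described in Stage 2.
# Assumes busybox is installed (step 4) so df -kP, awk and gunzip are available.
# Usage on the tablet, from the terminal emulator:
#   sh bt5_preflight.sh /sdcard/BT5 && su -c "sh bootbt"   (hypothetical file name)

# Helper scripts the post says must be copied into /sdcard/BT5 (step 5).
BT5_REQUIRED="fsrw mountonly bootbt unionfs"

# Minimum free space the post recommends, in MB (about 5GB).
BT5_MIN_FREE_MB=5000

# Return 0 when every required helper script is present in $1,
# otherwise report the missing ones on stderr and return 1.
bt5_check_files() {
    dir=$1
    missing=""
    for f in $BT5_REQUIRED; do
        [ -f "$dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "missing in $dir:$missing" >&2
        return 1
    fi
    return 0
}

# Print the free space of the filesystem holding $1 in MB.
# df -kP gives POSIX-format 1K blocks on one line per filesystem, so the
# output does not wrap even for long device names.
bt5_free_mb() {
    df -kP "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# Return 0 when the filesystem holding $1 has at least $2 MB free.
bt5_check_space() {
    free=$(bt5_free_mb "$1")
    if [ "$free" -lt "$2" ]; then
        echo "only ${free}MB free under $1, need ${2}MB" >&2
        return 1
    fi
    return 0
}

# Make sure an extracted bt5.img exists in $1, gunzipping bt5.img.gz on the
# tablet only when the extracted image is not already there (step 6, N.B.).
bt5_ensure_image() {
    dir=$1
    if [ -f "$dir/bt5.img" ]; then
        return 0
    fi
    if [ -f "$dir/bt5.img.gz" ]; then
        echo "extracting bt5.img.gz (this is slow on the tablet)" >&2
        gunzip "$dir/bt5.img.gz" && [ -f "$dir/bt5.img" ]
        return $?
    fi
    echo "neither bt5.img nor bt5.img.gz found in $dir" >&2
    return 1
}

# Run every check against the given directory; return 0 only if all pass.
bt5_preflight() {
    dir=$1
    bt5_check_files "$dir" || return 1
    bt5_check_space "$dir" "$BT5_MIN_FREE_MB" || return 1
    bt5_ensure_image "$dir" || return 1
    echo "ok: $dir is ready, run: sh bootbt (as root via su)"
    return 0
}

# When given an existing directory on the command line, run the checks on it.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    bt5_preflight "$1"
fi
```

Run it once before step 6; if it reports a missing helper or a still-compressed image, fix that on the host side (copying from the extracted 7-zip archive is much faster than unpacking on the Xoom) and run it again.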
Stage 3 – VNC Access
If you want GUI access you can perform the following steps.
1. Download a VNC client app from Google Play (personally I use WYSE Pocket cloud as it is feature packed and provides a very simple and intuitive interface).
2. Use the terminal emulator to boot into Backtrack and run the following commands:
export USER=root
vncpasswd (set a password – the default is toortoor)
vncstart (vncstop to stop the server when you’ve finished)
3. You should now be able to use your VNC app to connect to localhost. If you want to check which port is listening for VNC connections (generally TCP 5900 – although not so in my case) you can use the command netstat -antp and look for the corresponding program (xtightvnc).
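Reading the netstat -antp output by eye works, but it is worth doing two things every time the server is started: pick out the port actually in use (which, as noted above, is not always 5900) and notice which address it is bound to, since a VNC server bound to 0.0.0.0 is reachable from anything on the same Wi-Fi network, not just the VNC app on the tablet. The following script is an added example of mine and is not part of the original post or of the BT5 ARM image; it assumes the netstat -antp output format shown in the constructed sample below, and that the server process name contains xtightvnc (the X display socket on 6000+N also shows up under the same program name, so both lines are printed).

```shell
#!/bin/sh
# Added example (not from the original post): find the TCP port(s) the VNC
# server is listening on and flag whether it is reachable off the tablet.
# Live usage inside the Backtrack chroot:
#   netstat -antp 2>/dev/null | vnc_listen_ports xtightvnc

# Constructed sample of netstat -antp output (not captured from a real
# device), in which the VNC server ended up on 5901 rather than 5900.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      1234/Xtightvnc
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      1234/Xtightvnc
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 192.168.1.20:5901       192.168.1.10:49152      ESTABLISHED 1234/Xtightvnc
EOF
)

# Read netstat -antp output on stdin and print "port address" for every
# LISTENing TCP socket whose program name contains $1 (default xtightvnc,
# matched case-insensitively). Returns 1 when nothing matched.
vnc_listen_ports() {
    prog=$(printf '%s' "${1:-xtightvnc}" | tr 'A-Z' 'a-z')
    awk -v prog="$prog" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && index(tolower($7), prog) > 0 {
            # Local Address is addr:port; split on the last colon so that
            # IPv6 addresses (which contain colons) are handled too.
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            print port, addr
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Classify a bound address: a loopback bind is only reachable by apps on the
# tablet itself, anything else is reachable from the network.
vnc_exposure() {
    case "$1" in
        127.*|::1) echo "local-only" ;;
        *)         echo "all-interfaces" ;;
    esac
}

# Demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | vnc_listen_ports xtightvnc |
while read -r port addr; do
    echo "VNC program listening on port $port at $addr ($(vnc_exposure "$addr"))"
done
```

Connect the VNC app to localhost on the first port reported (5901 in the sample). If the report says all-interfaces, the password set with vncpasswd is the only thing between the tablet's root session and anyone else on the network, so it is worth running vncstop as soon as the GUI session is finished.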