[HOW-TO] Root FRGxx builds without unlocking bootloader - Nexus One Android Development

EDIT: Great news! We have an on-device one-click root again!
Simply download VISIONary from (edit: used to be in the Market) Modaco. I tried it on FRG83 stock. It works. No ADB, no external computer required, no fuss. Thanks to the developers!
EDIT again: Sorry, the FRG83D build no longer works with VISIONary - BUT - the overall rageagainstthecage method still works via ADB. I also hear that SuperOneClick works but it requires a Windows machine.
----
Ok it's been established that Universal Androot / exploid / freenexus no longer works on FRG33/FRG83 etc. And it's been established that "rageagainstthecage" does still work. So far I'm not aware of a one-click method to implement the latter exploit.
So I'm starting this thread to centralize everyone's experiences. I don't personally need these instructions but other folks apparently do. I've quoted a rooting guide in post #2. If you think any refinements are necessary or you have a better way of writing it out, please feel free to add to this thread.

Thanks to efrant for pointing the way to this guide. Based on comments below, I'm quoting another revised version.
hmanxx said:
Hi OP,
You may want to edit your post #2, I have inserted the mounting commands in the thread i posted previously. this will help novice users to get thing right out of box without figuring why permission denied.
I have just tried out the additional mounting steps..things are working fine..
Tidy up step by step rooting
1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz
2) Getting Superuser.apk, busybox,su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find yourself..there are many floating around.
3) Rooting Process (Installing custom Recovery rom section is deleted to simplify illustration
Reference:http://forum.xda-developers.com/showpost.php?p=8120790&postcount=250
Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)
F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage
F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}
[*] Searching for adb ...
[+] Found adb as PID 64
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server
F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *
F:\ADB>adb shell
#mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
Follow the following steps to install Superuser.apk, busybox,su
F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit
F:\ADB>adb shell
# su
su
#mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
# exit
exit
Click to expand...
Click to collapse
And below are the previous contents of this post, prior to editing.
-------------
Many respondents on this thread have indicated that the instructions don't work the first time. If you get to the step where you are supposed to get a root shell (#) but you instead get a non-root shell ($), start from the top and try the exploit once or twice more. Apparently if you are persistent it will work.
I'm also told these instructions are missing adb remount before the steps where you push busybox, su and so forth.
hmanxx said:
Tidy up step by step rooting
1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz
2) Getting Superuser.apk, busybox,su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find yourself..there are many floating around.
3) Rooting Process (Installing custom Recovery rom section is deleted to simplify illustration
Reference:http://forum.xda-developers.com/showpost.php?p=8120790&postcount=250
Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)
F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage
F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}
[*] Searching for adb ...
[+] Found adb as PID 64
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server
F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *
F:\ADB>adb shell
#
Follow the following steps to install Superuser.apk, busybox,su
F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit
F:\ADB>adb shell
# su
su
# exit
exit
Click to expand...
Click to collapse

I too am interested in this info. Looking forward to any info provided....

There is detailed step-by-step info in many threads as to how to use the rageagainstthecage exploit to root your device, e.g.: http://forum.xda-developers.com/showpost.php?p=8300203&postcount=55
Why start a new thread?

efrant said:
There is detailed step-by-step info in many threads as to how to use the rageagainstthecage exploit to root your device, e.g.: http://forum.xda-developers.com/showpost.php?p=8300203&postcount=55
Why start a new thread?
Click to expand...
Click to collapse
Actually that's perfect, thanks.
I started a new thread because the step-by-step info is buried in other threads and many folks post questions asking about it because they can't find said guides. I figured if I could start a new thread with a proper title, it would be located more easily.

All the info is located in Nexus One Wiki, under "Guides" / "Rooting". Direct link to the post with complete data. So I still don't see any need for the post, that will be buried in forum depths. My signature..
But since you posted it, and it's more detailed - I'll change the link to point to it.
[edit 2] The Wiki is damn slow after the forum crash...
[edit 3] It refuses to accept the submit, complaining about "session data loss". Time to complain to admins..

Heh well if the Wiki is crashy at the moment, all the more reason to have a redundant post here.
If you look back to the linked posts, I was the one who suggested which instructions for ali3nfr3ak to follow after a successful push of rageagainstthecage, and then ali3nfr3ak reported success on FRG33, and then hmanxx seems to have stripped out the irrelevant/unnecessary lines. So it's teamwork =)
One thing I'm not sure of - I see the original "exploid"/"freenexus" instructions included a cleanup by removing /system/bin/rootshell. Should something similar be done after rageagainstthecage to clean up?

@ cmstlst This is a good idea, because when I did this I had like 3 different pages open as all the information was spread everywhere, hopefully this will make it easier for everyone to follow, good one

I used the steps posted here to restore root access to a Nexus One which had been previously rooted with 1-click. It was running stock FRF91. It was a fairly smooth process, especially since the update to FRG83 did not delete my Superuser.apk, su, or busybox files. The permissions had just been turned down, so with the RageAgainstTheCage exploit active, I was able to change the permissions as indicated and was off and running.
The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command
mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system
for the read/write mount and was then able to turn up the permissions. And, in the interests of completeness, to mount /system read-only again afterward:
mount -o remount,ro -t yaffs2 /dev/block/mtdblock4 /system
Thanks much for consolidating the procedure where it was easy to find.

anyway to re-lock the Bootloader

highvista said:
The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command
mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system
Click to expand...
Click to collapse
It's mtdblock3, not mtdblock4, though for some reason the mount worked for me even on 6. But in any case, much better and easier done using ADB command:
adb remount
Finally the Wiki is also back to work, the "Rooting FRG83" link is updated to point to this thread.

Here, the rageagainstthecage didn't work.
I followed these steps:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)
F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage
F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}[*] Searching for adb ...
[+] Found adb as PID 64[*] Spawning children. Dont type anything and wait for reset![*][*] If you like what we are doing you can send us PayPal money to[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.[*] If you are a company and feel like you profit from our work,[*] we also accept donations > 1000 USD![*][*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server
F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *
F:\ADB>adb shell
#
Click to expand...
Click to collapse
But, I didn't get root shell (#), when I typed "adb shell" I still got ($).
I'm in FRG83, Android 2.2.1.
Any ideas?

cmstlist said:
Thanks to efrant for pointing the way to this guide.
Click to expand...
Click to collapse
Thank you for posting this. It was a big help. I lost my root after 2.2.1 and this worked great. I did have to execute the .bin file 3 times. The first time, I got $, and the second time as well. It was only on the 3rd execute that I got the # prompt. I read that others had the same problem, that it only worked after a few times.
highvista said:
I used the steps posted here to restore root access to a Nexus One which had been previously rooted with 1-click. It was running stock FRF91. It was a fairly smooth process, especially since the update to FRG83 did not delete my Superuser.apk, su, or busybox files. The permissions had just been turned down, so with the RageAgainstTheCage exploit active, I was able to change the permissions as indicated and was off and running.
The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command
mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system
for the read/write mount and was then able to turn up the permissions. And, in the interests of completeness, to mount /system read-only again afterward:
mount -o remount,ro -t yaffs2 /dev/block/mtdblock4 /system
Thanks much for consolidating the procedure where it was easy to find.
Click to expand...
Click to collapse
Thank you for this. I was in the same situation and I was not able to set the premissions. Then I saw your post. I am not a Linux/Unix guy, so it was step-by-step for me. Curiously, why is it necessary to change the premission for su, busybox, etc.?
Thanks guys.

Atento said:
Here, the rageagainstthecage didn't work.
I followed these steps:
But, I didn't get root shell (#), when I typed "adb shell" I still got ($).
I'm in FRG83, Android 2.2.1.
Any ideas?
Click to expand...
Click to collapse
I had this, too. Like the above poster said, I got # after several tries. However something went wrong midway through the other steps from efrant, and I went back and lost #, only had $.
Also looking for ideas.

Xel'Naga said:
I had this, too. Like the above poster said, I got # after several tries. However something went wrong midway through the other steps from efrant, and I went back and lost #, only had $.
Also looking for ideas.
Click to expand...
Click to collapse
I would try the process over again from the beginning. Once you get the #, follow highvista's information to mount the file system as RW, and do the chmods. After you are done, re-mount as RO.

snovvman said:
I would try the process over again from the beginning. Once you get the #, follow highvista's information to mount the file system as RW, and do the chmods. After you are done, re-mount as RO.
Click to expand...
Click to collapse
Yup, had to reboot the device and try again about four times and then it finally all stuck. Now rooted on 2.2.1.

snovvman said:
Thank you for posting this. It was a big help. I lost my root after 2.2.1 and this worked great. I did have to execute the .bin file 3 times. The first time, I got $, and the second time as well. It was only on the 3rd execute that I got the # prompt. I read that others had the same problem, that it only worked after a few times.
Thank you for this. I was in the same situation and I was not able to set the premissions. Then I saw your post. I am not a Linux/Unix guy, so it was step-by-step for me. Curiously, why is it necessary to change the premission for su, busybox, etc.?
Thanks guys.
Click to expand...
Click to collapse
Thanks for your replies! I'm rooted now.
Thanks for all!!!

Hi OP,
You may want to edit your post #2, I have inserted the mounting commands in the thread i posted previously. this will help novice users to get thing right out of box without figuring why permission denied.
I have just tried out the additional mounting steps..things are working fine..
Tidy up step by step rooting
1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/...nstTheCage.tgz
2) Getting Superuser.apk, busybox,su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find yourself..there are many floating around.
3) Rooting Process (Installing custom Recovery rom section is deleted to simplify illustration
Reference:http://forum.xda-developers.com/show...&postcount=250
Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)
F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage
F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}[*] Searching for adb ...
[+] Found adb as PID 64[*] Spawning children. Dont type anything and wait for reset![*][*] If you like what we are doing you can send us PayPal money to[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.[*] If you are a company and feel like you profit from our work,[*] we also accept donations > 1000 USD![*][*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server
F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *
F:\ADB>adb shell
#mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
Follow the following steps to install Superuser.apk, busybox,su
F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit
F:\ADB>adb shell
# su
su
#mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
# exit
exit

Thanks, I'll fix it up when I'm at a desktop computer again and less occupied by the Masters thesis I'm defending in just over 2 weeks
Sent from my Nexus One using XDA App

hehe oh noes. I gave the cage file a go 3 times, failed, so I got pissed and unlocked the bootloader, then now I read about the remounting of the file system.. didn't think about that.
well.. now I can't undo the unlocking :/

Related

rooting the Streak Froyo build (official)

As the froyo upgrades are rolling out now, you'll find that universal androot doesn't work.
If you are using windows, then its very easy to root the new builds using superoneclick.
http://forum.xda-developers.com/showthread.php?t=803682
you can do it with linux but its quicker to do it manually.
I'll post instructions later for that.. see post #3
I'll also update with some tweaks that help with battery life and speed
Thanks for this Mate
here's how to root the froyo streak builds manually.. so useful to linux / mac users and anyone who doesn't want to use the superoneclick
Code:
GET ECLAIR/FROYO version of Superuser.apk and su
from http://forum.xda-developers.com/showthread.php?t=682828 extract the two files to the directory you're working from..
GET rageagainstthecage from
http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz
extract the rageagainstthecage-arm5.bin to the same directory you're working from
open a terminal/command line
adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
adb push Superuser.apk /data/local/tmp/Superuser.apk
adb push su /data/local/tmp/su
adb push busybox /data/local/tmp/busybox
adb shell chmod 700 /data/local/tmp/rageagainstthecage
adb shell chmod 700 /data/local/tmp/busybox
adb shell
cd /data/local/tmp
./rageagainstthecage
******this will kill adb server but manually kill it anyway and restart it ******
adb kill-server
adb start-server
* daemon not running. starting it now *
* daemon started successfully *
adb shell
mount -o remount,rw -t yaffs2 /dev/block/mtdblock6 /system
**********Follow the following steps to install Superuser.apk, busybox,su ****************
cd /data/local/tmp
./busybox cp busybox /system/bin/
chmod 4755 /system/bin/busybox
busybox cp Superuser.apk /system/app/
busybox cp su /system/bin/
chmod 4755 /system/bin/su
exit
exit
then reboot streak
************to remount filesystem as readonly,*************
adb shell
# su
su
#mount -o remount,ro -t yaffs2 /dev/block/mtdblock6 /system
# exit
exit
This is supposed to be a helpful thread to help people who want a simple easy way of rooting the froyo releases.
Not a discussion on why you cant find something
Orionbg I have no idea whether that one works as the two ways I've suggested do work..
Lets keep it simple, think about those who really struggle rather than confusing them with more info than needed ;-)
Lufc can you lock it and add it to the stickies so as not to let it spiral away.
I'd rather keep it clear and easy for people to follow...

[HOWTO] ubuntu Soft Root Nexus One 2.2.1 FRG83D

This guide is for people who want root but want to keep their stock rom, not breaking the warranty, unlocking bootloader etc.
A proud ubuntu user, I am writing this in a new thread purely because the manual rageagainstthecage method and SuperOneClick method did not not work for me, see link to my conclusion below if you care
http://forum.xda-developers.com/showpost.php?p=11305312&postcount=2526
What did work however was via adb shell using psneuter and its fairly simple if you follow the following commands.
This guide assumes you know how to get access to the shell via adb, if you dont then search elsewhere.
OK lets get to business!
1. Download the attached nexus_one_softroot.tar from the bottom of this post and extract contents to the same folder as adb
2. Open up your terminal, cd to the same folder as adb and the extracted files
3. Enter the following commands:
Code:
sudo ./adb push psneuter /data/local/tmp/psneuter
sudo ./adb push busybox /data/local/tmp/busybox
sudo ./adb push su /data/local/tmp/su
sudo ./adb shell chmod 755 /data/local/tmp/psneuter
sudo ./adb shell chmod 755 /data/local/tmp/busybox
sudo ./adb shell chmod 755 /data/local/tmp/su
sudo ./adb shell
After this you should see only a $ which tells us that we at the android command line with user privileges only, lets continue
Code:
$ cd /data/local/tmp
$ ls
busybox
su
psneuter
$ ./psneuter
property service neutered.
killing adbd. (should restart in a second or two)
You will now be kicked out of android shell, lets go back in
Code:
sudo ./adb shell
After this you should see only a # which tells us that we root baby! If you want to double check issue this command
Code:
# id
uid=0(root) gid=0(root)
Lets continue on. From this point we will install busybox and su which will make root permanent
Code:
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
# cd /data/local/tmp
# ./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
# busybox cp su /system/bin
# chmod 4755 /system/bin/su
# exit
For some reason I sometimes have to enter exit twice to leave the android shell. Again, re-access the android shell
Code:
sudo ./adb shell
Now in the android shell we can finish up
Code:
# su
# mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
# exit
# exit
Lastly we must install Superuser, and I did this from the android market so I knew its the latest version, its simple to get, less command input etc.
Now you have root! I hope this was simple enough to follow, I have not really written a guide before but from lots of searching I just could not find a solution for my Nexus One 2.2.1 FRG83D, especially any guide that uses psneuter.
Anyway, glad to contribute
EDIT - also, being new to starting threads, this may not quite be in the right section of the forum, sorry if thats the case mods

[GUIDE] Manual root for Official ED01

>>>>>>>> REQUIRES working adb shell <<<<<<<<<<<
1. Download this zip, and extract its contents to /sdcard/extracted/rootED01/ (Root Explorer, which is not required, will do this by default when you click Extract All)
2. For each of the two STEP.txt files (in the zip and copied below), open an 'adb shell' and paste its contents into your shell.
Includes:
+ instructions, with pasteable root and unroot
+ Superuser.apk
+ su
+ busybox
+ rage.bin
CREDITS:
* adrynalyne for his version of busybox.
* 743C for rageagainsthecage exploit binary.
* ChainsDD for Superuser.apk
* Eousphoros on droidforums for his very similar guide.
********
Most people will prefer to use Super OneClick root. I only wrote this guide in response to finding this, and hoping that I could indeed get terminal emulator to root.
Unfortunately, I could find no way to change the permissions of the copied rage.bin without using adb. If anyone can find a way around this for froyo, I would love to hear about it!
I decided to post this guide anyway. At least it's a manual root that works with the official ED01 froyo update. If there is interest, I will go into detail about installing ADB, etc.
rootED01.zip
MD5: e97913f3bed5283c89d5b755a66f28e5
SHA-1: ab87ad372d0f9ba9d1d5043175953e91bdef77f3
# >>>>>>>>>> STEP ONE <<<<<<<<<<<<<
# Note: This path must match the files you extracted!
export ROOT_TOOLS=/sdcard/extracted/rootED01
cd $ROOT_TOOLS
cat rage.bin >/data/local/tmp/rage.bin
cd /data/local/tmp
chmod 777 rage.bin
./rage.bin
echo "Rage.bin will be done applying root. Reopen shell in 10 seconds."
# >>>>>>>>> STEP TWO <<<<<<<<<<<
# Do not procede with this step until you see a # in newly opened shell.
# Note: This path must match the files you extracted!
export ROOT_TOOLS=/sdcard/extracted/rootED01
# mount /system for writing & copy su & busybox
mount -o rw,remount /dev/block/stl9 /system
cd $ROOT_TOOLS/xbin
cat su >/system/xbin/su
cat busybox >/system/xbin/busybox
cd /system/xbin
chmod 4755 su
chmod 4755 busybox
#install Superuser
cd $ROOT_TOOLS/app/
cat ./Superuser.apk >/system/app/Superuser.apk
reboot now
# >>>>>>>>>> UNROOT <<<<<<<<<<<<
# get root
su
# mount /system for writing
mount -o rw,remount /dev/block/stl9 /system
#delete su & busybox
rm /system/xbin/su
rm /system/xbin/busybox
# delete Superuser.apk
rm /system/app/Superuser.apk
# delete other clutter
rm /data/local/tmp/rage.bin
# Once you reboot, the last of your root will be gone
mount -o ro,remount /dev/block/stl9 /system

[DEV] Current Progress and Guides: CRACKED UBOOT!!! Roms and Kernels Comming Soon

This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self. REMEMBER I DO THIS FOR FUN, please respect the thread as well as others opinions
OLD UPDATES AT THE END OF THIS POST.
First off if you haven’t read the wiki yet to know what is currently in the device you should look here.
Also you should look at the http://www.nooktabletdev.orgfor information on the Nook Tablet Development process. - Thanks to dj_segfault
Rooting Scripts​Windows: Root, OTA block, De-bloat, Gapps Thanks to Indirect
Mac/Linux: Rooting script Thanks to t-r-i-c-k
Mac/Linux: Root,OTA Block, Gapps
CURRENT PROGRESS
adb connection: COMPLETE
adb root: COMPLETE
busybox:COMPLETE
permanent root: COMPLETE BY INDIRECT
GApps and Market: COMPLETE BY INDIRECT & Anlog
recovery mode: COMPLETE BY nemith
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
THANKS TO NEMITH
bootloader: Locked and Signed Irrelevant
uboot: CRACKED BY BAUWKS
THANKS TO BAUWKS​
Loglud said:
bauwks method uses the flashing_boot.img to his advantage, and since it is not checked by security, effectively he has made an insecure uboot. While this is not an unlocked bootloader, it is a way to get around the security, and enable custom recovery and higher level processes to be run.
I have been looking at this line of code for a long time, and as im sure hkvc and bauwks saw it is a large (but 100% necessary) flaw:
distro/u-boot/board/omap4430sdp/mmc.c: 559 : setenv ("bootcmd", "setenv setbootargs setenv bootargs ${sdbootargs}; run setbootargs; mmcinit 0; fatload mmc 0:1 0x81000000 flashing_boot.img; booti 0x81000000");
Without this line of code, it would be impossible for any one but the factory whom could JTAG flash (but since it is secured, most likely they also have to make a flashing_boot.img).
Click to expand...
Click to collapse
12/9/11:
UBUNTU is here, thanks to ADAMOUTLER
http://www.youtube.com/watch?v=PwUg17pVWBs&hd=1
Keep in mind this is only an overlay verson but it is prof that one day we might be able to push roms and kernels over existing ones, then hijack then (next work) and then use them.​
Please PM me or post if you know anything else, and or want to add anything.
Usefull threads
Usefull threads:
ROOTING:
Full root for Nook Tablet. [11/20/11] [Yes this is a permanent root!] Thanks to indirect
Noot Tablet - Easy root & Market on MAC (1 download, 1 script to run) Thanks to t-r-i-c-k
[Windows/Linux] Unroot and uninstall gApps for the nook tablet [Scripts] Thanks to indirect
MODS to Default Rom:
[Full Mod + Root + OTA block] Snowball-mod: Full Modification Root [1/6/2012] Thanks to cfoesch
[DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! Thanks to [DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! 1 Attachment(s) (Multi-page thread 1 2 3 ... Last Page)
Originally Posted By: diamond_lover
Kernels:​Coming Soon​
ROMS:​Coming Soon​
APPS:
[Tutorial][WIP] Installing alternative Keyboards on the NT. Thanks to robertely
[DEV] - HomeCatcher Redirect n Button to any Launcher Thanks to gojimi
Hidden Settings App Updated 12/30/11 Thanks to brianf21
Replacement SystemUI.apk v2: Permanent back and menu buttons, n as Home button Thanks to revcompgeek
DEVELOPMENT:
[Dev]Files of interest in the system Thanks to indirect
[REF] Nook Tablet Source Code Thanks to diamond_lover
BHT Installer (Basic Hacking Tools) Thanks to AdamOutler
[Stock Firmware]Restore Barnes & Nobel Nook 1.4.0 from SDCard Thanks to AdamOutler​
Guides
Table of Contents
Enableing adb Connection (eab1)
Rooting using zergRush (rug2)
Installing busyboxy (ibb3)
Permanent root (pr4) THANKS TO INDIRECT
Installing GApps (aga5) THANKS TO ANLOG
Full system restore/wipe (fsr6) THANKS TO INDIRECT
Enableing adb Connection (eab1)
Install the andriod SDK that is required for your Operating system.
NOTE: This will requries the SDK, and JDK both of which can be downloaded by clicking the links, downloading and installing it.
Run the andriod SDK Manager and Install "Andriod SDK Platform-tools"
[*]Modify your adb_usb.ini file to read such as the following:
Code:
# ANDROID 3RD PARTY USB VENDOR ID LIST -- DO NOT EDIT.
# USE 'android update adb' TO GENERATE.
# 1 USB VENDOR ID PER LINE.
0x2080
This will be in your /home/{username}/.andriod/ folder for mac and linux
This will be in your C:/Users/{username}/.andriod folder for Windows.
ADB is now enabled for your device, however it is not ON your device. YOU MUST DO THIS EVERY TIME YOU WISH TO ADB INTO YOUR DEVICE.
[*]To do this you will need to download any app, and attempt to install it.
You can use this app if you need.
[*]Click on the Package Installer, and then a prompt will pop up asking if you want change the settings to allow 3rd party apps.
*DO NOT ENABLE IF YOU WISH TO ACCESS ADB*
I am working on a way to have it enabled by default.
[*]In the settings page you should see *2* USB Debuggin modes.
[*]Press them both and accept the prompt.
[*]PLUG IN YOUR DEVICE.
Note* You should see the Android Development icon on the bottom of the screen.
ADB will now be able to see your device. How ever you will need to restart the server before it sees it.
Rooting using zergRush (rug2)
This is for the poeople whom have access to adb. You will also need this file. Unzip the file.
Type in the following command (while in the folder with the zergRush Binary):
Code:
adb push ./zergRush /data/local
[*]Once thats installed run this:
Code:
adb shell chmod 777 /data/local/tmp
[*]And lastly:
Code:
adb shell /data/local/zergRush
[*]You are now rooted (only for this reboot)
Installing busyboxy (ibb3)
You will need root and the following busybox file.
Type in the following command while in the location where busy box was downloaded to:
Code:
adb push ./busybox /data/local
[*]Busybox works by calling binaries from a file outside of /system/bin/. We must make this file by issuing the following command:
Code:
adb shell mkdir /data/busybox
[*]Lets make sure we can install busybox without permission probles:
Code:
adb shell chmod 777 /data/local/busybox
[*]Next install busybox in the folder:
Code:
adb shell /data/local/busybox --install
[*]We now need to take the /system/folder, and mount it as a writeable folder:
Code:
adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
[*]Link it into bin:
Code:
adb shell ln -s /data/local/busybox /system/bin/busybox
You now have busybox installed
Permanent root (pr4)
THANKS TO INDIRECT for Files and Scripts
We will need SU and Superuser.apk
First we need to install the Superuser.apk:
Code:
adb wait-for-device install Superuser.apk
adb remount
[*]Next lets go ahead and push the su application up to the /data/local/ folder
Code:
adb push su /data/local/
[*]Next we will need to change the permissions and cp su from the /data/local/ folder to the /system/bin/
Code:
adb shell chmod 4755 /data/local/su;mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system;busybox cp /data/local/su /system/bin
Installing GApps (eab1)
THANKS TO ANALOG and INDIRECT for Scripts
First things first we need to download the GAPPS. The most reacent one is this one or get the most recent one here.
[*] Unzip and navigate to the most root folder of that package in your shell.
[*]We need to verify that adb is booting into root. To do this we can issue the command:
Code:
adb shell id
If id doesn't return root then you will need to re-zergRush your device
[*]Now it is time for us to export the apps to the directories.
Code:
adb shell mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system
adb push system/app/CarHomeGoogle.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/app/FOTAKill.apk /system/app/
adb shell chmod 644 /system/app/FOTAKill.apk
adb push system/app/GenieWidget.apk /system/app/
adb shell chmod 644 /system/app/GenieWidget.apk
adb push system/app/GoogleBackupTransport.apk /system/app/
adb shell chmod 644 /system/app/GoogleBackupTransport.apk
adb push system/app/GoogleCalendarSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleCalendarSyncAdapter.apk
adb push system/app/GoogleContactsSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleContactsSyncAdapter.apk
adb push system/app/GoogleFeedback.apk /system/app/
adb shell chmod 644 /system/app/GoogleFeedback.apk
adb push system/app/GooglePartnerSetup.apk /system/app/
adb shell chmod 644 /system/app/GooglePartnerSetup.apk
adb push system/app/GoogleQuickSearchBox.apk /system/app/
adb shell chmod 644 /system/app/GoogleQuickSearchBox.apk
adb push system/app/GoogleServicesFramework.apk /system/app/
adb shell chmod 644 /system/app/GoogleServicesFramework.apk
adb push system/app/LatinImeTutorial.apk /system/app/
adb shell chmod 644 /system/app/LatinImeTutorial.apk
adb push system/app/MarketUpdater.apk /system/app/
adb shell chmod 644 /system/app/MarketUpdater.apk
adb push system/app/MediaUploader.apk /system/app/
adb shell chmod 644 /system/app/MediaUploader.apk
adb push system/app/NetworkLocation.apk /system/app/
adb shell chmod 644 /system/app/NetworkLocation.apk
adb push system/app/OneTimeInitializer.apk /system/app/
adb shell chmod 644 /system/app/OneTimeInitializer.apk
adb push system/app/Talk.apk /system/app/
adb shell chmod 644 /system/app/Talk.apk
adb push system/app/Vending.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/etc/permissions/com.google.android.maps.xml /system/etc/permissions/
adb push system/etc/permissions/features.xml /system/etc/permissions/
adb push system/framework/com.google.android.maps.jar /system/framework/
adb push system/lib/libvoicesearch.so /system/lib/
Now you have GApps installed from Anlog's. All Credits go to him and Indirect
Full system restore/wipe (fsr6)
THANKS TO INDIRECT
WARNING THIS WILL WIPE YOUR ENTIRE FILESYSTEM!!!
Go into adb shell or terminal emulator.
Issue command:
Code:
echo -n '0000' > /bootloader/BootCnt
Next reboot your device by conventional methods or issue:
Code:
reboot
Your nook will now restart and tell you it is resetting.
You now have a clean slate!
Got some links for howto's on the adb connection/root.
Yeah - if someone has details on how to adb connect and root, it'd be helpful to include links. I've yet to see specifics for either.
Reserved
Sent from Tapatalk, NOOK Color CM7 Nightly's!
I aplogize im still typing them up
Damn loglud, I ended up beating you to the root lol. Sorry about that! D:
The Droid 2 and Droid X had locked bootloaders with the 'e-fuse' and Koush got around them and installed CWM with this...
http://www.koushikdutta.com/2010/08/droid-x-recovery.html
What do you guys think? I don't have a NT yet to try anything (probably won't get one until sometime around x-mas).
l
Indirect said:
Damn loglud, I ended up beating you to the root lol. Sorry about that! D:
Click to expand...
Click to collapse
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?
Loglud said:
l
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?
Click to expand...
Click to collapse
Superoneclick...love!
Sent from my Nook Tablet using Tapatalk
Loglud said:
l
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?
Click to expand...
Click to collapse
Not at all so long as you give proper credits.
Loglud said:
This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self.
First off if you haven’t read the wiki yet to know what is currently in the device you should look here.
CURRENT PROGRESS
adb connection: COMPLETE
adb root: COMPLETE
busybox: COMPLETE
permanent root: IN PROGRESS
bootloader: Locked and Signed
By the bootloader being locked and signed it is very difficult to design anything that will boot besides nook roms. In order to solve this some of the Devs have suggested the following:
kexec: RESEARCHING
2nd init: RESEARCHING
CWM: NOT STARTED
Please PM me or post if you know anything else, and or want to add anything.
Click to expand...
Click to collapse
hopefully it is cracked soon cause i dont want to buy this if i can't have a full custom rom, all of the verizon motorola phones run roms off of 2nd init and it just isnt the same to be honest. you can never run a full custom rom with second init(well you can but you have to build the rom to fit the kernel) and honestly i want my device to be mine
you should tweet cvpcs or someone who makes and maintains 2nd init roms to get more info on it though
Can't get busybox installed
I'm stuck... I get errors for #3 for busybox... errors like...
Code:
$ adb shell /data/local/busybox --install
busybox: /data/busybox/[: No such file or directory
busybox: /data/busybox/[[: No such file or directory
busybox: /data/busybox/addgroup: No such file or directory
.....
busybox: /data/busybox/yes: No such file or directory
busybox: /data/busybox/zcat: No such file or directory
busybox: /data/busybox/zcip: No such file or directory
So I logged into root via adb shell, set busybox permissions to execute and tried that but same messages?!
Also, adb won't let me 'remount' - (I thought i'd try to copy it direct to /system/bin)?
(I'm running from OSX, if that matters)
EDIT: and of course I'm getting...
Code:
$ adb shell ln -s /data/local/busybox /system/bin/busybox
link failed Read-only file system
$ adb remount
remount failed: Operation not permitted
kgingeri said:
I'm stuck... I get errors for #3 for busybox... errors like...
Code:
$ adb shell /data/local/busybox --install
busybox: /data/busybox/[: No such file or directory
busybox: /data/busybox/[[: No such file or directory
busybox: /data/busybox/addgroup: No such file or directory
.....
busybox: /data/busybox/yes: No such file or directory
busybox: /data/busybox/zcat: No such file or directory
busybox: /data/busybox/zcip: No such file or directory
So I logged into root via adb shell, set busybox permissions to execute and tried that but same messages?!
Also, adb won't let me 'remount' - (I thought i'd try to copy it direct to /system/bin)?
(I'm running from OSX, if that matters)
EDIT: and of course I'm getting...
Code:
$ adb shell ln -s /data/local/busybox /system/bin/busybox
link failed Read-only file system
$ adb remount
remount failed: Operation not permitted
Click to expand...
Click to collapse
Sorry it took me so long to get back to you. I have updatd my guide to help you out. First of you will need to make the busybox directory, then change the permissions of the binary file, then run the install. You will then have to mount -rw
Still some glitches installing busybox...
Loglud said:
Sorry it took me so long to get back to you. I have updatd my guide to help you out. First of you will need to make the busybox directory, then change the permissions of the binary file, then run the install. You will then have to mount -rw
Click to expand...
Click to collapse
Thanks Loglud, but I still had trouble using adb. It's like I don't have root from adb? I get permission errors on mkdir and remounting etc?
Weird that the 'adb shell mkdir /data/busybox' gave me permission errors?! It did work fine with the interactive adb shell - weird!?
After the initial 'push' command, I could install via:
Code:
mac-osx$ adb shell
$ su root
# cd /data/local
# chmod 755 busybox
# ls -l
-rwxr-xr-x shell shell 1745016 2011-11-21 00:21 busybox
# mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
# mkdir ../busybox
# ./busybox --install
Also, is the line:
Code:
# ln -s /data/local/busybox /system/bin/busybox
not supposed to be
Code:
# ln -s /data/busybox /system/bin/busybox
Things went weird on me in the final step, but I did manage to get all the hard linked busybox files to show up in /system/bin eventually, so I'm a happy camper.
EDIT: PS my mount on data is as follows..
Code:
# mount|grep /data
/dev/block/platform/mmci-omap-hs.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,data=ordered 0 0
EDIT2:
Hmmm... seems like maybe my /data folder has weird permissions - if so not sure why?...
Code:
# cd /
# ls -l | grep '\<data\>'
drwxrwx--x system system 2011-11-21 18:25 data
# chmod 777 data
kgingeri said:
Thanks Loglud, but I still had trouble using adb. It's like I don't have root from adb? I get permission errors on mkdir and remounting etc?
Weird that the 'adb shell mkdir /data/busybox' gave me permission errors?! It did work fine with the interactive adb shell - weird!?
After the initial 'push' command, I could install via:
Code:
mac-osx$ adb shell
$ su root
# cd /data/local
# chmod 755 busybox
# ls -l
-rwxr-xr-x shell shell 1745016 2011-11-21 00:21 busybox
# mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
# mkdir ../busybox
# ./busybox --install
Also, is the line:
Code:
# ln -s /data/local/busybox /system/bin/busybox
not supposed to be
Code:
# ln -s /data/busybox /system/bin/busybox
Things went weird on me in the final step, but I did manage to get all the hard linked busybox files to show up in /system/bin eventually, so I'm a happy camper.
EDIT: PS my mount on data is as follows..
Code:
# mount|grep /data
/dev/block/platform/mmci-omap-hs.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,data=ordered 0 0
EDIT2:
Hmmm... seems like maybe my /data folder has weird permissions - if so not sure why?...
Code:
# cd /
# ls -l | grep '\<data\>'
drwxrwx--x system system 2011-11-21 18:25 data
# chmod 777 data
Click to expand...
Click to collapse
ok so whats happening? i modified the guides and i was hopping that would help you. The command is
Code:
# ln -s /data/local/busybox /system/bin/busybox
and as for your permissions it seems as though your root since your in the # shell but, you have to change the permissions on your /system folder not the /data folder the permsisions on the data file should be fine since i think shell is a member of system, so you can put all your data in there.
Loglud said:
ok so whats happening? i modified the guides and i was hopping that would help you. The command is
Code:
# ln -s /data/local/busybox /system/bin/busybox
and as for your permissions it seems as though your root since your in the # shell but, you have to change the permissions on your /system folder not the /data folder the permsisions on the data file should be fine since i think shell is a member of system, so you can put all your data in there.
Click to expand...
Click to collapse
Yeah, I'm root in the 'adb shell' because I 'su root' but adb commands fail from the Mac shell. I'll reboot my NT and give you the script. My /data permissions get reset when I reboot...
Here you are as it happens
MBAir$ ls busybox
busybox
MBAir$ adb push ./busybox /data/local
2881 KB/s (1745016 bytes in 0.591s)
MBAir$ adb shell mkdir /data/busybox
mkdir failed for /data/busybox, Permission denied​
Of course there is no point continuing until I do the following...
MBAir$ adb shell
$ su root
# chmod 777 /data
# exit
$ exit
MBAir$ adb shell mkdir /data/busybox
MBAir$ adb shell chmod 777 /data/local/busybox
MBAir$ adb shell /data/local/busybox --install
MBAir$ adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
mount: Operation not permitted​
To get around the last error, I had to do another 'adb shell', 'su root' and do 'ln' commands manually.
(I actually ran a shell 'for loop' on the tablet, using all files found in /data/busybox as a list and issued ln commands for each against a copy of busybox in /system/bin)
kgingeri said:
Yeah, I'm root in the 'adb shell' because I 'su root' but adb commands fail from the Mac shell. I'll reboot my NT and give you the script. My /data permissions get reset when I reboot...
Here you are as it happens
MBAir$ ls busybox
busybox
MBAir$ adb push ./busybox /data/local
2881 KB/s (1745016 bytes in 0.591s)
MBAir$ adb shell mkdir /data/busybox
mkdir failed for /data/busybox, Permission denied​
Of course there is no point continuing until I do the following...
MBAir$ adb shell
$ su root
# chmod 777 /data
# exit
$ exit
MBAir$ adb shell mkdir /data/busybox
MBAir$ adb shell chmod 777 /data/local/busybox
MBAir$ adb shell /data/local/busybox --install
MBAir$ adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
mount: Operation not permitted​
To get around the last error, I had to do another 'adb shell', 'su root' and do 'ln' commands manually.
(I actually ran a shell 'for loop' on the tablet, using all files found in /data/busybox as a list and issued ln commands for each against a copy of busybox in /system/bin)
Click to expand...
Click to collapse
re run zergRush exploit. your adb shell is defaulting to the shell username. by rerunning the zergy you will allow for yourself to use the adb shell as root. make sure you dont run it as the root user though. you are also more then welcome to hop in irc and ask questions.
Any one having difficulty rooting or see anything that needs to be updated?

DL701Q rooted, no apk, (digiland 7") need help backtracking how

Got root, then su binary installed need some help backtracking a few things. If someone is up for it?
I guess the first thing first is. The first time I adb shell'd I got promted with root user: ( does this happen right off the bat for anyone else? I did a few things before this with modstrings and busybox. But, didn't try adb till after)
Code:
adb shell
[email protected]:/ #
Once I noticed I had root on shell I simply found the system mount at /dev/ubui0_0 and I mounted it rw.
Code:
[email protected]:/ # mount -o remount, /dev/ubi0_0
moved the su binary over to the sdcard. wrote it to system/xbin link named to /system/bin. gave permisions.
Code:
adb push su /sdcard/
[email protected]:/ # cat /sdcard/su > /system/xbin/su
[email protected]:/ # ln -s /system/xbin/su
[email protected]:/ # chmod 6755 /system/xbin/su
[email protected]:/ # su
[email protected]:/ # :D
Off I went. I need to update the binary, but as of right now Superuser shows root as 'allow', SuperSU deny (think it old binary).
If you guys are not getting root after adb shell on this device, I think I can backtrack the modstrings and other stuff I did.
I really don't know where this device sits on getting rooted. It seems like some windows programs did it before an update that happened at some point, but not anymore? I don't have access to windows so I don't keep up with those methods.
Thanks! Hope someone can help me out.

Categories

Resources