Related
Hey guys,
I currently have LeoMar Revolution ROM installed, so phone is rooted, Superuser works fine etc.
Want to start playing around with adb (am new to this) and have the device showing up when running 'adb devices' but i cannot get adb root? Although the device is rooted ok?
So question is (yes i searched but cant find the answer) are phone root and adb root different things?
If so how do i go about getting adb root so i can push apps etc from cmd line?
Thanks in advance
kangfu84 said:
Hey guys,
I currently have LeoMar Revolution ROM installed, so phone is rooted, Superuser works fine etc.
Want to start playing around with adb (am new to this) and have the device showing up when running 'adb devices' but i cannot get adb root? Although the device is rooted ok?
So question is (yes i searched but cant find the answer) are phone root and adb root different things?
If so how do i go about getting adb root so i can push apps etc from cmd line?
Thanks in advance
Click to expand...
Click to collapse
When through cmd, you write su and press enter
If you get a $ sign, then you aren't adb rooted!
If you get a # sign, then you are adb rooted!
Umm, for adb root, I guess use superoneclick root and click shell root, you will get the # sign then!
Thanks for quick reply
I run abd shell and then su and i do get the #.
id=0 so i have root in an 'abd shell' but i cant get root when i just put 'adb root'
Tried to adb push the apks manually in adb shell but adb push doesnt exist in shell?
But i am trying to run a batch file that pushes some hidden apks and i get the error "cannot run as root in production builds" when i run the batch file?
Edit: I may have had a secure kernel installed, will try another kernel and re-try. Is it possible to have su rights when booted up with a secure kernel? That would explain things ..
kangfu84 said:
Thanks for quick reply
I run abd shell and then su and i do get the #.
id=0 so i have root in an 'abd shell' but i cant get root when i just put 'adb root'
But i am trying to run a batch file that pushes some hidden apks and i get the error "cannot run as root in production builds" when i run the batch file?
Edit: I may have had a secure kernel installed, will try another kernel and re-try. Is it possible to have su rights when booted up with a secure kernel? That would explain things ..
Click to expand...
Click to collapse
I have never tried doing pushing/pulling on stock/secure kernels ... so I can't tell you what's going wrong!
Will have a play with flashing other kernels and try again.
I have the yellow triangle show up on boot so i thought i had an insecure kernel. But maybe it is just there from when i installed a previous ROM/insecure kernel?
kangfu84 said:
Will have a play with flashing other kernels and try again.
I have the yellow triangle show up on boot so i thought i had an insecure kernel. But maybe it is just there from when i installed a previous ROM/insecure kernel?
Click to expand...
Click to collapse
Yellow triangle means you have a insecure kernel, maybe, Cf-root
"adb root" was only available on the original "Google dev phones" and requires special code somewhere on the phone (in the kernal?) to support it. When you root the phone it does not include the special code for "adb root" to work. I don't know what you need to do to get it working, but most people don't bother because there are other ways to do the same thing.
{Build:KI4, Version:1.3.4 (stock, rooted)}
LouisJB said:
"adb root" was only available on the original "Google dev phones" and requires special code somewhere on the phone (in the kernal?) to support it. When you root the phone it does not include the special code for "adb root" to work. I don't know what you need to do to get it working, but most people don't bother because there are other ways to do the same thing.
{Build:KI4, Version:1.3.4 (stock, rooted)}
Click to expand...
Click to collapse
Can i adb push apk's as su in an adb shell?
If so i guess i can push the apks i want to manually instead of using the batch file which is trying to get adb root.
kangfu84 said:
Can i adb push apk's as su in an adb shell?
Click to expand...
Click to collapse
1. If you use one of my insecure kernels, adb will be running as root, issue "adb root" and it will reply "adb is already running as root"
2. Yes you can adb push when using su root.
3. Why do you want to push APKs? If its to install them, then just use adb install <FILE NAME>
adb root can be used when ro.debuggable is set to 1 in /default.prop
and on every reboot ro.debuggable is replaced by the one in kernel you are using
Why did you bump a thread from November 2011 to post this gem? Is that what "Recognized Contributors" do? I did wonder.
Geez Oinky. I could really take that comment of yours (which is true on so many levels) & run with it ;-) But I can't be arsed these days (like more than a few people on here).
Probably one of the criteria for getting RC status; how many 8 mth old threads you bump over X period of time
oinkylicious said:
Why did you bump a thread from November 2011 to post this gem? Is that what "Recognized Contributors" do? I did wonder.
Click to expand...
Click to collapse
i was googling something related to this but not this and found this thread, readed it all and found that no one had answered this
then i thought many others can also look for this and i thought of answering for others who are googling for it not for the op, because i know op had got the answer many moths ago
and real xda member never offense but help others
I have just updated my Prime and I did not have rooted it with ICS. Is possible to root JB without previous rooting?
No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
tonesy said:
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
Click to expand...
Click to collapse
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.
If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.
hx4700 Killer said:
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.
Click to expand...
Click to collapse
He posted a bad link but doesnt work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean
Thread moved
Thread moved. This is clearly belonging into Q&A. Please post in correct Sub-Forum.
peace
jotha - forum moderator
Does any one know if one person with development capabilty is trying to find a way to root JB ?
I talked to bin4ry about his root method in hopes of working with him on modifications for the prime but he is telling me his mod is making the change he is exploiting according to what I am seeing but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldnt get out of him what exactly his "restore timing exploit" is but I understand everthing after that
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.
Perhaps we can turn this thread into, or possibly start a new one about the different things people(devs and/or the technically savy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
here's what I have found.
from the PC, creating an adb shell allows me to ls /data/local/tmp/ but from a tablet's terminal emulator (shell?) I cant.
Typing id from both it becomes obvious why
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009
(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt)
,3003(inet),3006(net_bw_stats)
from the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw), 1028(sdcard_r),
3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debugable and see what that yeilds but its looking like a convoluted process, espicially considering that run as may not work as intended on prime's JB
PS I want to state that I know precious little about linux and even less about the android layer above it...
Just as an FYI the way bin4rys tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 in to local.prop then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.
yes I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
it would indeed be interesting to see if changing "qemu" flags it as a non-production build. My sgs is rooted with CM10 nightlies might try toggling the value on that and see what adb says
Run-as
abazz said:
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
Click to expand...
Click to collapse
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
elschemm said:
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
Click to expand...
Click to collapse
Yes you are correct. setresuid() function will not give you permissions greater than the process its running in
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Click to expand...
Click to collapse
Its worse than that, the package also has to be debuggable
There is some info out there on how to sing a package with the appropriate system permissions so it would be interesting to actually do this and see what, if anything can be done.
I downloaded the asus unlock package and passed it through the apk tool to see what it does, as it obviously would need root access. As root access is all i require the code it shows is irrelevant really, its the fact that it gains root access with its signature and also the uid that is set in the manifest android.sharedUserID="adroid.uid.system". This and, most importantly android.permission.MOUNT_UNMOUNT_FILESYSTEMS. WIthoput these things we cant change anything in the directories we need
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Click to expand...
Click to collapse
Yes thats what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a c program that uses the setresuid() function call thereby bypassing the need to have an appropriate package installed. As it didn't work I'm having dounts whether it would work even if the right package was there. run-as did make reference to package.h which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I dont really see how this will work...
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
Click to expand...
Click to collapse
Yeah found the source here
I also searched for linux exploits, there are massive lists of them, most of them patched by now but I assume the linux base in JB would be somewhat different to whats getting around on X86 systems
On anather note I have tried bin4ry's "root many" method , using the restore timing exploit but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It make a symbolic link to the build.prop in com.android.settings...../file99, which was succesfull after pressing restore but thats about it. perhaps I should fire up ubuntu and try the linux script instead of the windows .bat file
Interestingly, this guys root method for the Razr M makes use of Run-as if you look at the batch file.
He is essentially doing a "fake package" install then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU and also implimenting run-as
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627
I fear that remained a few developers interested in finding a way to root transformer prime with jelly bean, because all of them had tablet already rooted with ics and managed in mantaining rooting across upgrade.
Have a strange one I don't know how to fix. Purchased a Pyle PTBL102BCD tablet for the Mrs. to use basically as an ebook reader (according to About, running 4.2.2). When it came in I started sideloading apps to prepare it for her (I do not have a Google account), and searched on the Net about rooting the device. Found a one-click that worked with a different Pyle tablet, so I gave it a shot.
Now I have root access _only_ through the adb shell. None of the apps (including Superuser.apk itself as tested by updating /system/bin/su) can get root access, yet I have no problem running root through an adb shell - remounted file systems, even performed an su which is the only instance Superuser.apk's log shows. Root access in the shell remains between reboots, so it's not a temporary root.
If the adb shell has root, I _should_ be able to use it to grant access to everything else, and I've followed a few different "manual" root instructions (having different permission settings for su and busybox), with no joy. So long as I connect with a USB cable and type on the Windows machine, I'm god. On the tablet itself...not so much.
I hope that someone with a more intimate knowledge of Android internals can point me in the right direction for achieving root completely. Currently have Titanium Backup and ConnectBot (long java errors when I attempt to su there) installed to test root, Superuser v3.1.3 and su v3.1.1. Permissions on su are -rwsr-sr-x. And the human is confused.
Did you get anywhere with this? I have the same problem. What one-click did you use?
mfurlend said:
Did you get anywhere with this? I have the same problem. What one-click did you use?
Click to expand...
Click to collapse
Side note; REALLY hate the new forum software. With all the untrusted Google and Amazon javascript (which my company firewalls), it's a pain for me to even log in let alone post replies. (And I wonder if I'm the only person in the world sick to death of all the unnecessary ajax garbage...)
Anywho, used Kingo, rooted and unrooted a few times, until I finally acquired complete root on the thing. Once I did, I could run Samba, and once that worked, I could more easily transfer files and apks to the tablet.
Still don't understand why it was left in such a...weird...state - having root by default in adb is just a scary thing!
thanks for the information. I tried doing that but I encountered various problems. Eventually, after trying to do it manually, I totally screwed up the device. Now it won't boot.. I still have access to adb. I need to flash this thing. Do you know what the stock ROM is?
mfurlend said:
Do you know what the stock ROM is?
Click to expand...
Click to collapse
No...I can give you the Kernel version info (3.0.36+ [email protected] #48) and build number (rk3168_k11_4.2.2_v20131230), but other than that no clue.
Hi. I'm having trouble rooting my Envizen V100MDT tablet the manual way since it's a production build and won't allow adb as root, but also since I can't find a compatible su binary nor su moderator program to run on it without getting an weird error code while at the tablet's shell. I tried to take advice from
[KERNEL] adb "cannot run as root in production builds" fix
but to no avail since the default.prop file is also locked into read-only mode. The reason that I'm writing this post is because i'VE TRIED AT LEAST 7 ONE-TAP METHODS WITH NO RESULTS. So, since I'm not a kernel coder and will not pursue an understanding of the free code available , and I'd like to do this without giving a complete re-install/flash of the kernel and all of its important components, my post is here.
Goodday,
I have been looking into rooting my android device for over a week now and was still not able to find how it can be done for an unidentified tablet.
I have an Allwinner T8 tablet (headunit) that runs oreo 8.1.0, theres no info availlable on this unit whatsoever, all i have is a detailled system information gathered by root checker, i can post the detaills if its required.
I've managed to make a full backup of my device using the adb backup command incase something goes wrong it can be reverted easily.
No custom recovery option availlable to flash.
Is it possible to root my device using the supersu zip without a custom recovery for example with adb using the command "adb flash"?
The most usefull guide for my situation i have come across is the magisk manager installation guide: ht tps://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
This method requires me to have the stock boot image from my device, seeing i don't have root and cant just copy that file, where exactly can i find this file(whats the path to it)?
Is it possible to use adb command "adb root; adb pull ... " to retrieve this file? If not how can i get my hands on this file?
Please help me, i have spend many houres searching google and watching videos but all of wich are the easy methods that don't work for my tablet or require root or a custom recovery wich i cant install... pretty frustrating...
I think magisk manager is the only correct way to go for my problem
Also, if i remount my system or root with read&write rights using adb shell, is that the same as rooting my device?
if i can read and write into the system directory on my device then i should be set.
So what exactly is the diffrence between rooting my device and remounting my device/system as read/write?
anyone??