Hello everyone!
You may or may not know me; however, I have secretly been working behind the scenes with ChiefzReloaded to learn how Android works. Together we have been trying to develop new ways to root the Slide, primarily because we both landed in a sticky situation that left us both without root and without a way to revert to root.
After many long hours of trying to restore my phone, I have now ported the exploid exploit to the MyTouch Slide! This means that you can gain root on any version of the Slide, INCLUDING the latest OTA! However, this isn't necessarily "easy" as in the One-Click Root program, but there are reasons for this. While Android is running we cannot write to /system and even if we force Linux to let us, the NAND protection will prevent Linux from completing the write!
To get started, please see the bottom of this post for the link and download it. You will want to download it to your computer and not your phone's SD card. Also, you will need the tools from the Android SDK. I would suggest extracting the file from my zip at the bottom of this page into the Android SDK's tools directory.
1. Extract the zip.
2. Make sure your phone is in USB debugging mode AND you are in "Charge Only" mode.
3. Connect your phone to your computer.
4. Make sure you're in the same directory as where exploid is extracted before continuing to the next step.
5. Issue the following command: adb push exploid /sqlite_stmt_journals. Note: It MUST be in that directory - NO exceptions.
6. Run: adb shell
7. Run: cd /sqlite_stmt_journals
8. Run: chmod 0755 exploid
9. Run: ./exploid
10. Toggle your phone's Wifi (on or off, however you wish to do that).
11. Now (again) run: ./exploid (if prompted for a password enter: secretlol)
12. The next line should now begin with a pound (#) - if not, then something isn't set up right. Make sure to follow the directions verbatim. If you suspect you did follow them correctly, please reply to this post letting me know.
You should now be root! At this point you can do many things, but if you're looking to flash a custom ROM, continue to these instructions:
[NEW 10/18/2010:]
Steps 1-12 are intended to give you the ability to flash mtd0.img (which previously required using the SimpleRoot method) by gaining root inside of Android. Following the instructions in the rest of this section will allow you to flash a ROM or S-OFF your device:
The files you need are at: http://forum.xda-developers.com/showthread.php?t=703076 - download both files linked in there (ESPRIMG.zip and SlideEng-package.zip)
Extract the contents of SlideEng-package.zip to a place of your choosing on your computer.
Place the entire (unextracted) ESPRIMG.zip on your SDcard.
Now push the files 'flash_image' and 'mtd0.img' that you just extracted from SlideEng-package.zip to /data/local using 'adb push'. (Noob? Instead of using 'adb push', install Droid Explorer and, using that utility, copy the 'flash_image' and 'mtd0.img' files to /data/local on your Slide)
Now I'm going to assume your phone is at root prompt (#) using steps 1-12. So now do (without typing the '#' symbols in front of both lines - they're just there to remind you that you need to be at a '#' prompt):
Code:
# cd /data/local
# chmod 04755 flash_image
# ./flash_image misc mtd0.img
Before you reboot make sure that the ESPRIMG.zip is on your SDcard!
Now turn off the phone.
Then press Volume-Down + Power.
The phone will power on and after about 5 minutes of verifying ESPRIMG.zip it will ask you if you want to flash it.
Press Volume-Up for 'YES' and wait until it finishes (ABSOLUTELY DO NOT POWER DOWN WHILE IT'S STILL FLASHING!!!).
Now when you go into recovery it should allow you to 'Apply update.zip from sdcard' (booting into Clockwork). If you don't have the Clockwork update.zip, here it is: http://www.4shared.com/file/OTRU7T3y/update_2.html (rename to update.zip after downloading since it's currently update_2.zip, then place it on your sdcard).
[/NEW 10/18/2010]
[NEW 12/30/2010]
Optional: Now that you're rooted you might want to disable all flash memory protections so you can permanently flash Clockworkmod (recovery - no more using an update.zip!) as well as other random things. Check here for details: http://forum.xda-developers.com/showthread.php?t=798168
[/NEW 12/30/2010]
CREDIT GOES TO:
[*] ChiefzReloaded! (For helping me learn the intricacies of Android and patiently answering all of my questions)
[*] 743C (For developing the original exploit)
Source code: (Yes, it's hackish. I was just trying to figure out why the system kept rebooting and haven't cleaned up the code since) download
DOWNLOAD:
http://www.4shared.com/file/CZsxSq-f/exploid.html
DONATE:
(Anything helps!)
(Some people may wonder why this is special compared to the One Click Root application. What's important is that One Click Root doesn't work on Slides running production/retail software, likely the same problem I had to fix to get exploid to work in my version.)
That's what's up!!
If you be trollin then YOU BES TRAWLLIN
But if not then good job nb!
Sent from my T-Mobile myTouch 3G Slide using XDA App
Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!
falken98 said:
Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!
Sure, I was getting around to that - and I understand your concern. I'll post it in a second.
falken98 said:
Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!
You think nb is distributing a virus disguised as a root method?
Waaaaaat
Sent from my T-Mobile myTouch 3G Slide using XDA App
r0man said:
You think nb is distributing a virus disguised as a root method?
Waaaaaat
It is a bit funny, but I do understand his concern. I've posted the source code into the original post. Compiling it should result in the same hash as the binary I posted.
Good to see this. I suggested this in another thread; glad to see it in use. Thanks a bunch.
nbetcher said:
It is a bit funny, but I do understand his concern. I've posted the source code into the original post. Compiling it should result in the same hash as the binary I posted.
I'll take a look at it when I get home.
ilostchild said:
Good to see this. I suggested this in another thread; glad to see it in use. Thanks a bunch.
I actually had to do a lot of work on it. It doesn't quite work the same as the original exploid, simply because the original exploid crashes the entire system and reboots. This causes the rootshell to never be committed to NAND and thus you get nowhere. I had to keep playing with things until I found a different method that works. It took several hours of me being upset with it, but I watched the latest Burn Notice, came back to it, and BAM, I had a stroke of genius.
Where is rootshell? I can't execute rootshell, nor can I "cp" any files from sdcard; however, I do have a # instead of a $.
Armyjon88 said:
Where is rootshell? I can't execute rootshell, nor can I "cp" any files from sdcard; however, I do have a # instead of a $.
Ignore that portion of the instructions provided by the program. As I stated, this is not intended for non-developers at this point. The # is your indication that you're running as root.
I am headed to work, but I don't usually have much going on there - I will be setting up a much cleaner system/environment for non-developers to work with and perma-root their phones with over the next few hours. Stay tuned!
Sweet
Sent from my T-Mobile myTouch 3G Slide using XDA App
Having # and running as root as stated before, you can actually follow with eng and then custom recovery and your choice of ROM. Please correct me if I'm wrong. Thanks.
statuzz said:
Having # and running as root as stated before, you can actually follow with eng and then custom recovery and your choice of ROM. Please correct me if I'm wrong. Thanks.
I'm also wondering the same thing, because I got the exploid working, and I have the # in the shell, but when I go to follow the instructions to flash the eng-release, I can't cd to any different dirs, nor can I push any files to the phone. I have the ESPRIMG.zip copied to my sdcard, so could I just reboot into recovery and flash the nbh from there? Any help is appreciated.
nbetcher said:
Ignore that portion of the instructions provided by the program. As I stated, this is not intended for non-developers at this point. The # is your indication that you're running as root.
I am headed to work, but I don't usually have much going on there - I will be setting up a much cleaner system/environment for non-developers to work with and perma-root their phones with over the next few hours. Stay tuned!
Let me know if you want to work together on some kind of one-click root app for the Slide. If the commands work through the terminal on the phone itself rather than via adb, I could probably make this into an app already, but since you're working on a more non-developer-friendly version, I'll just wait until that's out
televate said:
I'm also wondering the same thing, because I got the exploid working, and I have the # in the shell, but when I go to follow the instructions to flash the eng-release, I can't cd to any different dirs, nor can I push any files to the phone. I have the ESPRIMG.zip copied to my sdcard, so could I just reboot into recovery and flash the nbh from there? Any help is appreciated.
I'm delaying the release of my non-developer program for another couple hours.
As far as what you said above, all you need to do after gaining the # prompt is (in a separate window):
adb push flash_image /data/local
adb push mtd0.img /data/local
(switch back to your # adb shell, then type)
cd /data/local
chmod 04755 flash_image
./flash_image misc mtd0.img
Then reboot and apply the ESPRIMG.zip. All of these files are found on the same post that I referenced in my OP. These instructions are all in that same page.
televate said:
I'm also wondering the same thing, because I got the exploid working, and I have the # in the shell, but when I go to follow the instructions to flash the eng-release, I can't cd to any different dirs, nor can I push any files to the phone. I have the ESPRIMG.zip copied to my sdcard, so could I just reboot into recovery and flash the nbh from there? Any help is appreciated.
I'm also stuck, since I'm not sure if you can update to eng from the OTA. But first I want to personally thank the OP & CR for providing this.
This would be great for a One Click method
this would be nice to work into a one click root!
And This did work for me!
Does this root method get /system mounted when Android is running? In short, do we finally get MetaMorph and Root Explorer working?
Hey guys,
I currently have LeoMar Revolution ROM installed, so phone is rooted, Superuser works fine etc.
Want to start playing around with adb (am new to this) and have the device showing up when running 'adb devices', but I cannot get adb root? Although the device is rooted OK?
So question is (yes i searched but cant find the answer) are phone root and adb root different things?
If so how do i go about getting adb root so i can push apps etc from cmd line?
Thanks in advance
kangfu84 said:
Hey guys,
I currently have LeoMar Revolution ROM installed, so phone is rooted, Superuser works fine etc.
Want to start playing around with adb (am new to this) and have the device showing up when running 'adb devices', but I cannot get adb root? Although the device is rooted OK?
So question is (yes i searched but cant find the answer) are phone root and adb root different things?
If so how do i go about getting adb root so i can push apps etc from cmd line?
Thanks in advance
When, through cmd, you write su and press enter:
If you get a $ sign, then you aren't adb rooted!
If you get a # sign, then you are adb rooted!
Umm, for adb root, I guess use superoneclick root and click shell root, you will get the # sign then!
Thanks for quick reply
I run adb shell and then su and I do get the #.
id=0, so I have root in an 'adb shell', but I can't get root when I just put 'adb root'.
Tried to adb push the apks manually in adb shell, but adb push doesn't exist in shell?
But i am trying to run a batch file that pushes some hidden apks and i get the error "cannot run as root in production builds" when i run the batch file?
Edit: I may have had a secure kernel installed, will try another kernel and re-try. Is it possible to have su rights when booted up with a secure kernel? That would explain things ..
kangfu84 said:
Thanks for quick reply
I run adb shell and then su and I do get the #.
id=0, so I have root in an 'adb shell', but I can't get root when I just put 'adb root'.
But i am trying to run a batch file that pushes some hidden apks and i get the error "cannot run as root in production builds" when i run the batch file?
Edit: I may have had a secure kernel installed, will try another kernel and re-try. Is it possible to have su rights when booted up with a secure kernel? That would explain things ..
I have never tried doing pushing/pulling on stock/secure kernels ... so I can't tell you what's going wrong!
Will have a play with flashing other kernels and try again.
I have the yellow triangle show up on boot so i thought i had an insecure kernel. But maybe it is just there from when i installed a previous ROM/insecure kernel?
kangfu84 said:
Will have a play with flashing other kernels and try again.
I have the yellow triangle show up on boot so i thought i had an insecure kernel. But maybe it is just there from when i installed a previous ROM/insecure kernel?
Yellow triangle means you have an insecure kernel, maybe, Cf-root
"adb root" was only available on the original "Google dev phones" and requires special code somewhere on the phone (in the kernel?) to support it. When you root the phone it does not include the special code for "adb root" to work. I don't know what you need to do to get it working, but most people don't bother because there are other ways to do the same thing.
{Build:KI4, Version:1.3.4 (stock, rooted)}
LouisJB said:
"adb root" was only available on the original "Google dev phones" and requires special code somewhere on the phone (in the kernel?) to support it. When you root the phone it does not include the special code for "adb root" to work. I don't know what you need to do to get it working, but most people don't bother because there are other ways to do the same thing.
{Build:KI4, Version:1.3.4 (stock, rooted)}
Can i adb push apk's as su in an adb shell?
If so i guess i can push the apks i want to manually instead of using the batch file which is trying to get adb root.
kangfu84 said:
Can i adb push apk's as su in an adb shell?
1. If you use one of my insecure kernels, adb will be running as root, issue "adb root" and it will reply "adb is already running as root"
2. Yes you can adb push when using su root.
3. Why do you want to push APKs? If it's to install them, then just use adb install <FILE NAME>
adb root can be used when ro.debuggable is set to 1 in /default.prop,
and on every reboot ro.debuggable is replaced by the one in the kernel you are using.
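As an added example that is not part of any post in this thread: the decision adbd makes at startup from the ro.secure, ro.debuggable and service.adb.root properties named above, re-implemented in Python so the three outcomes can be compared side by side, plus the `id`-based test for a root shell that is more dependable than the "prompt begins with #" check the first post relies on. The three default.prop contents are constructed for illustration; the host-side messages are the ones `adb root` prints, including the "cannot run as root in production builds" one reported earlier in the thread.

```python
"""Predict adbd's privilege level from /default.prop and check a shell for root.

Added example, not from the original thread. It re-implements, in Python, the
decision adbd makes at startup from ro.secure, ro.debuggable and
service.adb.root, and the message the host-side 'adb root' command prints as
a result. The three property files below are constructed for illustration.
"""

# Constructed: what /default.prop looks like on a retail ("production") build.
PRODUCTION_PROP = """\
# ADDITIONAL_DEFAULT_PROPERTIES
ro.secure=1
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=0
"""

# Constructed: a userdebug build, where 'adb root' is allowed to restart adbd.
USERDEBUG_PROP = PRODUCTION_PROP.replace("ro.debuggable=0", "ro.debuggable=1")

# Constructed: an "insecure" boot image (what the thread calls an insecure
# kernel): adbd never drops privileges at all.
INSECURE_PROP = USERDEBUG_PROP.replace("ro.secure=1", "ro.secure=0")


def parse_prop(text):
    """Parse .prop syntax: key=value per line, blank lines and '#' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def adbd_runs_as_root(props, adb_root_requested=False):
    """adbd keeps root unless ro.secure=1; with ro.secure=1 it keeps root only
    when ro.debuggable=1 and 'adb root' has set service.adb.root=1."""
    if props.get("ro.kernel.qemu") == "1":
        return True            # emulator: no privilege drop
    if props.get("ro.secure") != "1":
        return True            # insecure image: adbd stays root
    return props.get("ro.debuggable") == "1" and adb_root_requested


def adb_root_outcome(props):
    """The reply the host's 'adb root' produces for a device with these properties."""
    if adbd_runs_as_root(props):
        return "adbd is already running as root"
    if props.get("ro.debuggable") == "1":
        return "restarting adbd as root"
    return "adbd cannot run as root in production builds"


def is_root_shell(id_output):
    """True when the output of 'id' in an adb shell shows uid 0; more reliable
    than eyeballing a '#' prompt, since the prompt is just shell configuration."""
    for field in id_output.split():
        if field.startswith("uid="):
            uid = field[4:].split("(", 1)[0]
            return uid.isdigit() and int(uid) == 0
    return False


if __name__ == "__main__":
    for label, text in (("production", PRODUCTION_PROP),
                        ("userdebug", USERDEBUG_PROP),
                        ("insecure", INSECURE_PROP)):
        print(f"{label:10s} -> {adb_root_outcome(parse_prop(text))}")
    print("root shell:", is_root_shell("uid=0(root) gid=0(root)"))
```

On a real device the inputs come from `adb shell cat /default.prop` (or `adb shell getprop ro.secure` and `getprop ro.debuggable`) and from `adb shell id`. The two kinds of root the thread keeps conflating are separate: `su` from a Superuser-style ROM is a setuid binary that any shell can call, whereas `adb root` only changes the uid adbd itself runs as, which is why a phone can give a # after `su` and still refuse `adb root`.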
Why did you bump a thread from November 2011 to post this gem? Is that what "Recognized Contributors" do? I did wonder.
Geez Oinky. I could really take that comment of yours (which is true on so many levels) & run with it ;-) But I can't be arsed these days (like more than a few people on here).
Probably one of the criteria for getting RC status; how many 8 mth old threads you bump over X period of time
oinkylicious said:
Why did you bump a thread from November 2011 to post this gem? Is that what "Recognized Contributors" do? I did wonder.
I was googling something related to this but not this and found this thread, read it all and found that no one had answered this.
Then I thought many others might also look for this, and I thought of answering for others who are googling for it, not for the OP, because I know the OP got the answer many months ago.
And a real XDA member never takes offense but helps others.
The world's first ereader with a color Mirasol display is finally on the market, but unfortunately it's running a severely locked-down Android by the Korean bookstore chain Kyobo. The Kyobo ui is entirely in Korean, the browser blocks downloads, and the reader app is crap. In other words, it's basically useless to anyone outside of Korea. A few enterprising Americans have imported them and been extremely disappointed. Will someone please take a look at this device and see if it can be rooted or if something else can be done to make it of use to the rest of us?
Please use the Q&A Forum for questions Thanks
Moving to Q&A
Nate over at The Digital Reader has a firmware update that supposedly contains all of the installed apps. He is asking for someone to try and hack it. He has a download link for the firmware at The Digital Reader.
I also posted this as a question here on XDA:
http://forum.xda-developers.com/showthread.php?t=1432283
It has been rooted for some time already.
Files and instructions are in the following archive, but since the instructions are in Korean, I'll do a writeup below.
(argh! spambot won't allow this link, so you'll have to piece it together...)
www<dot>4shared<dot>com/zip/aLwRc7ZG/mirasol_rooting.html
edit: needed files are also in an attachment below
The gist is that you need to flash the boot partition via fastboot, set up root and busybox, and then modify secure->install_non_market_apps in settings.db.
You will need to have adb and fastboot from the Android SDK working on your computer. There are many posts about this elsewhere, so I won't go into the details.
Also, I only print filenames without paths, so just find the corresponding file in the mentioned archive and modify the commands accordingly.
Flash the boot partition via fastboot
First get your Kyobo into fastboot mode (with USB cable attached) by pressing volume-down at bootup. Timing here can be a bit finicky, but easiest seems to be to shut it down completely and then press just after pressing power.
Issue a 'fastboot devices' on the computer; if successful it should give you the response '???????????? fastboot' or similar. If empty or it hangs, try again by rebooting the Kyobo by pressing power with volume-up held (you can go into fastboot immediately after reboot by volume-down as expected).
When you get the positive response above, you can flash by
Code:
fastboot flash boot boot.img
and then reboot by
Code:
fastboot reboot
edit: simplified fastboot instructions, thanks to smb_gaiden, whose button-poking-fu is strong.
Set up root and busybox
With the boot partition flashed you now have adb access, so let's use it. Let the device boot as normal, and then issue the following.
Code:
adb push busybox /data/local/tmp
adb push fixsu.sh /data/local/tmp
adb push su /data/local/tmp
adb shell chmod 777 /data/local/tmp/busybox
adb shell chmod 777 /data/local/tmp/fixsu.sh
adb shell chmod 777 /data/local/tmp/su
adb shell /data/local/tmp/fixsu.sh
adb shell ln -s /data/local/tmp/busybox /system/xbin/busybox
After this, install some apk's from the archive
Code:
adb install superuser.apk
adb install blackmart.apk
Fix non-market apps setting
The only thing left is to change a setting to allow non-market apps to be installed. If you don't care about your current settings (locale, etc), you can just push the settings.db from the archive like so:
Code:
adb push settings.db /data/data/com.android.providers.settings/databases/
If you *do* care about your settings, you'll need to pull the settings.db, edit it in some sqlite db editor (set secure->install_non_market_apps to 1) and push the result.
That's it. All rooted. Now you just need to install Angry Birds and yer' set ;-)
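The "edit settings.db in place" branch of the last step, as an added example that is not the original poster's file or script: it sets secure->install_non_market_apps to 1 in a pulled settings.db while leaving every other row, and each row's _id, alone. The database it builds is a constructed stand-in; the assumption is the Android 2.x SettingsProvider layout (tables system and secure, columns _id, name, value), which the table->key notation in the post implies.

```python
"""Flip secure->install_non_market_apps in an Android settings.db without
clobbering the other settings.

Added example, not from the original post. Assumes the Android 2.x
SettingsProvider schema: tables 'system' and 'secure', each with columns
_id, name, value. The sample database below is constructed here.
"""
import os
import sqlite3
import tempfile

TABLES = ("system", "secure")   # whitelist: table names cannot be bound as SQL parameters


def make_sample_settings_db(path):
    """Constructed stand-in for a settings.db pulled from the device:
    unknown sources off, plus a couple of settings the user wants to keep."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE system (_id INTEGER PRIMARY KEY AUTOINCREMENT,
                             name TEXT UNIQUE ON CONFLICT REPLACE, value TEXT);
        CREATE TABLE secure (_id INTEGER PRIMARY KEY AUTOINCREMENT,
                             name TEXT UNIQUE ON CONFLICT REPLACE, value TEXT);
        INSERT INTO secure (name, value) VALUES ('install_non_market_apps', '0');
        INSERT INTO secure (name, value) VALUES ('adb_enabled', '1');
        INSERT INTO system (name, value) VALUES ('screen_brightness', '102');
    """)
    con.commit()
    con.close()


def get_setting(path, table, name):
    """Return the stored value, or None when the row does not exist."""
    if table not in TABLES:
        raise ValueError(f"unknown settings table {table!r}")
    con = sqlite3.connect(path)
    try:
        row = con.execute(f"SELECT value FROM {table} WHERE name = ?", (name,)).fetchone()
        return None if row is None else row[0]
    finally:
        con.close()


def set_setting(path, table, name, value):
    """UPDATE the row in place (keeps its _id); INSERT only if the device
    never had that key. Returns the value read back after commit."""
    if table not in TABLES:
        raise ValueError(f"unknown settings table {table!r}")
    con = sqlite3.connect(path)
    try:
        cur = con.execute(f"UPDATE {table} SET value = ? WHERE name = ?", (value, name))
        if cur.rowcount == 0:
            con.execute(f"INSERT INTO {table} (name, value) VALUES (?, ?)", (name, value))
        con.commit()
    finally:
        con.close()
    return get_setting(path, table, name)


def enable_non_market_apps(path):
    """The one change the Kyobo procedure needs."""
    return set_setting(path, "secure", "install_non_market_apps", "1")


def demo():
    """Build the constructed db, apply the change, report what survived."""
    path = os.path.join(tempfile.mkdtemp(), "settings.db")
    make_sample_settings_db(path)
    before = get_setting(path, "secure", "install_non_market_apps")
    after = enable_non_market_apps(path)
    return {
        "before": before,
        "after": after,
        "adb_enabled": get_setting(path, "secure", "adb_enabled"),
        "brightness": get_setting(path, "system", "screen_brightness"),
        "new_key": set_setting(path, "secure", "added_by_demo", "x"),
        "missing": get_setting(path, "system", "no_such_key"),
    }


if __name__ == "__main__":
    print(demo())
```

Workflow around it: `adb pull /data/data/com.android.providers.settings/databases/settings.db`, run `enable_non_market_apps("settings.db")`, `adb push` the file back, then reboot. Two caveats: the settings provider keeps values cached in memory and writes the file itself, so an edit made while the system is running can be ignored or overwritten until the reboot; and a file pushed through a root adbd comes back owned by root, so check that it is still owned by the system user (the busybox installed above gives you `chown system:system`) or the provider will not be able to write to it afterwards.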
Adb doesn't seem to start properly on device
Hello.
I did succeed in flashing the bootloader via fastboot.
However when I boot device - I see adb on usb only for some initial seconds, and then it disappears.
For that matter my device already had December firmware on it.
Any ideas how to activate adb on device?
Thank you,
Leonid
It may be that persist.service.adb.enable is reset, stopping the adbd service. Try flashing the attached boot image instead and see if that fixes it. It is the same as above, except that persist.service.adb.enable is ignored.
edit: I took a look at the December update; afaict it should pose no problem (very few changes in there).
Once these steps are done, how do you install google market?
Thanks.
edit: the original instructions were snafu, so I replaced them with something that should actually work.
Getting Android Market running on the Kyobo
needed files are in the attached archive.
install like so:
Code:
adb remount
adb push DrmProvider.apk /system/app
adb push MediaProvider.apk /system/app
adb push DownloadProvider.apk /system/app
adb push GoogleServicesFramework.apk /system/app
adb push Market-3.4.4.apk /system/app
adb push init.qcom.post_boot.sh /system/etc
adb push fix-shared-user.sh /data/local/tmp
adb shell chmod 777 /data/local/tmp/fix-shared-user.sh
adb shell /data/local/tmp/fix-shared-user.sh
Wait for the reboot, find Market in the menu, and off you go (with downloads this time ;-)
If downloads still do not work after this, try re-executing the last line. Android periodically writes to the file we are modifying, which might clobber our changes if unlucky.
I am thinking about buying one of these because I have seen it on sale for 50% discount. However, the general reviews aren't too encouraging, so will rooting make any difference to overall performance?
fatboy1976 said:
I have seen it on sale for 50% discount.
Where is that?
throwaway4096 said:
you'll need GoogleServicesFramework.apk and Market-3.4.4.apk from the following links:
http://androidmarketu.googlecode.com/files/GoogleServicesFramework.apk
http://forum.xda-developers.com/showthread.php?t=1391565
install like so:
Code:
adb remount
adb push GoogleServicesFramework.apk /system/app
adb push Market-3.4.4.apk /system/app
find Market in the menu and off you go.
I'm finding the market force closes when downloading an app.
May I seek help from someone who has rooted recently? I am finding it pretty difficult to get into fastboot. So some questions as I continue to play.
Which version is currently rootable? I bought mine this week and want to be sure it is still applicable with the method here.
Do I need a USB driver to work this hack? EDIT: Yes, found with a web search.
When do I press the volume keys? Immediately after power? Similar timing? When I see the flicker on the screen? When I see the logo? Before all that? EDIT: I did not need the volume up key to get into fastboot.
Thanks!
Rooting for beginners
Some friends and I ordered the Kyobo to solve our eye problem (nystagmus).
We still can't figure out how to root it.
Can you please give us some rooting instructions for beginners??
It would be so essential for us, as the Kyobo is of little worth without foreign apps!
Thank you very much!
Joe
send2toonie said:
I'm finding the market force closes when downloading an app.
Hi, I am stuck with the same problem. Have tried many things?!
smb_gaiden said:
May I seek help from someone who has rooted recently? I am finding it pretty difficult to get into fastboot. So some questions as I continue to play.
Which version is currently rootable? I bought mine this week and want to be sure it is still applicable with the method here.
Do I need a USB driver to work this hack? EDIT: Yes, found with a web search.
When do I press the volume keys? Immediately after power? Similar timing? When I see the flicker on the screen? When I see the logo? Before all that? EDIT: I did not need the volume up key to get into fastboot.
Thanks!
Hi, managed to root my Kyobo after about 8 h of trying. I installed the firmware update on my Kyobo, which is found on the web, as instructed from the SD card. Then I installed fastboot and adb on my computer (search for 'how to install fastboot and adb'), as I found instructions for that as well. To enter fastboot I held the Kyobo's volume down button for about 10 sec when booting the device (Kyobo connected to computer with USB) - nothing happens -> however, in my computer's command window (cmd), the 'fastboot devices' command produces an answer with '? ..' as it should. The biggest issue I had was to get adb working. For this purpose I installed and removed a couple of USB drivers - I don't really know how I got it to work finally.
You can tell if you have succeeded in installing a useful USB driver if you enter the 'adb devices' command in the cmd window and it returns a device number. Then you are ready to go with the rest of the commands/instructions as seen in the instructions of this thread.
From the blackmart application I was able to install many useful applications - the Launcher application can replace the Kyobo "home" application, which is very useful.
I installed android market as well, but so far I have not been able to download and install applications. I think It might be a permission issue between kyobo software and the installed android market?
Hey Guys!
Is there a way to root the Kyobo via microSD?
thanks a lot
Joe
Hey Joe. I've seen you on this forum as well as The Digital Reader asking for help with the Kyobo rooting. I too am a beginner and I'm trying to build up the nerve to try it. Wish us both luck and I hope someone can share rooting-for-dummies with us.
@fatboy1976: Rooting won't improve performance in itself. It makes the device better as you can install apps, but ofc the hardware is still the same.
@send2toonie: Yes, sorry about that. It worked for me, but only thanks to other changes. It's hard to keep track :-/. I updated the original post with new instructions which should work properly.
@smb_gaiden: Hah, excellent, I never tried that! Original post updated.
@Joe84: It should be possible to root via microSD by creating an update.zip. I haven't gotten around to trying that yet, but maybe in future. For now this is as simple as it gets.
Kaarlos said:
Hi, I am stuck with the same problem. Have tried many things?!
Hi, Managed to root my kyobo after about 8 h trying. I installed the firmware ...(updated -see above..) .., which is very useful.
I installed android market as well, but so far I have not been able to download and install applications. I think It might be a permission issue between kyobo software and the installed android market?
Jep! With the updated instructions the Android Market now finally works!! Thanks! (Installed twice)
Kaarlos said:
Jep! With the updated instructions the Android Market now finally works!! Thanks! (Installed twice)
Hi,
Could you post the OS/processor version and driver name that got adb working for you. If you can also remember the keys pressed to put the Kyobo in the correct boot mode for adb, that would be nice too.
I have also managed to load apps on my Kyobo, but that is without having su, Superuser, adb and Android Market working. The above info would be helpful in fixing that. Holding the volume down for 10 seconds after pressing power on puts the Kyobo into fastboot mode. Adb requires a different mode and set of key presses. This is because there is a menu of boot options being displayed which can't be seen on the Mirasol screen. I suspect this is because of display settings within the boot.img, but that is only a guess on my behalf.
Hello:
I'm a buyer of an Iview 760TPC (chinese 1.3Mpx camera version).
The reason I'm writing is because it's been some days of reading and trying things to get everything unlocked, and it seems that it is really impossible to flash a new firmware or to get root. I'm getting really mad.
- I have managed to get adb recognize the tablet on linux and on windows. Despite of that, I get "adbd cannot run on production builds".
- If I do an 'adb shell', I get a prompt (with no superuser privileges). If I try to 'su', I get a "Passwd:" prompt , so I cannot get a superuser prompt to remount the filesystems, neither push any file to /system.
Browsing, I see there's no 'su' in /system/bin but there is one in /system/xbin. It is a read-only filesystem and I cannot push anything.
- I installed root explorer but cannot mount R/W the filesystems.
- Installed Busybox installer. Says that the tablet is rooted, but when I try to install busybox, says that I have not permissions. Same if I try one of the upgrade menus of superuser. There are not privileges.
- I tried many times, to flash a firmware with the livesuit method, but the tablet is not being recognized. When I do the combination to enter the flashing mode, it boots a like a recovery with 4 options:
1) erase user data partition
2) enter adfu
3) upgrade firmware from sdcard
4) exit menu
I'm interested in the 3rd option, but I can't find any information on the process itself (where to put the firmware, if it's the same img as with the livesuit method, and what name the file needs to have).
There's also an ADFU mode that I don't understand, but Windows recognizes a new device when I enter it (though there's no driver or information I can find). The screen gets a bit of white color, and the only way to exit from there is to press home+power buttons without the USB cable.
I've tried superoneclick but it doesn't work because there's not 'su' binary. Same happens with the installers of the CWM, not working because there's no 'su' (so I could flash a file with any kind of name)
Any help would be appreciated. Sorry for my engrish and for asking so much, but I don't know how to proceed ;-)
Thanks
What version of Android is the device running? You could try manually pushing an exploit binary (e.g. zergrush) onto the device and executing to get temp root, at which point you should be able to mount /system as R/W and then push the su binary to /system/bin
The exploit binary to use would depend on the version of Android though. zergrush is for 2.3 I think (maybe 2.3.something). For early versions of ICS (4.0), there is mempodroid (might have spelt that wrong).
EDIT: Also, everything you can do over ADB, you could do by installing SSHDroid on the device and connecting via SSH from a computer.
Thanks a lot for your answer SifJar:
The tablet comes with ICS 4.0.3 and 3.0.8 kernel.
Superoneclick has the psneuter and zergRush exploits(neither of those seem to work for me).
Found this thread:
http://forum.xda-developers.com/showthread.php?t=1461736
Edit: It does not work for me:
./adb shell
[email protected]:/ $ chmod 777 /data/local/mempodroid
[email protected]:/ $ /data/local/mempodroid 0xd9ec 0xaf47 sh
/system/bin/sh: /data/local/mempodroid: not executable: magic 7F45
Thanks
Installed SSHDroid from the Play Store, but does not work either.
I get:
Can't generate RSA keys: sh <stdin>[1]: /data/data/berserker.android.apps.sshdroid/dropbear/dropbearkey: not executable: magic 7F45
Don't really know what else can I do.
Thanks
mempodroid requires a different offset for each device. "0xd9ec 0xaf47 sh" is for the Eee Pad Transformer Prime. You need to get the right offset for your device. You can try this to do that: http://forum.xda-developers.com/showthread.php?t=1612591
EDIT: But it looks like your device may not be able to run standard Android binaries, which would be quite an inconvenience for trying to root it.
SifJar said:
mempodroid requires a different offset for each device. "0xd9ec 0xaf47 sh" is for the Eee Pad Transformer Prime. You need to get the right offset for your device. You can try this to do that: http://forum.xda-developers.com/showthread.php?t=1612591
EDIT: But it looks like your device may not be able to run standard Android binaries, which would be quite an inconvenience for trying to root it.
I think I should reflash a new firmware from the recovery that it has from the factory, but there's no way I can do it. I mean, it is supposed to have a special mode that you enter with a button combination and then flash with LiveSuit, but on this Chinese clone that combination of buttons does not seem to work.
From the recovery, ADFU seems to mean Actions Device Firmware Update. There's some information here: http://wiki.s1mp3.org/USB_modes
- If I put the device in ADFU mode, Windows asks for a USB driver (which I don't have, or which doesn't exist either)
- Another thing. There's flashing from the sdcard, which it seems to support, but there's no information or manual about where the firmware is supposed to go, the name of the file, or whether it needs to be zipped (and which file/s inside and their names), ...
Thanks
It's possible the flashing from sd card supports standard update .ZIPs. You could try this one, it's a ZIP that should work for rooting most Android devices I believe. Superuser.zip
(This is from a topic on the HTC Explorer phone, but there is nothing specific to that phone in the ZIP as far as I know)
EDIT: This ZIP doesn't overwrite the firmware or anything, all it does is add su, busybox and Superuser to the existing /system partition.
EDIT: If selecting the "Update firmware from SD card" option doesn't give the option to browse for a ZIP, rename it to "update.zip" and place it in the root of the card and try again.
SifJar said:
It's possible the flashing from sd card supports standard update .ZIPs. You could try this one, it's a ZIP that should work for rooting most Android devices I believe. Superuser.zip
(This is from a topic on the HTC Explorer phone, but there is nothing specific to that phone in the ZIP as far as I know)
EDIT: This ZIP doesn't overwrite the firmware or anything, all it does is add su, busybox and Superuser to the existing /system partition.
EDIT: If selecting the "Update firmware from SD card" option doesn't give the option to browse for a ZIP, rename it to "update.zip" and place it in the root of the card and try again.
Thanks a lot. It does not have a browsing option, so I need to know the required name. It does not seem to work with the update.zip method.
Does it try to install update.zip and give an error or does it say there is no update on the SD card?
Also, can you try and extract the su binary you said is in /system/xbin and post it here? There's something I would like to check.
EDIT: From adb shell, type the following, without quotes, "cat /proc/cpuinfo" and post the output here please
EDIT: Another silly suggestion - you could try guessing the password su asks you for. Maybe it's something obvious like "root" or "admin".
SifJar said:
Does it try to install update.zip and give an error or does it say there is no update on the SD card?
Also, can you try and extract the su binary you said is in /system/xbin and post it here? There's something I would like to check.
EDIT: From adb shell, type the following, without quotes, "cat /proc/cpuinfo" and post the output here please
Seems that it does not even try to update, no error message, nothing. I tried putting the update.zip in both /sdcard (internal sdcard) and /sd-ext (microsd)
Code:
[email protected]:/ $ cat /proc/cpuinfo
system type : actions-atv5201
processor : 0
cpu model : MIPS 74Kc V5.0 FPU V0.0
BogoMIPS : 719.25
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0000, 0x0460, 0x0868]
ASEs implemented : mips16 dsp
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available
I have attached the 'su' binary from /system/xbin
Also:
Code:
$file su
su: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked (uses shared libs), with unknown capability 0xf41 = 0x756e6700, with unknown capability 0x70100 = 0x1040000, stripped
But the manufacturer's table description says it has an Allwinner A10 (Cortex A8). That does not seem to be true, right?
Thanks
Looks like a MIPS processor then, not an ARM as most Android devices have. That explains why the exploits don't run and SSH didn't work: both use code compiled for ARM processors. It also means a standard su binary won't work on that device. You'll need one compiled for MIPS.
Does the update from sd card give any sort of error?
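The "not executable: magic 7F45" error and the `file su` output above are the same fact seen twice: the file is a valid ELF image, just built for a different CPU. The following added example (my own code, not anything from this thread) reads the `e_machine` field from an ELF header and compares it with the CPU family named in `/proc/cpuinfo`, so a mismatch like this MIPS tablet is caught before a binary is pushed. The sample headers and the cpuinfo line are constructed inline; the cpuinfo matching is a heuristic on a few family names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ELF e_machine values from the ELF specification (only the ones compared here). */
#define ELF_EM_386      3
#define ELF_EM_MIPS     8
#define ELF_EM_ARM      40
#define ELF_EM_X86_64   62
#define ELF_EM_AARCH64  183

/* Return e_machine from the first 20 bytes of a file, or -1 if it is not an
 * ELF image. The shell's "not executable: magic 7F45" message in the thread
 * quotes exactly the first two of these bytes (0x7f 'E'): a good ELF file,
 * just for the wrong CPU. */
int elf_machine(const unsigned char *buf, size_t len)
{
    if (len < 20 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    unsigned char data = buf[5];            /* EI_DATA: 1 = LSB, 2 = MSB */
    if (data != 1 && data != 2)
        return -1;
    /* e_machine is a 16-bit field at offset 18 in both ELF32 and ELF64. */
    unsigned lo = buf[18], hi = buf[19];
    return data == 1 ? (int)(lo | (hi << 8)) : (int)((lo << 8) | hi);
}

const char *elf_machine_name(int machine)
{
    switch (machine) {
    case ELF_EM_386:     return "x86";
    case ELF_EM_MIPS:    return "MIPS";
    case ELF_EM_ARM:     return "ARM";
    case ELF_EM_X86_64:  return "x86-64";
    case ELF_EM_AARCH64: return "AArch64";
    default:             return "unknown";
    }
}

/* Heuristic: map the "cpu model" / "Processor" text of /proc/cpuinfo to an
 * e_machine value. Returns -1 when no known family is named. */
int cpuinfo_machine(const char *cpuinfo)
{
    if (strstr(cpuinfo, "MIPS"))    return ELF_EM_MIPS;
    if (strstr(cpuinfo, "AArch64")) return ELF_EM_AARCH64;
    if (strstr(cpuinfo, "ARMv"))    return ELF_EM_ARM;
    if (strstr(cpuinfo, "x86_64"))  return ELF_EM_X86_64;
    return -1;
}

/* 1 if the binary targets the CPU family, 0 if it does not, -1 if unknown. */
int binary_matches_cpu(const unsigned char *buf, size_t len, const char *cpuinfo)
{
    int b = elf_machine(buf, len), c = cpuinfo_machine(cpuinfo);
    if (b < 0 || c < 0)
        return -1;
    return b == c;
}

/* Constructed sample data: the first 20 bytes of an ELF32 LSB EXEC header for
 * MIPS (e_machine 8) and for ARM (e_machine 40), plus the cpuinfo line that
 * was posted in the thread. */
static const unsigned char mips_hdr[20] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 8, 0 };
static const unsigned char arm_hdr[20] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 40, 0 };
static const char mips_cpuinfo[] = "cpu model : MIPS 74Kc V5.0 FPU V0.0\n";

int main(void)
{
    printf("MIPS binary on this CPU: %d\n",
           binary_matches_cpu(mips_hdr, 20, mips_cpuinfo));
    printf("%s binary on this CPU: %d\n",
           elf_machine_name(elf_machine(arm_hdr, 20)),
           binary_matches_cpu(arm_hdr, 20, mips_cpuinfo));
    return 0;
}
```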
No. It does not say anything. I'll try to find the right update.zip for the MIPS architecture. Perhaps it could work.
Edit: Found this https://rapidshare.com/files/2288417520/Superuser-3.0.7-mips32r2-ics_signed.zip , but it does not seem that I can flash it from the recovery with the update.zip method.
Thanks a lot Sifjar
I'm afraid I'm now out of suggestions. The last piece of advice I can give is try and find an official update for the tablet from the manufacturer and investigate the format of that update, to try and identify how an update should be formatted/named for your device.
Thank you SifJar. You helped me a lot to find what happens with this tablet ;-)
I've read of more people buying Allwinner A10 tablets on efox and receiving different ones (lower specs and usually MIPS based). I would not recommend buying from this seller because it does not even answer your questions or give you support.
I'm pretty sure that it could be one of the clones of the Ainol Novo7 Paladin/Basic. I'll try to find it.
dreamer_ said:
Thank you SifJar. You helped me a lot to find what happens with this tablet ;-)
I've read of more people buying Allwinner A10 tablets on efox and receiving different ones (lower specs and usually MIPS based). I would not recommend buying from this seller because it does not even answer your questions or give you support.
I'm pretty sure that it could be one of the clones of the Ainol Novo7 Paladin/Basic. I'll try to find it.
Well I believe from a bit of reading about the Ainol tablet you should be able to type "adb remount" and then "adb root" to get root access from adb on that tablet. Then you can push a MIPS su binary to the device and be done with it. But it depends how close a clone it is whether the same will be true for your tablet I guess.
EDIT: Have you found any way to access a fastboot mode? (Possibly the command "adb reboot bootloader" would work) If the bootloader isn't locked, you may be able to extract the system.img, root the img and then flash it back with fastboot. Although that is something I have only heard about, I have no experience in how one would go about rooting the system.img. (Extracting it from the phone and flashing back isn't overly hard).
I have tried both things with no success. The remount fails and I don't have root access then (and R/O filesystems).
adb reboot bootloader just reboots the device.
I have found a post from a guy http://tabletrepublic.com/forum/other-tablets/actions-cpu-android-tablet-actions-atm7013-1-3ghz-cpu-2087.html#post20776, who seems to have the same tablet as me (or both tablets seem to be the same MIPS-based one).
I still think that it could be a Novo 7 Basic/Paladin clone and it does have the same recovery and the DFU mode. I'm downloading the tools and FW from the Paladin, but it seems to be impossible to find anything more about my tablet.
Thanks
dreamer_ said:
I have tried both things with no success. The remount fails and I don't have root access then (and R/O filesystems).
adb reboot bootloader just reboots the device.
I have found a post from a guy http://tabletrepublic.com/forum/oth...ctions-atm7013-1-3ghz-cpu-2087.html#post20776, who seems to have the same tablet as me (or both tablets seem to be the same MIPS-based one).
I still think that it could be a Novo 7 Basic/Paladin clone and it does have the same recovery and the DFU mode. I'm downloading the tools and FW from the Paladin, but it seems to be impossible to find anything more about my tablet.
Thanks
This is one of the big issues with China-based devices. Not only do they have really limited development, they tend to use non-standard hardware so none of the current things work on them. Then toss in the fact that the hardware is not always what it is said to be.
Sent from my SGH-I897 using Tapatalk 2
The USB drivers for the Novo Paladin didn't work for me... If only I could flash a CWM recovery for my tablet, perhaps I could then flash the superuser.zip with the 'su' binary that SifJar mentioned.
zelendel said:
This is one of the big issues with China-based devices. Not only do they have really limited development, they tend to use non-standard hardware so none of the current things work on them. Then toss in the fact that the hardware is not always what it is said to be.
Yes... my problem has been mainly that on the efox website they are basically lying to you in the product description, and selling a thing that is not what they say.
Coincidentally, there's also an IVIEW tablet on the market, exactly like mine, made only for the Chinese market (without the IVIEW lettering and the 1.3 Mpx camera)... and that was what I thought I had bought, a Chinese IVIEW (my mistake).
You really need to see the cpuinfo to see that, and not everybody will do it....
Thanks
If you download this: usbview.zip
You can use it to find the vendor ID (app shows it as IdVendor) for your device (put it in the DFU mode thing first), and then you could try using fastboot and specifying the vendor ID with -i argument, it might work without drivers then (not sure if this is right, but I think something similar was done with the Kindle Fire)
Just try something like
Code:
fastboot -i 0xFFFF devices
replacing 0xFFFF with the vendor ID from that app, to see if it detects it at all
Thanks. It does not seem to return anything (a return). It works with '-i device' at the end of the line.
Code:
fastboot.exe devices -i 0x10D6
ADB does give me this:
Code:
c:\sonec>ADB\adb.exe devices
List of devices attached
Actions Semi. 23711DF4 device
I have just updated my Prime and I had not rooted it on ICS. Is it possible to root JB without rooting beforehand?
No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.
Without restoring root with OTA RootKeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions; follow the links for the files you need.
tonesy said:
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
lol, must be a joke.... dead link.
I have been actively pursuing this. Without a bootloader unlock, I don't believe so.
If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.
hx4700 Killer said:
lol, must be a joke.... dead link.
I have been actively pursuing this. Without a bootloader unlock, I don't believe so.
He posted a bad link, but it doesn't work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean
Thread moved
Thread moved. This is clearly belonging into Q&A. Please post in correct Sub-Forum.
peace
jotha - forum moderator
Does anyone know if anyone with development capability is trying to find a way to root JB?
I talked to bin4ry about his root method in hopes of working with him on modifications for the Prime, but he is telling me his mod is making the change he is exploiting, according to what I am seeing, but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldn't get out of him what exactly his "restore timing exploit" is, but I understand everything after that.
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.
Perhaps we can turn this thread into, or possibly start a new one about, the different things people (devs and/or the technically savvy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
Here's what I have found.
From the PC, creating an adb shell allows me to ls /data/local/tmp/, but from a tablet's terminal emulator (shell?) I can't.
Typing id from both it becomes obvious why
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009
(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt)
,3003(inet),3006(net_bw_stats)
from the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw), 1028(sdcard_r),
3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an Android-supplied command called "run-as". Its limitations became obvious when I looked at the source code for it. You need an application package that is debuggable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid(), but they both failed no matter what value was plugged into them based on the UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debuggable and see what that yields, but it's looking like a convoluted process, especially considering that run-as may not work as intended on the Prime's JB.
PS I want to state that I know precious little about linux and even less about the android layer above it...
Just as an FYI, the way bin4ry's tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 into local.prop, then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.
Yes, I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
It would indeed be interesting to see if changing "qemu" flags it as a non-production build. My SGS is rooted with CM10 nightlies; I might try toggling the value on that and see what adb says.
Run-as
abazz said:
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an Android-supplied command called "run-as". Its limitations became obvious when I looked at the source code for it. You need an application package that is debuggable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid(), but they both failed no matter what value was plugged into them based on the UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
Yes. I noticed the permissions on that file as well. I'm not an Android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal]).
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with C4droid probably won't work, as its permissions are whatever group it (C4droid?) was assigned at install.
So, how does one / can one specify that the package is supposed to be root (uid 0)? I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a complete non-issue. But is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
elschemm said:
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with C4droid probably won't work, as its permissions are whatever group it (C4droid?) was assigned at install.
Yes, you are correct. The setresuid() function will not give you permissions greater than those of the process it's running in.
So, how does one / can one specify that the package is supposed to be root (uid 0)? I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a complete non-issue. But is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
It's worse than that: the package also has to be debuggable.
There is some info out there on how to sign a package with the appropriate system permissions, so it would be interesting to actually do this and see what, if anything, can be done.
I downloaded the ASUS unlock package and passed it through the apk tool to see what it does, as it obviously would need root access. As root access is all I require, the code it shows is irrelevant really; it's the fact that it gains root access with its signature and also the uid that is set in the manifest, android:sharedUserId="android.uid.system". This and, most importantly, android.permission.MOUNT_UNMOUNT_FILESYSTEMS. Without these things we can't change anything in the directories we need.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Yes, that's what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a C program that uses the setresuid() function call, thereby bypassing the need to have an appropriate package installed. As it didn't work I'm having doubts whether it would work even if the right package were there. run-as did make reference to package.h, which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I don't really see how this will work...
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
Yeah, found the source here
I also searched for Linux exploits; there are massive lists of them, most of them patched by now, but I assume the Linux base in JB would be somewhat different to what's getting around on x86 systems.
On anather note I have tried bin4ry's "root many" method , using the restore timing exploit but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It makes a symbolic link to the build.prop in com.android.settings...../file99, which was successful after pressing restore, but that's about it. Perhaps I should fire up Ubuntu and try the Linux script instead of the Windows .bat file.
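The setresuid() failures abazz saw from C4droid come down to one kernel rule: a process without CAP_SETUID may only move its real, effective and saved uids among the values it already holds, which is why run-as (setuid root) can switch to a package's uid while an app-uid process calling the same function gets EPERM. The following added example (my own code, not from this thread or from run-as) shows that rule on any Linux host: it reports the current ids, tries setresuid(0,0,0), and then drops to the real uid, which is always allowed. The `can_switch_to_root()` check assumes that an effective uid of 0 carries CAP_SETUID.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Try setresuid(target, target, target). Returns 0 on success, else errno. */
int try_setresuid(uid_t target)
{
    if (setresuid(target, target, target) == 0)
        return 0;
    return errno;
}

/* Kernel rule for a process without CAP_SETUID: each new id must already be
 * one of its real, effective or saved uids. An app uid (u0_a126 above) or the
 * adb "shell" uid 2000 can therefore only shuffle its own ids, never reach 0.
 * Returns 1 if switching to uid 0 would be permitted, 0 otherwise. */
int can_switch_to_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    /* Assumption: euid 0 carries CAP_SETUID; r == 0 or s == 0 is allowed outright. */
    return r == 0 || e == 0 || s == 0;
}

/* Write "uid=R euid=E suid=S" for the calling process, a minimal `id`.
 * Returns the number of characters written, or -1 on error. */
int describe_uids(char *out, size_t n)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return snprintf(out, n, "uid=%u euid=%u suid=%u",
                    (unsigned)r, (unsigned)e, (unsigned)s);
}

int main(void)
{
    char ids[64];
    describe_uids(ids, sizeof ids);
    printf("before: %s\n", ids);

    int rc = try_setresuid(0);
    printf("setresuid(0,0,0): %s\n", rc == 0 ? "succeeded" : strerror(rc));

    /* Dropping to the real uid is always allowed: it is one of the current ids. */
    rc = try_setresuid(getuid());
    printf("setresuid(getuid()): %s\n", rc == 0 ? "succeeded" : strerror(rc));

    describe_uids(ids, sizeof ids);
    printf("after: %s\n", ids);
    return 0;
}
```

Run it as an ordinary user and the first call reports "Operation not permitted" while the second succeeds; run it as root and both succeed, which is exactly the difference between a setuid-root helper such as run-as and a program started from an app's own uid.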
Interestingly, this guys root method for the Razr M makes use of Run-as if you look at the batch file.
He is essentially doing a "fake package" install then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU, and also implementing run-as.
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627
I fear that few developers remain interested in finding a way to root the Transformer Prime with Jelly Bean, because all of them already had their tablets rooted with ICS and managed to maintain root across the upgrade.