Casio Commando users just got the Gingerbread 2.3.3 update via Verizon.
With Froyo I had easily used SuperOneClick to root my Commando and assumed Gingerbread (with Gingerbreak) would be no more difficult...BUT I WAS WRONG.
Gingerbreak does not work.
I've tried v1.0-.1-.2 of Gingerbreak and numerous iterations of SOC to no avail. Even retried with a factory reset.
I've read that there is little support for this particular phone because of its somewhat niche status, but felt it worthwhile to start this thread in the hopes of locating and consolidating any other users with the same problem/possible solutions, but let's consider it a question thread just the same.
Have I missed an obvious method to root my newly updated Gingerbread (2.3.3) Casio Commando?
since this has received a handful of views and there is still no information/confirmation from any other commando users or anyone with any more knowledge than me, i'm going to give this thread one bump and then call it quits.
again: if you are a commando user in the same boat as me or have any leads on how to re-root after the update to gingerbread 2.3.3, please post it.
thanks, everyone.
Same Problem Sir
Same Problem, I installed 2.3.3. as well and lost root. Have tried different tactics using superoneclick to include psuneuter and ginger. The computer I was using has the Casio drivers so it was not "Waiting on Device". If needed I can post the output from superoneclick to show why it failed. Currently at work and do not have the capability.
Any help is appreciated.
I've already compared my SOC errors against issues with the same brand and different brands, and regardless of variance in method the failure repeats (the majority agreeing that it is a failure in the exploit, specifically the inability of SOC to read/write/remount at the end of the root process).
Has anyone tried rooting the 2.3.3 Commando with something other than SOC or Gingerbreak?
I am in the same boot. On top of that my display got corrupted in the process. It displays only stripes in the lower two thirds of the screen.
Any hints on how to recover from that?
Cheers
I am working on the root problem as well, I'll let you know if I have any success today. Feel free to ask if someone to test or verify something.
I am new at this but I understand that the os for the androids are based on Linux, have you tried a program in Linux? Just a question seeing as so far I have not found any there but I may not be looking in the right area.
No luck so far. I'll still be looking at it this week. The garbled offer above still applies, I'm available if anyone needs any testing or verification.
Any luck on this yet?
root
.. okay so new to the forum and excited to learn. so, not sure what everyone means by root. do have casio commando, and received auto 2.3 update. things seem to be fine, however it made my music all unknown artists and unknown titles. when i do go into any unknown tho, the title (s) of songs do appear.
I sure hope somebody can come to our aid and root gb 2.3. I never should have allowed the OTA stupid stupid stupid
Root means you own your phone. You have access to all files and can do whatever you want, like remove all the preinstalled crapware. Improves phone functions and the battery lasts longer.
Go figure, I finally decide to root my phone a week after it's made (temporarily I hope) impossible. I'm not versed in the languages required to work around this, but would love to help find a solution in any way I can.
Have there been any discoveries or developments regarding rooting the Commando post GB update? Maybe solid theories at least?
Is there anything that an average user such as myself could do to at least provide data to anyone willing to work around the GB block?
interesting, kixxit. this may have something to do with whatever app you are using as a media handler not being updated for a 2.3.3 OS.
as to the topic of the thread, i've still heard nothing about successful exploit discoveries but i will continue to scan the net and relevant forums daily until something changes.
good luck everyone, phone just doesn't feel right unrooted with all that bloat.
Anyone having any luck? Is the update even needed? I mean if I just keep the froyo, will there come a time that I need gingerbread?
I hope we can root this bad boy again...
I have the same exact problem. Tried every version of Gingerbreak with no success. I hope that there is a solution for our phones soon so we can root.
Root-possible!!
Ladies and gentlemen,
Thanks to the Revolutionary team, CrimsonSentinal18, over in the Xperia Play section, Cl8rs for bringing this to the attention of some of the Xperia Play members, the Casio Commando running 2.3.3 has root!!
Here are step by step instructions to getting root on your phone!!
(I did it on my wife's Casio Commando, it worked, but she didn't want root, so i unrooted it right after I got root checker to say "You have root!")
Update!!: Guide! With Pictures!
At dropbox.com: http://db.tt/RaAUnzjW
At Ubuntu one: http://ubuntuone.com/64OujxgkGMv1N2QSoPmXin
or at Filesonic: http://www.filesonic.com/file/2711952454
(or attached)
Note: Android SDK Download link: http://developer.android.com/sdk/index.html
If you have any questions, i'll be lurking with answers!
Update: So far we have at least 10 people who have confirmed rooting possible! (people who actually left me a message) ... no unfixable errors yet (i.e. no bricking)
Thanks for the post paxChristo!
I ran into trouble while installing the "superuser.apk".
When I re-ran the routine I am getting stuck with permissions trouble.
See below for a screen shot of how zergRush fails to run its thing even though it worked the first time around and told me I am rooted.
--------------------------------------------------------------------------------------------------
C:\Program Files\Android\android-sdk\platform-tools>adb push "c:\droid\zergRush" /data/local/tmp
push: c:\droid\zergRush/zergRush -> /data/local/tmp/zergRush
push: c:\droid\zergRush/Superuser.apk -> /data/local/tmp/Superuser.apk
2 files pushed. 0 files skipped.
1690 KB/s (780946 bytes in 0.451s)
C:\Program Files\Android\android-sdk\platform-tools>adb shell
$ chmod 755 /data/local/tmp/zergRush
chmod 755 /data/local/tmp/zergRush
$ /data/local/tmp/zergRush
/data/local/tmp/zergRush
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[-] Cannot copy boomsh.: Permission denied
$ adb remount
adb remount
adb: permission denied
-----------------------------------------------------------------------------------------------
I restarted the phone but no Superuser app and when I try other apps like "SetCPU" I get the "no root access detected" errors.
Some help would be appreciated.
Thanks!
Any time you restart your phone (without making it all the way through, or even after unless you install insecure adb) you need to run zergRush to regain root privileges,
BUT before running zergRush go into adb shell and type:
1) "rm /data/local/tmp/boomsh"
2) "rm /data/local/tmp/sh"
What problems do you have installing Superuser.apk?
I've tried many apps to root my phone, with the same results! None of them have worked, no matter how many times I tried.
SuperOneClick v2.1.1.0
Checking drivers...
Killing ADB Server...
* server not running *
OK 0.09s
Starting ADB Server...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
OK 4.19s
Waiting for device...
OK 0.09s
2.3.4
Getting manufacturer...
zte
OK 0.02s
Getting model...
X500
OK 0.02s
Getting version...
eng.ztemt.20110910.015846
OK 0.02s
Checking if rooted...
False
OK 0.05s
Installing BusyBox (temporary)... - Step #1
1107 KB/s (1062992 bytes in 0.937s)
OK 1.03s
Installing BusyBox (temporary)... - Step #2
OK 0.09s
Rooting device... - Step #1
OK 0.08s
Rooting device... - Step #2
OK 0.05s
Rooting device... - Step #3
116 KB/s (16830 bytes in 0.140s)
OK 0.25s
Rooting device... - Step #4
OK 0.05s
Rooting device... - Step #5
OK 0.03s
Rooting device... - Step #6
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x0001536c
[+] Using device /devices/platform/msm_sdcc.1/mmc_host
[*] vold: 0000 GOT start: 0x0001536c GOT end: 0x000153ac
OK 24.14s
Rooting device... - Step #7
OK 26.09s
Remounting /system with read-write access...
mount: Operation not permitted
FAILED
These are results from superoneclick 2.1.1
Model X500 Android 2.3.4
BASEBAND version ZTE-C X500_31_Z10_S_TS3BG312A_05
KERNEL [email protected]#1
BUILD#SAME AS BASEBAND
Can I get some input or ideas, thanks!
Here is an article on how to do it - there is one on how to unroot too from the same site: score.rockthatmobile.com/how-to-root-the-cricket-zte-score-x500/
Thanks for the info. By the way does anyone know where I can find a custom rom for this phone. I know it is not a popular phone. But I would like to see a custom rom.
darnell3515 said:
Thanks for the info. By the way does anyone know where I can find a custom rom for this phone. I know it is not a popular phone. But I would like to see a custom rom.
with how unpopular the phone is there won't be much selection but remember, google is your friend.
oh...2011 oops
unlock
Hi I purchased ZTE Score X500 it's CDMA2000 1X EVDO Digital Mobile Phone, Android 2.3.4 Kernel ver. 2.6.35.7-perf+ Software version ZTE-C X500_31_Z10_S_TS3BG312A_05
Since I am in Canada I can not use it.
I like the phone it has everything I need WIFI, GPS and all phone features plus pre-loaded with some applications. It doesn't have sim card and I wonder if it can be unlocked to be able to use it here in Canada. Appreciate any response.
Just want to add that it is great as GPS, you can install any nav-software that is for android and you do not have to have data plan. So if you are looking to buy a GPS I highly recommend to buy this one. You get GPS with WIFI and BT for $70. Where can you get that??? Also is there an application that will allow me to erase some of the applications that are custom installed and also is there a registry editor or desktop manager. Any help will be appreciated.
ztex500 said:
Hi I purchased ZTE Score X500 it's CDMA2000 1X EVDO Digital Mobile Phone, Android 2.3.4 Kernel ver. 2.6.35.7-perf+ Software version ZTE-C X500_31_Z10_S_TS3BG312A_05
Since I am in Canada I can not use it.
I like the phone it has everything I need WIFI, GPS and all phone features plus pre-loaded with some applications. It doesn't have sim card and I wonder if it can be unlocked to be able to use it here in Canada. Appreciate any response.
Just want to add that it is great as GPS, you can install any nav-software that is for android and you do not have to have data plan. So if you are looking to buy a GPS I highly recommend to buy this one. You get GPS with WIFI and BT for $70. Where can you get that??? Also is there an application that will allow me to erase some of the applications that are custom installed and also is there a registry editor or desktop manager. Any help will be appreciated.
I believe you need to Root your phone. I did and after I used Terminal Manager to erase some of the programs you are talking about, until I found Titanium Backup which lets you uninstall those programs A LOT easier.
rooted w/ the above method, worked like a charm, only took about 15 mins, no hiccups (compared to my epic 4g touch, first foray into rooting... took like 3 nights of trial and error...).
anyway for those wondering, this $50 prepaid phone from cricket is dope. with root i can tether off this thing, unlimited. used titanium backup to get rid of bull**** muve bloatware... this thing does not have carrieriq on it... only thing i would love is some custom roms!!
i'm real new to the root scene, only had an android since e4gtouch came out and i'm happy as hell.
i needed a second line, picked up this cheapo phone, and i'm really quite satisfied.
anyway i registered just to thank furiousnn for the sharing. peace out!
AmokGolgrath said:
I believe you need to Root your phone. I did and after I used Terminal Manager to erase some of the programs you are talking about, until I found Titanium Backup which lets you uninstall those programs A LOT easier.
Thanks
I rooted with no problem. Was hesitant to uninstall cricket applications.
Anyway I gave it a shot and uninstalled all except my account and rebooted and so far everything works good. Now I have to optimize and install replacement software for video music picture documents and so on.
Instruction: for root I used program "Zerg rush root" for removing applications used "Rom Toolbox"
Question. Does root mean that phone is unlocked if not what needs to be done to unlock so I can use here in Canada.
Thanks any help appreciated.
Root mean.....
Root does not mean the phone is unlocked- root just gives you full use of the Android OS- complete customization. You can use superuser and enable tethering without the tethering plan.
Almost like a pure Google phone is the best way to describe a root in simple terms.
phone on sale
This little one is on sale as described in this post:
http://forum.xda-developers.com/showthread.php?t=1538047
there is some nice discussion going on there about the use of it without activation
Rooted x501
Thanks for your advice. I successfully rooted ZTE x501 cricket using superoneclick.
how do i unroot my zte score.. it only boots to zte logo
I rooted my zte score and i softbricked it it only boots to logo is there any way i can unroot or fix it
..when i connect it to the pc zerg superuser busy box and su pop up what do i do
https://sites.google.com/site/mophocorner/
Site to help with everything Motorola Photon 4G.
Hoping to help with newbies that want to flash, root, unlock, etc. before they get stuck and have to wait for replies to fix their phone. Hopefully this guide will just work and they won't HAVE to post for help. That is the point of this at least! Let me know if there is anything I can add or change and I will gladly give it some thought!
Thanks!
I have updated the page, just so everyone knows!! Check it out!!! Let me know if I am missing anything.
Sent from my Xoom using XDA
The photon torpedo method is needed to root the 2.3.5 version just released.
Sent from my MB855 using Tapatalk 2
THANKS!
Thank you for that. Added the Torpedo root method! =]
Thanks for putting all that info into one spot! Definitely helps out that much more as it is somewhat easier to refer to rather than bouncing from one post to another here in the forums! I would imagine it'll help out many people (including me!).
I'm still fairly new to some things and some times the added explanation of certain topics and/or issues is what's needed to get the job done!
Also, as far as the *photon-torpedo* root method goes... I used that method without an issue on Android 2.3.4. After updating to Android 2.3.5 the other day, I used that same method again without issue and it worked perfectly! Unfortunately (at least from what I've read), being that I updated to 2.3.5, I won't be able to unlock the bootloader as of right now. Not really something I'm too concerned about, being that I hadn't prior to the update anyway.
Sent from my MB855 using Tapatalk 2
I hate to be that guy but this is certainly relevant to the discussion at hand. I used the Photon Torpedo method originally when it first came out. Since then I have kept it stock and performed the OTA updates as they come. After each update I just run the last two commands:
/data/tmp/photon-torpedo.sh
/data/tmp/install-su.sh
Always worked in the past. I just got updated to the new "2.3.5" and I can't seem to get root back. The photon-torpedo script has multiple errors "libpcprofile.so cannot be loaded as audit interface" and "permission denied". Consequently the install-su script doesn't succeed. Can't mount /system as RW and everything is permission denied.
Worst part is that the SU binary still exists in /system/bin/su but I can't use it. I get permission denied on everything I try.
Am I borked? Is there something I have forgotten?
Jleeblanch, are you using the new update from Motorola from the soak test?
Grep,
To answer your question, yes. The new update unroots your device so you will have to re-root using the photon-torpedo method again.
I was rooted prior to the update with that method and after the update I was un-rooted! Trying to re-root using Terminal Emulator on device wouldn't work. Got "permissions denied" when running the tar command. But, using adb on the computer worked without a problem!
So basically, just redo the torpedo root method from step 1 and you'll successfully get root back guaranteed!!
Hope that helps!
Also, I had the SU binary in place as you did along with other root specific apps. Those apps are pretty much worthless until you gain root again.
It has been confirmed in the "soak" that 2.3.5 update will completely un-root your device...
Sent from my MB855 using Tapatalk 2
nice. should come in handy for others. even me cuz im kind of a noob.... waiting for way around locked bootloader after 2.3.5 ota
Sent from my Motorola Electrify using XDA
Grep_The_Truth said:
I hate to be that guy but this is certainly relevant to the discussion at hand. I used the Photon Torpedo method originally when it first came out. Since then I have kept it stock and performed the OTA updates as they come. After each update I just run the last two commands:
/data/tmp/photon-torpedo.sh
/data/tmp/install-su.sh
Always worked in the past. I just got updated to the new "2.3.5" and I can't seem to get root back. The photon-torpedo script has multiple errors "libpcprofile.so cannot be loaded as audit interface" and "permission denied". Consequently the install-su script doesn't succeed. Can't mount /system as RW and everything is permission denied.
Worst part is that the SU binary still exists in /system/bin/su but I can't use it. I get permission denied on everything I try.
Am I borked? Is there something I have forgotten?
Jleeblanch, are you using the new update from Motorola from the soak test?
Sent from my MB855 using Tapatalk 2
Root
You could always use root-keeper from the market if you're lazy like me.
the link to the download torpedo is not working
spursrob said:
the link to the download torpedo is not working
The Imperium has your back. I will be upping a new guide and Root-Unlock-Relock pack soon but hosting is changing servers so for now torpedo is attached to this post.
Lokifish Marz said:
The Imperium has your back. I will be upping a new guide and Root-Unlock-Relock pack soon but hosting is changing servers so for now torpedo is attached to this post.
Clearly, I am retarded....I have studied this post 15 times but I can't find any way to see an attachment. Where is it?
cool old lady said:
Clearly, I am retarded....I have studied this post 15 times but I can't find any way to see an attachment. Where is it?
try it now, post 6. Are you on 2.3.4 or 2.3.5? If you're on 2.3.4 then just use the root/unlock/relock pack (the link is at the top of post 6).
OK - I see it now and I've downloaded it - thank you very much. I am on 2.3.5 from the soak test.
Are these still the correct/only instructions? If so I may still be in trouble...my "favorite method....into /data/tmp"? I don't know any method, much less have a favorite.
Instructions:
Use your favorite method to get photon-torpedo.tar into /data/tmp
Install Superuser from the Market
Install Android Terminal Emulator from the Market
Run Android Terminal Emulator
Run cd /data/tmp
Run /bin/tar xf /data/tmp/photon-torpedo.tar
Run /data/tmp/photon-torpedo.sh
Run /data/tmp/install-su.sh
I'm actually on my way to bed. I will write a more detailed walkthrough tomorrow and post it in the Photon Compendium. Eventually I plan to script the entire process but am working on unified webtop stuff right now.
Grep_The_Truth said:
I hate to be that guy but this is certainly relevant to the discussion at hand. I used the Photon Torpedo method originally when it first came out. Since then I have kept it stock and performed the OTA updates as they come. After each update I just run the last two commands:
/data/tmp/photon-torpedo.sh
/data/tmp/install-su.sh
Always worked in the past. I just got updated to the new "2.3.5" and I can't seem to get root back. The photon-torpedo script has multiple errors "libpcprofile.so cannot be loaded as audit interface" and "permission denied". Consequently the install-su script doesn't succeed. Can't mount /system as RW and everything is permission denied.
Worst part is that the SU binary still exists in /system/bin/su but I can't use it. I get permission denied on everything I try.
Am I borked? Is there something I have forgotten?
Jleeblanch, are you using the new update from Motorola from the soak test?
Me too, had to use one click Root (20 times)
Navigate to the Android Market and install the “Superuser” application from ChainsDD
Download and extract 22MB Root-Unlock-Relock.zip from the Imperium website
Go to the "rsd drivers" folder located in the Root-Unlock-Relock folder and install the drivers for your system (32bit or 64bit windows)
Download photon-torpedo.tar
Place photon-torpedo.tar in the "AIO Root" folder located in the Root-Unlock-Relock folder
On your phone, in menu/settings/applications/development make sure usb debugging is checked
Connect your phone to your computer and select "charging" mode from the connections options in notifications
From the "AIO Root" folder, double click the "Command Prompt" shortcut
Type the following commands:
adb push photon-torpedo.tar /data/tmp
adb shell
cd /data/tmp
/bin/tar xf /data/tmp/photon-torpedo.tar
/data/tmp/photon-torpedo.sh
/data/tmp/install-su.sh
Ignore the errors when running torpedo and let the process complete.
Once I get some free time I'll write a single script covering everything from rooting to SBFing back to stock. My goal is to get any given process down to ten keystrokes or less.
Hmph. Well....I think it worked. Root Checker says "congrats" - but wasn't it supposed to wipe all my stuff from the phone or something?
no root doesn't wipe data. (neither does unlock if done right)
Sent from my mopho
Hello everyone
This week I finally got my first android phone ever. Panasonic's P-06D which currently only sells in Japan.
I'm a mediocre tech-freak and I like to have full access on my gadgets, so I thought about rooting it.
Here comes the problem (or rather - question):
Has anyone of you successfully rooted the P-06D or heard of it? I can't find anything on xda-developers, nor did Google (com and co.jp) return anything useful. Here's what I already tried:
- I have tried several one-click root tools like SuperOneClick, but that just froze on me.
- I looked into some batch scripts for automatic rooting. I get the adb shell but every time I try to push busybox, su or debugfs to /data/local/12m, I get a permission error. (failed to copy 'su' to '/data/local/12m': Permission denied)
The P-06D runs Android ICS 4.0.4 - Build number 09.0708. If you need more details, just say so!
Is there anything I've completely missed or are there just no existing rooting for the P-06D?
Thanks for reading and have a nice day!
I have just updated my Prime and I had not rooted it with ICS. Is it possible to root JB without previous rooting?
No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
tonesy said:
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock I don't believe so.
If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.
hx4700 Killer said:
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock I don't believe so.
He posted a bad link but doesn't work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean
Thread moved
Thread moved. This clearly belongs in Q&A. Please post in the correct Sub-Forum.
peace
jotha - forum moderator
Does anyone know if one person with development capability is trying to find a way to root JB ?
I talked to bin4ry about his root method in hopes of working with him on modifications for the prime but he is telling me his mod is making the change he is exploiting according to what I am seeing but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldn't get out of him what exactly his "restore timing exploit" is but I understand everything after that
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.
Perhaps we can turn this thread into, or possibly start a new one about the different things people (devs and/or the technically savvy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
here's what I have found.
from the PC, creating an adb shell allows me to ls /data/local/tmp/ but from a tablet's terminal emulator (shell?) I can't.
Typing id from both it becomes obvious why
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
from the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitations became obvious when I looked at the source code for it. You need an application package that is debuggable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debuggable and see what that yields but it's looking like a convoluted process, especially considering that run as may not work as intended on prime's JB
PS I want to state that I know precious little about linux and even less about the android layer above it...
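Why the two `id` outputs in the post above lead to different results for `ls /data/local/tmp/`, as an added example that is not part of the original post: it parses both outputs and applies the standard UNIX owner/group/other check. The directory's ownership and mode (shell:shell, 0771) are an assumption taken from stock AOSP and are not stated in the thread; the function names are illustrative.

```python
import re
from dataclasses import dataclass, field

# `id` output taken from the post above (line wraps joined).
ADB_SHELL_ID = ("uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),"
                "1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),"
                "3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)")
TERMINAL_APP_ID = ("uid=10126(u0_a126) gid=10126(u0_a126) "
                   "groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)")

# Assumption (not from the thread): stock AOSP creates /data/local/tmp
# owned by shell:shell with mode 0771.
TMP_OWNER, TMP_GROUP, TMP_MODE = 2000, 2000, 0o771

READ, WRITE, EXECUTE = 4, 2, 1


@dataclass
class Cred:
    uid: int
    gid: int
    groups: set                                      # supplementary group ids
    group_names: dict = field(default_factory=dict)  # gid -> name


def parse_id(text):
    """Parse one line of `id` output; tolerates spaces after commas."""
    def single(key):
        m = re.search(rf"\b{key}=(\d+)(?:\(([^)]*)\))?", text)
        if m is None:
            raise ValueError(f"no {key}= field in {text!r}")
        return int(m.group(1)), (m.group(2) or m.group(1))

    uid, _ = single("uid")
    gid, gid_name = single("gid")
    names = {gid: gid_name}
    groups = set()
    if "groups=" in text:
        # Newer Android appends " context=..."; cut it off before scanning.
        tail = text.split("groups=", 1)[1].split(" context=", 1)[0]
        for num, name in re.findall(r"(\d+)(?:\(([^)]*)\))?", tail):
            groups.add(int(num))
            names[int(num)] = name or num
    return Cred(uid, gid, groups, names)


def dac_allows(cred, owner, group, mode, want):
    """Classic UNIX check: exactly one of the owner/group/other triplets applies."""
    if cred.uid == 0:
        return True          # simplification: root overrides these bits
    if cred.uid == owner:
        bits = mode >> 6
    elif group == cred.gid or group in cred.groups:
        bits = mode >> 3
    else:
        bits = mode
    return ((bits & 7) & want) == want


def tmp_access(cred):
    """What `cred` may do with /data/local/tmp under the assumed mode."""
    def check(want):
        return dac_allows(cred, TMP_OWNER, TMP_GROUP, TMP_MODE, want)
    return {"list": check(READ),                 # ls needs read on the directory
            "traverse": check(EXECUTE),          # open a file by its known name
            "create": check(WRITE | EXECUTE)}    # add or remove entries


def extra_groups(a, b):
    """Names of the groups `a` holds (primary included) that `b` lacks."""
    held_by_b = b.groups | {b.gid}
    return [a.group_names[g] for g in sorted(a.groups | {a.gid})
            if g not in held_by_b]


if __name__ == "__main__":
    shell, app = parse_id(ADB_SHELL_ID), parse_id(TERMINAL_APP_ID)
    print("adb shell   :", tmp_access(shell))
    print("terminal app:", tmp_access(app))
    print("groups only adb shell has:", ", ".join(extra_groups(shell, app)))
```

Under that assumed mode the terminal app falls into the "other" class, so it can reach a file in the directory by name but cannot list or create entries, which matches the behaviour reported in the post.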
Just as an FYI the way bin4ry's tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 into local.prop then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.
yes I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
it would indeed be interesting to see if changing "qemu" flags it as a non-production build. My sgs is rooted with CM10 nightlies might try toggling the value on that and see what adb says
Run-as
abazz said:
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitations became obvious when I looked at the source code for it. You need an application package that is debuggable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal]).
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as its permissions are whatever group it (c4droid?) was assigned at install.
So, how does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
elschemm said:
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
Yes, you are correct. The setresuid() function will not give you permissions greater than the process it's running in.
So, how does one / can one specify that the package is supposed to be root (uid 0)? I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
It's worse than that, the package also has to be debuggable.
There is some info out there on how to sign a package with the appropriate system permissions, so it would be interesting to actually do this and see what, if anything, can be done.
I downloaded the Asus unlock package and passed it through the apk tool to see what it does, as it obviously would need root access. As root access is all I require, the code it shows is irrelevant really; it's the fact that it gains root access with its signature and also the uid that is set in the manifest android.sharedUserID="android.uid.system". This and, most importantly, android.permission.MOUNT_UNMOUNT_FILESYSTEMS. Without these things we can't change anything in the directories we need.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Yes, that's what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a C program that uses the setresuid() function call, thereby bypassing the need to have an appropriate package installed. As it didn't work I'm having doubts whether it would work even if the right package was there. run-as did make reference to package.h, which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I don't really see how this will work...
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
Yeah found the source here
I also searched for Linux exploits; there are massive lists of them, most of them patched by now, but I assume the Linux base in JB would be somewhat different to what's getting around on X86 systems.
On another note, I have tried bin4ry's "root many" method, using the restore timing exploit, but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It makes a symbolic link to the build.prop in com.android.settings...../file99, which was successful after pressing restore, but that's about it. Perhaps I should fire up Ubuntu and try the Linux script instead of the Windows .bat file.
Interestingly, this guy's root method for the Razr M makes use of run-as if you look at the batch file.
He is essentially doing a "fake package" install then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU and also implementing run-as
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627
I fear that few developers remain interested in finding a way to root the Transformer Prime with Jelly Bean, because all of them already had their tablets rooted with ICS and managed to maintain root across the upgrade.
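Added example, not part of the thread and not the run-as source: a simplified C model of the run-as checks discussed above (caller must be shell or root, target package must be debuggable), showing why the command it launches never runs as uid 0. The application-uid floor is included on the assumption that the device's run-as matches AOSP's; `struct pkg_info`, `run_as_check` and the sample packages are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Android uid constants (values from android_filesystem_config.h). */
#define AID_ROOT   0
#define AID_SYSTEM 1000   /* uid behind sharedUserId android.uid.system */
#define AID_SHELL  2000   /* uid of an adb shell session */
#define AID_APP    10000  /* first uid given to installed applications */

/* Hypothetical, simplified package record (constructed for this example). */
struct pkg_info { const char *name; uid_t uid; bool debuggable; };

enum run_as_result { RUN_AS_OK, DENY_CALLER, DENY_NOT_APP, DENY_NOT_DEBUGGABLE };

/* Model of the gate: on RUN_AS_OK, *target is the uid the command would
 * run under; on any denial *target is left untouched. */
enum run_as_result run_as_check(uid_t caller, const struct pkg_info *pkg,
                                uid_t *target)
{
    if (caller != AID_SHELL && caller != AID_ROOT)
        return DENY_CALLER;          /* e.g. an on-device terminal app */
    if (pkg->uid < AID_APP)
        return DENY_NOT_APP;         /* root and system uids are never targets */
    if (!pkg->debuggable)
        return DENY_NOT_DEBUGGABLE;
    *target = pkg->uid;              /* always >= AID_APP, so never 0 */
    return RUN_AS_OK;
}

int main(void)
{
    /* Constructed sample packages; names and uids are made up. */
    const struct pkg_info pkgs[] = {
        { "com.example.debugbuild", 10057, true  },
        { "com.example.release",    10058, false },
        { "com.example.systemapp",  AID_SYSTEM, true },
    };
    const uid_t callers[] = { AID_SHELL, 10060 /* terminal app */ };
    for (size_t c = 0; c < 2; c++)
        for (size_t p = 0; p < 3; p++) {
            uid_t target = (uid_t)-1;
            enum run_as_result r = run_as_check(callers[c], &pkgs[p], &target);
            printf("caller=%u pkg=%s -> result=%d target=%ld\n",
                   (unsigned)callers[c], pkgs[p].name, (int)r,
                   r == RUN_AS_OK ? (long)target : -1L);
        }
    return 0;
}
```

In this model the only successful outcome hands back the debuggable package's own application uid, which is why a setuid-root run-as binary does not by itself yield a root shell.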
Have a strange one I don't know how to fix. Purchased a Pyle PTBL102BCD tablet for the Mrs. to use basically as an ebook reader (according to About, running 4.2.2). When it came in I started sideloading apps to prepare it for her (I do not have a Google account), and searched on the Net about rooting the device. Found a one-click that worked with a different Pyle tablet, so I gave it a shot.
Now I have root access _only_ through the adb shell. None of the apps (including Superuser.apk itself as tested by updating /system/bin/su) can get root access, yet I have no problem running root through an adb shell - remounted file systems, even performed an su which is the only instance Superuser.apk's log shows. Root access in the shell remains between reboots, so it's not a temporary root.
If the adb shell has root, I _should_ be able to use it to grant access to everything else, and I've followed a few different "manual" root instructions (having different permission settings for su and busybox), with no joy. So long as I connect with a USB cable and type on the Windows machine, I'm god. On the tablet itself...not so much.
I hope that someone with a more intimate knowledge of Android internals can point me in the right direction for achieving root completely. Currently have Titanium Backup and ConnectBot (long java errors when I attempt to su there) installed to test root, Superuser v3.1.3 and su v3.1.1. Permissions on su are -rwsr-sr-x. And the human is confused.
Did you get anywhere with this? I have the same problem. What one-click did you use?
mfurlend said:
Did you get anywhere with this? I have the same problem. What one-click did you use?
Side note; REALLY hate the new forum software. With all the untrusted Google and Amazon javascript (which my company firewalls), it's a pain for me to even log in let alone post replies. (And I wonder if I'm the only person in the world sick to death of all the unnecessary ajax garbage...)
Anywho, used Kingo, rooted and unrooted a few times, until I finally acquired complete root on the thing. Once I did, I could run Samba, and once that worked, I could more easily transfer files and apks to the tablet.
Still don't understand why it was left in such a...weird...state - having root by default in adb is just a scary thing!
Thanks for the information. I tried doing that but I encountered various problems. Eventually, after trying to do it manually, I totally screwed up the device. Now it won't boot... I still have access to adb. I need to flash this thing. Do you know what the stock ROM is?
mfurlend said:
Do you know what the stock ROM is?
No...I can give you the Kernel version info (3.0.36+ [email protected] #48) and build number (rk3168_k11_4.2.2_v20131230), but other than that no clue.