[Q] Root (technically) explained - Atrix 4G Q&A, Help & Troubleshooting

This is not a question about how to root the Atrix. I've already done that.
My question is about what actually is changed in the phone by following the root procedure. (I searched the forum but didn't find elsewhere the answers I look for).
Why do I ask?
1) Because I'd like to have a better understanding of the android OS.
2) Because I'd like to understand and know what I need to do in case I want to unroot and return to plain stock.
My case:
(I've just rooted my Atrix. I didn't unlock it)
I've followed the "manual" procedure proposed by BriefMobile.
I can essentially understand (more or less) the commands listed (mount, remount, cp, install, chmod 6755, flash...)
What I'd like to understand better is what changes does the command
Code:
fastboot flash preinstall root.img
Does it just copy new files? Or does it copy (and replace) files on the phone?
(In the second case I'm afraid I made a mistake in not backing them up before running that command...)
Thanks in advance for your help.

Putting it in Windows terms (because Android is Linux), root is like having administrator privileges on your computer. It allows you to modify any system files that would normally be kept locked down. It also allows you to run applications, such as SetCPU, which can directly control hardware (in this case CPU frequency/speed and voltage) and low-level system files. Root in Android is comprised of two main files: the "su" binary (which is the command that applications use to invoke a request to do something with root privileges) and the SuperUser.apk (SuperUser app that's in the app drawer). The SuperUser app exists to prompt you whenever an application asks for root permission. So if you go into the terminal and type a low-level command, you'll see something like, "You do not have permission to do this". But if you type "su" before the command, it will run if you hit "Allow" on the SuperUser request.
Get it?

Product F(RED) said:
....
Get it?
Thanks Product F(RED) .
Yes I got it.
I already knew what rooting means in general terms.
What I really asked (sorry if I wasn't clear enough) is what does the root "physically" change on the phone.
According to your answer I assume it just adds the "su" binary and the "SuperUser" app (apart from changing some permission on some system folders) and that it doesn't replace any "stock" system file.
I also assume that these new files are extracted from the "root.img" (or "preinstall.img") files flashed by the fastboot command.
Is it so?
I was a little confused because I saw in some other forum a reference to some "stock" files wiped out in the /preinstall/app/ folder by the root process, undermining the reversibility of the procedure (in case of no previous full system backup).

sphere314 said:
Thanks Product F(RED) .
....
Pretty much, yes, you're adding those two files (as well as another called BusyBox that allows other files to run, but this you can install after you root). The scenario I'm describing is that you're on a stock ROM and you just rooted your phone for the first time.
Though fastboot is present on every phone, using it to flash those two files seems to be unique to your phone because rooting methods vary from phone to phone. But basically the two most common methods are:
1. You flash a custom recovery from your computer if your phone's bootloader is not locked, and then you can flash the root files (su/SuperUser.apk) to the ROM from there or just flash a custom ROM that includes them.
or
2. You use fastboot/adb/some third-party method to root the stock ROM on your phone from your computer, then you install a custom recovery, and then you can flash custom ROMs/kernels/etc.
That /preinstall/app folder seems to be unique to your phone, but if I had to guess, it has something to do with deleting preloaded bloatware that comes with the phone. Because out of the box you can't, but once you have root permissions, you can go to that folder with a file manager to delete the APKs or use something like Titanium Backup to do it.

Product F(RED) said:
Pretty much, yes, you're adding those two files (as well as another called BusyBox that allows other files to run, but this you can install after you root). The scenario I'm describing is that you're on a stock ROM and you just rooted your phone for the first time.
....
Thanks again Product F(RED).
Things are clearer now.
I wasn't aware of the installation of "BusyBox" (I found it in my phone in the folder /osh/bin/)
I think the root method I used (BriefMobile) is the type 2. I didn't install a custom recovery as I'm not interested yet in flashing custom ROMs/kernels/etc.
So, to summarize...
The basic root method (no unlock) consists in:
1) install the "su" binary
2) install the "busybox" binary
3) install the "superuser.apk" app
4) change some r-w permissions
In my case (probably) the root method also wiped out some preloaded bloatware file in the /preinstall/app folder but that's not essential (unless Moto makes a check for the presence of those files before an OTA update).
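As an added example (not from the thread, BriefMobile, or any tool it names), a POSIX shell audit that checks for exactly the leftovers the summary above lists: a su binary, busybox, Superuser.apk, setuid bits from chmod 6755, and a read-write /system mount, which is also the checklist for verifying that an unroot really reverted everything. It builds two constructed snapshots (rooted and stock) under a temp directory so it runs offline; the search paths, including /osh/bin and /preinstall/app, are assumptions drawn from the thread, and on a real device the same functions would run in adb shell with ROOT=/ and MOUNTS=/proc/mounts.

```shell
#!/bin/sh
# Root-indicator audit: what a su/busybox/Superuser.apk root leaves behind.
# Added example; the path lists below are assumptions, not an exhaustive set.
# Run "sh audit.sh --demo" to see the report for both constructed snapshots.

SU_PATHS="/system/bin/su /system/xbin/su /sbin/su /osh/bin/su"
APK_PATHS="/system/app/Superuser.apk /system/app/SuperSU.apk /preinstall/app/Superuser.apk"

count_su_binaries() {            # prints how many candidate su binaries exist under ROOT
    root="$1"; n=0
    for p in $SU_PATHS; do [ -f "$root$p" ] && n=$((n + 1)); done
    echo "$n"
}

count_setuid_files() {           # setuid files under /system and /osh (chmod 6755 sets this bit)
    root="$1"
    find "$root/system" "$root/osh" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

count_superuser_apks() {         # prints how many Superuser/SuperSU apks exist under ROOT
    root="$1"; n=0
    for p in $APK_PATHS; do [ -f "$root$p" ] && n=$((n + 1)); done
    echo "$n"
}

system_mounted_rw() {            # returns 0 if /system is mounted rw in a /proc/mounts-style file
    awk '$2 == "/system" { print $4 }' "$1" | tr ',' '\n' | grep -qx rw
}

# Prints a report; returns 1 when any root indicator is present, 0 when clean.
audit_root_indicators() {
    root="$1"; mounts="$2"; score=0
    su=$(count_su_binaries "$root");      echo "su binaries:     $su"
    suid=$(count_setuid_files "$root");   echo "setuid files:    $suid"
    apk=$(count_superuser_apks "$root");  echo "superuser apps:  $apk"
    if system_mounted_rw "$mounts"; then echo "/system mounted: rw"; score=1
    else echo "/system mounted: ro"; fi
    if [ -f "$root/system/xbin/busybox" ] || [ -f "$root/osh/bin/busybox" ]; then
        echo "busybox:         present"; score=1
    fi
    [ "$su" -gt 0 ] && score=1
    [ "$suid" -gt 0 ] && score=1
    [ "$apk" -gt 0 ] && score=1
    return "$score"
}

# Constructed snapshot of a phone after a su/busybox/Superuser.apk root.
make_rooted_snapshot() {
    d="$1"
    mkdir -p "$d/system/xbin" "$d/system/app" "$d/osh/bin" "$d/preinstall/app"
    printf '#!/bin/sh\n' > "$d/system/xbin/su";   chmod 6755 "$d/system/xbin/su"
    printf '#!/bin/sh\n' > "$d/osh/bin/busybox";  chmod 755 "$d/osh/bin/busybox"
    : > "$d/system/app/Superuser.apk"
    # constructed /proc/mounts line: /system remounted read-write by the root procedure
    printf '/dev/block/mmcblk0p12 /system ext3 rw,relatime 0 0\n' > "$d/mounts"
}

# Constructed snapshot of a stock phone: no su, no setuid bits, /system read-only.
make_stock_snapshot() {
    d="$1"
    mkdir -p "$d/system/xbin" "$d/system/app" "$d/preinstall/app"
    : > "$d/system/app/Phone.apk"
    printf '/dev/block/mmcblk0p12 /system ext3 ro,relatime 0 0\n' > "$d/mounts"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_rooted_snapshot "$tmp/rooted"; make_stock_snapshot "$tmp/stock"
    audit_root_indicators "$tmp/rooted" "$tmp/rooted/mounts" || echo "=> rooted"
    audit_root_indicators "$tmp/stock" "$tmp/stock/mounts" && echo "=> stock"
    rm -rf "$tmp"
fi
```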

They usually do check (and will fail) because OTA's are like patches; not really replacements for the whole /system/ partition. Never take an OTA when you're rooted, especially because they can do things like update and lock your bootloader, among other things. It's safer to wait until rooted versions pop up in the development section for your phone.


[Q] MTK6573 custom recovery and backups / Stock Boot, Recovery + Scatter included

Phone is a Star X19i
Now I'm looking at getting a system to allow me to back up the rom and re-flash if needed.
Post 4 has attachments of my boot, recovery and scatter files.
Old issue: (Solved)
Stupid thing I did I renamed the mtklockscreen.odex to mtklockscreen.odex1 just as a test in a half asleep phase to see if I would get the stock lockscreen loading.
Suffice to say the phone no longer boots.
Really don't think I can get into ADB and rename the file to get the phone booting again unless anyone knows a way.
Android was 2.3.6 and I asked the seller if it was possible to get the ROM in case anything like this happened, which they didn't.
So anyone have any ideas?
I have attached the stock recovery and boot images made with cat and a scatter file I made to post 4.
As I have no idea about modifying these for hard root can anyone take a look?
I don't know the specifics of the phone, but if you can go into recovery mode maybe you can get adb working, or use a flashable zip to rename the file by installing it from recovery (you just need to edit the zip's updater-script).
dxppxd said:
I don't know the specifics of the phone, but if you can go into recovery mode maybe you can get adb working, or use a flashable zip to rename the file by installing it from recovery (you just need to edit the zip's updater-script).
I got into built in Factory mode and can see the file I renamed through ADB and android commander but cannot rename it back due to not having hard root access.
I also have a copy of the boot and recovery partitions 5 and 6 respectively I made in the adb shell yesterday as I was half looking at getting hard root access.
ren mtklockscreen.odex1 mtklockscreen.odex
ren: permission denied
I read you can do a custom recovery with root using SP Tools still so can anyone help me do this?
I know about system root etc. and have flashed ROMs before on other tablets and have been a PC IT tech (wouldn't think it due to the stupid mistake), but this recovery and scatter files stuff is kinda new to me.
I have a scatter file now I just made if anyone is interested in helping me.
Yes I have a MTK6573 but the scatter file came from the MT6516 Rom Studio which I read works the same for the 6573.
Attached are also my stock boot and recovery partitions I made with cat yesterday, if they're usable to anyone to help.
Well I got it working and fixed.
I had to go into adb shell and su and mount the file system as writable, as I have used linux before I didn't know about android and what needed to be done and permission locks etc.
The stock boot, recovery and scatter files will remain on this thread if anyone wants to help create or find a recovery which can allow me to create backups and flash custom roms.
I may be able to provide a dump of android 2.3.6 for those that want it once I'm provided with a backup solution as I have read a few people wanting this updated android rom.
This got too close to what I would like liked with bricking this phone.
And I'm not comfortable unless I have a rom backup of this.
Rooting Advice: For anyone with a MTK6573 on Android 2.3.6 trying to root but having issues with super one click make sure you only turn on USB debugging after Android has loaded and just before you plug the usb cable in to run super one click.
I have seen a few threads and posters here about not being able to root the phone, and this is the cause: debugging needs to be switched on right before you connect and try to root.
Original seller has agreed to send the firmware and flashing stuff on cd for me so I can upload it for you all.
This is a win for MTK6573 Star X19i owners as I'll have the updated 2.3.6 Gingerbread firmware to release for you all root modify etc in a week or so.
Be careful with ROM studio. I believe it is not compatible with MT6573.
You want to read this: http://bm-smartphone-reviews.blogspot.com/2012_04_01_archive.html
cybermaus said:
Be careful with ROM studio. I believe it is not compatible with MT6573.
You want to read this: http://bm-smartphone-reviews.blogspot.com/2012_04_01_archive.html
That's what I read and did to get my scatter as I used cat then used the program linked in that thread to generate the scatter.

[Q] Backing up ROM before rooting

Hello,
I want to root my device with odin and chainfire. I know this basically leaves my recovery
untouched and modifies some system files so as to allow root apps to install themselves
in a way that they can run with root permission.
1. I would like to know more about exactly what changes this kind of rooting does to the
device's file system.
2. I want to back up my ROM before this (not my data, just the program that factory
resets my device). That way, if I don't like something or something doesn't work I know
I can go back.
3. If once I root my device I install ClockworkMod as my recovery, does that mean my
old recovery is gone forever and I cannot get it back (not that I would probably need it
but just in case).
Can someone please help?
Thanks,
John Goche
johngoche99 said:
Hello,
....
1. It doesn't make any changes to the file system. Are you sure you're using the right term?
It tells you what it does here:
http://autoroot.chainfire.eu
2. You cannot back up your ROM before rooting. You require a custom recovery to do this... unless the S3 toolbox does this? Have a look. There is a nandroid over adb option:
http://forum.xda-developers.com/showthread.php?t=1746680
Factory reset only manages /data, i.e. your stuff. It doesn't restore ROMs.
3. The toolbox in 2 can flash stock recovery.
Sent from my GT-I9300 using Tapatalk 2
1. OK, so there's the ROM, and there's the filesystem. So it's not like in Unix where everything is a file.
I thought the ROM includes all the files which are part of the filesystem including /system/xbin and the
kernel. I thought the filesystem is part of the flashed ROM, not a separate thing.
2. I have adb installed. How do I do a nandroid over adb?
3. OK, so the default recovery just restores the /data partition.
johngoche99 said:
1. OK, so there's the ROM, and there's the filesystem. So it's not like in Unix where everything is a file.
....
1. File system = ext4, fat32, ntfs etc.
The ROM is a collection of files within the /system partition and a kernel (boot.img). Of course there is a file system beneath this but it's completely irrelevant to our discussion.
But cf auto root puts an app in /system/app and a binary in /system/bin. I suppose you're using "filesystem" in the way linux uses that to navigate to the /root of the OS.
2. Download the Windows application I linked you to and follow the prompts to set up correctly. Then it's a menu option.
3. The stock recovery only WIPES the /data partition. It restores nothing
Sent from my GT-I9300 using Tapatalk 2
1. OK, the ROM is a collection of files. Now I'm in sync. So only two files are modified during the rooting process,
an app in /system/app (which does what?) and a binary in /system/bin (presumably a shell?).
2. Download the windows application I linked you to and follow the prompts to set up correctly. Then its a menu option
Where is the windows application you linked me. With all the clutter on the XDA pages I can hardly see it.
3. The stock recovery only WIPES the /data partition. It restores nothing
Thanks. Not sure why the data partition is not browsable with adb shell by default.
Thanks.
The su binary is the actual root. But you need a superuser app too. The app acts as a gatekeeper. When you run an app that requires root, superuser app opens and asks you if you want to allow or deny access to this app. Think of it as a level of protection
The link in my first post in my number 2. Answer is a specific thread for the windows application called unified toolbox. Just read all of post one. It tells you everything you need to know.
/data is protected because things that could otherwise be deleted can prevent android from booting up.
Not sure if you're familiar with Linux, but /data isn't quite the same as your home directory. That would be /sdcard. I suppose the Linux equivalent of /data would be /usr (although not really as despite their similarity, linux and android are not the same. Only really the kernel)
Sent from my GT-I9300 using Tapatalk 2

Is root absolutely necessery for flashing ports?

Hi everybody. I learned so much from this forum (and also from others) in one year and tried to share my knowledge to those who try to learn like me.
Now I would like to share one of my experiences. I don't know if someone wrote about this, yet I could not find it anywhere in this forum. When we share a "port", for example "S4 keyboard for S3", we say that we need root access in order to use this port. But when I think about it, if these apk files replace the original ones and the ROM thinks that they are the originals, why should we need root access? Of course we need recovery to flash them, but do we absolutely need root? And I flashed 3 separate ports (keyboard, launcher and call record) into a freshly installed 4.3 MK6 stock ROM without root and they worked... and still do... (scripts have to delete odex files automatically)
Installing a recovery will increase the binary counter, and since your binary is up, why not root, right? But those who don't want to root their phone but still want to use the visuals can install a recovery and flash the ports without rooting... Tested and proven...
You need root access for applications/ports that will need to be installed in system directories (that only the superuser can alter). Some directories/partitions are read-only, so you have to mount them as writable too. It all depends on the application.
alex.sg said:
You need root access for applications/ports that will need to be installed in system directories (that only the superuser can alter). Some directories/partitions are read-only, so you have to mount them as writable too. It all depends on the application.
If editing apps from the ROM, then yes. But if you are flashing them through recovery you don't need root access for read and write permissions. The script does that itself. That's what I'm talking about.
Galaxy S3 with Tapatalk 2

[Q] Cube U27GT - Help with Rooting a Stock Rom and can we get a forum?

Dear Admins,
Could we get a forum setup for the Cube U27GT WiFi version? I dug around on the site a bit beforehand but didn't see one, I apologize if I missed it and please direct me there if I did.
I have this tablet and I am doing some initial basic firmware development for it and want a proper place to start putting threads.
Dear Dev Community,
I can't root this bloody thing... At least, not the rom itself. Let me explain...
I can flash the stock rom from Cube and that can be rooted using Kango Root. --Fine...
However, I can't figure out how to replicate this when I make my own rom.
Thus far, here is what I have attempted...
1. Setup dsixda's excellent kitchen on my Ubuntu workstation.
2. Unpack the rom, clean things up, manually put the boot image into the dsixda unpacked working rom folder, run dsixda's root functionality (which add SU binary to xbin and SuperSu apk file to app folder as well as do some things with the boot image file).
3. Rather than using repack with Dsixda (which makes an update.zip image which I can't use because the stock recovery environment on this device can't flash zip update files and I can't for the life of me figure out how to get and or make a working CWM or TWRP recovery image for this unit)...
4. What I do is I run commands in linux to unpack the stock rom to another directory and mount that directory, then clear out a bunch of folders and then manually copy in my files from dsixda's working folder, then repackage up my unpacked stock rom into a new system.img file.
5. Then copy my now modified boot image, system image, and also userdata image (I modify that as well as that is where most all of the chinese bloatware is loaded from) to my SP_Flash_Tool, generate new checksum.ini file and flash normally...
What I get as a result...
1. As long as I am really careful with how I copy files into my new image, the new system flashes okay (if I am not careful, after flash USB storage for some reason has a format error and the system will boot but can't mount USB storage and other odd issues ensue as a result).
2. Assuming everything flashes okay, and no issue with the USB storage partition, I have SuperSU installed and when I go to use an app (ES File Explorer or Root Checker) that requires root, I do get the prompt. However none of the root functions actually work and Root Checker tells me I am not rooted.
That is as far as I have got. So as a result, I have a really nice, westernized, cleaned up rom but with no root.
Anyone have any ideas?
This is my first adventure into mod'ing MTK roms so I am sure I am doing all kinds of things wrong . I had a good bit of experience on Rockchip SoC's before this though.
Kind regards and thanks in advance!
Roman
Figured it out!
So I finally did the following rather hackish work-around...
1. Flash stock firmware...
2. Root with Kingo Root
3. Enabled ADB
4. Attach to PC and fire up MTK Droid Tools
5. Take a full backup
6. Modify the system image from the backup and make changes
7. Put that in new firmware flash package
8. Flash new firmware
YAY - Cleaned up rom, modified, with root!
Once I get it all packaged up and uploaded to mtkfirmware.com I will post a link for anyone that wants a cleaned up rom with root!
The only downfall of the above method is that it absolutely requires that the developer have a device on hand because you can't just root the stock image file (at least, I couldn't figure out how... - bleh...
Kind Regards,
Roman
Dear roman,
Thanks for your hard work.
I have a simple question (I think) and if you have the time to reply or -any other android guru- I would be thankful.
My later issue was with a U27GT cube tablet, but I have others, one for each kid, and this is more of general question.
I am reading this and other forums about how to flash tablets from PC. My question is:
Can the flashing process be done from a SD card?
Thanks a lot and regards,
Fernando
SKorea

Use Janus vulnerability to get root access?

Hello,
Let's assume I have a super-secure Android phone that's known for not being rootable. Let's also assume I've successfully tried the Janus vulnerability and was able to replace the classes.dex of a system app with a slightly modified one.
As far as I understand it, using the Janus vulnerability, you can only replace the classes.dex but no resources. So whatever is in the classes.dex can only work with the resources already there.
Now the big question: Is there any classes.dex that doesn't depend on specific resources and that I could use to get e.g. a root shell?
I'll try to change a system app to gain higher rights, but I doubt this will be enough to write to system.
github.com/wegeneredv-de/CVE-2017-13156
Use Janus vulnerability to get root access ?
No, I think you can't really. It is maybe possible to root using this exploit by editing a system app, because system apps have more rights than "normal" apps which are installed in the /data partition. If you really want to use the Janus exploit to root your phone, try to find a privilege escalation exploit and edit an app to make it execute the exploit. But I think "normal" rooting methods are more efficient. You can install any app on your phone or update any apps, so you don't need Janus. Executing a privilege escalation exploit is the only way to root your phone with no (not 100% true, you can root your phone using recovery, but it is not the subject)
I hope I have helped you,
Have a n1ce day,
Luca
PS: Don't hesitate to thank me
Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.
lucahack said:
Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.
There's no easier way? Something like copying a "su" binary to somewhere and setting a few filesystem permissions?
mbirth said:
There's no easier way? Something like copying a "su" binary to somewhere and setting a few filesystem permissions?
The easiest way is to flash supersu in a custom recovery to root. (link to supersu flashable : https://s3-us-west-2.amazonaws.com/supersu/download/zip/SuperSU-v2.82-201705271822.zip )
lucahack said:
Yes, you can. You can edit the system upgrade app to make it install a special package (that should be signed by recovery) to root your phone I think.
I've been looking into that for a while. I thought it was possible using dirtycow also, maybe.
How would a special package still be usable and signed by the recovery?
Wouldn't modification break the recovery signing?
Delgoth said:
I've been looking into that for a while. I thought it was possible using dirtycow also, maybe.
How would a special package still be usable and signed by the recovery?
Wouldn't modification break the recovery signing?
If you extract your ota certs from a valid OTA and sign the injected update.zip with those valid signatures it may be possible. That's the latest I've been looking into but the updater binaries are so complicated I don't know how it will work. I think the best option is smali edit within an app like testmode.apk on the K1 that can manipulate system properties and shared preferences. Once you can allow the properties to allow insecure adb or debuggable = true or secure = false you can do the rest of the work in adb. But BB probably has protections that will nullify on reboot.
jcrutchvt10 said:
If you extract your ota certs from a valid OTA and sign the injected update.zip with those valid signatures it may be possible. That's the latest I've been looking into but the updater binaries are so complicated I don't know how it will work. I think the best option is smali edit within an app like testmode.apk on the K1 that can manipulate system properties and shared preferences. Once you can allow the properties to allow insecure adb or debuggable = true or secure = false you can do the rest of the work in adb. But BB probably has protections that will nullify on reboot.
I have the Verizon test keys for the G925V 4CPI2 6.0.1, but my s6 edge is currently out of commission until I can find the signed bootloader binaries to upload to the device over the serial port. SDB and SDC are completely gone. I need to inject the data, but don't know the map of the sboot.bin
I had the same idea though. I'm glad I wasn't the only one. It got lost in the cracks because of other projects going on. I saw some malware one time that would install itself by piggybacking on the ota system update process, when you scheduled the update to occur five minutes from the current time. And that process I do believe relied on using a modified CSC or Cache once the process started.
