[S-OFF] Facepalm s-off Droid Incredible 4G LTE - Verizon HTC Droid Incredible 4G LTE

Welcome to Facepalm S-Off for the Droid Incredible 4G LTE.
Credits and terms:
Exploit by beaups. Full guide, testing, and concept by jcase and beaups. Thanks to dsb9938 and dr_drache for support and testing. Thanks also to all of the regulars at teamandirc.
Both beaups and jcase will collect the applicable active bounties. Further donations are greatly appreciated and can be sent to:
beaups - Donate to beaups
jcase - Donate to jcase
dsb9938 - Donate to dsb9938
dr_drache - Donate to dr_drache
Thanks also to mdmower for commissioning Facepalm for this device, and testing.
You can also come by irc for support or just to say thanks: #FacePalm http://chat.andirc.net:8080/?channels=facepalm
While this process shouldn’t be too risky, bricks can happen. None of us will be accountable. If you are worried, don’t do it.
This is a pretty simple method, however, you will need to have a working adb and fastboot environment. This method will work on any operating system that supports adb and fastboot. You should understand how to use a terminal window in your O/S. If you don’t understand adb and fastboot, you probably don’t need S-off.
Lastly, the work herein should not be stolen, repackaged, one clicked, bat’d, etc. soffbin3 is not GPL and may not be reused, integrated into other work, reposted, or redistributed without our permission.
For this to work, you must be rooted and have superCID (unlock/custom recovery is optional), see the threads below for help and information regarding obtaining superCID, unlock, root, etc. Note these threads are provided for convenience only. Please look for support for them in each respective thread if you need it, do NOT clutter this thread with support requests regarding obtaining superCID and/or root! If you try this process without superCID, it will not work, and you may have issues!:
Droid Incredible 4G LTE SuperCID: http://forum.xda-developers.com/showthread.php?t=2214653
Once you have confirmed you have SuperCID, get started (read it through first so you understand it all):
1.) Download patcher and unzip it in your working directory:
soffbin3.zip
2.) Download the RUU zip below:
http://d-h.st/MOw
3.)
Code:
adb reboot bootloader
(wait for bootloader)
4.)
Code:
fastboot oem rebootRUU
(wait for black HTC Screen)
5.)
Code:
fastboot flash zip 2.17.605.2_rom.zip
After 2-3 minutes, You should see the following error “FAILED (remote: 92 supercid! please flush image again immediately)”
6.) Immediately issue the following command:
Code:
fastboot oem boot
You may see some errors, just wait for the device to boot into Android (only now, you should be booted into Android with no eMMC write protection of any kind active).
7.) Issue the following commands to update the security partition with S-off flags (one command at a time!):
Code:
adb push soffbin3 /data/local/tmp/
adb shell chmod 744 /data/local/tmp/soffbin3
adb shell
su
/data/local/tmp/soffbin3
exit
exit
8.) Wait a few seconds, then:
Code:
adb reboot bootloader
9.) You should see what you are looking for!
If you need help or just care to say thanks, join us on IRC: #FacePalm http://chat.andirc.net:8080/?channels=facepalm
Enjoy.

wondering if this will survive an OTA

jose51197 said:
wondering if this will survive an OTA
Radio S-off always survives OTA...now whether or not the device survives.....
Sent from my HTC6435LVW using Tapatalk 2

Has anyone been able to get this to work? I've tried several times usually getting error 99: unknown fail while flashing the zip. I have superCID and an unlocked bootloader, fastboot and adb both working. I even returned the phone back to a stock rom at which point I got the zip to flash correctly (giving me error 92) but still get a write protection error trying to run soffbin3. When I retried after that I'm getting error 99 again at flashing the zip. I've tried from 2 different computers Windows 7 64 bit and Windows XP 32 bit same errors on both. Any ideas what could cause this?

mpappas87 said:
Has anyone been able to get this to work? I've tried several times usually getting error 99: unknown fail while flashing the zip. I have superCID and an unlocked bootloader, fastboot and adb both working. I even returned the phone back to a stock rom at which point I got the zip to flash correctly (giving me error 92) but still get a write protection error trying to run soffbin3. When I retried after that I'm getting error 99 again at flashing the zip. I've tried from 2 different computers Windows 7 64 bit and Windows XP 32 bit same errors on both. Any ideas what could cause this?
Of course it's been tested
For error99 do a full forced power down (hold power for 30 sec while unplugged or pull battery if you have one), then boot back up holding vol down to get back to bootloader.
Also, confirm you have superCID via fastboot getvar cid

beaups said:
Of course it's been tested
For error99 do a full forced power down (hold power for 30 sec while unplugged or pull battery if you have one), then boot back up holding vol down to get back to bootloader.
Also, confirm you have superCID via fastboot getvar cid
what value do you want us to have with super cid?
I unlocked and then reverted back to the stock cid

dcooterfrog said:
what value do you want us to have with super cid?
I unlocked and then reverted back to the stock cid
I THINK YOU SHOULD REMAIN ON SUPERCID (11111111) til you get s-off, then if need be revert back.

dcooterfrog said:
what value do you want us to have with super cid?
I unlocked and then reverted back to the stock cid
Any supercid should do, but 1's and 2's have been tested.
Sent from my HTC6435LVW using Tapatalk 2

Of course you've tested it; I meant, has anyone who is just a user trying to follow your instructions gotten it to work yet? I wasn't trying to be sarcastic. Anyway, your battery pull instructions work for error 99; however, I still keep getting the write protection error. My bootloader is unlocked and I have superCID set to 11111111. I'll copy what I see here so you can look at it:
c:\Android>fastboot oem rebootRUU
...
(bootloader) Start Verify: 3
OKAY [ 0.072s]
finished. total time: 0.072s
c:\Android>fastboot flash zip 2.17.605.2_rom.zip
sending 'zip' (583416 KB)...
OKAY [ 24.313s]
writing 'zip'...
(bootloader) adopting the signature contained in this image...
FAILED (remote: 92 supercid! please flush image again immediately)
finished. total time: 24.422s
c:\Android>fastboot oem boot
< waiting for device >
...
(bootloader) Boot/Recovery signature checking...
(bootloader) Boot/Recovery signature checking...
(bootloader) setup_tag addr=0x80400100 cmdline add=0xC02FA8C4
(bootloader) TAG:Ramdisk OK
(bootloader) TAG:skuid 0x2DB00
(bootloader) TAG:hero panel = 0x4940045
(bootloader) TAG:engineerid = 0x0
(bootloader) TAG: PS ID = 0x0
(bootloader) TAG: Gyro ID = 0x0
(bootloader) Device CID is super CID
(bootloader) CID is super CID
(bootloader) Backup CID is empty
(bootloader) setting->cid::11111111
(bootloader) serial number: HT26SS300293
(bootloader) commandline from head: console=ttyHSL0,115200,n8
(bootloader) command line length =739
(bootloader) active commandline: poweron_status=1 reset_status=0 board_fi
(bootloader) ghter.disable_uart3=0 diag.enabled=0 board_fighter.debug_uar
(bootloader) t=0 userdata_sel=0 androidboot.emmc=true androidboot.pagesiz
(bootloader) e=2048 skuid=0 ddt=20 ats=0 androidboot.lb=1 td.td=1 td.sf=
(bootloader) 1 td.ofs=328 td.prd=1 td.dly=0 td.tmo=300 hlog.ofs=628 un.of
(bootloader) s=694 imc_online_log=0 androidboot.efuse_info=FFSL androidb
(bootloader) oot.baseband=1.53.06.0919 androidboot.cid=11111111 androidbo
(bootloader) ot.devicerev=3 androidboot.batt_poweron=good_battery android
(bootloader) boot.carrier=ALL and
(bootloader) aARM_Partion[0].name=misc
(bootloader) aARM_Partion[1].name=recovery
(bootloader) aARM_Partion[2].name=boot
(bootloader) aARM_Partion[3].name=system
(bootloader) aARM_Partion[4].name=local
(bootloader) aARM_Partion[5].name=cache
(bootloader) aARM_Partion[6].name=userdata
(bootloader) aARM_Partion[7].name=devlog
(bootloader) aARM_Partion[8].name=pdata
(bootloader) aARM_Partion[9].name=fat
(bootloader) aARM_Partion[A].name=extra
(bootloader) aARM_Partion[B].name=radio
(bootloader) aARM_Partion[C].name=adsp
(bootloader) aARM_Partion[D].name=dsps
(bootloader) aARM_Partion[E].name=wcnss
(bootloader) aARM_Partion[F].name=radio_config
(bootloader) aARM_Partion[10].name=modem_st1
(bootloader) aARM_Partion[11].name=modem_st2
(bootloader) partition number=18
(bootloader) Valid partition num=18
(bootloader) TZ_HTC_SVC_SET_DDR_MPU ret = 0
(bootloader) smem 90005000 (phy 90005000): TZ_HTC_SVC_UPDATE_SMEM ret = 0
(bootloader) TZ_HTC_SVC_LOG_OPERATOR ret = 0
(bootloader) TZ_HTC_SVC_ENC ret = 0
(bootloader) TZ_HTC_SVC_DISABLE ret = 474079232 (0x1C41E000)
(bootloader) jump_to_kernel: machine_id(3524), tags_addr(0x80400100), ker
(bootloader) nel_addr(0x80408000)
(bootloader) -------------------hboot boot time:9464 msec
FAILED (status read failed (Too many links))
finished. total time: 6.292s
c:\Android>adb push soffbin3 /data/local/tmp/
1078 KB/s (2209 bytes in 0.002s)
c:\Android>adb shell chmod 744 /data/local/tmp/soffbin3
c:\Android>adb shell
[email protected]:/ # su
su
[email protected]:/ # /data/local/tmp/soffbin3
/data/local/tmp/soffbin3
/data/local/tmp/soffbin3[2]: cannot create │╗▒╫÷: Read-only file system
/data/local/tmp/soffbin3[2]: ┴√╓♣î⌠: not found
/data/local/tmp/soffbin3[4]: syntax error: 'ⁿ' unexpected
/data/local/tmp/soffbin3[2]: ╕╚Ç╫⌂idτº╬R░4↔∩N¥U÷Å┘)╘¿j¥&j+ò╩U¿PñF╩≥ÇTAäBÑJÇJôç
►╝D<B}░wYQéäè╘─ï∙╬▄;╗wªnE╟>{ε╣ττ₧{ε╣?τ╣╣┼yM╙╚*ö: not found
/data/local/tmp/soffbin3[2]: ┘ªnc↕♂mè◄←ßî╟Θ: not found
/data/local/tmp/soffbin3[2]: ô♦∞☻─Q└: not found
/data/local/tmp/soffbin3[2]: ª↕Wê2└δ}▄G╗2öó^≡▲ñ√⌐ç♦/│.₧: not found
1|[email protected]:/ # exit
exit
1|[email protected]:/ # exit
exit
c:\Android>adb reboot bootloader
I hope you can help me figure this out, I'd really like to have s-off and I do appreciate all your hard work putting this together for us.
Edit:
I tried again, this time entering the fastboot oem boot and pressing enter while it was flashing the zip so that it ran as soon as it finished flashing the zip, and it rebooted back to the black HTC screen. Is that supposed to happen? Should I just wait? I waited five minutes (I timed it) and it never changed from that screen.
c:\Android>fastboot oem rebootRUU
...
(bootloader) Start Verify: 3
OKAY [ 0.075s]
finished. total time: 0.075s
c:\Android>fastboot flash zip 2.17.605.2_rom.zip
sending 'zip' (583416 KB)...
OKAY [ 24.340s]
writing 'zip'...
(bootloader) adopting the signature contained in this image...
FAILED (remote: 92 supercid! please flush image again immediately)
finished. total time: 24.449s
c:\Android>fastboot oem boot
...
FAILED (command write failed (Too many links))
finished. total time: 0.001s

Well those are some weird errors you are getting indeed, the soffbin3 is pretty simple, should just return a 1.
Perhaps try on a more stock rom?
And your first method was the correct behavior, not the 2nd.
edit: I see your adb push only pushed 2209 bytes, which is the size of the ZIP file, not the decompressed binary.
The instructions clearly state you need to UNZIP it, not just delete the zip extension from your downloaded file. We zip the file before uploading in order to identify download errors.
Once decompressed the binary is 4751 bytes.
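The size mismatch diagnosed above (2209 bytes pushed versus a 4751-byte binary) can be caught on the host before anything is pushed. The following is an added example, not part of the original thread or the Facepalm tooling: it checks a file's magic bytes, size and optional MD5, and parses the byte count from an `adb push` status line. The function names, the constructed sample bytes and the assumption that the unzipped binary is an ELF executable are illustrative; the expected size and the two `adb push` lines are taken from the thread.

```python
"""Host-side pre-flight check for a downloaded binary before `adb push`.

Added example; all function names are hypothetical. Assumes the unzipped
file is a native Android (ELF) executable.
"""
import hashlib
import re
from typing import List, Optional

ZIP_MAGIC = b"PK\x03\x04"   # local file header at the start of a ZIP archive
ELF_MAGIC = b"\x7fELF"      # header of an ELF executable (assumed file type)
EXPECTED_SIZE = 4751        # decompressed size stated in the thread

# adb push reports e.g. "1078 KB/s (2209 bytes in 0.002s)"
PUSH_LINE = re.compile(r"\((\d+) bytes in [\d.]+s\)")


def classify(data: bytes) -> str:
    """Identify the file by its leading magic bytes, not by its name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def md5_hex(data: bytes) -> str:
    """MD5 as a download-integrity checksum (not a security control)."""
    return hashlib.md5(data).hexdigest()


def preflight(data: bytes,
              expected_size: int = EXPECTED_SIZE,
              expected_md5: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the file looks right.

    expected_md5 is the checksum published with the download. The thread
    mentions checking it but does not quote the value, so none is built in.
    """
    problems = []
    kind = classify(data)
    if kind == "zip":
        problems.append("file is still a ZIP archive: extract it, "
                        "do not just rename it")
    elif kind != "elf":
        problems.append("file does not start with the ELF magic bytes")
    if len(data) != expected_size:
        problems.append("size is %d bytes, expected %d"
                        % (len(data), expected_size))
    if expected_md5 is not None:
        actual = md5_hex(data)
        if actual != expected_md5.strip().lower():
            problems.append("MD5 %s does not match the published value"
                            % actual)
    return problems


def preflight_file(path: str, **kwargs) -> List[str]:
    """Run preflight() on a file on disk."""
    with open(path, "rb") as fh:
        return preflight(fh.read(), **kwargs)


def pushed_bytes(adb_output: str) -> Optional[int]:
    """Extract the transferred byte count from adb push output, if present."""
    match = PUSH_LINE.search(adb_output)
    return int(match.group(1)) if match else None


def push_matches(adb_output: str, expected_size: int = EXPECTED_SIZE) -> bool:
    """True only when adb reported exactly the expected number of bytes."""
    return pushed_bytes(adb_output) == expected_size


# Constructed sample inputs: only the magic bytes and lengths are realistic.
RENAMED_ZIP = ZIP_MAGIC + b"\x00" * (2209 - len(ZIP_MAGIC))
UNZIPPED_BINARY = ELF_MAGIC + b"\x00" * (EXPECTED_SIZE - len(ELF_MAGIC))

if __name__ == "__main__":
    for label, blob in (("renamed zip", RENAMED_ZIP),
                        ("unzipped binary", UNZIPPED_BINARY)):
        issues = preflight(blob)
        print(label, "->", "OK" if not issues else "; ".join(issues))
    # The two adb push status lines quoted in the thread
    for line in ("1078 KB/s (2209 bytes in 0.002s)",
                 "26 KB/s (4751 bytes in 0.173s)"):
        print(line, "->", "match" if push_matches(line) else "size mismatch")
```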

I know you're probably not going to believe me when I tell you this, but I did unzip it; something must have gone wrong with the download/unzipping the first time. I re-downloaded it, checked the MD5 and unzipped it, and it worked great first try. Thank you so much for your help.

mpappas87 said:
I know you're probably not going to believe me when I tell you this, but I did unzip it; something must have gone wrong with the download/unzipping the first time. I re-downloaded it, checked the MD5 and unzipped it, and it worked great first try. Thank you so much for your help.
no problem, glad you got it sorted.

Some more questions:
What does step 5 do? Will it wipe my device? I used tibu to integrate a lot of apps into the stock rom and debloated a lot.
Will it just recopy the stock system?
What does the soffbin3 program do?

dcooterfrog said:
Some more questions:
What does step 5 do? Will it wipe my device? I used tibu to integrate a lot of apps into the stock rom and debloated a lot.
Will it just recopy the stock system?
What does the soffbin3 program do?
The process just s-off's your device. If followed properly, there will be no wipe etc.
Sent from my HTC6435LVW using Tapatalk 2

Permission denied when trying to obtain S-OFF
Trouble obtaining S-OFF
Been working on this a while now. I go slowly through each step up to the point where it asks to type in su and hit enter and this is what I see (in command prompt):
FAILED (status read failed (Too many links))
finished. total time: 7.001s
C:\Users\Joe\Desktop\Fireball>adb push soffbin3 /data/local/tmp/
26 KB/s (4751 bytes in 0.173s)
C:\Users\Joe\Desktop\Fireball>adb shell chmod 744 /data/local/tmp/soffbin3
C:\Users\Joe\Desktop\Fireball>adb shell
[email protected]:/ $ su
su
1|[email protected]:/ $ /data/local/tmp/soffbin3
/data/local/tmp/soffbin3
open: Permission denied
[email protected]:/ $
I'm going to guess that somehow it's not booting back into the stock rooted ROM with write privileges? I've tried going through this procedure 4 times to ensure I didn't type in anything wrong. Also, to confirm, I do have superCID:
(bootloader) Device CID is super CID
(bootloader) CID is super CID
(bootloader) Backup CID is empty
(bootloader) setting->cid::11111111
and I have made sure the soff binary file (is of course unzipped) but also 4751 bytes.
Any ideas what I'm doing wrong here? I really appreciate this detailed write up, I just don't think I'm doing something right. Thanks!

You don't seem to have root access when trying to run soffbin3.
When you issue the su command the prompt should go from $ to #
But it's staying $. So you either need to redo temp root or flash a custom recovery and flash an su zip.
Sent from my Nexus 7 using xda app-developers app

Incredible
Phenomenal work, thank you! Well written instructions and successful S-OFF of my device. I had no bizarre questions about what exactly a step meant. Let's just say good riddance to bad rubbish that comes from some of our friends.
and btw...Oh my gosh...I didn't need a specially sized microSD card to accomplish this

times_infinity said:
You don't seem to have root access when trying to run soffbin3.
When you issue the su command the prompt should go from $ to #
But it's staying $. So you either need to redo temp root or flash a custom recovery and flash an su zip.
Sent from my Nexus 7 using xda app-developers app
I don't understand temp root? The ROM I'm running is rooted, but when the phone is "temp rooted" I'm assuming you mean the phone lets you run commands as 'su' while running adb commands. If that's correct, that means according to this thread http://forum.xda-developers.com/showthread.php?t=2214653 - I would have to type this in ADB:
adb restore fakebackup.ab
adb shell "while ! ln -s /data/local.prop /data/data/com.android.settings/a/file99; do :; done" > NUL
then reboot when the command is finished and only THEN I have temp root and can finish with the facepalm instructions right before I go into adb shell?
I have dabbled around with adb commands for a while now but don't understand why, when I've got su.zip flashed on my phone and have root at the ROM level, I have to do this temp root? Please help me understand.
Right now my phone is stuck in the odd mode where only your notification bar appears and accepts no adb commands but does show up under "adb devices".
---------- Post added at 11:56 PM ---------- Previous post was at 11:24 PM ----------
times_infinity said:
You don't seem to have root access when trying to run soffbin3.
When you issue the su command the prompt should go from $ to #
But it's staying $. So you either need to redo temp root or flash a custom recovery and flash an su zip.
Sent from my Nexus 7 using xda app-developers app
After running the temproot adb commands shown in my previous post, this is a paste of my command prompt:
C:\Android\Inc4G>adb shell chmod 744 /data/local/tmp/soffbin3
C:\Android\Inc4G>adb shell
[email protected]:/ # su
su
[email protected]:/ # /data/local/tmp/soffbin3
/data/local/tmp/soffbin3
1|[email protected]:/ # exit
exit
1|[email protected]:/ # exit
exit
C:\Android\Inc4G>adb reboot bootloader
That time I did not get permission denied, but there was no pause whatsoever in the command and after rebooting into the bootloader I still have S-ON. Before I try something else I was wondering what might be happening?
---------- Post added 10th June 2013 at 12:09 AM ---------- Previous post was 9th June 2013 at 11:56 PM ----------
I just wanted to take a minute and thank everyone for this write up. After running through this process 3 full times, I've FINALLY gotten S-OFF on my Incredible4G. Thanks again for all your hard work!!

I was wondering if I could kindly get some assistance.
I keep getting the following error:
C:\WINDOWS\system32>fastboot flash zip 2.17.605.2_rom.zip
error: cannot load '2.17.605.2_rom.zip'
I am BL unlocked, supercid, running ViperROM.
I am not quite sure what I am doing wrong. I seemed to have followed the instructions to a tee.
Assistance is greatly appreciated!

Moved to troubleshoot forum.
Thread
Sent from my ADR6410LVW using xda app-developers app

Related

[Q] NOOB Alert Bootloader unlocked, Can't achieve perm root

Sorry for being such a noob. I've followed every instruction to the "T".
I've unlocked the bootloader from HTC with no problems. Then I ran OneClickRoot_1.1... it stated I had achieved Perm root. But no su binary is found. I tried to manually install Superuser from the market as well as busybox. I can't figure it out. I've researched these forums for hours. I also made sure phone was in "Charge only", usb debugging was enabled, and HTC Sync was closed.
Does this have anything to do with me accepting the OTA on Thursday, before I tried to root? Please help. I'll include the script from the OneClick.
Press any key to continue . . .
--- WAITING FOR DEVICE ---
--- Device Connected ---
Checking for previous attempts...
Pushing Zergrush...
2251 KB/s (23060 bytes in 0.010s)
Setting Permissions...
Gaining Perm Root (Aka running zergrush)...
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00000118
[*] Scooting ...
[*] Sending 149 zerglings ...
[*] Sending 189 zerglings ...
[-] Hellions with BLUE flames !
--- WAITING FOR DEVICE ---
--- Device Connected ---
Pushing Busybox
2592 KB/s (1075144 bytes in 0.405s)
Setting Permissions...
Remounting System...
mount: permission denied (are you root?)
Coping Busybox to /system/xbin/...
/system/xbin/busybox: cannot open for write: Read-only file system
Installing Busybox...
Unable to chmod /system/xbin/busybox: No such file or directory
Unable to chmod /system/xbin/busybox: No such file or directory
/system/xbin/busybox: not found
Installing Superuser...
failed to copy 'tools\su' to '/system/bin/su': Read-only file system
Unable to chmod /system/bin/su: No such file or directory
Unable to chmod /system/bin/su: No such file or directory
rm failed for /system/xbin/su, Read-only file system
link failed Read-only file system
failed to copy 'tools\Superuser.apk' to '/system/app/./Superuser.apk': Read-onl
file system
Removing tools That Was Pushed To Data...
Congrats You Are Now Perm Rooted...
Press any key to continue . . .
I assume this is the one click root NilsP posted? That one worked great for me. Make sure USB debugging is enabled and you have checked the box under applications to enable use of non-market apps.
If you continue to have issues, flash the AmonRa recovery via fastboot and under Developer Options you can choose to install superuser while in recovery.
You will have to flash Amon Ra recovery through fastboot. There is info about that in development thread. Read through first few pages of Amon Ra thread. Once you have recovery, boot it up from hboot, and then install su and superuser from development section in Amon Ra recovery. The only confusing part for me was preparing to flash Amon Ra thru Windows command prompt due to my inexperience. PM me for further assistance. Good luck. One click does not work for the OTA.
Thanks guys...wish me luck
Kbartley77 said:
Thanks guys...wish me luck
You should be able to put Amon Ra inside the same folder you just used for unlocking. Then use command:
Fastboot flash recovery (nameofrecoveryfilehere)
You will need to add .IMG to the file name for it to work.
Sent from my ADR6425LVW using Tapatalk
if you can't root using oneclickroot,
flash AmonRA recovery using cleanflash
then install su and superuser under Developer menu under AmonRA recovery.
Amonra Recovery: http://forum.xda-developers.com/showthread.php?t=1339679
Cleanflash: http://forum.xda-developers.com/showthread.php?t=1416791
Same Issue
feralicious said:
You should be able to put Amon Ra inside the same folder you just used for unlocking. Then use command:
Fastboot flash recovery (nameofrecoveryfilehere)
You will need to add .IMG to the file name for it to work.
Sent from my ADR6425LVW using Tapatalk
Hello, I am having the same issue. I use Clean Flash 1.0, and the image file from Amonra PH98IMG.zip. Everything says that it worked. I load SU through Recovery. No icon appears under Apps for superuser so I go to the market and load SuperUser. The first time I run Root Explorer the SuperUser image appears allowing me to grant approval. When I go into Terminal Emulator and type SU I am granted access. So I restart my phone and go back to Terminal Emulator, when I type SU I get Access Denied. The one thing that is stated here and in another thread is the part about "Fastboot flash recovery (recovery.img)". What is this and where is it done? Do you type it just as shown minus the quotes? Is that what I am missing and causing a permanent root to act like a temporary root?
Thank you for your help.
dnvm said:
Hello, I am having the same issue. I use Clean Flash 1.0, and the image file from Amonra PH98IMG.zip. Everything says that it worked. I load SU through Recovery. No icon appears under Apps for superuser so I go to the market and load SuperUser. The first time I run Root Explorer the SuperUser image appears allowing me to grant approval. When I go into Terminal Emulator and type SU I am granted access. So I restart my phone and go back to Terminal Emulator, when I type SU I get Access Denied. The one thing that is stated here and in another thread is the part about "Fastboot flash recovery (recovery.img)". What is this and where is it done? Do you type it just as shown minus the quotes? Is that what I am missing and causing a permanent root to act like a temporary root?
Thank you for your help.
go here
http://forum.xda-developers.com/showthread.php?t=1466474
I'm in the same boat.. I took the ota update and now I can't root. I tried going into cmd to flash the recovery img, and it says "cannot load recovery img" I also tried using clean flash 1.0 and I get the same thing "cannot load" and then the phone just boots in fastboot.. What could be the problem?
feralicious said:
You should be able to put Amon Ra inside the same folder you just used for unlocking. Then use command:
Fastboot flash recovery (nameofrecoveryfilehere)
You will need to add .IMG to the file name for it to work.
Sent from my ADR6425LVW using Tapatalk
Still not showing root. Any more ideas??
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\KC>cd c:\Android
c:\Android>Fastboot flash recovery recovery.img
sending 'recovery' (7062 KB)...
OKAY [ 1.430s]
writing 'recovery'...
OKAY [ 5.036s]
finished. total time: 6.467s
c:\Android
Kbartley77 said:
Still not showing root. Any more ideas??
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\KC>cd c:\Android
c:\Android>Fastboot flash recovery recovery.img
sending 'recovery' (7062 KB)...
OKAY [ 1.430s]
writing 'recovery'...
OKAY [ 5.036s]
finished. total time: 6.467s
c:\Android
c:/Android>fastboot flash recovery (name of recovery).img
Not recovery.img
Sent from my ADR6425LVW using xda premium
Alright I rebooted into Bootloader and selected recovery.
It put me into RA-Vigor-v3.0.6
Which option do I select?
-Reboot system now
-USB-MS Toggle
-Backup/Restore
-Wipe
-Partition
-Mounts
-Other
-Format Data
-Dev. Menu
-Power off
Please forgive me for my newbness.
Kbartley77 said:
Alright I rebooted into Bootloader and selected recovery.
It put me into RA-Vigor-v3.0.6
Which option do I select?
-Reboot system now
-USB-MS Toggle
-Backup/Restore
-Wipe
-Partition
-Mounts
-Other
-Format Data
-Dev. Menu
-Power off
Please forgive me for my newbness.
Developer menu if you're trying to achieve root. Then there is an option to install su and superuser. Select that then after that is done immediately reboot. You may or may not still have to download the superuser off the market and update it. I didn't but a lot of people reported having to do so.
I'm ROOTED!!!! Thank you everyone for your time and patience!!!
qudwis, thank you for responding. That Post is what I followed, but I do not see any way once in Fastboot where I can type "fastboot flash recovery recovery_signed.img". I restart my phone and I get to the screen where HBOOT and Fastboot are located. But there is no command line to type into. That is where I need the step by step to help me.
Thank you for your help.
dnvm said:
qudwis, thank you for responding. That Post is what I followed, but I do not see any way once in Fastboot where I can type "fastboot flash recovery recovery_signed.img". I restart my phone and I get to the screen where HBOOT and Fastboot are located. But there is no command line to type into. That is where I need the step by step to help me.
Thank you for your help.
You have to do this in Cmd, while the phone is in fastboot
Sent from my DROID RAZR using XDA App
dnvm said:
qudwis, thank you for responding. That Post is what I followed, but I do not see any way once in Fastboot where I can type "fastboot flash recovery recovery_signed.img". I restart my phone and I get to the screen where HBOOT and Fastboot are located. But there is no command line to type into. That is where I need the step by step to help me.
Thank you for your help.
You run those commands on your PC in a command/DOS prompt.

Help for rooting

Hello,
I've not posted on here for a bit.
Basically I'm wanting to put my HTC Flyer WiFi back to Gingerbread as Honeycomb is nowhere near as stable.
Not used the Flyer for a while because of this.
I have thought about this for a while and looked at rooting the Flyer but every time I look into it and find instructions I have more questions and seem to hit a brick wall at various stages.
As I am a complete noob and never rooted a device, can anyone help in a basic way.
Is the HTC dev root a good place to start?
Thanks, any help appreciated.
Sent from my HTC Sensation XE with Beats Audio Z715e using xda premium
/banned
Banned?
Sent from my HTC Sensation XE with Beats Audio Z715e using xda premium
Wrong section. Development is for developers to post their work (ROMs, mods, etc.). Development is not for posting of questions, or seeking basic help.
Post in Q&A.
JB1971 said:
As I am a complete noob and never rooted a device, can anyone help in a basic way.
Is the HTC dev root a good place to start?
Thanks, any help appreciated.
Sent from my HTC Sensation XE with Beats Audio Z715e using xda premium
Because I just rooted it recently, I can help you:-
Required downloads
1.First download the Gingerbread RUU.
2.If you don't have adb and fastboot on your PC
◦Get fastboot and adb tool for windows
3.Download universal misc_version and unzip to obtain the misc_version file.
4.Download tacoroot
5.Place both the misc_version and tacoroot.bin files in the same directory as adb
Procedure
1.Check the version number for your gingerbread RUU
RUU_Flyer_hTC_Asia_WWE_2.27.707.1_Radio_20.3504.30.089BU_3809.07.04.06_M_release_204905_signed
3.The version is 2.27.707.1
4.Boot your flyer up to android if it's not already on, with usb debugging enabled and connect it to the PC.
5.Run the following adb commands (in DOS prompt after install adb tools)
6.Code:
adb push tacoroot.bin /data/local/
adb push misc_version /data/local/
adb shell chmod 755 /data/local/tacoroot.bin
adb shell chmod 755 /data/local/misc_version
adb shell /data/local/tacoroot.bin --setup
7.At this point your device will reboot to recovery
8.Simultaneously press Volume Down and Power
9.Reboot your device
10.Run the following command
11.Code:
adb shell /data/local/tacoroot.bin --root
12.Your device will reboot, do not worry if it does not boot fully, it doesn't matter for this procedure, and it is a side effect of this root exploit.
13.Run the following command:
14.Code:
adb shell /data/local/misc_version -s 2.27.707.1
15.Note that the number in RED is the version number retrieved in step 1.
16.Reboot to fastboot:
17.Code:
adb reboot bootloader
Relock the bootloader:
18.Code:
fastboot oem lock
19.Go back to fastboot mode ( lock causes the device to reboot )
20.Run your RUU ( if on linux or mac, see other similar threads from me on how to RUU on those OSes )
This is what happened in the command prompt:-
What happened in the real case:-
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
D:\>cd download
D:\Download>cd flyer
D:\Download\Flyer>cd fastboot
D:\Download\Flyer\fastboot>adb push tacoroot.bin /data/local/
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
614 KB/s (14475 bytes in 0.023s)
D:\Download\Flyer\fastboot>adb push misc_version /data/local/
2489 KB/s (367096 bytes in 0.144s)
D:\Download\Flyer\fastboot>adb shell chmod 755 /data/local/tacoroot.bin
D:\Download\Flyer\fastboot>adb shell chmod 755 /data/local/misc_version
D:\Download\Flyer\fastboot>adb shell /data/local/tacoroot.bin --setup
TacoRoot: HTC Edition v1
By Justin Case (jcase)
Presented by TeamAndIRC, RootzWiki and AndroidPolice
With great assistance from Reid Holland (Erishasnobattery)
----------
TacoRoot: HTC Edition v1 is based on a vulnerability independently discovered by
both Justin Case and Dan Rosenberg (Rosenberg fist). I believe unrevoked and
AlpahRev were also aware of it.
----------
Usage:
--recovery : For this exploit to work, you must have booted recovery at least on
ce after your last factory reset.
--setup : Setup the phone for root, must be done before --root.
--root : Root the phone.
--undo : Remove TacoRoot.
----------
Rebooting into recovery, please press Volume+, Volume- and Power at the same tim
e, and reboot the system.
D:\Download\Flyer\fastboot>adb shell /data/local/tacoroot.bin --root
TacoRoot: HTC Edition v1
By Justin Case (jcase)
Presented by TeamAndIRC, RootzWiki and AndroidPolice
With great assistance from Reid Holland (Erishasnobattery)
----------
TacoRoot: HTC Edition v1 is based on a vulnerability independently discovered by
both Justin Case and Dan Rosenberg (Rosenberg fist). I believe unrevoked and
AlpahRev were also aware of it.
----------
Usage:
--recovery : For this exploit to work, you must have booted recovery at least on
ce after your last factory reset.
--setup : Setup the phone for root, must be done before --root.
--root : Root the phone.
--undo : Remove TacoRoot.
----------
Rebooting into root.
D:\Download\Flyer\fastboot>adb shell /data/local/misc_version -s 2.27.707.1
--set_version set. VERSION will be changed to: 2.27.707.1
Patching and backing up misc partition...
D:\Download\Flyer\fastboot>adb shell /data/local/misc_version -s 2.27.707.1
--set_version set. VERSION will be changed to: 2.27.707.1
Patching and backing up misc partition...
D:\Download\Flyer\fastboot>adb reboot bootloader
error: device not found
D:\Download\Flyer\fastboot>adb reboot bootloader
error: device not found
D:\Download\Flyer\fastboot>adb reboot bootloader
error: device not found
D:\Download\Flyer\fastboot>adb reboot bootloader
error: device not found
D:\Download\Flyer\fastboot>fastboot oem lock
... INFODevice was already locked!
OKAY [ 0.004s]
finished. total time: 0.005s
D:\Download\Flyer\fastboot>
Then I just run the RUU

[FAILURES] revone v0.2.1

Moderator note: Please feel very free to move this thread to a more appropriate forum. Thanks -- kmdm
Let's correlate the failures and try to find out what's going on.
You must be using revone v0.2.1
If revone fails for you, please detail the following information (don't clutter this thread or I simply won't bother looking through it ).
revone error code / description / symptom
Your CID (fastboot getvar cid)
Your HBOOT version (fastboot getvar version-bootloader)
Your software version (fastboot getvar version-main)
Your kernel version (adb shell uname -r)
If revone fails with error code (-1), the output of running this immediately after that: ./revone -P
Please feel free to include anything else that is obviously relevant but missing from the list.
(You may also post if you create and maintain a google docs spreadsheet of the information )
Thanks,
- kmdm
Hello, I am getting error code -1. Below is all my information. Also attached is the screenshot of the whole process:
CID : H3G__001
HBOOT : 1.44.0000
Software : 1.28.771.6
Kernel :3.4.10-gddcfb8c [email protected]#1 SMP PREEMPT
The output after running the -P command can be seen on the screenshot.
EDIT!!!
I just followed the very same instructions described by wideopen4ever and it worked for me too. I've been trying all day and on after the specific sequence with rebooting in that order worked for me!!!
revone failed (error code = -1)
cid: HTC__001
version-bootloader: 1.44.0000
version-main:
3.4.10-CM-g616ab68
revone successful - no need to reboot.
CID : HTC__622
HBOOT : 1.44.0000
Software : 1.29.708.4
Kernel :3.4.10-ge503309
./revone -s 0 -u
revone failed (error code = -1)
./revone -P
revone successful - no need to reboot
Flinny said:
revone failed (error code = -1)
cid: HTC__001
version-bootloader: 1.44.0000
version-main:
3.4.10-CM-g616ab68
revone successful - no need to reboot.
Have you guys tried to reboot after running the "revone - P" command? I notice that it said no need to reboot in cmd but revone instructions said you should reboot before running "revone -s 0 -u"
Sent from my HTC One using xda app-developers app
CID: H3G__001
HBOOT: 1.44.0000
Software Version: 1.28.771.6
Kernel version: 3.4.10
Code:
C:\sdk\platform-tools>adb push revone /data/local/tmp/
2851 KB/s (648208 bytes in 0.222s)
C:\sdk\platform-tools>adb shell
[email protected]:/ $ cd /data/local/tmp
cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 revone
chmod 755 revone
[email protected]:/data/local/tmp $ ./revone -P
./revone -P
revone v0.2.1
Gaining root access (thanks to Dan's motochopper)...[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
251|[email protected]:/data/local/tmp $
Hello.
thanks DLX support revone.
I use temproot M7_WLJ (HTC J One) revone.
>adb push revone /data/local/tmp/
>adb shell chmod 755 /datalocal/tmp/revone
>adb shell
$ ~~~~~temproot~~~~
# cd /data/local/tmp
# ./revone -P
>
...M7_WLJ is without permission reboot.
M7_WLJ info
CID:KDDI_801
HBOOT version : 1.52.0000
software : 1.05.970.1
kernel version : 3.4.10
thanks
failure on preparation step : ./revone-0.2.1 -P ==> "[-] Failed to map memory."...
After repeating "-P" command, the step succeeded, but when I try "s-off & Unlock" step, I get error code -1.
I tried "-s 0 -u" commands, without reboot AND with Reboot, but same result...
A part of my cmd prompt :
Code:
251|[email protected]:/data/local/tmp $ ./revone-0.2.1 -P
./revone-0.2.1 -P
revone v0.2.1
Gaining root access (thanks to Dan's motochopper)...[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
[-] Failed to map memory.
251|[email protected]:/data/local/tmp $ ./revone-0.2.1 -P
./revone-0.2.1 -P
revone v0.2.1
Gaining root access (thanks to Dan's motochopper)...Success.
revone successful - no need to reboot.
10|[email protected]:/data/local/tmp $ ./revone-0.2.1 -s 0 -u
./revone-0.2.1 -s 0 -u
revone v0.2.1
revone failed (error code = -1)
255|[email protected]:/data/local/tmp $
CID = ORANG202
HBOOT version = 1.44.0000
version-main = 1.28.73.7
kernel version = 3.4.10-gddcfb8c [email protected]#1 SMP PREEMPT
IMPORTANT EDIT :
VICTORYYYYYYYYYY !!!!!........ between each steps with success, I reboot phone with Power off button for 15seconds (soft-reset I think)...
@ kmdm and all the Revolutionary Team ; Thanks again for the good work ......
CID: HTC_044
version bootloader: 1.44.0000
version main: 1.29.707.17
kernel: 3.4.10-g4919859
./revone -s 0 -u
Gaining root access (thanks to Dan's motochopper)...Success.
revone failed (error code = -1)
./revone -P
revone failed (error code = 2)
CID : VODAP110
HBOOT : 1.44.0000
Software : 1.29.708.4
Kernel :3.4.10-ge503309
revone successful
Here are a few things I learned after getting some failures...
1. Update to the latest RUU available specifically for your variation
2. Unlock your bootloader
3. Flash recovery
4. Root (don't rely on revone built in root)
5. Disable Fast Boot in Power settings
6. Fully power down, boot back up
7. Run revone with su ( ex: su ./revone -P )
After that I have had no problems with the 10 or so I have done.
Thread closed on OP's request.
Any issues please report in the original thread

[Q] XT910 not rootable?

Hello,
I've tried to root a used XT910 i just bought for 3 days now but absolutely none of the methods that can be found are working.
The device already has android 4.1.2 flashed (982.124.14.XT910.Retail.en.EU).
It seems that all versions using a script (including the VirtualBox method, razrblade, razredge, EPRJ_EasyRoot_ICS, etc) try to access the /data partition via adb - but this mountpoint is not accessible on my device:
Code:
[email protected]_spyder:/ $ ls -l /data
opendir failed, Permission denied
and:
Code:
[email protected]_spyder:/ $ ls -l /data/local/l2m/batch
/data/local/l2m/batch: No such file or directory
file permissions on /data:
Code:
drwxrwx--x system system 2014-08-08 21:03 data
Any variant trying to load/patch via recovery also fails (installation aborted), the bootloader also cannot be unlocked:
Code:
# fastboot oem unlock
...
(bootloader) fastboot oem unlock disabled!
FAILED (remote: )
finished. total time: 0.006s
I'm using debian linux on all my computers, so i'm using adb and fastboot from the android-tools packages.
Any suggestions on how i can root the android install and/or unlock the bootloader so i can install cyanogenmod? Thanks!
r4p.t0x said:
Hello,
I've tried to root a used XT910 i just bought for 3 days now but absolutely none of the methods that can be found are working.
The device already has android 4.1.2 flashed (982.124.14.XT910.Retail.en.EU).
It seems that all versions using a script (including the VirtualBox method, razrblade, razredge, EPRJ_EasyRoot_ICS, etc) try to access the /data partition via adb - but this mountpoint is not accessible on my device:
Code:
[email protected]_spyder:/ $ ls -l /data
opendir failed, Permission denied
and:
Code:
[email protected]_spyder:/ $ ls -l /data/local/l2m/batch
/data/local/l2m/batch: No such file or directory
file permissions on /data:
Code:
drwxrwx--x system system 2014-08-08 21:03 data
Any variant trying to load/patch via recovery also fails (installation aborted), the bootloader also cannot be unlocked:
Code:
# fastboot oem unlock
...
(bootloader) fastboot oem unlock disabled!
FAILED (remote: )
finished. total time: 0.006s
I'm using debian linux on all my computers, so i'm using adb and fastboot from the android-tools packages.
Any suggestions on how i can root the android install and/or unlock the bootloader so i can install cyanogenmod? Thanks!
You can't unlock bootloader in our phones, that's a well known fact.
Did you look in the Settings/Security/Unknown sources, is it checked?
And usb debugging in Developer options must be checked also...
Sometimes mock locations must be On too...
Sent from my Razr XT910
welder73 said:
You can't unlock bootloader in our phones, that's a well known fact.
Did you look in the Settings/Security/Unknown sources, is it checked?
And usb debugging in Developer options must be checked also...
Sometimes mock locations must be On too...
Sent from my Razr XT910
Installation from unknown sources is allowed; usb debugging is active (otherwise i couldn't access the phone via adb?); mock locations wasn't active but this shouldn't change anything about the fact that /data/local/l2m doesn't exist and /data is not writeable, so all the script-based exploits won't work...
r4p.t0x said:
Hello,
I've tried to root a used XT910 i just bought for 3 days now but absolutely none of the methods that can be found are working.
The device already has android 4.1.2 flashed (982.124.14.XT910.Retail.en.EU).
It seems that all versions using a script (including the VirtualBox method, razrblade, razredge, EPRJ_EasyRoot_ICS, etc) try to access the /data partition via adb - but this mountpoint is not accessible on my device:
Code:
[email protected]_spyder:/ $ ls -l /data
opendir failed, Permission denied
and:
Code:
[email protected]_spyder:/ $ ls -l /data/local/l2m/batch
/data/local/l2m/batch: No such file or directory
file permissions on /data:
Code:
drwxrwx--x system system 2014-08-08 21:03 data
Any variant trying to load/patch via recovery also fails (installation aborted), the bootloader also cannot be unlocked:
Code:
# fastboot oem unlock
...
(bootloader) fastboot oem unlock disabled!
FAILED (remote: )
finished. total time: 0.006s
I'm using debian linux on all my computers, so i'm using adb and fastboot from the android-tools packages.
Any suggestions on how i can root the android install and/or unlock the bootloader so i can install cyanogenmod? Thanks!
You should try rootmaster software but it only works from microsoft windows.

[SOLVED] Unbricked! ('build.prop' mess; 'su' fails with EPERM )

See the next post for a solution!
BACKGROUND
OK. So, I had an HDX 8.9 with 14.3.2.6 all setup with towelroot, HDXposed, gapps, play store, etc.
I used to have SafeStrap on this also, but I kept running out of space; so, I got rid of it:- a foolish idea, no doubt.
Even without a ROM slot, I may have had a better chance at recovering using the built-in shell... Oh, well...
THE DEED [**SCARY**]
I was trying to follow this excellent guide -without thinking too much- )
Or, closer to the truth, I thought: I have root and I won't mess with the boot process; so, what could possibly go wrong?
So, I modded my build.prop:
Code:
>>> diff build.prop.orig build.prop
25,26c25,28
< ro.product.model=KFAPWI
< ro.product.brand=Amazon
---
> #ro.product.model=KFAPWI
> #ro.product.brand=Amazon
> ro.product.model=SM-G900F
> ro.product.brand=Samsung
32c34,35
< ro.product.manufacturer=Amazon
---
> #ro.product.manufacturer=Amazon
> ro.product.manufacturer=Samsung
AND, I also forgot to adjust permissions on the new build.prop.
Code:
[email protected]:/system $ ls -l /system/build.prop*
-rw-rw-rw- root root 5561 2014-12-14 14:52 build.prop
-rw-r--r-- root root 5475 2014-09-09 03:53 build.prop.orig
I rebooted and got a nasty surprise: not only does the screen go black after the grey Kindle Fire logo (which wasn't too surprising), but su fails as well with exit code 1 (EPERM :- permission denied)
Code:
>>> adb shell
[email protected]:/ $ su
1|[email protected]:/ $ ls -al /system/xbin/su
-rwsr-sr-x root root 71264 2014-11-27 16:00 su
Permissions on the binary look OK (the same as in my backup image).
In fact, su will run with the '-v' (or '-h') option, but seems to EPERM when trying to exec another command.
Code:
[email protected]:/ $ su -v
2.35:SUPERSU
STATUS
I do have a backup of the original build.prop.
I also made images of all the 20-something MMC partitions using dd.
The "brick" has adb access, and fastboot seems to work as well.
Unfortunately, the more obvious workarounds such as adb remount or fastboot boot KERNEL MODDED-RAMDISK do not help.
Interestingly, fastboot boot downloads the image before bailing out with "boot not allowed on locked hw" (or something very similar),
which _may_ (?perhaps?) allow for overflowing a buffer by messing with the fastboot protocol.. (just speculating)
While writing this up, I also tried to flash the backup of my system partition.
Code:
>>> fastboot -i 0x1949 flash system system.img
target reported max download size of 1073741824 bytes
Invalid sparse file format at header magi
erasing 'system'...
OKAY [ 0.020s]
sending sparse 'system' (1032534 KB)...
OKAY [ 32.464s]
writing 'system'...
FAILED (remote: flashing not allowed for locked hw)
finished. total time: 32.536s
Not only did this not work, it also got me fairly nervous as it claimed to have erased the system partition.
Luckily, that did not happen. After rebooting, the situation is the same: everything's still there, but su fails.
QUESTIONS
Do wrong permissions on build.prop alone result in such weird behavior? Or, is it more likely that the changes in content caused the lockdown?
Does 'factory reset' (from the recovery screen) fix anything in the system partition? Or, is that the same thing as Factory Reset in Settings, which clears userdata?
All the unbricking guides (specifically for build.prop mistakes) I've seen so far are based on a working su. Are there other options/exploits that could be useful?
Any chance that re-rooting might help? And, in that case, does anybody know about an adb-friendly rooting method for 14.3.2.6?
Any ideas I could try to unbrick my HDX?
Answers to my questions follow....
UNBRICKING
Learn about ghettoroot in this thread.
Code:
>>> wget 'http://forum.xda-developers.com/attachment.php?attachmentid=2924899&d=1409874318' -O ghettoroot-v0.2.2.zip
>>> unzip ghettoroot-v0.2.2.zip
>>> adb push ghettoroot/files/ghettoroot /data/local/tmp
>>> adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/ $ chmod 0755 ghettoroot
[email protected]:/ $ ./ghettoroot -n -m "1337 0 0 0 4 0" /system/bin/sh
# chmod 0644 /system/build.prop
# reboot
ANSWERS
Do wrong permissions on build.prop alone result in such weird behavior? Or, is it more likely that the changes in content caused the lockdown?
-- As it should be evident from the solution above, this whole nightmare was the result of the permissions being wrong; my HDX boots fine with the changed content.
Does 'factory reset' (from the recovery screen) fix anything in the system partition? Or, is that the same thing as Factory Reset in Settings, which clears userdata?
-- Thankfully, I didn't have to try this, but I do suspect that both ways to trigger Factory Reset will have the same effect.
All the unbricking guides (specifically for build.prop mistakes) I've seen so far are based on a working su. Are there other options/exploits that could be useful?
-- Well, most guides also explained that one might have to root the device first; my only issue was that the examples used old exploits that do not work on 14.3.2.6.
Any chance that re-rooting might help? And, in that case, does anybody know about an adb-friendly rooting method for 14.3.2.6?
-- In fact, this is the solution. As towelroot works on 14.3.2.6, I was trying to find a command-line version: that's what ghettoroot is.
Wonderfully over-engineered for just unbricking, and the modstring is preset to work on some obscure Samsung device, but a bit of fiddling is all that was necessary to get it to work on the HDX 8.9.
Any ideas I could try to unbrick my HDX?
-- As a matter of fact, I started to look into getting around the bootloader (as I thought I had lost root for good), and I have a much better clue where/how to get started.
The only problem is that I'm not exactly high on free cycles... In any case, if and when I get some time, I'll be loading the aboot image into IDA Pro...
These two -not completely unrelated- blog posts got me all excited..
draxie said:
Any ideas I could try to unbrick my HDX?
-- As a matter of fact, I started to look into getting around the bootloader (as I thought I had lost root for good), and I have a much better clue where/how to get started.
The only problem is that I'm not exactly high on free cycles... In any case, if and when I get some time, I'll be loading the aboot image into IDA Pro...
These two -not completely unrelated- blog posts got me all excited..
Last I heard, Dan's TrustZone exploit won't do any good for our devices.
EncryptedCurse said:
Last I heard, Dan's TrustZone exploit won't do any good for our devices.
Fair enough. No point wasting time on that track then...
Just out of curiosity, I ran strings on my aboot image (that's the level of complexity I had time for)
and got a few -for me- new and interesting tidbits such as evidence of embedded public keys (expected)
Code:
Production Kernel Key1
Lab1261
Amazon1
Lab126 Root CA 10
Engineering Key1
Lab1261
Amazon1 0
Lab126 Tablet Root CA 10
Unlock Key1
Lab1261
Lab126 Bootchain CA0
and possible indications of a "native" unlock command:
Code:
Unlock code is correct
Unlock code is NOT correct
unlock_code
Of course, any unlock code is likely to be signed by the private part of that "Unlock Key",
but there's hope that signature checking may be broken..
Wishful thinking, I know, but given that little kernel itself was vulnerable to an RSA padding attack (CVE-2014-0973),
I'd at least check if something similar might work for a "supported" unlock method (if such a thing now exists).
BTW, any clue if said padding attack may apply to our slate? All three public keys listed above have exponent 3 (see attachment); so, that part -at least- is fine. (-;
I'm not too inclined to test this as I'm unsure how I'd recover from a low-level boot error without a sane recovery partition...
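For readers following the "RSA padding attack" mentioned in the post above, this added example (not part of the thread, and not code from little kernel or Amazon's aboot) shows the signature check that this class of bug turns on: what a verifier does with the encoded block after the RSA public-key operation. It contrasts a lax forward parser with the strict whole-block comparison. The 2048-bit modulus, SHA-256 digest, all function names and the sample data are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EM_LEN   256  /* assumption: 2048-bit modulus */
#define HASH_LEN 32   /* assumption: SHA-256 digest */

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2). */
static const uint8_t PREFIX[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};
#define T_LEN (sizeof PREFIX + HASH_LEN)

/* Build the single valid encoding: 00 01 FF..FF 00 || PREFIX || hash. */
void build_em(uint8_t em[EM_LEN], const uint8_t hash[HASH_LEN])
{
    size_t ps_len = EM_LEN - 3 - T_LEN;  /* padding must fill the block */
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, PREFIX, sizeof PREFIX);
    memcpy(em + 3 + ps_len + sizeof PREFIX, hash, HASH_LEN);
}

/* Flawed pattern: walks forward through the block, never checks how long
 * the FF padding is and never checks that the digest ends the block. */
int verify_lax(const uint8_t em[EM_LEN], const uint8_t hash[HASH_LEN])
{
    size_t i = 2;
    if (em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < EM_LEN && em[i] == 0xff) i++;
    if (i >= EM_LEN || em[i] != 0x00) return 0;
    i++;
    if (EM_LEN - i < T_LEN) return 0;
    if (memcmp(em + i, PREFIX, sizeof PREFIX) != 0) return 0;
    return memcmp(em + i + sizeof PREFIX, hash, HASH_LEN) == 0;
}

/* Hardened pattern: rebuild the expected block and compare every byte,
 * so no byte of the block is left unconstrained. */
int verify_strict(const uint8_t em[EM_LEN], const uint8_t hash[HASH_LEN])
{
    uint8_t expected[EM_LEN];
    uint8_t diff = 0;
    build_em(expected, hash);
    for (size_t i = 0; i < EM_LEN; i++) diff |= em[i] ^ expected[i];
    return diff == 0;
}

/* Constructed test block: one padding byte, digest early, filler after. */
void make_malformed(uint8_t em[EM_LEN], const uint8_t hash[HASH_LEN])
{
    memset(em, 0x5a, EM_LEN);
    em[0] = 0x00; em[1] = 0x01; em[2] = 0xff; em[3] = 0x00;
    memcpy(em + 4, PREFIX, sizeof PREFIX);
    memcpy(em + 4 + sizeof PREFIX, hash, HASH_LEN);
}

/* Bit 0: lax accepts good, bit 1: strict accepts good,
 * bit 2: lax accepts malformed, bit 3: strict accepts malformed. */
int demo_results(void)
{
    uint8_t hash[HASH_LEN], good[EM_LEN], bad[EM_LEN];
    for (int i = 0; i < HASH_LEN; i++) hash[i] = (uint8_t)i; /* constructed */
    build_em(good, hash);
    make_malformed(bad, hash);
    return verify_lax(good, hash) | verify_strict(good, hash) << 1 |
           verify_lax(bad, hash) << 2 | verify_strict(bad, hash) << 3;
}

int main(void)
{
    int r = demo_results();
    printf("well-formed block: lax=%d strict=%d\n", r & 1, (r >> 1) & 1);
    printf("malformed block:   lax=%d strict=%d\n", (r >> 2) & 1, (r >> 3) & 1);
    return 0;
}
```

The bytes a lax parser leaves unchecked are what a small public exponent makes dangerous, so when auditing a boot-chain verifier the thing to confirm is that every byte of the decoded block is compared.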
