I installed the Z4 mod and ran it and it says my G-Tab is rooted. I have read that custom ROMs are pre-rooted. In my limited Linux experience, being root gives you total control over the machine. I ran Terminal Emulator and cd / to get me to the top of the file structure. I tried mkdir test and I was denied because the file system is read-only. Next I went into the system folder because a lot of stuff in there looks familiar. I again tried mkdir test and was denied because the file system is read-only. It would seem that to be root I would need a password, and Z4 didn't offer to give me one or let me set it. Thinking further, I wonder if the file system is mounted read-only and that is why I can't create a new directory. When I am running the ROM (Vegan) I can write there (understanding that I am writing to the sdcard that is mounted, presumably with RW access). So, what is all this rooting talk about then? What is the purpose of being root if you still do not have access to the file system?
You need Superuser.apk, as well. Think of Superuser as similar to Windows UAC, and rooting as making yourself an administrator. Even though you have root (admin) access, UAC (Superuser.apk) still needs to let you through.
You also need "root aware" apps. Perfect example is Titanium Backup and that's usually my "litmus test" for verifying if I really have root or not on a device.
Yup, in my limited rooting experience (Droid 1 and G-Tablet), after the process there was always a new icon in the app tray entitled "Superuser". I didn't have to install it separately; it showed up after the rooting process. If you don't have the Superuser app, I'm betting the root process was unsuccessful.
My memory tells me I had some problems with z4root rooting my tablet, and I had to do it a few times before it actually worked. That was back in December though, so I don't know if the current version of z4 is different from the one I used, and if so, whether the kinks were worked out...
So yeah, I probably helped none.
I always though z4root and Superuser were kind of a package deal.
I use them on my Cowon D3, as Cowon completely locks down their recovery process. boo to that.
rodzero,
With z4root you install it first. Then you install a file manager program like "Root Explorer" and when it comes up you click to "Allow" it. After that, you can go in through Root Explorer and create and change R/O to R/W as needed. Same with Titanium Backup: once you have "allowed" it you can do what you need to with the program.
Rev
More Investigation.
Thanks for the fast responses! I do have Superuser installed and it pops up from time to time when an app wants su access. Using Terminal Emulator, I worked my way into and what do I find but su! I ran su and was granted su rights in the terminal. I felt pretty smug, so I headed into the etc folder thinking I would make a simple change to the hosts file just to see if I could do it. I'm used to using nano in Ubuntu, but no nano here. I tried vi (which I really don't know how to use) and I got some strange display, but I don't think it was an editor. So, for the sake of closing the loop: if I wanted to edit the hosts file and add a new host, how would I do it? The Terminal Emulator now seems to be in the list to be granted su whenever I type it in. I know how to move around the file system. What kind of text editor would I invoke to actually alter the file? OK... I went and downloaded TED and worked my way back to the hosts file and added a line, but TED doesn't have su rights to save the file. So it looks like su exists, but I don't see how to run an app in su mode except for the terminal, where I can invoke it by a text command. What's the missing piece to get TED to ask for su access?
Just a guess, but TED needs to ask for elevation of privileges. It's probably an app issue.
Hey all,
I would just like to say I am new to this whole thing, and HAVE searched the forums, and found this link to be most helpful:
http://forum.xda-developers.com/showpost.php?p=12029729&postcount=12
I am merely trying to install the new Swype beta. I am currently trying to uninstall my current version of Swype; I have done the majority of the steps, and the only thing I am having trouble doing is giving the phone read/write access,
as when I try: mkdir /mnt/sdcard/swype_backup I get an error because it's a read-only file system.
I am using ADB; the first line of the post I linked to says to enable R/W access if you're using Root Explorer... but I am not, so how can I accomplish this through adb?
Am I missing something glaringly obvious?
Thanks for your time and patience
Edit: I believe adb is working to the extent it should... after I type in adb shell I do in fact get a '#' before each line.
It's all fixed. I re-did gladroot and now everything worked perfectly; not sure exactly why it wasn't before.
thanks anyways!
I have just updated my Prime and I had not rooted it on ICS. Is it possible to root JB without previous rooting?
No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
tonesy said:
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
lol, must be a joke.... dead link.
I have been actively pursuing this. Without a bootloader unlock, I don't believe so.
If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.
hx4700 Killer said:
lol, must be a joke.... dead link.
I have been actively pursuing this. Without a bootloader unlock, I don't believe so.
He posted a bad link, but it doesn't work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean
Thread moved. This clearly belongs in Q&A. Please post in the correct sub-forum.
peace
jotha - forum moderator
Does anyone know if one person with development capability is trying to find a way to root JB?
I talked to bin4ry about his root method in hopes of working with him on modifications for the Prime, but he is telling me his mod is making the change he is exploiting, according to what I am seeing, but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldn't get out of him what exactly his "restore timing exploit" is, but I understand everything after that.
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.
Perhaps we can turn this thread into, or possibly start a new one about, the different things people (devs and/or the technically savvy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
here's what I have found.
From the PC, creating an adb shell allows me to ls /data/local/tmp/, but from the tablet's terminal emulator (shell?) I can't.
Typing id from both, it becomes obvious why.
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
From the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an Android-supplied command called "run-as". Its limitations became obvious when I looked at the source code for it. You need an application package that is debuggable, and it cd's to its directory to run the command, and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid(), but they both failed no matter what value was plugged into them based on the UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debuggable and see what that yields, but it's looking like a convoluted process, especially considering that run-as may not work as intended on the Prime's JB.
PS: I want to state that I know precious little about Linux and even less about the Android layer above it...
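The two id outputs above make the point the poster is getting at. Here is an added example (written for this thread, not code from any of the posters or from AOSP) that parses both lines and shows what differs: neither shell is uid 0, and the adb shell only carries more supplementary groups. The eleven groups in the adb shell line are the fixed list that adbd hands to the shell user when it drops from root to uid 2000, so they are an artifact of adbd, not a sign of elevated privilege. The two id lines are copied from this thread with the line wraps joined; AID_APP = 10000 is the first application uid in AOSP.

```python
"""Compare the uid/gid/groups of two Android shells, as shown by id(1).

Neither of the quoted shells is root; the adb shell only has more
supplementary groups, because adbd hands them out when it drops from
uid 0 to uid 2000 (shell).
"""
import re

# Constructed input: the two id(1) lines quoted in this thread, line wraps joined.
ADB_SHELL_ID = (
    "uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),"
    "1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),"
    "3002(net_bt),3003(inet),3006(net_bw_stats)"
)
TERMINAL_APP_ID = (
    "uid=10126(u0_a126) gid=10126(u0_a126) "
    "groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)"
)

AID_ROOT = 0
AID_SHELL = 2000
AID_APP = 10000      # first uid handed to an installed application

_ENTRY = re.compile(r"(\d+)\((\w+)\)")


def parse_id(line):
    """Turn an id(1) line into {'uid': int, 'name': str, 'gid': int, 'groups': {name: gid}}."""
    uid = re.search(r"\buid=(\d+)\((\w+)\)", line)
    gid = re.search(r"\bgid=(\d+)\((\w+)\)", line)
    groups = re.search(r"\bgroups=(.*)$", line)
    if not (uid and gid and groups):
        raise ValueError("not an id(1) line: %r" % line)
    return {
        "uid": int(uid.group(1)),
        "name": uid.group(2),
        "gid": int(gid.group(1)),
        "groups": {name: int(num) for num, name in _ENTRY.findall(groups.group(1))},
    }


def is_root(info):
    """Only uid 0 is root; group memberships never add up to it."""
    return info["uid"] == AID_ROOT


def is_app_uid(info):
    """Installed apps get uids from AID_APP upwards; lower uids are system reserved."""
    return info["uid"] >= AID_APP


def extra_groups(a, b):
    """Group names present in shell a but not in shell b."""
    return set(a["groups"]) - set(b["groups"])


if __name__ == "__main__":
    adb = parse_id(ADB_SHELL_ID)
    app = parse_id(TERMINAL_APP_ID)
    print("adb shell is root:", is_root(adb), " terminal app is root:", is_root(app))
    print("groups adb shell has that the terminal app lacks:", sorted(extra_groups(adb, app)))
```

Running it lists graphics, input, log, mount, adb, net_bt_admin, net_bt and net_bw_stats as the groups the terminal app lacks, which is why /data/local/tmp (writable by the shell user) is reachable from adb but not from an app's shell. A terminal app is an ordinary app with uid 10126 and the groups its manifest permissions map to; only a working su binary gets either shell to uid 0.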
Just as an FYI, the way bin4ry's tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 into local.prop, then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.
Yes, I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
It would indeed be interesting to see if changing "qemu" flags it as a non-production build. My SGS is rooted with CM10 nightlies; I might try toggling the value on that and see what adb says.
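The two posts above describe the mechanism (local.prop with ro.kernel.qemu=1, reboot, root adb shell) and the "adbd cannot run as root in production builds" reply to adb root. The following is an added example, not from bin4ry's tool or from any poster, that re-expresses in Python the decision adbd makes at startup in the Jelly Bean era AOSP sources (should_drop_privileges() in adb.c and the adb root handler in services.c), so the two observations can be checked against each other offline. The build.prop contents are constructed. The allow_adbd_root argument models the ALLOW_ADBD_ROOT compile-time flag: later AOSP releases build adbd on user builds without it, and then the property trick cannot work regardless of local.prop. Whether init on a given device reads /data/local.prop at all is not modelled; that is exactly what the post asks a rooted user to confirm.

```python
"""Model of why ro.kernel.qemu=1 can turn an adb shell into a root shell.

Follows the Jelly Bean era AOSP adbd logic (adb.c should_drop_privileges()
and services.c restart_root_service()), re-expressed in Python.
Runs offline on constructed property files.
"""

# Constructed sample: read-only properties a production (user) build ships with.
BUILD_PROP = """\
ro.secure=1
ro.debuggable=0
ro.build.type=user
"""

AID_ROOT = 0
AID_SHELL = 2000


def parse_props(text):
    """Parse key=value lines (the format of build.prop and /data/local.prop)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def inject_qemu(local_prop_text):
    """Return local.prop contents with ro.kernel.qemu=1 set (idempotent).

    'ro.' properties can only be set once, at boot, so the file has to be in
    place before init reads it; that is why the trick ends with a reboot.
    """
    props = parse_props(local_prop_text)
    props["ro.kernel.qemu"] = "1"
    return "".join("%s=%s\n" % kv for kv in sorted(props.items()))


def effective_props(build_prop, local_prop=""):
    """init loads build.prop, then (on builds that honour it) /data/local.prop on top."""
    props = parse_props(build_prop)
    props.update(parse_props(local_prop))
    return props


def should_drop_privileges(props, allow_adbd_root=True):
    """True if adbd setuid()s to shell, False if it keeps uid 0.

    allow_adbd_root models the ALLOW_ADBD_ROOT compile flag: without it adbd
    always drops root, whatever the properties say.
    """
    if not allow_adbd_root:
        return True
    if props.get("ro.kernel.qemu", "") == "1":
        return False                      # "emulator": never drop root
    if props.get("ro.secure", "1") != "1":
        return False                      # insecure boot image: stay root
    if props.get("ro.debuggable", "") == "1" and props.get("service.adb.root", "") == "1":
        return False                      # userdebug build after `adb root`
    return True


def adbd_uid(props, allow_adbd_root=True):
    """The uid the adb shell ends up with under these properties."""
    return AID_SHELL if should_drop_privileges(props, allow_adbd_root) else AID_ROOT


def adb_root_response(props, current_uid):
    """What adbd answers to `adb root`."""
    if current_uid == AID_ROOT:
        return "adbd is already running as root"
    if props.get("ro.debuggable", "") != "1":
        return "adbd cannot run as root in production builds"
    return "restarting adbd as root"


if __name__ == "__main__":
    stock = effective_props(BUILD_PROP)
    print("stock: adbd uid", adbd_uid(stock), "/", adb_root_response(stock, adbd_uid(stock)))
    injected = effective_props(BUILD_PROP, inject_qemu(""))
    print("with local.prop: adbd uid", adbd_uid(injected))
    print("same, adbd built without ALLOW_ADBD_ROOT:", adbd_uid(injected, allow_adbd_root=False))
```

The model reproduces both observations: with stock properties adbd drops to uid 2000 and answers adb root with the "production builds" message, because that command only looks at ro.debuggable; with ro.kernel.qemu=1 layered on from local.prop, adbd never reaches that check and stays uid 0. The same qemu property also changes nothing if the device's adbd was compiled to always drop privileges, which is the first thing to rule out before spending time on the timing part of the exploit.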
Run-as
abazz said:
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an Android-supplied command called "run-as". Its limitations became obvious when I looked at the source code for it. You need an application package that is debuggable, and it cd's to its directory to run the command, and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid(), but they both failed no matter what value was plugged into them based on the UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
Yes. I noticed the permissions on that file as well. I'm not an Android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell, which we get via adb but not locally in the terminal).
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something like C4droid probably won't work, as its permissions are whatever group it (C4droid?) was assigned at install.
So, how does one / can one specify that the package is supposed to be root (uid 0)? I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a complete non-issue. But is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
elschemm said:
Yes. I noticed the permissions on that file as well. I'm not an Android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell, which we get via adb but not locally in the terminal).
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something like C4droid probably won't work, as its permissions are whatever group it (C4droid?) was assigned at install.
Yes, you are correct. The setresuid() function will not give you permissions greater than the process it's running in.
So, how does one / can one specify that the package is supposed to be root (uid 0)? I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a complete non-issue. But is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
It's worse than that: the package also has to be debuggable.
There is some info out there on how to sign a package with the appropriate system permissions, so it would be interesting to actually do this and see what, if anything, can be done.
I downloaded the ASUS unlock package and passed it through apktool to see what it does, as it obviously would need root access. As root access is all I require, the code it shows is irrelevant really; it's the fact that it gains root access with its signature and also the uid that is set in the manifest android.sharedUserID="adroid.uid.system". This and, most importantly, android.permission.MOUNT_UNMOUNT_FILESYSTEMS. Without these things we can't change anything in the directories we need.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Yes, that's what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a C program that uses the setresuid() function call, thereby bypassing the need to have an appropriate package installed. As it didn't work, I'm having doubts whether it would work even if the right package were there. run-as did make reference to package.h, which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I don't really see how this will work...
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
Yeah found the source here
I also searched for Linux exploits; there are massive lists of them, most of them patched by now, but I assume the Linux base in JB would be somewhat different from what's getting around on x86 systems.
On another note, I have tried bin4ry's "root many" method, using the restore timing exploit, but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It makes a symbolic link to the build.prop in com.android.settings...../file99, which was successful after pressing restore, but that's about it. Perhaps I should fire up Ubuntu and try the Linux script instead of the Windows .bat file.
Interestingly, this guy's root method for the Razr M makes use of run-as if you look at the batch file.
He is essentially doing a "fake package" install, then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the Droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU, and also implementing run-as.
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627
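The run-as discussion across the last few posts (debuggable package required, setresuid() failing from C4droid, the idea of signing a package as a system app) can be checked against the gate that AOSP's run-as applies before it switches uid. The block below is an added example, not from any poster or from AOSP itself: it re-expresses in Python the checks in system/core/run-as/run-as.c as they stood from Gingerbread through Jelly Bean, plus the POSIX rule that made the bare setresuid() experiment fail. The packages.list sample is constructed, with made-up package names and uids, in the four-field form of that era (package, uid, debuggable flag, data directory); later releases append fields, and the parser only reads the first four.

```python
"""Model of the gate in AOSP run-as (system/core/run-as/run-as.c, Gingerbread
through Jelly Bean era), plus the setresuid() rule behind the failed C4droid test.

Constructed sample input: a /data/system/packages.list in the four-field form
    <package> <uid> <debuggable 0|1> <data dir>
"""

AID_ROOT = 0
AID_SHELL = 2000
AID_APP = 10000

# Constructed sample; package names and uids are made up for the example.
PACKAGES_LIST = """\
com.android.settings 1000 0 /data/data/com.android.settings
com.example.debugapp 10126 1 /data/data/com.example.debugapp
com.example.release 10127 0 /data/data/com.example.release
"""


class RunAsError(Exception):
    """Carries the message run-as prints before exiting."""


def parse_packages_list(text):
    """Map package name -> {uid, debuggable, data_dir} from packages.list text."""
    pkgs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        name, uid, debuggable, data_dir = fields[:4]
        pkgs[name] = {"uid": int(uid), "debuggable": debuggable == "1", "data_dir": data_dir}
    return pkgs


def run_as_target(pkgname, caller_uid, packages):
    """Return (uid, data_dir) run-as would switch to, or raise RunAsError.

    run-as is setuid root only so it can *lower* itself to the package's uid;
    every branch below refuses or ends at an app uid >= AID_APP, never at 0.
    """
    if caller_uid not in (AID_SHELL, AID_ROOT):
        raise RunAsError("only 'shell' or 'root' users can run this program")
    info = packages.get(pkgname)
    if info is None:
        raise RunAsError("Package '%s' is unknown" % pkgname)
    if info["uid"] < AID_APP:
        raise RunAsError("Package '%s' is not an application" % pkgname)  # system uids refused
    if not info["debuggable"]:
        raise RunAsError("Package '%s' is not debuggable" % pkgname)
    # the real binary then chdir()s to data_dir and calls setresgid/setresuid(uid, uid, uid)
    return info["uid"], info["data_dir"]


def run_as_message(pkgname, caller_uid, packages):
    """Error text run-as would print, or None when the switch is allowed."""
    try:
        run_as_target(pkgname, caller_uid, packages)
    except RunAsError as e:
        return str(e)
    return None


def setresuid_permitted(current_ids, target, has_cap_setuid=False):
    """POSIX rule behind the failed setresuid() call: without CAP_SETUID a process
    may only set each of real/effective/saved uid to one of its current three."""
    if has_cap_setuid:
        return True
    return all(t in current_ids for t in target)


if __name__ == "__main__":
    pkgs = parse_packages_list(PACKAGES_LIST)
    print("debuggable app:", run_as_target("com.example.debugapp", AID_SHELL, pkgs))
    for name in ("com.android.settings", "com.example.release"):
        print("refused:", run_as_message(name, AID_SHELL, pkgs))
    # an app process (uid 10126) trying setresuid(0, 0, 0): no CAP_SETUID, so denied
    print("app -> root via setresuid:", setresuid_permitted((10126, 10126, 10126), (0, 0, 0)))
```

Two things fall out of the model. A package carrying android.uid.system is rejected before the debuggable check because its uid is below AID_APP, so signing a test package as a system app gains nothing from run-as. And a program compiled under an ordinary app uid has no CAP_SETUID, so setresuid() can only move between the uids the process already holds; the setuid-root bit on /system/bin/run-as is what lets run-as switch at all, and it only ever switches downward to an app's uid.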
I fear that only a few developers remain interested in finding a way to root the Transformer Prime with Jelly Bean, because all of them already had their tablets rooted with ICS and managed to maintain root across the upgrade.
I tried using kingo-root and kingroot, both on phone and on computer. I am not sure where to proceed from there, but i will say it got to around 90%. The reason I want to root is to disable the boot animation or startup sound(s), which is not usually disabled automatically when I have my phone on mute. I tried the sound disabler app, it seems to not be working (the startup sound still plays).
----------------------------------------------------------------------------------------------------
Well, I also noticed you can do a command get ver all, but it's going to require someone that has better phone skills than my own. Also try the command, while connected to the computer, "adb pull system" without the quotes; it got to 82% for me before it wouldn't write any more. I still have the files for system if anyone needs them for rewriting or porting in the bootloader. Also, by the way, I don't know if this will help, but I have got some of these; it may be helpful? It's in the pic.
Root Revvl Plus Coolpad
Hi, how do you root the Revvl Plus? How can I do it? Please help me, thankful.
TRY THIS
SmartPhoneDeveloper said:
I tried using kingo-root and kingroot, both on phone and on computer. I am not sure where to proceed from there, but i will say it got to around 90%. The reason I want to root is to disable the boot animation or startup sound(s), which is not usually disabled automatically when I have my phone on mute. I tried the sound disabler app, it seems to not be working (the startup sound still plays).
----------------------------------------------------------------------------------------------------
Well, I also noticed you can do a command get ver all, but it's going to require someone that has better phone skills than my own. Also try the command, while connected to the computer, "adb pull system" without the quotes; it got to 82% for me before it wouldn't write any more. I still have the files for system if anyone needs them for rewriting or porting in the bootloader. Also, by the way, I don't know if this will help, but I have got some of these; it may be helpful? It's in the pic.
Hi there,
Well, you can use various different methods of rooting your mobile; try using One-Click Root or any other rooting software.
As far as I have gotten but better than nowhere...
There's a file in the etc folder in the system folder at your root. Use Termux to run "cd /system/etc/", then "ls". You can see a unique file called xtra_root_cert.pem in that folder. Run "apt install joe", then "joe xtra_root_cert.pem". You can get the certificate hash from the text displayed. That is as far as I have gotten. Lord knows what to do with it. It's some sort of password to unlock the root, I think... Maybe not, but highly likely. Any devs know what to do with it or how to use it?
WatchYerBak said:
There's a file in the etc folder in the system folder at your root. Use Termux to run "cd /system/etc/", then "ls". You can see a unique file called xtra_root_cert.pem in that folder. Run "apt install joe", then "joe xtra_root_cert.pem". You can get the certificate hash from the text displayed. That is as far as I have gotten. Lord knows what to do with it. It's some sort of password to unlock the root, I think... Maybe not, but highly likely. Any devs know what to do with it or how to use it?
That would be an SSL certificate.
Any news about rooting this?
I saw a log in a forum where MAGISK SU was running on the phone...