>>>>>>>> REQUIRES working adb shell <<<<<<<<<<<
1. Download this zip, and extract its contents to /sdcard/extracted/rootED01/ (Root Explorer, which is not required, will do this by default when you click Extract All)
2. For each of the two STEP.txt files (in the zip and copied below), open an 'adb shell' and paste its contents into your shell.
Includes:
+ instructions, with pasteable root and unroot
+ Superuser.apk
+ su
+ busybox
+ rage.bin
CREDITS:
* adrynalyne for his version of busybox.
* 743C for rageagainsthecage exploit binary.
* ChainsDD for Superuser.apk
* Eousphoros on droidforums for his very similar guide.
********
Most people will prefer to use Super OneClick root. I only wrote this guide in response to finding this, and hoping that I could indeed get terminal emulator to root.
Unfortunately, I could find no way to change the permissions of the copied rage.bin without using adb. If anyone can find a way around this for froyo, I would love to hear about it!
I decided to post this guide anyway. At least it's a manual root that works with the official ED01 froyo update. If there is interest, I will go into detail about installing ADB, etc.
rootED01.zip
MD5: e97913f3bed5283c89d5b755a66f28e5
SHA-1: ab87ad372d0f9ba9d1d5043175953e91bdef77f3
# >>>>>>>>>> STEP ONE <<<<<<<<<<<<<
# Note: This path must match the files you extracted!
export ROOT_TOOLS=/sdcard/extracted/rootED01
cd $ROOT_TOOLS
cat rage.bin >/data/local/tmp/rage.bin
cd /data/local/tmp
chmod 777 rage.bin
./rage.bin
echo "Rage.bin will be done applying root. Reopen shell in 10 seconds."
# >>>>>>>>> STEP TWO <<<<<<<<<<<
# Do not procede with this step until you see a # in newly opened shell.
# Note: This path must match the files you extracted!
export ROOT_TOOLS=/sdcard/extracted/rootED01
# mount /system for writing & copy su & busybox
mount -o rw,remount /dev/block/stl9 /system
cd $ROOT_TOOLS/xbin
cat su >/system/xbin/su
cat busybox >/system/xbin/busybox
cd /system/xbin
chmod 4755 su
chmod 4755 busybox
#install Superuser
cd $ROOT_TOOLS/app/
cat ./Superuser.apk >/system/app/Superuser.apk
reboot now
# >>>>>>>>>> UNROOT <<<<<<<<<<<<
# get root
su
# mount /system for writing
mount -o rw,remount /dev/block/stl9 /system
#delete su & busybox
rm /system/xbin/su
rm /system/xbin/busybox
# delete Superuser.apk
rm /system/app/Superuser.apk
# delete other clutter
rm /data/local/tmp/rage.bin
# Once you reboot, the last of your root will be gone
mount -o ro,remount /dev/block/stl9 /system
This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self. REMEMBER I DO THIS FOR FUN, please respect the thread as well as others opinions
OLD UPDATES AT THE END OF THIS POST.
First off if you haven’t read the wiki yet to know what is currently in the device you should look here.
Also you should look at the http://www.nooktabletdev.orgfor information on the Nook Tablet Development process. - Thanks to dj_segfault
Rooting ScriptsWindows: Root, OTA block, De-bloat, Gapps Thanks to Indirect
Mac/Linux: Rooting script Thanks to t-r-i-c-k
Mac/Linux: Root,OTA Block, Gapps
CURRENT PROGRESS
adb connection: COMPLETE
adb root: COMPLETE
busybox:COMPLETE
permanent root: COMPLETE BY INDIRECT
GApps and Market: COMPLETE BY INDIRECT & Anlog
recovery mode: COMPLETE BY nemith
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
THANKS TO NEMITH
bootloader: Locked and Signed Irrelevant
uboot: CRACKED BY BAUWKS
THANKS TO BAUWKS
Loglud said:
bauwks method uses the flashing_boot.img to his advantage, and since it is not checked by security, effectively he has made an insecure uboot. While this is not an unlocked bootloader, it is a way to get around the security, and enable custom recovery and higher level processes to be run.
I have been looking at this line of code for a long time, and as im sure hkvc and bauwks saw it is a large (but 100% necessary) flaw:
distro/u-boot/board/omap4430sdp/mmc.c: 559 : setenv ("bootcmd", "setenv setbootargs setenv bootargs ${sdbootargs}; run setbootargs; mmcinit 0; fatload mmc 0:1 0x81000000 flashing_boot.img; booti 0x81000000");
Without this line of code, it would be impossible for any one but the factory whom could JTAG flash (but since it is secured, most likely they also have to make a flashing_boot.img).
Click to expand...
Click to collapse
12/9/11:
UBUNTU is here, thanks to ADAMOUTLER
http://www.youtube.com/watch?v=PwUg17pVWBs&hd=1
Keep in mind this is only an overlay verson but it is prof that one day we might be able to push roms and kernels over existing ones, then hijack then (next work) and then use them.
Please PM me or post if you know anything else, and or want to add anything.
Usefull threads
Usefull threads:
ROOTING:
Full root for Nook Tablet. [11/20/11] [Yes this is a permanent root!] Thanks to indirect
Noot Tablet - Easy root & Market on MAC (1 download, 1 script to run) Thanks to t-r-i-c-k
[Windows/Linux] Unroot and uninstall gApps for the nook tablet [Scripts] Thanks to indirect
MODS to Default Rom:
[Full Mod + Root + OTA block] Snowball-mod: Full Modification Root [1/6/2012] Thanks to cfoesch
[DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! Thanks to [DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! 1 Attachment(s) (Multi-page thread 1 2 3 ... Last Page)
Originally Posted By: diamond_lover
Kernels:Coming Soon
ROMS:Coming Soon
APPS:
[Tutorial][WIP] Installing alternative Keyboards on the NT. Thanks to robertely
[DEV] - HomeCatcher Redirect n Button to any Launcher Thanks to gojimi
Hidden Settings App Updated 12/30/11 Thanks to brianf21
Replacement SystemUI.apk v2: Permanent back and menu buttons, n as Home button Thanks to revcompgeek
DEVELOPMENT:
[Dev]Files of interest in the system Thanks to indirect
[REF] Nook Tablet Source Code Thanks to diamond_lover
BHT Installer (Basic Hacking Tools) Thanks to AdamOutler
[Stock Firmware]Restore Barnes & Nobel Nook 1.4.0 from SDCard Thanks to AdamOutler
Guides
Table of Contents
Enableing adb Connection (eab1)
Rooting using zergRush (rug2)
Installing busyboxy (ibb3)
Permanent root (pr4) THANKS TO INDIRECT
Installing GApps (aga5) THANKS TO ANLOG
Full system restore/wipe (fsr6) THANKS TO INDIRECT
Enableing adb Connection (eab1)
Install the andriod SDK that is required for your Operating system.
NOTE: This will requries the SDK, and JDK both of which can be downloaded by clicking the links, downloading and installing it.
Run the andriod SDK Manager and Install "Andriod SDK Platform-tools"
[*]Modify your adb_usb.ini file to read such as the following:
Code:
# ANDROID 3RD PARTY USB VENDOR ID LIST -- DO NOT EDIT.
# USE 'android update adb' TO GENERATE.
# 1 USB VENDOR ID PER LINE.
0x2080
This will be in your /home/{username}/.andriod/ folder for mac and linux
This will be in your C:/Users/{username}/.andriod folder for Windows.
ADB is now enabled for your device, however it is not ON your device. YOU MUST DO THIS EVERY TIME YOU WISH TO ADB INTO YOUR DEVICE.
[*]To do this you will need to download any app, and attempt to install it.
You can use this app if you need.
[*]Click on the Package Installer, and then a prompt will pop up asking if you want change the settings to allow 3rd party apps.
*DO NOT ENABLE IF YOU WISH TO ACCESS ADB*
I am working on a way to have it enabled by default.
[*]In the settings page you should see *2* USB Debuggin modes.
[*]Press them both and accept the prompt.
[*]PLUG IN YOUR DEVICE.
Note* You should see the Android Development icon on the bottom of the screen.
ADB will now be able to see your device. How ever you will need to restart the server before it sees it.
Rooting using zergRush (rug2)
This is for the poeople whom have access to adb. You will also need this file. Unzip the file.
Type in the following command (while in the folder with the zergRush Binary):
Code:
adb push ./zergRush /data/local
[*]Once thats installed run this:
Code:
adb shell chmod 777 /data/local/tmp
[*]And lastly:
Code:
adb shell /data/local/zergRush
[*]You are now rooted (only for this reboot)
Installing busyboxy (ibb3)
You will need root and the following busybox file.
Type in the following command while in the location where busy box was downloaded to:
Code:
adb push ./busybox /data/local
[*]Busybox works by calling binaries from a file outside of /system/bin/. We must make this file by issuing the following command:
Code:
adb shell mkdir /data/busybox
[*]Lets make sure we can install busybox without permission probles:
Code:
adb shell chmod 777 /data/local/busybox
[*]Next install busybox in the folder:
Code:
adb shell /data/local/busybox --install
[*]We now need to take the /system/folder, and mount it as a writeable folder:
Code:
adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
[*]Link it into bin:
Code:
adb shell ln -s /data/local/busybox /system/bin/busybox
You now have busybox installed
Permanent root (pr4)
THANKS TO INDIRECT for Files and Scripts
We will need SU and Superuser.apk
First we need to install the Superuser.apk:
Code:
adb wait-for-device install Superuser.apk
adb remount
[*]Next lets go ahead and push the su application up to the /data/local/ folder
Code:
adb push su /data/local/
[*]Next we will need to change the permissions and cp su from the /data/local/ folder to the /system/bin/
Code:
adb shell chmod 4755 /data/local/su;mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system;busybox cp /data/local/su /system/bin
Installing GApps (eab1)
THANKS TO ANALOG and INDIRECT for Scripts
First things first we need to download the GAPPS. The most reacent one is this one or get the most recent one here.
[*] Unzip and navigate to the most root folder of that package in your shell.
[*]We need to verify that adb is booting into root. To do this we can issue the command:
Code:
adb shell id
If id doesn't return root then you will need to re-zergRush your device
[*]Now it is time for us to export the apps to the directories.
Code:
adb shell mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system
adb push system/app/CarHomeGoogle.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/app/FOTAKill.apk /system/app/
adb shell chmod 644 /system/app/FOTAKill.apk
adb push system/app/GenieWidget.apk /system/app/
adb shell chmod 644 /system/app/GenieWidget.apk
adb push system/app/GoogleBackupTransport.apk /system/app/
adb shell chmod 644 /system/app/GoogleBackupTransport.apk
adb push system/app/GoogleCalendarSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleCalendarSyncAdapter.apk
adb push system/app/GoogleContactsSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleContactsSyncAdapter.apk
adb push system/app/GoogleFeedback.apk /system/app/
adb shell chmod 644 /system/app/GoogleFeedback.apk
adb push system/app/GooglePartnerSetup.apk /system/app/
adb shell chmod 644 /system/app/GooglePartnerSetup.apk
adb push system/app/GoogleQuickSearchBox.apk /system/app/
adb shell chmod 644 /system/app/GoogleQuickSearchBox.apk
adb push system/app/GoogleServicesFramework.apk /system/app/
adb shell chmod 644 /system/app/GoogleServicesFramework.apk
adb push system/app/LatinImeTutorial.apk /system/app/
adb shell chmod 644 /system/app/LatinImeTutorial.apk
adb push system/app/MarketUpdater.apk /system/app/
adb shell chmod 644 /system/app/MarketUpdater.apk
adb push system/app/MediaUploader.apk /system/app/
adb shell chmod 644 /system/app/MediaUploader.apk
adb push system/app/NetworkLocation.apk /system/app/
adb shell chmod 644 /system/app/NetworkLocation.apk
adb push system/app/OneTimeInitializer.apk /system/app/
adb shell chmod 644 /system/app/OneTimeInitializer.apk
adb push system/app/Talk.apk /system/app/
adb shell chmod 644 /system/app/Talk.apk
adb push system/app/Vending.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/etc/permissions/com.google.android.maps.xml /system/etc/permissions/
adb push system/etc/permissions/features.xml /system/etc/permissions/
adb push system/framework/com.google.android.maps.jar /system/framework/
adb push system/lib/libvoicesearch.so /system/lib/
Now you have GApps installed from Anlog's. All Credits go to him and Indirect
Full system restore/wipe (fsr6)
THANKS TO INDIRECT
WARNING THIS WILL WIPE YOUR ENTIRE FILESYSTEM!!!
Go into adb shell or terminal emulator.
Issue command:
Code:
echo -n '0000' > /bootloader/BootCnt
Next reboot your device by conventional methods or issue:
Code:
reboot
Your nook will now restart and tell you it is resetting.
You now have a clean slate!
Got some links for howto's on the adb connection/root.
Yeah - if someone has details on how to adb connect and root, it'd be helpful to include links. I've yet to see specifics for either.
Reserved
Sent from Tapatalk, NOOK Color CM7 Nightly's!
I aplogize im still typing them up
Damn loglud, I ended up beating you to the root lol. Sorry about that! D:
The Droid 2 and Droid X had locked bootloaders with the 'e-fuse' and Koush got around them and installed CWM with this...
http://www.koushikdutta.com/2010/08/droid-x-recovery.html
What do you guys think? I don't have a NT yet to try anything (probably won't get one until sometime around x-mas).
l
Indirect said:
Damn loglud, I ended up beating you to the root lol. Sorry about that! D:
Click to expand...
Click to collapse
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?
Loglud said:
l
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?
Click to expand...
Click to collapse
Superoneclick...love!
Sent from my Nook Tablet using Tapatalk
Loglud said:
l
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?
Click to expand...
Click to collapse
Not at all so long as you give proper credits.
Loglud said:
This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self.
First off if you haven’t read the wiki yet to know what is currently in the device you should look here.
CURRENT PROGRESS
adb connection: COMPLETE
adb root: COMPLETE
busybox: COMPLETE
permanent root: IN PROGRESS
bootloader: Locked and Signed
By the bootloader being locked and signed it is very difficult to design anything that will boot besides nook roms. In order to solve this some of the Devs have suggested the following:
kexec: RESEARCHING
2nd init: RESEARCHING
CWM: NOT STARTED
Please PM me or post if you know anything else, and or want to add anything.
Click to expand...
Click to collapse
hopefully it is cracked soon cause i dont want to buy this if i can't have a full custom rom, all of the verizon motorola phones run roms off of 2nd init and it just isnt the same to be honest. you can never run a full custom rom with second init(well you can but you have to build the rom to fit the kernel) and honestly i want my device to be mine
you should tweet cvpcs or someone who makes and maintains 2nd init roms to get more info on it though
Can't get busybox installed
I'm stuck... I get errors for #3 for busybox... errors like...
Code:
$ adb shell /data/local/busybox --install
busybox: /data/busybox/[: No such file or directory
busybox: /data/busybox/[[: No such file or directory
busybox: /data/busybox/addgroup: No such file or directory
.....
busybox: /data/busybox/yes: No such file or directory
busybox: /data/busybox/zcat: No such file or directory
busybox: /data/busybox/zcip: No such file or directory
So I logged into root via adb shell, set busybox permissions to execute and tried that but same messages?!
Also, adb won't let me 'remount' - (I thought i'd try to copy it direct to /system/bin)?
(I'm running from OSX, if that matters)
EDIT: and of course I'm getting...
Code:
$ adb shell ln -s /data/local/busybox /system/bin/busybox
link failed Read-only file system
$ adb remount
remount failed: Operation not permitted
kgingeri said:
I'm stuck... I get errors for #3 for busybox... errors like...
Code:
$ adb shell /data/local/busybox --install
busybox: /data/busybox/[: No such file or directory
busybox: /data/busybox/[[: No such file or directory
busybox: /data/busybox/addgroup: No such file or directory
.....
busybox: /data/busybox/yes: No such file or directory
busybox: /data/busybox/zcat: No such file or directory
busybox: /data/busybox/zcip: No such file or directory
So I logged into root via adb shell, set busybox permissions to execute and tried that but same messages?!
Also, adb won't let me 'remount' - (I thought i'd try to copy it direct to /system/bin)?
(I'm running from OSX, if that matters)
EDIT: and of course I'm getting...
Code:
$ adb shell ln -s /data/local/busybox /system/bin/busybox
link failed Read-only file system
$ adb remount
remount failed: Operation not permitted
Click to expand...
Click to collapse
Sorry it took me so long to get back to you. I have updatd my guide to help you out. First of you will need to make the busybox directory, then change the permissions of the binary file, then run the install. You will then have to mount -rw
Still some glitches installing busybox...
Loglud said:
Sorry it took me so long to get back to you. I have updatd my guide to help you out. First of you will need to make the busybox directory, then change the permissions of the binary file, then run the install. You will then have to mount -rw
Click to expand...
Click to collapse
Thanks Loglud, but I still had trouble using adb. It's like I don't have root from adb? I get permission errors on mkdir and remounting etc?
Weird that the 'adb shell mkdir /data/busybox' gave me permission errors?! It did work fine with the interactive adb shell - weird!?
After the initial 'push' command, I could install via:
Code:
mac-osx$ adb shell
$ su root
# cd /data/local
# chmod 755 busybox
# ls -l
-rwxr-xr-x shell shell 1745016 2011-11-21 00:21 busybox
# mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
# mkdir ../busybox
# ./busybox --install
Also, is the line:
Code:
# ln -s /data/local/busybox /system/bin/busybox
not supposed to be
Code:
# ln -s /data/busybox /system/bin/busybox
Things went weird on me in the final step, but I did manage to get all the hard linked busybox files to show up in /system/bin eventually, so I'm a happy camper.
EDIT: PS my mount on data is as follows..
Code:
# mount|grep /data
/dev/block/platform/mmci-omap-hs.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,data=ordered 0 0
EDIT2:
Hmmm... seems like maybe my /data folder has weird permissions - if so not sure why?...
Code:
# cd /
# ls -l | grep '\<data\>'
drwxrwx--x system system 2011-11-21 18:25 data
# chmod 777 data
kgingeri said:
Thanks Loglud, but I still had trouble using adb. It's like I don't have root from adb? I get permission errors on mkdir and remounting etc?
Weird that the 'adb shell mkdir /data/busybox' gave me permission errors?! It did work fine with the interactive adb shell - weird!?
After the initial 'push' command, I could install via:
Code:
mac-osx$ adb shell
$ su root
# cd /data/local
# chmod 755 busybox
# ls -l
-rwxr-xr-x shell shell 1745016 2011-11-21 00:21 busybox
# mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
# mkdir ../busybox
# ./busybox --install
Also, is the line:
Code:
# ln -s /data/local/busybox /system/bin/busybox
not supposed to be
Code:
# ln -s /data/busybox /system/bin/busybox
Things went weird on me in the final step, but I did manage to get all the hard linked busybox files to show up in /system/bin eventually, so I'm a happy camper.
EDIT: PS my mount on data is as follows..
Code:
# mount|grep /data
/dev/block/platform/mmci-omap-hs.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,data=ordered 0 0
EDIT2:
Hmmm... seems like maybe my /data folder has weird permissions - if so not sure why?...
Code:
# cd /
# ls -l | grep '\<data\>'
drwxrwx--x system system 2011-11-21 18:25 data
# chmod 777 data
Click to expand...
Click to collapse
ok so whats happening? i modified the guides and i was hopping that would help you. The command is
Code:
# ln -s /data/local/busybox /system/bin/busybox
and as for your permissions it seems as though your root since your in the # shell but, you have to change the permissions on your /system folder not the /data folder the permsisions on the data file should be fine since i think shell is a member of system, so you can put all your data in there.
Loglud said:
ok so whats happening? i modified the guides and i was hopping that would help you. The command is
Code:
# ln -s /data/local/busybox /system/bin/busybox
and as for your permissions it seems as though your root since your in the # shell but, you have to change the permissions on your /system folder not the /data folder the permsisions on the data file should be fine since i think shell is a member of system, so you can put all your data in there.
Click to expand...
Click to collapse
Yeah, I'm root in the 'adb shell' because I 'su root' but adb commands fail from the Mac shell. I'll reboot my NT and give you the script. My /data permissions get reset when I reboot...
Here you are as it happens
MBAir$ ls busybox
busybox
MBAir$ adb push ./busybox /data/local
2881 KB/s (1745016 bytes in 0.591s)
MBAir$ adb shell mkdir /data/busybox
mkdir failed for /data/busybox, Permission denied
Of course there is no point continuing until I do the following...
MBAir$ adb shell
$ su root
# chmod 777 /data
# exit
$ exit
MBAir$ adb shell mkdir /data/busybox
MBAir$ adb shell chmod 777 /data/local/busybox
MBAir$ adb shell /data/local/busybox --install
MBAir$ adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
mount: Operation not permitted
To get around the last error, I had to do another 'adb shell', 'su root' and do 'ln' commands manually.
(I actually ran a shell 'for loop' on the tablet, using all files found in /data/busybox as a list and issued ln commands for each against a copy of busybox in /system/bin)
kgingeri said:
Yeah, I'm root in the 'adb shell' because I 'su root' but adb commands fail from the Mac shell. I'll reboot my NT and give you the script. My /data permissions get reset when I reboot...
Here you are as it happens
MBAir$ ls busybox
busybox
MBAir$ adb push ./busybox /data/local
2881 KB/s (1745016 bytes in 0.591s)
MBAir$ adb shell mkdir /data/busybox
mkdir failed for /data/busybox, Permission denied
Of course there is no point continuing until I do the following...
MBAir$ adb shell
$ su root
# chmod 777 /data
# exit
$ exit
MBAir$ adb shell mkdir /data/busybox
MBAir$ adb shell chmod 777 /data/local/busybox
MBAir$ adb shell /data/local/busybox --install
MBAir$ adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
mount: Operation not permitted
To get around the last error, I had to do another 'adb shell', 'su root' and do 'ln' commands manually.
(I actually ran a shell 'for loop' on the tablet, using all files found in /data/busybox as a list and issued ln commands for each against a copy of busybox in /system/bin)
Click to expand...
Click to collapse
re run zergRush exploit. your adb shell is defaulting to the shell username. by rerunning the zergy you will allow for yourself to use the adb shell as root. make sure you dont run it as the root user though. you are also more then welcome to hop in irc and ask questions.
Any one having difficulty rooting or see anything that needs to be updated?
I Rooted my New SONY XPERIA TABLET S SGPT121US ICS 4.0.3
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Guide to Root your Xperia Tablet S!! ATTENTION: I am not responsible if you brick or damage your device, use at your OWN RISK!!
Files you need:
All in one Xperia Tablet root.zip
OR
ADB Tools
SonyTabletICS-2.zip
Superuser-3.1.3-arm-signed.zip
VpnFaker.apk (Attachment)
ATTENTION: For those who are not using the US firmware, the attached VpnFaker.apk may not be suitable for your tablet.
Please follow these steps(click me) to resign the VpnFaker.apk. Thanks to WonderEkin
***Pls Execute the command line by line***
Unzip those files into a dir, Open cmd console, cd to that dir
Run the following command and press Restore on your tablet
Code:
Code:
adb restore settings.ab
Check the result
Code:
Code:
adb shell ls -ld /data/data/com.android.settings/a
[COLOR="Green"]drwxrwxrwx system system a[/COLOR]
And continue, ignore the "rm -r a" permission denied error
Code:
Code:
adb shell
cd /data/data/com.android.settings
rm -r a
while : ; do ln -s /data a/file99; done
While the loop is running, open another cmd console and run
Code:
Code:
adb restore settings.ab
Once the restore process is completed, you can press CTRL+C on the 1st cmd console to break the loop
Check the /data permission
Code:
Code:
adb shell ls -ld /data
[COLOR="Green"]drwxrwxrwx system system data[/COLOR]
Then continue
Code:
Code:
adb push busybox /data/local/tmp
adb push rootkit.tar.gz /data/local/tmp
adb push Superuser.apk /data/local/tmp
adb push su /data/local/tmp
adb shell
cd /data/local/tmp
chmod 755 busybox
./busybox tar zxf rootkit.tar.gz
exit
Push the resigned VpnFaker.apk(resign by ZipSigner 2) and update the timestamp
Code:
Code:
adb push VpnFaker.apk /data/local/tmp
adb shell
touch -t 1346025600 /data/local/tmp/VpnFaker.apk
exit
Now, replace the VpnDialogs (ignore "cp: can't open 'system/xxxxxxx': Permission denied" while you execute "/data/local/tmp/busybox cp -r system system2")
Code:
Code:
adb shell
cd /data
/data/local/tmp/busybox cp -r system system2
/data/local/tmp/busybox find system2 -type f -exec chmod 666 {} \;
/data/local/tmp/busybox find system2 -type d -exec chmod 777 {} \;
mv system system-
mv system2 system
mv app app-
mkdir app
mv /data/local/tmp/VpnFaker.apk /data/app
Make sure the datatime is 2012/08/27 00:00
Code:
Code:
TZ=0 ls -l /data/app
[COLOR="green"]-rw-r--r-- shell shell 198580 2012-08-27 00:00 VpnFaker.apk[/COLOR]
Generate the packages.xml
Code:
Code:
/data/local/tmp/busybox sed -f /data/local/tmp/packages.xml.sed system-/packages.xml > system/packages.xml
And double check the result
Code:
Code:
/data/local/tmp/busybox grep vpndialogs system/packages.xml
[COLOR="green"]<updated-package name="com.android.vpndialogs" codepath="/system/app/VpnDialogs.apk" nativelibrarypath="/data/data/com.android.vpndialogs/lib" flags="1" ft="136f14be668" it="136f14be668" ut="136f14be668" version="15" shareduserid="1000">
<package name="com.android.vpndialogs" codepath="/data/app/VpnFaker.apk" nativelibrarypath="/data/data/com.android.vpndialogs/lib" flags="1" ft="1396560b400" it="1396560b400" ut="1396560b400" version="45" shareduserid="1000">[/COLOR]
Exit adb shell and reboot, you should see something like "Android is updating" during startup.
Code:
Code:
exit
adb reboot
Start the injected Terminal Emulator
Code:
Code:
adb shell am start -n com.android.vpndialogs/.Term
In Terminal Emulator
Code:
Code:
id
You should see the uid is 1000(system)
Still in the Terminal Emulator, ignore the script error
Code:
Code:
/data/local/tmp/onload.sh
/data/local/tmp/onload2.sh
Now back to the cmd console
Code:
adb shell
/dev/sh
id
Check the uid is 2000(shell)
And
Code:
Code:
chown 0.0 /data/local/tmp/_su
chmod 6755 /data/local/tmp/_su
/data/local/tmp/_su
id
Check the root access uid 0(root)
Backup /system (you may just skip it)
Code:
Code:
dd if=/dev/block/mmcblk0p3 of=/mnt/sdcard/system.ext4 bs=128K
Copy su & Superuser.apk to /system
Code:
Code:
/data/local/tmp/busybox mount -o rw,remount /system
/data/local/tmp/busybox cp /data/local/tmp/_su /system/xbin
chown 0.0 /system/xbin/_su
chmod 6755 /system/xbin/_su
/data/local/tmp/busybox cp /data/local/tmp/su /system/xbin
chown 0.0 /system/xbin/su
chmod 6755 /system/xbin/su
/data/local/tmp/busybox cp /data/local/tmp/Superuser.apk /system/app
/data/local/tmp/busybox mount -o ro,remount /system
sync
exit
Check the /system _su is working or not
Code:
Code:
_su
id
Should be uid 0(root)
And move the original /data/app & /data/system back (the original steps will keep the VpnFaker.apk, but i skip it)
Code:
Code:
cd /data
mv app app2
mv app- app
mv system system2
mv system- system
exit
exit
Reboot your tab
Code:
adb reboot
Now, your Sony Xperia Tablet S ICS 4.0.3 should be rooted.
Credits Yupandra2012 for link to Original Root Method.
& WonderEkin for his Translation from Japanese to English.
I have the Sony Tablet S and this is as far as I can get:
c:\SonyTablet>adb shell
[email protected]:/ $ cd /data
cd /data
[email protected]:/data $ /data/local/tmp/busybox cp -r system system2
/data/local/tmp/busybox cp -r system system2
cp: can't open 'system/entropy.dat': Permission denied
cp: can't open 'system/batterystats.bin': Permission denied
cp: can't open 'system/users/userlist.xml': Permission denied
cp: can't open 'system/users/0.xml': Permission denied
cp: can't open 'system/accounts.db': Permission denied
cp: can't open 'system/accounts.db-journal': Permission denied
cp: can't open 'system/called_pre_boots.dat': Permission denied
cp: can't open 'system/wallpaper_info.xml': Permission denied
cp: can't open 'system/appwidgets.xml': Permission denied
1|[email protected]:/data $
Any ideas?
This Thread is for Xperia Tablet S, but anyways you ignore this error and complete the rest of the steps, I had the same error, ignored it and it worked for me.
Another road block:
c:\STS>adb shell
[email protected]:/ $ cd /data
cd /data
[email protected]:/data $ /data/local/tmp/busybox cp -r system system2
/data/local/tmp/busybox cp -r system system2
cp: can't open 'system/entropy.dat': Permission denied
cp: can't open 'system/batterystats.bin': Permission denied
cp: can't open 'system/users/userlist.xml': Permission denied
cp: can't open 'system/users/0.xml': Permission denied
cp: can't open 'system/accounts.db': Permission denied
cp: can't open 'system/accounts.db-journal': Permission denied
cp: can't open 'system/called_pre_boots.dat': Permission denied
cp: can't open 'system/wallpaper_info.xml': Permission denied
cp: can't open 'system/appwidgets.xml': Permission denied
1|[email protected]:/data $ /data/local/tmp/busybox find system2 -type f -exec chmod
666 {} \;
d system2 -type f -exec chmod 666 {} \; <
[email protected]:/data $ /data/local/tmp/busybox find system2 -type d -exec chmod 7
77 {} \;
system2 -type d -exec chmod 777 {} \; <
[email protected]:/data $ mv system system-
mv system system-
[email protected]:/data $ mv system2 system
mv system2 system
[email protected]:/data $ mv app app-
mv app app-
[email protected]:/data $ mkdir app
mkdir app
[email protected]:/data $ mv /data/local/tmp/VpnFaker.apk /data/app
mv /data/local/tmp/VpnFaker.apk /data/app
[email protected]:/data $ TZ=0 ls -l /data/app
TZ=0 ls -l /data/app
-rw-rw-rw- shell shell 200436 2012-08-27 00:00 VpnFaker.apk
[email protected]:/data $ /data/local/tmp/busybox sed -f /data/local/tmp/packages.xm
l.sed system-/packages.xml > system/packages.xml
tem-/packages.xml > system/packages.xml <
/system/bin/sh: cannot create system/packages.xml: Permission denied
1|[email protected]:/data $ /data/local/tmp/busybox grep vpndialogs system/packages.
xml
p vpndialogs system/packages.xml <
<package name="com.android.vpndialogs" codePath="/system/app/VpnDialogs.apk" nat
iveLibraryPath="/data/data/com.android.vpndialogs/lib" flags="1" ft="138eb7f41b0
" it="138eb7f41b0" ut="138eb7f41b0" version="15" sharedUserId="1000">
[email protected]:/data $ exit
exit
c:\STS>adb reboot
c:\STS>adb shell am start -n com.android.vpndialogs/.Term
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Starting: Intent { cmp=com.android.vpndialogs/.Term }
Error type 3
Error: Activity class {com.android.vpndialogs/com.android.vpndialogs.Term} does
not exist.
c:\STS>
There were a few things that didn't match up along the way as well...
I am lost...
same here:
adb shell am start -n com.android.vpndialogs/.Term
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Starting: Intent { cmp=com.android.vpndialogs/.Term }
Error type 3
Error: Activity class {com.android.vpndialogs/com.android.vpndialogs.Term} does
not exist.
Do you type this in?
Code:
while : ; do ln -s /data a/file99; done
Now, can you please upload a system dump of Xperia Tablet S?
Thanks!
Guys the error you are facing means missing terminal emulator is not installed on your device. make sure you have terminal emulator downloaded and installed from Google play. Also note you will face errors with the onload scripts using the emulator just ignore it and resume normally.
could you upload the terminal emulator?
zorbakun said:
Guys the error you are facing means missing terminal emulator is not installed on your device. make sure you have terminal emulator downloaded and installed from Google play. Also note you will face errors with the onload scripts using the emulator just ignore it and resume normally.
Click to expand...
Click to collapse
I am a user in China,and my tablet S cant's download any app from googleplay.Can you upload the terminal emulator?
Thank you very much.
txiangyang said:
I am a user in China,and my tablet S cant's download any app from googleplay.Can you upload the terminal emulator?
Thank you very much.
Click to expand...
Click to collapse
The Vpnfaker.apk has already injected with terminal emulator. Moreover, all installed apps will temporary missing during the process.
as WonderEkin pointed out, people with problem (Error: Activity class {com.android.vpndialogs/com.android.vpndialogs.Term} does
not exist.) don't have the US version of the device hence They will need to re-sign the VpnFaker.apk as described here and start all over again from the beginning.
Guide has been updated to reflect the same.
Credits to WonderEkin
This method works like a charm. Yay for rooted Tablet S!
Thank you so much!
I was getting this:
adb shell am start -n com.android.vpndialogs/.Term
Starting: Intent { cmp=com.android.vpndialogs/.Term }
Error type 3
Error: Activity class {com.android.vpndialogs/com.android.vpndialogs.Term} does not exist.
I have a Tablet S, US Tablet, US Firmware, what am I suppose to do with the VpnFaker.apk?
"ATTENTION: For those who are not using the US firmware, the attached VpnFaker.apk may not be suitable for your tablet.
Please follow these steps(click me) to resign the VpnFaker.apk. Thanks to WonderEkin"
Not clear to me...
Is this only for new xperia tab s or does it work for the old tab s?
WOW so fast ..
Even though Sony Xperia Tablet S ain't Global out there yet ..
Great Job .
typo86 said:
I was getting this:
adb shell am start -n com.android.vpndialogs/.Term
Starting: Intent { cmp=com.android.vpndialogs/.Term }
Error type 3
Error: Activity class {com.android.vpndialogs/com.android.vpndialogs.Term} does not exist.
I have a Tablet S, US Tablet, US Firmware, what am I suppose to do with the VpnFaker.apk?
"ATTENTION: For those who are not using the US firmware, the attached VpnFaker.apk may not be suitable for your tablet.
Please follow these steps(click me) to resign the VpnFaker.apk. Thanks to WonderEkin"
Not clear to me...
Click to expand...
Click to collapse
If you don't have the US version of the tablet, then you may need to re-sign the VpnFaker.apk, but since you own the US version, then no need to resign it. just make sure you follow the procedure carefully one step at a time, and if possible have terminal emulator installed on your tab as well.
Roscobigfoot said:
Is this only for new xperia tab s or does it work for the old tab s?
Click to expand...
Click to collapse
Check this thread for old Sony Tablet S.
SWFlyerUK said:
Do you type this in?
Code:
while : ; do ln -s /data a/file99; done
Click to expand...
Click to collapse
Yes you do.
Still no luck...
Tried it both ways, followed instructions and I still end up here:
adb shell am start -n com.android.vpndialogs/.Term
Starting: Intent { cmp=com.android.vpndialogs/.Term }
Error type 3
Error: Activity class {com.android.vpndialogs/com.android.vpndialogs.Term} does not exist.
US old Tablet S, US Firmware...Is there anyone with a US tablet that has been able to root this way?
Now you can use my new All in one Xperia Tablet Root.zip for easier process, just extract it to an easy path like C:/Xperia root/ then open CMD pointing to the same path and Follow the guide in the first page.
I'm trying to root my german Motorola Moto G using a superboot image. This topic is very new for me so I followed the Instructions of Mikael Q Kuisma using the original boot.img from the stock ROM. In addition I want to have my image to install a superuser App. So I registered a service in the `init.rc` file which just runs the installer shell script. I register the service like this:
Code:
service installsu /system/bin/sh /superuser/install.sh
class main
user root
group root
oneshot
As far as i understood this service is run once as root when all other services of the class main are run. Am I right?
The superuser app I want to install is the one from Koushik Doutta. My install.sh script looks like this:
Code:
#!/system/bin/sh
mount -o remount,rw /system
chattr -i /system/bin/su
chattr -i /system/xbin/su
rm -f /system/bin/su
rm -f /system/xbin/su
rm -f /system/app/Superuser.*
rm -f /system/app/Supersu.*
rm -f /system/app/superuser.*
rm -f /system/app/supersu.*
rm -f /system/app/SuperUser.*
rm -f /system/app/SuperSU.*
cp /superuser/su /system/xbin/su
chown 0:0 /system/xbin/su
chmod 6755 /system/xbin/su
ln -s /system/xbin/su /system/bin/su
cp /superuser/Superuser.apk /system/app
chmod 644 /system/app/Superuser.apk
chattr -i /system/etc/install-recovery.sh
cp /superuser/install-recovery.sh /system/etc/install-recovery.sh
chmod 755 /system/etc/install-recovery.sh
touch /system/etc/.installed_su_daemon
mount -o remount,ro /system
This is basically the update-android script from the archive but without all the conditionals.
"ls -l" inside the superuser folder gives:
Code:
-rw-rw-r-- 1 root root 44 Nov 30 22:18 install-recovery.sh
-rwxr-x--- 1 root root 737 Jan 7 11:29 install.sh
-rwxr-xr-x 1 root root 283084 Nov 30 22:25 reboot
-rwxr-xr-x 1 root root 311872 Nov 30 22:25 su
-rw-rw-r-- 1 root root 2025538 Nov 30 22:25 Superuser.apk
I think this are the correct permissions?!
The image splitting tool of Mikael Q Kuisma warned me that a different version of mkbootimg was used to create the original boot image an suggested which variables I had to change in the source code. I did this and compiled my own version. The unmkbootimg tool also gave me the complete command including parameters to build the new image. I used it without any modifications.
Finally, the problem: It doesn't root my phone.
It seems like the installer script is never run, because I can't find the su binary using "adb shell ls /system/xbin/". Also the phone does not boot directly into Android. It shows me the Motorola logo, turns black, shows the unlock warning, shows boot animation and then Android is loaded. I don't have a reboot command inside the script, so shouldn't it boot straight to Android when I boot with "fastboot boot <new boot.img>"?
Is it possible to get kernel logs without being root?