Hello everyone
This week I finally got my first android phone ever. Panasonic's P-06D which currently only sells in Japan.
I'm a medicore tech-freak and I like to have full access on my gadgets, so I thought about rooting it.
Here comes the problem (or rather - question):
Has anyone of you successfully rooted the P-06D or heard from it? I can't find anything on xda-developers, neither did Google (com and co.jp) result anything useful. Here's what I already tried:
- I have tried several one-click root tools like SuperOneClick, but that just froze on me.
- I looked into some batch scripts for automatic rooting. I get the adb shell but I every time I try to push busybox, su or debugfs to /data/local/12m, I get a permission error. (failed to copy 'su' to '/data/local/12m': Permission denied)
The P-06D runs Android ICS 4.0.4 - Build number 09.0708. If you need more details, just say so!
Is there anything I've completely missed or are there just no existing rooting for the P-06D?
Thanks for reading and have a nice day!
I have just updated my Prime and I did not have rooted it with ICS. Is possible to root JB without previous rooting?
No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
tonesy said:
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
Click to expand...
Click to collapse
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.
If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.
hx4700 Killer said:
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.
Click to expand...
Click to collapse
He posted a bad link but doesnt work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean
Thread moved
Thread moved. This is clearly belonging into Q&A. Please post in correct Sub-Forum.
peace
jotha - forum moderator
Does any one know if one person with development capabilty is trying to find a way to root JB ?
I talked to bin4ry about his root method in hopes of working with him on modifications for the prime but he is telling me his mod is making the change he is exploiting according to what I am seeing but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldnt get out of him what exactly his "restore timing exploit" is but I understand everthing after that
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.
Perhaps we can turn this thread into, or possibly start a new one about the different things people(devs and/or the technically savy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
here's what I have found.
from the PC, creating an adb shell allows me to ls /data/local/tmp/ but from a tablet's terminal emulator (shell?) I cant.
Typing id from both it becomes obvious why
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009
(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt)
,3003(inet),3006(net_bw_stats)
from the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw), 1028(sdcard_r),
3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debugable and see what that yeilds but its looking like a convoluted process, espicially considering that run as may not work as intended on prime's JB
PS I want to state that I know precious little about linux and even less about the android layer above it...
Just as an FYI the way bin4rys tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 in to local.prop then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.
yes I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
it would indeed be interesting to see if changing "qemu" flags it as a non-production build. My sgs is rooted with CM10 nightlies might try toggling the value on that and see what adb says
Run-as
abazz said:
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
Click to expand...
Click to collapse
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
elschemm said:
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
Click to expand...
Click to collapse
Yes you are correct. setresuid() function will not give you permissions greater than the process its running in
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Click to expand...
Click to collapse
Its worse than that, the package also has to be debuggable
There is some info out there on how to sing a package with the appropriate system permissions so it would be interesting to actually do this and see what, if anything can be done.
I downloaded the asus unlock package and passed it through the apk tool to see what it does, as it obviously would need root access. As root access is all i require the code it shows is irrelevant really, its the fact that it gains root access with its signature and also the uid that is set in the manifest android.sharedUserID="adroid.uid.system". This and, most importantly android.permission.MOUNT_UNMOUNT_FILESYSTEMS. WIthoput these things we cant change anything in the directories we need
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Click to expand...
Click to collapse
Yes thats what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a c program that uses the setresuid() function call thereby bypassing the need to have an appropriate package installed. As it didn't work I'm having dounts whether it would work even if the right package was there. run-as did make reference to package.h which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I dont really see how this will work...
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
Click to expand...
Click to collapse
Yeah found the source here
I also searched for linux exploits, there are massive lists of them, most of them patched by now but I assume the linux base in JB would be somewhat different to whats getting around on X86 systems
On anather note I have tried bin4ry's "root many" method , using the restore timing exploit but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It make a symbolic link to the build.prop in com.android.settings...../file99, which was succesfull after pressing restore but thats about it. perhaps I should fire up ubuntu and try the linux script instead of the windows .bat file
Interestingly, this guys root method for the Razr M makes use of Run-as if you look at the batch file.
He is essentially doing a "fake package" install then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU and also implimenting run-as
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627
I fear that remained a few developers interested in finding a way to root transformer prime with jelly bean, because all of them had tablet already rooted with ics and managed in mantaining rooting across upgrade.
Have a strange one I don't know how to fix. Purchased a Pyle PTBL102BCD tablet for the Mrs. to use basically as an ebook reader (according to About, running 4.2.2). When it came in I started sideloading apps to prepare it for her (I do not have a Google account), and searched on the Net about rooting the device. Found a one-click that worked with a different Pyle tablet, so I gave it a shot.
Now I have root access _only_ through the adb shell. None of the apps (including Superuser.apk itself as tested by updating /system/bin/su) can get root access, yet I have no problem running root through an adb shell - remounted file systems, even performed an su which is the only instance Superuser.apk's log shows. Root access in the shell remains between reboots, so it's not a temporary root.
If the adb shell has root, I _should_ be able to use it to grant access to everything else, and I've followed a few different "manual" root instructions (having different permission settings for su and busybox), with no joy. So long as I connect with a USB cable and type on the Windows machine, I'm god. On the tablet itself...not so much.
I hope that someone with a more intimate knowledge of Android internals can point me in the right direction for achieving root completely. Currently have Titanium Backup and ConnectBot (long java errors when I attempt to su there) installed to test root, Superuser v3.1.3 and su v3.1.1. Permissions on su are -rwsr-sr-x. And the human is confused.
Did you get anywhere with this? I have the same problem. What one-click did you use?
mfurlend said:
Did you get anywhere with this? I have the same problem. What one-click did you use?
Click to expand...
Click to collapse
Side note; REALLY hate the new forum software. With all the untrusted Google and Amazon javascript (which my company firewalls), it's a pain for me to even log in let alone post replies. (And I wonder if I'm the only person in the world sick to death of all the unnecessary ajax garbage...)
Anywho, used Kingo, rooted and unrooted a few times, until I finally acquired complete root on the thing. Once I did, I could run Samba, and once that worked, I could more easily transfer files and apks to the tablet.
Still don't understand why it was left in such a...weird...state - having root by default in adb is just a scary thing!
thanks for the information. I tried doing that but I encountered various problems. Eventually, after trying to do it manually, I totally screwed up the device. Now it won't boot.. I still have access to adb. I need to flash this thing. Do you know what the stock ROM is?
mfurlend said:
Do you know what the stock ROM is?
Click to expand...
Click to collapse
No...I can give you the Kernel version info (3.0.36+ [email protected] #48) and build number (rk3168_k11_4.2.2_v20131230), but other than that no clue.
Hi.
I'm having trouble rooting my tablet, as the thread heading says. I'll give the spec's and then tell more about what I've attempted to root it already. First, this is an Envizen V100MDT1409010035, although it only really cares to call itself V100MDT. I've found only 1 other hyper-obscure thread about rooting a cousin-product of this device, and to my memory it was very well not worth the while. This is running a quad-core arm-based system. This silly little thing likes to complain that it's only in production build, so it won't allow adb to run as root on it to give me the access that I'd need to root it manually by forcing down that Superuser.apk and Su binary. Even though this odd little thing does have the su binary on it at /system/xbin/su, it still has one heck of a time executing it. It can't. It keeps giving a return code of 255 for some reason, so I tried downloading chainfire's su binary for the arm processor off of his website and found that the web link was broken, since I was just going to upload it, change the permissions, and execute the binary, right? Well, turns out that it can't even run properly. I've thought about custom compiling the su binary for my tablet, buuuuuuuuut I don't know how. At all. Right now it's just sitting here, on my laptop, leeching power. Currently, I'm running Linux Mint 17 with KDE here, no dual boot, and the laptop can't recognize the Device under the USB storage form, but it can under Media device (MTP) form. I read on another forum here that if I changed ro.debuggable=0 to ro.debuggable=1 in the /default.prop file, then I'd be able to run adb as root. Well, that's failed to crap, since that file and my /system folder are "basically" locked into read-only mode.
I've had a long day trying to get this crazy website to work after completing part of a formal lab for school.
I wasted 20 minutes trying to get my browser to work with the damn captcha on this website.
What I have in front of me is a brick that can play videogames.
Help before I explode.
Duplicate
My apologies, this is a duplicate for the thread "[Q] Need Help Rooting Obscure Tablet."
Hi.
I'm having trouble rooting my tablet, as the thread heading says. I'll give the spec's and then tell more about what I've attempted to root it already. First, this is an Envizen V100MDT1409010035, although it only really cares to call itself V100MDT. I've found only 1 other hyper-obscure thread about rooting a cousin-product of this device, and to my memory it was very well not worth the while. This is running a quad-core arm-based system. This silly little thing likes to complain that it's only in production build, so it won't allow adb to run as root on it to give me the access that I'd need to root it manually by forcing down that Superuser.apk and Su binary. Even though this odd little thing does have the su binary on it at /system/xbin/su, it still has one heck of a time executing it. It can't. It keeps giving a return code of 255 for some reason, so I tried downloading chainfire's su binary for the arm processor off of his website and found that the web link was broken, since I was just going to upload it, change the permissions, and execute the binary, right? Well, turns out that it can't even run properly. I've thought about custom compiling the su binary for my tablet, buuuuuuuuut I don't know how. At all. Right now it's just sitting here, on my laptop, leeching power. Currently, I'm running Linux Mint 17 with KDE here, no dual boot, and the laptop can't recognize the Device under the USB storage form, but it can under Media device (MTP) form. I read on another forum here that if I changed ro.debuggable=0 to ro.debuggable=1 in the /default.prop file, then I'd be able to run adb as root. Well, that's failed to crap, since that file and my /system folder are "basically" locked into read-only mode.
I've had a long day trying to get this crazy website to work after completing part of a formal lab for school.
What I have in front of me is a brick that can play videogames (updated in another thread).
Help before I explode.
Close This Please
I would appreciate if a moderator or administrator would close this thread due to a lack of responses/support.