Hot off the presses. Get it here.
That file is the crappy "patch" version that tries to patch you from RC29 to RC30.
Here is the full update, which should be much more reliable
Obviously, don't install it unless you want to lose root access
Update for those who are interested: I went ahead and bought myself a new G1. One of the stores in the area had a couple. It still had RC28 (not RC29) on it, so I'm back in business. I'll just unlock my RC30 one and sell it on ebay.
OMG how stupid can they be... look what I see in the update script
# delete unneeded files
delete SYSTEM:system/bin/telnetd
Can we patch this like today cause I kinda think there is more to this than just doing that.
neoobs said:
OMG how stupid can they be... look what I see in the update script
Can we patch this like today cause I kinda think there is more to this than just doing that.
There is. They added a kernel option "console=null", which I suspect basically makes it so that the physical keyboard no longer sends input to the console device. Note that there is still a root shell running on the console though.. it's just that now there isn't any way to send keypresses to that root shell.
Plus there are a ton of patches to the android apps and framework jars and such. Not sure what all changed there.
I'm in the process of modifying the patch, to apply to my phone without losing root access. More to come
What does the "applypatch" piece do?
That part looks different.
Interesting that it's only a 4 meg update, and that it only contains a new recovery.img and a new boot.img - I wonder what is different in those images. I hope they are keeping the recovery stuff in the open source branch updated - because, well, that's the nice thing for them to do
Jesus Freke - when you get your patched-up version ready, please post it somewhere for us lazy bastards who want to ride your coat-tails
I just noticed something. This update doesn't wipe the system partition. If you had created a setuid copy of the shell ("su", or whatever), I don't think it will get deleted if you applied the update as-is.
But didn't you say it removes the use of the keyboard in the shell? If so, we would still be up the creek. You know what, I noticed this update came really fast; I never got an OTA until this (fishy), I had to force the OTA. Well, hope you work your magic JesusFreke.
Arg! dangit. I accidentally applied RC30 and lost my root access. I copied the wrong update file to my sdcard... grrrr!
So I'm out of the game. Sorry.
Oh, btw - I was wrong about the update keeping the setuid shell around. It completely wipes the permissions of the system folder, so if you did have a setuid copy of the shell, it will be set back to normal non-setuid status by the update. duh.
Sh**!! You were the shining hope. One question: can you still get root through the adb shell? Cuz if so you can save your a**
Nope. Like I said, I'm out of the game. Unless someone wants to trade me for a RC19/RC29 phone. Or until another root exploit is found. *sigh*
DOH! That sucks! Sorry to hear that, and thanks for taking one for the team.
So if an update does try to install do we just need to turn off the phone until a solution is found? I may need to go back to my Dash for a while until this all gets figured out!
The update that you meant to put on the card - was it a test? If the worst that will happen is the update will take, maybe someone that doesn't mind the update could test it for you?
JesusFreke said:
Arg! dangit. I accidentally applied RC30 and lost my root access. I copied the wrong update file to my sdcard... grrrr!
So I'm out of the game. Sorry.
I'm sorry about that!
Also, I'm confused. Hadn't you updated the keys in your bootloader to prevent an update? Or does that simply prevent the phone from downloading an update?
Can't we flash back that old RC29 file again????
The update zip contains the boot.img and the recovery.img. So when the update starts it rewrites JesusFreke's modded recovery.img.
spoofing
Could we spoof the version # on our device? Thus ending the nag and the ability to force the upgrade, for the time being?
bhang
RegGuheert said:
I'm sorry about that!
Also, I'm confused. Hadn't you updated the keys in your bootloader to prevent an update? Or does that simply prevent the phone from downloading an update?
Yes. But I had accidentally re-signed the full update with the new key and updated my phone with it. I was in the process of modifying the update, and had grabbed the wrong file to sign and update.
JesusFreke said:
Yes. But I had accidentally re-signed the full update with the new key and updated my phone with it. I was in the process of modifying the update, and had grabbed the wrong file to sign and update.
Ahh! That's a pain in the arse... the usb mass storage process is running as root, any chance of a buffer exploit there?
JesusFreke said:
Yes. But I had accidentally re-signed the full update with the new key and updated my phone with it. I was in the process of modifying the update, and had grabbed the wrong file to sign and update.
koush said:
mount -oremount,rw /dev/block/mtdblock3 /system
You can't remount that directory unless you have root.
Use the dd command to copy stuff around (the cp command is not available). I should mention I'm a Windows guy, and am pretty clueless with Linux: my coworker figured the rest of this out once I got to a root prompt.
Incidentally, in the /system/bin directory there is a flash_image executable that changes the recovery.img used when you hard reset the device. I've noticed that I can run this without root access from a standard adb shell. Maybe we never needed to root the device after all... I think we can flash it without root access... I'm too scared to mess with that at all though.
I found this, you may want to look into it.
syrusfrost said:
I found this, you may want to look into it.
Thanks. But you have to have root access for the flash_image command to work. Or more precisely, you have to have write access to the /dev/mtd/mtd# device that you are trying to flash.
I am also the same unlucky guy who pressed the Update button and now we are on RC30.
Now what are the chances of our device getting root access or the ability to flash Test_Signed code on RC30?
Well, I removed ( # delete unneeded files delete SYSTEM:system/bin/telnetd ) and replaced the boot.img and recovery.img with JesusFreke's. Anything else I should edit before I try to re-sign and update?
Before you just delete this post I want to say what I EXACTLY want to know:
What is needed for the ROM to sign me in as root? I don't want to know how to flash one of these ROMs like Cyanogen or something, but I want to know what I have to change in my ROM so that it logs in as ROOT!
So if there is a post already, just tell me WHERE. Because when I search for "how to root" or something like that I get those flashing guides.
I hope you can help me.
Best regards,
b!rust
http://forum.xda-developers.com/showthread.php?t=581819
Hi, you said you flashed your phone with the ION rom, correct? Well, download the SDK and follow the instructions in dferreira's first post detailing how to obtain root
Yeah! That's right. But I wanted to know, how I can do that in general.
And I'm a bit confused, because after I did it the way it was described in the thread you mentioned and I type
Code:
su
id
in the console (Terminalemulator.apk and also via adb) it doesn't say I'm root.
//edit: in Terminal Emulator it says I am user "app_38" in the group "app_38". In the adb shell it says that I'm user "shell" in group "shell"...
What does it say in the terminal? Because as far as I know, root uid is 0, and mine isn't listed as such. I'm not 100% sure, because I'm also new to this, but I think that regardless of whether it shows or not you are indeed root.
For example, to test root on my phone I took a few screenshots of my phone using the app "drocap2" which requires root. I also was able to flash a new bootscreen image etc
Yeah, that's right, uid 0 is root, and that's what confused me. But when you say that you can run apps that require root... I will test it in a sec.
How did it go?
Edit: I think actually you need to enable local root for using a terminal and such (instead of going through the recovery/adb shell).
http://android-dls.com/wiki/index.php?title=Magic_Root_Access
But don't quote me, just picking it up as I go
I am trying to root a Motorola i886. It's a really weird Nextel iDEN PTT phone that is running (I believe) Android 2.0 or 2.1 but has no touchscreen...
Basically I have been able to get a root shell (#) from 'adb shell' by pushing some program called psneuter to the phone and running it. Once I had this I could install apps via adb ok, but it seems like whenever I try to run any apps that require root they error saying they do not have root access.
As far as I can tell pretty much every rooting guide for every other phone has you putting 'su' and sometimes 'busybox' into /system/bin and 'Superuser.apk' into /system/app. I did both of these but still got the same errors about apps not having root. I tried a few different versions of these files I found from different sites to no avail. Running su on a terminal emulator on the phone itself would get the error "operation not allowed" or something like that. Then I found some other guide where you just copy 'sh' to 'su' and chmod su to 4755. When I did that I could get to a # prompt on the phone's terminal emulator app by typing 'su' but still got root errors for apps that need root.
I thought maybe someone here would know something that I missed. As far as I can tell, I have applied the correct permissions to all these files, or have at least tried every combination I can think of to no avail (shouldn't chmod 777 just make everything work?)
Also, does the phone usually come with a stock version of busybox on it? Do you need a specific version of these files for your device or version of android?
When an app on the phone tries to get root access is it just basically trying to run 'su' internally or something like that?
Also forgot to mention I have tried all the one-click-root apps and they do not work for this stupid phone. (well the super one click one was how I figured out how to get the adb shell root but the regular root button doesn't work...)
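Added example, not code from any of the posts: a POSIX sh audit that ties together JesusFreke's earlier point that the RC30 update resets every permission under /system (so a setuid copy of the shell stops being setuid) and the "copy sh to su, chmod 4755" step described just above. It flags setuid files that are byte-for-byte copies of the shell and snapshots mode strings so a permission reset can be verified; the bin directory, file names and the strip_setuid stand-in for the update are constructed assumptions, not a real device layout.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a bin directory for setuid
# executables and flags those that are byte-for-byte copies of the shell, the
# trace left behind by "copy sh to su, then chmod 4755". It also records mode
# strings so that an update which resets /system permissions (as RC30 did)
# can be verified afterwards. The directory layout below is a constructed
# fixture; on a device you would pass /system/bin and /system/bin/sh instead.

# Print one line per setuid file in $1, marking copies of the reference shell $2.
audit_setuid_shells() {
    bin=$1
    ref_sum=$(cksum < "$2" | cut -d' ' -f1)
    for f in "$bin"/*; do
        [ -f "$f" ] && [ -u "$f" ] || continue
        sum=$(cksum < "$f" | cut -d' ' -f1)
        if [ "$sum" = "$ref_sum" ]; then
            echo "setuid shell copy: $f"
        else
            echo "setuid (other): $f"
        fi
    done
}

# Print "mode name" for every entry in $1. The ls -l mode string is portable
# across GNU and BSD userlands, which stat's format flags are not.
snapshot_modes() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "${f##*/}"
    done
}

# Stand-in for what the RC30 update does to /system: clear the setuid bit on
# every regular file in $1.
strip_setuid() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        chmod u-s "$f"
    done
}

# Constructed fixture: a shell, a setuid copy of it named su, an unrelated
# setuid tool, and a normal non-setuid tool. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho fake shell\n' > "$d/sh"
    printf '#!/bin/sh\necho fake ping\n' > "$d/ping"
    printf '#!/bin/sh\necho fake ls\n' > "$d/ls"
    cp "$d/sh" "$d/su"
    chmod 0755 "$d/sh" "$d/ls"
    chmod 4755 "$d/su" "$d/ping"
    echo "$d"
}

# Walk-through on the fixture: run with --demo to see the before/after diff.
if [ "${1:-}" = "--demo" ]; then
    BIN=$(make_fixture)
    echo "== setuid audit before the update =="
    audit_setuid_shells "$BIN" "$BIN/sh"
    snapshot_modes "$BIN" > "$BIN.before"
    strip_setuid "$BIN"
    snapshot_modes "$BIN" > "$BIN.after"
    echo "== mode changes after the update =="
    diff "$BIN.before" "$BIN.after" || true
    rm -rf "$BIN" "$BIN.before" "$BIN.after"
fi
```

On the fixture the audit lists su as a shell copy and ping as an unrelated setuid binary; after strip_setuid the diff shows only the s-to-x change in the mode column, which is exactly what a full-permission reset by an update looks like.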
I can't help with your specific questions, but there is some info about rooting the i1, another iDEN with Android. Although it looks like the i1 is actually Android, and not the Motorola-altered, not-really-Android, proprietary software that the i886 has.
http://www.howardforums.com/showthread.php/1662431-Motorola-i1-Rooted
http://forum.cyanogenmod.com/topic/5520-ive-rooted-my-i1/
garbb said:
I am trying to root a Motorola i886. It's a really weird Nextel iDEN PTT phone that is running (I believe) Android 2.0 or 2.1 but has no touchscreen...
Basically I have been able to get a root shell (#) from 'adb shell' by pushing some program called psneuter to the phone and running it. Once I had this I could install apps via adb ok, but it seems like whenever I try to run any apps that require root they error saying they do not have root access.
As far as I can tell pretty much every rooting guide for every other phone has you putting 'su' and sometimes 'busybox' into /system/bin and 'Superuser.apk' into /system/app. I did both of these but still got the same errors about apps not having root. I tried a few different versions of these files I found from different sites to no avail. Running su on a terminal emulator on the phone itself would get the error "operation not allowed" or something like that. Then I found some other guide where you just copy 'sh' to 'su' and chmod su to 4755. When I did that I could get to a # prompt on the phone's terminal emulator app by typing 'su' but still got root errors for apps that need root.
I thought maybe someone here would know something that I missed. As far as I can tell, I have applied the correct permissions to all these files, or have at least tried every combination I can think of to no avail (shouldn't chmod 777 just make everything work?)
Also, does the phone usually come with a stock version of busybox on it? Do you need a specific version of these files for your device or version of android?
When an app on the phone tries to get root access is it just basically trying to run 'su' internally or something like that?
Also forgot to mention I have tried all the one-click-root apps and they do not work for this stupid phone. (well the super one click one was how I figured out how to get the adb shell root but the regular root button doesn't work...)
PM me, I rooted successfully, and installed many applications with the Android SDK suite.
Regards.
geminis said:
PM me, I rooted successfully, and installed many applications with the Android SDK suite.
Regards.
Wow, I can't believe someone found this thread and replied after so long. Thanks, but in the meantime I actually figured out how to root it fully and get root apps to work. I think I just tried different su's and Superuser.apk's that I found on the internet until one worked...
Now, if you have figured out how to change the nextel push-to-talk chirp/beep sounds then let me know how you did that. I actually found the .wav files for the PTT sounds in some .apk in /system (phone.apk I think?) but for some reason changing them had no effect on the sound the phone makes when using the push-to-talk feature...
It's been 10 years but do you still have the firmware for this device? I need to flash it, it doesn't finish booting up.
I don't have a full ROM .zip file for this phone, only some update .zips. But the first link result for a google search for "motorola admiral stock rom" worked for me for downloading a file.
Wrong phone, sorry.
Sorry but I don't understand. Isn't the Motorola Admiral a different device? Does that zip work for the i886? If so, how do I flash it, because the i886 doesn't have a recovery mode.
Oh, oops, sorry, I was confusing this phone with another one. I looked and I don't have any firmware files for this, sorry.
OK, thanks for replying
Hello xda, I have a bit of a problem:
I have a Samsung Exhibit which I rooted using the zergRush method found here on the forums. At first everything worked fine. But recently I was trying to push a modified system app to my phone using adb and it told me the action wasn't permitted. Checking the shell and terminal emulator on my phone to see if I had superuser permissions failed. So I went about trying to root my phone again, which according to the zergRush script was successful, but checking the shell once again showed that I still did not have superuser permissions. I did a factory wipe of my phone in hopes of trying to get it to root again, with no success. But here's the weird part: although it doesn't appear I have root access, all my apps that require root access (Titanium Backup, my screenshot app, and some of WidgetLocker's features) still fully function...
Does anyone have any idea what's going on here? I would love my system folder access back
Thanks in advance.
Dumb question, but your H-Boot shows S-Off? Just covering the bases... Also, do you have Super User installed and functional?
To be honest... I don't know what H-Boot or S-Off means. Pretty new to all of this. Mind giving me a walkthrough? I have superuser installed yes. It's granting programs superuser permissions. But I can't access su in terminal emulator or in the shell.
Well, I'm not the top tier technical person here, so I'm not exactly sure how to get your problem resolved, since I've not heard of that. On the other hand, there might be a different way to accomplish what you are trying to do.
What are you trying to achieve, pushing a modified system app to do what and where? My suggestion, might be to just put it on your phone through USB to the root folder and then move it in ES File manager, or w/e you use. If all you are doing is pushing.
Obviously ADB shell detects your device, but I'm not sure why it is saying it doesn't have SU access. My other suggestion is to redo the ADB/Android SDK installs. I had a problem where I installed them wrong, by installing too much and ADB did not work properly. So, there might be a chance your phone is fine, but the ADB/SDK are not proper, somehow.
Let me know.
If that were the case, and my phone was fine, wouldn't I be able to access super user through terminal emulator on my phone? Right now when typing su in terminal emulator, the pop up to grant superuser permissions appears but when you allow it to have su permission the # doesn't turn to a $ like it should. The more I think about it the more I think it's a problem with superuser. I've seen people talking about an update to superuser that can break your root? Mehhhh.
Seems like others have had this problem too... Not sure if a nandroid recovery will fix this, otherwise you might have to try to unroot, and then reroot.
Sorry, just might have to do a little more digging than I was able to. Good luck
Hello All! I am me2151.
I am here to tell you some kind of good news.
We have achieved a temporary root shell using a modified recowvery script. Originally Recowvery installed a custom "recovery" but I have modified it to instead create a temporary root shell using the System_Server SELinux context and disable the flashing portion of the script. Yes we are still limited until we can get Kernel or Init context but I am working on that as well.
This exploit will be useful down the line because of one major thing. WE CAN INSERT KERNEL MODULES!!! But they need to be signed. So I am releasing this out here so we can take the next step into our full root! We also have rw to the /data partition and changes save over a reboot.
If we can get someone to sign a kernel module that the system accepts we can set SELinux to permissive.
This exploit SHOULD work for all variants.
NOTE: This should only be used by devs who know what they are doing.
Instructions(this should work on MacOS and Linux only!):
Download linked file below.
Extract to either adb directory OR a directory you have adb access in.
Give execute permissions to temp.sh.
Run temp.sh.
When you are all done with your exploring and stuff type "Reboot" to reboot normally.
https://drive.google.com/open?id=0B8CP3g3AqMuHcmNJUUJWLUJUelE
Credit:
@jcadduono - For recowvery, and pointing me in the right direction on IRC.
@brenns10 - Wrote the lsh used in the exploit to spawn the shell.
The group over here for ideas and solutions.
Very cool work! Glad to see people putting my shell (such as it is) to good use. Wish I had a V20 to try it out
I don't think you'll ever be able to sign a kernel module (SHA512 hash). You'd probably have better luck signing your own boot image.
Here's a theory to toy with:
I think the way to do it would be to gain read access to /init binary allowing you to dirtycow /init with the same init binary but change a very specific (but not vital to system integrity) set of instructions to point back to the setenforce code with a value of 0 without disturbing the rest of the binary/instructions. This way, init should continue running without crashing and taking down the whole system, and you can do something that might trigger that specific instruction set - which would then result in selinux becoming permissive.
This is beyond me, unfortunately. This method would also be very device specific until someone also finds an intelligent way to read init, modify instructions, then dirtycow it back.
I think system server context might be able to read init?
Once you get your permissive selinux, you'll also have to deal with Unix capabilities limitations (find a way around them).
jcadduono said:
I don't think you'll ever be able to sign a kernel module (SHA512 hash). You'd probably have better luck signing your own boot image.
Here's a theory to toy with:
I think the way to do it would be to gain read access to /init binary allowing you to dirtycow /init with the same init binary but change a very specific (but not vital to system integrity) set of instructions to point back to the setenforce code with a value of 0 without disturbing the rest of the binary/instructions. This way, init should continue running without crashing and taking down the whole system, and you can do something that might trigger that specific instruction set - which would then result in selinux becoming permissive.
This is beyond me, unfortunately. This method would also be very device specific until someone also finds an intelligent way to read init, modify instructions, then dirtycow it back.
I think system server context might be able to read init?
Once you get your permissive selinux, you'll also have to deal with Unix capabilities limitations (find a way around them).
If system_server can read init then that's a serious flaw.... Question for you: you said it would be very device specific. Does that mean it's unique for each individual phone or each model?
EDIT: Unfortunately we only have access to the init.rc, not the binary itself.
@jcadduono I appreciate your input and direction in this matter. Another idea we have been toying with is:
We have the aboot, boot, recovery and system dump. From the tmob variant, would it be possible to make a .tot from that for our devices, changing the props to match our device, build, and carrier info? We can also pull apks from /system/apps and /privapps to our ext sdcard.
@me2151, @jcadduono, @brenns10: Great work guys, keep it up. Good to see some people are trying for root. What model/s are being tested, or should this theoretically work on all models? Whilst you probably aren't doing it for the cash, there is a bounty I hope someone can claim soon, for a functional root alone (not boot unlock) posted on this board.
RoOSTA
roosta said:
@me2151, @jcadduono, @brenns10: Great work guys, keep it up. Good to see some people are trying for root. What model/s are being tested, or should this theoretically work on all models? Whilst you probably aren't doing it for the cash, there is a bounty I hope someone can claim soon, for a functional root alone (not boot unlock) posted on this board.
RoOSTA
It should work on all models. I personally use a Sprint model (LS997). I think it MAY have been tested on VZW as well.
I can confirm that it works on H990DS.
Sent from my MI PAD using XDA-Developers mobile app
We know from earlier LG phone releases that the laf partition when bypassed in some way (corrupted, etc) aboot will boot to fastboot when going into download mode. It was my thought that the bootloader could be unlocked from there. However corrupting laf eliminates device recovery. Catch-22.
I think the best way to proceed is to get a working .TOT first which is just a waiting game. That would ensure device recovery and replacing the bootloader in the .TOT and signing it with something unlockable.
This is a great way to explore the locked phones in the meantime, thanks.
ATT Pretty Please
me2151 said:
Hello All! I am me2151.
I am here to tell you some kind of good news.
We have achieved a temporary root shell using a modified recowvery script. Originally Recowvery installed a custom "recovery" but I have modified it to instead create a temporary root shell using the System_Server SELinux context and disable the flashing portion of the script. Yes we are still limited until we can get Kernel or Init context but I am working on that as well.
This exploit will be useful down the line because of one major thing. WE CAN INSERT KERNEL MODULES!!! But they need to be signed. So I am releasing this out here so we can take the next step into our full root! We also have rw to the /data partition and changes save over a reboot.
If we can get someone to sign a kernel module that the system accepts we can set SELinux to permissive.
This exploit SHOULD work for all variants.
NOTE: This should only be used by devs who know what they are doing.
Instructions(this should work on MacOS and Linux only!):
Download linked file below.
Extract to either adb directory OR a directory you have adb access in.
Give execute permissions to temp.sh.
Run temp.sh.
When you are all done with your exploring and stuff type "Reboot" to reboot normally.
https://drive.google.com/open?id=0B8CP3g3AqMuHcmNJUUJWLUJUelE
Credit:
@jcadduono - For recowvery, and pointing me in the right direction on IRC.
@brenns10 - Wrote the lsh used in the exploit to spawn the shell.
The group over here for ideas and solutions.
At the moment all I am using root for is to add a line within my build.prop to disable Tethering checks, so I can tether at full 4G speed and not get throttled. Would this be possible using the method above, or would build.prop immediately get replaced at the reboot?
Thanks, and keep up the good work!
NRadonich said:
At the moment all I am using root for is to add a line within my build.prop to disable Tethering checks, so I can tether at full 4G speed and not get throttled. Would this be possible using the method above, or would build.prop immediately get replaced at the reboot?
Thanks, and keep up the good work!
No. It is a TCP root shell that can only do a few things such as kernel modules.. the only section we were able to write to and have it stick was the /data partition, which won't help you in this scenario.
elliwigy said:
No. It is a TCP root shell that can only do a few things such as kernel modules.. the only section we were able to write to and have it stick was the /data partition, which won't help you in this scenario.
So if we can write to data partition then in theory can we adb push to it using this? I ask because I'd like to install some tbo apps that normally would require flashing. But if we could push them we would be solid
markbencze said:
So if we can write to data partition then in theory can we adb push to it using this? I ask because I'd like to install some tbo apps that normally would require flashing. But if we could push them we would be solid
Unfortunately it's a TCP shell, not a pure adb shell, so we cannot push or pull to those directories.
Wow great progress keep up the good work. You guys are helping those assholes from LG sell more phones. Obviously some people have not made the switch because the lack of root. Root users are very influential leaders to get others to try out a new device.
Sent from my LG-LS997 using XDA-Developers mobile app
Works on the LG G5 also...
Hey guys, with the expectation of many that 'root is coming' to the other v20 models...are we likely to see the same type of root format that applied to the LG G4, where you have to (either) download or rip your own image to a PC. Use commands to insert root, then reflash to the device?
Any root is better than nothing, I know...but I ask because with the amount of software updates for the G4 (v10c software through to v10k before MM came out), meant the sheer amount of times you'd have to go through this process to keep your phone up to date whilst maintaining root was extremely frustrating - as it also meant xposed and related settings/apps needed to be reinstalled each time you performed an OTA update and re-flashed root.
Is this going to be a side effect of dealing with a locked bootloader? PS: If I sound dumb, it's probably because I am.
RoOSTA
roosta said:
Hey guys, with the expectation of many that 'root is coming' to the other v20 models...are we likely to see the same type of root format that applied to the LG G4, where you have to (either) download or rip your own image to a PC. Use commands to insert root, then reflash to the device?
Any root is better than nothing, I know...but I ask because with the amount of software updates for the G4 (v10c software through to v10k before MM came out), meant the sheer amount of times you'd have to go through this process to keep your phone up to date whilst maintaining root was extremely frustrating - as it also meant xposed and related settings/apps needed to be reinstalled each time you performed an OTA update and re-flashed root.
Is this going to be a side effect of dealing with a locked bootloader? PS: If I sound dumb, it's probably because I am.
RoOSTA
It shouldn't be an expectation as we've made it clear we do not have root and are hitting hurdles.. we have been advised we need to attack selinux and/or the bl, but at this point we're wanting to try to use debug firmware which hopefully would allow a bl unlock..
Unfortunately nobody can create a .tot with the debug firmware at all and there's no way at all to flash the images..
We need to somehow leverage an exploit to gain a temp adb root shell before we could even attempt anything, and this has not been done in a way that's useful to us..
Unfortunately we need more experienced devs at this point.
LG Australia (and as such, Taiwan) have effectively confirmed their H990DS V20 mobile phone's bootloader is unlockable. However (and for no apparent reason) they will not confirm why one region has released a variant of the phone with the bootloader unlock and why they are refusing this to other phones/regions. Because of course, they have zero training and information about anything related to their company except for goods released in a specific region. That comes from a 'product expert'.
Titanium Backup
Howdy,
Just reading through the thread, I understand that it's not quite a "full" root, but would it be enough to run Titanium Backup? I'm hoping to move away from root access with my V20 but it would be really helpful if I could do it temporarily, restore some application and data backups, reboot and uninstall Titanium.
Tim