I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.
Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!
A summary:
To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.
Some experiments
I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.
I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278 device
OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit
The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit
Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
./adb remount
remount succeeded
./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
[COLOR="Red"]/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0[/COLOR]
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[I][...many lines snipped out...][/I]
# exit
So, /system is now r/w. Let's push "su".
Code:
./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
./adb shell "chown root.shell /system/bin/su"
./adb shell "chmod 06755 /system/bin/su"
./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
./adb shell "ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
[COLOR="Red"]-rw-rw-rw- root root 22228 2011-11-10 12:53 su[/COLOR]
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root shell 22228 2011-11-10 12:53 su
As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
[COLOR="Red"]lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su[/COLOR]
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# exit
There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root root 7221765 2011-08-02 01:08 Settings.apk
[I][...many lines snipped out...][/I]
-rw-r--r-- root root 296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root root 785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root root 551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root root 255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
[COLOR="Red"]-rw-r--r-- root root 785801 2011-11-10 12:54 Superuser.apk
[/COLOR]# exit
So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot
A short while afterwards...
Code:
$ ./adb shell
$ su
[B][COLOR="Red"]su: permission denied[/COLOR][/B]
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".
Doing this with scripts
I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.
The first script, htc1.sh, is:
Code:
#!/bin/sh
./adb shell "rm /data/local/tmp/*"
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
./adb shell "./data/local/tmp/zergRush"
The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is:
Code:
#!/bin/sh
./adb remount
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"
If you run ./htc1.sh and then ./htc2.sh results will be the same; the added commands will be gone, and you won't be able to "su" no more.
The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.
G2 Temp Root
Hi, I got a tmo g2 2.3.4
i used the superhtctoolv2 on win7, and htcdrivers linked in the original thread.
i performed the option 1 and 2, and was able to gain temp root, but just like every1 else it goes away with a reboot, or even after prolong period of inactivity, it works as long as i keep messing with Titanium backup or other root apps.
Any way to combine this temp root with older options to gain a perm root?
Cool man! Thanks!
HTC security measure?
Looking around, I found this page about a security method by HTC... to quote:
The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTCs security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.
Click to expand...
Click to collapse
This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...
Cannot get S-OFF
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
fkereki said:
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
Click to expand...
Click to collapse
well that sucks!
Related
I recently watched a video on YouTube on how to root the HTC Amaze. I followed the directions and unlocked the bootloader successfully but when I ran the ZergRushTempRoot.bat to root it, I got the following:
C:\Zerg rush root>adb wait-for-device
C:\Zerg rush root>adb push zergRush /data/local/
1328 KB/s (21215 bytes in 0.015s)
C:\Zerg rush root>adb shell chmod 777 /data/local/zergRush
C:\Zerg rush root>adb shell rm /data/local/tmp/*sh
C:\Zerg rush root>adb shell /data/local/zergRush
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00017118
[*] Scooting ...
[*] Sending 149 zerglings ...
[*] Sending 189 zerglings ...
[-] Hellions with BLUE flames !
C:\Zerg rush root>adb wait-for-device
C:\Zerg rush root>adb shell sleep 1
C:\Zerg rush root>adb remount
remount failed: Operation not permitted
C:\Zerg rush root>adb shell mount -o rw,remount rootfs /
mount: Operation not permitted
C:\Zerg rush root>adb shell mount -o remount,suid /dev/block/mmcblk0p29 /system
mount: Operation not permitted
C:\Zerg rush root>adb shell chmod 4755 /system/bin/sh
Unable to chmod /system/bin/sh: Read-only file system
C:\Zerg rush root>adb push ./su /system/bin
failed to copy './su' to '/system/bin/su': Read-only file system
C:\Zerg rush root>adb push ./su /system/bin
failed to copy './su' to '/system/bin/su': Read-only file system
C:\Zerg rush root>adb push ./busybox /system/bin
failed to copy './busybox' to '/system/bin/busybox': Read-only file system
C:\Zerg rush root>adb shell chmod 4755 /system/bin
Unable to chmod /system/bin: Read-only file system
C:\Zerg rush root>adb shell chmod 4755 /system/bin/su
Unable to chmod /system/bin/su: No such file or directory
C:\Zerg rush root>adb shell chmod 4755 /system/bin/su
Unable to chmod /system/bin/su: No such file or directory
C:\Zerg rush root>adb push ./Superuser.apk /system/app
failed to copy './Superuser.apk' to '/system/app/Superuser.apk': Read-only file
system
C:\Zerg rush root>adb install ./androidterm.apk
2904 KB/s (92780 bytes in 0.031s)
pkg: /data/local/tmp/androidterm.apk
Failure [INSTALL_FAILED_ALREADY_EXISTS]
C:\Zerg rush root>adb wait-for-device
C:\Zerg rush root>adb shell sync
C:\Zerg rush root>pause
Press any key to continue . . .
If anyone can help me get this phone rooted, I would appreciate it.
Thanks,
George
[email protected]
root htc amaze 4g
i am in canada. useing mobilicity on this phone. i am also facing same problem. i am also waiting for root. after i readable my indian language. thanks
anybody plz help me.
Hello,
Thank you for this post. I also have the exact same issue.
Similar to kapil1878, I am also on Mobilicity in Canada.
Same issue here! Amaze t-mobile.
rooting
having the same problem about rooting. t-mobile usa
remount fails
So, one thing at a time.
First off remount fails. Why? Lets look at the script. I've numbered the lines for reference:
1 :cd %:h
2 adb wait-for-device
3 adb push zergRush /data/local/
4 adb shell chmod 777 /data/local/zergRush
5 adb shell /data/local/zergRush
6 adb wait-for-device
7 adb shell sleep 1
8 adb remount
9 adb shell mount -r -w -o remount rootfs /
10 adb shell mount -o remount,suid /dev/block/mmcblk0p29 /system
11 adb shell chmod 4755 /system/bin/sh
12 adb push ./su /system/bin
13 adb push ./su /system/bin
14 adb push ./busybox /system/bin
15 adb shell chmod 4755 /system/bin
16 adb shell chmod 4755 /system/bin/su
17 adb shell chmod 4755 /system/bin/su
18 adb push ./Superuser.apk /system/app
19 adb install ./androidterm.apk
20 adb wait-for-device
21 adb shell sync
22 pause
Line 8 is what fails first, probably causing a chain reaction of failures. This is because there's a critical spot on the device we need to write to that we can't write to for some reason.
I executed:
adb devices
The above command provides the serial numbers of all connected Android devices. I needed this for the next command which was:
adb -s [put serial number here] shell
This gave me access to the command line on the device. Then I executed:
mount
The above command tells you what file systems are active and usable, i.e. file systems that are mounted and ready for action. I think "file system" in this case may be synonymous with partition.
Now... looking up the remount command in the reference material shows that it is supposed to (and this is cut from the manual) :
adb remount - remounts the /system partition on the device read-write
However the result from our mount command a minute ago shows this for the /system mount. Note that there's a bunch of crap I've cut out but we are only interested in /system for now, anyway:
rootfs / rootfs ro,relatime 0 0
.
.
.
/dev/block/mmcblk0p29 /system ext4 ro,relatime,barrier=1,data=ordered 0 0
.
.
.
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
So... guessing based on my previous Unix experience, ro probably means that this partition is mounted read only. That means we have to find a way to remount it "rw". Problem is that I can't figure out what the command is. We already know remount doesn't work.
Here are some of my attempts:
$ mount -t ext4 -o rw,relatime,barrier=1,data=ordered /dev/block/mmcblk0p29 /system
mount -t ext4 -o rw,relatime,barrier=1,data=ordered /dev/block/mmcblk0p29 /system
mount: Operation not permitted
$ mount -t ext4 -o remount,rw,relatime,barrier=1,data=ordered /dev/block/mmcblk0p29 /system
mount -t ext4 -o remount,rw,relatime,barrier=1,data=ordered /dev/block/mmcblk0p29 /system
mount: Operation not permitted
Now, then. We don't have permissions require to execute remount and for mount we get the above. The only thing I can think of at this point is that I need to elevate the permissions of the user I am logged in as. Anybody know how to do that on Android? How do I know who I am logged in as? Is there more than one user even?
everyone should check out the thread below, Binary100100 does an excellent job in explaining how to root...
http://forum.xda-developers.com/showthread.php?t=1426179?referrerid=922386
Greetings,
I have received my shiny new Eluga Power and I am wondering if anybody else has this device and if anybody has rooted there's?
Sent from my P-07D using xda premium
Edit: moved to Q&A, lets see if you can get some help but do search for your device.
First welcome...
Next time post in the Q&A section for questions. To better serve you do a search for your device and look in the Dev section for your model device...also you will find a Q&A section there, Thank you.
Btw ensure you read the forum rules.
Sent from a closet, at Arkham Asylum using Forum Runner.
ianford10 said:
Greetings,
I have received my shiny new Eluga Power and I am wondering if anybody else has this device and if anybody has rooted there's?
Sent from my P-07D using xda premium
Click to expand...
Click to collapse
Where did you get it from?HOw much? How's it first impression?
mixmaster said:
Where did you get it from?HOw much? How's it first impression?
Click to expand...
Click to collapse
Had to import it from a Japanese eBay store with a cost of £560 with delivery. First impressions of the phone are very good, nice big clear screen, batter life is okay considering the screen size, calls are crisp and clear, feels good in the hand to hold. Will have more info as I use it over the next couple of weeks
Sent from my P-07D using xda premium
Rooting P-07D success...
I was able to root my Panasonic Eluga Power (P-07D) you can check the screenshot below. As of the moment I am re-writing the steps for others so they can easily follow the instructions as this was written in Japanese (Thanks to http://sithxi.blog49.fc2.com/blog-entry-51.html and goroh_kun. Hopefully this would help others root there device just like me. The only main problem for me now is SIM unlock the device.
Panasonic Eluga Power rooting instructions...
As promised here are the steps: (This seems to look like a temporary root, as you will loose it once the device rebooted) But still it's a good primary step. For the source code it can be downloaded from here. Panasonic Eluga Power Source Code
goroh_kun
2012/10/18
root privileges acquisition & tomoyo released experimental version in
the p-07d
things to do
Run:
1. >adb restore p-07d.ab
I press OK authentication
After the restore is finished
2. Open another command prompt and type the following:
>adb shell
$cd /data/data/com.android.settings/a/
$ls -l -d
drwxrwxrwx system system a
- check directory called A exists, it is world readable, writable as
show above
3. $ ls -l
⇒ file00 〜 file99 check if files exists
Delete all file from file00 ~ file99
run the command below
4. >adb shell
$cd /data/data/com.android.settings/
$rm -r a/*
change permissions to 777 /persist
This is the tricky part as you need to to do this using two command prompt, one running the adb restore p-07d.ab while the other on the shell command running ln -s /persist a/file99 command.
5. First run: >adb restore p-07d.ab while it is restoring on the other command prompt run in shell $ ln-s / persist a/file99
6. Now lets check the permission to folder /persist by typing on the command prompt that is already in shell.
$ ls -l -d /persist
drwxrwxrwx system system persist <--(you should see this)
Now move on your other command prompt window and run the following commands. (you can download the needed file at this link
Then run the command below to push the files needed for rooting:
>adb push init.cne.rc /data/local/tmp
>adb push p07dgetroot /data/local/tmp
>adb push xsh /data/local/tmp/
>adb push libQ.so /persist
>adb shell rm /persist/init.cne.rc
>adb shell ln -s /data/local/tmp/init.cne.rc /persist/init.cne.rc
>adb reboot
The next step is kinda hard to understand and I qoute: "/persist at Startup directory of the recovery process because it will not be restored and persist the only symbolic links should be a basic /data/local/tmp to keep the change."
After re-move environment variable is changed to check (LD_PRELOAD= /presist/libQ.so and be sure it is).
7. > adb shell
$echo $LD_PRELOAD
/persist/libQ.so <--(you should see this)
8. To Unlock Tomoyo, follow this steps:
> adb shell
$ cat /data/local/tmp/p07dgetroot > /tmp/xsh
$ ls -l /tmp/xsh
-rw-rw-rw- shell shell xsh <--(you should see this)
Make sure that wirelss LAN is ON before doing the command below:
9. WLAN ON / TURN OFF WLAN / TURN ON WLAN (wait to be connected before typing the below command or you will have to do it again)
$ ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$ /tmp/xsh
/tmp/xsh
/tmp/.mem fd=3
read ret = 256
write ret = 256
At this stage, Tomoyo is now unlocked
10.
$rm /tmp/xsh
$cat /data/local/tmp/xsh > /tmp/xsh
11. WLAN ON / TURN OFF WLAN / TURN ON WLAN (wait to be connected before typing the below command or you will have to do it again)
$ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
12. $/tmp/xsh
$(precmd)[email protected]$HOSTNAME:${PWD:-?} $ <--(you should see
this)
Here is a shell with root privileges, so stand up and be able to work a variety. You can also install the su
13. $(precmd)[email protected]$HOSTNAME:${PWD:-?} $
$ mount -o remount,rw /system /system
$ chmod 777 /system/app/
$ chmod 777 /system/bin/
$ chmod 777 /system/xbin/
Open another command prompt:
adb push Superuser.apk /system/app/
adb push su /system/bin/
adb push busybox /system/xbin/
Go back to ($(precmd)[email protected]$HOSTNAME:${PWD:-?} $) window:
chown root.root /system/bin/su
chmod 6755 /system/bin/su
chmod 644 /system/app/Superuser.apk
chown root.shell /system/xbin/busybox
chmod 755 /system/xbin/busybox
chmod 755 /system/app/
chmod 755 /system/bin/
chmod 755 /system/xbin/
Verify root access by installing "Root Checker".
Note: each time you reboot your device you will need to run Tomoyo Unlock script to regain root access (Step 8 - 12) which I re-wrote below:
8. Tomoyo Unlock
> adb shell
$ cat /data/local/tmp/p07dgetroot > /tmp/xsh
$ ls -l /tmp/xsh
-rw-rw-rw- shell shell xsh <--(you should see this)
WLAN ON / OFF / ON
$ ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$ /tmp/xsh
/tmp/xsh
/tmp/.mem fd=3
read ret = 256
write ret = 256
At this stage, tomoyo is released
$rm /tmp/xsh
$cat /data/local/tmp/xsh > /tmp/xsh
WLAN ON / OFF / ON
$ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$/tmp/xsh
$(precmd)[email protected]$HOSTNAME:${PWD:-?} $ <---(you should end up here to regain root access, if not redo it again)
Proof:
ask questions
hi,
If it unlocked the device of sim by docomo, when i root it, the condition of unlock sim whether will cancel????
---------- Post added at 12:10 AM ---------- Previous post was at 12:06 AM ----------
dear zyper95,
Can you make the picture to show the process of root??
thank a lot
Panasonic P-07D
Hello, Someone tell me how to reset to factory settings "Android system recovery -> wipe data / factory reset -> Yes-delete all user data -> Please input password". What is the password to be entered? Help please.
Panasonic Eluga Power P-07D hard reset plz:crying::crying::crying:
So I have been working on rooting for the Nabi XD. Specifically to grab a dd of mmcblk0p1 and p2 so I can extract kernel and ramdisk to build a TWRP.
The 2 options I have tried are 1) Bin4ry root many Android, 2) Build TWRP based off the different Nabi2 kernel to gain access to /system
Bin4ry exploit fails with mount: Permission denied, when attempting to remount rw with busybox. The device is 4.1.1 so they must have patched it or cherry picked a patch. The build was this year.
The TWRP will boot but with a blank screen. Comparing the config.gz for kernel builds explains the blank screen. ADB is however is up and running, but the internal storage is not seen as a block device. cat proc/partitions is blank.
The third thing of interest is that there is a bin in xbin called su2. su2 -v yields an output of 3.3.
Code:
[email protected]:/system/xbin $ su2 -v
su2 -v
3.3
[email protected]:/system/xbin $ su2 -help
su2 -help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
[email protected]:/system/xbin $ ls -l su2
-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2
How can I put this to use? Just running su2 over adb results in nothing, and through Term.apk as permission denied. I obviously need the associated Superuser.apk to grant access, but it seems hardcoded to look for su. I looked through the source to see if I could recompile to look for su2, but I don't know if it's as simple as that.
Any thoughts?
Strange they left the su binary there.
But first : show me a "ls -l su2", we need to see if it has correct permissions or if it is just there and cannot do anything
Second: just try "su2 -c /system/bin/sh", if you are lucky it starts a rootshell.
Regards
I thought it was weird too that is was left behind, and hopefully an easy way to even gain temp root. If I can just dd the boot partition it's smooth sailing.
[email protected]:/system/xbin $ ls -l su2
-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2
No setuid bit set? Should be -rwsr-sr-x?
I tried the second thing via adb. It just echos the command and prompt stays $. Using something like Term.apk yields permission denied. Tried different quotes for passing -c. Any symlinking tricks?
[email protected]:/system/xbin $ su2 -c /system/bin/sh
su2 -c /system/bin/sh
1|[email protected]:/system/xbin $ su2 -c '/system/bin/sh'
su2 -c '/system/bin/sh'
1|[email protected]:/system/xbin $ su2 -c "/system/bin/sh"
su2 -c "/system/bin/sh"
1|[email protected]:/system/xbin $
I have an old Samsung Galaxy S4. It's been off the network for a while and its system clock has drifted. However, adb works and I can use the old phone as a sandbox environment to learn about low level Android fundamentals. I would like to learn how to root the phone, ideally without using any apps - I prefer to learn how to compile my own local privilege escalation exploit and run it on my old phone.
adb shell getprop ro.build.version.release
5.0.1
adb shell getprop ro.build.version.sdk
21
dumpstate:
Build: LRX22C.I337UCSGOK3
Build fingerprint: 'samsung/jflteuc/jflteatt:5.0.1/LRX22C/I337UCSGOK3:user/release-keys'
Bootloader: I337UCSGOK3
Radio: mdm
Network: (unknown)
Kernel: Linux version 3.4.0-6185444 ([email protected]) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Wed Nov 30 21:31:59 KST 2016
Command line: console=null androidboot.hardware=qcom user_debug=23 msm_rtb.filter=0x3F ehci-hcd.park=3 [email protected] [email protected] sec_debug.reset_reason=0x1a2b3c00 androidboot.warranty_bit=0 lcd_attached=1 lcd_id=0x418047 androidboot.debug_level=0x4f4c sec_debug.enable=0 sec_debug.enable_user=0 androidboot.cp_debug_level=0x55FF sec_debug.enable_cp_debug=0 cordon=a569d279d878ac52077d6cfb9721d339 connie=SGH-I337_ATT_USA_76d68869445a30d9d8d06ffe689dd803 lpj=67678 loglevel=4 samsung.hardware=SGH-I337 androidboot.emmc_checksum=3 androidboot.warranty_bit=0 androidboot.bootloader=I337UCSGOK3 androidboot.nvdata_backup=0 androidboot.boot_recovery=0 androidboot.check_recovery_condition=0x0 level=0x574f4c44 vmalloc=450m sec_pvs=0 batt_id_value=0 diag=0 androidboot.csb_val=1 androidboot.emmc=true androidboot.serialno=95e836b4 androidboot.baseband=mdm
cat /proc/cpuinfo:
Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 13.53
processor : 1
BogoMIPS : 13.53
processor : 2
BogoMIPS : 13.53
processor : 3
BogoMIPS : 13.53
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x51
CPU architecture: 7
CPU variant : 0x1
CPU part : 0x06f
CPU revision : 0
Hardware : SAMSUNG JF
Revision : 000a
Serial : 000095e8000036b4
Android is a ported Linux, hence rooting Android means adding su ( read: switchuser ) functionality welllknown from Linux to device's Android. That's all.
Can get achieved with ADB having a suitable su at hands.
https://forum.xda-developers.com/attachments/su-binaries-zip.5566949/
Do you have source code for that su? I believe it would still require an exploit to escalate privileges, since normally su needs to run with root permissions, and I don't have a way of elevating to root without it.
What you believe ist totally wrong: su doesn't need root permissions to run a shell command, su is what in general is called root.
Code:
su -c "<SHELL-COMMAND-HERE>"
Become familiar with Linux shell commands.
I can already run shell commands using adb shell. However, I cannot run privileged commands because the adb shell process does not run with root privileges. Can you please elaborate further?
OMG.
Code:
adb shell
simply opens a remote Android terminal what doesn't require any elevated privileges per se.
To run shell commands what require elevated privileges ( e.g. mount ) is achieved as follows
Code:
adb shell "<PATH-OF-SU-BINARY-HERE> -c '<SHELL-COMMAND-HERE>'"
Example:
Code:
adb shell "/data/local/tmp/su -c 'mount -o rw,remount /data'"
The adb shell allows running unprivileged commands but there are numerous things which cannot be done without the root privilege, such as remounting filesystems, changing permissions, accessing directories which require elevated privileges, etc. This is what I am asking about. Am I misunderstanding you - are you trying to say that adb shell can be used by an unprivileged user to run privileged commands?
See my revised post above yours.
@jf80dEf
The Samsung Galaxy S4 variant you have is from AT&T (model number SGH-I337) and it's running the final software release (OK3).
For this model, you need to downgrade to a lower firmware (NB1) and achieve root access by exploiting the vulnerability formally known as CVE-2014-3153. More details can be found here.
Thank you @SkandaH for answering my question! I believe the method you suggest involves using Odin to wipe the phone to make it vulnerable to the towelroot exploit. Reading between the lines, am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
jf80dEf said:
... am I interpreting correctly that there is no known (at least to you) exploit that runs on the OK3 software?
Click to expand...
Click to collapse
Yes, that's correct.
just for fun, I tried that method on rooted device, it doesn't work for Android 5+
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
C:\Android>adb devices
List of devices attached
ca1296db7d29 device
C:\Android>adb push su /data/local/tmp
su: 1 file pushed. 0.7 MB/s (75344 bytes in 0.105s)
C:\Android>adb shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 84
drwxrwx--x 2 shell shell 4096 2022-12-27 15:22 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 75344 2022-12-27 15:22 su
cereus:/data/local/tmp $ ./su
"./su": error: Android 5.0 and later only support position-independent executables (-fPIE).
1|cereus:/data/local/tmp $ rm ./su
cereus:/data/local/tmp $ exit
C:\Android>
copied another su binary from stock rooted android tv box (no superuser app required, permissions granted automatically.
Code:
C:\Android>adb push su /data/local/tmp
adb: error: failed to get feature set: more than one device/emulator
C:\Android>adb -s ca1296db7d29 push su /data/local/tmp
su: 1 file pushed. 1.4 MB/s (100068 bytes in 0.070s)
C:\Android>adb shell
error: more than one device/emulator
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ cd /data/local/tmp
cereus:/data/local/tmp $ chmod 6775 ./su
cereus:/data/local/tmp $ ls -la
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ ./su
255|cereus:/data/local/tmp $ ./su --help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
--daemon start the su daemon agent
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-u display the multiuser mode and exit
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
cereus:/data/local/tmp $ ./su --version
16 com.thirdparty.superuser
cereus:/data/local/tmp $
still it doesn't work from /data/local/tmp as the uid is 2000 (shell) so tried from /data/local where uid is 0 (root)
but I had to use Magisk /sbin/su for this already
Code:
cereus:/data/local/tmp $ ls -la /data/local
ls: /data/local: Permission denied
1|cereus:/data/local/tmp $ ls -la /data/local/tmp
total 108
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 .
drwxr-x--x 4 root root 4096 2022-07-24 14:19 ..
-rwsrwsr-x 1 shell shell 100068 2022-12-27 15:38 su
cereus:/data/local/tmp $ cp ./su ..
cp: ../su: Permission denied
1|cereus:/data/local/tmp $ which su
/sbin/su
cereus:/data/local/tmp $ /sbin/su -c 'cp ./su ..'
cereus:/data/local/tmp $ cd ..
cereus:/data/local $ ls -la
ls: .: Permission denied
1|cereus:/data/local $ /sbin/su -c 'chmod 6775 ./su'
cereus:/data/local $ /sbin/su -c 'ls -la'
total 120
drwxr-x--x 4 root root 4096 2022-12-27 15:45 .
drwxrwx--x 48 system system 4096 2022-07-24 20:32 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:45 su
drwxrwx--x 2 shell shell 4096 2022-12-27 15:39 tmp
drwxrwxrwx 2 shell shell 4096 2022-07-24 14:19 traces
cereus:/data/local $ ./su
255|cereus:/data/local $
despites the SUID bit is set correctly still it doesn't work. so I removed the nosuid mount flag for /data partition and double checked selinux isn't the problem
Code:
255|cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /data'
cereus:/data/local $ grep ' /data ' /proc/mounts
/dev/block/dm-1 /data ext4 rw,seclabel,nodev,noatime,noauto_da_alloc,resuid=10010,resgid=1065,errors=panic,data=ordered 0 0
cereus:/data/local $ ./su
255|cereus:/data/local $ getenforce
Permissive
cereus:/data/local $
still no way to get the root shell with that su binary, maybe prevented to run from /data at all. decided to try from other partition but there was no way. although permissions 2000 (shell) should at least see the file, but that wasn't the case. Magisk mount namespaces are set to global, no idea why the file is invisible in /cache
Code:
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'busybox mount -o remount,rw,suid /cache'
cereus:/data/local $ grep ' /cache ' /proc/mounts
/dev/block/platform/bootdevice/by-name/cache /cache ext4 rw,seclabel,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
cereus:/data/local $ /sbin/su -c 'cp ./su /cache'
cereus:/data/local $ cd /cache
/system/bin/sh: cd: /cache: Permission denied
2|cereus:/data/local $ /sbin/su -c 'cd /cache'
cereus:/data/local $ /sbin/su -c 'mkdir /cache/tmp'
cereus:/data/local $ /sbin/su -c 'chown 0.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'chown 2000.2000 /cache/tmp'
cereus:/data/local $ cd /cache/tmp
/system/bin/sh: cd: /cache/tmp: Permission denied
2|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 16
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:54 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # cp /cache/su .
cereus:/cache/tmp # chmod 6775 ./su
cereus:/cache/tmp # exit
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su
cereus:/data/local # cd /cache/tmp
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 shell shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root root 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # chown -R 0.2000 .
cereus:/cache/tmp # ls -la
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwxrwxr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/cache/tmp # ./su
255|cereus:/cache/tmp # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'chmod 6775 /cache/tmp/su'
cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $
finally, even tried from within Magisk root shell. still the binary throws error 255. as you can see the su binary owns the sticky bit and uid 0 (root)
Code:
127|cereus:/data/local $ /sbin/su
cereus:/data/local # /cache/tmp/su --version
16 com.thirdparty.superuser
cereus:/data/local # /cache/tmp/su
255|cereus:/data/local # exit
255|cereus:/data/local $ /cache/tmp/su
/system/bin/sh: /cache/tmp/su: not found
127|cereus:/data/local $ /sbin/su -c 'ls -la /cache/tmp'
total 120
drwxr-xr-x 2 root shell 4096 2022-12-27 15:58 .
drwxrwx--- 8 system cache 4096 2022-12-27 15:54 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 15:58 su
cereus:/data/local $
to confirm the binary is working at least, I wanted to install in /system. Because of systemless-root and avb/dm-verity i can't place file /system partition directly, so I used Magisk bind mount overlay
Code:
cereus:/data/local $ /sbin/su
cereus:/data/local # cd /data/adb/modules
cereus:/data/adb/modules # mkdir su_test
cereus:/data/adb/modules # cd su_test/
cereus:/data/adb/modules/su_test # mkdir -p system/xbin
cereus:/data/adb/modules/su_test # cp /cache/tmp/su system/xbin
cereus:/data/adb/modules/su_test # chown -R 0.2000 system
cereus:/data/adb/modules/su_test # chmod 6775 system/xbin/su
cereus:/data/adb/modules/su_test # ls -la system/xbin
total 108
drwxr-xr-x 2 root shell 4096 2022-12-27 16:10 .
drwxr-xr-x 3 root shell 4096 2022-12-27 16:10 ..
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 su
cereus:/data/adb/modules/su_test # echo 'id=su_test' > module.prop
cereus:/data/adb/modules/su_test # echo 'name=su_test' >> module.prop
cereus:/data/adb/modules/su_test # echo 'version=0.0.1' >> module.prop
cereus:/data/adb/modules/su_test # echo 'versionCode=001' >> module.prop
cereus:/data/adb/modules/su_test # echo 'author=aIecxs @ XDA' >> module.prop
cereus:/data/adb/modules/su_test # echo 'description=proof that su binary is "suitable" >> module.prop
cereus:/data/adb/modules/su_test # cat module.prop
id=su_test
name=su_test
version=0.0.1
versionCode=001
author=aIecxs @ XDA
description=proof that su binary is "suitable"
cereus:/data/adb/modules/su_test # ./system/xbin/su --version
16 com.thirdparty.superuser
cereus:/data/adb/modules/su_test # exit
cereus:/data/local $ exit
C:\Android>
after installing the magisk module, rebooted the phone and confirmed su binary works when running from system.
Code:
C:\Android>adb -s ca1296db7d29 shell
cereus:/ $ which su
/sbin/su
cereus:/ $ ls -l /system/xbin/su
-rwsrwsr-x 1 root shell 100068 2022-12-27 16:10 /system/xbin/su
cereus:/ $ /system/xbin/su --version
16 com.thirdparty.superuser
cereus:/ $ /system/xbin/su
cereus:/ #
(note the /sbin/su binary is Magisk while the /system/xbin/su binary is the file copied from android tv box)
as on stock android device user/release-keys build adb root cannot work, there is no way to use the chown command. because it is impossible to place the file into /system or any proper location with directory owner 0 (root) from adb, it's not possible to get root shell from adb.
conclusion: an additional exploit (like mtk-su) is required to achieve this.
edit: fun fact. Magisk complains the foreign su binary that is provided by Magisk module xD
Hi
I have a new Android device, it's not any of the ones that have their own forum.
More specifically it runs Android 11 on top of a 4.19.193 Rockchip BSP kernel.
I need to read one or two specific files but these files are only readable by root.
I have ADB shell access.
What I do want to acheive:-
Temporarily have an ability to copy a file that's readable only by root, this could be by some GUI app that copies files, as long as the copy is readable by normal user, running commands as root, copy a partition to an image file, export to a desktop machine and read it there. Any one of these would get me that file.
What I don't want to do:-
I don't want to permanently modify the device, unlock the bootloader, put su into /system or anything like that.
Does anyone know of a rooting app that can give me temporary root access but then doesn't actually change the system?
thanks
To get temporary super-user ( AKA root ) rights on an Android's device shell all you have to do is to find a suitable su binary and copy it onto Android's filesystem.
A: To run Android shell commands with super-user right from within the shell on desktop computer ( AKA Command Prompt ) you have to run within desktop computer shell
Code:
adb devices
adb push <LOCATION-OF-SUITABLE-SU-BINARY-ON-PC-HERE> /data/local/tmp/
what will 1. connect the Android device to your desktop computer and 2. upload the su binary in the Android device temporary directory always available for the user.
B: Then, in desktop computer shell type
Code:
adb shell "cd /data/local/tmp & chmod 776 su"
what makes the su binary executable: its ownership by default is set to shell.
C: Then in desktop computer shell type
Code:
adb shell "ls -l"
what will show you content and permissions on recently uploaded files.
D:
To apply a series of Android shell commands what require super-user rights you now would run
Code:
adb shell
export PATH=/data/local/tmp:$PATH"
su -c "<SHELL-CMD-HERE>"
....
su -c "<SHELL-CMD-HERE">
exit
BTW:
When in an Android shell another process like su gets started then this spawned process runs as a child process means it inherits most of the parent process attributes.
adb push allowed me to send the file
Code:
adb push su /data/local/tmp/
su: 1 file pushed. 1.2 MB/s (11640 bytes in 0.009s)
but the adb shell command is failing
Code:
adb shell "cd /data/local/tmp & chmod 776 su"
chmod: su: No such file or directory
if I then log in over adb I don't seem to have permissions to do anything in data
Code:
adb shell
ls -al
drwxrwx--x 47 system system 4096 2022-09-02 16:31 data
cd data
ls -al
ls: .: Permission denied
additionally, I thought that su would need the suid bit set
Does chmod 766 acheive that?
oh this works
Code:
adb shell
cd /data/local/tmp
ls -al
total 18
drwxrwx--x 2 shell shell 3452 2022-09-02 16:32 .
drwxr-x--x 4 root root 3452 2022-07-27 03:04 ..
-rw-rw-rw- 1 shell shell 11640 2022-09-02 16:29 su
Code:
chmod 776 su
ls -al
total 18
drwxrwx--x 2 shell shell 3452 2022-09-02 16:32 .
drwxr-x--x 4 root root 3452 2022-07-27 03:04 ..
-rwxrwxrw- 1 shell shell 11640 2022-09-02 16:29 su
Code:
adb shell
export PATH=$PATH:/data/local/tmp
su
su: setgid failed: Operation not permitted
The device has separate boot_a, boot_b, dtbo_a, dtbo_b partitions.
If I could be reasonably sure that booting a boot partition from a similar device (I have one) would pick up the dtb from this device then I think I could be reasonably confident of not frying anything, I might try and boot it from fastboot.