Database Info

Override system binaries on CM-mod

This is hack for the userinit.sh script that allows to override
system programs with different binaries or just add some new
executable programs to your rom as you can use your ext3 partition
as storage. One more advantage is that your customizations
will be persistent even after a update.
For this to work you have to add this lines to your /system/sd/userinit.sh script:
Code:
mount -o remount,rw /dev/rootfs /
mkdir /usr
chown root.root /usr
chmod 755 /usr
mkdir /system/sd/bin
chown root.shell /system/sd/bin
chmod 755 /system/sd/bin
ln -s /system/sd/bin /usr/bin
mount -o remount,ro /dev/rootfs /
After a reboot, you'll find a newly created bin
directory in /system/sd/ linked to /usr/bin.
/usr/bin is the first directory to be searched
in path in CM-mod ROMs so any program dropped
there will be found and executed before others with
same name in the system. So you can simply:
Code:
adb push new_program /usr/bin
adb shell
cd /usr/bin
chmod 755 new_program
chown root.shell new_program
This is experimental stuff and therefore USE IT AT YOUR OWN RISK.
Tested on CM-mod-3.6.7.2 and CM-mod-3.6.8 and works fine for me.

So if I were to use this method. I could 'truely' replace the home screen with one of the 3rd party ones. ie aHome or dxTop? As it is now, I've noticed that even setting aHome as default, Home still runs in the background. Using Advanced Task Manager to confirm this btw.
If this is the case, I'll be using this shortly. As I'm tired of just running 3rd party programs in addition to the programs they are suppose to replace.
Its like using windowblinds in windows, instead of just replacing the whole shell. lol

followinginsanity said:
So if I were to use this method. I could 'truely' replace the home screen with one of the 3rd party ones. ie aHome or dxTop? As it is now, I've noticed that even setting aHome as default, Home still runs in the background. Using Advanced Task Manager to confirm this btw.
If this is the case, I'll be using this shortly. As I'm tired of just running 3rd party programs in addition to the programs they are suppose to replace.
Its like using windowblinds in windows, instead of just replacing the whole shell. lol
Click to expand...
Click to collapse
This only lets your run cli programs. This is below the dalvik system so it won't help you change the launcher.apk for ahome or dxtop.

Ok I see what your saying now. Misunderstood the exact intent of the changes

Cool trick, thanks. I already had a /system/sd/bin, so I modified it a little to skip creating it and doing the chmod etc on it.
Slight mod to avoid the whole thing if /usr is already there.. .
Code:
if ! [ -d /usr ]
then
mount -o remount,rw /dev/rootfs /;
mkdir /usr;
chown root.root /usr;
chmod 755 /usr;
ln -s /system/sd/bin /usr/bin;
mount -o remount,ro /dev/rootfs /;
fi
This is useful to me as my userinit.sh is the new one from the compcache thread and can be run to get status info on compcache after boot. No need to remount the filesystem and all that when what we need is already there.

I don't think you can skip the creation of /usr as it is lost
after a reboot at least on cm-mod, you can skip the creation
of system/sd/bin if it already exists tough. OTOH running:
Code:
mkdir /usr
chown root.root /usr
chmod 755 /usr
mkdir /system/sd/bin
chown root.shell /system/sd/bin
chmod 755 /system/sd/bin
ln -s /system/sd/bin /usr/bin
will do no harm as mkdir and ln will fail if the targets already exist
and chown and chmod will just ensure that you can run your
programs.To be on the safe side i would suggest:
Code:
mount -o remount,rw /dev/rootfs /
mkdir /usr
chown root.root /usr
chmod 755 /usr
# we should check if /system/sd is mounted
if [ ! -d /system/sd/bin ] ; then
mkdir /system/sd/bin
chown root.root /system/sd/bin
chmod 755 /system/sd/bin
fi
ln -s /system/sd/bin /usr/bin
mount -o remount,ro /dev/rootfs /

This would be a great place to put a set of the GNU utilities like ls, ln, cp, mv, etc to go along with bash. Busybox is great and all, but there are some advanced options in the GNU versions that aren't available in Busybox. Has anyone compiled them for Android? I might try copying the Debian ones over and see if they work without the rest of the chroot. I'm thinking I'll need at least some of /lib from debian for them to work though.

ttabbal said:
This would be a great place to put a set of the GNU utilities like ls, ln, cp, mv, etc to go along with bash. Busybox is great and all, but there are some advanced options in the GNU versions that aren't available in Busybox. Has anyone compiled them for Android? I might try copying the Debian ones over and see if they work without the rest of the chroot. I'm thinking I'll need at least some of /lib from debian for them to work though.
Click to expand...
Click to collapse
Have you tried a fully configured busybox with desktop options enabled?
Attached just for reference my .config.

farmatito said:
Have you tried a fully configured busybox with desktop options enabled?
Attached just for reference my .config.
Click to expand...
Click to collapse
Nope. Is there a binary available? I don't have a cross compiler set up right now.

Try this, You can create all the symlinks with this command:
Code:
adb push busybox /usr/bin
adb shell
cd /usr/bin
./busybox --install .
For full functionality you should also add /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow. I link them to /system/sd/etc/ to have them rw
Code:
mkdir /system/sd/etc
chmod 644 /system/sd/etc
/system/bin/chown root.root /system/sd/etc
/system/bin/chown root.root /system/sd/etc/passwd
/system/bin/chown root.root /system/sd/etc/group
/system/bin/chown root.root /system/sd/etc/shadow
/system/bin/chown root.root /system/sd/etc/gshadow
/system/bin/chown root.root /system/sd/etc/fstab
chmod 644 /system/sd/etc/passwd
chmod 644 /system/sd/etc/group
chmod 600 /system/sd/etc/shadow
chmod 600 /system/sd/etc/gshadow
ln -s /system/sd/etc/passwd /etc/passwd
ln -s /system/sd/etc/shadow /etc/shadow
ln -s /system/sd/etc/group /etc/group
ln -s /system/sd/etc/gshadow /etc/gshadow
Remove the su link to busybox for now as it interferes with
the superuser app (otoh you could set a root passwd and
use busybox's su BUT ONLY FROM A SHELL)
Code:
rm /usr/bin/su
You should also:
Code:
passwd root
addgroup -g 65534 nogroup
You can even use ash as your default shell by doing:
Code:
if [ -e /usr/bin/busybox ] ; then
mount --bind /usr/bin/sh /system/bin/sh
fi
# Fix scripts in /system/bin
for i in am ime input monkey pm svc
do
if [ `grep -c "#!/system/bin/sh" /system/bin/$i` -eq 0 ] ; then
echo "#!/system/bin/sh" > /system/bin/$i.tmp
cat /system/bin/$i >> /system/bin/$i.tmp
mv /system/bin/$i.tmp /system/bin/$i
chown root.shell /system/bin/$i
chmod 755 /system/bin/$i
fi
done

Thanks! That worked great.

farmatito said:
Try this, You can create all the symlinks with this command:Remove the su link to busybox for now as it interferes with
the superuser app (otoh you could set a root passwd and
use busybox's su BUT ONLY FROM A SHELL)
Click to expand...
Click to collapse
Hey farmatito - just stumbled onto this thread and am going to follow this but I am unclear on how to remove the su link to busybox? Any direction would be appreciated! Thanks.
Edit: I realize you mean to just rm it from /system/sd/bin - duh. thanks for this thread! I like having the full busybox bin.

cd /usr/bin
rm su

farmatito said:
cd /usr/bin
rm su
Click to expand...
Click to collapse
Yeah, I figured that out - thanks. I had edited my above post saying such.
another question for you - I was going through your busybox config file - and am wondering which directory you store it in so that it is used when installing busybox?

prscott1 said:
Yeah, I figured that out - thanks. I had edited my above post saying such.
another question for you - I was going through your busybox config file - and am wondering which directory you store it in so that it is used when installing busybox?
Click to expand...
Click to collapse
Download the source code from www.busybox.net
extract it
cd busybox
cp my_config .config
make oldconfig
make
You need a cross compiler to build it
you can download one at
http://www.codesourcery.com/sgpp/lite/arm/portal/release830
or
http://www.codesourcery.com/sgpp/lite/arm/portal/release827

Quick stupid question please... tried searching but haven't found much.
After doing the userinit.sh mod shown here and using the new busybox (thanks for that, btw!), I noticed that a lot of the commands (including 'ls' which is now using /usr/bin/ls) show ansi colors in a terminal that supports them (i.e. 'Terminal' or 'Better Terminal' app) which is awesome but 'adb shell' looks mostly horrible with escape sequences instead of colors, like this:
Code:
# cd /system/sd
cd /system/sd
# ls -l
ls -l
drwxrwx--x 2 system system 2048 Aug 19 16:04 ←[1;34mapp←[0m
drwxrwx--x 2 system system 1024 Aug 16 02:12 ←[1;34mapp-private←[0m
drwxr-xr-x 2 root root 4096 Aug 19 20:40 ←[1;34mbin←[0m
drwxrwx--x 2 system system 7168 Aug 19 16:04 ←[1;34mdalvik-cache←[0m
drw-r--r-- 2 root root 1024 Aug 19 20:39 ←[1;34metc←[0m
drwxr-xr-x 2 root root 12288 Jul 10 02:29 ←[1;34mlost+found←[0m
drwxrwxrwx 2 root root 1024 Jul 22 18:15 ←[1;34mmedia←[0m
-rwxr-xr-x 1 root root 331 Aug 19 20:28 ←[1;32muserinit.sh←[0m
Do you guys set your $TERM variable to something that makes the adb terminal more "sane" or is not possible because adb is limited and I should just ssh or telnet in, etc.?
I've tried setting $TERM to various standard things (ansi/vt100/xterm/etc.) but the dumb adb terminal remains.. well.. dumb.

rub1k said:
Quick stupid question please... tried searching but haven't found much.
After doing the userinit.sh mod shown here and using the new busybox (thanks for that, btw!), I noticed that a lot of the commands (including 'ls' which is now using /usr/bin/ls) show ansi colors in a terminal that supports them (i.e. 'Terminal' or 'Better Terminal' app) which is awesome but 'adb shell' looks mostly horrible with escape sequences instead of colors, like this:
Code:
# cd /system/sd
cd /system/sd
# ls -l
ls -l
drwxrwx--x 2 system system 2048 Aug 19 16:04 ←[1;34mapp←[0m
drwxrwx--x 2 system system 1024 Aug 16 02:12 ←[1;34mapp-private←[0m
drwxr-xr-x 2 root root 4096 Aug 19 20:40 ←[1;34mbin←[0m
drwxrwx--x 2 system system 7168 Aug 19 16:04 ←[1;34mdalvik-cache←[0m
drw-r--r-- 2 root root 1024 Aug 19 20:39 ←[1;34metc←[0m
drwxr-xr-x 2 root root 12288 Jul 10 02:29 ←[1;34mlost+found←[0m
drwxrwxrwx 2 root root 1024 Jul 22 18:15 ←[1;34mmedia←[0m
-rwxr-xr-x 1 root root 331 Aug 19 20:28 ←[1;32muserinit.sh←[0m
Do you guys set your $TERM variable to something that makes the adb terminal more "sane" or is not possible because adb is limited and I should just ssh or telnet in, etc.?
I've tried setting $TERM to various standard things (ansi/vt100/xterm/etc.) but the dumb adb terminal remains.. well.. dumb.
Click to expand...
Click to collapse
What terminal are you using?
I use konsole on linux and everything looks fine.
Cannot say if there is a suitable terminal for windows,
maybe the one that comes with the mingw compiler.
If nothing works you can just:
Code:
cd /usr/bin
rm ls

farmatito said:
Download the source code from www.busybox.net
extract it
cd busybox
cp my_config .config
make oldconfig
make
You need a cross compiler to build it
you can download one at
http://www.codesourcery.com/sgpp/lite/arm/portal/release830
or
http://www.codesourcery.com/sgpp/lite/arm/portal/release827
Click to expand...
Click to collapse
Many thanks!

Oh, sorry, I should have specified that.
This was using adb from my Vista x64 laptop (yeah, sorry, stuck with win32 for using adb so terminal choices rather limited).
So, basically, it was just running "adb[.exe] shell" from a Windows command prompt.
Tried bash under cygwin and even though it has full ansi coloring support, it looks like adb.exe isn't very terminal friendly because extended/escaped ansi still don't translate.
No big deal; I'll remove /usr/bin/ls for now or temporarily alias 'ls' to /system/xbin/bb/ls while I'm in an adb shell.
Wondering what else I could be using via the USB connection to get a shell prompt within my G1... easiest way is to turn on the wifi and telnet/ssh in, I guess?
EDIT: Duh, just started telnetd and forwarded the port using adb and problem solved (using putty to telnet in as described here and it works very nicely).

rub1k said:
Quick stupid question please... tried searching but haven't found much.
After doing the userinit.sh mod shown here and using the new busybox (thanks for that, btw!), I noticed that a lot of the commands (including 'ls' which is now using /usr/bin/ls) show ansi colors in a terminal that supports them (i.e. 'Terminal' or 'Better Terminal' app) which is awesome but 'adb shell' looks mostly horrible with escape sequences instead of colors, like this:
Code:
# cd /system/sd
cd /system/sd
# ls -l
ls -l
drwxrwx--x 2 system system 2048 Aug 19 16:04 ←[1;34mapp←[0m
drwxrwx--x 2 system system 1024 Aug 16 02:12 ←[1;34mapp-private←[0m
drwxr-xr-x 2 root root 4096 Aug 19 20:40 ←[1;34mbin←[0m
drwxrwx--x 2 system system 7168 Aug 19 16:04 ←[1;34mdalvik-cache←[0m
drw-r--r-- 2 root root 1024 Aug 19 20:39 ←[1;34metc←[0m
drwxr-xr-x 2 root root 12288 Jul 10 02:29 ←[1;34mlost+found←[0m
drwxrwxrwx 2 root root 1024 Jul 22 18:15 ←[1;34mmedia←[0m
-rwxr-xr-x 1 root root 331 Aug 19 20:28 ←[1;32muserinit.sh←[0m
Do you guys set your $TERM variable to something that makes the adb terminal more "sane" or is not possible because adb is limited and I should just ssh or telnet in, etc.?
I've tried setting $TERM to various standard things (ansi/vt100/xterm/etc.) but the dumb adb terminal remains.. well.. dumb.
Click to expand...
Click to collapse
If you are on a windows pc, try using cygwin - works great.

Rooting the HTC DESIRE Z, VISION, G2 with Super Tool under Linux

I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.
Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!
A summary:
To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.
Some experiments
I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.
I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278 device
OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit
The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit
Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
./adb remount
remount succeeded
./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
[COLOR="Red"]/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0[/COLOR]
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[I][...many lines snipped out...][/I]
# exit
So, /system is now r/w. Let's push "su".
Code:
./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
./adb shell "chown root.shell /system/bin/su"
./adb shell "chmod 06755 /system/bin/su"
./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
./adb shell "ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
[COLOR="Red"]-rw-rw-rw- root root 22228 2011-11-10 12:53 su[/COLOR]
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root shell 22228 2011-11-10 12:53 su
As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
[COLOR="Red"]lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su[/COLOR]
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# exit
There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root root 7221765 2011-08-02 01:08 Settings.apk
[I][...many lines snipped out...][/I]
-rw-r--r-- root root 296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root root 785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root root 551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root root 255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
[COLOR="Red"]-rw-r--r-- root root 785801 2011-11-10 12:54 Superuser.apk
[/COLOR]# exit
So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot
A short while afterwards...
Code:
$ ./adb shell
$ su
[B][COLOR="Red"]su: permission denied[/COLOR][/B]
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".
Doing this with scripts
I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.
The first script, htc1.sh, is:
Code:
#!/bin/sh
./adb shell "rm /data/local/tmp/*"
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
./adb shell "./data/local/tmp/zergRush"
The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is:
Code:
#!/bin/sh
./adb remount
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"
If you run ./htc1.sh and then ./htc2.sh results will be the same; the added commands will be gone, and you won't be able to "su" no more.
The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.

G2 Temp Root
Hi, I got a tmo g2 2.3.4
i used the superhtctoolv2 on win7, and htcdrivers linked in the original thread.
i performed the option 1 and 2, and was able to gain temp root, but just like every1 else it goes away with a reboot, or even after prolong period of inactivity, it works as long as i keep messing with Titanium backup or other root apps.
Any way to combine this temp root with older options to gain a perm root?

Cool man! Thanks!

HTC security measure?
Looking around, I found this page about a security method by HTC... to quote:
The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTCs security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.
Click to expand...
Click to collapse
This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...

Cannot get S-OFF
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.

fkereki said:
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
Click to expand...
Click to collapse
well that sucks!

Panasonic Eluga Power P-07D

Greetings,
I have received my shiny new Eluga Power and I am wondering if anybody else has this device and if anybody has rooted there's?
Sent from my P-07D using xda premium

Edit: moved to Q&A, lets see if you can get some help but do search for your device.
First welcome...
Next time post in the Q&A section for questions. To better serve you do a search for your device and look in the Dev section for your model device...also you will find a Q&A section there, Thank you.
Btw ensure you read the forum rules.
Sent from a closet, at Arkham Asylum using Forum Runner.

ianford10 said:
Greetings,
I have received my shiny new Eluga Power and I am wondering if anybody else has this device and if anybody has rooted there's?
Sent from my P-07D using xda premium
Click to expand...
Click to collapse
Where did you get it from?HOw much? How's it first impression?

mixmaster said:
Where did you get it from?HOw much? How's it first impression?
Click to expand...
Click to collapse
Had to import it from a Japanese eBay store with a cost of £560 with delivery. First impressions of the phone are very good, nice big clear screen, batter life is okay considering the screen size, calls are crisp and clear, feels good in the hand to hold. Will have more info as I use it over the next couple of weeks
Sent from my P-07D using xda premium

Rooting P-07D success...
I was able to root my Panasonic Eluga Power (P-07D) you can check the screenshot below. As of the moment I am re-writing the steps for others so they can easily follow the instructions as this was written in Japanese (Thanks to http://sithxi.blog49.fc2.com/blog-entry-51.html and goroh_kun. Hopefully this would help others root there device just like me. The only main problem for me now is SIM unlock the device.

Panasonic Eluga Power rooting instructions...
As promised here are the steps: (This seems to look like a temporary root, as you will loose it once the device rebooted) But still it's a good primary step. For the source code it can be downloaded from here. Panasonic Eluga Power Source Code
goroh_kun
2012/10/18
root privileges acquisition & tomoyo released experimental version in
the p-07d
things to do
Run:
1. >adb restore p-07d.ab
I press OK authentication
After the restore is finished
2. Open another command prompt and type the following:
>adb shell
$cd /data/data/com.android.settings/a/
$ls -l -d
drwxrwxrwx system system a
- check directory called A exists, it is world readable, writable as
show above
3. $ ls -l
⇒ file00 〜 file99 check if files exists
Delete all file from file00 ~ file99
run the command below
4. >adb shell
$cd /data/data/com.android.settings/
$rm -r a/*
change permissions to 777 /persist
This is the tricky part as you need to to do this using two command prompt, one running the adb restore p-07d.ab while the other on the shell command running ln -s /persist a/file99 command.
5. First run: >adb restore p-07d.ab while it is restoring on the other command prompt run in shell $ ln-s / persist a/file99
6. Now lets check the permission to folder /persist by typing on the command prompt that is already in shell.
$ ls -l -d /persist
drwxrwxrwx system system persist <--(you should see this)
Now move on your other command prompt window and run the following commands. (you can download the needed file at this link
Then run the command below to push the files needed for rooting:
>adb push init.cne.rc /data/local/tmp
>adb push p07dgetroot /data/local/tmp
>adb push xsh /data/local/tmp/
>adb push libQ.so /persist
>adb shell rm /persist/init.cne.rc
>adb shell ln -s /data/local/tmp/init.cne.rc /persist/init.cne.rc
>adb reboot
The next step is kinda hard to understand and I qoute: "/persist at Startup directory of the recovery process because it will not be restored and persist the only symbolic links should be a basic /data/local/tmp to keep the change."
After re-move environment variable is changed to check (LD_PRELOAD= /presist/libQ.so and be sure it is).
7. > adb shell
$echo $LD_PRELOAD
/persist/libQ.so <--(you should see this)
8. To Unlock Tomoyo, follow this steps:
> adb shell
$ cat /data/local/tmp/p07dgetroot > /tmp/xsh
$ ls -l /tmp/xsh
-rw-rw-rw- shell shell xsh <--(you should see this)
Make sure that wirelss LAN is ON before doing the command below:
9. WLAN ON / TURN OFF WLAN / TURN ON WLAN (wait to be connected before typing the below command or you will have to do it again)
$ ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$ /tmp/xsh
/tmp/xsh
/tmp/.mem fd=3
read ret = 256
write ret = 256
At this stage, Tomoyo is now unlocked
10.
$rm /tmp/xsh
$cat /data/local/tmp/xsh > /tmp/xsh
11. WLAN ON / TURN OFF WLAN / TURN ON WLAN (wait to be connected before typing the below command or you will have to do it again)
$ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
12. $/tmp/xsh
$(precmd)[email protected]$HOSTNAME:${PWD:-?} $ <--(you should see
this)
Here is a shell with root privileges, so stand up and be able to work a variety. You can also install the su
13. $(precmd)[email protected]$HOSTNAME:${PWD:-?} $
$ mount -o remount,rw /system /system
$ chmod 777 /system/app/
$ chmod 777 /system/bin/
$ chmod 777 /system/xbin/
Open another command prompt:
adb push Superuser.apk /system/app/
adb push su /system/bin/
adb push busybox /system/xbin/
Go back to ($(precmd)[email protected]$HOSTNAME:${PWD:-?} $) window:
chown root.root /system/bin/su
chmod 6755 /system/bin/su
chmod 644 /system/app/Superuser.apk
chown root.shell /system/xbin/busybox
chmod 755 /system/xbin/busybox
chmod 755 /system/app/
chmod 755 /system/bin/
chmod 755 /system/xbin/
Verify root access by installing "Root Checker".
Note: each time you reboot your device you will need to run Tomoyo Unlock script to regain root access (Step 8 - 12) which I re-wrote below:
8. Tomoyo Unlock
> adb shell
$ cat /data/local/tmp/p07dgetroot > /tmp/xsh
$ ls -l /tmp/xsh
-rw-rw-rw- shell shell xsh <--(you should see this)
WLAN ON / OFF / ON
$ ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$ /tmp/xsh
/tmp/xsh
/tmp/.mem fd=3
read ret = 256
write ret = 256
At this stage, tomoyo is released
$rm /tmp/xsh
$cat /data/local/tmp/xsh > /tmp/xsh
WLAN ON / OFF / ON
$ls -l /tmp/xsh
-rwsr-sr-x root root xsh <--(you should see this)
$/tmp/xsh
$(precmd)[email protected]$HOSTNAME:${PWD:-?} $ <---(you should end up here to regain root access, if not redo it again)
Proof:

ask questions
hi,
If it unlocked the device of sim by docomo, when i root it, the condition of unlock sim whether will cancel????
---------- Post added at 12:10 AM ---------- Previous post was at 12:06 AM ----------
dear zyper95,
Can you make the picture to show the process of root??
thank a lot

Panasonic P-07D
Hello, Someone tell me how to reset to factory settings "Android system recovery -> wipe data / factory reset -> Yes-delete all user data -> Please input password". What is the password to be entered? Help please.

Panasonic Eluga Power P-07D hard reset plz:crying::crying::crying:

Kenel [22 Sep 2012] Tweaked 7.1 [3.0.43][ICS Sense][MIUIv4]

Desire S
Hboot 2.00.2002 o-on rl dev->unlocked
instaled = rooted stock RUU_SAGA_ICS_35_S_HTC_EU_14.01.401.2_20.76.30.0835_3831.19.00.110_275068
when i replace boot.img ...from ---> .V7.1 STABLE FOR SENSE 4 | EXPERIMENTAL FOR SENSE 3.6/MIUIv4
I only got black screen and reboot to recovery (after some time)
flashing org boot.img from ruu zip ... restores phone operation again
Why is this kernel not working .. because of hboot???
(installed busybox 1.20.2 with busysbox installer from market)... ?
Thanks for HELP!

Hboot 2.00.2002 is ENG S-OFF
Yours probably is 2.02.0002. Be more careful about such things.
You have to modify one number in the zip before flash. Read the kernel thread again
Sent from my HTC Desire S

amidabuddha said:
Hboot 2.00.2002 is ENG S-OFF
Yours probably is 2.02.0002. Be more careful about such things.
You have to modify one number in the zip before flash. Read the kernel thread again
Sent from my HTC Desire S
Click to expand...
Click to collapse
ok! mine is is 2.02.0002. ----- > S-ON Rl (****unlocked****)
"
mount("ext4", "EMMC", "/dev/block/mmcblk0p29", "/system/lib"); --- The line is totaly missing from "updater-script" in Tweaked3_7.1-Sense3.6-bcm4329.zip
adding mount line with 28 or 29 does not solve the issue :/ .... but 29 should be the right one.. as i looked up mount command in terminal... and system/lib is --> dev/block/mmcblk0p29
Flashing ZIP with 4ext recovery (latest)...

Obviously you dont like to read instructions.
Sense3.6 is for custom ROMs not for Stock
Anyway there is a new installer - use it
Sent from my HTC Desire S

amidabuddha said:
Obviously you dont like to read instructions.
Sense3.6 is for custom ROMa not for Stock
Anyway there is a new installer use it
Sent from my HTC Desire S
Click to expand...
Click to collapse
ok. New installer works.

oTeMpLo said:
ok. New installer works.
Click to expand...
Click to collapse
stock ics rom.
8.0 installer fails to create init.d folder !!!! /system/etc/init.d .. after manualy creating it .. it copies scripts to init.d folder,,
after that ficing permissions with fix_perm.bat .. as some init.d scrips have wring pemissions..
but modules still don't get loaded.
lsmod --> only wifidriver listed.
no zram ---> ecet...
free returns ---> swap 0 0 0
manualy starting ./51-zram works!!!
just init.d scripts dont get processed.

oTeMpLo said:
stock ics rom.
8.0 installer fails to create init.d folder !!!! /system/etc/init.d .. after manualy creating it .. it copies scripts to init.d folder,,
after that ficing permissions with fix_perm.bat .. as some init.d scrips have wring pemissions..
but modules still don't get loaded.
lsmod --> only wifidriver listed.
no zram ---> ecet...
free returns ---> swap 0 0 0
manualy starting ./51-zram works!!!
just init.d scripts dont get processed.
Click to expand...
Click to collapse
Code:
adb shell chmod 750 /system/etc/init.d/{scriptname}
adb shell chown 0.2000 /system/etc/init.d/{scriptname}
reboot

amidabuddha said:
Code:
adb shell chmod 750 /system/etc/init.d/{scriptname}
adb shell chown 0.2000 /system/etc/init.d/{scriptname}
reboot
Click to expand...
Click to collapse
yes i run fix_perm.bat
[email protected]:/system/etc/init.d # ls -l
ls -l
-rwxr-x--- root shell 157 2012-10-02 21:31 50-s2wEB
-rwxr-x--- root shell 68 2012-10-02 21:31 52-cifs
-rwxr-x--- root shell 107 2012-10-02 21:31 54-ntfs
-rwxr-x--- root shell 80 2012-10-02 21:31 53-kineto_gan
-rwxr-x--- root shell 117 2012-10-02 21:31 51-zram
[email protected]:/system/etc/init.d #
[email protected]:/system/lib/modules # ls -l
ls -l
-rw-r--r-- root root 320724 2008-08-01 14:00 bcm4329.ko
-rw-r--r-- root root 3118416 2012-10-02 21:31 cifs.ko
-rw-r--r-- root root 2262132 2012-10-02 21:31 ntfs.ko
-rw-r--r-- root root 29536 2012-10-02 21:31 nls_utf8.ko
-rw-r--r-- root root 175844 2012-10-02 21:31 kineto_gan.ko
-rw-r--r-- root root 218212 2012-10-02 21:31 zram.ko
[email protected]:/system/lib/modules #
Any other idea?
installed busybox 1.20.2 in /system/xbin ... some comands are still inked to "toolbox" ?!?
Thanks for help!

Check if /system/xbin/run-parts is there

amidabuddha said:
Check if /system/xbin/run-parts is there
Click to expand...
Click to collapse
[email protected]:/system/xbin # ls -l run*
ls -l run*
lrwxrwxrwx root root 2012-10-02 21:08 run-parts -> /system/xbin/busybox
[email protected]:/system/xbin #
[email protected]:/system/xbin # ls -l busy*
ls -l busy*
-rwxr-xr-x root root 863436 2012-10-02 21:08 busybox
[email protected]:/system/xbin #

oTeMpLo said:
[email protected]:/system/xbin # ls -l run*
ls -l run*
lrwxrwxrwx root root 2012-10-02 21:08 run-parts -> /system/xbin/busybox
[email protected]:/system/xbin #
[email protected]:/system/xbin # ls -l busy*
ls -l busy*
-rwxr-xr-x root root 863436 2012-10-02 21:08 busybox
[email protected]:/system/xbin #
Click to expand...
Click to collapse
.. ok now it works.... reboot afer remove in new install of busybox.....
tanks for Patiens with me!!! ....

[Q] Nabi XD root

So I have been working on rooting for the Nabi XD. Specifically to grab a dd of mmcblk0p1 and p2 so I can extract kernel and ramdisk to build a TWRP.
The 2 options I have tried are 1) Bin4ry root many Android, 2) Build TWRP based off the different Nabi2 kernel to gain access to /system
Bin4ry exploit fails with mount: Permission denied, when attempting to remount rw with busybox. The device is 4.1.1 so they must have patched it or cherry picked a patch. The build was this year.
The TWRP will boot but with a blank screen. Comparing the config.gz for kernel builds explains the blank screen. ADB is however is up and running, but the internal storage is not seen as a block device. cat proc/partitions is blank.
The third thing of interest is that there is a bin in xbin called su2. su2 -v yields an output of 3.3.
Code:
[email protected]:/system/xbin $ su2 -v
su2 -v
3.3
[email protected]:/system/xbin $ su2 -help
su2 -help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
[email protected]:/system/xbin $ ls -l su2
-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2
How can I put this to use? Just running su2 over adb results in nothing, and through Term.apk as permission denied. I obviously need the associated Superuser.apk to grant access, but it seems hardcoded to look for su. I looked through the source to see if I could recompile to look for su2, but I don't know if it's as simple as that.
Any thoughts?

Strange they left the su binary there.
But first : show me a "ls -l su2", we need to see if it has correct permissions or if it is just there and cannot do anything
Second: just try "su2 -c /system/bin/sh", if you are lucky it starts a rootshell.
Regards

I thought it was weird too that is was left behind, and hopefully an easy way to even gain temp root. If I can just dd the boot partition it's smooth sailing.
[email protected]:/system/xbin $ ls -l su2
-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2
No setuid bit set? Should be -rwsr-sr-x?
I tried the second thing via adb. It just echos the command and prompt stays $. Using something like Term.apk yields permission denied. Tried different quotes for passing -c. Any symlinking tricks?
[email protected]:/system/xbin $ su2 -c /system/bin/sh
su2 -c /system/bin/sh
1|[email protected]:/system/xbin $ su2 -c '/system/bin/sh'
su2 -c '/system/bin/sh'
1|[email protected]:/system/xbin $ su2 -c "/system/bin/sh"
su2 -c "/system/bin/sh"
1|[email protected]:/system/xbin $