There was a thread on the SU model, I'm interested if anyone else has a One SC. There's a family of One S-lookalikes that HTC makes for the three major Chinese networks. It's a dual-SIM device supporting CDMA2000 and GSM mainly for the China market. Outside specs are similar to the One SU but the SoC is supposedly an ST-Ericsson U8500.
Anyway, I've been trying to root the thing using Root_with_Restore_by_Bin4ry (http://forum.xda-developers.com/showthread.php?t=1886460) but it always fails. I've modified the script and managed to remount /system as read-write and copy su to /system/xbin/su. ls shows that su is in the right folder with the right permissions. However, after rebooting, all changes are lost. Anyone else having success rooting this phone? Do I need to unlock the bootloader first?
# ls -l
-rwxr-xr-x root shell 9756 2013-01-02 13:35 battery_params
-rwxr-xr-x root shell 71700 2013-01-02 13:35 dexdump
-rwxr-xr-x root shell 35660 2013-01-02 13:35 kexec.dyn
-rwxr-xr-x root shell 22280 2013-01-02 13:35 pppoe
-rwxr-xr-x root shell 13920 2013-01-02 13:35 ste-cg29xx_ctrl
-rwsr-sr-x root root 380532 2013-03-17 17:14 su
-rwxr-xr-x root shell 34668 2013-01-02 13:36 wireless_modem
Click to expand...
Click to collapse
Related
Hi! I have lost root access after recently updating my HTC Evo 4G. I checked with 'root checker' with the following response. I have looked at previous posts but none of them fit. Can someone help?
Thanks in advance.
Root Access is not properly configured or was not granted.
Superuser.apk - com.noshufou.android.su - version 2.3.6.3 is installed!
System Environment PATH: /sbin /vendor/bin /system/sbin /system/bin /system/xbin
The adb binary is set to default shell user access as a standard non-root user
Standard su binary location: ls -l /system/bin/su:
-rwxr-xr-x root shell 26324 2011-10-13 22:39 su
Standard su binary location: ls -l /system/xbin/su:
lrwxrwxrwx root root 2011-10-13 22:39 su -> /system/bin/su
Alternate su binary location:
/sbin/su: Permission denied
Alternate su type binary location:
/system/xbin/sudo: No such file or directory
SU binary not found or not operating properly
Try re-rooting .
Sent from my GT-S5830 using XDA App
Thanks a bunch!
I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.
Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!
A summary:
To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.
Some experiments
I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.
I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278 device
OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit
The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit
Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
./adb remount
remount succeeded
./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
[COLOR="Red"]/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0[/COLOR]
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[I][...many lines snipped out...][/I]
# exit
So, /system is now r/w. Let's push "su".
Code:
./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
./adb shell "chown root.shell /system/bin/su"
./adb shell "chmod 06755 /system/bin/su"
./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
./adb shell "ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
[COLOR="Red"]-rw-rw-rw- root root 22228 2011-11-10 12:53 su[/COLOR]
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root shell 22228 2011-11-10 12:53 su
As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
[COLOR="Red"]lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su[/COLOR]
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# exit
There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root root 7221765 2011-08-02 01:08 Settings.apk
[I][...many lines snipped out...][/I]
-rw-r--r-- root root 296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root root 785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root root 551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root root 255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
[COLOR="Red"]-rw-r--r-- root root 785801 2011-11-10 12:54 Superuser.apk
[/COLOR]# exit
So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot
A short while afterwards...
Code:
$ ./adb shell
$ su
[B][COLOR="Red"]su: permission denied[/COLOR][/B]
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".
Doing this with scripts
I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.
The first script, htc1.sh, is:
Code:
#!/bin/sh
./adb shell "rm /data/local/tmp/*"
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
./adb shell "./data/local/tmp/zergRush"
The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is:
Code:
#!/bin/sh
./adb remount
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"
If you run ./htc1.sh and then ./htc2.sh results will be the same; the added commands will be gone, and you won't be able to "su" no more.
The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.
G2 Temp Root
Hi, I got a tmo g2 2.3.4
i used the superhtctoolv2 on win7, and htcdrivers linked in the original thread.
i performed the option 1 and 2, and was able to gain temp root, but just like every1 else it goes away with a reboot, or even after prolong period of inactivity, it works as long as i keep messing with Titanium backup or other root apps.
Any way to combine this temp root with older options to gain a perm root?
Cool man! Thanks!
HTC security measure?
Looking around, I found this page about a security method by HTC... to quote:
The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTCs security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.
Click to expand...
Click to collapse
This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...
Cannot get S-OFF
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
fkereki said:
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
Click to expand...
Click to collapse
well that sucks!
Hi all,
not sure if this is the right section to post this...
I already have root access through adb shell and I've installed superuser. However, my apps don't seem to be able to gain root access. This is what they have available:
$ su
# ls -l /system/xbin/su
lrwxrwxrwx root root 2012-03-29 17:27 su -> /system/bin/su
# ls -l /system/bin/su
-rwsr-sr-x root shell 64196 2012-03-29 14:10 su
I also compiled busybox 1.19.4 and it's on the device in /system/bin and xbin. I can use it with the busybox prefix (didn't manage to install it, the --install option doesn't work here... applet not found).
What am I missing for my root apps to work? Is it because of the missing --install on busybox? If so, does anyone know where to find a version that works?
Thanks!
Desire S
Hboot 2.00.2002 o-on rl dev->unlocked
instaled = rooted stock RUU_SAGA_ICS_35_S_HTC_EU_14.01.401.2_20.76.30.0835_3831.19.00.110_275068
when i replace boot.img ...from ---> .V7.1 STABLE FOR SENSE 4 | EXPERIMENTAL FOR SENSE 3.6/MIUIv4
I only got black screen and reboot to recovery (after some time)
flashing org boot.img from ruu zip ... restores phone operation again
Why is this kernel not working .. because of hboot???
(installed busybox 1.20.2 with busysbox installer from market)... ?
Thanks for HELP!
Hboot 2.00.2002 is ENG S-OFF
Yours probably is 2.02.0002. Be more careful about such things.
You have to modify one number in the zip before flash. Read the kernel thread again
Sent from my HTC Desire S
amidabuddha said:
Hboot 2.00.2002 is ENG S-OFF
Yours probably is 2.02.0002. Be more careful about such things.
You have to modify one number in the zip before flash. Read the kernel thread again
Sent from my HTC Desire S
Click to expand...
Click to collapse
ok! mine is is 2.02.0002. ----- > S-ON Rl (****unlocked****)
"
mount("ext4", "EMMC", "/dev/block/mmcblk0p29", "/system/lib"); --- The line is totaly missing from "updater-script" in Tweaked3_7.1-Sense3.6-bcm4329.zip
adding mount line with 28 or 29 does not solve the issue :/ .... but 29 should be the right one.. as i looked up mount command in terminal... and system/lib is --> dev/block/mmcblk0p29
Flashing ZIP with 4ext recovery (latest)...
Obviously you dont like to read instructions.
Sense3.6 is for custom ROMs not for Stock
Anyway there is a new installer - use it
Sent from my HTC Desire S
amidabuddha said:
Obviously you dont like to read instructions.
Sense3.6 is for custom ROMa not for Stock
Anyway there is a new installer use it
Sent from my HTC Desire S
Click to expand...
Click to collapse
ok. New installer works.
oTeMpLo said:
ok. New installer works.
Click to expand...
Click to collapse
stock ics rom.
8.0 installer fails to create init.d folder !!!! /system/etc/init.d .. after manualy creating it .. it copies scripts to init.d folder,,
after that ficing permissions with fix_perm.bat .. as some init.d scrips have wring pemissions..
but modules still don't get loaded.
lsmod --> only wifidriver listed.
no zram ---> ecet...
free returns ---> swap 0 0 0
manualy starting ./51-zram works!!!
just init.d scripts dont get processed.
oTeMpLo said:
stock ics rom.
8.0 installer fails to create init.d folder !!!! /system/etc/init.d .. after manualy creating it .. it copies scripts to init.d folder,,
after that ficing permissions with fix_perm.bat .. as some init.d scrips have wring pemissions..
but modules still don't get loaded.
lsmod --> only wifidriver listed.
no zram ---> ecet...
free returns ---> swap 0 0 0
manualy starting ./51-zram works!!!
just init.d scripts dont get processed.
Click to expand...
Click to collapse
Code:
adb shell chmod 750 /system/etc/init.d/{scriptname}
adb shell chown 0.2000 /system/etc/init.d/{scriptname}
reboot
amidabuddha said:
Code:
adb shell chmod 750 /system/etc/init.d/{scriptname}
adb shell chown 0.2000 /system/etc/init.d/{scriptname}
reboot
Click to expand...
Click to collapse
yes i run fix_perm.bat
[email protected]:/system/etc/init.d # ls -l
ls -l
-rwxr-x--- root shell 157 2012-10-02 21:31 50-s2wEB
-rwxr-x--- root shell 68 2012-10-02 21:31 52-cifs
-rwxr-x--- root shell 107 2012-10-02 21:31 54-ntfs
-rwxr-x--- root shell 80 2012-10-02 21:31 53-kineto_gan
-rwxr-x--- root shell 117 2012-10-02 21:31 51-zram
[email protected]:/system/etc/init.d #
[email protected]:/system/lib/modules # ls -l
ls -l
-rw-r--r-- root root 320724 2008-08-01 14:00 bcm4329.ko
-rw-r--r-- root root 3118416 2012-10-02 21:31 cifs.ko
-rw-r--r-- root root 2262132 2012-10-02 21:31 ntfs.ko
-rw-r--r-- root root 29536 2012-10-02 21:31 nls_utf8.ko
-rw-r--r-- root root 175844 2012-10-02 21:31 kineto_gan.ko
-rw-r--r-- root root 218212 2012-10-02 21:31 zram.ko
[email protected]:/system/lib/modules #
Any other idea?
installed busybox 1.20.2 in /system/xbin ... some comands are still inked to "toolbox" ?!?
Thanks for help!
Check if /system/xbin/run-parts is there
amidabuddha said:
Check if /system/xbin/run-parts is there
Click to expand...
Click to collapse
[email protected]:/system/xbin # ls -l run*
ls -l run*
lrwxrwxrwx root root 2012-10-02 21:08 run-parts -> /system/xbin/busybox
[email protected]:/system/xbin #
[email protected]:/system/xbin # ls -l busy*
ls -l busy*
-rwxr-xr-x root root 863436 2012-10-02 21:08 busybox
[email protected]:/system/xbin #
oTeMpLo said:
[email protected]:/system/xbin # ls -l run*
ls -l run*
lrwxrwxrwx root root 2012-10-02 21:08 run-parts -> /system/xbin/busybox
[email protected]:/system/xbin #
[email protected]:/system/xbin # ls -l busy*
ls -l busy*
-rwxr-xr-x root root 863436 2012-10-02 21:08 busybox
[email protected]:/system/xbin #
Click to expand...
Click to collapse
.. ok now it works.... reboot afer remove in new install of busybox.....
tanks for Patiens with me!!! ....
[originally posted in galaxy tab 1 forum by mistake...]
I used clockworkmod recovery and the cwm-root-gtab2.zip package to root my Tab 2. su appears to be installed ok, and I can get root permissions by running it from an adb shell:
~ $ adb shell
[email protected]:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(m ount),1011(adb),1015(sdcard_rw),1028(sdcard_r),300 1(net_bt_admin),3002(net_bt),3003(inet),3006(net_b w_stats)
[email protected]:/ $ su
[email protected]:/ # id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(m ount),1011(adb),1015(sdcard_rw),1028(sdcard_r),300 1(net_bt_admin),3002(net_bt),3003(inet),3006(net_b w_stats)
[email protected]:/ # ls -la /system/bin/su
-rwsr-sr-x root shell 22364 2008-08-01 12:00 su
[email protected]:/ #
So the su binary is present and has setuid bit set on its permissions. But if I run it from a SSH session, or via a terminal emulator on the Tab itself, I get permission error:
[email protected]:/ $ su
Permission denied
1|[email protected]:/ $
Various root checking apps report similar problems. What am I doing wrong? Other threads suggest steps to recreate the su binary with the correct 6755 permissions, but as far as I can see, everything is already as it should be permissions-wise.
Thanks.
First off ran in to the same problem as you I could not get that root to work through cwm method so i did some more research and found my answers here http://androidjinn.com/how-to-root-galaxy-tab-2-p3113-on-ueclk7-android-4-1-1-firmware.html assuming that you are on the gtp3113 model and on stock jb like i am and not looking to flash other roms lol i havent been able to find a way to load cwm without loosing my root again
aj9507 said:
First off ran in to the same problem as you I could not get that root to work through cwm method so i did some more research and found my answers here xxxxxxx assuming that you are on the gtp3113 model and on stock jb like i am and not looking to flash other roms lol i havent been able to find a way to load cwm without loosing my root again
Click to expand...
Click to collapse
Thanks, but unfortunately my model is P3110.