[Root/Write Protection Bypass] MotoX (no unlock needed) - Moto X Original Android Development

The latest OTAs patch this exploit
The "Camera patch" patches the vulnerability we use to gain system user, and pwnmymoto will no longer work on devices with this update.
Warning:
I will not be responsible for damage to your device(s) by using this exploit. Antivirus software and Play services will likely detect this as potentially malicious. It is an exploit, deal with it or don't use it. Do not mirror these applications without my permission!
Change Log:
1.4.3 detects failed su installation (0 size su) and allows reinstallation
1.4.1 adds reliability, and fixes issues for users when improper permissions are applied to su (Preventing updates).
PwnMyMoto is a replacement for my previously released MotoRoot. PwnMyMoto exploits three vulnerabilities to gain root access, then to gain write access to system. This is a traditional root, and doesn't use any 'hackery' to maintain su access, unlike MotoRoot.
First it uses bug 9695860 (aka the second master key) to gain the system user, then a symlink attack to gain root access. After gaining root, we exploit a flaw in the bootloader that allows us to bypass the write protection applied to system. In the process we remove stock recovery, so OTAs will not be a worry.
Install PwnMyMoto by running:
adb install -r PwnMyMoto-<version and model go here>.apk
Then run PwnMyMoto. Depending on the current root status of your phone it will reboot 2 or 3 times; after the last reboot it will uninstall itself and su will be installed on the actual system partition. Please install SuperSU from the market after this step is done.
We have two boot modes (OK, more, but we're not going into that). First is normal, which boots regular Android, and in this case boots with system write protected. Second is recovery mode, which normally boots recovery without write protection. Our exploit will hijack the recovery boot mode and boot Android without write protection.
After running this exploit, if you boot normally /system will be write protected. If you boot to "recovery", Android will boot without write protection. If you wish to edit system, you must boot into "recovery" to do so, any changes made will stick and will work in either bootmode. My suggestion is to make your changes in "recovery" and run the device day to day in normal mode, until we are certain "recovery" mode will be 100% stable for day to day use.
The exploit will uninstall itself after successful exploitation.
To see if write protection is applied, you can run:
adb shell getprop ro.boot.write_protect
If it returns '1' then write protection is applied to /system, if it returns '0' then no write protection has been applied.
In the future we will have a replacement recovery, but at this time it is still in development. Enjoy.

Figure I should add that this does not allow usage of custom kernels at this time because everything is still signature checked.
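The post tells you to read ro.boot.write_protect by hand, and the change log mentions two failure modes of the su install (a 0-byte su after a failed install, and wrong permissions that block updates). The script below is an added example, not part of jcase's post or of PwnMyMoto: it packages those checks as shell functions that take their input as arguments, so the logic can be exercised offline and then run on the phone via adb shell. The only device assumption is that getprop is on PATH when main is invoked with --run; the su paths /system/xbin/su and /system/bin/su are the conventional locations, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): post-root health checks for a
# PwnMyMoto-style root. Run on the device as: sh check.sh --run

# Interpret the value of ro.boot.write_protect as the post describes it:
# "1" means /system is write-protected, "0" means it is not.
write_protect_state() {
    case "$1" in
        1) echo protected ;;
        0) echo unprotected ;;
        *) echo unknown ;;
    esac
}

# Validate one su binary. A healthy su is a non-empty, executable, setuid
# file; a 0-byte file means a failed install (reinstall), and a file without
# the setuid/exec bits means broken permissions (fix them, e.g. chmod 6755).
# Returns 0 when healthy, 1 otherwise, and prints the reason.
check_su() {
    su_path=$1
    if [ ! -e "$su_path" ]; then
        echo "$su_path: missing"; return 1
    fi
    if [ ! -s "$su_path" ]; then
        echo "$su_path: zero-length (failed install, reinstall su)"; return 1
    fi
    if [ ! -x "$su_path" ] || [ ! -u "$su_path" ]; then
        echo "$su_path: not setuid-executable (fix permissions)"; return 1
    fi
    echo "$su_path: ok"
    return 0
}

# Check every candidate path; succeed if at least one copy is healthy.
find_healthy_su() {
    found=1
    for p in "$@"; do
        if check_su "$p"; then found=0; fi
    done
    return $found
}

# Device entry point. Assumes `getprop` is on PATH (i.e. run under adb shell).
main() {
    wp=$(getprop ro.boot.write_protect 2>/dev/null)
    echo "/system write protection: $(write_protect_state "$wp")"
    if ! find_healthy_su /system/xbin/su /system/bin/su; then
        echo "no healthy su binary found"
        return 1
    fi
}

if [ "${1-}" = "--run" ]; then main; fi
```

Run it once from normal boot and once from the hijacked "recovery" boot mode; the first line should read protected and unprotected respectively, and the su check should pass in both, since su lives on the real /system partition after the exploit runs.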

"Thank You" just doesn't quite cover it. But THANK YOU!! for making all of our Moto X's more awesome!
donation is forthcoming, good sir.

If I rooted previously with MotoRoot, should I unroot and uninstall that app first before running this one?

So to apply entitlement hack we'd have to write in recovery mode then reboot into normal?
Sent from my HTC One using Tapatalk 4

_MetalHead_ said:
If I rooted previously with MotoRoot, should I unroot and uninstall that app first before running this one?
I didn't and it worked fine. It will also remove the app originally used to root.

You're the man, jcase, thanks a bunch. I still remember back to the Eris days when you Rick Rolled a bunch of us on a ROM you put out. Lol, thanks again for this exploit.
jonathanphx1

I am in no way trying to reverse engineer your tool, as I don't have a fraction of the knowledge required to do so; however, I am increasingly ripping apart things like this, similar to Dan Rosenberg's numerous tools. All I've got to say is dex2jar sucks donkey **** for helping me understand these things on a lower level!
The beer is flowing I hope everyone has a good night!
:good::beer:

So for my stupid question of the day - how does one boot into recovery on this phone? Is it Power-Up or some other combination? Presuming I need to be in "recovery" to get xposed to stick.
Answered my own question. Fastboot is Power-Down.

du bist krank said:
I am in no way trying to reverse engineer your tool, as I don't have a fraction of the knowledge required to do so; however, I am increasingly ripping apart things like this, similar to Dan Rosenberg's numerous tools. All I've got to say is dex2jar sucks donkey **** for helping me understand these things on a lower level!
The beer is flowing I hope everyone has a good night!
:good::beer:
No obfuscation was done to the Dex, not hiding anything. Try smali
Sent from my GT-I9505G using XDA Premium 4 mobile app

anyone else's widgets acting strange?
Sent from my XT1058 using XDA Premium 4 mobile app

Installed no issues. This is fantastic. Just curious if there is a way to reverse it in case we needed to go to the stock recovery for any reason?
Sent from my XT1058 using xda app-developers app

rmead01 said:
Installed no issues. This is fantastic. Just curious if there is a way to reverse it in case we needed to go to the stock recovery for any reason?
Sent from my XT1058 using xda app-developers app
just flash stock firmware if needed
Sent from my XT1058 using XDA Premium 4 mobile app

Do we have to use adb to install this or can we use any method to put the apk on the sdcard and install it from there?

You can install from the APK, just like an app. Just delete the MotoRoot app and reboot, then download and install the Pwn app. Worked for me.
Cole
Moto X+

Thanks jcase, working great. Was a bit scared after the 3rd reboot that it was in a boot-loop but it stopped and haven't noticed any significant changes battery, performance, or screen wise.

Also, guys, you can use Xposed to get an advanced boot menu and choose recovery, or use any of the boot apps to achieve it without the volume/power hassles.
Cole
Moto X+

I used the thanks button. But I wanted to say thank you as well. Working great.
And for others - I did not uninstall RootMyMoto first. I just installed PwnMyMoto and it took care of the rest including uninstalling RootMyMoto.

dier325 said:
Thanks jcase, working great. Was a bit scared after the 3rd reboot that it was in a boot-loop but it stopped and haven't noticed any significant changes battery, performance, or screen wise.
have you tried your fix yet for wireless tethering with the permanent write solution?

htowngator said:
have you tried your fix yet for wireless tethering with the permanent write solution?
I didn't make that. I actually have wireless tethering and probably will just use it from Verizon.

Related

[How to] Disable CarrierIQ on the Atrix 2

I am posting this in the Developer forum because it is still a little more than an inexperienced user can handle at the moment, and the potential to get into a bootloop is a little higher if you are not familiar with what you are doing here.
If you are at all new to / uncomfortable with Android, UNIX/Linux, this phone, or adb, then: PLEASE DON'T TRY THIS AT HOME.
If you get into a bootloop I am not responsible for this, nor is this the place to complain if that happens. You can ask for support here though if this process has caused that.
If you do get into a bootloop, then try and help me out, with providing as much info as possible with what happened (any output or screen prints are VERY helpful). I am also posting the original /system/etc/init.goldfish.sh file here AT THE BOTTOM OF THIS POST. That way if it does all go wrong it is here to grab. So don't go asking for it someplace else, or even asking here for it.
You have been warned!
Now with that out of the way, on to the good stuff.
1) Go grab some kind of bloat freeze program from the market. I have used Bloat Freezer from the market with great success.
Just download and install it; don't run it just yet. If you already have, and have frozen the "Device Health Application", then unfreeze it and reboot before doing the next step.
It is VERY important that it is done in EXACTLY this order. The reason is, if the Device Health program is frozen when you let the init script run, it will not work exactly as it should and these services will restart, since part of it is frozen when it first runs, and it all has to be disabled in the proper way so that it cannot be restarted remotely, or we will HAVE to use cron to run checks. Cron is an elaborate hack I don't want to have to do unless we HAVE to. If you do it in the exact order noted here, cron will not be needed and this will not restart.
2) Go get the init.goldfish.sh file from http://dl.dropbox.com/u/45576654/init.goldfish.sh.tar
push this tarball to your phone:
Code:
adb push init.goldfish.sh.tar /data/local/
End code
Now is the command line part of this hack.
Code:
adb shell
su
# the mount option is one token: no space after the comma
mount -o remount,rw /system
cd /data/local
tar -xvf init.goldfish.sh.tar
# keep a copy of the stock script on the sdcard before overwriting it
cp /system/etc/init.goldfish.sh /sdcard/init.goldfish.sh
cp ./init.goldfish.sh /system/etc/init.goldfish.sh
chown root /system/etc/init.goldfish.sh
chmod 550 /system/etc/init.goldfish.sh
mount -o remount,ro /system
reboot
End code
Now when your phone comes back up:
3) Open your bloat freezer program and freeze the "Device Health Application"
Your phone will freak out, and tell you that Device Health has stopped and it will keep asking you to FC, all you can do is pull the battery.
Put the battery back in the phone and boot it up.
Now CarrierIQ should be 100% disabled on your Atrix 2.
As promised, here is the original /system/etc/init.goldfish.sh file in a tarball; just use the same code above to put this back in place.
DON'T USE ROOT EXPLORER TO COPY THESE FILES INTO PLACE!!!
Original /system/etc/init.goldfish.sh file:
http://dl.dropbox.com/u/45576654/init.goldfish.sh-orig.tar
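The manual copy sequence above has no verification step: a truncated download or a failed cp leaves you with a broken init script and a bootloop, which is exactly the failure the post warns about. The script below is an added example, not from the original post or from Jim's tarball: it wraps the same steps (back up the stock file, install the replacement, set mode 550 and root ownership, restore on demand) in functions that verify each copy by checksum and refuse an empty source. Paths are parameters, so you can rehearse it in a scratch directory before running it against /system; the device paths in the usage comment are the ones the post uses. It assumes sha256sum, sha1sum or cksum is available (cksum is POSIX and present in busybox/toybox).

```shell
#!/bin/sh
# Added example (not from the original post): verified install/rollback for
# a replaced /system/etc script. Rehearse in a temp dir, then run under `su`.

# Remount helpers, only meaningful on the device. Note the option string is
# "remount,rw" with no space after the comma.
remount_rw() { mount -o remount,rw "$1"; }
remount_ro() { mount -o remount,ro "$1"; }

# Portable checksum: prefer sha256sum, fall back to sha1sum, then POSIX cksum.
checksum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# backup_file DEST BACKUP_DIR: copy DEST to BACKUP_DIR/<name>.orig and record
# its checksum beside it, then confirm the backup matches the record.
backup_file() {
    dest=$1; bdir=$2
    mkdir -p "$bdir" || return 1
    name=$(basename "$dest")
    rm -f "$bdir/$name.orig"
    cp "$dest" "$bdir/$name.orig" || return 1
    checksum "$dest" > "$bdir/$name.orig.sum"
    [ "$(checksum "$bdir/$name.orig")" = "$(cat "$bdir/$name.orig.sum")" ]
}

# install_file SRC DEST: install SRC over DEST, verify the copy, apply the
# post's permissions. Refuses an empty source (a truncated download would
# otherwise replace init.goldfish.sh with nothing).
install_file() {
    src=$1; dest=$2
    [ -s "$src" ] || { echo "refusing to install empty file $src"; return 1; }
    # a previous install left DEST at mode 550; make it writable before copying
    if [ -e "$dest" ]; then chmod u+w "$dest" || return 1; fi
    cp "$src" "$dest" || return 1
    [ "$(checksum "$src")" = "$(checksum "$dest")" ] || { echo "copy verification failed"; return 1; }
    chmod 550 "$dest" || return 1
    # chown root only succeeds as root; on the device this runs under su
    if [ "$(id -u)" = 0 ]; then chown root "$dest" || return 1; fi
    [ -x "$dest" ]
}

# restore_file BACKUP_DIR NAME DEST: put the original back, but only if the
# backup still matches the checksum recorded when it was taken.
restore_file() {
    bdir=$1; name=$2; dest=$3
    [ "$(checksum "$bdir/$name.orig")" = "$(cat "$bdir/$name.orig.sum")" ] || {
        echo "backup checksum mismatch, not restoring"; return 1; }
    install_file "$bdir/$name.orig" "$dest"
}

# Device usage (paths from the post), inside `adb shell` after `su`:
#   remount_rw /system
#   backup_file /system/etc/init.goldfish.sh /sdcard/ciq-backup
#   install_file /data/local/init.goldfish.sh /system/etc/init.goldfish.sh
#   remount_ro /system
#   reboot
# To undo: remount_rw /system; restore_file /sdcard/ciq-backup init.goldfish.sh /system/etc/init.goldfish.sh
```

If install_file prints "copy verification failed", do not reboot: remount rw and run restore_file first, since a half-written init script is what produces the bootloop.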
The Jedi Master strikes again!
The force is strong in this one. Seriously Jim you absolutely amaze me. You are the Linux guru.
Sent from my MB865
Train us, he will.
Sent from my MB865 using Tapatalk
LOL....
Hopefully I have not scared everyone from trying this.... I just want to let all the newbies who just got this as their first Android phone yesterday, and rooted it today, and now think that this is a good hack to try, know that this is not the best thing for them just yet. It can and will bootloop the phone if you get too excited and don't follow the directions exactly... I got mine in a bootloop testing this all out and finding the exact steps, but it was not hard to get out of, because it gets into Android enough to let you adb in if you screw up...
quick question: Why would rooting followed by freezing not work for that application? I think I did that when I got the phone. I don't see anything called Device Health in my running or installed applications.
Is carrierIQ still running on my phone? Have you got a string I can look for in the 'ps' output in the Terminal to confirm? There are 100000 processes running on these phones these days, most with cryptic names.... I miss the G1 days....
devsk said:
quick question: Why would rooting followed by freezing not work for that application? I think I did that when I got the phone. I don't see anything called Device Health in my running or installed applications.
Is carrierIQ still running on my phone? Have you got a string I can look for in the 'ps' output in the Terminal to confirm? There are 100000 processes running on these phones these days, most with cryptic names.... I miss the G1 days....
No, just freezing the Device Health app only stops the collection process.
The part where you run the commands to stop the services in Android is where the data can and will be sent to CIQ or AT&T; there are other things collected that AT&T does not care much about (AT&T only wants what is collected with the Device Health app), and that goes straight to CIQ, so the services at the OS level are VERY important to stop. There is really not a way to see them running, but I have found that they can and will restart if my instructions are not followed 100%. To find out if CIQ is doing anything, take a look on YouTube; there is a video that explains how to look at the system logs and see what is being collected, if anything, and what is being sent out. After a lot of trial and error, I found this is the ONLY way to stop it 100%.
Hey Jim, sorry I've been out of the forums for so long on this. I was going to dig around my Atrix 2 and see what I could find wrt CarrierIQ. I got stuck on missing shell tools and you gave me some advice wrt paths and such. I was wondering if you could point me in the right direction for fixing up my env when I shell in? I also don't seem to have grep anywhere... odd.
You mentioned doing some of the destructive work in an emulator, and I would like to try the same thing, but I've no idea how to get the Atrix 2 ROM into an emulator. How did you accomplish this?
I followed the instructions above precisely and verified that my init.goldfish.sh is indeed modified correctly with the CarrierIQ stuff, and have suffered no ill effects. I have not, however, attempted to determine if CarrierIQ processes have stopped running. I did notice that after having frozen and unfrozen device.health.monitor a few times, it doesn't ever register as a running app... wonder what's up with that.
thanks for the help.
I was wondering....could this be made into a handy dandy flashable zip?
Then after flashing just freeze the app?
Sent from my MB865 using XDA App
tylercarter said:
I was wondering....could this be made into a handy dandy flashable zip?
Then after flashing just freeze the app?
Sent from my MB865 using XDA App
Yep, working on it, should have it up for download tomorrow.... It will also be in my rom.
Jim
Sent from my MB865 using xda premium
jimbridgman said:
Yep, working on it, should have it up for download tomorrow.... It will also be in my rom.
Jim
Sent from my MB865 using xda premium
Sent from my MB865 using xda premium
jimbridgman said:
Sent from my MB865 using xda premium
NICE! you really are a jedi master!
Who wants to be the first to try this out? I have created a flashable zip to disable CIQ on every boot, all you have to do is grab the file below:
http://dl.dropbox.com/u/45576654/NoCIQ.zip
Then with CWM, flash it; don't wipe anything, except maybe Dalvik cache, but nothing else. This will only flash one file to your phone.
You will still have to freeze the device health app as in the OP.
This is just a test right now, once someone other than me tests this, and reports back, that all is great, then I will update the OP, to this method.
jimbridgman said:
Who wants to be the first to try this out? I have created a flashable zip to disable CIQ on every boot, all you have to do is grab the file below:
http://dl.dropbox.com/u/45576654/NoCIQ.zip
Then with CWM, flash it; don't wipe anything, except maybe Dalvik cache, but nothing else. This will only flash one file to your phone.
You will still have to freeze the device health app as in the OP.
This is just a test right now, once someone other than me tests this, and reports back, that all is great, then I will update the OP, to this method.
It said switch to Edify scripting. Installation aborted. Something about Gingerbread CWM 3. Not sure; never seen this before. I checked the zip and it has 2 updater scripts; one just has a ~ at the end. I know nothing of code but just trying to help.
Sent from my MB865 using XDA App
jimbridgman said:
Who wants to be the first to try this out? I have created a flashable zip to disable CIQ on every boot, all you have to do is grab the file below:
http://dl.dropbox.com/u/45576654/NoCIQ.zip
Then with CWM, flash it; don't wipe anything, except maybe Dalvik cache, but nothing else. This will only flash one file to your phone.
You will still have to freeze the device health app as in the OP.
This is just a test right now, once someone other than me tests this, and reports back, that all is great, then I will update the OP, to this method.
Tried this. No go. Here is the error in CWM.
Installing Update...
Amend Scripting (update0script) is no longer supported.
Amend Scripting was deprecated by Google in Android 1.5.
It was necessary to remove it when upgrading to the ClockworkMod 3.0 Gingerbread based recovery.
Please switch to Edify scripting (updater-script and update-binary) to create working update zip packages.
Installation Aborted.
There ya go. Hope this helps.
holeshot77 said:
Tried this. No go. Here is the error in CWM.
Installing Update...
Amend Scripting (update0script) is no longer supported.
Amend Scripting was deprecated by Google in Android 1.5.
It was necessary to remove it when upgrading to the ClockworkMod 3.0 Gingerbread based recovery.
Please switch to Edify scripting (updater-script and update-binary) to create working update zip packages.
Installation Aborted.
There ya go. Hope this helps.
He's working on it. Won't be much longer.
Why not use the app by TrevE?
Sent from my MB865 using xda premium
1.18.12 said:
Why not use the app by TrevE?
Sent from my MB865 using xda premium
That does not perform the hack, only detects if it is running. The Voodoo CIQ detection app works much better though.
Jim
Sent from my MB865 using xda premium
I just rooted my phone, applied the hack and used Titanium Backup to freeze the Device Health App but I didn't see any FC.
Although when I opened Ti Backup, it told me that my su rights are wrong. They are 4755 instead of 6755 or something like that, and TiBu told me that it would fix it. I fixed it, then froze the app, and no FC or nothing. Phone is running fine but not sure if it worked.
Is it really necessary for the app to FC in order to show that it worked?
Should I try it all over again?
Thank you.
noobsquared said:
I just rooted my phone, applied the hack and used Titanium Backup to freeze the Device Health App but I didn't see any FC.
Although when I opened Ti Backup, it told me that my su rights are wrong. They are 4755 instead of 6755 or something like that, and TiBu told me that it would fix it. I fixed it, then froze the app, and no FC or nothing. Phone is running fine but not sure if it worked.
Is it really necessary for the app to FC in order to show that it worked?
Should I try it all over again?
Thank you.
Go download and install this, and it will show you if it (CarrierIQ) is active or not.
https://market.android.com/details?id=org.projectvoodoo.simplecarrieriqdetector&hl=en

One click root app!

Hello guys, as you know, the latest one-click root that worked on the Transformer was SparkyRoot. Well, with the newest EeePad update (9.2.1.21), it is impossible to root without a PC. Well, I have completely cracked the EeePad code. You will be amazed with the options included in my new one-click root app. Try it and see for yourself! (Also works on TF201 and SF101 Slide.) Here is the download link. http://depositfiles.com/files/jp4hcc5ze
That's great to hear. Too bad I'm already rooted so I can't try it.
Should make it easy for those needing to root if it work.
Didn't work. SetCPU and Titanium Backup didn't work.
Sent from my Transformer TF101 using Tapatalk 2
First off, thanks for giving it a go.
Looking forward to hearing some solid reports.
You might want to put a little more detail into your OP,
as your post count is not up and your other threads are still fairly new.
I am looking at picking up a new TF B60 next week and if this works as it should, of course I will be willing to give it a go.
Sent from my Transformer TF101 using Tapatalk
Yes, there are problems with it. It seems to give partial root access, but not full root. I am working hard to fix the bugs. For some reason, root apps aren't detecting the root, but I was able to edit system files with no problems. The undetected installation for apps works, and transforming the tablet into Linux and Mac work. For some reason, Windows is glitching up. Any ideas on how to get apps to detect root?
When I see partial root, usually the su is not getting installed to system/xbin but it is in system/bin. See that with OTA RootKeeper sometimes.
Any movement or progress on this?
Sent from my SGH-I897 using XDA
baseballfanz said:
When I see partial root, usually the su is not getting installed to system/xbin but it is in system/bin. See that with OTA RootKeeper sometimes.
Can you move it manually via terminal from bin to xbin? If so does that get you a full root?
Sent from my PG41200 using Xparent Purple Tapatalk 2
bsoplinger said:
Can you move it manually via terminal from bin to xbin? If so does that get you a full root?
Sent from my PG41200 using Xparent Purple Tapatalk 2
I don't know how this app works, but with OTA RootKeeper you can copy su from system/bin to system/xbin and that solved it most of the time.
There are still bugs in this app. I am working hard to fix them. The su is in xbin, but still not full access. I heard undetected installation is known to glitch up and corrupt files. Maybe I need to remove undetected installation and do normal installation. But when you do normal installation for Superuser (through the app) it says "There was a problem parsing the package". Maybe use an alternative package installer?
Have you gotten any further in developing your app?
Yes, I got the Windows transformation working. Few apps are detecting root, though. Screenshot apps detect it, and a few root managers work as well. Most aren't detecting it, though. Also, syncing files doesn't work...
I have my one-click done, it's in my sig and called PERI.
Uses symlinking as found by wolf to grant root.
I'll be making an on tf app too soon. This is all completely open source and 100% working on the 3 tf101 based tfs. You can take a look at the code if you like, it's very simple.
Yes, I am familiar with PERI. PERI isn't an app, though. My Asus Root Menu is a one-click from the device; no PC required.
The commands can be run on-TF, and I'm in the process of developing an app to put on the TF right now. Should work with 100% success. Then finally out of beta. If you need any assistance with building yours too, I'm willing to help.
EDIT:
--
And dude, you're running into problems, I almost GUARANTEE, because you're using Andromo. Those 'make apps, no coding required' WYSIWYG tools are total junk. Code it the old-fashioned way :]
What method are you using to root? I couldn't find any actual commands that are run by your app, just a bunch of invoke pages to text with nothing really attached to it except some ads stuff. I apologize if I missed it.
And how in the world did you get Linux/Mac and Windows 7 on there if the APK is only ~276KB? A system image installer for the Ubuntu ARM image maybe, but there isn't an image for Windows or Mac (and both are closed-source).
--
Superuser needs to be flashed via recovery/bootloader/adb in a non-locked environment. This is probably where the "problem parsing package" error comes from.
--
Has anyone besides the OP gotten this to work even partially?
Yes, it has partially rooted a few people, and some people got full root. I have received many PMs about it. How is your app coming along?

Kyocera DuraForce Super Thread

Welcome to the Kyocera DuraForce super thread
There isn't much information floating around for the DuraForce and I've created this thread to aggregate information as it's found so we have a single place for useful information, hacks, etc.
I'll keep the thread as up to date as possible and organize any information from future posts into the originals so people can find information easier.
There is a Lollipop update available for the device as of early February, 2016. I have found a way for users to update if the OTA fails (see below). I've also updated the below posts with information regarding the Lollipop update and moved the KitKat notes to another location (link for old notes is below)
OTA - lmy47v1218_2217
For those who are having trouble applying a FOTA on the DuraForce, check /cache/fota/xyz_fotalog_123.dat It's a text file that contains a lot of really good info on what is going on during a FOTA. Including errors. Keep a look out for signature mismatch errors.
I had errors with the following files. Took me a few tries to get the OTA applied as each attempt resulted in one error.
Uninstall Xposed (moar hacks)
/system/usr/keylayout/gpio-keys.kl (disable PTT/Speaker buttons)
/system/etc/permissions/platform.xml (sd card "fix")
If trying to address the issues manually does not work, follow the procedure below.
Download "vanilla" system image from HERE (link)
Extract zip file
Ensure at least 2 GB of storage is available for internal data
adb push mmcblk0p21_KVT49L_0617_0132 /storage/sdcard0/
adb shell
su
dd if=/storage/sdcard0/mmcblk0p21_KVT49L_0617_0132 of=/dev/block/mmcblk0p21
Reboot phone once it completes. It will take awhile and not report anything during the process.
After phone boots, run "adb reboot recovery"
Wipe data / factory reset
Wipe cache
Reboot
Run software update
General Notes - Lollipop
Force Reboot: Pwr + Vol Up + Vol Dn + Back + Home + App Switcher buttons for ~10-30 seconds
Root: Use KingRoot from http://king-root.net/ -- I used the android APK successfully
SD cards bigger than 32 GB still do not work correctly on stock firmware
Known Working Customizations
To be determined
KitKat Notes
All previous notes for KitKat have been moved to a document in box. The notes can be found HERE (link)
Sources / Mirror(s)
The OSS drop is available on Kyocera's developer site: http://www.kyoceramobile.com/support/developers/
Misc file mirror: https://nuskunetworks.box.com/s/p5hwq3hboctl0saze0wkcv3jzfefuw45
Do you trust Kingo?
I'm THRILLED to hear you were able to root and freeze all the AT&T crapware. I can't wait to do the same. But how do you feel about Kingo? I'm almost leaning more to keeping the bloat, kind of the devil you know, you know?
kemonine96 said:
Welcome to the Kyocera DuraForce super thread
There isn't much information floating around for the DuraForce and I've created this thread to aggregate information as it's found so we have a single place for useful information, hacks, etc.
I'll keep the thread as up to date as possible and organize any information from future posts into the originals so people can find information easier.
If you're looking for root, look no further than Kingo. I can confirm the Windows version of Kingo is working on the AT&T variant of the DuraForce.
tomzweifel said:
How do you feel about Kingo?
I've used it a few times over the last year and can only complain it does a sloppier job compared to SuperSU. Every pre-canned root wants to crap all over /system and none is better than the other so long as you get the su binary in a working state IMHO. I know Kingo is harder to clean up after than SuperSU / others but it's a hell of a lot easier to just use Kingo to root and cleanup after. Stacking root exploits and similar like Kingo is doing is a huge PITA and best left to those specializing in such things.
tomzweifel said:
I'm almost leaning more to keeping the bloat, kind of the devil you know, you know?
Fair enough, I was able to replace Kingo with SuperSU pretty easily:
Install SuperSU from Play Store
Run SuperSU and update su binary via "Normal" mode
Authorize SuperSU when Kingo prompts
Allow SuperSU to replace su binary
Freeze/Remove Kingo
Reboot and enjoy SuperSU
Optional: cleanup other Kingo remnants
Components to clean up?
Any chance you can steer me towards the "remnants" that need to be cleaned up and where to find them, just to make sure I get it all? I'm probably going to go through this exact process tonight or tomorrow.
Thanks for the information!
kemonine96 said:
I've used it a few times over the last year and can only complain it does a sloppier job compared to SuperSU. Every pre-canned root wants to crap all over /system and none is better than the other so long as you get the su binary in a working state IMHO. I know Kingo is harder to clean up after than SuperSU / others but it's a hell of a lot easier to just use Kingo to root and cleanup after. Stacking root exploits and similar like Kingo is doing is a huge PITA and best left to those specializing in such things.
Fair enough, I was able to replace Kingo with SuperSU pretty easily:
Install SuperSU from Play Store
Run SuperSU and update su binary via "Normal" mode
Authorize SuperSU when Kingo prompts
Allow SuperSU to replace su binary
Freeze/Remove Kingo
Reboot and enjoy SuperSU
Optional: cleanup other Kingo remnants
tomzweifel said:
Any chance you can steer me towards the "remnants" that need to be cleaned up and where to find them, just to make sure I get it all? I'm probably going to go through this exact process tonight or tomorrow.
Thanks for the information!
Unfortunately I don't have notes on what Kingo leaves around on /system... Some searching online or poking about /system should yield results.
New OTA Update
I just got notified of an available OTA update but I can't find a changelog or any info on it yet. I'll be sure to post it if I find it.
tomzweifel said:
I just got notified of an available OTA update but I can't find a changelog or any info on it yet. I'll be sure to post it if I find it.
Click to expand...
Click to collapse
Please do. I haven't gotten any notifications yet and I'm kinda curious what the OTA will contain.
http://www.att.com/esupport/article.jsp?sid=KB426870&cv=820
Software update includes
Kyocera Remote Lock
Miscellaneous improvements, fixes, and security updates
Dkesler76 said:
http://www.att.com/esupport/article.jsp?sid=KB426870&cv=820
Software update includes
Kyocera Remote Lock
Miscellaneous improvements, fixes, and security updates
Thanks for the heads up. Too bad it's not L.
kemonine96 said:
Thanks for the heads up. Too bad it's not L.
np, yeah, I wished it was too, lol... Seems that my phone won't take the OTA. I did delete the bloatware... probably why it won't update. Do you know how to force the OTA, or do you know where I can get the APKs to reinstall them to update it? ty, Dan
Dkesler76 said:
np, yeah, I wished it was too, lol... Seems that my phone won't take the OTA. I did delete the bloatware... probably why it won't update. Do you know how to force the OTA, or do you know where I can get the APKs to reinstall them to update it? ty, Dan
I managed to free up some time this weekend and I'm going to be pulling the OTA and seeing what I can do for re-packing it for those of us who are rooted and/or de-bloated.
Will post back with more info after I've had some time to poke at the OTA some.
Edit 1: Looks like this has patches for system and boot. /cache/delata looks like the directory where everything was downloaded. Hopefully binwalk and some other tools will yield useful information on what's contained within.
Edit 2: Looks like I was able to install the OTA despite being rooted. I'm waiting for 1st boot to verify root persisted and I'm also working on mirroring a number of partitions that can be used to "go back" to stock as well as images for updated partitions post-OTA.
Dkesler76 said:
np, yeah I wish it was too lol... seems that my phone won't take the OTA. I did delete the bloatware... probably why it won't update. Do you know how to force the OTA, or do you know where I can get the APKs to reinstall them to update it? ty, Dan
I managed to get a stock boot and system partition uploaded today that you should be able to use to restore the de-bloated apps. The image is here
You can use a Linux machine (or other methods) to extract the APKs and put them back, or use BusyBox + dd to restore the contents of the partition (you may need to re-root if writing the partition using dd). There are some good guides on XDA and elsewhere on how to restore a partition image on an Android device.
Edit: The posted file is for an ATT device
Good news everybody! The ATT OTA doesn't remove root and can be installed as-is provided you've not de-bloated the ROM or installed Xposed. If you've de-bloated (see below) you'll need to restore the missing bloatware and if you've installed Xposed, you'll need to uninstall it prior to applying the OTA.
In one of the early OP's there's a link to the "misc file mirror" that contains partition images for boot and system partitions. These are from an ATT device and can be used to restore back to a state that'll allow the OTA to apply.
Happy hacking and OTAing everyone.
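A checked dump/restore routine for the partition-image step kemonine96 describes, added here as an example; it is not part of that post or of the mirrored files. It assumes a root shell on the phone (su), that busybox or toybox provides dd and sha256sum, and that the caller supplies the device's real by-name block path; the hash comparison after each dd catches the usual silent failures (wrong path, short read, a write that never landed).

```shell
#!/system/bin/sh
# Added example, not from the thread: dump a partition to an image, restore it,
# and verify both directions with SHA-256 so a silent dd failure is caught here
# instead of at the next boot. Both dd steps need a root shell on the phone, and
# the block-device path is device specific (the by-name symlink under /dev/block).

sha_of() {
    # SHA-256 of a file or block device (busybox/toybox sha256sum).
    sha256sum "$1" | cut -d' ' -f1
}

dump_partition() {
    # dump_partition <block-device> <image-path>
    # Returns 0 only if the image hashes the same as the source.
    src="$1"; img="$2"
    [ -r "$src" ] || { echo "cannot read $src (not root, or wrong path?)" >&2; return 1; }
    dd if="$src" of="$img" bs=4096 2>/dev/null || { echo "dd from $src failed" >&2; return 1; }
    [ "$(sha_of "$src")" = "$(sha_of "$img")" ] || { echo "hash mismatch after dump" >&2; return 1; }
    return 0
}

restore_partition() {
    # restore_partition <image-path> <block-device>
    # Assumes the image is a full dump of the same partition; verifies the
    # device hash after the write and a sync.
    img="$1"; dst="$2"
    [ -w "$dst" ] || { echo "cannot write $dst (not root, or wrong path?)" >&2; return 1; }
    dd if="$img" of="$dst" bs=4096 2>/dev/null || { echo "dd to $dst failed" >&2; return 1; }
    sync
    [ "$(sha_of "$img")" = "$(sha_of "$dst")" ] || { echo "hash mismatch after restore" >&2; return 1; }
    return 0
}

# Usage (as root on the phone):
#   sh partimg.sh dump    <system-block-device> /sdcard/system.img
#   sh partimg.sh restore /sdcard/system.img   <system-block-device>
case "${1:-}" in
    dump)    dump_partition "$2" "$3" && echo "dumped $2 to $3" ;;
    restore) restore_partition "$2" "$3" && echo "restored $2 to $3" ;;
esac
```

Restoring /system this way puts the stock bloatware back so the OTA applies; re-root afterwards if the image predates your su install.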
kemonine96 said:
I managed to get a stock boot and system partition uploaded today that you should be able to use to restore the de-bloated apps. The image is here
You can use a Linux machine (or other methods) to extract the APKs and put them back, or use BusyBox + dd to restore the contents of the partition (you may need to re-root if writing the partition using dd). There are some good guides on XDA and elsewhere on how to restore a partition image on an Android device.
Edit: The posted file is for an ATT device
Weird, I tried dd and BusyBox and no go, not showing up on device.
Dkesler76 said:
Weird, I tried dd and BusyBox and no go, not showing up on device.
What isn't showing up?

AdBlocking on Rooted Z5

Hi,
A while back I rooted my phone because I had had enough of missing out on Xposed modules and had had enough of all the ads! When did Android become so riddled with adverts? (I know it's not Android itself, before you say anything.)
Anyway, I managed to root my phone using the methods highlighted in the forum. I've got Xposed working perfectly but I am still seeing adverts in apps and on web pages. Correct me if I'm wrong, but I should be able to hide these now. I've come from a Galaxy S4 which I had rooted from day 1, so I never saw a single advert (in-app or web page), but now on my rooted Z5 I am still seeing a lot. Many apps (BaconReader for example) have had the ads in there hidden, but many still persist.
I've tried all the options I can see to be available to me
In no particular order, and never installed at the same time in case they conflict.
- Adaway (this errors when applying the host file saying the copy failed)
- Adblock plus (app not browser)
- Adfree (this is what I used on my S4)
- MinMinGuard (tried different modes on this one and still no luck and no errors to speak of)
None of them error apart from AdAway.
Have any of you guys got a totally adfree experience on the Z5? If so how have you managed this?
I am using Adguard, it costs $8 a year. That's almost free I think.
I just installed AdAway, the host file applied fine as far as I can tell (haven't rebooted).
Did you make sure you have a kernel that disables RIC, or disable it yourself in a terminal emulator?
Sent from my E6683 using Tapatalk
Funkmasterchilla said:
I am using Adguard, it costs $8 a year. That's almost free I think.
Thanks. I am aware of that option as it's what I was using before I rooted. (free version)
Not that $8 is a lot I don't see the point in paying for something when I can get a permanent solution for $0 so I'd like to know why the host method isn't working on my current setup.
Is there anybody with a rooted Z5 that has blocked all adverts using the host modification method?
TimDawg said:
Thanks. I am aware of that option as it's what I was using before I rooted. (free version)
Not that $8 is a lot I don't see the point in paying for something when I can get a permanent solution for $0 so I'd like to know why the host method isn't working on my current setup.
Is there anybody with a rooted Z5 that has blocked all adverts using the host modification method?
AdAway is working for me.
Like I said ensure you can remount /system as r/w.
Sent from my E6683 using Tapatalk
_Dennis_ said:
I just installed AdAway, the host file applied fine as far as I can tell (haven't rebooted).
Did you make sure you have a kernel that disables RIC, or disable it yourself in a terminal emulator?
Sent from my E6683 using Tapatalk
I used the kernel that is on the dirty root guide. I was meaning to use the AndroPlus one but didn't in the end. Flashing a new kernel doesn't affect any of the data on it, does it?
If I can disable RIC via terminal could you advise me how please. I've had a quick google and can't find anything.
Cheers
TimDawg said:
I used the kernel that is on the dirty root guide. I was meaning to use the AndroPlus one but didn't in the end. Flashing a new kernel doesn't affect any of the data on it, does it?
If I can disable RIC via terminal could you advise me how please. I've had a quick google and can't find anything.
Cheers
Thanks to @tobias.waldvogel for this. Use the following in a terminal emulator to disable RIC, will need to be done on reboot (you can make it a boot script if you know how.)
Code:
su
echo 0 > /sys/kernel/security/sony_ric/enable   # switch off Sony RIC for this boot
mount -o remount,rw /system                      # remount now succeeds
Sent from my E6683 using Tapatalk
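The same three commands wrapped with the checks a user wants when they "don't seem to work", added here as an example; this is not code from _Dennis_ or tobias.waldvogel. It assumes the sysfs node path quoted in the post and a root shell; SYSFS_ROOT and the optional mounts-table argument are additions so the logic can be tried without a Sony device. A missing node is reported as a warning (a kernel with RIC removed has no node at all); the real success test is whether /system is listed rw in /proc/mounts afterwards.

```shell
#!/system/bin/sh
# Added example, not from the thread: disable Sony RIC and remount /system rw,
# with explicit checks so a missing sysfs node or a still-read-only mount is
# reported instead of silently "working". SYSFS_ROOT is an assumption added so
# the functions can be exercised on a desktop; on the phone leave it at /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
RIC_NODE="$SYSFS_ROOT/kernel/security/sony_ric/enable"

ric_disable() {
    # ric_disable [node]; returns 0 if RIC is now off, 1 if the node is absent
    # (kernel without sony_ric, or not running as root), 2 if the write failed.
    node="${1:-$RIC_NODE}"
    if [ ! -e "$node" ]; then
        echo "no RIC node at $node (kernel without sony_ric, or not root?)" >&2
        return 1
    fi
    echo 0 > "$node" 2>/dev/null || { echo "cannot write $node (su denied?)" >&2; return 2; }
    [ "$(cat "$node")" = "0" ] || { echo "RIC still enabled after write" >&2; return 2; }
    return 0
}

mount_is_rw() {
    # mount_is_rw <mountpoint> [mounts-table]; 0 if the last entry for the
    # mountpoint in /proc/mounts carries the rw option.
    mp="$1"; table="${2:-/proc/mounts}"; state=1
    while read -r dev point fstype opts rest; do
        [ "$point" = "$mp" ] || continue
        case ",$opts," in *,rw,*) state=0 ;; *) state=1 ;; esac
    done < "$table"
    return $state
}

remount_system_rw() {
    mount -o remount,rw /system || return 1
    mount_is_rw /system
}

main() {
    rc=0; ric_disable || rc=$?
    [ "$rc" -eq 2 ] && exit 1
    [ "$rc" -eq 1 ] && echo "continuing anyway: a kernel with RIC removed has no node" >&2
    remount_system_rw || { echo "/system is still read-only; check su and the kernel" >&2; exit 1; }
    echo "/system is writable (until the next reboot)"
}

# Usage on the phone: su -c 'sh ric-rw.sh apply'
case "${1:-}" in apply) main ;; esac
```

If the node is missing and the remount still fails, the kernel is not the problem; the su binary or its permissions are, which matches the "not totally rooted" symptom later in this thread.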
See MOAAB (mother of all ad block) in Android Development and Hacking. Costs 0 bucks and blocks hosts. That's the best if you are rooted bro
_Dennis_ said:
Thanks to @tobias.waldvogel for this. Use the following in a terminal emulator to disable RIC, will need to be done on reboot (you can make it a boot script if you know how.)
Code:
su
echo 0 > /sys/kernel/security/sony_ric/enable   # switch off Sony RIC for this boot
mount -o remount,rw /system                      # remount now succeeds
Sent from my E6683 using Tapatalk
I get an error saying no such directory. If I try to create it manually it fails...
TimDawg said:
I get an error saying no such directory. If I try to create it manually it fails...
It worked for mine....
You did it one line at a time? And approved super user for the terminal emulator?
Sent from my SM-T710 using Tapatalk
_Dennis_ said:
It worked for mine....
You did it one line at a time? And approved super user for the terminal emulator?
Sent from my SM-T710 using Tapatalk
yep one line at a time.
It's almost like my phone isn't totally rooted. I can do a lot of things that require root. If I try to create any folder inside /sys it fails.
TimDawg said:
yep one line at a time.
It's almost like my phone isn't totally rooted. I can do a lot of things that require root. If I try to create any folder inside /sys it fails.
What super user app do you use? How was it installed?
_Dennis_ said:
What super user app do you use? How was it installed?
SuperSU and it was installed via ADB
I think I must have messed up the kernel install somehow.
I'm busy tomorrow and not risking anything tonight so I'll give a fresh kernel a go on Monday. Already looking at AndroPlus kernels and there are a lot of options now. Enforcing and Permissive. I'm sure a Google will let me know what the difference is though.
TimDawg said:
SuperSU and it was installed via ADB
I think I must have messed up the kernel install somehow.
I'm busy tomorrow and not risking anything tonight so I'll give a fresh kernel a go on Monday. Already looking at AndroPlus kernels and there are a lot of options now. Enforcing and Permissive. I'm sure a Google will let me know what the difference is though.
Probably your best bet. Sorry I couldn't be of any help.
Sent from my E6683 using Tapatalk
How did you root your Z5?
luisfillipe said:
How did you root your Z5?
I used the method for Z5 dual SIM posted in the dirty root thread in development section. There are other simpler methods for the regular Z5, again in development section. It requires bootloader unlocks for all of them and that causes you to lose some Sony DRM keys.
Sent from my SM-T710 using Tapatalk
I tried Adblock since I'm not rooted, but it occasionally drains battery in sleep mode so I removed it.
I've always used Lucky Patcher for that. It has hosts blocking as well as disabling google ad modules inside apps, making everything clean and bull$hit free.
Gotta say I was starting to get a bit pissed off with how much more complicated it is to root this phone than any other Android phone I've tried to do in the past...
so I came to the assumption that I'm supposed to be booting into recovery and installing the zip through there like I used to do to install ROMs on my older android phones.
I've flashed a few AndroPlus kernels and no luck. One of them left me stuck in bootloop which I let go around roughly 10 times until I decided it was getting nowhere. I did eventually manage to get one installed without a bootloop.
I wanted to know what Kernel I was running so I installed 'Kernel Adiutor' which required BusyBox to be installed alongside it. I found I was unable to install BusyBox which I guess was caused by the same thing causing all my other issues.
I've tried going through this whole over-complicated process again and I hit a problem when trying to execute these two lines:
Code:
adb shell mount /dev/block/platform/soc.0/by-name/system /system
adb shell mount /dev/block/platform/soc.0/by-name/userdata /data
I read through everything I could find again to see if I could work out what was going on. While looking for this I came across this line of code:
Code:
fastboot flash boot boot.img
which is to be run if you want to flash the kernel via adb. (you need to extract the zip provided by AndroPlus)
Once this line had been executed I booted up again and was able to install BusyBox which let me see which kernel I had which showed AndroPlus (v3 incase you're interested) so I then tried AdAway again.
BINGO
Only thing is on some websites, particularly xda there is still a gap showing where the Advert would be displayed if not blocked. This I can live with.
I can't believe how much more complicated this phone is to root compared to my HTC Desire, Galaxy S2 & S4. All of them were: plug phone in, click a few times and the job's done. Is there a reason this hasn't been done for the Z5?
Just want to say thanks to all that have tried to help.
Thanks to AndroPlus for his kernel which has sorted me out.
Not so much thanks to Sony as this whole process has put me off ever getting another Sony phone. Mainly the fact I've lost some functionality what with having to unlock the bootloader. Overall I'm happy though.
Cheers

Temporary root shell for developers on locked bootloaders.

Hello All! I am me2151.
I am here to tell you some kind of good news.
We have achieved a temporary root shell using a modified recowvery script. Originally Recowvery installed a custom "recovery" but I have modified it to instead create a temporary root shell using the System_Server SELinux context and disable the flashing portion of the script. Yes we are still limited until we can get Kernel or Init context but I am working on that as well.
This exploit will be useful down the line because of one major thing. WE CAN INSERT KERNEL MODULES!!! But they need to be signed. So I am releasing this out here so we can take the next step into our full root! We also have rw to the /data partition and changes save over a reboot.
If we can get someone to sign a kernel module that the system accepts we can set SELinux to permissive.
This exploit SHOULD work for all variants.
NOTE: This should only be used by devs who know what they are doing.
Instructions(this should work on MacOS and Linux only!):
Download linked file below.
Extract to either adb directory OR a directory you have adb access in.
Give execute permissions to temp.sh.
Run temp.sh.
When you are all done with your exploring and stuff type "Reboot" to reboot normally.
https://drive.google.com/open?id=0B8CP3g3AqMuHcmNJUUJWLUJUelE
Credit:
 @jcadduono - For recowvery, and pointing me in the right direction on IRC.
 @brenns10 - Wrote the lsh used in the exploit to spawn the shell.
The group over here for ideas and solutions.
Very cool work! Glad to see people putting my shell (such as it is) to good use. Wish I had a V20 to try it out
I don't think you'll ever be able to sign a kernel module (SHA512 hash). You'd probably have better luck signing your own boot image.
Here's a theory to toy with:
I think the way to do it would be to gain read access to /init binary allowing you to dirtycow /init with the same init binary but change a very specific (but not vital to system integrity) set of instructions to point back to the setenforce code with a value of 0 without disturbing the rest of the binary/instructions. This way, init should continue running without crashing and taking down the whole system, and you can do something that might trigger that specific instruction set - which would then result in selinux becoming permissive.
This is beyond me, unfortunately. This method would also be very device specific until someone also finds an intelligent way to read init, modify instructions, then dirtycow it back.
I think system server context might be able to read init?
Once you get your permissive selinux, you'll also have to deal with Unix capabilities limitations (find a way around them).
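A triage script for a restricted root shell like the one me2151 describes, added here as an example; it is not part of the recowvery script or the linked archive. It reads only standard procfs/sysfs files: the SELinux context and enforcing state, the modules_disabled and sig_enforce knobs that decide whether an unsigned module could ever load, and the effective capability mask that jcadduono's remark about Unix capabilities refers to. The bit numbers come from the kernel's linux/capability.h; the optional file arguments are assumptions added so the parsing can be checked against a saved status file.

```shell
#!/system/bin/sh
# Added example, not from the thread: find out what a shell running in a
# confined SELinux domain (system_server, say) can actually do before spending
# time on it. All paths are the standard Linux/Android procfs/sysfs locations;
# the optional file arguments exist so the parsers can be run on saved copies.

cap_name() {
    # Capability bit -> name, for the bits that matter for "full root" work.
    # Numbers are from linux/capability.h.
    case "$1" in
        1)  echo CAP_DAC_OVERRIDE ;;
        7)  echo CAP_SETUID ;;
        16) echo CAP_SYS_MODULE ;;
        17) echo CAP_SYS_RAWIO ;;
        19) echo CAP_SYS_PTRACE ;;
        21) echo CAP_SYS_ADMIN ;;
        27) echo CAP_MKNOD ;;
        32) echo CAP_MAC_OVERRIDE ;;
        33) echo CAP_MAC_ADMIN ;;
        *)  echo "CAP_$1" ;;
    esac
}

cap_has() {
    # cap_has <hex mask as printed in CapEff> <bit>; 0 if the bit is set.
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

cap_eff_mask() {
    # Effective capability mask from /proc/<pid>/status (default: this shell).
    sed -n 's/^CapEff:[[:space:]]*//p' "${1:-/proc/self/status}"
}

missing_caps() {
    # Names of the capabilities of interest that are NOT in the mask.
    mask="$1"; out=""
    for bit in 1 7 16 17 19 21 27 32 33; do
        cap_has "$mask" "$bit" || out="$out $(cap_name "$bit")"
    done
    echo "${out# }"
}

selinux_mode() {
    # enforcing / permissive / unknown, from /sys/fs/selinux/enforce.
    f="${1:-/sys/fs/selinux/enforce}"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in 1) echo enforcing ;; 0) echo permissive ;; *) echo unknown ;; esac
}

triage() {
    echo "uid/context        : $(id) / $(cat /proc/self/attr/current 2>/dev/null)"
    echo "selinux            : $(selinux_mode)"
    # 1 means module loading is off for good; sig_enforce Y means unsigned
    # modules are rejected even with CAP_SYS_MODULE.
    echo "modules_disabled   : $(cat /proc/sys/kernel/modules_disabled 2>/dev/null)"
    echo "module sig_enforce : $(cat /sys/module/module/parameters/sig_enforce 2>/dev/null)"
    mask="$(cap_eff_mask)"
    echo "CapEff             : $mask"
    echo "missing caps       : $(missing_caps "$mask")"
}

# Usage inside the temporary shell: sh triage.sh triage
case "${1:-}" in triage) triage ;; esac
```

Even with uid 0, a mask missing CAP_SYS_MODULE or a sig_enforce of Y settles the kernel-module question immediately, and an enforcing SELinux state with a system_server context is what bounds the rest.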
jcadduono said:
I don't think you'll ever be able to sign a kernel module (SHA512 hash). You'd probably have better luck signing your own boot image.
Here's a theory to toy with:
I think the way to do it would be to gain read access to /init binary allowing you to dirtycow /init with the same init binary but change a very specific (but not vital to system integrity) set of instructions to point back to the setenforce code with a value of 0 without disturbing the rest of the binary/instructions. This way, init should continue running without crashing and taking down the whole system, and you can do something that might trigger that specific instruction set - which would then result in selinux becoming permissive.
This is beyond me, unfortunately. This method would also be very device specific until someone also finds an intelligent way to read init, modify instructions, then dirtycow it back.
I think system server context might be able to read init?
Once you get your permissive selinux, you'll also have to deal with Unix capabilities limitations (find a way around them).
If system_server can read init then that's a serious flaw... Question for you: you said it would be very device specific. Does that mean it's unique for each individual phone or each model?
EDIT:Unfortunately we only have access to the init.rc not the binary it self.
@jcadduono I appreciate your input and direction in this matter. Another idea we have been toying with is: we have the aboot, boot, recovery and system dump from the tmob variant. Would it be possible to make a .tot from that for our devices, changing the props to match our device, build, and carrier info? We can also pull APKs from /system/apps and /privapps to our ext sdcard.
@me2151, @jcadduono, @brenns10: Great work guys, keep it up. Good to see some people are trying for root. What model/s are being tested, or should this theoretically work on all models? Whilst you probably aren't doing it for the cash, there is a bounty I hope someone can claim soon, for a functional root alone (not boot unlock) posted on this board.
RoOSTA
roosta said:
@me2151, @jcadduono, @brenns10: Great work guys, keep it up. Good to see some people are trying for root. What model/s are being tested, or should this theoretically work on all models? Whilst you probably aren't doing it for the cash, there is a bounty I hope someone can claim soon, for a functional root alone (not boot unlock) posted on this board.
RoOSTA
It should work on all models. I personally use a sprint model(LS997). I think it MAY have been tested on VZW as well.
I can confirm that it works on H990DS
Sent from my MI PAD using XDA-Developers mobile app
We know from earlier LG phone releases that the laf partition when bypassed in some way (corrupted, etc) aboot will boot to fastboot when going into download mode. It was my thought that the bootloader could be unlocked from there. However corrupting laf eliminates device recovery. Catch-22.
I think the best way to proceed is to get a working .TOT first which is just a waiting game. That would ensure device recovery and replacing the bootloader in the .TOT and signing it with something unlockable.
This is a great way to explore the locked phones in the meantime, thanks.
ATT Pretty Please
me2151 said:
Hello All! I am me2151.
I am here to tell you some kind of good news.
We have achieved a temporary root shell using a modified recowvery script. Originally Recowvery installed a custom "recovery" but I have modified it to instead create a temporary root shell using the System_Server SELinux context and disable the flashing portion of the script. Yes we are still limited until we can get Kernel or Init context but I am working on that as well.
This exploit will be useful down the line because of one major thing. WE CAN INSERT KERNEL MODULES!!! But they need to be signed. So I am releasing this out here so we can take the next step into our full root! We also have rw to the /data partition and changes save over a reboot.
If we can get someone to sign a kernel module that the system accepts we can set SELinux to permissive.
This exploit SHOULD work for all variants.
NOTE: This should only be used by devs who know what they are doing.
Instructions(this should work on MacOS and Linux only!):
Download linked file below.
Extract to either adb directory OR a directory you have adb access in.
Give execute permissions to temp.sh.
Run temp.sh.
When you are all done with your exploring and stuff type "Reboot" to reboot normally.
https://drive.google.com/open?id=0B8CP3g3AqMuHcmNJUUJWLUJUelE
Credit:
@jcadduono - For recowvery, and pointing me in the right direction on IRC.
@brenns10 - Wrote the lsh used in the exploit to spawn the shell.
The group over here for ideas and solutions.
At the moment all I am using root for is to add a line within my build.prop to disable Tethering checks, so I can tether at full 4G speed and not get throttled. Would this be possible using the method above, or would build.prop immediately get replaced at the reboot?
Thanks, and keep up the good work!
NRadonich said:
At the moment all I am using root for is to add a line within my build.prop to disable Tethering checks, so I can tether at full 4G speed and not get throttled. Would this be possible using the method above, or would build.prop immediately get replaced at the reboot?
Thanks, and keep up the good work!
No. It is a TCP root shell that can only do a few things such as kernel modules. The only section we were able to write to and have it stick was the /data partition, which won't help you in this scenario.
elliwigy said:
No. It is a TCP root shell that can only do a few things such as kernel modules. The only section we were able to write to and have it stick was the /data partition, which won't help you in this scenario.
So if we can write to the data partition then in theory can we adb push to it using this? I ask because I'd like to install some tbo apps that normally would require flashing. But if we could push them we would be solid.
markbencze said:
So if we can write to data partition then in theory can we adb push to it using this? I ask because I'd like to install some tbo apps that normally would require flashing. But if we could push them we would be solid
Unfortunately it's a TCP shell, not a pure ADB shell, so we cannot push or pull to those directories.
Wow great progress keep up the good work. You guys are helping those assholes from LG sell more phones. Obviously some people have not made the switch because the lack of root. Root users are very influential leaders to get others to try out a new device.
Sent from my LG-LS997 using XDA-Developers mobile app
Works on the LG G5 also...
Hey guys, with the expectation of many that 'root is coming' to the other v20 models...are we likely to see the same type of root format that applied to the LG G4, where you have to (either) download or rip your own image to a PC. Use commands to insert root, then reflash to the device?
Any root is better than nothing, I know...but I ask because with the amount of software updates for the G4 (v10c software through to v10k before MM came out), meant the sheer amount of times you'd have to go through this process to keep your phone up to date whilst maintaining root was extremely frustrating - as it also meant xposed and related settings/apps needed to be reinstalled each time you performed an OTA update and re-flashed root.
Is this going to be a side effect of dealing with a locked bootloader? PS: If I sound dumb, it's probably because I am.
RoOSTA
roosta said:
Hey guys, with the expectation of many that 'root is coming' to the other v20 models...are we likely to see the same type of root format that applied to the LG G4, where you have to (either) download or rip your own image to a PC. Use commands to insert root, then reflash to the device?
Any root is better than nothing, I know...but I ask because with the amount of software updates for the G4 (v10c software through to v10k before MM came out), meant the sheer amount of times you'd have to go through this process to keep your phone up to date whilst maintaining root was extremely frustrating - as it also meant xposed and related settings/apps needed to be reinstalled each time you performed an OTA update and re-flashed root.
Is this going to be a side effect of dealing with a locked bootloader? PS: If I sound dumb, it's probably because I am.
RoOSTA
It shouldn't be an expectation, as we've made it clear we do not have root and are hitting hurdles. We have been advised we need to attack SELinux and/or the BL, but at this point we're wanting to try to use debug firmware which hopefully would allow a BL unlock.
Unfortunately nobody can create a .tot with the debug firmware at all, and there's no way at all to flash the images.
We need to somehow leverage an exploit to gain a temp ADB root shell before we could even attempt anything, and this has not been done in a way that's useful to us.
Unfortunately we need more experienced devs at this point.
LG Australia (and as such, Taiwan) have effectively confirmed their H990DS V20 mobile phone's bootloader is confirmed as being unlockable. However (and for no apparent reason) they will not confirm why one region has released a variant of the phone with the bootloader unlock and why they are refusing this to other phones/regions. Because of course, they have zero training and information about anything related to their company except for goods released in a specific region. That comes from a 'product expert'.
Titanium Backup
Howdy,
Just reading through the thread, I understand that it's not quite a "full" root, but would it be enough to run Titanium Backup? I'm hoping to move away from root access with my V20 but it would be really helpful if I could do it temporarily, restore some application and data backups, reboot and uninstall Titanium.
Tim
