Database Info

Am I rooted?

Hi, I got an unlocked UK Vodaphone Magic yesterday and after much reading around on the site decided to take the plunge and root my phone today. I followed the easy guide in the Wiki (Step 1) and flashed what I later read as to be the wrong rom for my phone but luckily it looks as though all is well. As far as I know everything went okay (no errors or anything My SPL thing said .0004 but now is .2005.)
The phone still boots fine as it did (maybe a little slower) but all functions still work okay. I downloaded a bluetooth app for sending and recieving on the marketplace but when I click the option to turn on recieving within the app, it says my phone is still required to be rooted. Is there an way I can test if it's definately rooted? I have tried a search, but can't seem to find anything relevant. Any help is appreciated, thanks.

**Just to add to this, one point when I was following the guide and got to step 12, after doing that I typed in "adb shell flash_image recovery /sdcard/recovery-new.img" in the command prompt, nothing happened to the phone and the command prompt line didn't say anything at all it just went to the next line so I could type again (at the same point it didn't mention any errors). Don't know if thats normal or not, but I tried it twice and carried on following the rest of the steps.

All normal Leviathon. Try this:
Note: To Test, Just Try Using CPU Overclocker Widget(Its Free) From The Market Before & After Using This... u ll Notice the Change
Steps:
1. Download The Install-Enable-SU-By-Sangeet.exe & Extract Any where By Double Clicking It.
New Fixed Download Link: http://android-latest-build-images.googlecode.com/files/Install-Enable-SU.exe
2. Connect Ur Phone Via USB Cable
3. Run The Install-Enable-SU .bat File.
4. Choose Appropriate options..
5. Rebooting Not Recommended...(UR WISH)

getting a device not found doing this
Looks like mine isnt rooted properly either, yet I can flash roms etc??? The cpu widget is giving an application error when trying to run it....

You can flash ROMs because you got root and then flashed a modified SPL. Unless the ROM you flash has root like the hero v1.1+ ROM then you have to get root again.

BrumBrum74 said:
All normal Leviathon. Try this:
Note: To Test, Just Try Using CPU Overclocker Widget(Its Free) From The Market Before & After Using This... u ll Notice the Change
Steps:
1. Download The Install-Enable-SU-By-Sangeet.exe & Extract Any where By Double Clicking It.
New Fixed Download Link: http://android-latest-build-images.googlecode.com/files/Install-Enable-SU.exe
2. Connect Ur Phone Via USB Cable
3. Run The Install-Enable-SU .bat File.
4. Choose Appropriate options..
5. Rebooting Not Recommended...(UR WISH)
Click to expand...
Click to collapse
Thanks for your help, just about to try the Enable-SU.exe thing. Can't find CPU Overclocker Widget on market place (search reveals nothing), tried another one called OverclockingWidget, but that won't work, because I need root.
Installed Enable-SU.exe fine, this allowed me to enable the recieving of bluetooth files, but whenever i recieve a file of any kind, it gets to 100% and then the phone resets itself? Seperatly from this, I thought I'd browse the superuser permissions icon to see what was in it, there was one thing with a + next to it which I clicked (thinking I could edit it or something) and now it's dissapeared, don't know if this matters or not.
Further EDIT - The more I'm reading the more confused I'm getting (it doesn't take me much), but I was trying to find something on the Wiki on how to flash a rom now (assuming my phone is rooted?) and I stumbled upon a link to the SPL file that I am now running, said something about flashing the radio first? That wasn't mentioned in the guide I followed, should I have done this? Also, If my phone is rooted, where do I go from here? I can't seem to find anything relating to how I now flash new roms apart from something in the Wiki about using the terminal app to gain root again? Sorry for all the questions, I'm sure I'm confusing things when they don't need to be.
My Fastboot Menu thingy reads like so :
Sapphire PVT 32B ENG S-OFF H
HBOOT-1.33.2005 (SAPP10000)
CPLD-10
RADIO-2.22.19.261
Apr 20 2009, 15:30:43

sammypwns said:
You can flash ROMs because you got root and then flashed a modified SPL. Unless the ROM you flash has root like the hero v1.1+ ROM then you have to get root again.
Click to expand...
Click to collapse
Cheers for response. Im confused some apps work and some give an application error. The ones that work a box pops up asking for root access which i allow and in superuser app it is logged in there. Am wondering why some apps arent working and some are? Is there a simple way to check root status from a terminal on the phone?
P.S am using nk02's ion r5 rom. Have also tried fatal1ty's hero v3 but flashed back to this.

Okay I think I've made some more progress in reading, when I took the steps to root my magic nothing was wiped by the way? (Photos, settings etc) Is that also normal? aside from the issues I'm having with the bluetooth rebooting after recieving files and not able to find the CPU overclocker. And this possible Radio issue, I want to try the Ion R5 rom and then later on try the Hero Black rom, so I just name the resulting zip as "update", enter the recovery menu (power on + home) and select update from the list and this will flash the new rom? If I then wanted to try a new rom later, I just do the same (rename the file to update) and re-flash it over the top? If someone could verify I'm on the right tracks or if this incorrect I would be eternally gratefull.

Hi, I've in cmd:
PHP:
uid=0<root> gid=0<root>
So I should be root, but some root-apps doesn't work...is this maybe because they're not ready for cupcake? e.g. OverclockWidget - doesnt't start!
Ah, I have the app "Overclock" I can set the MHz and looks like it works, but when i go back to the app, there are no MHz shown?! Mhhh...I am really root?

brianius said:
Hi, I've in cmd:
PHP:
uid=0<root> gid=0<root>
So I should be root, but some root-apps doesn't work...is this maybe because they're not ready for cupcake? e.g. OverclockWidget - doesnt't start!
Ah, I have the app "Overclock" I can set the MHz and looks like it works, but when i go back to the app, there are no MHz shown?! Mhhh...I am really root?
Click to expand...
Click to collapse
Is the app called "Overclock"? or "Open Overclock"? I just tried Open Overclock and that asked me for root access, the program runs (although I have not tried any of the settings because I dont know what I'm doing), but I would assume the phone is rooted if it prompts for root access to run and works? That's what I'm basing mine on anyway.

Leviathon said:
Is the app called "Overclock"? or "Open Overclock"? I just tried Open Overclock and that asked me for root access, the program runs (although I have not tried any of the settings because I dont know what I'm doing), but I would assume the phone is rooted if it prompts for root access to run and works? That's what I'm basing mine on anyway.
Click to expand...
Click to collapse
No it was: Overclock
I've tried OpenOverclock, but there's no hint or message that I have no root...but it looks not too good
Do you have the android sdk and adb installed? so you can check it by typing: "adb shell id" in cmd/shell. Check that the USB driver works with "adb devices".
And try SetCPU, it's MUCH BETTER!

brianius said:
No it was: Overclock
I've tried OpenOverclock, but there's no hint or message that I have no root...but it looks not too good
Do you have the android sdk and adb installed? so you can check it by typing: "adb shell id" in cmd/shell. Check that the USB driver works with "adb devices".
And try SetCPU, it's MUCH BETTER!
Click to expand...
Click to collapse
It says uid=0<root> gid=0<root>
USB works fine
I'll give Set CPU a try
EDIT - Have tried Set CPU, although I have no idea what I'm doing, what is some good safe settings?
I assume that I am deffo rooted then, so how would I use other roms now? Just rename them to update and use the boot menu thing to flash them?

Okay I read up on the CPU thing, tried all settings, doesn't seem to make any difference in speed to mine (even on max settings), i.e reading tweets with twitdroid is still pretty laggy - I guess it doesn't work with all models then?

[MOD] Tethering Fix for Rogers users running AT&T based ROMs

Seems the AT&T ROMs have some tether protection (entitlement check) built into them that does not exist on the Rogers ROMs. So if you are a Rogers user and have flashed an AT&T based ROM then you will need to make a change to your telephony database to be able to get tethering working.
This problem probably is not unique to Rogers and probably applies to anyone who is using an AT&T based ROM on a network other than AT&T. To apply this to a different carrier you will just need to change the APN, numeric, mcc and mnc values in step 5 to match your carrier values.
Update: Turge made a flashable zip to perform this update.
Just install the zip in recovery.
Flashable ZIP (thanks Turge):
http://forum.xda-developers.com/attachment.php?attachmentid=1145125&d=1340286308
------------------------------------------------------------------
Old Instructions:
1. Use a rooted filemanager (e.g. ES File Explorer) to backup the Telephony Database (/data/data/com.android.providers.telephony/databases/telephony.db) to a safe place (e.g. /sdcard/).
2. Download SQLite Installer for Root from the Market and open the app and install SQLite3
3. Open an adb shell
4. Type the following command in to open the telephony database:
su -c sqlite3 /data/data/com.android.providers.telephony/databases/telephony.db
5. This should have opened sqlite3. If it did then type the following command in to update the database:
INSERT INTO carriers (name, numeric, mcc, mnc, apn, authtype, type, insert_by, state, protocol, roaming_protocol, carrier_enabled, bearer) VALUES ("Entitlement","302720","302","720","ltemobile.apn","-1","entitle","internal","hidden","IP","IP","1","0");
6. To confirm that this has been applied you can type the following:
select * from carriers;
This should list all the carriers you have in your telephony.db and the one you just added should be at the bottom.
7. Type the following to quit sqlite3
.exit
8. Type the following to reboot your phone
reboot
When your phone reboots it will work with standard ICS/Sense tethering!

I tried to write an ADB script to do this but ran into problems with the INSERT command so I just wrote some instructions instead.
Someone more skilled at scripting could probably build an ADB script pretty easily I am sure.

cmaxwe said:
I tried to write an ADB script to do this but ran into problems with the INSERT command so I just wrote some instructions instead.
Someone more skilled at scripting could probably build an ADB script pretty easily I am sure.
Click to expand...
Click to collapse
I was bored, so I made you a recovery flashable zip to perform your changes
If you want to find out if it worked, just type "cat /tmp/recovery.log" via adb shell after flashing the zip. The output should look like this:
Opening update package...
Installing update...
Enabling Rogers Tethering on AT&T ROM
by cmaxwe and Turge
about to run program [/sbin/busybox] with 3 args
about to run program [/sbin/busybox] with 3 args
minzip: Extracted file "/tmp/enable.sh"
minzip: Extracted file "/tmp/sqlite3"
about to run program [/sbin/busybox] with 3 args
1307|Entitlement|302720|302|720|ltemobile.apn ||||||||||-1|entitle|internal|||hidden|||||IP|IP|1|0
script result was [Done]
Done
Click to expand...
Click to collapse

I just created a hack that will unlock the tethering on AT&T based ROMs without modding this setting, so I'll post it in a couple when I get the chance

Calkulin said:
I just created a hack that will unlock the tethering on AT&T based ROMs without modding this setting, so I'll post it in a couple when I get the chance
Click to expand...
Click to collapse
This way is much better, it is universal.

designgears said:
This way is much better, it is universal.
Click to expand...
Click to collapse
Yeah the other method is carrier agnostic/universal but it needs to be updated for each new AT&T RUU.
Using the method in this thread you could create a flash file for each carrier and that flash file should be usable on any new AT&T RUU.
The method in this thread seems safer too because you are just modifying a few rows in a database instead of replacing functionality/executable code (which I think is what the other mod does).
In fact ROM creators could insert Entitlement rows for all the common carriers in the Telephony.db and we wouldn't need to worry about any of these mods.

I just flashed it and tried to run a wifi-hotspot and it doesn't seem to work.
I do get a different message now saying that if I want this to work, I should call someone from att or dial 611.
Anyone else try this?

daitienshi said:
I just flashed it and tried to run a wifi-hotspot and it doesn't seem to work.
I do get a different message now saying that if I want this to work, I should call someone from att or dial 611.
Anyone else try this?
Click to expand...
Click to collapse
i tried it and got the same result as you....

zakhir_n said:
i tried it and got the same result as you....
Click to expand...
Click to collapse
Same here, no luck. Rooted stock 1.85 AT&T, connected on "4G" (HSPA+).
(ADB method)

shchenok said:
Same here, no luck. Rooted stock 1.85 AT&T, connected on "4G" (HSPA+).
(ADB method)
Click to expand...
Click to collapse
That is odd...hmm.
With the ADB method did step 6 (select * from carriers) show the new line that you added?
Also are you in Canada on the Rogers network? This is only for Rogers.
Edit: If you are both on HSPA+ and not LTE then maybe that has something to do with it. The APN that I used was for LTE. You could try replacing ltemobile.apn in the instructions above with rogers-core-appl1.apn.
I would do revert to the backup of your telephony.db first before I tried this though as I am not sure what happens if you have more than one Entitlement APN for a carrier. It probably just uses the first one in the list which would mean adding rogers-core-appl1.apn would have no impact.

cmaxwe said:
That is odd...hmm.
With the ADB method did step 6 (select * from carriers) show the new line that you added?
Also are you in Canada on the Rogers network? This is only for Rogers.
Click to expand...
Click to collapse
Yes, it did.
No, I'm on AT&T, my mistake!

[Q] Root ZTE Valet Z665c

Does anyone have any information on how to root this phone?
It is a tracfone running Android 4.1 with 1ghz qualcomm cpu.
Thanks.

I'm also looking for someone who might have some pointers on how to root this phone or install KitKat apps from Nexus 5 dump!!!
I know it is a low end phone but there are lots of people in the Tracfone world who are now able to get Android phones and are NEW to the smartphone universe.
Thanks.

I'm thinking of buying this phone. As a low end Android, how does it hold up? And if you want to root it, try Bin4ry's root method here. Just be careful.

Tried Bin4ry on ZTE Valet but it failed to root
I've had the phone a couple of days so far and while I'm by no means a qualified reviewer of smartphones, I do like the ZTE Valet. I'm too cheap to pay the $70-100 USD/month for a post-paid service that I don't need.
After searching the forums and seeing that no one reported trying to root the phone, I took a brave pill and tried the Bin4ry method (v31). I got the same message that many users reported - after rebooting, it fails to mount and copy the necessary files. Both the new standard method and the old method failed. It did no apparent harm to the phone - just didn't work. Here's some details on the phone I have:
Android version 4.1.1
Kernel 3.4.0-perf [email protected]
Thanks for any ideas or advice.

I just picked one up at Kmart for $80 today and am checking things out, trying to see about rooting it. My Hisense Sero 7 Pro tab is rooted and running great with a DoPa custom ROM.

I also purchased one of these and am happy so far. I have a question on the magnetic and rotation sensor. They seem to show up as installed as ak8962 devices but apps like 'my android sensors' don't show any data being returned. are they just not actually installed?
thanks
sam
gberpa said:
I just picked one up at Kmart for $80 today and am checking things out, trying to see about rooting it. My Hisense Sero 7 Pro tab is rooted and running great with a DoPa custom ROM.
Click to expand...
Click to collapse

samcoinc said:
I also purchased one of these and am happy so far. I have a question on the magnetic and rotation sensor. They seem to show up as installed as ak8962 devices but apps like 'my android sensors' don't show any data being returned. are they just not actually installed?
thanks
sam
Click to expand...
Click to collapse
The rotation of the device changes the screen from portrait to landscape and 'maps', 'Gas Buddy' seems to show the right direction for magnetic north. I haven't had much time to check yet. AAMF, I haven't activated or transferred my number to the 'phone' yet as am deciding if is a 'keeper'. So far, I think it is as I can use WiFi and 'turn off' mobile data by option. Now checking things like battery life in standby.. Haven't found an option to shut WiFi when screen is off like in my JB 4.2.1 and HC 3.1 devices. Only seem to be able to turn WiFi on or off or see an option for airplane mode.

I agree - the screen rotates (how - I don't know ) I would assume gas buddy is using GPS to find north.
sam
gberpa said:
The rotation of the device changes the screen from portrait to landscape and 'maps', 'Gas Buddy' seems to show the right direction for magnetic north. I haven't had much time to check yet. AAMF, I haven't activated or transferred my number to the 'phone' yet as am deciding if is a 'keeper'. So far, I think it is as I can use WiFi and 'turn off' mobile data by option. Now checking things like battery life in standby.. Haven't found an option to shut WiFi when screen is off like in my JB 4.2.1 and HC 3.1 devices. Only seem to be able to turn WiFi on or off or see an option for airplane mode.
Click to expand...
Click to collapse

Any update on this?

It isn't looking good so far..
http://androidforums.com/zte-valet/799676-ill-help-find-root-method-if.html
They have tried a bunch of stuff so far.
sam
Unkn0wn0ne said:
Any update on this?
Click to expand...
Click to collapse

samcoinc said:
It isn't looking good so far..
They have tried a bunch of stuff so far.
sam
Click to expand...
Click to collapse
I'm going to get my hands on the phone soon. I'll proceed to attempt to get a recovery or something compiled for it if I can. First, I'd have to dump the rom and kernel which might require root access, but we will see. Once we have a recovery we can port CyanogenMod over to it.
Also I think I know why it's crashing, but I can't be sure until I can test it out myself.

Unkn0wn0ne said:
I'm going to get my hands on the phone soon. I'll proceed to attempt to get a recovery or something compiled for it if I can. First, I'd have to dump the rom and kernel which might require root access, but we will see. Once we have a recovery we can port CyanogenMod over to it.
Also I think I know why it's crashing, but I can't be sure until I can test it out myself.
Click to expand...
Click to collapse
Wish you luck..just got my replacement unit from TracFone after the first one's screen froze.

oooops. Sorry posted in wrong thread.

ZTE Valet Z665c - obtaining temporary root
After trying numerous root methods (Bin4ry, Framaroot, ...), I stumbled on a method of getting temporary root using Cydia Impactor. Cydia Impactor appears to be partially successful. First of all, please note that all credit goes to those involved with Cydia Impactor and the discovery of the original exploits (do a search if you want).
This method might seem a little convoluted, but it works reliably for me. Note that I use a Linux machine so you might have to adapt the steps to work on another platform.
Prerequisites:
1. Menu -> System settings -> Developer options -> USB debugging ->Enabled.
2. Menu -> System settings -> Developer options -> Stay awake ->Enabled (to keep the telnet session from going to sleep).
3. telnet (I am running on Ubuntu, but some sort of telnet program is needed).
4. Cydia Impactor
5. phone is connected to your wifi.
Steps:
1. Run the "Cydia Impactor" to "# drop SuperSU to /system/xbin/su". See what happens.
2. It failed for me giving an error related to not being able to remount /system or not being able to create /system/xbin/su.
3. In Cydia Impactor, run "# start telnetd as system on port 2222". You don't need to bother to telnet in. Just let it finish and then proceed to the next step.
4. In Cydia Impactor, run "# start telnetd as root on port 22". Let it finish.
5. Telnet into your phone from a terminal on your computer: "telnet 192.168.1.117 -l root 22". Note that the ip address is likely different on your network, e.g., 192.168.1.xxx.
6. If everything worked OK, you should be presented with a root prompt ("~ #"). I have busybox (obtained from the Bin4ry exploit download) that I adb pushed to /data/local/tmp. The command "/data/local/tmp/busybox whoami" tells me I am indeed root.
OK - now the bad news for me. I proceed to try to install su but remount fails. If I issue the command:
~ # mount -o rw,remount /system
~ #
A root prompt is returned with no error message suggesting that it successfully remounted /system. Woohoo! But a "mount" command (or cat /proc/mounts) says it is still "ro" or read only. Darn. Does it appear that ZTE has crippled the mount command in some way? Now the question is how to permanently install root? I have poked around and at least was able to make a backup to my sdcard using bzip2
This should at least help as a first step. Others including myself have posted elsewhere on this phone. At this point, I'm not willing to risk flashing anything. I'm a noob so I'm hoping someone who is more familiar with the permissions and that sort of thing can complete the root and post a solution.
Thanks.

Awesome!
These findings are great, I'd be willing to check this out soon. (Linux box is down do to hardware issue. ).
If we can obtain root the remounting issue can definitely be fixed. Also, does busybox have the premissions to run?
Try this:
Code:
mount | grep system
That will give you somewhere within the text the partition that is registered as /system . Then:
Code:
mount -o rw,remount [PARTITION-THAT-COMMAND-RETURNED-HERE-MINUS-BRACKETS] /system
See if that works. But anyways, if it doesn't it can still be rooted! (just temporarily, but it is no longer an 'unrootable' device)
Note: I am not responsible for what happens using those commands.

a little more info in response to your questions
Dear Unkn0wn0ne,
I had messed around with it and also tried something like you suggested, e.g.:
mount -o rw,remount,relatime,data=ordered -t ext4 /dev/block/mmcblk0p19 /system
Also tried it with the "-n" option to avoid a write to mtab although I don't remember seeing mtab while purusing the file system.
Hadn't noticed that busybox was available under /system/bin:
~ # ls -al /system/bin/busybox
-rwxr-xr-x 1 root shell 1075144 Jul 19 11:20 /system/bin/busybox
~ #
Could be that it has a more limited command set than the one I put in /data/local/tmp. A lot of the commands under /system/bin have a symbolic link to toolbox.
Note that the telnet connection needs to be made over wifi and not the one available over usb. I got the ip address from my router's client list.
Oh yes - thanks for the reminder. Forgot to include the disclaimer about harming the phone or voiding the warranty.
Hope it works out well for you. Glad to hear your encouraging remarks.

Awesome!
Alright so that didn't work. This guy over here has a suggestion (he has scene your thread): - I can't publish links so I'll pm the link to you.
Also if busybox is symbolically linked you'd have to tell it specifically to call to the busybox pushed over via adb to: /data/local/tmp/busybox and not the stock.
In this case: /data/loocal/tmp/busybox/mount
Also the disclaimer is a must. There will always be that person that tries to blame it on someone else.
Note: I am not responsible for whatever happens using the information provided in this post.

karmmisht said:
After trying numerous root methods (Bin4ry, Framaroot, ...), I stumbled on a method of getting temporary root using Cydia Impactor. Cydia Impactor appears to be partially successful. First of all, please note that all credit goes to those involved with Cydia Impactor and the discovery of the original exploits (do a search if you want).
This method might seem a little convoluted, but it works reliably for me. Note that I use a Linux machine so you might have to adapt the steps to work on another platform.
This should at least help as a first step. Others including myself have posted elsewhere on this phone. At this point, I'm not willing to risk flashing anything. I'm a noob so I'm hoping someone who is more familiar with the permissions and that sort of thing can complete the root and post a solution.
Thanks.
Click to expand...
Click to collapse
I attempted this myself on my Windows 8 machine. I had to enable telnet, but that was easy. I had to reararange the command to "telnet root 192.168.x.xxx:22" (xxx is my IP). It keeps giving me the error "Connect failed."
Any thoughts out there?

try putty
Ph0enix_216,
I tried to connect from a Windows 7 machine and it works using putty for telnet (www.putty.org, a great program). Be sure to set the Connection->Data->Auto-login name to root.

well the guy in the other thread bricked his it sounds like...
http://androidforums.com/zte-valet/799676-ill-help-find-root-method-if-3.html
They tried to modify the mmcblk0p16 boot image and re-copy it back. It seemed to re-copy but then didn't boot with a verify error.. (I am paraphrasing - and don't really understand what they where doing )
sam
Ph0enix_216 said:
I attempted this myself on my Windows 8 machine. I had to enable telnet, but that was easy. I had to reararange the command to "telnet root 192.168.x.xxx:22" (xxx is my IP). It keeps giving me the error "Connect failed."
Any thoughts out there?
Click to expand...
Click to collapse

Temporary root shell for developers on locked bootloaders.

Hello All! I am me2151.
I am here to tell you some kind of good news.
We have achieved a temporary root shell using a modified recowvery script. Originally Recowvery installed a custom "recovery" but I have modified it to instead create a temporary root shell using the System_Server SELinux context and disable the flashing portion of the script. Yes we are still limited until we can get Kernel or Init context but I am working on that as well.
This exploit will be useful down the line because of one major thing. WE CAN INSERT KERNEL MODULES!!! But they need to be signed. So I am releasing this out here so we can take the next step into our full root! We also have rw to the /data partition and changes save over a reboot.
If we can get someone to sign a kernel module that the system accepts we can set SELinux to permissive.
This exploit SHOULD work for all variants.
NOTE: This should only be used by devs who know what they are doing.
Instructions(this should work on MacOS and Linux only!):
Download linked file below.
Extract to either adb directory OR a directory you have adb access in.
Give execute permissions to temp.sh.
Run temp.sh.
When you are all done with your exploring and stuff type "Reboot" to reboot normally.
https://drive.google.com/open?id=0B8CP3g3AqMuHcmNJUUJWLUJUelE
Credit:
 @jcadduono - For recowvery, and pointing me in the right direction on IRC.
 @brenns10 - Wrote the lsh used in the exploit to spawn the shell.
The group over here for ideas and solutions.

Very cool work! Glad to see people putting my shell (such as it is) to good use. Wish I had a V20 to try it out

I don't think you'll ever be able to sign a kernel module (SHA512 hash). You'd probably have better luck signing your own boot image.
Here's a theory to toy with:
I think the way to do it would be to gain read access to /init binary allowing you to dirtycow /init with the same init binary but change a very specific (but not vital to system integrity) set of instructions to point back to the setenforce code with a value of 0 without disturbing the rest of the binary/instructions. This way, init should continue running without crashing and taking down the whole system, and you can do something that might trigger that specific instruction set - which would then result in selinux becoming permissive.
This is beyond me, unfortunately. This method would also be very device specific until someone also finds an intelligent way to read init, modify instructions, then dirtycow it back.
I think system server context might be able to read init?
Once you get your permissive selinux, you'll also have to deal with Unix capabilities limitations (find a way around them).

jcadduono said:
I don't think you'll ever be able to sign a kernel module (SHA512 hash). You'd probably have better luck signing your own boot image.
Here's a theory to toy with:
I think the way to do it would be to gain read access to /init binary allowing you to dirtycow /init with the same init binary but change a very specific (but not vital to system integrity) set of instructions to point back to the setenforce code with a value of 0 without disturbing the rest of the binary/instructions. This way, init should continue running without crashing and taking down the whole system, and you can do something that might trigger that specific instruction set - which would then result in selinux becoming permissive.
This is beyond me, unfortunately. This method would also be very device specific until someone also finds an intelligent way to read init, modify instructions, then dirtycow it back.
I think system server context might be able to read init?
Once you get your permissive selinux, you'll also have to deal with Unix capabilities limitations (find a way around them).
Click to expand...
Click to collapse
if system_server can read init then thats a serious flaw.... Question for you. you said it would be very device specific. does that mean its unique for each individual phone or each model?
EDIT:Unfortunately we only have access to the init.rc not the binary it self.

@jcadduono I appreciate your input and direction in this matter another idea we have been toying with is
We have the aboot boot recovery and system dump. From the tmob variant would it be possible to make a tot from that for our devices changing the props to match our device, build, and carrier info? We can also pull apks from /system/apps and /privapps to our ext sdcard

@me2151, @jcadduono, @brenns10: Great work guys, keep it up. Good to see some people are trying for root. What model/s are being tested, or should this theoretically work on all models? Whilst you probably aren't doing it for the cash, there is a bounty I hope someone can claim soon, for a functonal root alone (not boot unlock) posted on this board.
RoOSTA

roosta said:
@me2151, @jcadduono, @brenns10: Great work guys, keep it up. Good to see some people are trying for root. What model/s are being tested, or should this theoretically work on all models? Whilst you probably aren't doing it for the cash, there is a bounty I hope someone can claim soon, for a functonal root alone (not boot unlock) posted on this board.
RoOSTA
Click to expand...
Click to collapse
It should work on all models. I personally use a sprint model(LS997). I think it MAY have been tested on VZW as well.

I can confirm that work on H990DS
Sent from my MI PAD using XDA-Developers mobile app

We know from earlier LG phone releases that the laf partition when bypassed in some way (corrupted, etc) aboot will boot to fastboot when going into download mode. It was my thought that the bootloader could be unlocked from there. However corrupting laf eliminates device recovery. Catch-22.
I think the best way to proceed is to get a working .TOT first which is just a waiting game. That would ensure device recovery and replacing the bootloader in the .TOT and signing it with something unlockable.
This is a great way to explore the locked phones in the meantime, thanks.

ATT Pretty Please

me2151 said:
Hello All! I am me2151.
I am here to tell you some kind of good news.
We have achieved a temporary root shell using a modified recowvery script. Originally Recowvery installed a custom "recovery" but I have modified it to instead create a temporary root shell using the System_Server SELinux context and disable the flashing portion of the script. Yes we are still limited until we can get Kernel or Init context but I am working on that as well.
This exploit will be useful down the line because of one major thing. WE CAN INSERT KERNEL MODULES!!! But they need to be signed. So I am releasing this out here so we can take the next step into our full root! We also have rw to the /data partition and changes save over a reboot.
If we can get someone to sign a kernel module that the system accepts we can set SELinux to permissive.
This exploit SHOULD work for all variants.
NOTE: This should only be used by devs who know what they are doing.
Instructions(this should work on MacOS and Linux only!):
Download linked file below.
Extract to either adb directory OR a directory you have adb access in.
Give execute permissions to temp.sh.
Run temp.sh.
When you are all done with your exploring and stuff type "Reboot" to reboot normally.
https://drive.google.com/open?id=0B8CP3g3AqMuHcmNJUUJWLUJUelE
Credit:
@jcadduono - For recowvery, and pointing me in the right direction on IRC.
@brenns10 - Wrote the lsh used in the exploit to spawn the shell.
The group over here for ideas and solutions.
Click to expand...
Click to collapse
At the moment all I am using root for is to add a line within my build.prop to disable Tethering checks, so I can tether at full 4G speed and not get throttled. Would this be possible using the method above, or would build.prop immediately get replaced at the reboot?
Thanks, and keep up the good work!

NRadonich said:
At the moment all I am using root for is to add a line within my build.prop to disable Tethering checks, so I can tether at full 4G speed and not get throttled. Would this be possible using the method above, or would build.prop immediately get replaced at the reboot?
Thanks, and keep up the good work!
Click to expand...
Click to collapse
no. it is a tcp root shell that can only do a few things such as kernel modules.. only section we were able to write to and have it stick was the /data partition which wont help you in this scenario

elliwigy said:
no. it is a tcp root shell that can only do a few things such as kernel modules.. only section we were able to write to and have it stick was the /data partition which wont help you in this scenario
Click to expand...
Click to collapse
So if we can write to data partition then in theory can we adb push to it using this? I ask because I'd like to install some tbo apps that normally would require flashing. But if we could push them we would be solid

markbencze said:
So if we can write to data partition then in theory can we adb push to it using this? I ask because I'd like to install some tbo apps that normally would require flashing. But if we could push them we would be solid
Click to expand...
Click to collapse
Unfortunately its a tcp shell. not a pure adb shell. so we cannot push or pull to those directories

Wow great progress keep up the good work. You guys are helping those assholes from LG sell more phones. Obviously some people have not made the switch because the lack of root. Root users are very influential leaders to get others to try out a new device.
Sent from my LG-LS997 using XDA-Developers mobile app

Works on the LG G5 also...

Hey guys, with the expectation of many that 'root is coming' to the other v20 models...are we likely to see the same type of root format that applied to the LG G4, where you have to (either) download or rip your own image to a PC. Use commands to insert root, then reflash to the device?
Any root is better than nothing, I know...but I ask because with the amount of software updates for the G4 (v10c software through to v10k before MM came out), meant the sheer amount of times you'd have to go through this process to keep your phone up to date whilst maintaining root was extremely frustrating - as it also meant xposed and related settings/apps needed to be reinstalled each time you performed an OTA update and re-flashed root.
Is this going to be a side effect of dealing with a locked bootloader? PS: If I sound dumb, it's probably because I am.
RoOSTA

roosta said:
Hey guys, with the expectation of many that 'root is coming' to the other v20 models...are we likely to see the same type of root format that applied to the LG G4, where you have to (either) download or rip your own image to a PC. Use commands to insert root, then reflash to the device?
Any root is better than nothing, I know...but I ask because with the amount of software updates for the G4 (v10c software through to v10k before MM came out), meant the sheer amount of times you'd have to go through this process to keep your phone up to date whilst maintaining root was extremely frustrating - as it also meant xposed and related settings/apps needed to be reinstalled each time you performed an OTA update and re-flashed root.
Is this going to be a side effect of dealing with a locked bootloader? PS: If I sound dumb, it's probably because I am.
RoOSTA
Click to expand...
Click to collapse
it shouldnt be an expectation as weve made it clear we do not have root and are hitting hurdles.. we have been advised we need to atack selinux and or the bl but at this point were wanting to try to use debug firmware which hoprfully would allow a bl unlock..
unfortunately nobody can creat a .tot with the debug firmware at al and theres no way at all to flash the images..
we need to somehow leverage an exploit to gain a temp adb root shell before we could even attempt anything and this has not been done in a way thats useful to us..
unfortunately we need more experienced devs at this point.

LG Australia (and as such, Taiwan) have effectively confirmed their H990DS v20 mobile phone's bootloader is confirmed as being unlockable. However (and for no apparent reason) they will not confirm why one region have released a variant of the phone with the bootloader unlock and why they are refusing this to others phones/regions. Because of course, they have zero training and information about anything related to their company expect for goods released in a specific region. That comes from a 'product expert'

Titanium Backup
Howdy,
Just reading through the thread, I understand that it's not quite a "full" root, but would it be enough to run Titanium Backup? I'm hoping to move away from root access with my V20 but it would be really helpful if I could do it temporarily, restore some application and data backups, reboot and uninstall Titanium.
Tim

[SOLVED] Android Trojan.Gorilla.AM or Guerrilla.AM on my device OEM launcher...

(NOTE: this post is a duplicate of a similar thread I started on the Android Central user forum)
Hello everyone,
In the continuing saga of the Leagoo T5C i bought before the holidays from GearBest, I've seen the good (the price and overall build quality, along with a reasonably good user experience), the bad (some notifications that I just can't get rid of, among other things), and I now present you the ugly: after watching a review video on YouTube about my device, I learned that it came loaded with a Trojan called "Gorilla.AM"...
***EDIT: apparently, the Trojan's name could actually be "Guerrilla.AM", I'm not sure.***
Needless to say, I did as the tester had, and installed Malwarebytes, which, sure enough, found the exact same Trojan on my device.
You can watch the video here: https://www.youtube.com/watch?v=R5l3z7BvBtk
It so happens that it's embedded in Leagoo's own application launcher, called Sujet (in French; maybe it's called "Subject" in English, I don't know). I can force quit the application, since I use another launcher called Apex (good pick, by the way), but Malwarebytes can't seem to shake the Trojan off my device nonetheless.
A quick search on Google gives very little in the way of information about this malware, but I'd like to be on the safe side, so I came here.
Any contribution would be welcome at this stage.

Hi. I've seen your post on a french-speaking forum but for my own reasons I don't want to help there, too many morons.
Leagoo is well-known for smartphones with built-in spyware/adware. I've had both a Z5 and a M5 and both had such crap in the stock firmware.
This one is new to me but you'll probably have to follow the same steps to get rid of it.
Try
Code:
adb shell pm disable <internal name of that launcher>
first (from a PC connected to the device with ADB - zillions of tutorials available for this)
The internal name can be found by guessing or by using one of the many apps that will show you the information. One is https://play.google.com/store/apps/details?id=com.csdroid.pkg
If that fails, try adding "-k -user 0" to the command line.
If it fails again (denied) then you have no choice but to root your device first, then use this pm command from a root shell or directly delete the folder for "Sujet/Subject" from /system/app or /system/priv-app where you'll find it.

Lannig said:
Hi. I've seen your post on a french-speaking forum but for my own reasons I don't want to help there, too many morons.
Leagoo is well-known for smartphones with built-in spyware/adware. I've had both a Z5 and a M5 and both had such crap in the stock firmware.
This one is new to me but you'll probably have to follow the same steps to get rid of it.
Try
Code:
adb shell pm disable <internal name of that launcher>
first (from a PC connected to the device with ADB - zillions of tutorials available for this)
The internal name can be found by guessing or by using one of the many apps that will show you the information. One is https://play.google.com/store/apps/details?id=com.csdroid.pkg
If that fails, try adding "-k -user 0" to the command line.
If it fails again (denied) then you have no choice but to root your device first, then use this pm command from a root shell or directly delete the folder for "Sujet/Subject" from /system/app or /system/priv-app where you'll find it.
Click to expand...
Click to collapse
Hi,
OK, first off, thanks for the reply. Secondly, as I've stated before, I'm new to Android, and though I know my way around the command line in both Windows, Linux et OS X (not so much macOS: my MacBook Pro is 12-years old...), I suppose there are some things to set up first, before you can actually do what you suggest.
I understand that ADB stands for Android Debug Bridge, so is it an existing functionality in, say, Windows, that you can trigger from the command line, or a third-party software you have to install first?
On the Android side, what action should I take? Any Developer command to enable/disable to let ADB interact with my device the way it's supposed to?

Yes, you need to enable debug mode on your phone too. I could refer you to one of the zillion tutorials available on the net, but here's a summary.
Go to settings > about... (à propos)
Make at least 7 rapid touches on the line that says "build number" or its french translation.
This will make a new settings menu available from the main settings page: developer options
In this new menu, enable USB debugging.
Then you need to install ADB on your Mac and I'm at loss to help you there because I'm totally foreign to Macs. Never used one.
This seems like a good start: https://www.xda-developers.com/install-adb-windows-macos-linux/
Note: you may also try issuing the commands mentioned above from a terminal emulator running directly on your Android device, although I'm told that it's not exactly the same thing protection-wise.
Install this: https://play.google.com/store/apps/details?id=jackpal.androidterm and try typing the commands from the emulator window. If it works, no need for ADB (although having ADB will probably prove useful sooner or later and I encourage you to take the step).
EDIT: forget the guys from Phonandroid, they're brain-damaged beyond help

Lannig said:
Yes, you need to enable debug mode on your phone too. I could refer you to one of the zillion tutorials available on the net, but here's a summary.
Go to settings > about... (à propos)
Make at least 7 rapid touches on the line that says "build number" or its french translation.
This will make a new settings menu available from the main settings page: developer options
In this new menu, enable USB debugging.
Then you need to install ADB on your Mac and I'm at loss to help you there because I'm totally foreign to Macs. Never used one.
This seems like a good start: https://www.xda-developers.com/install-adb-windows-macos-linux/
Note: you may also try issuing the commands mentioned above from a terminal emulator running directly on your Android device, although I'm told that it's not exactly the same thing protection-wise.
Install this: https://play.google.com/store/apps/details?id=jackpal.androidterm and try typing the commands from the emulator window. If it works, no need for ADB (although having ADB will probably prove useful sooner or later and I encourage you to take the step).
EDIT: forget the guys from Phonandroid, they're brain-damaged beyond help
Click to expand...
Click to collapse
OK, thanks for the heads-up; I've already installed a Terminal emulator on the phone, so I'm gonna give it a go in a moment. I concur about Phoneandroid, alas: I've just received flak from one of the moderators because I'd double-posted on the same subject, whereas I'd just posted one thread, in the wrong part of the forum, according to him. Go figure...

OK, please feed back on your attempts, both from terminal emulator and through ADB.
Alas, I suspect that root will be required. It was for me on my Z5 and M5 to get rid of Leagoo's crapware.
Phonandroid is a bunch of losers with bloated egos posing as experts when 2/3 of the replies given are total BS.

"Er, Houston, we've had a problem..."
On Windows: "ADB is not a recognized name for a command applet..."
On OS X: "adb: command not found"
Stumped, I am...

"Er, Houston, we've had a problem..."
On Windows: "ADB is not a recognized name for a command applet..."
On OS X: "adb: command not found"
Stumped, I am...

(Additional question, not quite related: Aida64 indicates that my device runs a 4.4.49 version of the Android kernel, when the current version for Android 7.x is supposed to be 4.4.1; how does that compute--no pun intended--with my issue?)

Missing adb command is because the adb.exe (Windows) or adb (Mac) file is not in the command path. Either make the folder that contains the adb[.exe] file the current folder using the cd command or use whatever context menu for opening a command line window within the currently selected folder works, or even add that folder to the PATH variable. Google "add directory to path" for Windows and MacOS.
No idea about the kernel version. Minor kernel versions may vary within an Android release. Not surprising and most definitely unrelated to your problem. The crapware certainly isn't part of the kernel. It's most likely a system app i.e. a folder within either /system/app or /system/priv-app folders. You can't delete it without root, but you might be able to disable (freeze) it with the commands I gave you.

OK, thanks. I did "cd" to the folder where I had unzipped ADB on Windows (on the Mac, when I tried to open the ADB executable, I got a "cpu not supported" error message in the Terminal, as I feared, since my MBP is 32-bit-only, and most Mac applications nowadays only support 64-bit CPUs), and still got the "adb unrecognized command" error in PowerShell.
The phone was plugged in, and the right USB mode, so I'm still a bit baffled here. Gonna try it again with a different approach. Will keep you posted.
Over and out...

OK, here's what I got: "Error: java.lang.SecurityException: Shell cannot change component state for com.leagoo.launcher3/null to 2"
Basically, from my poor understanding of how Android works, it's root or die, right?

UglyStuff said:
OK, here's what I got: "Error: java.lang.SecurityException: Shell cannot change component state for com.leagoo.launcher3/null to 2"
Basically, from my poor understanding of how Android works, it's root or die, right?
Click to expand...
Click to collapse
I see that this phone has 7.x android. So, a Magisk Systemless flash might work. After rooting your device, get a good launcher integrate it to /system. Then delete your stock launcher all together.
Tell me if this works.
---------- Post added at 01:23 PM ---------- Previous post was at 01:20 PM ----------
rhn19 said:
I see that this phone has 7.x android. So, a Magisk Systemless flash might work. After rooting your device, get a good launcher integrate it to /system. Then delete your stock launcher all together.
Tell me if this works.
Click to expand...
Click to collapse
If you are new to this, use an app from play store for uninstalling and integrating apps.

Hi,
Yes, like I said, I'm a newbie when it comes to Android, so I'll abstain from rooting my device for now, but I'll keep your suggestions under advisement, because I suppose there'll be no other option in the long run. I'm gathering info on how to safely root a device.
I've done countless jailbreaks on iPhones, and it was always absolutely painless, but then, I had better understanding of how iOS works than I have Android, so until I know more about the OS, I'll keep my phone as it is.
Thanks again!

UglyStuff said:
Hi,
Yes, like I said, I'm a newbie when it comes to Android, so I'll abstain from rooting my device for now, but I'll keep your suggestions under advisement, because I suppose there'll be no other option in the long run. I'm gathering info on how to safely root a device.
I've done countless jailbreaks on iPhones, and it was always absolutely painless, but then, I had better understanding of how iOS works than I have Android, so until I know more about the OS, I'll keep my phone as it is.
Thanks again!
Click to expand...
Click to collapse
Jailbreaking vs Rooting is like 5-1 on difficulty level. Because Android is Open source while IOS is not. I would highly suggest you Root it if your phone does not have warranty. After all something that is on /system partition like your launcher will need superuser access to modify it. I cannot think of a way that wont void your warranty.
You can flash TWRP and then boot into aroma-fm but that will void your warranty. Rooting is the preferred option here.

Yeah, well, the phone is brand-new, and still under warranty, but that's not what's holding me back: I'd rather not brick it, most of all, because I need it, if not as my main phone, at least for connectivity.
I've read tutorials on this very website about using TWRP to flash a new baseband, but I'm curious about what firmware to choose, where to download it from to be sure it's not laden with bad stuff, and how sure I'll be to have an operable phone afterwards.

UglyStuff said:
Yeah, well, the phone is brand-new, and still under warranty, but that's not what's holding me back: I'd rather not brick it, most of all, because I need it, if not as my main phone, at least for connectivity.
I've read tutorials on this very website about using TWRP to flash a new baseband, but I'm curious about what firmware to choose, where to download it from to be sure it's not laden with bad stuff, and how sure I'll be to have an operable phone afterwards.
Click to expand...
Click to collapse
Why do you want a new firmware? I don't get you man, do you want to clear out the malware or try a new ROM? Because i think you would have to build a new ROM, there is not one available i guess.

That's the thing: the malware on my phone is part of the application launcher installed by the OEM. In other words, it's embedded inside the ROM. If I root my phone and somehow manage to get rid of this launcher, what's to tell me that Leagoo won't push it silently back onto my device under the disguise of an update?
I don't know what to do here. I understand that based on stock Android, each OEM applies a certain number of modifications to accommodate the hardware it used to build the phone, and since the SoC is brand-new, I gather there aren't many drivers available, unless I leave the current baseline in place.
I'm kinda caught between a rock and a hard place here...

UglyStuff said:
That's the thing: the malware on my phone is part of the application launcher installed by the OEM. In other words, it's embedded inside the ROM. If I root my phone and somehow manage to get rid of this launcher, what's to tell me that Leagoo won't push it silently back onto my device under the disguise of an update?
I don't know what to do here. I understand that based on stock Android, each OEM applies a certain number of modifications to accommodate the hardware it used to build the phone, and since the SoC is brand-new, I gather there aren't many drivers available, unless I leave the current baseline in place.
I'm kinda caught between a rock and a hard place here...
Click to expand...
Click to collapse
If you use malwarebytes after root that thing wont happen. And almost all of the OEMs have a trigger which voids when rooting or flashing firmware. After that the OEM wont give you updates unless you use the A/B partitioning system.

OK, I understand how rooting my phone would void the warranty: after all, it's a substantial change in the phone software, and the OEM can't be made responsible for any mishap that occurs after I've rooted the phone.
What's the A/B partitioning system (I suppose it helps partition your storage space)? I don't have a microSD card installed (I use the slot for my second SIM), but I do have 32 Gb of storage space, minus what's already used up.
Do you know KingRoot? Is it as good and (reasonably) safe a rooting tool as they say it is?