[Q] Full System Write access? - Verizon HTC One (M8)

Is there a way to get full write access to system by using weaksauce root? I am on the VZW M8 and I can't S-OFF via firewater for whatever reason that the exploit doesn't work anymore, but I would still like the ability to either unlock my bootloader or get my /system writable. Does anyone have any suggestions?

Sky93 said:
Is there a way to get full write access to system by using weaksauce root? I am on the VZW M8 and I can't S-OFF via firewater for whatever reason that the exploit doesn't work anymore, but I would still like the ability to either unlock my bootloader or get my /system writable. Does anyone have any suggestions?
If firewater won't work for you, the only other way I know is found here. Hope this helps :fingers-crossed:

Related

[Q] htc bootloader unlock mucks up root access

Hi,
Phone in question is Tmobile G2
I have had temp root access for sometime and used it to freeze apps that I did not trust/etc.
I had wanted to get perm root but the wiki instructions were a little bit too haphazard for me and I did not wish to have to downgrade off gingerbread.
Someone said there was a newer way that did not require a downgrade and you unlocked the bootloader from htc web site. Well I did that and somehow it's mucked up temp root access as Titanium no longer works.
How could unlocking bootloader screw this up?
Think I am ok now. It was superuser that was messed up. New version requires yes/no (or default set to yes) before Tbackup will get root access.
To anyone else with a G2 that was frustrated with these unclear wiki instructions/downgrading/etc:
It appears that unlocking the boot loader does in fact give you perm root access.
Go to htcdev to unlock your phone. You will need the superuser app but that should be it.
Now just need a good firewall to stop these programs from using my data anytime they please. Any good recommendations?

[ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit

I have successfully rooted the AT&T HTC One X running build 2.20.
In the previous build (1.85), S-ON was only partially enforced, so it was possible to modify the /system partition without having unlocked the bootloader, in order to install su and Superuser.apk. This was changed in build 2.20: full S-ON is now in effect. As a result, it is no longer possible to write to /system even after remounting it as writable, since the S-ON feature has NAND-locked the storage.
In other words, it's impossible to have a "permanent root" on 2.20 in the traditional sense without unlocking the bootloader.
I have prepared an exploit that gains temporary root access by leveraging two vulnerabilities and uses these newly gained root privileges to overwrite the CID ("superCID"), so that it's possible to unlock the bootloader via HTC's website. I'm sorry if you'd prefer to not unlock your bootloader this way, but there are no other options for root access available.
===========
DISCLAIMER
===========
This exploit modifies the CID of your device. Doing so likely voids your warranty, and may be in violation of your contract with AT&T (I am not a lawyer). Additionally, while this exploit has been tested and has not been observed to cause any negative side effects in practice, I am in no way responsible if it turns your device into an expensive paperweight.
=============
INSTRUCTIONS
=============
1. Download the exploit from:
http://vulnfactory.org/public/X_Factor_Windows.zip
Edit: Linux/Mac version available here. Thanks to Jesse Osiecki (@jesseosiecki) for suggesting I support this and providing me with a working version (that I ended up re-writing):
http://vulnfactory.org/public/X_Factor_Linux_OSX.zip
2. Extract the entire zip file.
3. Connect your device via USB, ensure you have the latest HTC USB drivers installed (only on Windows), and ensure USB debugging mode is enabled.
4. Double-click "run.bat", or if running Linux or OSX, open a terminal, change directories to the extracted exploit, and run "./run.sh".
5. Follow the instructions printed by the exploit. You will need to authorize two backup restorations during the exploit's execution.
6. If the exploit is successful, it will print "[+] Set CID!". If it does not print this, the exploit has failed, so please do not continue.
7. The exploit will automatically reboot into bootloader mode. Press enter after bootloader mode is finished booting, and the exploit will print your CID. If the exploit was successful, it should return "11111111" as your CID.
8. If your CID was successfully set, press enter to generate an unlock token.
9. Visit htcdev.com, navigate to the "Bootloader unlock" section, choose "All other supported models" from the drop-down menu, and provide the unlock token when asked.
10. After unlocking the bootloader, you can flash a custom recovery partition via fastboot, boot into recovery mode, and use a recovery ADB shell or install from an update.zip to install Superuser and su (I do not provide support for custom recoveries, but this is a straightforward process that other people can help with).
======
NOTES
======
I am not affiliated with any Android forum or group, including XDA - this is just where I've chosen to publish this exploit.
Portions of this exploit are similar in concept to the ADB backup/restore exploit published by Bin4ry, but the vulnerability used in this exploit is entirely distinct from Bin4ry's.
========
CREDITS
========
Thanks to Michael Coppola for pointing me at the vulnerable driver I leverage for the second phase of the exploit, and props for independently discovering the same vulnerability I used. Thanks to jcase and P3Droid for their continuing support - I owe you guys beers.
======
Paypal
======
http://goo.gl/zBGb0
Awesome job!
Thanks for this djrbliss .. root.. yeah!!
Great work man! Congrats.
And welcome to all the new ROM flashers
Well, seems like here's the proof.
I take back my doubts, very nice job!
the one xl is my first android device so i got some questions
by temp root you mean when you shut off the phone we need to do it again?
and i guess there will be a perm root soon because of this exploit am i right?
also ty very much djrbliss
for achieving this :].
It utilizes a temp root to change the CID and therefore unlock
The unlock is permanent, the root is temporary
Though after you unlock, just flash a SuperUser zip and you will get permanent root
Temp root is being used to spoof the CID and unlock the bootloader in order to flash a custom recovery, and thus custom ROMs that are then rooted. This is a permanent root solution.
speednir123 said:
the one xl is my first android device so i got some questions
by temp root you mean when you shut off the phone we need to do it again?
and i guess there will be a perm root soon because of this exploit am i right?
also ty very much djrbliss
for achieving this :].
This will fully root your phone. Just follow instructions to root, Super CID, unlock BL then flash recovery.
The root itself is a different manner than 1.85 but the whole process after should be the same. This is a method to get you to unlock the BL.
Stupid question. Will this method work on Mac?
Sent from my HTC One X using xda app-developers app
It's not working for me, dammit
/system/bin/sh: /data/local/tmp/pwn: cannot execute - Permission denied
Sent from my HTC One X using Tapatalk 2
Yes! Finally!
Sent from my HTC One X using xda app-developers app
h1m said:
Stupid question. Will this method work on Mac?
Sent from my HTC One X using xda app-developers app
Well the bat file won't run obviously, but if you open up the bat and step through the commands it will work just fine.
ty guys for answering
i got another question does some one got
a step by step about the flash recovery stuff cause it's really confusing
Finally, you are the man!!! I've been following the think tank religiously every day for 2 months.
Sent from my HTC One X using Xparent Blue Tapatalk 2
Thanks for the work you put in on this, and congrats to all you 2.20 guys. Will send my donation I pledged this evening.
So this will work with the new HBOOT as well then? Say if someone uses the 2.20 RUU or got an ATT HOXL with the updated bootloader that came with 2.20 ?
Example - I can flash the 2.20 RUU to get a "fresh start" for my phone ( I have the older hboot , unlocked with S-On, never took the 2.20 update), run this, re-unlock, and then put CM10 back on and everything will function as it does now ?
Sent from my One X using Tapatalk 2
billydroid said:
It's not working for me, dammit
/system/bin/sh: /data/local/tmp/pwn: cannot execute - Permission denied
Sent from my HTC One X using Tapatalk 2
Sorry, made a small mistake. I've uploaded a new version to the same URL, please re-download and try again.
Thanks a lot man, massive help!! Will get to downloading right after I charge up!!
Sent from my HTC One X using xda premium
jakew02 said:
So this will work with the new HBOOT as well then? Say if someone uses the 2.20 RUU or got an ATT HOXL with the updated bootloader that came with 2.20 ?
Example - I can flash the 2.20 RUU to get a "fresh start" for my phone ( I have the older hboot , unlocked with S-On, never took the 2.20 update), run this, re-unlock, and then put CM10 back on and everything will function as it does now ?
Sent from my One X using Tapatalk 2
Why would you want to. Then you would have to flash boot.img separately which isn't that big of a deal but still annoying.

Non-htcdev Bootloader unlock 2.20

I was wondering, if now that the CID exploit was found if there would be any attempt to unlock the bootloader without using the HTC site. (i ask cuz i see most questions like this not answered, but people routing others to current x-factor exploit which requires htcdev.)
dergezero said:
I was wondering, if now that the CID exploit was found if there would be any attempt to unlock the bootloader without using the HTC site. (i ask cuz i see most questions like this not answered, but people routing others to current x-factor exploit which requires htcdev.)
no. you need SU, and you can't get SU on 2.20 without an unlocked bootloader. You can only get superCID on 2.20 (from temp root)
Is there anyone out there still looking for a non-htcdev way to root? And does anyone know why the x-factor exploit can't be used to gain the temp root? Is there a thread where this is discussed? I can't seem to find it.
You don't need to use x-factor because you are still superCID even after an RUU (I think, correct me if I'm wrong)
So all you have to do is re-unlock with htcdev
dergezero said:
Is there anyone out there still looking for a non-htcdev way to root? And does anyone know why the x-factor exploit can't be used to gain the temp root? Is there a thread where this is discussed? I can't seem to find it.
Xfactor does give temp root.. it uses temp root to change your cid
Sent from my One X using xda app-developers app
There is currently no way to root on 2.20 firmware, without using HTCDev.com.
If you want to prevent HTC from having your IMEI (and possibly knowing that you unlocked your bootloader), then you can try this: http://forum.xda-developers.com/showthread.php?t=1734558
Still have to go thru HTCDev.com but spoofs the IMEI and SN.
Really not all that useful, as the bootloader will only read UNLOCKED or RELOCKED anyway (if returning for warranty purposes).

[Q] Cannot Root/Unlock Bootloader Rogers HTC One XL Rogers SW# 1.94.631.3

I cannot for the life of me get root access to this phone. It's a refurb shipped to me as a warranty replacement, so it's basically new, with all the OTA updates already applied. I have tried all the links to root, like the One Clicks etc., even tried the One_X_ATT_All-In-One_Kit_v1.1. When I try to do it manually, I used ADB Shell, and it connects ok, I can see files etc. on the system partition, but when I type SU, it says file not found. When I copied SU files to the SD card and tried to run it from there, it says permission denied. This phone seems to be locked right down!
Android Version : 4.0.3 Full build number is 1.94.631.3 CL76063 release-keys
I have tried everything I could think of, and have searched the forums, I just cannot find a solution... Any help would be appreciated...
-NS
n8dog89 said:
I cannot for the life of me get root access to this phone. It's a refurb shipped to me as a warranty replacement, so it's basically new, with all the OTA updates already applied. I have tried all the links to root, like the One Clicks etc., even tried the One_X_ATT_All-In-One_Kit_v1.1. When I try to do it manually, I used ADB Shell, and it connects ok, I can see files etc. on the system partition, but when I type SU, it says file not found. When I copied SU files to the SD card and tried to run it from there, it says permission denied. This phone seems to be locked right down!
Android Version : 4.0.3 Full build number is 1.94.631.3 CL76063 release-keys
I have tried everything I could think of, and have searched the forums, I just cannot find a solution... Any help would be appreciated...
-NS
unlock your bootloader through HTC-Dev (all other models)
flash twrp
flash superuser from recovery downloads.noshufou.netdna-cdn.com/superuser/Superuser-3.1.3-arm-signed.zip
None of the AT&T root solutions apply to you, or any other carrier version of the One X/XL except AT&T. For the AT&T version, we need to have root in order to spoof the CID and get bootloader unlock via HTCDev.com. This is because AT&T is blocking HTC from allowing the bootloader to be unlocked (and the only carrier to do so).
You can skip all that and just unlock the bootloader via HTCDev.com (as mentioned in the reply above). Then install custom recovery (TWRP) and flash SU to achieve root. Or alternately, flash a rooted ROM.
absolutelygrim said:
unlock your bootloader through HTC-Dev (all other models)
flash twrp
flash superuser from recovery downloads.noshufou.netdna-cdn.com/superuser/Superuser-3.1.3-arm-signed.zip
So what you are saying is that I do not have to change my CID or root before unlocking boot loader?
I got my identifier token and am going to submit it... I just saw another response, looks like I have it easy and was looking way too hard... the first time I rooted my phone I DID have to spoof my CID etc, thus the confusion...
Thanks guys!
n8dog89 said:
So what you are saying is that I do not have to change my CID or root before unlocking boot loader?
I got my identifier token and am going to submit it... I just saw another response, looks like I have it easy and was looking way too hard... the first time I rooted my phone I DID have to spoof my CID etc, thus the confusion...
Thanks guys!
Unfortunately like it has been for days, HTCDev.com/bootloader site is just not working... :crying:
Thanks again guys.
n8dog89 said:
Unfortunately like it has been for days, HTCDev.com/bootloader site is just not working... :crying:
I can confirm that, this site is still not working.
Edited at 15:10 :
At last! Web site awake and I can unlock bootloader.
Bumping. Would unlocking bootloader and flashing superuser from recovery work on the new OTA JB update?

Can't unlock bootloader

Hi all,
I'm trying to get the unlock token at htcdev and I keep getting this message after I submit the copied txt from the fastboot result.
"Error code: 172. Error reason: CID not allowed (MID not exist in model rule)."
PLEASE... any help would be most appreciated.
System info:
https://www.mediafire.com/folder/2wrw5rjia39a43l,7tbtdftnp8goph8,1e1h80ub7q1bhq8/shared
Assuming you're in the right forums (Verizon HTC M8), you can't use HTCdev to unlock the phone. The only way to unlock the Verizon version of the phone is through a 3rd party unlock method, that was created by jcase and his team, called Sunshine. Here's their website for the unlock: http://theroot.ninja/
Hi… Thanks for the speedy reply.
That's my second dilemma. Root is a requirement and towel root isn't working either. So, I'm running in circles. I can't use Sunshine to unlock the bootloader because it's not rooted and I can't root it because I can't unlock the bootloader.
RuLEoF2 said:
Hi all,
I'm trying to get the unlock token at htcdev and I keep getting this message after I submit the copied txt from the fastboot result.
"Error code: 172. Error reason: CID not allowed (MID not exist in model rule)."
PLEASE... any help would be most appreciated.
System info:
https://www.mediafire.com/folder/2wrw5rjia39a43l,7tbtdftnp8goph8,1e1h80ub7q1bhq8/shared
You cannot unlock your bootloader. You have vzw 4.4.4 firmware. Sunshine doesn't work on that yet. You are S.O.L. until they update.
Sorry.
Does it work on 4.4.3?
I'm only asking because I'm having an issue with my screen and I was planning on taking it back to exchange it. When I got this one, it had 4.4.3 on it and then I got the 4.4.4 OTA. It's a gamble, but if the new phone still has 4.4.3 on it, then I can just dodge the OTA and try sunshine on that one.
RuLEoF2 said:
Hi… Thanks for the speedy reply.
That's my second dilemma. Root is a requirement and towel root isn't working either. So, I'm running in circles. I can't use Sunshine to unlock the bootloader because it's not rooted and I can't root it because I can't unlock the bootloader.
Sunshine does everything. Except if your phone is up to date, you can't do anything cause nothing works for the 4.4.4 vzw m8
RuLEoF2 said:
Hi… Thanks for the speedy reply.
That's my second dilemma. Root is a requirement and towel root isn't working either. So, I'm running in circles. I can't use Sunshine to unlock the bootloader because it's not rooted and I can't root it because I can't unlock the bootloader.
silver04v said:
Sunshine does everything. Except if your phone is up to date, you can't do anything cause nothing works for the 4.4.4 vzw m8
RuLEoF2 said:
Does it work on 4.4.3?
I'm only asking because I'm having an issue with my screen and I was planning on taking it back to exchange it. When I got this one, it had 4.4.3 on it and then I got the 4.4.4 OTA. It's a gamble, but if the new phone still has 4.4.3 on it, then I can just dodge the OTA and try sunshine on that one.
Ok. So, does sunshine work on 4.4.3?
In any case, the Sunshine web page says that root is required but I can't root it.
Root is required and yes it will work on 4.4.3. Sunshine has a temp root utility built in to the program so it is all in one system.
RuLEoF2 said:
Hi… Thanks for the speedy reply.
That's my second dilemma. Root is a requirement and towel root isn't working either. So, I'm running in circles. I can't use Sunshine to unlock the bootloader because it's not rooted and I can't root it because I can't unlock the bootloader.
zax10 said:
Root is required and yes it will work on 4.4.3. Sunshine has a temp root utility built in to the program so it is all in one system.
Very good. Thank you for the clarification.
RuLEoF2 said:
Very good. Thank you for the clarification.
1 more thing to clarify, I have a Verizon M7, and TowelRoot DOES work, there's just a hidden trick for our phones.... Tap the welcome/intro msg that appears when u open the towelroot app (I believe I had to tap 3 times) and a string of numbers appears, u change the last number from a 0 to a 1 and then it works for our phones. It's not needed for sunshine, but for ppl who wanna take the shortcut after sunshine of just downloading and using flashify to flash recovery (root or temp root required) it works. It was Towelroot V3 I believe. I'm on 4.4.3 sense 6 m7, and I know it worked on 4.4.2 when everyone was saying it didn't work, so if it's something u wanna look into, give it a try. Even the website I believe said it didn't "officially" support our phones, but after doing that trick, it does
bdizzle1686 said:
1 more thing to clarify, I have a Verizon M7, and TowelRoot DOES work, there's just a hidden trick for our phones.... Tap the welcome/intro msg that appears when u open the towelroot app (I believe I had to tap 3 times) and a string of numbers appears, u change the last number from a 0 to a 1 and then it works for our phones. It's not needed for sunshine, but for ppl who wanna take the shortcut after sunshine of just downloading and using flashify to flash recovery (root or temp root required) it works. It was Towelroot V3 I believe. I'm on 4.4.3 sense 6 m7, and I know it worked on 4.4.2 when everyone was saying it didn't work, so if it's something u wanna look into, give it a try. Even the website I believe said it didn't "officially" support our phones, but after doing that trick, it does
Sounds risky.
RuLEoF2 said:
Sounds risky.
Wrong phone too. I would stick to sunshine. Cost $$ but comes with support if needed.
The Stig 04 said:
Wrong phone too. I would stick to sunshine. Cost $$ but comes with support if needed.
Good point.
bdizzle1686, thanks for the tip but I think I'll wait.
RuLEoF2 said:
Good point.
bdizzle1686, thanks for the tip but I think I'll wait.
Not a problem, and yeah it probably does pose some risks, just figured I'd let ya know. Alotta ppl just see that the app doesn't "officially" support any of the htc one phones and take that as fact when it's really not true. I did it with my phone n haven't had a problem, but had I known at the time the risks of doing it that way pose, I probably wouldn't have done it that way
Ok… please forgive my frustration but can someone please explain to me how rooting this phone works… or doesn't work.
I rooted my HTC Incredible and my Rezound with ease. I got pretty comfortable with adb so I went on flashing roms and other mods. They were so easy but now everything seems to be so complicated with this phone.
I'm going nuts trying to understand these confusing threads where it sounds like you need to root the phone in order to root the phone. Even though they don't work, I see instructions to use firewater, towelroot or weaksauce so that you can use sunshine. I read where someone was asking for help because sunshine wouldn't work and they couldn't figure it out because the phone was already unlocked, rooted and s-off. Isn't that what sunshine does… unlock, root and s-off?
My HTC One M8 is bone stock, off-the-shelf with kitkat 4.4.4.
What do I need to use sunshine, now with 2.7.1 or later with 3.0?
Can I use an RUU to downgrade to 4.4.3 so that sunshine 2.7.1 will work?
Is sunshine REALLY the only way that works… or doesn't work (right now)?
Thank you in advance for your help and your patience.
RuLEoF2 said:
Ok… please forgive my frustration but can someone please explain to me how rooting this phone works… or doesn't work.
I rooted my HTC Incredible and my Rezound with ease. I got pretty comfortable with adb so I went on flashing roms and other mods. They were so easy but now everything seems to be so complicated with this phone.
I'm going nuts trying to understand these confusing threads where it sounds like you need to root the phone in order to root the phone. Even though they don't work, I see instructions to use firewater, towelroot or weaksauce so that you can use sunshine. I read where someone was asking for help because sunshine wouldn't work and they couldn't figure it out because the phone was already unlocked, rooted and s-off. Isn't that what sunshine does… unlock, root and s-off?
My HTC One M8 is bone stock, off-the-shelf with kitkat 4.4.4.
What do I need to use sunshine, now with 2.7.1 or later with 3.0?
Can I use an RUU to downgrade to 4.4.3 so that sunshine 2.7.1 will work?
Is sunshine REALLY the only way that works… or doesn't work (right now)?
Thank you in advance for your help and your patience.
If you're bone stock S-ON with 4.4.4 then you cannot root the phone yet. Probably won't be able to till early January when the new sunshine is released.
If you're bone stock S-OFF on 4.4.4 all you need to do is flash a custom recovery and then flash the latest SuperSU zip file.
RuLEoF2 said:
Ok… please forgive my frustration but can someone please explain to me how rooting this phone works… or doesn't work.
I rooted my HTC Incredible and my Rezound with ease. I got pretty comfortable with adb so I went on flashing roms and other mods. They were so easy but now everything seems to be so complicated with this phone.
I'm going nuts trying to understand these confusing threads where it sounds like you need to root the phone in order to root the phone. Even though they don't work, I see instructions to use firewater, towelroot or weaksauce so that you can use sunshine. I read where someone was asking for help because sunshine wouldn't work and they couldn't figure it out because the phone was already unlocked, rooted and s-off. Isn't that what sunshine does… unlock, root and s-off?
My HTC One M8 is bone stock, off-the-shelf with kitkat 4.4.4.
What do I need to use sunshine, now with 2.7.1 or later with 3.0?
Can I use an RUU to downgrade to 4.4.3 so that sunshine 2.7.1 will work?
Is sunshine REALLY the only way that works… or doesn't work (right now)?
Thank you in advance for your help and your patience.
.... and to ease your confusion: What a lot of people get mixed up is
temp root with weaksauce + firewater worked for some devices on 4.4.2 (hardware variants making the difference).
For those 4.4.2 weaksauce+firewater did not work and all 4.4.3 M8s there's only Sunshine (and it temp-roots the device in the process)
4.4.4: beaups announced they are shooting for a first week of January release for Sunshine 3
And no, you cannot downgrade to 4.3 with S-on.
Time to try your luck with the new weaksauce and sunshine.
http://forum.xda-developers.com/ver...ncluding-4-t2971591/post57462117#post57462117
dottat said:
Time to try your luck with the new weaksauce and sunshine.
http://forum.xda-developers.com/ver...ncluding-4-t2971591/post57462117#post57462117
That worked! Bootloader is now UNLOCKED and S-OFF. Thank you!! I must have had the earlier version of weaksauce.
Still no root though. SuperSU keeps failing when I try to update the binary online and my desktop is out of commission so no recovery yet either. I've got a new desktop on the way which should be here by the end of the week.
Is there anything I can try in the meantime?
RuLEoF2 said:
That worked! Bootloader is now UNLOCKED and S-OFF. Thank you!! I must have had the earlier version of weaksauce.
Still no root though. SuperSU keeps failing when I try to update the binary online and my desktop is out of commission so no recovery yet either. I've got a new desktop on the way which should be here by the end of the week.
Is there anything I can try in the meantime?
You can download from the play store the app called flashify to put a custom recovery on since no CPU right now u said, then you can download the latest SuperSU.zip from XDA and flash it in said custom recovery. That should get you rooted.
