[Q] Root method discovered for NEC Terrain? - General Questions and Answers

So I saw network unlocked NEC Terrain up on Amazon for about $85 or so, and I was thinking of getting one. However, the fact that root permissions haven't been obtained on this phone is really what is holding me back from purchasing it, and the last time I checked, the devs still have not found a PERMANENT root method for it...
I saw an app called Towelroot by geohot that can (maybe) not only root the Galaxy S5, but ANY recent Android phone, AS LONG AS it does not have 3.4.0 kernel or newer (at least that's what the article said regarding the Note 3 anyway).
Since I do not have the Terrain, I can't test this towelroot app to see if it works. So I was wondering if anyone out there with a Terrain would be willing to test this out to see if it works, and then report back the results. This device came out last year, and has not had software updates since October of 2013 because NEC doesn't want to do Androids anymore, so I am going to assume it does not have the 3.4.0 kernel. So maybe, just maybe, it will work. And who knows, if by some chance it does work, that could even lead to greater things being done with this device...
EDIT: I just read an article from ATT regarding the software on the Terrain on what I think is the latest firmware update. It said the kernel version was 3.0.8. I probably shouldn't, but I'm getting my hopes up. I kinda want this phone
http://www.att.com/esupport/article.jsp?sid=KB421350&cv=820#fbid=ex0inqn4h0e
Sent from my MB855 from the free version of xda app because cheap

It does not work
Hello,
Towelroot doesn't work on NEC Terrain. I've tried it with different configurations. I've also tried: labda root, poot, framaroot, z4root, vroot, baidu root, saferoot. Moreover, I've tried manually rooting the phone using this guide and tried dd'ing a modified boot.img, but that didn't stick and after reboot there weren't any changes.
Problem is that one can't remount the /system partition to rw. It just says "invalid argument". Furthermore, there isn't any fastboot support (locked out I guess).
I can get temp root using the method described by justDave, remount / and /data (maybe other partitions too, never tried) partitions, mount ././tmp/xbin (with busybox and su in it) over /system/xbin, but that doesn't get me anywhere.
I'm thinking about dd'ing a custom recovery, but I need to read up on it first. If you have any suggestions or other rooting methods, manual rooting guides etc., please post them here and I will try them if my knowledge lets me.
Off topic: NEC closed their mobile division. Just google "NEC Pulls the Plug on Smartphones" (I can't post links from outside). So there isn't any good news for people with NEC Terrain.

Well that sucks, towelroot was pretty much my only suggestion. I'll look into others. But just as a heads up, I don't think I'll be buying one anymore, so I won't be taking a LOT of time to research root methods.
And yes, I am aware that NEC stopped with smartphones. I assume that is why they are so cheap on Amazon?
Edit: bin4ry universal root for 4.0/4.1: http://m.ibtimes.co.uk/root-android-smartphone-tablet-universal-tool-install-385487 Chances are low that this will actually work, but I posted it anyway.
Sent from my MB855 using XDA Free mobile app

Yeah... no.
Personally I don't think you should buy it if there isn't a permanent root method and I don't think there will be any. NEC Terrain isn't popular so nobody with know-how will join the effort to root it. Also at least my phone has problems with the battery (from the moment I got it). It holds charge for 8 hours max. "Wakelock Detector" says it's always awake. Something with suspend_backoff, but because I can't uninstall bloatware I can't find out which app actually causes it. Furthermore without root one can't turn off "Fast Dormancy", which in my country drains battery. At this point I'm not afraid to hard brick it or nail it to the wall, because without root it is as good as a paperweight for me.
bin4ry universal root for 4.0/4.1 didn't work either. When I ran RunMe.sh (I'm on linux) nothing happens. Script is using commands like "am start -a android.intent.action.MAIN -n com.sonyericsson.android.servicemenu/.ServiceMainMenu" and moving folders which the phone doesn't have.

FFDA said:
Personally I don't think you should buy it if there isn't a permanent root method and I don't think there will be any. NEC Terrain isn't popular so nobody with know-how will join the effort to root it. Also at least my phone has problems with the battery (from the moment I got it). It holds charge for 8 hours max. "Wakelock Detector" says it's always awake. Something with suspend_backoff, but because I can't uninstall bloatware I can't find out which app actually causes it. Furthermore without root one can't turn off "Fast Dormancy", which in my country drains battery. At this point I'm not afraid to hard brick it or nail it to the wall, because without root it is as good as a paperweight for me.
bin4ry universal root for 4.0/4.1 didn't work either. When I ran RunMe.sh (I'm on linux) nothing happens. Script is using commands like "am start -a android.intent.action.MAIN -n com.sonyericsson.android.servicemenu/.ServiceMainMenu" and moving folders which the phone doesn't have.
Yeah, I don't think I'm going to buy it anymore. I mean, that $80 price tag on Amazon looks good, but if no one can even get it ROOTED, then even for that price it's not worth it. I've been looking at another cheap, rugged phone to get, the Kyocera Hydro Life which is $125 at Wal-Mart for T-Mobile. At least that phone has a root method.
But maybe one day, if I see a Terrain for like $40 or something ridiculously cheap like that on an online store, I'll pick one up. Yes, smartphones can get that cheap. I saw a Motorola Bravo (not a bad phone, I have one myself with a 4.4.4 ROM) for $40 new on eBay.
But anyway, if I find a new root method, I'll be sure to post it here. Chances are really slim for anything actually working, but hey, it's worth a try.

*BUMP* *BIG NEWS*
Just spoke with the very generous Kemonine96, a developer who I came to know through his work on the Rugby Smart. What started out as a half-sarcastic post made by me regarding Towelroot and the Terrain turned into what looks like a solution to this device's root issues! He thinks he has a solution to finally root this Terrain. And I believe him, because it sounds like he knows what he is talking about. Here are his exact words regarding some of my questions:
kemonine96 said:
You're welcome to borrow my work. All I'd ask is a note that it was adapted from the work done on the Rugby Pro.
He ran into a similar problem with the Galaxy Rugby where the /system would not mount as read/write. He made a root update.zip that fixed this issue. We are welcome to use it/modify it for the Terrain. But BE SURE TO GIVE HIM CREDIT IF YOU RELEASE SOMETHING BASED ON HIS ROOT.ZIP!!!! Please continue reading for more information:
kemonine96 said:
As for using it outright on the terrain: you likely need to adjust it some. Each device varies some and you'll need to hunt down the exact details. Fortunately the d2 family are all very similar so modifications should be minimal if necessary. I'd start by trying it and going from there.
You can use the following root (see OP root instructions). Dig through the update script and look for the file I'm renaming. You'll likely need something similar for the terrain. I developed this by gaining temporary root, unpacking an image I took of the boot partition and walking through the init scripts to see if they were calling anything "interesting" on /system. Managed to track down the file that was paving root/custom recovery. Once I knew the file I setup the update.zip to move the file out of the way so the call to it during boot would fail.
https://nuskunetworks.box.com/s/f1h6murg79lcoavvg0fk
The update.zip root stuff I've published requires a custom recovery to be available. The current "best way" prior to towel root was to flash a custom recovery with ODIN, immediately boot into recovery after the ODIN flash, applying the root update.zip and then booting into system. I came up with the exact procedure after much trial, error and chasing down ghosts.
If you have temporary root I'd do something similar to the following for permanent root
Setup busybox somewhere (/data maybe?) and use dd from it to copy off the whole emmc to an external sd card (use OTG + usb key if necessary). Do a full dd of the emmc disk under /dev and do a full dd of each partition under /dev
Start going through the partition images (BACKUPS are important here) using loopback mounts (or similar) and see where everything is at
Create a rough partition map (/dev/emmc0p1 maps to boot, /dev/emmc0p12 maps to recovery, etc [note these are contrived examples, look at the Rugby Pro stuff I've published for a starting point] -- This is a huge help to get others involved and so you can figure out what is where quickly.
Once you find recovery/boot/system start looking for ways to adjust to get a developer version permanent root. It doesn't have to be pretty, it just needs to work to aid development along. The initial root method for the Rugby Pro was developed by using a temp root to pull the boot partition, slip permanent root into the boot image, re-flash the updated boot image using dd. Once I had this I was able to start work on custom recovery and a saner root method.
Once you find a permanent root that can be used by developer types start looking at a proper custom recovery and get TWRP/CWM working
Ensure custom recovery (TWRP is a win all around at this point) is 100% and figure out if it's ever blown away during boot by some goofy script in /system (test by flashing custom recovery, booting it, rebooting into normal android, reboot back into recovery)
Get custom recovery mostly situated and work on an update.zip that sets up permanent root in a way that can be used by others easily (see my update.zip as a starting point)
Release custom recovery image, update.zip root and good instructions
This could be it. Thanks, Kemonine96. Thanks for not only this, but for your Rugby work as well
EDIT: To see the whole conversation, or in case I am leaving out information, please visit the Samsung Galaxy Rugby Pro Super Thread and go to the latest post. It should be somewhere around there.
Sent from my MB855 using XDA Free mobile app

You may also want to look at the root methods for other msm8960 and msm8660 devices. HTC, Sony and Samsung all used the platform prior to JB and there may be other examples floating around.
The Terrain was late to the party compared to some so it'll likely be trickier.

kemonine96 said:
You may also want to look at the root methods for other msm8960 and msm8660 devices. HTC, Sony and Samsung all used the platform prior to JB and there may be other examples floating around.
The Terrain was late to the party compared to some so it'll likely be trickier.
Since NEC gave up on smartphones after they made the Terrain, I doubt we will be getting any official drivers/kernels or anything of the sort from them.
Sent from my MB855 using XDA Free mobile app

jasonmerc said:
Since NEC gave up on smartphones after they made the Terrain, I doubt we will be getting any official drivers/kernels or anything of the sort from them.
Sent from my MB855 using XDA Free mobile app
As long as you can get the 3.0 kernel (it's GPL after all) you should be able to get newer releases going. It'll be a pita, but it's doable if you've got a starting point.
The real pain will likely be the keyboard / screen drivers since they are non standard compared to other devices.

kemonine96 said:
As long as you can get the 3.0 kernel (it's GPL after all) you should be able to get newer releases going. It'll be a pita, but it's doable if you've got a starting point.
I'd LOVE to be able to do these things myself, but alas, I am but a script kiddie as of now. I will begin my Android-modding studies as of now. Give me about 100 years and I should be good to go!
Sent from my MB855 using XDA Free mobile app

jasonmerc said:
I'd LOVE to be able to do these things myself, but alas, I am but a script kiddie as of now. I will begin my Android-modding studies as of now. Give me about 100 years and I should be good to go!
Sent from my MB855 using XDA Free mobile app
Guess where we all started, including myself?
The key is to keep smashing your face on your desk till you get through.

kemonine96 said:
The key is to keep smashing your face on your desk till you get through.
And that is why I am glad the phone is rugged.
Sent from my MB855 using XDA Free mobile app

Best way to proceed
If you have temporary root I'd do something similar to the following for permanent root
Setup busybox somewhere (/data maybe?) and use dd from it to copy off the whole emmc to an external sd card (use OTG + usb key if necessary). Do a full dd of the emmc disk under /dev and do a full dd of each partition under /dev
Start going through the partition images (BACKUPS are important here) using loopback mounts (or similar) and see where everything is at
Gaining temp shell root and setting up busybox isn't a problem, we already have that (again thanks to justDave). I have almost all partitions as *.img files (one was too big for the sdcard file system). Tomorrow I plan to buy an OTG cable and get the last one. But it is impossible to mount most of the partitions. I'm thinking that like the boot image, one must "unzip" the other partitions with a special program to look inside. Does anyone have any advice on this?
Create a rough partition map (/dev/emmc0p1 maps to boot, /dev/emmc0p12 maps to recovery, etc [note these are contrived examples, look at the Rugby Pro stuff I've published for a starting point] -- This is a huge help to get others involved and so you can figure out what is where quickly.
Partition maps already in [DEV][REF]El Grande Partition Table Reference thread. I think there is enough information there or I had missed something?
Once you find recovery/boot/system start looking for ways to adjust to get a developer version permanent root. It doesn't have to be pretty, it just needs to work to aid development along. The initial root method for the Rugby Pro was developed by using a temp root to pull the boot partition, slip permanent root into the boot image, re-flash the updated boot image using dd. Once I had this I was able to start work on custom recovery and a saner root method.
This is where my problems begin. I don't know what exactly to change in boot to gain root. I tried the simplest thing, that is changing ro.secure=1 to ro.secure=0, but that didn't stick. Maybe I did something wrong (used two different methods to create boot.img files. One image was made with mkbootimg, another with abootimg), but at least two other people (aluminumx & MrMEEE) tried dd'ing their custom boot.img without any luck. Maybe I should try dd'ing a custom recovery first? Or is boot.img the way to go?
Just as a reminder I want to say that there isn't any fastboot support.
Can someone tell me what I should focus on? boot.img or recovery mode?
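The question above about which partition dumps can be mounted and which must be unpacked comes down to what format each image is in. The following is an added example, not code from this thread or from any of the tools named in it: it classifies a dumped partition image by its magic bytes, using the public layouts (ext2/3/4 keep 0xEF53 at byte 56 of the superblock that starts at byte 1024; "ANDROID!" opens a boot or recovery image; 0x1F 0x8B opens a gzip stream; "EFI PART" at byte 512 marks a GPT on a whole-disk dump). The sample dumps at the bottom are constructed in-line so it runs offline; the partition names in them are illustrative, not a Terrain layout.

```python
"""Classify dumped Android partition images by their magic bytes."""
import gzip
import struct

EXT_SUPERBLOCK_OFFSET = 1024
EXT_MAGIC_OFFSET = EXT_SUPERBLOCK_OFFSET + 56  # s_magic, little-endian u16


def identify_image(data):
    """Return a short label describing what the partition image looks like."""
    if len(data) >= 8 and data[:8] == b"ANDROID!":
        return "android-bootimg"      # boot/recovery: unpack it, don't try to mount it
    if len(data) >= 2 and data[:2] == b"\x1f\x8b":
        return "gzip"                 # e.g. a bare ramdisk or a compressed kernel
    if len(data) >= 520 and data[512:520] == b"EFI PART":
        return "gpt"                  # whole-eMMC dump: carve the partitions out first
    if len(data) >= EXT_MAGIC_OFFSET + 2:
        (magic,) = struct.unpack_from("<H", data, EXT_MAGIC_OFFSET)
        if magic == 0xEF53:
            return "ext4"             # a read-only loopback mount works on this
    if len(data) >= 512 and data[510:512] == b"\x55\xaa" and (
        data[54:57] == b"FAT" or data[82:85] == b"FAT"
    ):
        return "fat"                  # FAT12/16/32 volume, also loopback-mountable
    if data and not data.strip(b"\x00"):
        return "empty"                # all zeros: erased or never written
    return "unknown"                  # raw or vendor-specific format, needs more digging


def classify_dumps(dumps):
    """Map partition name -> label for a dict of {name: bytes}.
    This is a first pass at the partition map the Rugby Pro notes recommend."""
    return {name: identify_image(blob) for name, blob in dumps.items()}


def build_sample_dumps():
    """Constructed sample dumps (not real Terrain data) that exercise each branch."""
    ext4 = bytearray(4096)
    struct.pack_into("<H", ext4, EXT_MAGIC_OFFSET, 0xEF53)
    gpt = bytearray(1024)
    gpt[512:520] = b"EFI PART"
    return {
        "boot": b"ANDROID!" + bytes(2040),
        "system": bytes(ext4),
        "ramdisk": gzip.compress(b"constructed ramdisk payload"),
        "mmcblk0": bytes(gpt),
        "misc": bytes(512),
        "vendor_blob": b"\xde\xad\xbe\xef" + bytes(508),
    }


if __name__ == "__main__":
    for name, label in classify_dumps(build_sample_dumps()).items():
        print("%-12s %s" % (name, label))
```

On a real set of dumps you would read each *.img with open(path, "rb") and feed the bytes to identify_image(); anything labelled ext4 or fat is a candidate for a read-only loopback mount, while android-bootimg images need a boot image unpacker rather than mount.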

You could try it again. Just remember that ro.secure exists in multiple places. default.prop, and some inits as far as I remember. I'll check later on and repost. Had you tried to change all of them? I've also read that the image being written has to be the same size as the image being overwritten. I don't know if that's relevant for this though.
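The Rugby Pro notes quoted earlier describe pulling the boot partition, unpacking it and walking the init scripts, and the reply above points out that ro.secure is set in more than one place in the ramdisk. The following is an added example, not code from this thread, from kemonine96's Rugby Pro update.zip, or from mkbootimg/abootimg: it parses the classic "ANDROID!" boot image header (the version-0 layout, where the header, kernel and ramdisk are each padded to page_size), slices out the kernel and gzip'd ramdisk, lists every ro.secure assignment in the decompressed ramdisk, and hashes each section so a fresh dump taken after writing a modified image back can be compared to see whether the write actually persisted. The sample image is constructed in-line (a gzip'd text blob stands in for the cpio ramdisk) so it runs offline; a real boot partition dump would be passed to parse_boot_image() unchanged.

```python
"""Unpack an Android v0 boot image and list where the ramdisk sets ro.secure."""
import gzip
import hashlib
import re
import struct

BOOT_MAGIC = b"ANDROID!"
# Magic, then kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, unused, os_version (ten u32s), then the
# 16-byte board name and the 512-byte kernel cmdline.
HEADER = struct.Struct("<8s10I16s512s")
# Matches both "ro.secure=1" (default.prop) and "setprop ro.secure 1" (init scripts).
RO_SECURE = re.compile(rb"ro\.secure[=\s]+([01])")


def _pages(nbytes, page_size):
    return (nbytes + page_size - 1) // page_size


def parse_boot_image(data):
    """Return the header fields plus the raw kernel and ramdisk sections."""
    if len(data) < HEADER.size or data[:8] != BOOT_MAGIC:
        raise ValueError("not an ANDROID! boot image")
    fields = HEADER.unpack_from(data)
    (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
     _second_addr, tags_addr, page_size, _unused, _os_version) = fields[1:11]
    if page_size == 0:
        raise ValueError("page_size of 0 in header")
    kernel_off = page_size                                 # header takes one page
    ramdisk_off = kernel_off + _pages(kernel_size, page_size) * page_size
    end = ramdisk_off + ramdisk_size
    if len(data) < end:                                    # e.g. a dump cut short by FAT32 limits
        raise ValueError("truncated image: need %d bytes, have %d" % (end, len(data)))
    return {
        "page_size": page_size,
        "kernel_size": kernel_size,
        "kernel_addr": kernel_addr,
        "ramdisk_size": ramdisk_size,
        "ramdisk_addr": ramdisk_addr,
        "second_size": second_size,
        "tags_addr": tags_addr,
        "name": fields[11].rstrip(b"\x00").decode("ascii", "replace"),
        "cmdline": fields[12].rstrip(b"\x00").decode("ascii", "replace"),
        "ramdisk_offset": ramdisk_off,
        "kernel": data[kernel_off:kernel_off + kernel_size],
        "ramdisk": data[ramdisk_off:end],
    }


def find_ro_secure(ramdisk_gz):
    """Decompress the ramdisk and return [(byte_offset, value), ...] for every
    ro.secure assignment. cpio stores file bodies verbatim, so a byte scan of the
    decompressed archive finds the setting in default.prop and in init scripts."""
    plain = gzip.decompress(ramdisk_gz)
    return [(m.start(), m.group(1).decode()) for m in RO_SECURE.finditer(plain)]


def section_digests(parsed):
    """SHA-256 of the kernel and ramdisk; compare against a re-dump after a dd
    write to tell whether the new image stuck or the old one is still in place."""
    return {k: hashlib.sha256(parsed[k]).hexdigest() for k in ("kernel", "ramdisk")}


# --- constructed sample (not a real Terrain boot image) -----------------------
SAMPLE_RAMDISK_TEXT = (
    b"# constructed stand-in for default.prop\n"
    b"ro.secure=1\nro.debuggable=0\n"
    b"# constructed stand-in for an init script\n"
    b"on boot\n    setprop ro.secure 1\n"
)


def build_sample_image(page_size=2048):
    """Assemble a valid v0 boot image around the constructed ramdisk text."""
    kernel = b"KERNELSTUB" * 300                           # 3000 bytes -> two pages
    ramdisk = gzip.compress(SAMPLE_RAMDISK_TEXT)
    header = HEADER.pack(BOOT_MAGIC, len(kernel), 0x80208000, len(ramdisk),
                         0x81800000, 0, 0, 0x80200100, page_size, 0, 0,
                         b"constructed", b"console=ttyHSL0 androidboot.hardware=sample")

    def pad(blob):
        return blob + bytes(_pages(len(blob), page_size) * page_size - len(blob))

    return pad(header) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    info = parse_boot_image(build_sample_image())
    print("page_size=%d kernel=%d bytes, ramdisk at offset %d"
          % (info["page_size"], info["kernel_size"], info["ramdisk_offset"]))
    for off, val in find_ro_secure(info["ramdisk"]):
        print("ro.secure -> %s at ramdisk byte %d" % (val, off))
    print(section_digests(info))
```

Two offsets matter when checking an edited image: both ro.secure hits must be changed for the edit to mean anything, and the digests of the re-dumped partition must match the image you wrote, otherwise the write did not persist regardless of what dd reported.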

I can definitely give kemonie's suggestion a try. However, I am still not confident that we can get permanent root without unlocking/bypassing the nand lock first. I was able to identify the boot and recovery partitions relatively easily, and dd their contents out no problem as well. dd'ing a new image back on was the problem... for testing purposes, using the stock boot image as base, I just added a zero length file to the folder, wrapped it back up, and dd'd it back to boot; the file never made it through even though dd didn't give any error. Which prompted me to think the nand was locked. So the other way of patching the boot partition would be applying an update.zip file in recovery mode, but we need a code as well, see screen shots. And yeah, no fastboot mode either. It's very frustrating to hit all possible road blocks there can ever be to root this thing. But I do believe that the key lies in my terrain though, because reading from everyone who has posted so far, mine seems to be the only one that is confirmed unlocked. So yeah, if we can get some expert hackers to help in this effort, I wouldn't mind donating my time or even my phone to help.
Sent from my SGH-I547C using XDA Free mobile app

aluminumx said:
But I do believe that the key lies in my terrain though, because reading from everyone who has posted so far, mine seems to be the only one that is confirmed unlocked.
What do you mean by that? In case you bought your phone from cellforce on eBay, I doubt your phone is special in any way. Some weeks ago in the light of discussions going on here I asked the seller how he unlocks the phone, whether he tampers with the software or if he just enters unlock codes. He claims he just uses unlock-codes. If that is true then your terrain should not be special, right?

laserdrome said:
What do you mean by that? In case you bought your phone from cellforce on eBay, I doubt your phone is special in any way. Some weeks ago in the light of discussions going on here I asked the seller how he unlocks the phone, whether he tampers with the software or if he just enters unlock codes. He claims he just uses unlock-codes. If that is true then your terrain should not be special, right?
hmmm, if that is truly the case, i.e., the seller just entered the code to unlock mine before he sold it, then yeah, mine won't be any special. However, from talking to multiple other dealers, AT&T support and also NEC support, the unlock codes are not available for this phone at all, which would mean my seller got his batch already unlocked. I could be wrong though since I talked to them almost a year ago and it may be true that AT&T or NEC has released the code database. Anyway, the fact is that I haven't been able to find another owner on these forums who has their Terrain unlocked. The hope is that if we can successfully get permanent root on it, then we can compare files and settings between the locked and unlocked ones. I do wish you good luck getting the code though, that would definitely be good news for a few people here

I have both a locked and unlocked NEC Terrain. And, if it were to be helpful, in the box of the unlocked one was a little slip of paper that says "CODE" and has a number on it. The phone was unlocked when I received it, so I can't confirm that the code on the paper is the unlock code for the phone.
I'd be happy to pull whatever files would be helpful from either device and post them. Give me a process and I'll get what you need.
aluminumx said:
hmmm, if that is truly the case, i.e., the seller just entered the code to unlock mine before he sold it, then yeah, mine won't be any special. However, from talking to multiple other dealers, AT&T support and also NEC support, the unlock codes are not available for this phone at all, which would mean my seller got his batch already unlocked. I could be wrong though since I talked to them almost a year ago and it may be true that AT&T or NEC has released the code database. Anyway, the fact is that I haven't been able to find another owner on these forums who has their Terrain unlocked. The hope is that if we can successfully get permanent root on it, then we can compare files and settings between the locked and unlocked ones. I do wish you good luck getting the code though, that would definitely be good news for a few people here

Hey timkiller, good that your vendor gave you the code as well. My guess is that it's the sim unlock code, which you probably don't need anymore as once your phone is unlocked, it "shouldn't" get relocked, but just in case, you should save it somewhere. However, if it's not the sim code but the maintenance code, that would be helpful for the rest of us. If you can, try the following and let me know if it works. I am not exactly sure how familiar you are with android, so I will be a bit more detailed here, hope you are not insulted. I am by no means any expert, I basically just want to see if the code you got is the maintenance code or not.
1. power down the phone
2. hold the volume down button, and then the power button to turn on the phone, hold on to the keys until you see the android maintenance picture
3. press up volume, then down volume button, and a menu should show up. You are now in recovery mode. In this mode, you have to use the volume down to cycle through the menu items, the volume up to select it. You should see the following choices, if the menu is different from below, please let us know
a. reboot system now
b. wipe data/factory reset
c. wipe cache partition
d. repair software by sdcard
e. maintenance
4. use the volume down key to move to maintenance, then use volume up to select it. You should now be asked to enter the password. Again, use the volume buttons to enter the code you got. Remember to select OK at the end. If you get kicked out back to the original menu, then the code didn't work, and proceed to step 5 below. I have no idea what it would look like if the code works though, but I imagine you will have a new menu system. Please let us know either way.
5. Last thing to try is the repair software by sdcard option. Use the volume buttons to select that, it will first ask you to confirm, volume down to yes and you will be prompted to enter the password once again. Enter your code and let us know if it works.
Well, I won't hold much hope on it, but it's worth a try. If either option works, then we can compare your IMEI with the code, and maybe derive a pattern out of it. I know another NEC phone model is like that.
thanks for your help, crossing fingers
timekiller_9 said:
I have both a locked and unlocked NEC Terrain. And, if it were to be helpful, in the box of the unlocked one was a little slip of paper that says "CODE" and has a number on it. The phone was unlocked when I received it, so I can't confirm that the code on the paper is the unlock code for the phone.
I'd be happy to pull whatever files would be helpful from either device and post them. Give me a process and I'll get what you need.

I'm not insulted at all. I'm not an Android expert per se, but I am very tech savvy and can get around the device quite well. I can run a temporary root via adb, extract a partition, whatever it is that would be useful.
The recovery mode menu appears exactly as you describe it.
I tried the code I have to try to get into the maintenance and repair modes. Unfortunately neither worked, both kicked me back out to the previous menu. I suspect it's the unlock code that I have, or possibly even just a code for something else altogether that the seller accidentally included in the box. It's a hand written slip of paper with just the word "CODE" and an 8 digit number on it, so we cannot be certain it's even for this device.
I'm happy to try any other ideas, or extract something for you to compare on either the locked or unlocked phone. I will be travelling for the next week so I will only have the unlocked phone with me.
aluminumx said:
Hey timkiller, good that your vendor gave you the code as well. My guess is that it's the sim unlock code, which you probably don't need anymore as once your phone is unlocked, it "shouldn't" get relocked, but just in case, you should save it somewhere. However, if it's not the sim code but the maintenance code, that would be helpful for the rest of us. If you can, try the following and let me know if it works. I am not exactly sure how familiar you are with android, so I will be a bit more detailed here, hope you are not insulted. I am by no means any expert, I basically just want to see if the code you got is the maintenance code or not.
1. power down the phone
2. hold the volume down button, and then the power button to turn on the phone, hold on to the keys until you see the android maintenance picture
3. press up volume, then down volume button, and a menu should show up. You are now in recovery mode. In this mode, you have to use the volume down to cycle through the menu items, the volume up to select it. You should see the following choices, if the menu is different from below, please let us know
a. reboot system now
b. wipe data/factory reset
c. wipe cache partition
d. repair software by sdcard
e. maintenance
4. use the volume down key to move to maintenance, then use volume up to select it. You should now be asked to enter the password. Again, use the volume buttons to enter the code you got. Remember to select OK at the end. If you get kicked out back to the original menu, then the code didn't work, and proceed to step 5 below. I have no idea what it would look like if the code works though, but I imagine you will have a new menu system. Please let us know either way.
5. Last thing to try is the repair software by sdcard option. Use the volume buttons to select that, it will first ask you to confirm, volume down to yes and you will be prompted to enter the password once again. Enter your code and let us know if it works.
Well, I won't hold much hope on it, but it's worth a try. If either option works, then we can compare your IMEI with the code, and maybe derive a pattern out of it. I know another NEC phone model is like that.
thanks for your help, crossing fingers

Related

[CONCEPT] Root automatically from SD Card or from PC

I'm thinking of creating a small archive of files, that when extracted to the SD card root, and applied, will root the phone and apply a firmware in only three steps.
It will only contain four files - the RC29 DREAIMG.nbh file necessary for downgrading, an update.zip that contains the latest SPL and Radio, the latest Cyanogen Recovery image, and a simple script that applies root, SPL/Radio, and your favorite firmware.
I'm not sure if it will work, but constructive criticism and ideas are welcome.
_______________________________________
First method: Root from SD card
This method puts all the necessary files on an SD card, and does not require a computer after that.
Basically, in a zip file, you have the RC29 DREAIMG.nbh, update.zip, and root script.
You extract this to the root of a FAT32-formatted SD card.
You reboot with camera+power, apply the DREAIMG.nbh, reboot.
Once the phone is booted, type in "sh /sdcard/root.sh".
From the exposed root terminal, it will begin the following:
Write the Cyanogen recovery image to flash, move image to system/recovery.img, remove image file
Place commands in /cache for recovery to apply the radio/spl combo package and if it exists, a custom firmware, in the correct order
reboot recovery, performing the above tasks automatically.
Benefits include:
- No telnet app required, not opening up a telnetd, more secure
- Only one command to enter
- No(?) risk on flashing the Hero-compatible radio/SPL out of order and bricking that way, as both are flashed at the same time
- Automates several of the processes in rooting, allowing for a quicker root
- Can be placed on a special "rootkit" sdcard, and used to quickly root your friend's phone in a matter of minutes, anywhere
_______________________________________
Second method: Root from PC
Another method I thought of uses no manual copying to the sdcard, but requires a PC with fastboot(?) and adb.
First, it pushes the RC29 DREAIMG.nbh to the sdcard, and issues a reboot to bootloader.
You press a few keys to write the image, and reboot.
--OR--
First, it pushes an update.zip containing the update just before T-Mobile patched the root kernel exploit, then it puts the commands to flash it and reboots into recovery. After that flashes, it reboots again.
From this point on, it's all automatic.
The script waits for the device to be ready, and adb installs the auto-root exploit apk, and launches the intent through adb shell am start [...]
At this point, the WiFi settings are probably not capable of downloading the Cyan recovery in the case of those of us without data plans, so it will need to be pushed.
Once the autoroot apk flashes the recovery, we must write parameters to flash the radio/spl combo package, and the custom firmware (if applicable), to /cache, and reboot.
At this point, the radio, SPL, and firmware should be pushed and written, so the script exits.
_______________________________________
If this sounds stupid, doesn't make sense, will auto-brick your phones, start global thermonuclear war, make all random numbers generated by your phone divisible by three, cause your meticulously placed lineup of G1 dominoes to collapse prematurely, or boot up the LHC and wind up creating a black hole, I am terribly sorry, but it's an idea I had at 2 in the morning, and it took me this time to research some things and write this post. It's about 5:30 AM now.
This is only an experimental concept. Some things might not be completely thought out. I'm tired, and hungry. I may create a proof-of-concept implementation of this, if I knew a bit more about the syntax of describing intents to launch in 'am', or the command syntax of the package:/META-INF/com/google/android/update-script file.
don't forget that for root from SDcard, EU users need a goldcard, so it's still not that easy..
even for insta root from PC, you still need to downgrade, and for that we'll need a goldcard.
why not just use 1click root?
First you have one click root which does give you access to recovery with security off so it's possible to somehow go from there instead of downgrading and all that hassle. I personally do not care to see the advancement of this app for the simple fact that there are already a wave of people that cannot read and expect hand holding every second of the way and you want to make it even easier to confundle their minds.............are you nuts....
I already have a rooting sdcard for rooting other people's phones that contains one click recovery flasher, cyan 4.04 and the hard spl and it takes me 10 mins to do it just because the first boot up takes so long
also you can't have your pc reading the sdcard at the same time that the phone is
The concept is good but...there's many complications to have it done automatically.
I sure would like to see something like this. I have a G1 that I rooted the long way and a MT3G rooted with the one click method. I have enough knowledge to follow instructions and read, I partitioned my own card, so the G1 was doable. I don't have the time or the knowledge to go the long route with the MyTouch gold card ADB route and would love to be able to flash Hero ROMS when I get the bug. I have Cyan's latest on the MT now and it's awesome like all his stuff but I would have played with Drizzy's ROMs. For someone like me with a little ability but far less than most people on here, something like this would be the bomb!
not sure if it's possible or anything, but there should be some way for the script to check if the phone has a pvt board or not, and if not, it prevents the new spl from being flashed, should reduce noob bricks.
Leave root the way it is. I think the harder it is to root your phone the fewer people are going to do it. I spent a lot of time reading before I rooted, not so much to learn how to do it, but to decide if I wanted to make the jump. During this reading process I learned the ways of XDA, use search, where to place the right questions and where NOT to and finally read first then ask. With an automatic root I would have loaded it then freaked out if something went wrong and started posting root questions all over the place. Leave well enough alone... Learning to root gives you the right to pursue other adventures.
maybeoneday said:
Leave root the way it is. I think the harder it is to root your phone, the fewer people are going to do it.
Frankly, I didn't root my phone to feel special, so I don't see any benefit whatsoever in less people doing it.
I don't think this will work though. There's too many variables. As described it will only root US phones. UK phones would need RC7, so you'd have to include both and check if the current OS is CRC1 or CRC37 (or respective older/newer versions). But European phones outside the UK (like my German G1) will be on CRC37 too, and those won't take RC7 without a goldcard, so you'd have to automate goldcard creation as well. I'm sure the complications don't end here.
Also, shoving Haykuro's SPL onto inexperienced/unsuspecting/ignorant users' devices is just begging for trouble. Just use HardSPL - the rooting kit won't be able to run Hero-ROMs right away, but at least that won't brick the phone if flashing some rom downgrades the radio. (E.g., I know some official updates do that.)
1-click root is so simple and idiot-proof (and I'm a total pansy noob lol).
I don't think there is any simpler way to do this lol.
Frenchtom, nothing is idiot-proof. Have you been over to the Q&A section? If there is a way to do something and good instructions, it will get screwed up because of people not taking the time to read the complete directions, and then read them twice to make sure they comprehend them.
Okay, thanks for your input, everybody.
I did know about 1-click root, however I thought that depended on a kernel vulnerability that was already patched in the OTAs. I was looking at a more universal(ish) method, and I did not know about the "goldcard" issue. I did know that UK phones would need RC9, but I failed to include that as I really just wanted to get to bed.
Also, I don't think that root is anything "special", i.e. some sort of elitist egotist symbol that says "I haz root fone and I better than u". Seriously, more people should be allowed to use the more advanced features of their device at their own choosing, knowing that there are risks involved.
People who walk up to someone, say "I got a root phone", show off some massive demo of awesomeness (i.e. Hero), and don't teach others to root the G1 themselves (or worse, charge for instructions that could be found free here) are really the antithesis of an open-minded community of developers adding more features as they see fit, for what little donation money they get and the credit of doing something cool for other G1 users.
I do however agree that pushing features that can potentially insta-kill the device on the average person and their grandma, people that wouldn't know what the benefits of root are, and people who would never even have known that their G1 ran Linux (or what Linux is, for that matter), is just asking for trouble. A fair balance between educating people about the phone's internals and making easy-to-install root packages and stuff should be kept.
I learned a lot about Windows Mobile and embedded software when I first flashed a custom ROM to my HTC Wizard years ago. And I actually had a fear that if any small detail were left out, or if I breathed on the phone the wrong way, the flash would fail, white-screen, and brick out.
The G1 is no different, even though the flashing process has come a long way, we still have an IPL, SPL, bootloader mode, many different variations, board revisions, regional changes and operator customizations/lockdowns (I had a Cingular 8125 G3 btw), and many versions of Consumer, Engineering, and HardSPL that have to be treated very, very carefully, just like on the Wiz.
Anyway, anyone's free to try and build a better mousetra--- err, rootkit using my ideas. And thanks plenty to the dedicated developers here, the more enlightened users for helping me find out why this wouldn't work, all the users, without whom, we wouldn't have a reason to develop, and the 17%-or-so of you that dislike my idea.
When I learn a bit more, I might get into making something useful for Android.
Repack dreamimg.nbh with everything, so one just has to flash the one image.
Oh, I am not saying that I think I am special just because I have a rooted phone. I am also a person who is on here always trying to help walk someone through any issues that may arise. I'm just saying that making it easier for people to break something because they did not read the instructions is quite common, and I think that it should take a little bit of work so that you learn in the process.

How to Root Non-Sprint (Cellular South, Bluegrass Cellular, etc) CDMA Hero

Update (October 7, 2010)
Use ngholson's guide to root: http://forum.xda-developers.com/showthread.php?t=581869&page=53#post8358998
Posts in the first 40 or so pages of this thread are old old old. Try browsing through the last 10 or so pages if you have any problems.
I may put a guide for using an App to root in this first post, but I don't have time right now.
OLD OLD OLD Manual Root:
This will still work, but ngholson's guide is a lot easier and you should definitely try it first.
NOTICE / WARNING / READ THESE:
1. I give no guarantees for anything that may or may not result from following these instructions (or any mistakes made).
2. Doing this will probably void your warranty, BUT as long as you don't run some other carrier's RUU (not talking about ROMs here, talking about the official upgrade files; what's important is that your hboot version doesn't change), you can always just flash your carrier's RUU to go back to completely stock and unrooted.
Known issues:
NONE! This is a clean procedure that leaves your current ROM as is. Any issues you have will be related to whatever ROMs you choose to flash or additional packages you choose to flash to your current ROM.
Steps:
1. Upgrade to 2.1
We know this works with the initial 2.1 updates, but later updates may patch it. If you have installed additional updates from your carrier, you may have to flash the original RUU to be able to root.
2. Download and extract the Android SDK
http://developer.android.com/sdk/index.html
You really only need this for the adb binary. If anyone can suggest a better way to get it than downloading the entire SDK, let me know.
3. Download and install HTC Sync
Some carriers have specific versions of HTC Sync (I know Cellular South does).
You could also just install the adb drivers.
4. Download the hack and extract it to your SDK tools directory. (or wherever you have adb)
It's attached to this post.
5. Turn on USB Debugging on your phone
Settings -> Applications -> Development -> USB Debugging
6. Plug your phone in USB
7. Run the script
For Windows this is runindos.bat. You should be able to just double click it.
That's it. This will flash the Darch version of AmonRA's recovery.
8. BACKUP
At this point you should probably back up your current stock ROM (see Recovery guide below) and back up your PRL (navalynt has good instructions on this in his root guide).
Now you can flash a custom rom or just flash the provided su.zip (see Recovery guide below) for Superuser Permissions (root) within your current rom.
Recovery
Recovery is where you can backup, restore, and flash ROMs or additional app zips.
To enter Recovery mode on your phone, power the phone off. Then hold home and press the power button. Keep holding home until you get the recovery screen.
You'll see several options, but the first thing you'll want to use is Backup. I've always used the nandroid option; not sure of the differences between it and BART. Backing up does exactly what you'd expect: it copies your current ROM to your SD card. It doesn't change anything on the phone. It does take a few minutes, so be patient.
Most ROMs will suggest you wipe first, and there is a menu option for that in recovery also. Just choose wipe, then factory reset. This does nothing to your SD card and only wipes application data (apps installed from the Market, settings for any app, etc.).
After you've backed up, Recovery is also where you flash new ROMs or additions to your current ROM. It's easiest to pick a ROM you want on your PC and transfer it to your phone over USB. You can either do this the normal way, or, if you're already in recovery, there is a USB-MS option you can use. Some recoveries require flashable zips to be in the root of your SD card (not in any directory). After the ZIP is on your SD card, choose "install zip from sdcard" and pick the zip of the ROM you want. That's it. After it's done flashing, reboot your phone. If you wiped and flashed a full ROM, the first boot will take several minutes.
If you flash a ROM and either get stuck in a boot loop or just don't like it, go back into recovery under the Backup option and choose nandroid restore. Pick the option you get (it's a directory named with your phone's serial number) and you'll see a list of backups named with the date/time they were created. Choose which one you want to restore, wait a few minutes, then reboot and you'll be back to exactly where you were.
I've learned that the exploit used on the Sprint Hero doesn't work on the CS Hero because it uses mmap_min_addr. This means that exploits which rely on a null pointer dereference (like the Sprint exploit) won't work.
So here's what I think I need:
1) I'll be watching bugtraq, etc., for local kernel vulnerabilities that are not null pointer dereferences. (I don't think I know 100% what that means yet.)
2) I also need to learn how to know if a vulnerability is applicable. Like this one http://www.securityfocus.com/bid/36834 . I don't even know really where to begin to see if I can use that.
3) Once I've found a vulnerability, how do I exploit it? I realize there will probably be proof of concept for the exploit, but how will I turn that into something that executes a specified command like asroot2 does. Is the source available for asroot2?
4) I wonder if I need to bother figuring out if the source used to build the kernel for CS is different from Sprint. Is a change in config.gz enough to legally require HTC to provide me with source specific to the CS version?
Keep up the good work
I know there aren't many of us, but I'm really hoping to root my hero sometime soon. I wish I could help but I picked my engineering field because it didn't require learning any computer languages haha
cdiamond333 said:
I know there aren't many of us, but I'm really hoping to root my hero sometime soon. I wish I could help but I picked my engineering field because it didn't require learning any computer languages haha
Glad to see at least one person interested enough to join XDA!
Though I'm afraid we're going to end up waiting until someone roots the Droid and/or Droid Eris and hope that works for us as well.
Can anyone give us an idea about where to find the RUU specific to Cellular South? Do those come from HTC, the carrier, or do they just "magically" make their way to the net from whoever happens to have access to them?
Really Like To See a Root
I would also like to see some success on this post as well... I have been with Cellular South for years and this is the best phone they have produced! It only needs root access! I'm a computer engineer at Miss. State, and I would love to see what I could do with this phone.
Maybe I could find an exploit... but it might take me longer to find it seeing that I am still in the beginning stages of my discipline.
But all I wanted to say is: LETS GET THIS ROOT!!
Root cellular south hero
I agree. I have the HTC Hero from Cellular South and would like to share the internet with my computer, but I can't tether unless the phone is rooted.
Hey guys!
I, too, am a CellSouth Hero haver... and I'm searching high and low for the procedure as well! I'll be checking back here and also searching round and posting anything I find.
If anyone gets an update, please email me at [email protected]
Help
I too own a CS Hero and I am looking all over the net for a way to root this phone. If a way can be found, will any ROMs work on it, or will new CS-specific ROMs have to be developed? If that is the case, then I am afraid we CS users won't gain access to this for a while, as the customer base is quite small compared to Sprint.
OBSt4l0n said:
I too own a CS Hero and I am looking all over the net for a way to root this phone. If a way can be found, will any ROMs work on it, or will new CS-specific ROMs have to be developed? If that is the case, then I am afraid we CS users won't gain access to this for a while, as the customer base is quite small compared to Sprint.
Well I've been surprised by the response to this thread, so hopefully there is more interest specific to CS than we may realize.
Ideally, ROMs made with Sprint Hero in mind will work on the CS Hero. I haven't put much effort into it without having root access yet, but when I get a chance I'm going to take the time to compare things like the radio image, etc and see just how much they differ from one to the other. If nothing else, hopefully we can replace the different pieces in the custom ROMs and be able to use them.
I will update this thread with what I find, and hopefully others will contribute as well.
??
Any news??
MrDanger said:
Any news??
I know, right? Seriously, is anyone out there?
I have posted threads at various sites, and they all get buried fairly quickly.
Would love to solve this issue... surely someone out there would find this to be a challenge worth taking up...
I hope.
Oh, and happy Thanksgiving...
markachee message
Check your profile for a message that I left you.
It's just going to be a waiting game.
First someone has to find an exploit, most likely in the Linux kernel. This doesn't have to be something specific to our phone. It's more likely that it will be a generic thing that will work for us, Droid, and Droid Eris (as well as Linux in general).
It's not likely I'd be able to discover one of these exploits, so I'm watching for exploits coming out (bugtraq, etc) that might work for us. There really hasn't been anything at all since the pipe.c vulnerability that worked for the Sprint Hero.
Really one thing we need that we should be able to get now is an RUU specific to Cellular South's Hero. From what I understand, an RUU lets you reset your phone to a factory/updated image in the event something goes wrong. It wouldn't directly help us get root, but it would be a "safety net" for those of us screwing with our phones trying to get root.
Anything you guys could help dig up on where/how to find it would be awesome.
This looks promising. At least have some people in this thread that know enough to be able to compile for the phone:
http://forum.xda-developers.com/showthread.php?p=5034122
Also, realized I never mentioned I was looking at the "enlightenment" exploit set from http://www.grsecurity.com/~spender/
Just chiming in. I've had my Cell South Hero for about a month and have been following this thread with the hope of seeing our phones rooted. I am a technician/admin with some coding and Linux experience, but I am unfamiliar with rooting cellphones. Anything I can do to help, let me know.
tether
You can USB tether using PdaNet from the Market without root.
I have seen PdaNet. I'm not interested in just tethering, but thank you.
Mine comes in Tuesday.
markachee said:
This looks promising. At least have some people in this thread that know enough to be able to compile for the phone:
http://forum.xda-developers.com/showthread.php?p=5034122
Also, realized I never mentioned I was looking at the "enlightenment" exploit set from http://www.grsecurity.com/~spender/
Here are the compiled programs from within that exploit.

TF700 with Dev Build

I just received my new TF700 shipped from BestBuy.com
I've already noticed several funny behaviors, as compared with the TF300 I tested out last month.
Battery was at 0% when I opened the box
No typical Android first-time welcome screen stuff
Gallery has a picture taken of a camera calibration test pattern
Dev Options had USB Debugging, Stay Awake, and Allow Mock Locations all checked.
Cannot set the Screen Lock>Slide
Screen seems to flicker a bit when I return to the home screen.
Serial number is reported as 11111111111111111
ADB also identifies the device as 11111111111111111
Several generic actions cause crashes, such as accessing Settings>Accounts and Sync
Browser crashes directly after opening
Red border around the screen, similar to this thread
http://forum.xda-developers.com/showthread.php?t=1442185
Numerous pre-loaded apps that look well outside the standard set:
AtCmdSender
ATS_Discharge
ATS_MMI_TF700
bmmi.v2.3
BTtest
Command
DevTools (I know this one, but can't remember if this is included as standard app now or not, I doubt it)
FTM
GPS Test v5.12
Log Tool 2.21.1
MTTestTool
RunIn_v2.5
Spare Parts (as with DevTools, I know this one but don't think this is standard)
TF700_Gsensor_TestV1.22
TF700T (ATS logo)
TF700T_Ecompas_Kv1.3
TF700T_GsensorKv1.23
WLAN RF Test Tool BCM4329
And of course, the Build Number is identified as
OPEN_epad-eng 4.0.3 IML74K OPEN_epad-9.0.4.104.15-20120618 test-keys
Several other threads I found regarding OPEN_epad builds
http://forum.xda-developers.com/showthread.php?t=1577386
http://forum.xda-developers.com/showthread.php?t=1685600
http://www.transformerforums.com/forum/transformer-pad-300-help/24112-solved-update-firmware.html
http://www.transformerforums.com/fo...prime-not-offering-update-new-firmware-2.html
I would like to get this thing into a more standard operating condition for myself (before I start looking at custom ROMs, of course).
I thought I would post in case any Devs here thought there might be useful stuff I could dump.
I'll also try freenode.net #asus-transformer
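Two earlier points in this page argue for checking what the device actually reports before anyone runs a root script or flashes it: the CDMA Hero guide warns that a later carrier update may patch the hole and that the hboot version must not change if the stock RUU is to remain a way back, and the TF700 post above shows a unit that announces itself as an engineering build (eng, test-keys, serial 11111111111111111). The script below is an added example, not code from any post in this thread: it audits a property dump and the `adb devices` listing and refuses to proceed when the device is not what the procedure was written for. The property names are standard Android ones; the "expected" version and bootloader values, the Hero serial and the `adb devices` text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Audit a property dump
# taken from the device before rooting or flashing. On a real device run
#   adb devices > adb.txt ; adb shell getprop > props.txt
# and feed those files to the functions below. Property names are standard
# Android ones; every "expected" value is a placeholder, not a value from the thread.

# Read one property from a getprop-style dump ("[key]: [value]") or a
# build.prop-style dump ("key=value"). Prints nothing if the key is absent.
prop() { # usage: prop KEY FILE
    sed -n -e "s/^\[$1]: \[\(.*\)]$/\1/p" -e "s/^$1=\(.*\)$/\1/p" "$2" | head -n 1
}

# Exactly one device in state "device" (not "offline" or "unauthorized") must be
# attached before any flash command, or a script that takes "the" device
# flashes the wrong one. FILE holds the output of `adb devices`.
adb_single_device() { # usage: adb_single_device FILE
    n=$(awk 'NR > 1 && NF == 2 && $2 == "device"' "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Classify a build. Prints "production", or "engineering:" followed by the
# reasons (test-signed, eng/userdebug type, placeholder serial) and returns 1.
classify_build() { # usage: classify_build PROPS_FILE
    tags=$(prop ro.build.tags "$1")
    type=$(prop ro.build.type "$1")
    serial=$(prop ro.serialno "$1")
    reasons=""
    case "$tags" in *test-keys*|*dev-keys*) reasons="$reasons test-signed" ;; esac
    case "$type" in eng|userdebug) reasons="$reasons build-type=$type" ;; esac
    if [ -z "$serial" ]; then
        reasons="$reasons missing-serial"
    else
        # a serial made of one repeated character (11111111111111111) is a
        # factory placeholder, not a real unit identity
        first=$(printf '%s' "$serial" | cut -c1)
        rest=$(printf '%s' "$serial" | tr -d "$first")
        if [ -z "$rest" ]; then reasons="$reasons placeholder-serial"; fi
    fi
    if [ -n "$reasons" ]; then
        echo "engineering:$reasons"
        return 1
    fi
    echo "production"
}

# Gate a flash on the firmware the exploit was verified against: a later OTA
# may have patched the hole, and a changed bootloader (hboot) means the stock
# RUU is no longer a safe way back. EXPECTED_* are caller-supplied placeholders.
preflight() { # usage: preflight PROPS_FILE EXPECTED_VERSION EXPECTED_BOOTLOADER
    v=$(prop ro.build.version.release "$1")
    b=$(prop ro.bootloader "$1")
    if [ "$v" != "$2" ]; then
        echo "refuse: Android $v, expected $2"
        return 1
    fi
    if [ "$b" != "$3" ]; then
        echo "refuse: bootloader $b, expected $3"
        return 1
    fi
    echo "ok: Android $v, bootloader $b"
}

# Constructed sample dumps written by this example. tf700.txt mirrors what the
# post above reports (eng/test-keys build, serial 11111111111111111); hero.txt
# and adb.txt are invented values for a stock 2.1 Hero.
write_samples() { # usage: write_samples DIR
    printf '%s\n' '[ro.build.type]: [eng]' '[ro.build.tags]: [test-keys]' \
        '[ro.serialno]: [11111111111111111]' '[ro.build.version.release]: [4.0.3]' \
        > "$1/tf700.txt"
    printf '%s\n' 'ro.build.type=user' 'ro.build.tags=release-keys' \
        'ro.serialno=HT02XAB12345' 'ro.build.version.release=2.1' \
        'ro.bootloader=1.47.0000' > "$1/hero.txt"
    printf 'List of devices attached\nHT02XAB12345\tdevice\n\n' > "$1/adb.txt"
}

tmp=$(mktemp -d)
write_samples "$tmp"
classify_build "$tmp/tf700.txt" || true        # engineering: test-signed build-type=eng placeholder-serial
classify_build "$tmp/hero.txt"                 # production
preflight "$tmp/hero.txt" 2.1 1.47.0000        # ok: Android 2.1, bootloader 1.47.0000
preflight "$tmp/hero.txt" 2.2 1.47.0000 || true   # refuse: Android 2.1, expected 2.2
adb_single_device "$tmp/adb.txt" && echo "one device attached, safe to flash"
```

The same functions run on a rooted shell with busybox, which is why only sed, awk, cut and tr are used. A refusal from `preflight` is the cue to flash the original RUU first, as step 1 of the Hero guide says; an "engineering" verdict is the cue to return the unit or at least to keep its dumps off any account tied to a real serial.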
reserved
I don't know the status of root, or whether the bootloader is unlocked.
Looks like the device is NOT unlocked.
ADB just spit back
Code:
/system/bin/sh: cp: not found
So maybe I need some BusyBox up in here to keep working.
UPDATE: So now it looks like I'm finding that the tab won't charge past 59%.... :/
If your device is unlocked, you can see it in the upper right corner when the device is turned on:
"Your device is unlocked"
hillbicks said:
If your device is unlocked, you can see it in the upper right corner when the device is turned on:
"Your device is unlocked"
Upper left corner
Not unlocked
I got the same advice about upper left corner on IRC.
Doesn't look like the tablet is unlocked right now. Of course, that may change
Can you zip some of those apps and post them somewhere, please? I would like to take a look if you don't mind. PM me.
EDIT: and "eng" in the firmware typically means an engineering build.
If the bootloader comes pre-unlocked, you've found yourself a pretty good device. Warranty + custom ROMs.
system-app and data-app
I pulled everything from these two folders.
data-app.zip
15,307 kB
system-app.zip
136,636 kB
UPDATE: removed links to DL files, may replace later
PM sent
Dev apps
I've PM'd links to download everything from /data/app and /system/app to a couple of people.
I'll be curious to know if anyone finds anything interesting or useful.
Is there anything else I should try to dump from this tab?
I'd like to start using it (which probably means wiping), but want to make sure I pull all of the helpful stuff for XDA members first.
ScottHW said:
I've PM'd links to download everything from /data/app and /system/app to a couple of people.
I'll be curious to know if anyone finds anything interesting or useful.
Is there anything else I should try to dump from this tab?
I'd like to start using it (which probably means wiping), but want to make sure I pull all of the helpful stuff for XDA members first.
Hi, I'm not a developer, and so far most of that software looks like diagnostic tools, but a dev should know better. As for using the tablet, I don't know if it's a good idea to keep it (I would return it), mostly because of the serial number (have you checked the logs to see if the device tries to communicate with the Asus server?) and because it is clear that such a device was used for testing, so maybe it was an early sample... anyway, it's your call. If you keep it, you can try to root, unlock and then install the custom recovery so you can do a nandroid backup before wiping everything.
I would root, try to unlock, get recovery installed and take a backup, and post it.
Return.... Nandroid
Thanks for the suggestions, that is basically what I was thinking.
I agree that this will most likely get returned. Just want to get all the goodies first.
I do think I'll have to return it. Too many screwy things going on here.
As for dumping, I thought along the same lines, à la Nandroid.
Of course, if I unlock the bootloader to install a custom recovery, then I wouldn't be able to return it....
ScottHW said:
Thanks for the suggestions, that is basically what I was thinking.
I agree that this will most likely get returned. Just want to get all the goodies first.
I do think I'll have to return it. Too many screwy things going on here.
As for dumping, I thought along the same lines, à la Nandroid.
Of course, if I unlock the bootloader to install a custom recovery, then I wouldn't be able to return it....
IMO you've done your best to help the community, so just return it and start enjoying your tablet. Also, I don't think that the tablet is a development environment, so it can't be such a valuable resource for devs.
Update and/or return
Pretoriano80 said:
IMO you've done your best to help the community, so just return it and start enjoying your tablet. Also, I don't think that the tablet is a development environment, so it can't be such a valuable resource for devs.
Glad to do what I can to help. I really appreciate those whose skills exceed my own, and do the dev work from which we all benefit.
Another way of saying that: I can't wait to get some sweet sweet CM up on this tab!
Only problem is... BestBuy doesn't have these in stock, which is why I had to order it shipped from BestBuy.com
Now I'll have to wait more days for another one to ship
I might try to "update" the software OTA, but I've read several other threads mentioning that OPEN_epad cannot be easily updated OTA.
I don't have any internet connection on this thing turned on yet, in case it tries to dial home and updates before I dump useful stuff, or gets remotely locked and/or wiped.
I'll flip on some wifis and see what System Update does for me.
UPDATE: System Firmware Update simply returns "There is no update available for your device currently." Guess I'll have to try harder to wipe away the OPEN_epad build.
adb pull /system
I just pulled everything on /system. A log is attached.
If anyone wants anything in there, let me know.
/system
413,136,276 bytes
UPDATE: I had a problem pulling /data, so here's a list for now (attached)
root@android:/ # cd /data
root@android:/data # ls -alR
UPDATE: removed attached lists of files for security
dumps
Alright.... I got some help and I dumped /system /data first32 (half the bootloader, recovery, boot, provisioning certificate...)
The dev I worked with over on freenode.net #asus-transformer is much more skilled than I, so now these are .img dumps, rather than just pulls of individual files.
If anyone thinks they can find diamonds in that rough, let me know.
ScottHW said:
Alright.... I got some help and I dumped /system /data first32 (half the bootloader, recovery, boot, provisioning certificate...)
The dev I worked with over on freenode.net #asus-transformer is much more skilled than I, so now these are .img dumps, rather than just pulls of individual files.
If anyone thinks they can find diamonds in that rough, let me know.
PM sent
ScottHW said:
Alright.... I got some help and I dumped /system /data first32 (half the bootloader, recovery, boot, provisioning certificate...)
The dev I worked with over on freenode.net #asus-transformer is much more skilled than I, so now these are .img dumps, rather than just pulls of individual files.
If anyone thinks they can find diamonds in that rough, let me know.
Thanks a lot. I will take a look. You can pull your Dropbox links if you would like, so you don't use up your bandwidth.
Go ahead and proceed with what you want to do... I will let you know if I find anything interesting to us.
So two weeks have passed. Did you get a replacement for the tablet, or an update, or something? How did that go?
Also: were any of those files useful for developers?

[Q] Exchange the whole UI stack on Android

Hi
I am new to hacking android. I have built linux distros in the past, and have worked with Linux for 15 years,
I have just rooted a ZTE V965. It doesn't come pre-installed with Play store, and has all sorts of ZTE-specific Chinese apps. It has a good baseband circuit, a good screen, reasonable camera and I think is a great value phone, apart from the awful UI.
It is an Android phone, although heavily customised. It has an MTK6589 processor coupled with 4 GB ROM and 512 MB RAM.
I have other phones which operate a much more "Vanilla" android. For example, the Guophone 9105 which also uses an MTK6589. This has a troubling tendency to reboot every random interval. Approx 6 times a week.
I have had success in the past running Linux systems built for much earlier kernels on later kernels. This suggests the ABI (application binary interface) for the Linux kernel changes rather slowly.
I am wondering how well the userland apps are separated from the kernel and drivers on Android.
Specifically, is it feasible to dump all the UI stuff from one phone onto another then change the init to launch the other UI?
Would this risk bricking the phone, or would the shell commands and ADB infrastructure still likely operate?
I guess I should change the bootloader to one that supports fastboot first, right? Is there a how-to on achieving this from the root shell?
Thanks for any thoughts
Nick.
Nick Hill said:
Hi
I am new to hacking android. I have built linux distros in the past, and have worked with Linux for 15 years,
I have just rooted a ZTE V965. It doesn't come pre-installed with Play store, and has all sorts of ZTE-specific Chinese apps. It has a good baseband circuit, a good screen, reasonable camera and I think is a great value phone, apart from the awful UI.
It is an Android phone, although heavily customised. It has an MTK6589 processor coupled with 4 GB ROM and 512 MB RAM.
I have other phones which operate a much more "Vanilla" android. For example, the Guophone 9105 which also uses an MTK6589. This has a troubling tendency to reboot every random interval. Approx 6 times a week.
I have had success in the past running Linux systems built for much earlier kernels on later kernels. This suggests the ABI (application binary interface) for the Linux kernel changes rather slowly.
I am wondering how well the userland apps are separated from the kernel and drivers on Android.
Specifically, is it feasible to dump all the UI stuff from one phone onto another then change the init to launch the other UI?
Would this risk bricking the phone, or would the shell commands and ADB infrastructure still likely operate?
I guess I should change the bootloader to one that supports fastboot first, right? Is there a how-to on achieving this from the root shell?
Thanks for any thoughts
Nick.
Hi Nick, I have the same phone. I'm also very new to Android; my last phone was iOS and before that Windows. I managed to root the V965 using Vroot. I also managed to install SuperSU and CWM. However, the CWM is not fully functional: I can only do a factory reset, not install any packages or ROMs. Probably the phone has a locked bootloader. I can't check, because the USB driver with the phone doesn't support fastboot.
I really need to get Google Play working on this phone. I've read a lot of stuff and tried many things, but I haven't succeeded yet. Please let me know if you make any progress.
In China they are flashing this phone, found some ROMs even, but I am not sure how they manage and google translate isn't much help there.
http://www.romjd.com/Device/zte-v965/hot/all/1
Hmmm, my V965 is having some issues now.
After a factory reset, the setup wizard keeps crashing, even after another reset. So I can't get into the phone anymore.
Any chance you can send me the USB drivers that are on the phone? My phone isn't detected anymore, so I can't access the drivers, which I want to reinstall. And of course they are not on the ZTE website.
Byte_Me said:
Hmmm, my V965 is having some issues now.
After a factory reset, the setup wizard keeps crashing, even after another reset. So I can't get into the phone anymore.
Any chance you can send me the USB drivers that are on the phone? My phone isn't detected anymore, so I can't access the drivers, which I want to reinstall. And of course they are not on the ZTE website.
Hi
You can temporarily download the ZTE v965 USB drivers from
www.nickhill.co.uk/ztev965usb.zip
Byte_Me said:
Hi Nick, I have the same phone. I'm also very new to Android; my last phone was iOS and before that Windows. I managed to root the V965 using Vroot. I also managed to install SuperSU and CWM. However, the CWM is not fully functional: I can only do a factory reset, not install any packages or ROMs. Probably the phone has a locked bootloader. I can't check, because the USB driver with the phone doesn't support fastboot.
Fastboot and ADB appear to be standard protocols, at least on my Ubuntu, which don't need special drivers. However, it does appear that the stock bootloader on the V965 fails to incorporate the fastboot option.
If you remove the battery, replace it then turn on holding the volume down, you will get a menu, but fastboot is not there.
I don't know for a fact, but I do suspect that if you have access to the running android system as root, then you could in principle change any of the internal flash data. Therefore, in principle, I guess you could replace the boot loader or anything else in the running android system. Anyone please correct me if I am wrong, or confirm if I am right.
The feature set of this phone seems to be the same as the feature set of my Guophone. MTK6589, dual SIM, etc. So this image may be a good place to start if considering a transplant.
If you have ROMs, then perhaps it is possible to flash the ROM from a root terminal. I'm thinking add the uncompressed ROM to the Micro SD card, then using the dd command, block copy it to the appropriate image area on the internal ROM, reboot, reset to factory defaults.
If anyone more experienced than me with the nuts and bolts of Android can confirm or deny this will work, or where it should be put, please let me know.
An important factor is that the NAND is not locked on the ZTE V965. So if you have a root shell on the phone, you can issue the following command:
mount -o remount,rw /[email protected] /system/
Once you have done this, you will have read/write access to the system partition.
The only thing I then need to know is what should I avoid changing that may break the ADB bridge/root console?
And is all the UI stuff kept together, if so, where?
Shuffle it around a bit, make a new ROM
Thanks for the driver!
Unfortunately it doesn't help
I found out the culprit, I tried to install gapps (google apps package) to the system app folder. I thought these changes would be reversed with a factory reset, but they are not. Setupwizard.apk keeps crashing and is preventing me from accessing my phone, so I must find a way to remove it from the system app folder. However, since this error occurred, I am not able to contact the phone in any way from the PC. Adb toolkit does not detect it, even when I reinstalled your driver. It's quite puzzling, I don't understand why in recovery mode I cannot connect adb-toolkit anymore.
Got my V965 working again, but it was a lot of hassle with shell access. Still not fully functional, no drives detected when I connect to USB, which is quite annoying, but not more than that. If you ever make any progress with google apps or flashing, please keep me informed, that would make this phone much more useable. I'll also keep hacking away at it, but without a bootloader unlock (I still think this is the problem), I don't think it will be possible.
I'm convinced it's possible to flash the phone, it seems they do it a lot in China.
I found a website with a couple of custom ROMs specific for the V965:
http://www.romjd.com/Rom/Detail/17086
And what I suspect is a rooting & flashing tool. Rooting works, I haven't figured out flashing yet.
http://dl.vmall.com/c0xa12brvo
I've also tried flashing from the settings - update menu in the phone, but it never finds the ROM (update.zip)
I did find another problem, I can't be reached on my phone, it always goes to voicemail. Same SIM in another phone works fine. No idea what's causing this.
Byte_Me said:
Got my V965 working again, but it was a lot of hassle with shell access. Still not fully functional, no drives detected when I connect to USB, which is quite annoying, but not more than that. If you ever make any progress with google apps or flashing, please keep me informed, that would make this phone much more useable. I'll also keep hacking away at it, but without a bootloader unlock (I still think this is the problem), I don't think it will be possible.
Hi
I might be able to help you with the problem.
I have a mint, unused ZTE v965. I have used MTK Droid root and tools to extract a backup of the entire new phone. It is currently uploading to www dot nickhill dot co dot uk forward slash ZTE-V965_new_backup.zip
You should be able to write this back to your phone using flashtool.exe.
I don't know for sure if this will work, so entirely at your own risk! Just trying to help. If unsure, ask around.
I am new to this forum, so please remember to click the thanks button if you find anything I have done helpful!
Meanwhile, the MTK droid root and tools has a function to remove much of the Chinese stuff (once the system has been installed) and there is always the cyanogenmod gapps package. This may be worth investigating.
Nick Hill said:
Hi
I might be able to help you with the problem.
I have a mint, unused ZTE v965. I have used MTK Droid root and tools to extract a backup of the entire new phone. It is currently uploading to www dot nickhill dot co dot uk forward slash ZTE-V965_new_backup.zip
The file size should be 635,972,093 bytes and should finish uploading at 04:00 GMT
md5sum 17ecfdd1040d5dbfab70a3adbc24e07a
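The post above publishes a byte count and an md5sum for the backup image. The POSIX shell function below is an added example, not code from this thread or from MTK Droid Tools: it checks a downloaded file against both values before the file goes anywhere near flashtool, failing fast on a truncated download so a 600 MB file is not hashed for nothing. The function and variable names are my own; the check only tells you that you received the bytes the poster had, not that the poster's image itself is trustworthy.

```shell
#!/bin/sh
# Added example: verify a downloaded firmware backup against the size and md5sum
# its uploader published, before handing it to a flashing tool.
# Usage: verify_image <file> <expected_bytes> <expected_md5>
# Returns 0 when both match, 1 otherwise (reason printed to stderr).

md5_of() {
    # Portable MD5: GNU/BusyBox md5sum, falling back to BSD/macOS md5.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

verify_image() {
    file=$1
    want_size=$2
    want_md5=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 1
    fi

    # Size check first: an interrupted download shows up here without hashing.
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" -ne "$want_size" ]; then
        echo "size mismatch: got $have_size bytes, expected $want_size (incomplete download?)" >&2
        return 1
    fi

    # Only then hash the whole file and compare case-insensitively.
    have_md5=$(md5_of "$file" | tr 'A-F' 'a-f')
    if [ "$have_md5" != "$want_md5" ]; then
        echo "md5 mismatch: got $have_md5, expected $want_md5 (corrupt or altered file)" >&2
        return 1
    fi

    echo "$file: size and md5sum match"
    return 0
}

# Values published in the thread for ZTE-V965_new_backup.zip.
V965_SIZE=635972093
V965_MD5=17ecfdd1040d5dbfab70a3adbc24e07a

# Stand-alone use: ./verify_image.sh ZTE-V965_new_backup.zip
if [ "$#" -ge 1 ]; then
    verify_image "$1" "${2:-$V965_SIZE}" "${3:-$V965_MD5}"
fi
```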
Thanks for the ROM, I'll give it a go. I will try to install it using the update option in the settings, that seems the safest.
Be careful with gapps. setupwizard.apk + factory reset = a lot of problems (if you install in system app folder)
OMG that tool is awesome. created CWM boot, installed your ROM, then installed a clean ROM, then installed gapps, all working!!!
Byte_Me said:
OMG that tool is awesome. created CWM boot, installed your ROM, then installed a clean ROM, then installed gapps, all working!!!
Firstly, I'm glad it's working for you.
Secondly, which tools did you use? Did you unpack the zip, open flashtools, select the scatter file then program the phone, or did you use some other method?
Which clean ROM did you then install, and how did you install it?
Did you then use MobileUncle to install CWM then use the cyanogenmod 10.1 gapps, or did you do something different?
It is useful to remember that MTKdroidtools has a useful function to remove chinese stuff. I think if more people contributed to the list of Chinese files that are safe to remove, that would be blade.
A detailed step-by-step guide might be helpful for anyone else with the same problem. One of the general problems I find is that there are plenty of guides around referring to this program, or that program, but few are detailed enough for someone who doesn't already know about those programs to use.
I pretty much bricked a Lenovo A766 yesterday, and it took several hours to learn about the tools to eventually unbrick it.
I would have rather spent my time understanding what is really going on, rather than spending my time learning vaguely what tool achieves what end result. If I understood more about the Android system, and built that knowledge on my understanding of Linux, I reckon I could achieve much more.
One thing I notice is that tablets and smartphones are actually replacing desktops and laptops. February this year, Windows machines were down 7% YOY. I use Ubuntu for my main computer. Using these tools on Windows led me to significant frustration! This has led me to understand why there is a move. Maybe the tools provided for Windows need to eventually move to Android. We could then potentially use USB OTG to service other Android devices. MTKdroidtools and flashtools running as a host on a separate Android system would be cool.
Nick Hill said:
Firstly, I'm glad it's working for you.
Thanks, me too
Nick Hill said:
Secondly, which tools did you use? Did you unpack the zip, open flashtools, select the scatter file then program the phone, or did you use some other method?
I used MTK tools as described in that topic, rooted, made backup, installed CWM
Nick Hill said:
Which clean ROM did you then install, and how did you install it?
I used the update tool from CWM to flash this ROM:
http://www.romjd.com/Rom/Detail/17086
That ROM is not very clean though, you might as well clean your own ROM
Nick Hill said:
Did you then use MobileUncle to install CWM then use the cyanogenmod 10.1 gapps, or did you do something different?
CWM is installed using MTK Droid Root and Tools:
http://forum.xda-developers.com/showpost.php?p=44660171&postcount=417
This gapps version I installed: gapps-jb-20121011-signed
It's installed using CWM bootloader: install .zip package
Nick Hill said:
It is useful to remember that MTKdroidtools has a useful function to remove chinese stuff. I think if more people contributed to the list of Chinese files that are safe to remove, that would be blade.
I used the delete China function, but it didn't catch very much. But with all the functions available now, it's quite easy to clean manually.
Nick Hill said:
A detailed step-by-step guide might be helpful for anyone else with the same problem. One of the general problems I find is that there are plenty of guides around referring to this program, or that program, but few are detailed enough for someone who doesn't already know about those programs to use.
Yes, I plan to make a topic for this phone, but at the moment I am still testing many things.
Nick Hill said:
I pretty much bricked a Lenovo A766 yesterday, and it took several hours to learn about the tools to eventually unbrick it. I would have rather spent my time understanding what is really going on, rather than spending my time learning vaguely what tool achieves what end result. If I understood more about the Android system, and built that knowledge on my understanding of Linux, I reckon I could achieve much more.
I know how you feel, I was ready to toss this phone in the trash
Nick Hill said:
One thing I notice is that tablets and smartphones are actually replacing desktops and laptops. February this year, Windows machines were down 7% YOY. I use Ubuntu for my main computer. Using these tools on Windows led me to significant frustration! This has led me to understand why there is a move. Maybe the tools provided for Windows need to eventually move to Android. We could then potentially use USB OTG to service other Android devices. MTKdroidtools and flashtools running as a host on a separate Android system would be cool.
I have no idea about the possibilities there. I'm not a programmer, just someone who is good with computers and knows a little bit of everything.
PS. I could also use some thanks as well, maybe get some respect around here
Nick Hill said:
...
Did you give it a try yet? Another user did and google apps are working for him, so that's 2 for 2.
Are you still on your original ROM? If so, I have a question for you. Do you get notification badges on your icons, for instance, when you have a missed call, is there a red box with a 1 on the phone icon? Also, do your contacts get ID-ed when they call you? I have some problems with that, caused by the country code prefix. I am still running that ROM I downloaded from the Chinese forum, but if your ROM doesn't have these issues, I will switch back ASAP.
Nick Hill said:
Firstly, I'm glad it's working for you.
As you are a Lenovo A766 owner, could you help me with this?
http://forum.xda-developers.com/showthread.php?p=49076877#post49076877
Where are configuration settings stored across factory resets?
I have come to the (perhaps erroneous) conclusion that the user interface and what the user will experience is governed primarily from:
the APKs in
/system/app/
/system/vendor/operator/app/
and the configuration files pertaining to the installed apps, which is located at:
/data/user/0/
I guess that when the Android device is factory reset, the /data partition is completely cleared, right?
Is there a set of standard configurations which are unpacked from somewhere into /data/user/0/ after a factory reset, or is it normal for all configurations to be stored in their respective APKs?

Temporary root shell for developers on locked bootloaders.

Hello All! I am me2151.
I am here to tell you some kind of good news.
We have achieved a temporary root shell using a modified recowvery script. Originally Recowvery installed a custom "recovery" but I have modified it to instead create a temporary root shell using the System_Server SELinux context and disable the flashing portion of the script. Yes we are still limited until we can get Kernel or Init context but I am working on that as well.
This exploit will be useful down the line because of one major thing. WE CAN INSERT KERNEL MODULES!!! But they need to be signed. So I am releasing this out here so we can take the next step into our full root! We also have rw to the /data partition and changes save over a reboot.
If we can get someone to sign a kernel module that the system accepts we can set SELinux to permissive.
This exploit SHOULD work for all variants.
NOTE: This should only be used by devs who know what they are doing.
Instructions (this should work on MacOS and Linux only!):
Download linked file below.
Extract to either adb directory OR a directory you have adb access in.
Give execute permissions to temp.sh.
Run temp.sh.
When you are all done with your exploring and stuff type "Reboot" to reboot normally.
https://drive.google.com/open?id=0B8CP3g3AqMuHcmNJUUJWLUJUelE
Credit:
 @jcadduono - For recowvery, and pointing me in the right direction on IRC.
 @brenns10 - Wrote the lsh used in the exploit to spawn the shell.
The group over here for ideas and solutions.
Very cool work! Glad to see people putting my shell (such as it is) to good use. Wish I had a V20 to try it out.
I don't think you'll ever be able to sign a kernel module (SHA512 hash). You'd probably have better luck signing your own boot image.
Here's a theory to toy with:
I think the way to do it would be to gain read access to /init binary allowing you to dirtycow /init with the same init binary but change a very specific (but not vital to system integrity) set of instructions to point back to the setenforce code with a value of 0 without disturbing the rest of the binary/instructions. This way, init should continue running without crashing and taking down the whole system, and you can do something that might trigger that specific instruction set - which would then result in selinux becoming permissive.
This is beyond me, unfortunately. This method would also be very device specific until someone also finds an intelligent way to read init, modify instructions, then dirtycow it back.
I think system server context might be able to read init?
Once you get your permissive selinux, you'll also have to deal with Unix capabilities limitations (find a way around them).
jcadduono said:
I don't think you'll ever be able to sign a kernel module (SHA512 hash). You'd probably have better luck signing your own boot image.
Here's a theory to toy with:
I think the way to do it would be to gain read access to /init binary allowing you to dirtycow /init with the same init binary but change a very specific (but not vital to system integrity) set of instructions to point back to the setenforce code with a value of 0 without disturbing the rest of the binary/instructions. This way, init should continue running without crashing and taking down the whole system, and you can do something that might trigger that specific instruction set - which would then result in selinux becoming permissive.
This is beyond me, unfortunately. This method would also be very device specific until someone also finds an intelligent way to read init, modify instructions, then dirtycow it back.
I think system server context might be able to read init?
Once you get your permissive selinux, you'll also have to deal with Unix capabilities limitations (find a way around them).
If system_server can read init then that's a serious flaw.... Question for you. You said it would be very device specific. Does that mean it's unique for each individual phone or each model?
EDIT: Unfortunately we only have access to the init.rc, not the binary itself.
@jcadduono I appreciate your input and direction in this matter another idea we have been toying with is
We have the aboot boot recovery and system dump. From the tmob variant would it be possible to make a tot from that for our devices changing the props to match our device, build, and carrier info? We can also pull apks from /system/apps and /privapps to our ext sdcard
@me2151, @jcadduono, @brenns10: Great work guys, keep it up. Good to see some people are trying for root. What model/s are being tested, or should this theoretically work on all models? Whilst you probably aren't doing it for the cash, there is a bounty I hope someone can claim soon, for a functional root alone (not boot unlock) posted on this board.
RoOSTA
roosta said:
@me2151, @jcadduono, @brenns10: Great work guys, keep it up. Good to see some people are trying for root. What model/s are being tested, or should this theoretically work on all models? Whilst you probably aren't doing it for the cash, there is a bounty I hope someone can claim soon, for a functional root alone (not boot unlock) posted on this board.
RoOSTA
It should work on all models. I personally use a Sprint model (LS997). I think it MAY have been tested on VZW as well.
I can confirm that it works on H990DS
Sent from my MI PAD using XDA-Developers mobile app
We know from earlier LG phone releases that the laf partition when bypassed in some way (corrupted, etc) aboot will boot to fastboot when going into download mode. It was my thought that the bootloader could be unlocked from there. However corrupting laf eliminates device recovery. Catch-22.
I think the best way to proceed is to get a working .TOT first which is just a waiting game. That would ensure device recovery and replacing the bootloader in the .TOT and signing it with something unlockable.
This is a great way to explore the locked phones in the meantime, thanks.
ATT Pretty Please
me2151 said:
Hello All! I am me2151.
I am here to tell you some kind of good news.
We have achieved a temporary root shell using a modified recowvery script. Originally Recowvery installed a custom "recovery" but I have modified it to instead create a temporary root shell using the System_Server SELinux context and disable the flashing portion of the script. Yes we are still limited until we can get Kernel or Init context but I am working on that as well.
This exploit will be useful down the line because of one major thing. WE CAN INSERT KERNEL MODULES!!! But they need to be signed. So I am releasing this out here so we can take the next step into our full root! We also have rw to the /data partition and changes save over a reboot.
If we can get someone to sign a kernel module that the system accepts we can set SELinux to permissive.
This exploit SHOULD work for all variants.
NOTE: This should only be used by devs who know what they are doing.
Instructions (this should work on MacOS and Linux only!):
Download linked file below.
Extract to either adb directory OR a directory you have adb access in.
Give execute permissions to temp.sh.
Run temp.sh.
When you are all done with your exploring and stuff type "Reboot" to reboot normally.
https://drive.google.com/open?id=0B8CP3g3AqMuHcmNJUUJWLUJUelE
Credit:
@jcadduono - For recowvery, and pointing me in the right direction on IRC.
@brenns10 - Wrote the lsh used in the exploit to spawn the shell.
The group over here for ideas and solutions.
At the moment all I am using root for is to add a line within my build.prop to disable Tethering checks, so I can tether at full 4G speed and not get throttled. Would this be possible using the method above, or would build.prop immediately get replaced at the reboot?
Thanks, and keep up the good work!
NRadonich said:
At the moment all I am using root for is to add a line within my build.prop to disable Tethering checks, so I can tether at full 4G speed and not get throttled. Would this be possible using the method above, or would build.prop immediately get replaced at the reboot?
Thanks, and keep up the good work!
No. It is a TCP root shell that can only do a few things such as kernel modules.. only section we were able to write to and have it stick was the /data partition which won't help you in this scenario
elliwigy said:
No. It is a TCP root shell that can only do a few things such as kernel modules.. only section we were able to write to and have it stick was the /data partition which won't help you in this scenario
So if we can write to the data partition then in theory can we adb push to it using this? I ask because I'd like to install some TBO apps that normally would require flashing. But if we could push them we would be solid
markbencze said:
So if we can write to the data partition then in theory can we adb push to it using this? I ask because I'd like to install some TBO apps that normally would require flashing. But if we could push them we would be solid
Unfortunately it's a TCP shell, not a pure adb shell, so we cannot push or pull to those directories
Wow great progress keep up the good work. You guys are helping those assholes from LG sell more phones. Obviously some people have not made the switch because the lack of root. Root users are very influential leaders to get others to try out a new device.
Sent from my LG-LS997 using XDA-Developers mobile app
Works on the LG G5 also...
Hey guys, with the expectation of many that 'root is coming' to the other v20 models...are we likely to see the same type of root format that applied to the LG G4, where you have to (either) download or rip your own image to a PC. Use commands to insert root, then reflash to the device?
Any root is better than nothing, I know...but I ask because with the amount of software updates for the G4 (v10c software through to v10k before MM came out), meant the sheer amount of times you'd have to go through this process to keep your phone up to date whilst maintaining root was extremely frustrating - as it also meant xposed and related settings/apps needed to be reinstalled each time you performed an OTA update and re-flashed root.
Is this going to be a side effect of dealing with a locked bootloader? PS: If I sound dumb, it's probably because I am.
RoOSTA
roosta said:
Hey guys, with the expectation of many that 'root is coming' to the other v20 models...are we likely to see the same type of root format that applied to the LG G4, where you have to (either) download or rip your own image to a PC. Use commands to insert root, then reflash to the device?
Any root is better than nothing, I know...but I ask because with the amount of software updates for the G4 (v10c software through to v10k before MM came out), meant the sheer amount of times you'd have to go through this process to keep your phone up to date whilst maintaining root was extremely frustrating - as it also meant xposed and related settings/apps needed to be reinstalled each time you performed an OTA update and re-flashed root.
Is this going to be a side effect of dealing with a locked bootloader? PS: If I sound dumb, it's probably because I am.
RoOSTA
It shouldn't be an expectation as we've made it clear we do not have root and are hitting hurdles.. we have been advised we need to attack SELinux and/or the BL but at this point we're wanting to try to use debug firmware which hopefully would allow a BL unlock..
Unfortunately nobody can create a .tot with the debug firmware at all and there's no way at all to flash the images..
We need to somehow leverage an exploit to gain a temp adb root shell before we could even attempt anything and this has not been done in a way that's useful to us..
Unfortunately we need more experienced devs at this point.
LG Australia (and as such, Taiwan) have effectively confirmed their H990DS V20 mobile phone's bootloader is confirmed as being unlockable. However (and for no apparent reason) they will not confirm why one region have released a variant of the phone with the bootloader unlock and why they are refusing this to other phones/regions. Because of course, they have zero training and information about anything related to their company except for goods released in a specific region. That comes from a 'product expert'.
Titanium Backup
Howdy,
Just reading through the thread, I understand that it's not quite a "full" root, but would it be enough to run Titanium Backup? I'm hoping to move away from root access with my V20 but it would be really helpful if I could do it temporarily, restore some application and data backups, reboot and uninstall Titanium.
Tim