i am in no way responsible if you brick, break or just plain blow up your device. it's your device and your responsibility. if you blame me i am gonna die laughing!
Disclaimer! the exploits in the rar may be flagged as a virus by your virus software. just add an exception for them! they are not a virus
T-Mobile/MetroPCS Root, TWRP and Deodexed Stock Roms
Cannot Stress this Enuff but Read this Entire Post, when done read it again, and finally read it once more for good measure
ok all. this is dirtycow exploit for the t-mobile k428 - works on the 10g firmware(works for the metropcs ms428 as well - Must have 10c kdz flashed first). the exploit method is almost the same as the v20
i have personally done this multiple times on my t-mobile k10 without issues to make sure it is 100% working
all the needed files you need are in this rar. just extract it to the root of your C drive Download Me
this requires an unlocked bootloader and on the t-mo variant it's very easy to do. check this forum. you'll find instructions on how to do it
Now lets get started!!
copy the supersu file to your sdcard
open a command prompt window.
now copy and paste each line except the lines surrounded by "< >"
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process32 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb push twrp-3.1.0-0.img /sdcard/twrp.img
adb shell
cd /data/local/tmp
chmod 0777 *
./dirtycow /system/bin/applypatch recowvery-applypatch
"<Note! wait for to finish>"
./dirtycow /system/bin/app_process32 recowvery-app_process32
"<Note! wait for to finish, it should appear to crash, however
the crash will not happen, you have to force the crash.
to do this wait for the exploit to finish. now press and hold
the power button until you see the t-mo logo screen and hear
the jingle. now it's crashed and you can continue onto the next
step>"
exit
adb logcat -s recowvery
"<wait for it to tell you it was successful - Then Press>"
"[CTRL+C]"
adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"
adb shell
getenforce
"<it should say Permissive>"
cd /data/local/tmp
./dirtycow /system/bin/run-as recowvery-run-as
run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"
run-as su
run-as exec dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
"<wait for it to complete>"
reboot recovery
"<once in twrp do the following>"
click install
select supersu 2.79-sr3.zip
reboot
setup your phone and enjoy
thats it. enjoy root!
Stock Deodexed Roms
Features:
Deodexed
Debloated(if thats what you want to call it) i've removed what i don't want so
Magisk v12.0 with magisk manager 4.3.0
Note! (make sure to enable hide magisk in magisk manager settings) - pass's safetynet check - android pay will work along with pokemon go and any other apps that look for root
Busybox 1.26.2 installed by default
dolby atmos 6.5
Viper4Android 2.5.0.5
Includes a custom app for a reboot menu that ties into the actual power button
As always to install either rom you'll want to wipe system, data, dalvik and cache(this is normal for any rom)
T-Mobile Rom
T-Mobile K10 K428sg 10h rom - Weather Widget has been removed due to deodexing issues. PLZ use an Alternate Weather Widget
K428sg10h Removed Files
MetroPCS Rom
MetroPCS K10 ms428 10h rom - Weather Widget has been removed due to deodexing issues. PLZ use an Alternate Weather Widget
MetroPCS Removed Files
for anyone interested you can freely use these rom as a starting point base for a custom rom.
Thanks to @pvineeth97 - for working twrp, @Chainfire - for supersu, @topjohnwu - for magisk, and everyone else i forgot to mention. sorry guys i'm tired!
reserved 1
OvrDriVE said:
reserved 1
Click to expand...
Click to collapse
I just didn't remember that dirtycow could be used to root MetroPCS 428! Thanks for the guide
actually the metropcs twrp you did works like a charm on the t-mo 428. ty for that btw.
i wasn't sure if this worked for metropcs or not but since you say it does i'll mention it as well
OvrDriVE said:
actually the metropcs twrp you did works like a charm on the t-mo 428. ty for that btw.
i wasn't sure if this worked for metropcs or not but since you say it does i'll mention it as well
Click to expand...
Click to collapse
I don't have a MetroPCS 428 phone but I compiled TWRP for it. I happy it works for you guys
---------- Post added at 03:14 PM ---------- Previous post was at 02:47 PM ----------
@OvrDriVE
Edit the guide properly whenever you are free.
Can you contact me on hangouts: [email protected].
On the very first command I'm already facing issues:
Code:
adb push dirtycow /data/local/tmp
adb: error: cannot stat 'dirtycow': No such file or directory
GuyInDogSuit said:
On the very first command I'm already facing issues:
Code:
adb push dirtycow /data/local/tmp
adb: error: cannot stat 'dirtycow': No such file or directory
Click to expand...
Click to collapse
make sure your running cmd from the adb dir. also you need to make sure usb debugging is enabled in dev options along with oem unlock
OvrDriVE said:
make sure your running cmd from the adb dir. also you need to make sure usb debugging is enabled in dev options along with oem unlock
Click to expand...
Click to collapse
I am running it from the adb directory. And USB debugging and OEM unlock are enabled.
GuyInDogSuit said:
I am running it from the adb directory. And USB debugging and OEM unlock are enabled.
Click to expand...
Click to collapse
then it should work as the file is in that folder if you grabbed my zip at the top of OP
OvrDriVE said:
then it should work as the file is in that folder if you grabbed my zip at the top of OP
Click to expand...
Click to collapse
I got it! The "dirtycow" file was being removed by ESET. You should add a disclaimer in the OP about it possibly being flagged by antivirus software.
GuyInDogSuit said:
I got it! The "dirtycow" file was being removed by ESET. You should add a disclaimer in the OP about it possibly being flagged by antivirus software.
Click to expand...
Click to collapse
yeah it's a false positive. anyway disclaimer added.
OK, now I'm stuck. The part where I'm supposed to hold the power button? It doesn't reboot. It just brings up the power menu and stays there.
GuyInDogSuit said:
OK, now I'm stuck. The part where I'm supposed to hold the power button? It doesn't reboot. It just brings up the power menu and stays there.
Click to expand...
Click to collapse
redo the exploit line right before your supposed to hold the power button. wait for it to finish then hold the power button to crash the phone
It takes about 2-3 minutes for the "./dirtycow /system/bin/app_process32 recowvery-app_process32" command to finish. It doesn't appear to crash. I'm still waiting for it to happen.
GuyInDogSuit said:
It takes about 2-3 minutes for the "./dirtycow /system/bin/app_process32 recowvery-app_process32" command to finish. It doesn't appear to crash. I'm still waiting for it to happen.
Click to expand...
Click to collapse
ok, make sure your screen is on and doesn't shutoff. that may help. the crash that happens on the v20 doesn't happen on the k10 unless ypou hold the power button to force it
and you'll know you crashed it because the white t-mo logo screen will pop up and you'll hear part of the t-mo jingle and then phone will appear to be froze
OvrDriVE said:
ok, make sure your screen is on and doesn't shutoff. that may help. the crash that happens on the v20 doesn't happen on the k10 unless ypou hold the power button to force it
and you'll know you crashed it because the white t-mo logo screen will pop up and you'll hear part of the t-mo jingle and then phone will appear to be froze
Click to expand...
Click to collapse
I set the screen to stay on. I'm actually using an MS428, the MetroPCS variant. Nothing happening, still. I've run the command four times now.
---------- Post added at 09:53 AM ---------- Previous post was at 09:47 AM ----------
I think I'll need to downgrade. I let the phone update once since I got it. And there's a new 57.1 MB update today.
GuyInDogSuit said:
I set the screen to stay on. I'm actually using an MS428, the MetroPCS variant. Nothing happening, still. I've run the command four times now.
---------- Post added at 09:53 AM ---------- Previous post was at 09:47 AM ----------
I think I'll need to downgrade. I let the phone update once since I got it. And there's a new 57.1 MB update today.
Click to expand...
Click to collapse
you may need to. i did this on a k428 t-mo version with 10g and i havn't tryed on 10h yet but i gaurentee it works on t-mo. was told it works on metropcs however they could have been wrong on that.
Once rooted, will I lose root if I update? I kinda figure I will.
GuyInDogSuit said:
Once rooted, will I lose root if I update? I kinda figure I will.
Click to expand...
Click to collapse
it actually shouldn't update because of the modified recovery. although it may still complain about there being an update you can just ignore it
OvrDriVE said:
it actually shouldn't update because of the modified recovery. although it may still complain about there being an update you can just ignore it
Click to expand...
Click to collapse
Oh, right, the recovery. Yeah. Alright.
---------- Post added at 10:46 AM ---------- Previous post was at 10:10 AM ----------
I'm on 10g already and it's not working. I tried downgrading, which said it completed, but I'm still on the same version. WTF. And this still isn't working.
Related
Silly HTC. THIS EXPLOIT MAY NOT LAST FOREVER. ATT COULD KILL THIS. DO IT NOW.
Warning: If something goes wrong, whatever you do, do NOT install the update that this process finds. If you DO, you will be stuck on 2.20 with no chance for root (currently)
What you need:
HOX on ATT 1.85
su binary from http://dl.dropbox.com/u/don'tusemeimabadsubinary
EDIT: The su binary above has issues. Use this one instead: http://dl.dropbox.com/u/9060692/su
Make sure HTC sync is NOT RUNNING (down in system tray)
Make sure phone is set to "charge only" and usb debugging is enabled!
Put su in same directory as ADB. Get to adb command prompt and cd into that directory
NEW - pull sim card
NEW - do factory reset
NEW - when reset is complete, do not replace sim, do NOT connect to wifi. Go through setup, go to settings, enable USB debugging. When that's done:
adb shell rm /data/data/com.redbend.vdmc/lib/libvd*
adb reboot
After the device reboots:
adb shell ln -s /data/local.prop /data/data/com.redbend.vdmc/lib/libvdmscomo.so
(If you get file doesn't exist after the FIRST command don't worry - they may not be there)
Now, on the phone, go to settings and check for software update. It will tell you you need to connect to network. Now, replace the SIM OR connect to wifi. Have it check for software update again. When it's done, do NOT click "yes" or "ok" on the phone. Simply:
adb shell ls -l /data/local.prop
IF AND ONLY IF you get "file not exists" or anything like that then set your phone's date 2 days ahead and reboot the phone and start over. If you get file info, you're golden. Proceed....
adb shell "echo 'ro.kernel.qemu=1' > /data/local.prop"
Now it's time to reboot
adb reboot
After phones reboots
adb remount
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell rm /data/local.prop
adb reboot
Congrats, you have root. Install supersu and busybox installer from the market (or Play store).
If you pledged a bounty in the bounty thread, note the instructions here:
Please pay bounty to make a wish foundation
http://www.wish.org/help/donate
Please choose the "Make a Wish Foundation of America" (don't select a chapter). You can use Paypal as well.
Special thanks to designgears as well for being my tester and also writing the one click. He has several hours of work in this project as well. Consider a donation to him, too - http://rootzwiki.com/store
ADDED: Please let me know if this works for you!
ADDED: If you already pushed the wrong binary it's easiest just to start over with the correct binary.
SWEEEEEEEEEEET!
You have just made a lot of people. SCC/FGFD
where do we get the su binary. I have a supersu zip to gain root after unlock
Great job guys!!!
Do terminal apps need root to run? Can I do this with terminal and avoid ADB?
I got "no updates found" and permission denied...
-rw------- system system 1196598 2012-05-25 12:36 local.prop
beaups you are the ****ing best!!!
AWESOME. Thank you so much!
Where do we get su binary?
I'm thinking maybe from a rooted phone? I have a rooted HTC Inspire.
shgadwa said:
AWESOME. Thank you so much!
Where do we get su binary?
I'm thinking maybe from a rooted phone? I have a rooted HTC Inspire.
Click to expand...
Click to collapse
I added the link to op
shgadwa said:
AWESOME. Thank you so much!
Where do we get su binary?
I'm thinking maybe from a rooted phone? I have a rooted HTC Inspire.
Click to expand...
Click to collapse
It's in the op
Sent from my HTC One X using Tapatalk 2
2nd line after adb shell i get no device found. USB debugging is enabled.
Very awesome. Hard work and dedication finally paid off. Thanks to who all that contributed to this.
Omg. Awesome. Who discovered this exploit?
My brother, give us your PayPal so we can donate. This is awesome.
Anyway to put the setting up of ADB in lamens terms for some of us that aren't familiar? I am ok with the commands, I just don't know how to get ADB to command prompt and where to place the files.
---------- Post added at 05:52 PM ---------- Previous post was at 05:52 PM ----------
gunnyman said:
Omg. Awesome. Who discovered this exploit?
Click to expand...
Click to collapse
beaups and dg
I updated to op to fix a wrong instruction.
when I put in the first line it says device not found. It's weird I can boot into boot into bootloader and everything but can't do that line
gunnyman said:
Omg. Awesome. Who discovered this exploit?
Click to expand...
Click to collapse
Once we get a few success stories I'll be claiming bounty (charity).
OMG GOOD JOB!!!! Im already rooted but im proud of you guys!!! GOOD JOB!! Hopefully Me and a Simonsimons will be releasing S=OFF SOON! fingers crossed
SkizzMcNizz said:
when I put in the first line it says device not found.
Click to expand...
Click to collapse
Try again, updated instructions.
UPDATE: I created a tool based on this method. Head over to the new thread.
---
WARNING: This is WIP for now. Don't run it if you aren't comfortable with the possibility of having something go wrong and having to re-Odin back to stock or worse. I was already rooted and had Busybox installed, so even though I temp-unrooted first, I don't know for certain if this will work on a stock device. If anyone wants to flash back to pure stock and give it a shot, I'd appreciate it. If it works, I'll try and make it easier to use.
NOTE: This may give you the custom unlock screen! I'm not 100% certain it was this root method that did it, though, as I had installed BusyBox and frozen several system apps with TiBu before my most recent reboot. I need someone willing to test. I don't have time to backup, flash to stock, and retry at the moment.
Background: Since some people seem to have mysterious issues after flashing the root66 image, I've been looking at existing ICS root methods which don't require flashing ROMs to see if any work on the GSIII. I think I've found one.
This is an adaptation of miloj's root method for the Asus TF300T. All credit goes to him and anyone else he mentioned in his post.
Instructions:
Install the USB drivers if you don't have them already: Verizon_Wireless_I535_GSIII_Samsung_USB_Driver_v1_4_6_0.exe
Download the attached binary package and extract them somewhere
Set up adb and make sure you can see your phone
Run the following commands in a shell. Red is a prompt you will see on the screen, black is something you type, blue is a comment.
Code:
adb push debugfs /data/local/
adb push su /data/local/
adb shell
[COLOR="Red"]$[/COLOR] cd /data/local/
[COLOR="Red"]$[/COLOR] mv tmp tmp.bak
[COLOR="Red"]$[/COLOR] ln -s /dev/block/mmcblk0p14 tmp
[COLOR="Red"]$[/COLOR] exit
adb reboot
[COLOR="RoyalBlue"]... wait for phone to reboot ...[/COLOR]
adb shell
[COLOR="Red"]$[/COLOR] cd /data/local
[COLOR="Red"]$[/COLOR] toolbox chmod 755 /data/local/debugfs
[COLOR="Red"]$[/COLOR] /data/local/debugfs -w /data/local/tmp
[COLOR="Red"]debugfs:[/COLOR] cd xbin
[COLOR="Red"]debugfs:[/COLOR] rm su
[COLOR="Red"]debugfs:[/COLOR] write /data/local/su su
[COLOR="Red"]debugfs:[/COLOR] set_inode_field su mode 0106755
[COLOR="Red"]debugfs:[/COLOR] set_inode_field su uid 0
[COLOR="Red"]debugfs:[/COLOR] set_inode_field su gid 0
[COLOR="Red"]debugfs:[/COLOR] quit
[COLOR="Red"]$[/COLOR] rm /data/local/tmp
[COLOR="Red"]$[/COLOR] mv /data/local/tmp.bak /data/local/tmp
[COLOR="Red"]$[/COLOR] exit
adb reboot
[COLOR="RoyalBlue"]... wait for phone to reboot ...[/COLOR]
adb shell
[COLOR="Red"]$[/COLOR] /system/xbin/su
[COLOR="Red"]#[/COLOR] id
[COLOR="RoyalBlue"]You should see: id=0(root) gid=0(root) ....[/COLOR]
[COLOR="Red"]#[/COLOR] exit
[COLOR="Red"]$[/COLOR] rm /data/local/su
[COLOR="Red"]$[/COLOR] rm /data/local/debugfs
[COLOR="Red"]$[/COLOR] exit
This is using miloj's insecure su, so you should install the superuser app and immediately use its binary update feature to install a proper binary. Otherwise, you're just asking to get malware.
I very much like this root method. Would be interested to see if anyone else is able to get this successfully done on their stock devices.
Worst case, I'll be getting a replacement phone on Wednesday due to some minor screen issues, so I'll be forced to try it then.
Let US know if it works...I have slow connection that times out at 80% because of these huge Rom files
Sent from my SCH-I535 using xda app-developers app
Thanks for working on this Ninja, and thanks for sharing with us. :good:
Sounds like it will be the cleanest root method yet.
$ mv /data/local/tmp.back /data/local/tmp
should be
$mv /data/local/tmp.bak /data/local/tmp
---------- Post added at 05:46 PM ---------- Previous post was at 05:38 PM ----------
This is CONFIRMED working on my VIRGIN SGS3 I got today. had to fix the one typo above. No problems yet. just don't break things freezing too many apps. Somone script up a one click root. If you dont, I will tonight. (In about 3 or four hours or so.)
FlyingPoo said:
$ mv /data/local/tmp.back /data/local/tmp
should be
$mv /data/local/tmp.bak /data/local/tmp
Click to expand...
Click to collapse
The perils of copy/pasting half from the original post and half from my local shell.
FlyingPoo said:
This is CONFIRMED working on my VIRGIN SGS3 I got today. had to fix the one typo above. No problems yet. just don't break things freezing too many apps. Somone script up a one click root. If you dont, I will tonight. (In about 3 or four hours or so.)
Click to expand...
Click to collapse
I'm working on one now. It's about 2/3 done. I have to go run a couple errands before I can finish it, though.
alrighty, cool beans!
FlyingPoo, did you get the "custom unlock" boot screen after adding the su binary?
May have to try this one out! Thanks
Tool here: http://forum.xda-developers.com/showthread.php?t=1792342
Did not want to post in the tool thread to confuse people so maybe this can be used a basic research to make this method as seamless as possible? Let us know what you prefer Ninja.
Wanted to give some more details on the "custom unlock" boot screen. There was some new findings from Lee (aka ralekdev) who is working on unlocking the bootloader.
Ralekdev said:
In other news, I found what keeps resetting the 16 byte encrypted romtype in param.img. It's libcordon.so, which is from /system/app/SysScope.apk (it'll also be copied to /system/lib/libcordon.so). It's using quite a few checks to see if you've modified your system.
There's an adb scanner, checking to see if you've changed the ro.secure or ro.debuggable props.
The root process scanner checks running processes and returns true if any are found running as root that are not one of:
"debuggerd", "init", "installd", "servicemanager", "vold", "zygote", "netd", "ueventd", "dock_kbd_attach", "pppd", "pppd_runner", "mpdecision", "thermald", "hdmid", "sec_keyboard", "seccmmond", "mfsc", "mfdp"
There's also a partition check, kernel checker, su scanner, and a file scanning mechanism using data from a sqlite db
So to completely remove the Samsung custom screen on bootup and 5 second delay you'd need to disable the SysScope.apk, then encrypt and write the 16 bytes yourself using 0xFF000000 as the first int to mark yourself as official
Click to expand...
Click to collapse
If I understand correctly, there is a SysScope.apk that does various checks detailed in that post so I'm assuming if that apk is disabled on a "virgin" system after doing this process would ensure that the custom flag never gets touched. There is also mention of a system dynamic library that does some checks but not sure impact of disabling that as well, maybe makes more sense to see what would other process would be using it besides SysScope.apk.
Interesting stuff. Sounds like just freezing/removing them will still give custom unlock, but it might be possible to write replacements which don't actually do the checks.
Unfortunately, I won't have a huge amount of time to spend on research for the next two weeks, but I'll see what I can do, and see what the other devs have done with reversing SysScope and libcordon.
This root method reminds me of Motorola's infamous "zergRush" root exploit. A great way to root the device without even touching the ROM.
Noxious Ninja said:
Interesting stuff. Sounds like just freezing/removing them will still give custom unlock, but it might be possible to write replacements which don't actually do the checks.
Unfortunately, I won't have a huge amount of time to spend on research for the next two weeks, but I'll see what I can do, and see what the other devs have done with reversing SysScope and libcordon.
Click to expand...
Click to collapse
Sounds good.
I could be wrong but I'd imagine that since that by default the flag is not set so we should be good by just disabling them. I might just be the guinea pig and immediately rename SysScope and the libcordon after rooting to see if flag gets tripped.
Based on Lee's analysis what doesn't add up is why people who flash the full rooted "stock image" have not reported this flag being tripped yet...
lowg said:
Sounds good.
I could be wrong but I'd imagine that since that by default the flag is not set so we should be good by just disabling them. I might just be the guinea pig and immediately rename SysScope and the libcordon after rooting to see if flag gets tripped.
Based on Lee's analysis what doesn't add up is why people who flash the full rooted "stock image" have not reported this flag being tripped yet...
Click to expand...
Click to collapse
It might be that if you disable them while you don't have custom unlock, it works, but if you already have custom unlock you would have to reset it somehow.
If you decide to try it, see if you can still bring up the Settings ––> About device ––> Status menu to see Device status, or if that crashes.
Noxious Ninja said:
It might be that if you disable them while you don't have custom unlock, it works, but if you already have custom unlock you would have to reset it somehow.
If you decide to try it, see if you can still bring up the Settings ––> About device ––> Status menu to see Device status, or if that crashes.
Click to expand...
Click to collapse
Ok, after rooting, I immediately disabled only SysScope.apk by renaming it, installed Superuser from market and updated binary, rebooted no unlock screen. Settings -> About device -> Status works fine. Device status section shows "Scanning..." for about two minutes after rebooting then simply "Modified".
After this tried soft reboot, hard reboot numerous times and still no "custom unlock" boot screen.
lowg said:
FlyingPoo, did you get the "custom unlock" boot screen after adding the su binary?
Click to expand...
Click to collapse
hmm. actually i do. Altho my Device status says normal.
FlyingPoo said:
hmm. actually i do.
Click to expand...
Click to collapse
hmmm, maybe it does have something to do with that apk then. originally that's all I renamed but since then froze a lot of apps and still no unlock, only showing modified status
Sent from my SCH-I535
FlyingPoo can you post more about what you did after rooting?
Did you immediately installs the ChainsDD version of su (via the binary updater in the Superuser market app) or did you stick with the version of su that came with the script for a while?
Did you ever enter "Odin/Download" mode of your device?
Just trying to figure out how our devices could have a different status if we both started from "virgin" GS3s.. Don't want to assume it's just SysScope either since I never disabled the libcordon.so and maybe it's used in other places in the system...
**moderators if this in wrong place feel free to move it**
as we know sprint and att variants have locked bootloaders I am posting this for a knowledge base, and hopefully to have some devs jump aboard and help get root and or recovery for us as well.
Here is what I have so far
Default.prop lines:
ro.oem_unlock_supported=1
ro.secure=1
security.perf_harden=1
ro.adb.secure=1
ro.allow.mock.location=0
ro.debuggable=0
persist.sys.usb.config=boot
pm.dexopt.install=speed
pm.dexopt.first-boot=speed
Adb getprop output lines:
ro.boot.authorized_kernel]: [true]
[ro.boot.baseband]: [msm]
[ro.boot.bootdevice]: [624000.ufshc]
[ro.boot.console]: [ttyHSL0]
[ro.boot.ddr_info]: [0x6]
[ro.boot.ddr_size]: [4294967296]
[ro.boot.dlcomplete]: [0]
[ro.boot.flash.locked]: [1]
[ro.boot.hardware]: [elsa]
[ro.boot.revision]: [12]
[ro.boot.rpmb_state]: [1]
[ro.boot.serialno]: [LGLS997e5161ca]
[ro.boot.svelte]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
I have experimented with @jcandduo dirty cow exploit for the tmob devices and get error when tryimg to execute
Chmod 0777 *
and
Chmod 0777*
also dont know if its related or not but the last command
$ ./dirtycow /system/bin/run-as recowvery-run-as $ run-as exec ./recowvery-applypatch boot "<wait for it to flash your boot image this time>"
Did not work the rest of the steps flashed succesfully
And get enforce was enforcing as well
My hopes behind this thread is to get some help and maybe get a root for this device.
UPDATE: we have found two win32 binaries called Push_File.exe and Send_Command.exe that work with this device in download mode I have confirmed both of them work.....
At this point we are needing busybox binaries for our phone and Root.sh for our device
As of Nov 06th a bounty thread has been created to help assist with this
http://forum.xda-developers.com/v20/how-to/bounty-thread-lg-v20-devices-locked-t3495200/page1
We now have osc for our devices
Sprint
https://www.dropbox.com/s/owthb42l7gah9ey/LGLS997_Nougat_Android.zip?dl=0
Att
https://www.dropbox.com/s/mwm438oktxce9es/LGH910PR_Android_Nougat.zip?dl=0
Reserved
Reserved. I wish I was smarter and could help you guys more. I love the phone without root but that bloat is killing me.
Ryuk359 said:
Reserved. I wish I was smarter and could help you guys more. I love the phone without root but that bloat is killing me.
Click to expand...
Click to collapse
Thats the point behind the thread hopefully if we all put our heads together we can figure a work around out or find a dev that write the code for us
Alright. So, with the bootloader locked, it will not load the custom recovery (temp Permissive boot). It will try to load it, says the error I posted before, then reboots normally. If I hold Power + Vol Down, it'll try to boot recovery, giving the error again, until I let it boot normally. When it gets to Android OS, it's Enforcing, and recovery is flashed back to stock. There are my notes!
pro_granade said:
Alright. So, with the bootloader locked, it will not load the custom recovery (temp Permissive boot). It will try to load it, says the error I posted before, then reboots normally. If I hold Power + Vol Down, it'll try to boot recovery, giving the error again, until I let it boot normally. When it gets to Android OS, it's Enforcing, and recovery is flashed back to stock. There are my notes!
Click to expand...
Click to collapse
Were you able to get chmod 0777 to work?
What if we chown 0777 ?
I believe that the chmod command works you just receive an error when changing the ownership of the 2 files flatland and flatland64 (I think that's what the file names are).
But yeah you never are put into a root shell and therefore the scripts do not change your SELinux to permissive.
What would be a good way to set up a bounty for this? I. E. Kickstarter, gofundme, etc? I think it could help garner support and most folks are willing to kick in a few bucks for it. I know I am.
Ryuk359 said:
What would be a good way to set up a bounty for this? I. E. Kickstarter, gofundme, etc? I think it could help garner support and most folks are willing to kick in a few bucks for it. I know I am.
Click to expand...
Click to collapse
Probably gofund me however i dont know how we would get people to see it i was thinking the same thing
twistedvip said:
I believe that the chmod command works you just receive an error when changing the ownership of the 2 files flatland and flatland64 (I think that's what the file names are).
But yeah you never are put into a root shell and therefore the scripts do not change your SELinux to permissive.
Click to expand...
Click to collapse
Right i was hoping there would be a workaround for that i am going to try chown tonight
rickberg said:
Right i was hoping there would be a workaround for that i am going to try chown tonight
Click to expand...
Click to collapse
Thing is, those files (I believe) should have no effect to the actual dirtycow exploit binaries for the Tmobile variant.
twistedvip said:
Thing is, those files (I believe) should have no effect to the actual dirtycow exploit binaries for the Tmobile variant.
Click to expand...
Click to collapse
He said he updated the binaries yesterday i have not tried with the updated binaries i will try layer
Ok so i tried and this time cant get past the reboot part just hangs the chown 0777 * does do something without that command it says access denied
Did someone grab the root shell from this post? I didn't grab it originally and now it's 404. It would save me some trouble of building my own.
http://forum.xda-developers.com/showpost.php?p=69307743&postcount=109
Basically, the story here is that at this point unless we can get the bootloader unlocked we can't boot into a permissive mode. Bypassing the ATT bootloader seems to be a no-op unless someone has some brilliant idea.
That means your best hope at this point is somehow finding a way to do something really permissive on the system to mod with the dirtycow exploit that could lead to a temp root that would have to be reapplied every boot.
A fully permissive exploit could, in theory, allow you to run 'setenforce 0' to just turn off selinux at runtime. Currently using run-as on my device with the cow exploit does not allow to me to turn off enforcing.
Well I'm posting to follow this thread. I have a sprint lg v20 and I'm highly interested in getting root on this device.
so if we have a locked bootloader, what's the point in having the "Enable OEM unlock" option under Dev options? I'm talking the Sprint model..
maybe u guys should look at something similar to depixel8
elliwigy said:
maybe u guys should look at something similar to depixel8
Click to expand...
Click to collapse
With the VZW pixel, I believe they were able to get into the fastboot screen still - they just were getting error messages of not being allowed to run commands on fastboot.
With our variant of the V20 - the bootloader is locked down. Only way in is through either an eng image or by reverse engineering the SHA keys to allow us into the bootloader screen.
I think it will be much harder to get this bootloader unlocked than how they did depixel8.
Guide that could help us figure out how to enable fastboot.
1. Plug phone in
2. Open CMD as administrator
3. cd to your android sdk platform-tools section
4. Make sure you have USB Debuggin on
5. type adb shell
6. type ls
This allows you to view everything of the phone and I mean everything. If we could compare bootloader section and or fastboot sections with T-Mobile variant we might be able to figure out how to enable these!
SaintZ93 said:
Guide that could help us figure out how to enable fastboot.
1. Plug phone in
2. Open CMD as administrator
3. cd to your android sdk platform-tools section
4. Make sure you have USB Debuggin on
5. type adb shell
6. type ls
This allows you to view everything of the phone and I mean everything. If we could compare bootloader section and or fastboot sections with T-Mobile variant we might be able to figure out how to enable these!
Click to expand...
Click to collapse
I'm going to be quite honest here. Getting into your shell as a regular user is not going to do literally anything for you without an exploit. Currently the dirtycow exploit that is used for root privileges on T-Mobile variant does not work.
Even if there was a way to look at the bootloader section (theres not as a regular user) - you cant modify anything.
When you go into the shell, you're placed into the root directory ('/'). It only shows files on the phone inside that root directory. Most important folders you cannot even go into (or list).
Here's how I got my zte maven 2 (ATT) rooted.
Disclaimer: This method worked for me but may not work for others, I am not responsible if your device is bricked as a result of this. Also, this method does seem to be a bit finicky and inconsistent.
I rooted this phone twice, and it took about 15-20 tries each time for it to finally work. This is not a root you can do in 5 minutes (unless you are extremely lucky) Plan to set aside an hour or two, and a lot of patience, if you want this to work.
Credit to @madvane20 his post here helped me get root for this phone. He also got his phone rooted before I did, be sure to give him thanks.
Credit to @ZTE Girl for finding a way to remove ads from King root and keeping perm root.
With KingRoot you can get perm root, but personally I hate KingRoot, so at the end there is a method to replace KingRoot with SuperSu. Unfortunately SuperSu root resets on reboot, but a quick, 10 second adb command will reroot your phone with SuperSu
Edit: @ZTE Girl found that using lucky patcher to remove ads from King root worked for her and kept permroot.
Step 1: Enable USB debugging on your phone, and download adb and ZTE drivers to your PC.
2: Download KingRoot from KingRoot.net (download the apk for android)
3: Connect your phone to ADB, and run this command in terminal adb shell make sure you get no errors and accept any USB debugging requests.
4: Now type reboot disemmcwp This will reboot your phone without write protection.
5: When your phone reboots, run adb shell again, and install the kingroot APK. Google will give you a warning about this app being unsafe, install it anyways.
6: Now, here's the finicky part, sometimes KingRoot works, sometimes it doesn't, you just have to keep trying. Make sure your phone is still connected to the computer through adb shell, and then click try root in KingRoot. While KingRoot is attempting to get root: in adb shell keep typing su and pressing enter. Just spam this, It will keep giving errors, but eventually it (should) work. Make sure to accept any prompts on your device while you do this.
7: When you are able to successfully get into su, wait a bit, just to make sure your device doesn't restart
8: Now type getprop ro.product.name, the response should be Z831
9: Now type setprop persist.sys.k Z831, then type getprop persist.sys.k It should say Z831
10: Now type cd /dev/block/platform/soc.0/7824900.sdhci/by-name/
11: Then type dd if=recovery of=/sdcard/recovery.img This will backup your recovery, I highly recommend that you copy the backup to your computer in case something goes wrong.
12: Now type dd if=boot of=recovery, this will write boot to recovery. This part can be risky, it worked for me, but if it bricks your device, you can't say I didn't warn you with that said, don't let that scare you away from finally rooting this device and getting all the advantages that come with it
13: Now type this reboot recovery Your device my blackscreen and not boot after this, personally mine did, and I fixed it by removing the battery, and after puttting it back in, it booted normally.
14: When your phone boots up, type adb shell again, and then type su
15: Type id response should be "uid=0(root) gid=0(root) context=u:r:shell:s0" Note: I don't think my uid showed when I did this, if yours doesn't show, don't worry, it should work fine.
16: Now type setenforce 0
17: After that, type getenforce, it should respond back with "permissive"
18: To test if system is writable, type mount -o remount,rw /system, if you get no errors, everything is working , if you get an error, type reboot disemmcwp, and then try to mount system RW again.
19: I would recommend removing the update service now, so an update doesn't come and screw up your root.
20: Read this: Now you should have permroot with kingroot, however, as you will soon find, kingroot has a ton of ads, and can get very annoying. So, if you want SuperSu and no kingroot, keep reading. If you want to keep KingRoot, then you are done, have fun with your rooted Maven 2
Edit: @ZTE Girl found that you can use lucky patcher to remove ads from Kingroot while still keeping permroot.
21: Download the KingToSuperSu zip in attachments, I have modified it slightly from the original zip so it works better. You will see a folder inside the zip named "mrw" copy this folder to the root of your /sdcard (must be copied to the root of /sdcard)
22: Now go into adb shell again, and then type su
23: Type mount -o remount,rw /system
24: If you get no errors, simply type sh /sdcard/mrw/root.sh, you will see a lot of errors in the script, no need to worry, now you should have SuperSu. Note: sometimes you get a notification saying "com.eu.chainfireSuperSu has stopped" or something like that, run the command again, and it should work.
25: SuperSu will say binary needs to be updated, but the update always fails, however you can click no thanks, and it will work fine.
26: SuperSu root will go away after you reboot, however, to get root back, simply type adb shell (while connected to your computer of course) then su and then sh /sdcard/mrw/root.sh and just like that, you're rooted again. Note: I couldn't get this to work in a terminal emulator, and it would only work in adb shell for me.
Edit: If you want stock recovery back, run this command in adb shell with su dd of=recovery if=/sdcard/recovery.img. I haven't tested this, and it might unroot/brick your device. This is at your own risk.
This guide was long and complicated, sorry for that, if you need any help, just ask me and I will try to help the best I can.
If this guide helped, please clicks thanks, it means a lot to me
Proof: http://imgur.com/a/zecyU
btw easy way to get rid of ads diasbale the charging thing in king settings and adaway its what i did on the warp 7
carrier iq
this phone has carrier iq, i was able to get temp root without write using kingroot, so i was able to delete, disable apps, and also, remove carrier iq with the quide you can find on the: androidexplained website. i could not actually delete the files in the last two steps but it seemed to work anyway. this is my first post so i can't put links.
Question1: i don't like typing cause i make stupid mistakes, but im assuming i could put all your command in individual batch files ending with a pause on each, and prefixing all you commands with "adb.exe shell su". that way i could stop and see what happened and then continue.
Question2:
dd if=recovery of=/sdcard/recovery.img
seems to mean copy the boot partion to an image file on the internal sd card. am i correct?
and
dd if=boot of=recovery
seems to mean overwrite the boot partition with an image- (file)?
if so what image file?
sorry, im new to all this, i guess i probably don't have enough confidence to do this, my z831 works very well without all the bloat anyway. and yes i understand the risks if i do decide to proceed, anyway. i have 3 $10 and $20 phones that are not bricked but i forgot to reenable the system apps before i removed root and reset, so they might as well be bricked cause they cant do anything after they boot.
btw, you mentioned in one step to wait, to see if it reboots, to see if it is stable before continuing:
for me i remember that either having too many apps running or stopping too many system apps, seemed to make this z831 unstable and reboot, while it had temp root.
Question last: do i need to start the process as you said while kingroot is in the process of rooting, or can i wait till it is finished getting it's root?
duane2064 said:
this phone has carrier iq, i was able to get temp root without write using kingroot, so i was able to delete, disable apps, and also, remove carrier iq with the quide you can find on the: androidexplained website. i could not actually delete the files in the last two steps but it seemed to work anyway. this is my first post so i can't put links.
Question1: i don't like typing cause i make stupid mistakes, but im assuming i could put all your command in individual batch files ending with a pause on each, and prefixing all you commands with "adb.exe shell su". that way i could stop and see what happened and then continue.
Question2:
dd if=recovery of=/sdcard/recovery.img
seems to mean copy the boot partion to an image file on the internal sd card. am i correct?
and
dd if=boot of=recovery
seems to mean overwrite the boot partition with an image- (file)?
if so what image file?
sorry, im new to all this, i guess i probably don't have enough confidence to do this, my z831 works very well without all the bloat anyway. and yes i understand the risks if i do decide to proceed, anyway. i have 3 $10 and $20 phones that are not bricked but i forgot to reenable the system apps before i removed root and reset, so they might as well be bricked cause they cant do anything after they boot.
btw, you mentioned in one step to wait, to see if it reboots, to see if it is stable before continuing:
for me i remember that either having too many apps running or stopping too many system apps, seemed to make this z831 unstable and reboot, while it had temp root.
Question last: do i need to start the process as you said while kingroot is in the process of rooting, or can i wait till it is finished getting it's root?
Click to expand...
Click to collapse
i have a batch script i made for the warp 7 that i think will work for this phone but i never posted any of it cause he released the guide first so i told him to keep it and no the boot to recovery overwrites recovery with boot image from boot then after everything has perm root u can flash the recovery back to recovery. do we need a batch script no do we need to mess with other files risking a brick no kingroot is fine til we can find a way to get access to bootloader for fastboot as well as get a twrp built for the phone. theres ways to make kingroot not as annoying ad blocker disable notifications from kingroot and disable fastcharging lock screen. but u more than welcome to tamper just be aware u brick ur phone in the process theres no fix. as well if it makes it easier for people i will write a batch script that walks them through the process with the pauses shows them what it does so they can learn for future purpose but i m0ean the guides pretty simple
---------- Post added at 01:55 PM ---------- Previous post was at 01:51 PM ----------
wait is this thread maven or maven 2?
step 9 is different than yours, why?
Question for madvane20
XCnathan32's step 9: "Now type
setprop persist.sys.k Z831
BUT in your bat file:
adb.exe shell su
setprop ro.product.name Z831
of course swaping out ZTE_BEAM for Z831
is one better than the other or should they both be done?
yea i think i need to maybe fix the bat but im working on stuff atm got rl stuff im busy with but once im done i will finish a bat for the warp 7 and one for this phone. but yes u swap the name of the phone out for what phone u have.
---------- Post added at 03:26 PM ---------- Previous post was at 03:25 PM ----------
the warp 7 has different name etc so yea the warp 7 post is different im trying to work on everything as well keep working on my huawei ascend xt as well real life stuff
Question for madvane20, im sorry, i meant persist.sys.k OR setprop ro.product.name, this is the discrepancy in the two instructions.
did u read the guide for the zte maven 2 and also look at the guide for the warp 7 u will see the difference it just takes u to read them then u shouldnt have any questions
is this syntax correct, before i try it?
batch.txt:
https://dl.xda-developers.com/4/2/2/0/4/0/3/batchfiles.txt?key=NgPk58hMrJO5QXnvDcnCPw&ts=1500762566
if anyone wants to ask me questions just pm me or get ahole of me on hangouts im listed as dav ril or madvane20
I have used Wugfresh's NRT with my previous Nexus devices with stellar results and I downloaded ADB to try your guys method with a Z831 however, I need ti know if this guide is Android version specific? I recently went from 5.1.1 to 7.1.1 in like 3 OTA AT&T updates, so this device is running Nougat. Also, is PIE something new to 7.0 ? I read somewhere this affects the root process. Why do they have "Unlock bootloader" option in Dev settings ? Can I just run an ADB command to enable Write permission to delete 40-50 #/System/App .apk's?
Yo OP, I genuinely appreciate you sharing this. I found that everything has worked perfectly. I managed to get perm root and I just tried to install SU, gonna see if it worked. Thanks bro
Sent from my N9519 using Tapatalk
So, is it working? please let me know because i also want to root it.
---------- Post added at 04:36 AM ---------- Previous post was at 04:27 AM ----------
How to install adb and Zte drivers on your computer? please reply
379068 said:
So, is it working? please let me know because i also want to root it.
---------- Post added at 04:36 AM ---------- Previous post was at 04:27 AM ----------
How to install adb and Zte drivers on your computer? please reply
Click to expand...
Click to collapse
The ZTE drivers should be on your phone. One of the mount options, when you plug in your phone is to install drivers.
This method really works. You can copy your recovery back after, you do not loose root. You are also able to re-root and make it permanent again after a factory reset, it is just takes many more exploit attempts. You can also install Xposed through Xposed Installer.
Anybody bought and tried Super-Sume Pro with this phone yet?
can thsi be done on other mavens?
Can you do this on a Maven 3 running nougat?
Is the root method working with ZTE Maven 3?
Anyone tried this on ZTE Maven 3? Got 2 from Bestbuy, would like to have them rooted.
Thanks.
Logos Ascetic said:
Can you do this on a Maven 3 running nougat?
Click to expand...
Click to collapse
I recently dissected the partition index and firmware structure of the ZTE Maven 3, in hopes of discovering a viable root exploit. Because it ships with stock Android Nougat, systemless root via patched boot image would be preferable. But, because the bootloader does not appear to be unlockable by any known method or exploit, systemless root is not currently an option. Accordingly, I focused on the less desirable method of system-mode rooting, which injects the SU daemon and corresponding root binaries to the Android OS by way of the /system partition directly. Again, an obstacle ensued: the stock kernel of the ZTE Maven 3 is secured by AVB 2.0/dm-verity (device mapping), which checks the /system partition for any modifications whatsoever prior to allowing the OS to boot. So, if /system is modified in any way, or so much as mounted r/w, a perpetual boot loop will commence via dm-verity.
So, in short, due to the locked bootloader state and verified boot/device mapping, safely & effectively rooting the stock Android Nougat OS of the ZTE Maven 3 doesn't presently appear to be feasible.
Note: I realize that the OP designated this as a ZTE Maven 2 thread, and I apologize to the OP if I'm off topic. I only addressed the Maven 3 because of the number of questions in the thread.
I have the z831 through at&t. I'm pretty sure I unlocked the bootloader in developer options as nothing would root the phone until I turned it on. Everything worked, but is there a custom recovery or rom?
kingroot.net even if you choose english gives you a chinese app
I tested this on my Dasaita px6 mtce head unit once I installed Android 10
(thanks @Diavol for the tip)
I know that there are other ways to do this, but this is how I accomplished it.
****************DO THIS AT YOUR OWN RISK***********************************
1- On Head Unit: install a terminal emulator and run the three following commands pressing enter each time. (device will reboot). This will open ADB witj root permissions on port 5555
setprop persist.adb.tcp.port 5555
setprop sys.rkadb.root 1
reboot
*******************************************************************************
2- Uzip Su-Magisk folder and place the files on the root directory of your PC ( C:/ )
Open command prompt window on your PC with administrative privileges and enter one line at a time,,,,,, if you get stuck at "adb shell /system/bin/su --daemon", repeat the process on a new command prompt
window. When that is finished install Magisk V 20.4 (20400), after it gets installed it will search for updates and will say that the app is not installed, press on install, a window will pop up, choose to install it as a "Direct Install (Recommended)" when finished, press the yellow reboot button.
cd c:/
adb connect (enter here your ip address number, for example 10.0.0.2)
adb root
adb connect (enter here your ip address number, for example 10.0.0.2)
adb remount
adb shell setenforce 0
adb push su /system/xbin/su
adb push su /system/bin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell /system/bin/su --install
adb shell /system/bin/su --daemon
adb push rooting.rc /system/etc/init/rooting.rc
***************************************************************************
***************************************************************************
Finally, after months of garbage "help me how do I do (the same boring question multiple new members signed up to XDA for - without reading the forums a thoughtful contributing post! Brilliant!
marchnz said:
Finally, after months of garbage "help me how do I do (the same boring question multiple new members signed up to XDA for - without reading the forums a thoughtful contributing post! Brilliant!
Click to expand...
Click to collapse
Yeah, that's how it sometimes goes, I am still testing this stuff.
Для РХ5 тоже подойдет??
Suitable for PX5 too ??
---------- Post added at 09:03 AM ---------- Previous post was at 08:57 AM ----------
I read different forums, and there seems to be a way to make boot.img root (also through Magisk) and flash it into the radio
AndreySanich said:
Для РХ5 тоже подойдет??
Suitable for PX5 too ??
---------- Post added at 09:03 AM ---------- Previous post was at 08:57 AM ----------
I read different forums, and there seems to be a way to make boot.img root (also through Magisk) and flash it into the radio
Click to expand...
Click to collapse
Yes I am aware of that, but why? when I install Magisk it patches directly the stock boot image, or am I wrong? please let me know.
Al Ferro said:
Yeah, that's how it sometimes goes, I am still testing this stuff.
Click to expand...
Click to collapse
I mean, well done, great post!
I wonder how that's gonna work?
Rockchip boot.img or patches are not supported by Magisk.
There must be more experience reports, someone might get a boot loop.
sorry, maybe for the translation I missed something, how do I connect pc and tablet ?, ip address to put I guess is that of the tablet ?.
thanks for your patience.
Have anyone tried to root with this method ?
jamal2367 said:
Have anyone tried to root with this method ?
Click to expand...
Click to collapse
Yeah, me. I' ve done it many ,many times because I am testing stuff, no boot loops or anything so far.:good::laugh:
marcanpaolo said:
sorry, maybe for the translation I missed something, how do I connect pc and tablet ?, ip address to put I guess is that of the tablet ?.
thanks for your patience.
Click to expand...
Click to collapse
Yes, your radio unit's ip address .
Al Ferro said:
Yeah, me. I' ve done it many ,many times because I am testing stuff, no boot loops or anything so far.:good::laugh:
Click to expand...
Click to collapse
I have a PX5.
The problem is that I do not have a test radio where I can test it all the time.
It takes a long time to set up the radio back the way it was before.
The problem is actually that Magisk does not support rockchip ramdisk.
I have tried it several times in the past and it always resulted in boot loops or black screens.
Show this issue on github:
https://github.com/topjohnwu/Magisk/issues/755
Maybe there are differences from radio to radio.
With you it works and with others it doesn't, that's the question.
jamal2367 said:
I have a PX5.
The problem is that I do not have a test radio where I can test it all the time.
It takes a long time to set up the radio back the way it was before.
The problem is actually that Magisk does not support rockchip ramdisk.
I have tried it several times in the past and it always resulted in boot loops or black screens.
Show this issue on github:
https://github.com/topjohnwu/Magisk/issues/755
Maybe there are differences from radio to radio.
With you it works and with others it doesn't, that's the question.
Click to expand...
Click to collapse
It Works wonderful with my Dasaita head unit.
One cannot expect correct answers here, can one?
Grow up and stop acting like a child
jamal2367 said:
One cannot expect correct answers here, can one?
Grow up and stop acting like a child
Click to expand...
Click to collapse
Hey, I am just saying that I have not problems at all running this stuff on my radio unit, I don't know what brand of radio unit you have, I see on the market a lot of cheap stuff that I personally avoid. This guide is for every one that feels confident to try it out, I am not forcing anyone to do it, I can tell you that I am happy that it works for me, let's keep on learning good stuff.:good:
jamal2367 said:
One cannot expect correct answers here, can one?
Grow up and stop acting like a child
Click to expand...
Click to collapse
without testing, you won't get a result. I already sent you a private message about the build test. Yes, we have different CPUs, but if you want results, you must sacrifice time and settings.
Ok i have test it and it´s working without any problems.
Magisk + Magisk Module!
jamal2367 said:
One cannot expect correct answers here, can one?
Grow up and stop acting like a child
Click to expand...
Click to collapse
jamal2367 said:
Ok i have test it and it´s working without any problems.
Magisk + Magisk Module!
Click to expand...
Click to collapse
which method worked?
Diavol said:
which method worked?
Click to expand...
Click to collapse
From this thread. :good:
jamal2367 said:
From this thread. :good:
Click to expand...
Click to collapse
with the stock boot?