ZTE Maven root (Z831) - Android General

Here's how I got my ZTE Maven 2 (AT&T) rooted.
Disclaimer: This method worked for me but may not work for others. I am not responsible if your device is bricked as a result of this. Also, this method does seem to be a bit finicky and inconsistent.
I rooted this phone twice, and it took about 15-20 tries each time for it to finally work. This is not a root you can do in 5 minutes (unless you are extremely lucky). Plan to set aside an hour or two, and a lot of patience, if you want this to work.
Credit to @madvane20; his post here helped me get root for this phone. He also got his phone rooted before I did, so be sure to give him thanks.
Credit to @ZTE Girl for finding a way to remove ads from KingRoot and keep perm root.
With KingRoot you can get perm root, but personally I hate KingRoot, so at the end there is a method to replace KingRoot with SuperSU. Unfortunately SuperSU root resets on reboot, but a quick, 10 second adb command will re-root your phone with SuperSU.
Edit: @ZTE Girl found that using Lucky Patcher to remove ads from KingRoot worked for her and kept perm root.
Step 1: Enable USB debugging on your phone, and download adb and the ZTE drivers to your PC.
2: Download KingRoot from KingRoot.net (download the APK for Android).
3: Connect your phone to ADB, and run this command in a terminal: adb shell. Make sure you get no errors and accept any USB debugging requests.
4: Now type reboot disemmcwp. This will reboot your phone without write protection.
5: When your phone reboots, run adb shell again, and install the KingRoot APK. Google will give you a warning about this app being unsafe; install it anyway.
6: Now, here's the finicky part: sometimes KingRoot works, sometimes it doesn't, you just have to keep trying. Make sure your phone is still connected to the computer through adb shell, and then click Try Root in KingRoot. While KingRoot is attempting to get root, in adb shell keep typing su and pressing enter. Just spam this; it will keep giving errors, but eventually it (should) work. Make sure to accept any prompts on your device while you do this.
7: When you are able to successfully get into su, wait a bit, just to make sure your device doesn't restart.
8: Now type getprop ro.product.name; the response should be Z831.
9: Now type setprop persist.sys.k Z831, then type getprop persist.sys.k. It should say Z831.
10: Now type cd /dev/block/platform/soc.0/7824900.sdhci/by-name/
11: Then type dd if=recovery of=/sdcard/recovery.img. This will back up your recovery; I highly recommend that you copy the backup to your computer in case something goes wrong.
12: Now type dd if=boot of=recovery; this will write boot to recovery. This part can be risky. It worked for me, but if it bricks your device, you can't say I didn't warn you. With that said, don't let that scare you away from finally rooting this device and getting all the advantages that come with it.
13: Now type reboot recovery. Your device may black-screen and not boot after this; personally mine did, and I fixed it by removing the battery, and after putting it back in, it booted normally.
14: When your phone boots up, type adb shell again, and then type su.
15: Type id; the response should be "uid=0(root) gid=0(root) context=u:r:shell:s0". Note: I don't think my uid showed when I did this; if yours doesn't show, don't worry, it should work fine.
16: Now type setenforce 0.
17: After that, type getenforce; it should respond back with "permissive".
18: To test if system is writable, type mount -o remount,rw /system. If you get no errors, everything is working; if you get an error, type reboot disemmcwp, and then try to mount system RW again.
19: I would recommend removing the update service now, so an update doesn't come and screw up your root.
20: Read this: Now you should have perm root with KingRoot. However, as you will soon find, KingRoot has a ton of ads, and can get very annoying. So, if you want SuperSU and no KingRoot, keep reading. If you want to keep KingRoot, then you are done; have fun with your rooted Maven 2.
Edit: @ZTE Girl found that you can use Lucky Patcher to remove ads from KingRoot while still keeping perm root.
21: Download the KingToSuperSu zip in the attachments; I have modified it slightly from the original zip so it works better. You will see a folder inside the zip named "mrw"; copy this folder to the root of your /sdcard (it must be copied to the root of /sdcard).
22: Now go into adb shell again, and then type su.
23: Type mount -o remount,rw /system.
24: If you get no errors, simply type sh /sdcard/mrw/root.sh. You will see a lot of errors in the script; no need to worry. Now you should have SuperSU. Note: sometimes you get a notification saying "com.eu.chainfireSuperSu has stopped" or something like that; run the command again, and it should work.
25: SuperSU will say the binary needs to be updated, but the update always fails; however, you can click No Thanks, and it will work fine.
26: SuperSU root will go away after you reboot. However, to get root back, simply type adb shell (while connected to your computer, of course), then su, and then sh /sdcard/mrw/root.sh, and just like that, you're rooted again. Note: I couldn't get this to work in a terminal emulator; it would only work in adb shell for me.
Edit: If you want stock recovery back, run this command in adb shell with su: dd of=recovery if=/sdcard/recovery.img. I haven't tested this, and it might unroot/brick your device. This is at your own risk.
This guide was long and complicated; sorry for that. If you need any help, just ask me and I will try to help the best I can.
If this guide helped, please click Thanks; it means a lot to me.
Proof: http://imgur.com/a/zecyU

BTW, an easy way to get rid of the ads: disable the charging thing in KingRoot settings and use AdAway. It's what I did on the Warp 7.

Carrier IQ
This phone has Carrier IQ. I was able to get temp root without write using KingRoot, so I was able to delete and disable apps, and also remove Carrier IQ with the guide you can find on the androidexplained website. I could not actually delete the files in the last two steps, but it seemed to work anyway. This is my first post so I can't put links.
Question 1: I don't like typing because I make stupid mistakes, but I'm assuming I could put all your commands in individual batch files ending with a pause on each, and prefix all your commands with "adb.exe shell su". That way I could stop and see what happened and then continue.
Question 2:
dd if=recovery of=/sdcard/recovery.img
seems to mean copy the boot partition to an image file on the internal SD card. Am I correct?
and
dd if=boot of=recovery
seems to mean overwrite the boot partition with an image (file)?
If so, what image file?
Sorry, I'm new to all this. I guess I probably don't have enough confidence to do this; my Z831 works very well without all the bloat anyway. And yes, I understand the risks if I do decide to proceed, anyway. I have 3 $10 and $20 phones that are not bricked, but I forgot to re-enable the system apps before I removed root and reset, so they might as well be bricked because they can't do anything after they boot.
BTW, you mentioned in one step to wait, to see if it reboots, to see if it is stable before continuing:
for me, I remember that either having too many apps running or stopping too many system apps seemed to make this Z831 unstable and reboot, while it had temp root.
Question last: Do I need to start the process as you said while KingRoot is in the process of rooting, or can I wait till it is finished getting its root?

duane2064 said:
This phone has Carrier IQ. I was able to get temp root without write using KingRoot, so I was able to delete and disable apps, and also remove Carrier IQ with the guide you can find on the androidexplained website. I could not actually delete the files in the last two steps, but it seemed to work anyway. This is my first post so I can't put links.
Question 1: I don't like typing because I make stupid mistakes, but I'm assuming I could put all your commands in individual batch files ending with a pause on each, and prefix all your commands with "adb.exe shell su". That way I could stop and see what happened and then continue.
Question 2:
dd if=recovery of=/sdcard/recovery.img
seems to mean copy the boot partition to an image file on the internal SD card. Am I correct?
and
dd if=boot of=recovery
seems to mean overwrite the boot partition with an image (file)?
If so, what image file?
Sorry, I'm new to all this. I guess I probably don't have enough confidence to do this; my Z831 works very well without all the bloat anyway. And yes, I understand the risks if I do decide to proceed, anyway. I have 3 $10 and $20 phones that are not bricked, but I forgot to re-enable the system apps before I removed root and reset, so they might as well be bricked because they can't do anything after they boot.
BTW, you mentioned in one step to wait, to see if it reboots, to see if it is stable before continuing:
for me, I remember that either having too many apps running or stopping too many system apps seemed to make this Z831 unstable and reboot, while it had temp root.
Question last: Do I need to start the process as you said while KingRoot is in the process of rooting, or can I wait till it is finished getting its root?
I have a batch script I made for the Warp 7 that I think will work for this phone, but I never posted any of it because he released the guide first, so I told him to keep it. And no, the boot to recovery overwrites recovery with the boot image from boot; then, after everything has perm root, you can flash the recovery back to recovery. Do we need a batch script? No. Do we need to mess with other files, risking a brick? No. KingRoot is fine until we can find a way to get access to the bootloader for fastboot as well as get a TWRP built for the phone. There are ways to make KingRoot not as annoying: an ad blocker, disable notifications from KingRoot, and disable the fast charging lock screen. But you're more than welcome to tamper; just be aware that if you brick your phone in the process there's no fix. As well, if it makes it easier for people, I will write a batch script that walks them through the process with the pauses and shows them what it does so they can learn for future purposes, but I mean, the guide's pretty simple.
---------- Post added at 01:55 PM ---------- Previous post was at 01:51 PM ----------
Wait, is this thread Maven or Maven 2?

Step 9 is different than yours, why?
Question for madvane20:
XCnathan32's step 9: "Now type setprop persist.sys.k Z831"
BUT in your bat file:
adb.exe shell su
setprop ro.product.name Z831
(of course swapping out ZTE_BEAM for Z831)
Is one better than the other, or should they both be done?

Yeah, I think I need to maybe fix the bat, but I'm working on stuff ATM; I've got RL stuff I'm busy with, but once I'm done I will finish a bat for the Warp 7 and one for this phone. But yes, you swap the name of the phone out for what phone you have.
---------- Post added at 03:26 PM ---------- Previous post was at 03:25 PM ----------
The Warp 7 has a different name etc., so yeah, the Warp 7 post is different. I'm trying to work on everything, as well as keep working on my Huawei Ascend XT, as well as real life stuff.

Question for madvane20: I'm sorry, I meant persist.sys.k OR setprop ro.product.name; this is the discrepancy in the two instructions.

Did you read the guide for the ZTE Maven 2 and also look at the guide for the Warp 7? You will see the difference. It just takes you reading them; then you shouldn't have any questions.

Is this syntax correct, before I try it?
batch.txt:
https://dl.xda-developers.com/4/2/2/0/4/0/3/batchfiles.txt?key=NgPk58hMrJO5QXnvDcnCPw&ts=1500762566

If anyone wants to ask me questions, just PM me or get ahold of me on Hangouts; I'm listed as dav ril or madvane20.

I have used Wugfresh's NRT with my previous Nexus devices with stellar results, and I downloaded ADB to try your guys' method with a Z831. However, I need to know if this guide is Android version specific. I recently went from 5.1.1 to 7.1.1 in like 3 OTA AT&T updates, so this device is running Nougat. Also, is PIE something new to 7.0? I read somewhere this affects the root process. Why do they have an "Unlock bootloader" option in Dev settings? Can I just run an ADB command to enable write permission to delete 40-50 /system/app .apk's?

Yo OP, I genuinely appreciate you sharing this. I found that everything has worked perfectly. I managed to get perm root and I just tried to install SU, gonna see if it worked. Thanks bro
Sent from my N9519 using Tapatalk

So, is it working? Please let me know because I also want to root it.
---------- Post added at 04:36 AM ---------- Previous post was at 04:27 AM ----------
How do you install ADB and the ZTE drivers on your computer? Please reply.

379068 said:
So, is it working? Please let me know because I also want to root it.
---------- Post added at 04:36 AM ---------- Previous post was at 04:27 AM ----------
How do you install ADB and the ZTE drivers on your computer? Please reply.
The ZTE drivers should be on your phone. One of the mount options, when you plug in your phone is to install drivers.

This method really works. You can copy your recovery back after; you do not lose root. You are also able to re-root and make it permanent again after a factory reset; it just takes many more exploit attempts. You can also install Xposed through Xposed Installer.
Anybody bought and tried Super-Sume Pro with this phone yet?

Can this be done on other Mavens?
Can you do this on a Maven 3 running Nougat?

Is the root method working with ZTE Maven 3?
Anyone tried this on ZTE Maven 3? Got 2 from Bestbuy, would like to have them rooted.
Thanks.
Logos Ascetic said:
Can you do this on a Maven 3 running Nougat?

I recently dissected the partition index and firmware structure of the ZTE Maven 3, in hopes of discovering a viable root exploit. Because it ships with stock Android Nougat, systemless root via patched boot image would be preferable. But, because the bootloader does not appear to be unlockable by any known method or exploit, systemless root is not currently an option. Accordingly, I focused on the less desirable method of system-mode rooting, which injects the SU daemon and corresponding root binaries to the Android OS by way of the /system partition directly. Again, an obstacle ensued: the stock kernel of the ZTE Maven 3 is secured by AVB 2.0/dm-verity (device mapping), which checks the /system partition for any modifications whatsoever prior to allowing the OS to boot. So, if /system is modified in any way, or so much as mounted r/w, a perpetual boot loop will commence via dm-verity.
So, in short, due to the locked bootloader state and verified boot/device mapping, safely & effectively rooting the stock Android Nougat OS of the ZTE Maven 3 doesn't presently appear to be feasible.
Note: I realize that the OP designated this as a ZTE Maven 2 thread, and I apologize to the OP if I'm off topic. I only addressed the Maven 3 because of the number of questions in the thread.

I have the z831 through at&t. I'm pretty sure I unlocked the bootloader in developer options as nothing would root the phone until I turned it on. Everything worked, but is there a custom recovery or rom?

kingroot.net, even if you choose English, gives you a Chinese app.

Related

n00b rooting assistance - modified su utility

Hello all,
I've been a bit of a lurker this last couple of weeks since I ordered my HTC Magic and managed to last about a week after receiving it before trying to root it. I think the main part (taken from the Magic rooting wiki) went fine as I now have root from adb on my desktop PC.
However, in following the instructions for root access on the device from this page I seem to have come across a problem.
First of all, I can follow the instructions fine (most of the time I only get an echo of my command from adb), even getting the same su permissions as in the wiki, i.e.:
Code:
-rwsr-sr-x root root 76200 2009-05-30 11:28 su
However, giving the 'sync' command when asked to in those instructions gives me just an echo back of 'sync' (this may be normal, I'm not sure) and then when I enter "reboot" at the prompt the reply I get is "reboot: not found".
Even if I manually reboot the phone after this point, I still cannot get root at the terminal emulator on the phone.
So I have two questions: Firstly, does anyone know where I'm going wrong?
Secondly, is local root access necessary for flashing a new ROM (e.g. Ion) or is it only required for root apps (e.g. tether/overclocking apps)?
Bump bump...?
drewstiff said:
Hello all,
I've been a bit of a lurker this last couple of weeks since I ordered my HTC Magic and managed to last about a week after receiving it before trying to root it. I think the main part (taken from the Magic rooting wiki) went fine as I now have root from adb on my desktop PC.
However, in following the instructions for root access on the device from this page I seem to have come across a problem.
First of all, I can follow the instructions fine (most of the time I only get an echo of my command from adb), even getting the same su permissions as in the wiki, i.e.:
Code:
-rwsr-sr-x root root 76200 2009-05-30 11:28 su
However, giving the 'sync' command when asked to in those instructions gives me just an echo back of 'sync' (this may be normal, I'm not sure) and then when I enter "reboot" at the prompt the reply I get is "reboot: not found".
Even if I manually reboot the phone after this point, I still cannot get root at the terminal emulator on the phone.
So I have two questions: Firstly, does anyone know where I'm going wrong?
Secondly, is local root access necessary for flashing a new ROM (e.g. Ion) or is it only required for root apps (e.g. tether/overclocking apps)?
I have the same problem, "reboot: not found", and I can't get su in terminal. I followed the EXACT instructions in the Wiki, on two brand new phones, and get the same result. Someone please advise.
One other thing: I noticed that the original su has -rwsr-xr-x permissions (instead of -rwsr-sr-x), and I am really sure I didn't do anything to it. Does it make any difference? Are these things related?
I have this problem as well; the reboot command doesn't work on my Magic either...
I believe the reboot command was taken out of 1.5.
But so what? Just switch the phone off. Home + On. Select reboot.

build.prop restore - rooted phone but cannot gain SU or root in adb.

Hi all,
I have been through dozens of threads and forums looking for a solution to this.
I followed some instructions to modify the build.prop file on my Huawei G535-L11 to disable Huawei theme manager in order to get Xposed working fully (changed ro.config.hwtheme: 0). I did a backup of my original build.prop beforehand, and my phone was rooted and unlocked but running the stock ROM.
Unfortunately, it rebooted but won't go past the first 'EE' splash screen (it just turns off again).
I can inconsistently get into both fastboot and Android recovery, so I have been trying to use adb to push the original build.prop to /system/ on the phone.
However, this fails as /system/ is apparently RO. I have now discovered that I can't get SU permissions despite my phone being rooted.
If I try:
adb shell
$ su
nothing happens and it goes back to a $ prompt.
If I try:
adb root
I get the message (paraphrased):
adb cannot run as root in production builds.
So I can't push or do any adb method of restoring the build.prop file?! I don't understand why it is acting as if it is not rooted. I had Link2sd, Gravity Box, No Frills Cpu Controller all set up and working before, so I'm fairly sure I did truly have root.
I have also tried flashing a TWRP recovery, which apparently is successful, but when I go into recovery it is still the Android Recovery.
Does anyone have any ideas what I could do to get my phone working again please?! This is my last gasp before the phone gets filed under 'B' in the cylindrical cabinet in the corner of the room! :crying:
Any assistance greatly appreciated!
Bumpty bump?
So what ro.debuggable should be 0 with ro.secure

BLU Advance 5.0 HD

It looks to me like the best phone $80 can buy. I spent a couple of hours trying to figure out how to enable the Multi User module.
My understanding is that adding this to /system/build.prop would bring users module back:
fw.max_users=3
fw.show_multiuserui=1
None of the commonly used apps can root this phone.
Without root I cannot remount /system read-write to edit build.prop.
Stock recovery can mount /system.
There are options in recovery to run an update from SD card or to update via adb sideload, but the phone does not show in adb devices while in recovery. There is also a fastboot option.
I also tried the Dirty COW exploit, but it fails with "only position independent executables (PIE) are supported".
I am into this for only a couple of hours, so I know I am missing a lot. Any pointers that could get me closer to enabling the Users module would be welcome.
So, after some reading, I figured I should be able to apply an update from recovery that will replace build.prop with a modified one. For a start, to test things out, I just want to copy a file from update.zip to /system/build.prop.test.
I created update.zip with an update-script and the file I want to add to /system.
Here is update.zip: www . filedropper.com /update_10
I signed update.zip using this:
www . learn2crack.com /2014/02/sign-android-apk-zip.html
I get error "Signature verification failed". Is the problem that keys are test keys or that they are outdated? Is some special manufacturer key required to sign updates?
I am not looking for someone to do this, I just need to be pointed in the right direction.
I have multiple users now:
- downloaded TWRP from bluroms.info
- connected the phone, enabled USB debugging and OEM unlocking in developer options
- ran "adb reboot bootloader"
- after the phone booted in fastboot mode:
fastboot oem unlock (followed instructions on screen / all data wiped)
fastboot boot blutwrp.img (downloaded TWRP)
- TWRP started...
- mounted /system
adb pull /system/build.prop
- edited build.prop
adb push build.prop /system/build.prop
adb reboot
- phone got stuck on logo after reboot
- removed battery and started the phone again, and all seems good
@sasha_ Hey I know this isn't about how to root but could you tell me exactly how you managed to root your Blu Advance 5.0 HD? PM me.
mrfunnybone said:
@sasha_ Hey I know this isn't about how to root but could you tell me exactly how you managed to root your Blu Advance 5.0 HD? PM me.
If by rooting you mean installing SuperSU so that apps can request root access, I did not do that, because I do not need it. There must be some tutorial around about installing SuperSU once you have root access to /system, and the steps I described can get you there.
sasha_ said:
If by rooting you mean installing SuperSU so that apps can request root access, I did not do that, because I do not need it. There must be some tutorial around about installing SuperSU once you have root access to /system, and the steps I described can get you there.
So is getting root access to system like booting recovery TWRP, then pressing the Mount button and checking System? Sorry, I'm a newb at this.
I'd love to gain root on this phone. I have TWRP installed but can't seem to find a root method that works.
Just in case you guys are still watching this, I posted my experience with this phone here:
https://forum.xda-developers.com/showpost.php?p=75164672&postcount=26

[ROOT][SamPWND][N960U][WIP-Combo Needed]

Hello XDA!
Samsung has been semi SamPWND again!
Disclaimer:
This root method was developed and tested on the N960U model. This is the only model I have that is a Samsung device. I do have friends and other devs however that have tested this method on various other Samsung devices on both Qualcomm and Exynos chipsets and it has worked on a good number of them meaning this method is not limited to the Note 9. With that being said, due to all the time I have already spent on this and not having any other devices, I will ONLY be supporting the N960U. So do not get upset if I do not respond to you if you have a Samsung A8934839K312 on 7.1 Android (aka a device I have never even heard of before.)
Disclaimer 2:
This root method is mainly for devs or those who like to tinker and figure things out. The reason I say this is because at this time, you are REQUIRED to be on a factory/combination firmware to mess with the root method. I will ignore any comments/questions from people who do not read this disclaimer and ask me how to root stock etc., as that is what I have been trying to do for over a month now. If you need your phone for work or a daily, then I suggest only messing with this root method if you have a lot of spare time, since it involves flashing combo firmware, at which point mobile services and other stuff will not be functional. You have been warned!
Disclaimer 3:
This thread/POC is essentially to get you the ability to use root apps and have a root shell, that is it. If I have time and see some questions that are legit questions, I will try to provide help in a timely manner. This POC simply pushes the busybox binary from Magisk.zip and SuperSU (the last version Chainfire released before retirement) and installs it in sbin/daemon mode. There is also a way to install MagiskSU in daemon mode, as well as ways to install root to /system/xbin, for example, and do mods such as Xposed that typically need to modify the system partition, but that is not the purpose of this thread and these methods are a bit more involved (they require modifying the root script as well as setting up bind mounts and other stuff). Hopefully once this is released and some devs chime in there will eventually be others contributing with various root scripts, install methods etc., and of course HOPEFULLY we find a way to write to the system/odm/vendor partitions so we can eventually run root on stock!
Disclaimer 4:
I am NOT responsible if you break your phone, wipe your IMEI, hard brick etc. etc.! Also, I spent months to get to this point and already had someone steal my files from AFH (I know, my fault for not hiding them) so please do not take my work as your own. If you want to use it in any way/shape/form just ask for permission and/or give credits in your thread is all I ask! If you are however using someone else's modified files and in here trying to get help I might turn you away (back to the person who provided the modified files) just an FYI!
I think that is enough disclaimers for now!
Note: This thread will most likely be ugly for a bit as I am terrible with making these things look pretty... Hopefully as time goes I will keep improving it or find someone who is trustworthy I can make a "contributor" so they can fix it up for me haha.
Now, Let's Get To It!
Technical Details:
This is sort of a spawn from an exploit I found and reported to Samsung back on the Tab S3 that I never released on XDA. That method (long story short) involved modifying the Persist partition and flashing it in ODIN as ODIN did not check it for integrity. Of course it was patched by Samsung who gave me some $$$ and gave me a shout out on their security bulletin which was pretty cool!
This method is similar to "Persist Root" except we are not flashing any modified partitions in ODIN. Instead, on many Samsung combination firmwares there is an init rc script on /system. If you want to know if your device is compatible a good starting point would be to look for a file called "init.lab.rc" which is typically located at "/system/etc/init/init.lab.rc" like so:
Code:
-rw-r--r-- 1 root root u:object_r:system_file:s0 14784 2008-12-31 10:00 init.lab.rc
As it stands, we cannot edit this script. I noticed something cool however when I was reading it one day. Specifically one thing that caught my eye was this:
chmod 777 /data/lab/run_lab_app.sh
There are MANY files and scripts at /data/lab. Luckily, the init.lab.rc sets permissions to "0777" and sets ownership to system on the entire /data/lab directory! If you are still with me, this means all the contents of this directory are world readable/writeable and we can modify any of the files in this DIR without elevated privileges!
Now I am showing the "run_lab_app.sh" script specifically for a reason. We know we can modify any scripts on /data/lab, but how can we execute it with elevated privileges? Going back to the init.lab.rc, if you scroll to the bottom of the rc file you will see this:
Code:
service start_abc /system/bin/sh /data/lab/run_lab_app.sh factory abc+
    user system
    group system
    disabled
    oneshot

on property:sec.lab.abc.start=1
    start start_abc
    setprop sec.lab.abc.start 0
Now what that means is, when you set the property "sec.lab.abc.start" to "1" it executes the abc service as system user and more specifically it will start by executing the "run_lab_app.sh" script! Therefore, after you modify the script to your liking, push it to /data/lab/run_lab_app.sh, then do a "setprop sec.lab.abc.start 1" your script will be executed as system user!
Now system obviously is not "root". Now that we can execute as system user we have more attack vectors to elevate privileges even more. Ideally, I remembered how I rooted the Tab S3 about a year ago using Persist partition. As it stands, we are not able to read/write on persist. If we were to set permissions however on /persist using the run_lab_app.sh script, then we can gain access to it! Therefore, one would only need to add this command to the run_lab_app.sh script and execute it using the setprop command:
chmod -R 0777 /persist
As soon as you modify the script, push it and execute the setprop command, it will change permissions on the /persist DIR to be world readable/writeable!
Now, the reason why I like to use Persist: there is a script that is executed by INIT on every reboot automatically (this means it is executed by root!). The script in question is this one: "/persist/coresight/qdss.agent.sh" (I am not sure if this script itself is a Qualcomm specific script or not). Modifying this script has no ill effects on anything from what I have seen.
Now to see how the script is executed you can look in "/vendor/etc/init/hw/init.qcom.test.rc" and you will see some interesting stuff including this:
Code:
crownqltesq:/vendor/etc/init/hw # cat init.qcom.test.rc | grep persist
service cs-early-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh early-boot /vendor/bin/init.qcom.debug.sh
service cs-post-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh post-boot /vendor/bin/init.qcom.debug.sh
    write /persist/coresight/enable 1
    write /persist/coresight/enable 0
crownqltesq:/vendor/etc/init/hw #
As I stated earlier, due to this init script, the qdss.agent.sh script is executed by init context/root user automatically during early boot and post boot. This means once you get everything set up, you won't need to keep reinstalling root (unless you mess something up) on each reboot. This is ideal since we don't have a way yet to modify system/vendor/odm partitions yet. Think of it as a "systemless" root.
The POC I have provided in this thread contains the bare-minimum SU files. The files in the attached archive are simple: SamPWND.bat, sampwnd1.sh, sampwnd2.sh, and a sampwnd folder containing su, sukernel, supolicy, libsupol.so and busybox. It works like this:
1) You double-click the .bat file and it should do everything for you! The .bat file will:
- Push sampwnd1.sh to /data/lab/run_lab_app.sh
- Trigger the lab script by running "setprop sec.lab.abc.start 1"
- Push sampwnd2.sh to /persist/coresight/qdss.agent.sh
- Push the root files in the "sampwnd" folder to /persist/coresight/sampwnd
- Set permissions on the files we just pushed to /persist to 0777
- Reboot the device (the .bat file reboots the device at this point since everything is in place to root when the device comes back up; it's that simple!)
After the device reboots, you should be able to use a root shell, and sideloaded root apps (TiBu, Root Explorer, FlashFire, etc.) will work.
When the device reboots, the qdss.agent.sh script does the following automatically:
1) Remounts rootfs read-write and sets permissions to 0777 so we can write to /sbin
2) Copies the contents of the root files folder "sampwnd" to /sbin
3) Sets permissions on the files we just copied to /sbin
4) Exports the library path to /sbin, because supolicy needs libsupol.so to patch the sepolicy
- The export command is "export LD_LIBRARY_PATH=/sbin"
- Once the script finishes and you use another app or open a shell, that library path is gone/reset, so you don't need to worry about it.
5) Patches the sepolicy for SU
6) Installs SU by executing "su --install"
7) Starts the SU daemon by running "su --daemon"
8) Lastly, remounts rootfs back to read-only.
As stated earlier, these commands are all executed automatically by init, as root, each time you reboot the device. Essentially, whatever we put into the qdss.agent.sh script will be executed on boot by init as root. If for some reason the permissions are lost, we should still have our lab script, and we would only need to run "setprop sec.lab.abc.start 1" to change the permissions on /persist again!
The initial files I am providing today are just a simple root install script. I have successfully used the root script to install MagiskSU, Xposed (using bind mounts to overlay /system) and for other tests. At one point I also made a backup script that backed up all the partitions on the device into a folder, which I then extracted to my PC for safekeeping; you get the picture! Once you have root, however, you can do these things more easily, as you will have root access.
Now that you know the workings of the exploit (err, exploits?), I will briefly explain what is needed and how to test it.
Pre-requisites:
1) Download links will be in the 2nd post.
2) For the purpose of this thread, and since it is the only device I personally have, you should have an N960U/U1/W on a rev1 bootloader (there isn't a rev2 BL yet, so most should be good to go).
3) A vulnerable combo firmware. I linked the one I use in post 2: the 1ARG4 Factory/Combo firmware. Of course you will need Odin to flash the combo.
4) The root files 7z linked in post 2.
5) Stock firmware for when you are done playing, testing, etc.
6) Almost forgot: you will need ADB. I will not go into details on this; if you don't have a working ADB, Google is your friend. I recommend adding it to your PATH so you can use ADB from anywhere on the PC.
Install Instructions:
1) Extract the root files 7z into a directory of your choice.
2) Flash whichever vulnerable combo firmware you are using via Odin.
3) Once it boots up, make sure your device is seen by adb by running "adb devices".
4) Double-click the .bat file.
5) That's it! Your device will reboot and you should be rooted!
If for some reason it is not working and you are on an N960U/U1/W, there could be a number of reasons. If you are not using the 1ARG4 combo I linked, it's possible the combo you are using is not vulnerable. It could also be an issue with ADB. Sometimes, if things get crazy throughout your testing, you might need to reflash /persist in Odin, or reflash the combo firmware in Odin and then re-run the .bat file. (I typically only experience this when I get crazy with the root script and end up losing permissions to everything, or when something I added to the root script causes the device to boot-loop, etc.)
Now donations are not required but feel free to throw me some beer money if you want! My paypal email/link is in a few places, you shouldn't have any trouble finding it!
TELEGRAM LINK
https://t.me/joinchat/DxwvAlhtzHjg4EI9973BGQ
We will use the Telegram group to provide support and ideas and to share scripts/files, and HOPEFULLY we can all figure out together how to turn this into a root for the stock firmware, as that is the goal and will be the primary focus of the chat!
Credits:
@samsung - for letting us PWND them time and time again!
@chainfire - SuperSU, of course
@topjohnwu - MagiskSU, of course
@me2151 - For all the time and help he is going to be putting in with us! Such a great guy! lol
@jrkruse - For everything! Everything from EDL support, ROM support, root support, you name it!
@partcyborg - For also spending countless hours helping answer questions in here so I don't have to hahah
@mweinbach - He writes great articles for XDA! He is a good kid who frequently gets his hands on cool things
@mysecretfriendfromfaraway - I will not name him haha, he knows who he is. He always helps out and gets great things!
XDA:DevDB Information
SamPWND N960U Root, Tool/Utility for the Samsung Galaxy Note 9
Contributors
elliwigy
Version Information
Status: Testing
Created 2019-05-05
Last Updated 2019-05-05
Downloads:
1) 1ARG4 Factory/Combo Firmware
MD5: bf0702b4e85ac1547b5706bb4859f554
2) Root Files
MD5: 342f15e13c72f3d0f9194d8a14058ac9
Mine also...
Nice job!
Thank you @elliwigy !!!
Your determined effort is soooooooooooooooo much appreciated. :good:
You are the man! This has got to be the first one out. I don't think I have seen anything else. As usual you have done something remarkable for Samsung, and this time the Note 9 of all things. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched that any more lately?
noidodroid said:
You are the man! This has got to be the first one out. I don't think I have seen anything else. As usual you have done something remarkable for Samsung, and this time the Note 9 of all things. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched that any more lately?
Not possible... SamPWND used rev1 eng firmware, lol. It was done as soon as they incremented the bootloader.
elliwigy said:
Not possible... SamPWND used rev1 eng firmware, lol. It was done as soon as they incremented the bootloader.
Yup. =] I don't know, though. There's always something new that pops out of Sammy's goodie bag, lands in someone's lap and crawls its way onto XDA. Like you, I have a silentguywhospeaksanotherlanguage who always seems to amaze me... for the past 14 years. Would be awesome. Could be something kewl. Time will tell.
Definitely going to test out and report back! Sent you some money for some beers lol :highfive:
Still no one's tried? lol, I thought people would be all over it haha
elliwigy said:
Still no one's tried? lol, I thought people would be all over it haha
I'm gonna try it when I get off work
Incredible!! Wow, this alone is awesome, and that word doesn't do it justice. The talent you all have for this is really impressive. Thanks to all who had a major role in this. I will be posting results as soon as I can, hopefully tonight. It's all possible!!
Thank You
noidodroid said:
You are the man! This has got to be the first one out. I don't think I have seen anything else. As usual you have done something remarkable for Samsung, and this time the Note 9 of all things. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched that any more lately?
I'm PRETTY sure SamFail works via the EDL ROM from @jrkruse
Trying to install right now... So for the combo firmware, I am on build N960USQS1CSD1. How do I find the combo firmware for that? Is that just a matter of finding the stock firmware?
Your talent has impressed me. I appreciate it and congratulate you.
When I test my device, can we briefly list the things I need to do as follows?
1) 1ARG4 Factory/Combo Firmware: I need to flash it to my phone with Odin.
2) After flashing is finished, I have to wait for my device to boot.
3) After my device boots, I need to apply the root files to my device from the PC in the way you described.
4) After the root process reboots my device, I need to install the stock software.
5) Happy end.
Raz12 said:
Trying to install right now... So for the combo firmware, I am on build N960USQS1CSD1. How do I find the combo firmware for that? Is that just a matter of finding the stock firmware?
It will be easiest to just use the combo linked in the second post; newer combos are most likely patched. Also, if CSD1 is Pie then there will never be a Pie combo, so you'll need to flash an Oreo combo either way.
axioneer said:
Your talent has impressed me. I appreciate it and congratulate you.
When I test my device, can we briefly list the things I need to do as follows?
1) 1ARG4 Factory/Combo Firmware: I need to flash it to my phone with Odin.
2) After flashing is finished, I have to wait for my device to boot.
3) After my device boots, I need to apply the root files to my device from the PC in the way you described.
4) After the root process reboots my device, I need to install the stock software.
5) Happy end.
Read the OP. I'd say it's pretty easy/clear.
Also, it is not possible to have root on stock firmware right now; this was also clear in the OP.
The root only works on combo firmware. If you need to use your phone, then I suggest not using this root method until we figure out how to make it work on stock.
elliwigy said:
It will be easiest to just use the combo linked in the second post; newer combos are most likely patched. Also, if CSD1 is Pie then there will never be a Pie combo, so you'll need to flash an Oreo combo either way.
Yikes, I see the difference now. I mean it's done, but it's not like normal Android, it seems. I see what you mean. Well, I guess I'll just go back to stock Pie. Good work though man, you are doing great! Just to check though: it went to a factory binary screen, then to this lime green screen showing all this info. That's it, right?
I hope this leads to root for normal U1 firmware.
Raz12 said:
Yikes, I see the difference now. I mean it's done, but it's not like normal Android, it seems. I see what you mean. Well, I guess I'll just go back to stock Pie. Good work though man, you are doing great! Just to check though: it went to a factory binary screen, then to this lime green screen showing all this info. That's it, right?
It was probably green due to the battery being low; it changes color once it dips below a certain %.
And yeah, I assume you've never been on a combo firmware before, lol. They are all like that.

[CLOSED] Delete Thread.

Due to the disrespect of certain members I will no longer share the tutorials.
This tutorial is not working for Version 7.
An error message is displayed and the R/O cannot be released.
I have reported the error in the original thread.
I'm not very good at English.
PEACH-PIT said:
This tutorial is not working for Version 7.
An error message is displayed and the R/O cannot be released.
I have reported the error in the original thread.
I'm not very good at English.
Try and see if @munjeni has V2. That's what I used and it's working fine. He started having problems after that with V3 and onward. I personally have not tried V7.
It is not possible to try v2.
You should not try v3 or earlier, as they have serious errors.
I reported the error and got v9, but never got the r/w.
This tutorial is not working.
So far, I can't get r/w on moto g 5g.
PEACH-PIT said:
It is not possible to try v2.
You should not try v3 or earlier, as they have serious errors.
I reported the error and got v9, but never got the r/w.
This tutorial is not working.
So far, I can't get r/w on moto g 5g.
Here are the files I used for V2. While I did not have an error (and I'm still using my phone), please use this at your discretion and at your own risk. You will be able to achieve R/O access following my guide with this.
https://forum.xda-developers.com/t/script-android-10-universal-mount-system-read-write-r-w.4247311/
"moto g 5g" can use makeSystemRW v1.31.
It must be used in conjunction with makesysrw_repair.
makesysrw_repair requires Linux.
The size option will not work if it is too large or too small; you need to specify an appropriate size.
Please adjust it yourself.
I got the right result with 20 MB.
adb shell
su
chmod +x /data/local/tmp/makesysrw_1.31/makesysrw.sh
setenforce 0
/data/local/tmp/makesysrw_1.31/makesysrw.sh size=20
https://forum.xda-developers.com/t/...t-system-read-write-r-w.4247311/post-84914345
Perhaps this will eliminate the need for makesysrw_repair.
However, you will need an SD card.
adb shell
su
chmod +x /data/local/tmp/makesysrw_1.31/makesysrw.sh
setenforce 0
cd /data/local/tmp/makesysrw_1.31
./makesysrw.sh size=20 out=/external_sd/super.img
Articul8Madness said:
Update: I used Version 2 with no problems. According to @munjeni there are BIG DANGEROUS ISSUES with Version and newer. Starting at V7 there are clone issues. I have tried Version 9 and had those issues.
Using the V2 method you will be able to delete and remove files. The ability to resize the partitions has not been achieved, so you will be at the mercy of the space limitations in the partition.
This tutorial is for people like me that after rooting the Moto One 5G Ace XT-2113 (MetroPCS Qualcomm Variant) running on stock Android 10 discovered that their root did not grant them Write Access to system files. Starting with Android 10, a new System As Root protocol prohibits users from accessing all of their files due to Dynamic Partitions and being formatted to EXT4_FEATURE_RO_COMPAT_SHARED_BLOCKS, effectively making root useless. You can read about that here:
https://twitter.com/i/web/status/1170404631865778177
Fret not, a method has been made!
Follow the following at your own risk! I am not responsible for any mishaps with your devices and neither is @munjeni. I also don't know if this will work on other variants, as I only have tried this method on the RETUS and RETEU stock firmware. Also, this will NOT obviously work for Verizon, AT&T, and Cricket phones or other mobile carriers that lock their bootloaders.
I want to thank a couple of people for their big beautiful brains and hard work in figuring this out. First, all the love in the world goes out to @lebigmac. This beautiful soul and I have been back and forth a week trying to get something going on the Moto. I thank him for his patience, his genius, and his tenacity to hang in there with my device even after I threatened a bunch of times to go to Apple and be done with this new cumbersome lockdown AndroidOS. He gave the hope as his method has worked on Asus and Xiaomi variants. It has been an honor to be on his beta test team.
Last, but not least, I want to thank @munjeni whose method finally broke on through to the other side. If it were not for his big beautiful brain I’d be ordering me an iPhone and calling it quits. It is due to his and @lebigmac’s hard work researching and testing that gives us the ability to finally have full root access. Thank you guys. I love you both!
And please visit both of their threads and help them continue support and development on this project for ALL of your Android 10 phones (especially this one).
@lebigmac Method: [SCRIPT][Android 10+] Universal Mount System read write R/W
@munjeni Method: [TOOL][WIN,LIN,AND,DARW] Super image unpack-repack tools
Introduction/Preparation
First, go and prepare by READING EVERYTHING I’M WRITING IN THIS POST BEFORE YOU START. Very important. Don't even jump into this without reading this thread here all the way to the end. This isn’t exactly child’s play if you are not comfortable with the ADB Shell or Linux, and if you type the wrong commands you could do serious, irreparable damage to your device. It also doesn’t hurt to read the original thread for this all the way through, and you can find that here: Munjeni's Superpack Repack Tool
Second, make sure your bootloader is unlocked and you have Magisk root on your device. You can check the forum for tutorials on how to do that. This method will ABSOLUTELY NOT WORK if you are not bootloader unlocked, and rooted with your boot.img patched by Magisk. If you can’t figure out that part of it then you definitely aren’t prepared for this.
***NOTES SO YOU DON'T FREAK OUT***
1. While it hasn’t happened to me, there is the possibility that you can brick your phone doing this. As such, make sure you have your firmware already downloaded and available to flash should something go wrong. This is just a precaution, a break glass in case of emergency situation. It’s better to have the files ready to go with the flashfile commands converted and not need them than to need them and be frustrated because you didn’t prepare.
2. There is no custom recovery/TWRP for this variant yet (and trust me I’m trying very hard to work on that), so you will have to use ADB Shell to run the commands we need for this exercise. If you are not familiar with that, please do some research on ADB Shell so you’re comfortable and familiar. Google for once is a friend for that!
Files
Here is a list of things you will need going into it.
1. Windows 7. I did it in Windows 7 and Kali Linux so I can’t speak on whether or not this will work smoothly in other versions. This method is exclusively for Windows 7. Go to the original thread on info on how to use it on other platforms.
2. Get Tiny ADB and Fastboot (it's easier to use than Android SDK and smaller) or whatever fastboot you’re comfortable with.
3. Make sure the drivers for your Moto One 5G Ace are already downloaded and installed on your computer.
4. @munjeni’s Super Unpack Repack Tool. Can’t get anywhere with the method without it. You can download it here from the first post: https://forum.xda-developers.com/t/tool-win-lin-and-darw-super-image-unpack-repack-tools.4120963/
5. Root Explorer (or whatever your favorite type of system explorer is). There’s no getting into the system files without it.
6. Busybox. I used Busybox Pro 70 that I had from my MotoG7Power and that worked flawlessly. A newer version of Busybox did not install on my device because I didn’t have Write access going into it but that version I can attest works.
7. Stock Firmware (Just in case, remember?) I used XT2113_KIEV_RETUS_10_QZK30.Q4-40-55_subsidy-DEFAULT_regulatory-DEFAULT_CFC_R1_CFC.xml which is the US Retail software and the XT2113-3_KIEV_RETEU_10_QZKS30.Q4-40-62-2_subsidy-DEFAULT_regulatory-XT2113-3-EU-SAR_CFC.xml instead of MetroPCS's firmware because I hate any branded US carrier bloatware and such and like that factory unlocked from the manufacturer feel. Both of my phones flashed fine with it and you can find it here: Moto One 5G Ace ALL Firmwares. It doesn't matter what your carrier is, they have them all there.
8. The stock charging cable that comes with your phone.
The Process
1. Make sure the phone is at least halfway charged. Last thing you want is the phone to die in the middle of any of this and cause a system error that you might not be able to get out of.
2. Make sure you have installed your Root Explorer and Busybox beforehand.
3. Extract @munjeni’s Super Unpack Repack Tool. Copy the file “superrepack.arm64_pie” to your phone.
4. Rename “superrepack.arm64_pie” on your phone to “superrepack” (obviously without quotations).
5. Move the “superrepack” file on your phone to the /data/local/tmp folder. If you have root and are using a root explorer you can’t miss it.
6. Connect your phone to your PC via the charging cable.
7. Open TinyADB and Fastboot. Do not open it as an administrator or it will not function correctly getting root access on your device.
8. Type: “adb shell” and press enter. This will change C:/TheNameOfYourDirectory to kiev:/ $
9. Type: “su” and press enter. This will change the dollar sign “$” to a sharp symbol “#” and will look like kiev:/ # Make sure you allow permissions if Magisk asks for it or it will give you a permission denied message.
10. Type: “ls -Alg /dev/block/by-name | grep "super"” and press enter since you need to know where your block device is. It should return a result that looks like “lrwxrwxrwx 1 root 16 1970-01-01 08:07 super -> /dev/block/NameOfYourBlock” (obviously without quotations except the quotations in "super" - keep those)
11. Copy and paste somewhere “/dev/block/NameOfYourBlock” (obviously without quotations). You’re going to need that later.
12. Close TinyADB and Fastboot. Now open a fresh instance of it in a new window.
13. Type: “adb shell” (obviously without quotations) and press enter. This will change C:/TheNameOfYourDirectory to kiev:/ $
14. Type: “su” (obviously without quotations) and press enter. This will change the dollar sign “$” to a sharp symbol “#” and will look like kiev:/ #
15. Type: “chmod 755 /data/local/tmp/superrepack” (obviously without quotations) and press enter as the chmod command will give us root permissions to run the script. This is VERY IMPORTANT. Don’t worry if it goes to a blank next line that’s normal.
16. Type: “setenforce 0” (obviously without quotations) and press enter as we need to disable selinux. Again, don’t worry if it goes to a blank next line as that’s normal.
17. Type: “/data/local/tmp/superrepack /dev/block/NameOfYourBlock” (obviously without quotations) and press enter. Let the script run to the end.
18. Reboot your phone. Close Tiny ADB and Fastboot.
19. When your phone is rebooted go to Root Explorer (or your explorer).
20. Mount the system in your file explorer! You should have R/W Access in ALL of your partitions.
If Something Goes Wrong And You Have To Reflash Your Phone…
Please refer to the guides in the forum on how to get your phone back to stock. There’s one for flashing, one for root, and a subsequent one for debloat.
If you come up with an error, please go to the original thread https://forum.xda-developers.com/t/tool-win-lin-and-darw-super-image-unpack-repack-tools.4120963/ and let @munjeni know what the issue is so he can help.
Hope this brings some love to the Moto One 5G Ace users. We definitely need a boost to lift development spirits.
I will try and answer questions if I can or point you in the right direction.
Wow this was the easiest guide to get r/w access. Thanks to everyone involved in this milestone.
I can mount r/w on stock android 10....
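The tutorial quoted above pins the problem on the system image being formatted with EXT4_FEATURE_RO_COMPAT_SHARED_BLOCKS. Here is an added example, not part of the tutorial or of munjeni's or lebigmac's tools, that confirms this on a dumped image before you try to repack anything: it reads the ext4 superblock at byte 1024 and decodes s_feature_ro_compat, using the flag values from e2fsprogs' ext2_fs.h (shared_blocks is 0x4000; the read-only flag Android also sets is 0x1000). The ext4 driver refuses a read-write mount of any filesystem carrying a ro_compat bit it does not implement, which is why "mount -o remount,rw" fails even with root. The image builder in the block is a constructed test input with only the fields this script reads filled in, not a real filesystem; point the script at a real system.img, or at a system partition you dumped from the device, to check your own firmware.

```python
"""Check whether an ext4 image carries ro_compat features that block rw mounts.

Added example for this thread, not from any of the tools linked above.  The
quoted tutorial says Android 10 system images are formatted with
EXT4_FEATURE_RO_COMPAT_SHARED_BLOCKS, which is why `mount -o remount,rw`
fails even with root.  This reads the superblock (byte 1024 of the image)
and decodes s_feature_ro_compat so you can confirm that on a dumped image.
"""
import struct

SUPERBLOCK_OFFSET = 1024
EXT4_MAGIC = 0xEF53
# Bits of s_feature_ro_compat (e2fsprogs ext2_fs.h); only the ones that
# matter for "can I ever mount this rw" are named here.
RO_COMPAT_FLAGS = {
    0x0400: "metadata_csum",
    0x1000: "read-only",
    0x4000: "shared_blocks",
    0x8000: "verity",
}
# The kernel rejects an rw mount for any ro_compat bit it does not implement;
# these two are the ones Android's build sets on system images.
RW_BLOCKING_BITS = 0x1000 | 0x4000


def read_superblock_fields(data):
    """Return the superblock fields we need; raises if this is not ext2/3/4."""
    sb = data[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too small to hold an ext4 superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)   # s_magic
    if magic != EXT4_MAGIC:
        raise ValueError(f"not an ext filesystem (magic 0x{magic:04x})")
    # s_inodes_count, s_blocks_count_lo, s_r_blocks_count_lo, s_free_blocks_count_lo,
    # s_free_inodes_count, s_first_data_block, s_log_block_size
    _, blocks_lo, _, _, _, _, log_block_size = struct.unpack_from("<7I", sb, 0)
    compat, incompat, ro_compat = struct.unpack_from("<3I", sb, 0x5C)
    return {
        "block_size": 1024 << log_block_size,
        "blocks": blocks_lo,
        "feature_compat": compat,
        "feature_incompat": incompat,
        "feature_ro_compat": ro_compat,
    }


def ro_compat_names(ro_compat):
    """Human-readable names for the ro_compat bits we know about, low bit first."""
    return [name for bit, name in sorted(RO_COMPAT_FLAGS.items()) if ro_compat & bit]


def rw_mount_blocked(data):
    """True when the kernel will refuse an rw (re)mount of this image."""
    return bool(read_superblock_fields(data)["feature_ro_compat"] & RW_BLOCKING_BITS)


def build_fake_image(ro_compat, log_block_size=2, blocks=4096):
    """Constructed test input: a zeroed image with only the superblock fields
    this script reads filled in.  It is not a mountable filesystem."""
    img = bytearray(SUPERBLOCK_OFFSET + 1024)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 0x04, blocks)          # s_blocks_count_lo
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 0x18, log_block_size)  # s_log_block_size
    struct.pack_into("<H", img, SUPERBLOCK_OFFSET + 0x38, EXT4_MAGIC)      # s_magic
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 0x64, ro_compat)       # s_feature_ro_compat
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(SUPERBLOCK_OFFSET + 1024)
    else:
        # what an Android 10 system image typically looks like
        blob = build_fake_image(0x1000 | 0x4000)
    fields = read_superblock_fields(blob)
    print("ro_compat bits:", ro_compat_names(fields["feature_ro_compat"]))
    print("rw mount blocked:", rw_mount_blocked(blob))
```

Usage: "python3 ext4_rocompat.py system.img" (the filename is whatever you saved the block as). If the output lists shared_blocks, no amount of remounting will get you r/w; the image has to be rebuilt without that feature, which is what the repack tools in this thread do.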
Articul8Madness said:
Update: I used Version 2 with no problems. According to @munjeni there are BIG DANGEROUS ISSUES with Version and newer. Starting at V7 there are clone issues. I have tried Version 9 and had those issues.
Using the V2 method you will be able to delete and remove files. The ability to resize the partitions has not been achieved, so you will be at the mercy of the space limitations in the partition.
This tutorial is for people like me that after rooting the Moto One 5G Ace XT-2113 (MetroPCS Qualcomm Variant) running on stock Android 10 discovered that their root did not grant them Write Access to system files. Starting with Android 10, a new System As Root protocol prohibits users from access all of their files due to Dynamic Partitions and being formatted to EXT4_FEATURE_RO_COMPAT_SHARED_BLOCKS, effectively making root useless. You can read about that here:
https://twitter.com/i/web/status/1170404631865778177
Rest not, a method has been made!
Follow the following at your own risk! I am not responsible for any mishaps with your devices and neither is @munjeni. I also don't know if this will work on other variants, as I only have tried this method on the RETUS and RETEU stock firmware. Also, this will NOT obviously work for Verizon, AT&T, and Cricket phones or other mobile carriers that lock their bootloaders.
I want to thank a couple of people for their big beautiful brains and hard work in figuring this out. First, all the love in the world goes out to @lebigmac. This beautiful soul and I have been back and forth a week trying to get something going on the Moto. I thank him for his patience, his genius, and his tenacity to hang in there with my device even after I threatened a bunch of times to go to Apple and be done with this new cumbersome lockdown AndroidOS. He gave the hope as his method has worked on Asus and Xiaomi variants. It has been an honor to be on his beta test team.
Last, but not least, I want to thank @munjeni whose method finally broke on through to the other side. If it were not for his big beautiful brain I’d be ordering me an iPhone and calling it quits. It is due to his and @lebigmac’s hard work researching and testing that gives us the ability to finally have full root access. Thank you guys. I love you both!
And please visit both of their threads and help them continue support and development on this project for ALL of your Android 10 phones (especially this one).
@lebigmac Method: [SCRIPT][Android 10+] Universal Mount System read write R/W
@munjeni Method: [TOOL][WIN,LIN,AND,DARW] Super image unpack-repack tools
Introduction/Preparation
First, go and prepare by READING EVERYTHING I’M WRITING IN THIS POST BEFORE YOU START. Very important. Don't even jump into this without reading this thread here all the way to the end. This isn’t exactly child’s play if you are not comfortable with the ADB Shell or Linux, and if you type the wrong commands you could do serious, irreparable damage to your device. It also doesn’t hurt to read the original thread for this all the way through, and you can find that here: Munjeni's Superpack Repack Tool
Second, make sure your bootloader is unlocked and you have Magisk root on your device. You can check the forum for tutorials on how to do that. This method will ABSOLUTELY NOT WORK if you are not bootloader unlocked, and rooted with your boot.img patched by Magisk. If you can’t figure out that part of it then you definitely aren’t prepared for this.
***NOTES SO YOU DON'T FREAK OUT***
1. While it hasn’t happened to me, there is the possibility that you can brick your phone doing this. As such, make sure you have your firmware already downloaded and available to flash should something go wrong. This is just a precaution, a break glass in case of emergency situation. It’s better to have the files already ready to go with the flashfile commands converted and not need it than need it and frustrated because you didn’t prepare.
2. There is no custom recovery/TWRP for this variant yet (and trust me I’m trying very hard to work on that), so you will have to use ADB Shell to run the commands we need for this exercise. If you are not familiar with that, please do some research on ADB Shell so you’re comfortable and familiar. Google for once is a friend for that!
Files
Here is a list of things you will need going into it.
1. Windows 7. I did it in Windows 7 and Kali Linux so I can’t speak on whether or not this will work smoothly in other versions. This method is exclusively for Windows 7. Go to the original thread on info on how to use it on other platforms.
2. Get Tiny ADB and Fastboot (it's easier to use than Android SDK and smaller) or whatever fastboot you’re comfortable with.
3. Make sure the drivers for your Moto One 5G Ace are already downloaded and installed on your computer.
4. @munjeni’s Super Unpack Repack Tool. Can’t get anywhere with the method without it. You can download it here from the first post: https://forum.xda-developers.com/t/tool-win-lin-and-darw-super-image-unpack-repack-tools.4120963/
5. Root Explorer (or whatever your favorite type of system explorer is). There’s no getting into the system files without it.
6. Busybox. I used Busybox Pro 70 that I had from my MotoG7Power and that worked flawlessly. A newer version of Busybox did not install on my device because I didn’t have Write access going into it but that version I can attest works.
7. Stock Firmware (Just in case, remember?) I used XT2113_KIEV_RETUS_10_QZK30.Q4-40-55_subsidy-DEFAULT_regulatory-DEFAULT_CFC_R1_CFC.xml which is the US Retail software and the XT2113-3_KIEV_RETEU_10_QZKS30.Q4-40-62-2_subsidy-DEFAULT_regulatory-XT2113-3-EU-SAR_CFC.xml instead of MetroPCS's firmware because I hate any branded US carrier bloatware and such and like that factory unlocked from the manufacturer feel. Both of my phones flashed fine with it and you can find it here: Moto One 5G Ace ALL Firmwares. It doesn't matter what your carrier is, they have them all there.
8. The stock charging cable that comes with your phone.
The Process
1. Make sure the phone is at least halfway charged. Last thing you want is the phone to die in the middle of any of this and cause a system error that you might can’t get out of.
2. Make sure your have installed your Root Explorer and Busybox beforehand.
3. Extract @munjeni’s Super Unpack Repack Tool. Copy the file “superrepack.arm64_pie” to your phone.
4. Rename “superrepack.arm64_pie” on your phone to “superrepack” (obviously without quotations).
5. Move “superrepack” file on your phone to /data/local/tmp folder. If you have root and using a root explorer you can’t miss it (obviously without quotations).
6. Connect your phone to your PC via the charging cable.
7. Open TinyADB and Fastboot. Do not open it as an administrator or it will not function correctly getting root access on your device.
8. Type: “adb shell” and press enter. This will change C:/TheNameOfYourDirectory to kiev:/ $
9. Type: “su” and press enter. This will change the dollar sign “$” to a sharp symbol “#” and will look like kiev:/ # Make sure you allow permissions if Magisk asks for it or it will give you a permission denied message.
10. Type: “ls -Alg /dev/block/by-name | grep "super"” and press enter since you need to know where your block device is. It should return a result that looks like “lrwxrwxrwx 1 root 16 1970-01-01 08:07 super -> /dev/block/NameOfYourBlock” (obviously without quotations except the quotations in "super" - keep those)
11. Copy and paste somewhere “/dev/block/NameOfYourBlock” (obviously without quotations). You’re going to need that later.
12. Close TinyADB and Fastboot. Now open a fresh instance of it in a new window.
13. Type: “adb shell” (obviously without quotations) and press enter. This will change C:/TheNameOfYourDirectory to kiev:/ $
14. Type: “su” (obviously without quotations) and press enter. This will change the dollar sign “$” to a sharp symbol “#” and will look like kiev:/ #
15. Type: “chmod 755 /data/local/tmp/superrepack” (obviously without quotations) and press enter as the chmod command will give us root permissions to run the script. This is VERY IMPORTANT. Don’t worry if it goes to a blank next line that’s normal.
16. Type: “setenforce 0” (obviously without quotations) and press enter as we need to disable selinux. Again, don’t worry if it goes to a blank next line as that’s normal.
17. Type: “/data/local/tmp/superrepack /dev/block/NameOfYourBlock” (obviously without quotations) and press enter. Let the script run to the end.
18. Reboot your phone. Close Tiny ADB and Fastboot.
19. When your phone is rebooted go to Root Explorer (or your explorer).
20. Mount the system in your file explorer! You should have R/W Access in ALL of your partitions.
If Something Goes Wrong And You Have To Reflash Your Phone…
Please refer to the guides in the forum on how to get your phone back to stock. There’s one for flashing, one for root, and a subsequent one for debloat.
If you come up with an error, please go to the original thread https://forum.xda-developers.com/t/tool-win-lin-and-darw-super-image-unpack-repack-tools.4120963/ and let @munjeni know what the issue is so he can help.
Hope this brings some love to the Moto One 5G Ace users. We definitely need a boost to lift development spirits.
I will try and answer questions if I can or point you in the right direction.
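An added wrapper, not part of the quoted post or of @munjeni's superrepack tool, that automates steps 10 through 17 above with a few preflight checks: it resolves the "super" by-name link, refuses to run without root, an executable script or a real block device, and puts SELinux back in its previous mode afterwards. The SUPERREPACK and DRY_RUN variables and the `run` argument are this example's own assumptions.

```shell
#!/system/bin/sh
# Added example (not from the original post): wrapper around steps 10-17.
# Assumptions: superrepack lives at /data/local/tmp/superrepack unless
# SUPERREPACK is set; DRY_RUN=1 prints the command instead of running it.

# Resolve a by-name entry (e.g. "super") to its real block device path.
# Arg 1: by-name directory, arg 2: partition name. Prints the resolved path.
resolve_block_dev() {
    bydir=$1
    name=$2
    link="$bydir/$name"
    [ -L "$link" ] || [ -e "$link" ] || return 1
    readlink -f "$link"
}

# Check everything the guide relies on before touching the partition.
# Returns 0 only when it is safe to proceed; prints the reason otherwise.
preflight() {
    tool=$1
    dev=$2
    [ "$(id -u)" = "0" ] || { echo "need root (run su first)"; return 1; }
    [ -x "$tool" ] || { echo "$tool is not executable; chmod 755 it"; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device"; return 1; }
    return 0
}

main() {
    tool=${SUPERREPACK:-/data/local/tmp/superrepack}
    dev=$(resolve_block_dev /dev/block/by-name super) || {
        echo "no 'super' entry under /dev/block/by-name"; return 1; }
    echo "super -> $dev"
    preflight "$tool" "$dev" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "dry run: would run: $tool $dev"; return 0
    fi
    old_enforce=$(getenforce)
    setenforce 0                      # step 16 of the guide
    "$tool" "$dev"; rc=$?             # step 17 of the guide
    # Restore the previous SELinux mode (a reboot would do this anyway).
    [ "$old_enforce" = "Enforcing" ] && setenforce 1
    return $rc
}

# Only run when invoked as "sh wrapper.sh run" so the functions can be sourced.
case "${1:-}" in run) main ;; esac
```

Run it from an adb shell after `su` as `sh /data/local/tmp/wrapper.sh run`; set `DRY_RUN=1` first to see the resolved device without repacking anything.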
This didn't work for me. My access is no different than when I started. The script showed the third partition was a different type.
Okay I want to give the benefit of doubt here so; what do you mean by V7 having clone issues? I'd say I had clone issues after following this tutorial but a more accurate description would be "hacked". So I'm just a little confused; could you elaborate a little on the "cloning issue" and differences between V2, 7 and 9? Thank you.
Wish we had a working TWRP FOR THE MOTO ACE.. Would open so many doors for this phone...
skinlab said:
Wish we had a working TWRP FOR THE MOTO ACE.. Would open so many doors for this phone...
I think it has not been released because it has problems with touch screen operation.
And in the case of motorola, you can't run these tools on twrp.
There is a high possibility that the protection function of the device will kick in and cause an error.
Ok. I got it to work after I reflashed the original ROM. Thanks for your help. I used 3 of your guides to get success! You are to be commended.
clintongsan said:
Okay I want to give the benefit of doubt here so; what do you mean by V7 having clone issues? I'd say I had clone issues after following this tutorial but a more accurate description would be "hacked". So I'm just a little confused; could you elaborate a little on the "cloning issue" and differences between V2, 7 and 9? Thank you.
You will have to ask munjeni. I just reposted what he sent me. But it's not a hack issue, the super partitions have a bad habit of reproducing themselves once you mod anything.
PEACH-PIT said:
I think it has not been released because it has problems with touch screen operation.
And in the case of motorola, you can't run these tools on twrp.
There is a high possibility that the protection function of the device will kick in and cause an error.
Not true. The Nairo variant of the Moto One 5G has TWRP. The mods over there had to make their own modules. I don't know how to do that, so all I have is an experimental working build with no touchscreen access.
PEACH-PIT said:
https://forum.xda-developers.com/t/script-android-10-universal-mount-system-read-write-r-w.4247311/
"moto g 5g" can use makeSystemRW v1.31.
It must be used in conjunction with makesysrw_repair.
makesysrw_repair requires linux.
The size option will not work if it is too large or too small.
You need to specify an appropriate size.
Please adjust it by yourself.
I got the right result with 20mb.
adb shell
su
chmod +x /data/local/tmp/makesysrw_1.31/makesysrw.sh
setenforce 0
./data/local/tmp/makesysrw_1.31/makesysrw.sh size=20
Tried using it in TWRP and it didn't work. Error 73.
Articul8Madness said:
Tried using it in TWRP and it didn't work. Error 73.
Why are you using TWRP to run that script?
If you run those scripts in linux, they will work fine.
I'm using BBQlinux.
Unfortunately you can't get r/w unless you use sysrw_repair.
PEACH-PIT said:
Why are you using TWRP to run that script?
If you run those scripts in linux, they will work fine.
I'm using BBQlinux.
Unfortunately you can't get r/w unless you use sysrw_repair.
@lebigmac said we could run the script from TWRP. That is how he initially designed it so I gave it a shot.
So, I am brand new here. Just signed up after reading straight for 6.5 hours (give or take). I have also been doing as much research as possible as I want to root my Moto One 5G Ace and it seemed like this forum is the best as far as knowledge and clarity. But it seems that with the multiple guides on here for this same device I am not sure exactly which to follow and where... as well as a few other concerns. But firstly, as I am reading about the R/O aspect, what exactly are the big benefits of going through this process? To my knowledge R/W is one of the biggest benefits to rooting a phone. Not the only one of course but a big one nonetheless. I will hold off on doing anything until I get some opinions on it as well as a definitive answer as to what guide I should be following. Many thanks fellow tinkerers!
Paul_Neocube said:
So, I am brand new here. Just signed up after reading straight for 6.5 hours (give or take). I have also been doing as much research as possible as I want to root my Moto One 5G Ace and it seemed like this forum is the best as far as knowledge and clarity. But it seems that with the multiple guides on here for this same device I am not sure exactly which to follow and where... as well as a few other concerns. But firstly, as I am reading about the R/O aspect, what exactly are the big benefits of going through this process? To my knowledge R/W is one of the biggest benefits to rooting a phone. Not the only one of course but a big one nonetheless. I will hold off on doing anything until I get some opinions on it as well as a definitive answer as to what guide I should be following. Many thanks fellow tinkerers!
This phone is great once you have done all the steps. It took me a while to get it all done correctly.
You need to follow the steps in the complete noob guide to rooting. I tried shortcuts that ultimately did not work. Then follow the guide to get read/write access. If you want to debloat, use the guide on using the package manager.
You can also add TWRP recovery. I forgot which guide I chose. I continue to find new dialer, contacts, etc. and remove stock programs. So have fun.