Update: While this still works, there's an easier method here. Please try that first.
Disclaimer #1: KingoRoot, dr.fone, and most other one-click rooting tools are characterized as malware. Should you use these tools? That decision is yours and yours alone. I do not own any of the tools that follow. All the links are to files that are publicly available.
Disclaimer #2: This is a risky undertaking. If you encounter issues or, worse, end up with a brick, I (or the others here) will try to help you, but the risk is all yours.
Disclaimer #3: This approach is not for everyone. If you lack a half-decent linear combination of (1) troubleshooting skills, (2) patience, (3) reading-comprehension skills, and (4) some love of risk, please stop here.
Disclaimer #4: I have only tried this on the 2017 HD 10. If you try this on another device type and it works, please post in the appropriate forum. If you try this on another device type and it does not work, don't be shocked.
NAQ (Never-Asked Questions):
a. What is "offline" rooting?
-- Rooting your device without needing access to the Internet (i.e., the rooting process requires no Internet connection; not on the phone/tablet, not on the computer).
b . Aren't there a gazillion rooting threads for the 2017 HD 10, each claiming to be easier than its predecessors? Why even bother with this fancy "offline" stuff?
-- All of those rooting threads use tools that require Internet access on the PC. What if those tools stop working because of server issues on their end?
-- More importantly, it's well known that these one-click rooting tools extract and transmit a ton of device-identifying information (e.g., IMEI, Serial Number, ...) that is not central to the rooting process. Why give that up?
For a few weeks now, I have been trying to come up with a rooting process that does not require any Internet access on the computer (we know KingoRoot and dr.fone need Internet access on the computer). I have finally figured out how. As a result, we should be able to root the 2017 HD 10 even if these rooting options cease to exist (assuming Amz updates are blocked at 5.6.0.1).
While Kingo does a good job of hiding its root exploits (i.e., the scripts it fetches from the cloud), the good doctor is a bit more generous (its files are downloaded onto a folder on the disk). I copied everything from that folder after a successful root attempt on my test tablet and examined each file. I was able to tinker with the scripts and binaries after moving them to /data/local/tmp on my tablet, but wasn't able to achieve anything meaningful ... until tonight. Noting the presence of some weirdly-named files in that folder, I did a simple Google search and came up with this hit. Of particular interest is method 2 (ELF). Based on that reading and armed with the files from the folder on the disk, I was able to achieve root without Internet access on my computer. I have done so multiple times, w/ and w/o a fresh sideload of the 5.6.0.0 update .bin. The process succeeds more often than it fails (when it does fail, a reboot and retry usually works), not unlike failures with Kingo or the doctor. It's the same exploit after all.
I am guessing Kingo uses a similar process, but does enough to make its scripts difficult to obtain offline. Access to the doctor's scripts and some clarity on the rooting procedure should help others on this forum make even greater progress.
Update: See my post #10 in this thread for Kingo-related instructions. To do this with Kingo, you would complete steps 4 and 5 in this OP and then move to the steps in post #10.
You will need to download a few files (for which you will, of course, need Internet on your computer):
1. Download the exploits here (it's clear that the exploit that's working for the 2017 HD 10 is Dirty COW: CVE-2016-5195): 20165195.zip and SuperSU_18+.zip and extract to their respective folders.
2. Copy all the files from the SuperSU_18+ folder into the 20165195 folder (overwriting wsroot.sh). Rename 20165195 to something simpler, say c. Inside the c folder, you should have the following binaries and scripts: ddexe, debuggerd, fileWork, install-recovery.sh, Matrix, pidof, start_wssud.sh, su, su_arm64, Superuser.apk, supolicy, toolbox, and wsroot.sh. You can delete Superuser.apk (we will be downloading SuperSU next).
3. Download the SuperSU 2.82 SR5 apk from here (or search for another source). Move it to the c folder.
4. Install the Fire's drivers and ADB+fastboot from here (if you haven't already done so).
You will not need Internet access from this point forward.
You should now have the c folder with 12 files and the SuperSU apk handy. If you lose root for whatever reason (or if you just want to test this out), you do not need KingoRoot or dr.fone. Follow these steps:
5. Do the basics:
-- Fire up your Fire.
-- On your first boot, start the process by clicking on Continue, then click on any of the WiFi choices, click Cancel, choose Not Now, and then Skip. Once the Fire gets to the home screen, pull down the notification bar and enable airplane mode.
-- Become a developer by tapping Serial Number (in Device Options) 7 times, go to Developer Options, and Enable ADB.
-- Go to Security in Settings and enable Apps from Unknown Sources.
-- Connect your Fire to the computer, Allow USB debugging on the tablet, check the popup box to Always allow from this computer (if this does not happen here, it will when you start adb next).
-- Type adb shell in an administrative command prompt. You should enter the tablet as a user.
6. On your computer, copy all the files from the c folder to the Fire's internal storage (/sdcard). Next, go to the command prompt with adb shell and copy the files to /data/local/tmp:
Code:
cp /sdcard/c/* /data/local/tmp
cd /data/local/tmp
ls -l
7. Change permissions:
Code:
chmod 755 *
8. This is the ballgame: Run:
Code:
./Matrix /data/local/tmp 2
This tells Matrix to look for files in /data/local/tmp, with "2" installing su in /system/xbin ("1" installs su8 in /system/xbin). Wait for the process to complete (it will take a minute or two). If it's successful, you will see something like the following as it completes:
Code:
[*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
If it does not report success as depicted above (note that the memory address exploited might be different, but the end result has to be a "0" and "Done"), delete everything from /data/local/tmp/, (hard) reboot the tablet, and retry (starting from step 5). Failure is likely if an exploit check takes greater than 30 seconds, in which case the device may have to be manually rebooted.
This is a sample of the entire output that should be generated:
Code:
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f8325c008 end:7f8325c2d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 210148 /data/local/tmp/load1
fwrite is count 54204 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 408a0 load1 = 334e4 load2 = d3bc
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:264352
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc
open /proc
PID:208
find logd pid : d0
_inject_start_s:0x7f8325c008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 210148
[*] mmap 0x7f83055000;
[*] exploit (patch)
[*] currently 0x7f83055000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f83055000 210148
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done
[*] exploited 0x7f83055000=f97cff8c
[main]p_vdso_addr:0x7f8325a000 p_vdso_buffer:0x400000
[*]set_ret_jmp
[*]set_ret_jmp 400410
[*]set_ret_jmp 400420
[main] write 1
Parent is over..status == 0
socket: No such file or directory
socket = 7
ret = ffffffff
connect
: No such file or directory
ret = ffffffff
find coe f
[main] write 2
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load2
warning: new file size (54204) and file old size (210148) differ
size: 54204
[*] mmap 0x7f83236000;
[*] exploit (patch)
[*] currently 0x7f83236000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f83236000 54204
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done
[*] exploited 0x7f83236000=8600a5
find coe 36
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/cp_sepolicy
size: 210148
[*] mmap 0x7f83021000;
[*] exploit (patch)
[*] currently 0x7f83021000=10007008600a5
checking the patch ... exploit
sleep 1s
sched_setaffinity: Function not implementedsched_setaffinity: Function not implemented[*] madvise = 0x7f83021000 210148
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
check done
madviseThread() done
procselfmemThread() done
[*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
9. Confirm by getting to a root shell:
Code:
su
10. Install SuperSU from /sdcard/c/ (you can just click on Docs on your home screen, go to local storage, then the c directory, and install the apk).
11. Open SuperSU and update binary as Normal (should be successful).
12. Click to reboot.
13. Set SuperSU to Grant as default access.
14. Delete the two wondershare directories in /data/data-lib/:
Code:
cd /data/data-lib
rm -r com.wondershare.DashRoot
rm -r wondershare
15. Not required: Perform other cleanup as needed (look for files in /system/xbin, /system/bin, /data, ... based on install date/time, etc.). Mount /system writable if you're going to be cleaning up items in /system:
Code:
su
mount -w -o remount /system
This is great. A nice framework to add new exploits and fuzz existing ones for previously non rootable devices.
Now we just need meltdown code..
Sent from my iPhone using Tapatalk
@retyre - Great effort!
I am eagerly awaiting the report of your findings!
I am surprised that Amazon has not started pushing out a new OTA, it's been 4 weeks now since the first rooting report. Xmas must have gotten in the way, or the guy who knew how to patch holes quit
Btw, there is the oldie but goodie - an effort to capture Kingoroot actions, you may try to follow it, if you have a bit of time:
https://forum.xda-developers.com/general/general/kingo-root-steals-imei-t3268525
bibikalka said:
[MENTION=3497316]... I am eagerly awaiting the report of your findings! ...
Click to expand...
Click to collapse
As I wrote in the OP, this is confirmed working. That's not what I am worried about here. It's this:
-- Given the widespread characterization of one-click rooting tools (like KingoRoot, dr.fone, etc.) as malware, I am worried it's "bad form" for me to be posting such binaries and scripts on this forum.
-- As shady as KingoRoot and dr.fone are, do they have IP rights (esp. the latter in this case) that I would be violating by posting these files here?
Check your PM.
retyre said:
As I wrote in the OP, this is confirmed working. That's not what I am worried about here. It's this:
-- Given the widespread characterization of one-click rooting tools (like KingoRoot, dr.fone, etc.) as malware, I am worried it's "bad form" for me to be posting such binaries and scripts on this forum.
-- As shady as KingoRoot and dr.fone are, do they have IP rights (esp. the latter in this case) that I would be violating by posting these files here?
Check your PM.
Click to expand...
Click to collapse
OK, thanks!
My bigger worry is that Amazon will grab these, and plug the holes faster
Btw, if the files have IP issues (or other ones ...), the most that'd happen is that the moderators here would just take it down.
The OP has been updated with all the steps and links to the required files. Please read the disclaimers before you begin.
retyre said:
The OP has been updated with all the steps and links to the required files. Please read the disclaimers before you begin.
Click to expand...
Click to collapse
Wow, you actually got direct links to dr.fone exploits, straight on their web site!!!
I am amazed that it's DirtyCow, it's been ages, I thought it got patched on Fires way back, in 2016.
Update:
Here is the most "official" link to SuperSu 2.82-SR5 :
https://download.chainfire.eu/1220/SuperSU/SR5-SuperSU-v2.82-SR5-20171001224502.zip
Any reason to use this SuperSu version vs the prior options?
bibikalka said:
Wow, you actually got direct links to dr.fone exploits, straight on their web site!!!
I am amazed that it's DirtyCow, it's been ages, I thought it got patched on Fires way back, in 2016.
Update:
Here is the most "official" link to SuperSu 2.82-SR5 :
https://download.chainfire.eu/1220/SuperSU/SR5-SuperSU-v2.82-SR5-20171001224502.zip
Any reason to use this SuperSu version vs the prior options?
Click to expand...
Click to collapse
Yes. URL snooping is part art, part science.
That's the flashable zip, not the apk. Do you have an official link to the apk? I searched, but couldn't locate one.
I thought we were using 2.79 because of the difficulty in replacing Kingo? That's not an issue here, and it updates successfully (does not report installation failed).
retyre said:
Yes. URL snooping is part art, part science.
That's the flashable zip, not the apk. Do you have an official link to the apk? I searched, but couldn't locate one.
I thought we were using 2.79 because of the difficulty in replacing Kingo? That's not an issue here, and it updates successfully (does not report installation failed).
Click to expand...
Click to collapse
Yes, correct, 2.79 did not complain about Kingo's su when replacing it. Btw, I was flashing 2.82 via FF, after patching it a bit. To get SuperSu.apk, you just need to unpack zip, and it'll be sitting there, in E:\tmp\SR5-SuperSU-v2.82-SR5-20171001224502\common (or whatever).
Btw, I've edited build.prop a bit, first to remove arm64 in abilong (this would enable the stock SuperSu to work in FF, without patching), and then to disable OTAs via the version number:
http://www.aftvnews.com/how-to-bloc...k-by-setting-a-custom-fire-os-version-number/
Once I enabled OTA (renaming apk_ back to apk), it promptly downloaded 17 or 18 apks, and updated the Amazon apps. Now, I am on FireOS 5.5., and it did not download 5.6, meaning the version number trick works fine. So it'll freeze the ROM, but will continue updating apps.
"Offline" rooting with Kingo
This method is not as offline as the method in the OP, but here's how you can perform a variant of "offline" rooting with Kingo. I will begin by mentioning that Kingo's files are not easily accessible to the user, so you will have to have these files handy before you begin. Sadly, these files can only be obtained while Kingo is doing online rooting. Most (but not all, from what I have seen thus far) of these files are in your AppData\Local\Kingosoft\Kingo Root\files folder, but with different names.
I figured out the actual file names by matching the file sizes in the \files folder on my PC with the files created by Kingo in /data/local/tmp on the tablet while the online Kingo rooting process is _ongoing_ (ls -al). As I mentioned earlier, not every file in /data/local/tmp is in \files, though (could be in other folders on the PC; I haven't looked yet). Following this post, I also did a hex dump of the traffic over USB, but nearly all of it was Kingo transferring its files to /data/local/tmp..
Why does this have to be done while the rooting is in progress? Because Kingo cleans up the /data/local/tmp directory after the rooting is complete. In other words, you will have to copy the files from /data/local/tmp to /sdcard before the rooting completes. If you can do that, these are the files you will obtain: KingoUser.apk, busybox, ddexe, debuggerd, kingo, kingo_1b90d7d01 (likely a copy of KingoUser.apk), kingorootname, mkdevsh, su, suarm64, supolicy, suv7, install-recovery.sh, and libsupol.so (emphasis added to denote the required files). Some information is here as well.
So, what's the best way to obtain these files at this point? Sadly, by rooting (again) with Kingo. (Since these files are not publicly available, I do not think it's right for me to upload them somewhere.) If you can get a hold of these files and save them off the tablet, your future Kingo rooting can be completely offline ... and _mucho_ simpler than the procedure currently in the OP.
Here's what you would do with the aforementioned files:
-- Do steps 4 and 5 in the OP.
-- Download the SuperSU 2.79 apk from here and copy it to /sdcard.
-- Copy all the files Kingo files to a folder on /sdcard (say, k).
-- Copy everything from /sdcard/k to /data/local/tmp:
Code:
cp /sdcard/k/* /data/local/tmp/
cd /data/local/tmp
ls -l
-- Change permissions to execute:
Code:
chmod 755 *
-- This is the actual rooting command:
Code:
./kingo
This should be done in less than a minute, after which you will be back at the shell prompt.
-- Test root:
Code:
su
-- Mount /system writable to check:
Code:
mount -w -o remount /system
-- Install SuperSU 2.79 to get around the "su binary occupied" issue with later SuperSU versions. You should see installation failed (as usual), but things should be fine after the reboot.
-- Set default access to Grant in SuperSU's settings.
I have tested this multiple times. Works every time. Like I said, much easier than the method currently in the OP, but with the added challenge of obtaining non-public rooting files.
How does Kingo root, you ask? The mkdevsh file in /data/local/tmp (it's not on the computer as far as I can tell) is the only script I could find. At this time, I do not know the exploit being used here; it appears to be significantly more efficient than the doctor's remedy, that's for sure. Anyone interested in reversing the "kingo" binary?
retyre said:
Why does this have to be done while the rooting is in progress? Because Kingo cleans up the /data/local/tmp directory after the rooting is complete. In other words, you will have to copy the files from /data/local/tmp to /sdcard before the rooting completes. If you can do that, these are the files you will obtain: KingoUser.apk, busybox, ddexe, debuggerd, kingo, kingo_1b90d7d01 (likely a copy of KingoUser.apk), kingorootname, mkdevsh, su, suarm64, supolicy, suv7, install-recovery.sh, libsupol.so. (The apk is not needed.) Some information is here as well.
...
-- This is the actual rooting command (I got this from here):
Code:
./kingo kingo
...
Click to expand...
Click to collapse
Do you think the 'su' above will end up in /system/xbin/su ? Or are those packed inside kingo executable?
Btw, I've studied dr.fone's exploit, and it's using 'su' by Chainfire, there is a text like this inside it.
I suspect these tools are recycling quite a bit of borrowed code, that's why they carefully clean up after they are done.
bibikalka said:
Do you think the 'su' above will end up in /system/xbin/su ? Or are those packed inside kingo executable?
Click to expand...
Click to collapse
IIRC, Kingo puts its su somewhere else (not in /system/xbin), hence the commands that follow. If I do this again (I guess I will; my test tablet doesn't know about Amendment VIII), I will look to see which su binary it's using.
retyre said:
IIRC, Kingo puts its su somewhere else (not in /system/xbin), hence the commands that follow. If I do this again (I guess I will; my test tablet doesn't know about Amendment VIII), I will look to see which su binary it's using.
Click to expand...
Click to collapse
OK, but would not SuperSu find whatever 'su' there is (left by Kingoroot), and update it? Why do you need to do it manually?
Code:
cp /data/local/tmp/su /system/xbin/
chmod 755 /system/xbin/su
I gotta say, it looks like Kingo is much more professional malware outfit , dr.fone appears very amateurish in that regard. But regardless, given how well the other Fires held up post-DirtyCow, the good exploits are becoming quite scarce.
bibikalka said:
OK, but would not SuperSu find whatever 'su' there is (left by Kingoroot), and update it? Why do you need to do it manually?
Code:
cp /data/local/tmp/su /system/xbin/
chmod 755 /system/xbin/su
I gotta say, it looks like Kingo is much more professional malware outfit , dr.fone appears very amateurish in that regard. But regardless, given how well the other Fires held up post-DirtyCow, the good exploits are becoming quite scarce.
Click to expand...
Click to collapse
Correct, SuperSU will find Kingo's su binary (in /sbin) and update it, so the manual copy is not needed. To answer your earlier question, Kingo uses the su binary from /data/local/tmp (but the "kingo" binary might well contain the same su). It looks like Kingo's su binary is the arm64 version, and the one from SuperSU is arm.
I am thinking the 2017 HD 10 may have multiple exploits. Clearly, dr.fone is using Dirty COW (and this memory exploit fails at times), but given the ease (and 100% success) with which Kingo is rooting, it may have found an easier exploit.
retyre said:
Correct, SuperSU will find Kingo's su binary (in /sbin) and update it, so the manual copy is not needed. To answer your earlier question, Kingo uses the su binary from /data/local/tmp (but the "kingo" binary might well contain the same su). It looks like Kingo's su binary is the arm64 version, and the one from SuperSU is arm.
I am thinking the 2017 HD 10 may have multiple exploits. Clearly, dr.fone is using Dirty COW (and this memory exploit fails at times), but given the ease (and 100% success) with which Kingo is rooting, it may have found an easier exploit.
Click to expand...
Click to collapse
For some reason, SuperSu could not install correctly the arm64 version of 'su'. What's in use after SuperSu is actually 'armv7'. I guess I did not try SR5-2.82 zip yet, perhaps, it'd work.
For the multiple exploits theory, it's interesting that Kingo also cannot root any other Fires right now, just this one (same as dr.fone). So either Fire HD10 2017 is choke full of old holes, or Kingo just has a more efficient DirtyCow implementation and does its thing quicker.
I am sort of hoping that with the upcoming OTA, Amazon would make FireOS a bit more like a proper 64 bit Android thinggy, without this hybrid stuff that's seems to be throwing off a lot of misc apps (such as FlashFire and Xposed).
has anyone tried the offline root on the 8? if not i am going to soon for sureeeee
Ae3NerdGod said:
has anyone tried the offline root on the 8? if not i am going to soon for sureeeee
Click to expand...
Click to collapse
I just tried the OP's offline root instructions 3 times on my Fire HD 8 running 5.6.0.0 and it failed all 3 times. Here's the error code if you are curious:
Code:
[HIDE]---try 1---
C:\android\platform-tools>adb shell
[email protected]:/ $ ls -l /data/local/tmp
-rwxr-xr-x shell shell 1126000 2017-11-13 17:41 busybox
[email protected]:/ $ cp /sdcard/c/* /data/local/tmp
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ ls -l
-rw-rw---- shell shell 109400 2018-01-19 21:15 Matrix
-rw-rw---- shell shell 6488979 2018-01-19 21:15 Superuser.apk
-rwxr-xr-x shell shell 1126000 2017-11-13 17:41 busybox
-rw-rw---- shell shell 67 2018-01-19 21:15 ddexe
-rw-rw---- shell shell 1756 2018-01-19 21:15 debuggerd
-rw-rw---- shell shell 202824 2018-01-19 21:15 fileWork
-rw-rw---- shell shell 629 2018-01-19 21:15 install-recovery.sh
-rw-rw---- shell shell 13592 2018-01-19 21:15 pidof
-rw-rw---- shell shell 1912 2018-01-19 21:15 start_wssud.sh
-rw-rw---- shell shell 75348 2018-01-19 21:15 su
-rw-rw---- shell shell 108480 2018-01-19 21:15 su_arm64
-rw-rw---- shell shell 101852 2018-01-19 21:15 supolicy
-rw-rw---- shell shell 177316 2018-01-19 21:15 toolbox
-rw-rw---- shell shell 38830 2018-01-19 21:15 wsroot.sh
[email protected]:/data/local/tmp $ chmod 755 *
[email protected]:/data/local/tmp $ ls -l
-rwxr-xr-x shell shell 109400 2018-01-19 21:15 Matrix
-rwxr-xr-x shell shell 6488979 2018-01-19 21:15 Superuser.apk
-rwxr-xr-x shell shell 1126000 2017-11-13 17:41 busybox
-rwxr-xr-x shell shell 67 2018-01-19 21:15 ddexe
-rwxr-xr-x shell shell 1756 2018-01-19 21:15 debuggerd
-rwxr-xr-x shell shell 202824 2018-01-19 21:15 fileWork
-rwxr-xr-x shell shell 629 2018-01-19 21:15 install-recovery.sh
-rwxr-xr-x shell shell 13592 2018-01-19 21:15 pidof
-rwxr-xr-x shell shell 1912 2018-01-19 21:15 start_wssud.sh
-rwxr-xr-x shell shell 75348 2018-01-19 21:15 su
-rwxr-xr-x shell shell 108480 2018-01-19 21:15 su_arm64
-rwxr-xr-x shell shell 101852 2018-01-19 21:15 supolicy
-rwxr-xr-x shell shell 177316 2018-01-19 21:15 toolbox
-rwxr-xr-x shell shell 38830 2018-01-19 21:15 wsroot.sh
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f9a42c008 end:7f9a42c2d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 209221 /data/local/tmp/load1
fwrite is count 54048 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 40465 load1 = 33145 load2 = d320
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:263269
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc
open /proc
PID:188
find logd pid : bc
_inject_start_s:0x7f9a42c008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 209221
[*] mmap 0x7f9a225000;
[*] exploit (patch)
[*] currently 0x7f9a225000=8f97cff8c
sched_setaffinity: Invalid argument[*] madvise = 0x7f9a225000 209221
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
exit fork(), loop time more then 30s
<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Invalid argument<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
<WSRoot><Exploit>0x00000881</Exploit></WSRoot>
<WSRoot><Done>0x00000172</Done></WSRoot>
1|[email protected]:/data/local/tmp $ ls
Bridge_wsroot.sh
Matrix
Superuser.apk
busybox
cp_sepolicy
ddexe
debuggerd
fileWork
fileWork.
install-recovery.sh
krdirtyCow32
krdirtyCow64
libsupol.so
load
load1
load2
my.sh
mysupolicy
patch_script.sh
pidof
root3
sepolicy
start_wssud.sh
su
su_arm64
supolicy
toolbox
wsroot.sh
[email protected]:/data/local/tmp $ rm *
[email protected]:/data/local/tmp $ ls
[email protected]:/data/local/tmp $ exit
C:\android\platform-tools>adb reboot
---try 2---
C:\android\platform-tools>adb shell
[email protected]:/ $ cp /sdcard/c/* /data/local/tmp
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ ls -l
-rw-rw---- shell shell 109400 2018-01-19 21:37 Matrix
-rw-rw---- shell shell 6488979 2018-01-19 21:37 Superuser.apk
-rw-rw---- shell shell 67 2018-01-19 21:37 ddexe
-rw-rw---- shell shell 1756 2018-01-19 21:37 debuggerd
-rw-rw---- shell shell 202824 2018-01-19 21:37 fileWork
-rw-rw---- shell shell 629 2018-01-19 21:37 install-recovery.sh
-rw-rw---- shell shell 13592 2018-01-19 21:37 pidof
-rw-rw---- shell shell 1912 2018-01-19 21:37 start_wssud.sh
-rw-rw---- shell shell 75348 2018-01-19 21:37 su
-rw-rw---- shell shell 108480 2018-01-19 21:37 su_arm64
-rw-rw---- shell shell 101852 2018-01-19 21:37 supolicy
-rw-rw---- shell shell 177316 2018-01-19 21:37 toolbox
-rw-rw---- shell shell 38830 2018-01-19 21:37 wsroot.sh
[email protected]:/data/local/tmp $ chmod 755 *
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f7acc6008 end:7f7acc62d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 209221 /data/local/tmp/load1
fwrite is count 54048 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 40465 load1 = 33145 load2 = d320
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:263269
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc
open /proc
PID:188
find logd pid : bc
_inject_start_s:0x7f7acc6008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 209221
[*] mmap 0x7f7aabf000;
[*] exploit (patch)
[*] currently 0x7f7aabf000=8f97cff8c
sched_setaffinity: Invalid argument[*] madvise = 0x7f7aabf000 209221
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
exit fork(), loop time more then 30s
<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Invalid argument<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>
--- try 3 ---
C:\android\platform-tools>adb shell
[email protected]:/ $ cp /sdcard/c/* /data/local/tmp
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 *
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp
[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7fa3584008 end:7fa35842d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2 fwrite is count 209221 /data/local/tmp/load1
fwrite is count 54048 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 40465 load1 = 33145 load2 = d320
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode
loadsize:263269
loadpath:/data/local/tmp/load
shpath:/data/local/tmp/my.sh /data/local/tmp 2
shpath:2bc
open /proc
PID:188
find logd pid : bc
_inject_start_s:0x7fa3584008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 209221
[*] mmap 0x7fa337d000;
[*] exploit (patch)
[*] currently 0x7fa337d000=8f97cff8c
sched_setaffinity: Invalid argument[*] madvise = 0x7fa337d000 209221
checking the patch ... exploit
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
sleep 1s
exit fork(), loop time more then 30s
<WSRoot><Exploit>0x00000332</Exploit></WSRoot>
check done
sched_setaffinity: Invalid argument<WSRoot><Exploit>0x00000382</Exploit></WSRoot>
FAIL : load1 --> /sepolicy
<WSRoot><Exploit>0x00000341</Exploit></WSRoot>[/HIDE]
got the same thing.
i even tried other dirtyc0w versions and compiling my own. do i need to use different files to overwrite on the HD 8?
and btw im running 5.3.3.0 FireOS kernel 3.18, should totally be vulnerable right OP?
any chance of helping us sort this out on the 8?
Ae3NerdGod said:
got the same thing.
i even tried other dirtyc0w versions and compiling my own. do i need to use different files to overwrite on the HD 8?
and btw im running 5.3.3.0 FireOS kernel 3.18, should totally be vulnerable right OP?
any chance of helping us sort this out on the 8?
Click to expand...
Click to collapse
The 2017 HD 10 is the only Fire tablet I have access to. These are the other exploits the doctor downloads (if the one in the OP fails; it usually doesn't fail on the 2017 HD 10, but one can manually delete files in /system to force it to fail): 6301805.zip, 21486085.zip, 1805PXN.zip, 7083636.zip.
Try each .zip, repeating the steps in the OP. See the OP for the output that should be generated when you execute the files in 20165195.zip.
Keep in mind that many of these CVE are years old and have been patched (or so they claim). For some reason, the 2017 HD 10 is still vulnerable.
Thanks for the post. I already rooted using the kingoroot method in the other thread, otherwise I would try this. One question though, after following that other root method I am stuck with having to set the supersu access mode to "Grant" which honestly bugs me. Had I followed your guide would I have been able to set the access mode to "Prompt"?
Oh one more thing, we cannot flash custom recovery on this device right? locked bootloader and all?
Related
I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.
Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!
A summary:
To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.
Some experiments
I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.
I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278 device
OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit
The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit
Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
./adb remount
remount succeeded
./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
[COLOR="Red"]/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0[/COLOR]
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[I][...many lines snipped out...][/I]
# exit
So, /system is now r/w. Let's push "su".
Code:
./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
./adb shell "chown root.shell /system/bin/su"
./adb shell "chmod 06755 /system/bin/su"
./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
./adb shell "ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
[COLOR="Red"]-rw-rw-rw- root root 22228 2011-11-10 12:53 su[/COLOR]
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root shell 22228 2011-11-10 12:53 su
As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
[COLOR="Red"]lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su[/COLOR]
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# exit
There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root root 7221765 2011-08-02 01:08 Settings.apk
[I][...many lines snipped out...][/I]
-rw-r--r-- root root 296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root root 785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root root 551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root root 255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
[COLOR="Red"]-rw-r--r-- root root 785801 2011-11-10 12:54 Superuser.apk
[/COLOR]# exit
So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot
A short while afterwards...
Code:
$ ./adb shell
$ su
[B][COLOR="Red"]su: permission denied[/COLOR][/B]
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".
Doing this with scripts
I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.
The first script, htc1.sh, is:
Code:
#!/bin/sh
./adb shell "rm /data/local/tmp/*"
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
./adb shell "./data/local/tmp/zergRush"
The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is:
Code:
#!/bin/sh
./adb remount
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"
If you run ./htc1.sh and then ./htc2.sh results will be the same; the added commands will be gone, and you won't be able to "su" no more.
The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.
G2 Temp Root
Hi, I got a tmo g2 2.3.4
i used the superhtctoolv2 on win7, and htcdrivers linked in the original thread.
i performed the option 1 and 2, and was able to gain temp root, but just like every1 else it goes away with a reboot, or even after prolong period of inactivity, it works as long as i keep messing with Titanium backup or other root apps.
Any way to combine this temp root with older options to gain a perm root?
Cool man! Thanks!
HTC security measure?
Looking around, I found this page about a security method by HTC... to quote:
The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTCs security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.
Click to expand...
Click to collapse
This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...
Cannot get S-OFF
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
fkereki said:
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
Click to expand...
Click to collapse
well that sucks!
Hi,
I'm having an issue with all terminal emulators (Android Terminal Emulator, ConnectBot, ...) after upgrading my Nexus 10 from Android 4.2.2 to 4.3.
The terminal is not recognizing the actual size of the screen and it is fixed to 80 columns and 20 rows. I can temporarily fix it typing "stty cols 180 rows 35", but those values depend on the screen rotation, font size, etc.
This is really weird, and I wasn't having this issue before the upgrade.
Anyone else has this problem or know how to solve it?
Thanks!
Ok, i've been doing some tests.
It seems to be a 'su' bug, it is not receiving the SIGWINCH signal.
If I type without su:
trap 'echo sigwinch' SIGWINCH
It is executed every time I rotate the tablet or popup the keyboard.
But, under su, the same command is not working.
It may be a permission issue.
Any ideas?
I can confirm having the same issue with my Nexus 10 and android 4.3. As soon as I run su - from the terminal (Android Terminal Emulator) the lines start wrapping at 80 characters.
Hi,
i've been working on this trying to find a solution.
Here is what I saw:
Every time I enter su or enter chroot (i have a chrooted debian), the tty number is changed to another one. That isn't the usual tty behavior!
So, if the normal user is in /dev/pts/0 , root could be in /dev/pts/1 and chroot in /dev/pts/2.
If I rotate the screen /dev/pts/0 cols and rows are changed even if I am as root, I can verify that by typing:
stty -F /dev/pts/0 -a
But, if I am at /dev/pts/1 i'm not receiving that SIGWINCH signal. In common linux distributions, that is not happening as pts number doesn't change.
Here is my (not so perfect) solution for the chrooted debian:
Write a fix_stty.sh script as root:
#!/bin/bash
sttypath=/bin
tty0=$(ls --sort time /dev/pts/ | head -n 1 | awk '{print $1}')
stty0=$($sttypath/stty -F /dev/pts/$tty0 -a | head -n1)
rows=$(echo $stty0 | sed -e 's:.*rows\ \([0-9]\+\).*:\1:g')
cols=$(echo $stty0 | sed -e 's:.*columns\ \([0-9]\+\).*:\1:g')
$sttypath/stty rows $rows cols $cols
Save it in /usr/local/bin
Make it executable:
chmod +rx /usr/local/bin/fix_stty.sh
Add to ~/.bashrc this line:
trap '/usr/local/bin/fix_stty.sh' DEBUG
Or if you use non-root users:
trap 'sudo /usr/local/bin/fix_stty.sh' DEBUG
And add to sudoers file:
%sudo ALL = (ALL) NOPASSWD: /usr/local/bin/fix_stty.sh
Logout and login again, and it will fix the rows and columns before each command.
----
For su, outside the chrooted linux write a script fix_stty.sh:
sttypath=/system/xbin
tty0=$(/system/xbin/busybox ls -t /dev/pts | head -n1)
stty0=$($sttypath/stty -F /dev/pts/$tty0 -a | head -n1)
rows=$(echo $stty0 | sed -e 's:.*rows\ \([0-9]\+\).*:\1:g')
cols=$(echo $stty0 | sed -e 's:.*columns\ \([0-9]\+\).*:\1:g')
$sttypath/stty rows $rows cols $cols
Save it to /system/xbin
(You should remount /system as rw: mount --remount -orw /system)
Then, make it exec:
chmod 755 /system/xbin/fix_stty.sh
And, finally you should type at each su login:
trap '/system/xbin/fin_stty.sh' SIGINT
(i don't know why DEBUG isn't here)
So you have to press Ctrl+C to fix it.
----
Alternatively, you can write an infinite loop or a simple daemon to fix it, but i don't like daemons on my tablet.
If anyone has a better solutions, please post it.
Hi all. I've been mulling over this problem as well. I believe the issue is because in 4.3, SuperSU now uses a "proxy", where commands are sent form the process which called su to daemonsu, which is launched at system startup. Chainfire explains a bit more in his G+ posts the reasons for doing this, but I think the key here is that root processes are now launched on a different tty, because they are launched by a different process (namely, daemonsu). Starting a root shell (whether system shell or ubuntu/debian chroot) now results in the creation of three pts devices, as opposed to the usual one. However, other shells not launched locally are fine. For example, starting the SSH server in my chroot and logging in via SSH is always fine.
I'm still trying to figure out a permanent solution to this problem. I still don't have a full understanding of the problem as I'm still trying to wrap my head around how Linux handles terminals and TTYs. I do have a few ideas floating around my head, though:
Change daemonsu and su to support full termios/line-discipline/whatever-we-need through the "pts bridge" that he is using
Create TTY(pts) pairs on demand, and have a modified Terminal Emulator connect to those directly when we want a shell
Have a background-ed process in the original terminal catch SIGWINCH and pass it to the root terminal
Still quite a bit a figure out though. I may just go through Terminal Emulator's source code to see how it work to get a better picture too. But that's gonna take time. I've also created a little native utility which creates two pts pseudo-TTYs and shuffles data between them. I'm still experimenting. Will post more as I learn more.
Just to let you all know that I've got a system working for myself: http://blog.tan-ce.com/android-root-shell/
The way I'm doing it uses a daemon, much like the su daemons ChainFire and Koush are using. The benefit of doing it this way is that I'm not confined by the application container, which is good for security when used by applications, but is annoying when you are using the terminal itself. I remember having to do hacks with adb servers to get around those.
But if you don't want a daemon, you can still set one up manually, just look at the last section of the README on how to use pts-wrap and pts-exec.
I gave this a try.
First, I've noticed that pts-wrap and pts-exec symbolic links were missing.
And I don't think the line '/system/etc/install-recovery-2.sh' in pts-daemon-start file is needed at all.
I'm using ChainFire SuperSU and pts-shell is not working as expected or catching SIGWINCH signals. I just don't see any difference with the standard shell. Maybe I misunderstood how it works.
alf_tux said:
I gave this a try.
First, I've noticed that pts-wrap and pts-exec symbolic links were missing.
And I don't think the line '/system/etc/install-recovery-2.sh' in pts-daemon-start file is needed at all.
Click to expand...
Click to collapse
My mistake, I forgot to create the symlinks for those two.
install-recovery-2.sh is an idea I took from CharinFire's SuperSU. Basically, it seems as if people are using install-recovery.sh to install startup scripts, and having the script try to call install-recovery-2.sh allows you to chain recovery scripts. For example, if you install this on a system with SuperSU, it will be installed as install-recovery-2.sh. If the system doesn't already have an install-recovery.sh, it'll install itself as install-recovery.sh.
Anyway, I've fixed and uploaded a new zip.
alf_tux said:
I'm using ChainFire SuperSU and pts-shell is not working as expected or catching SIGWINCH signals. I just don't see any difference with the standard shell. Maybe I misunderstood how it works.
Click to expand...
Click to collapse
Are you running pts-shell from a regular (non-root) shell, or from a root shell? It should be run from a non-root shell. (It will give you a root shell once it runs.) Only pts-passwd and pts-daemon is meant to be run as root.
tan-ce said:
Are you running pts-shell from a regular (non-root) shell, or from a root shell? It should be run from a non-root shell. (It will give you a root shell once it runs.) Only pts-passwd and pts-daemon is meant to be run as root.
Click to expand...
Click to collapse
Yes, here is my the terminal output:
[email protected]:/ $ ps | grep pts
root 136 1 760 180 ffffffff 00000000 S /system/xbin/pts-daemon
[email protected]:/ $ pts-shell /system/bin/sh
(pts-shell) /system/bin/sh
Could not connect to socket: Permission denied
255|[email protected]:/ $ su pts-shell /system/bin/sh
[email protected]:/ #
As you see, I can only run pts-shell as root.
alf_tux said:
Yes, here is my the terminal output:
[email protected]:/ $ ps | grep pts
root 136 1 760 180 ffffffff 00000000 S /system/xbin/pts-daemon
[email protected]:/ $ pts-shell /system/bin/sh
(pts-shell) /system/bin/sh
Could not connect to socket: Permission denied
255|[email protected]:/ $ su pts-shell /system/bin/sh
[email protected]:/ #
As you see, I can only run pts-shell as root.
Click to expand...
Click to collapse
Sorry, I realized that the correct command should be:
[email protected]:/ $ su -c pts-shell /system/bin/sh
(pts-shell) /system/bin/sh
(pts-shell) Enter your password:
[email protected]:/ #
Anyway I can only run this as root.
Oh yeah, I found the bug. Sorry, my bad. I've fixed it and uploaded a new copy of the update ZIP, but you don't have to upgrade if you don't want to. Running
Code:
# chmod 0701 /data/pts
should be sufficient to fix the problem. Then you should be able to run pts-shell from a regular (non-root) shell.
tan-ce said:
Oh yeah, I found the bug. Sorry, my bad. I've fixed it and uploaded a new copy of the update ZIP, but you don't have to upgrade if you don't want to. Running
Code:
# chmod 0701 /data/pts
should be sufficient to fix the problem. Then you should be able to run pts-shell from a regular (non-root) shell.
Click to expand...
Click to collapse
I don't think that was the the bug:
[email protected]:/ $ su
[email protected]:/ # ls -l /data/pts
-rw------- root root 61 2013-08-28 19:09 passwd
srw-rw-rw- root root 2013-08-28 18:59 pts
[email protected]:/ # chmod 0701 /data/pts
[email protected]:/ # ls -l /data/pts
-rw------- root root 61 2013-08-28 19:09 passwd
srw-rw-rw- root root 2013-08-28 18:59 pts
[email protected]:/ # ^D
[email protected]:/ $ pts-shell /system/bin/sh
(pts-shell) /system/bin/sh
Could not connect to socket: Connection refused
255|[email protected]:/ $
I have also tried:
chmod 0701 /data/pts/pts
And
chmod 0701 /data/pts/*
I'm getting the same connection refused. Maybe you can send me a debug version, I can run it just to find what is going on.
alf_tux said:
I'm getting the same connection refused. Maybe you can send me a debug version, I can run it just to find what is going on.
Click to expand...
Click to collapse
That's strange. Could you show me the output of ls -la? (The "a" is needed to see the permissions for /data and /data/pts itself)
After that, perhaps you could try "chmod 0711 /data/pts"
There isn't a debug version. The error message comes from the part of the code which tries to open a unix socket located at /data/pts/pts. For this to work, /data and /data/pts must have the execute bit set, and /data/pts/pts needs to have the readable and writable bit set for you. Otherwise you'll get a "permission denied".
Perhaps it might be easier for me to just move the socket to /dev like what koush does for Superuser... it's possible the permissions on my /data is non-standard.
On a side note, I'm also currently trying to contribute to koush's Superuser project to fix terminal handling. With any luck, I (or someone else?) will succeed and we won't really need my pts-multi tools anymore.
tan-ce said:
That's strange. Could you show me the output of ls -la? (The "a" is needed to see the permissions for /data and /data/pts itself)
After that, perhaps you could try "chmod 0711 /data/pts"
There isn't a debug version. The error message comes from the part of the code which tries to open a unix socket located at /data/pts/pts. For this to work, /data and /data/pts must have the execute bit set, and /data/pts/pts needs to have the readable and writable bit set for you. Otherwise you'll get a "permission denied".
Perhaps it might be easier for me to just move the socket to /dev like what koush does for Superuser... it's possible the permissions on my /data is non-standard.
On a side note, I'm also currently trying to contribute to koush's Superuser project to fix terminal handling. With any luck, I (or someone else?) will succeed and we won't really need my pts-multi tools anymore.
Click to expand...
Click to collapse
Yes, I agree that fixing su would be better.
I don't have my tablet right know, i don't remember well /data /data/pts and /data/pts/pts read and exec bits. I will see better whan I have my tablet with me.
Here is the output:
/data:
drwxrwx--x system system 2013-08-28 18:59 data
/data/pts:
drwxr-xr-x root root 2013-08-28 19:06 pts
[email protected]:/ $ ls -la /data/pts
-rwxrwxrwx root root 61 2013-08-28 19:09 passwd
srwxrwxrwx root root 2013-08-28 18:59 pts
[email protected]:/ $ pts-shell /system/bin/sh
(pts-shell) /system/bin/sh
Could not connect to socket: Connection refused
255|[email protected]:/ $
I suppose it isn't a permission problem.
alf_tux said:
I suppose it isn't a permission problem.
Click to expand...
Click to collapse
You're probably right, my Nexus 10 could be a bit different because of the semi-botched update I went through. Well, good news on two fronts: First, I updated pts-multi (latest update zip here) to use /dev/pts-daemon as the socket instead of /data... It works on mine, and I think it should work on yours, because Superuser puts its socket there too.
Second, I finished some modifications to the su binary in Superuser (source code here), and I've submitted a pull request to Koush. He says he'll do a code review of my changes, and we'll see how it goes.
tan-ce said:
You're probably right, my Nexus 10 could be a bit different because of the semi-botched update I went through. Well, good news on two fronts: First, I updated pts-multi (latest update zip here) to use /dev/pts-daemon as the socket instead of /data... It works on mine, and I think it should work on yours, because Superuser puts its socket there too.
Second, I finished some modifications to the su binary in Superuser (source code here), and I've submitted a pull request to Koush. He says he'll do a code review of my changes, and we'll see how it goes.
Click to expand...
Click to collapse
T/hanks! I tried your new update and I think it's working!
Can you add a passwordless option? Or if password is blank just don't ask for it
alf_tux said:
T/hanks! I tried your new update and I think it's working!
Can you add a passwordless option? Or if password is blank just don't ask for it
Click to expand...
Click to collapse
Ok, but I took the easiest way out... If you set the environment variable PTS_AUTH, pts-shell will read the password from there instead of prompting you for it. So, if you're writing a script to spawn a root shell, do:
Code:
#!/system/bin/sh
export PTS_AUTH="your password here"
pts-shell /system/bin/sh
The latest update zip is here.
Thanks a lot tan-ce!!
It's working just as I expected!
Glad to hear it.
Edit: Someone pointed out the title is not completely accurate, so I changed it to be more descriptive and I will add a list of devices this root method will work with here
Edit2: Thanks to @Rortiz2 for the automated method! You can download it here! Simply extract the files and run MTK-SU.bat to install the SuperSU app and root your device. Once you reboot after the batch script has completed, simply open SuperSU, go to settings, and ensure that default root access for apps is set to grant.
Fire HD 8 8th gen (2018) (thanks @xyz`)
Fire HD 8 7th gen (2017)
Fire HD 8 6th gen (2016) (thanks @bibikalka)
Fire HD 10 7th gen (2017) (thanks @bibikalka)
Fire TV 2 2015 (mt8173-based) (thanks @el7145) -- up to firmware 5.2.6.9
Fire 7 9th gen (2019) (thanks @Michajin)
Before trying this root method, please read through this entire post: 5 and make sure it will work for your device!
Note: I did not create these methods, all credit goes to @diplomatic and @dutchthomas
I simply wanted to put it into a single forum post with easy instructions.
With that out of the way, lets get started.
Only use this for Fire OS 5.x.x.x, I haven't tested it with the latest version, but it should still work.
First, follow these instructions by diplomatic:
After you have verified that you have access to a root shell (The '[email protected]:/ $' will change to '[email protected]:/ #) you can follow these steps by dutchthomas:
1. Install SuperSu from Playstore (if you do not have the playstore installed, you can follow the guide by @Gilly10 here https://forum.xda-developers.com/amazon-fire/general/how-to-install-google-play-store-fire-t3486603)
2. Download SuperSu and unzip somewhere (download the .zip from here)
3. Inside the UPDATE-SuperSU-v2.79-20161211114519.zip there should be an arm64 folder. Copy that folder to your platform-tools folder
Most of this is just going to be copy paste commands
4. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
5. adb shell
6. cd /data/local/tmp
7. ./mtk-su
8. The $ after [email protected] should change to a #, if it doesn't, close the terminal and start again from step 5.
9. mount -o remount -rw /system
10. cp /data/local/tmp/su /system/xbin/su
11. cp /data/local/tmp/su /system/xbin/daemonsu
12. cp /data/local/tmp/supolicy /system/xbin/
13. cp /data/local/tmp/libsupol.so /system/lib/
14. cp /data/local/tmp/libsupol.so /system/lib64/
15. chmod 0755 /system/xbin/su
16.
Code:
chcon u:object_r:system_file:s0 /system/xbin/su
17.
Code:
chcon u:object_r:system_file:s0 /system/xbin/su
18.
Code:
chcon u:object_r:system_file:s0 /system/xbin/daemonsu
19. daemonsu --auto-daemon
20. Back on your device, open the SuperSU app and allow it to update its binaries.
After updating the SuperSU binaries, reboot your device. Once you are back to your main screen, open SuperSU, go to settings, Then scroll down to Access. Click the [Grant] option for Default Access. You need to do this because for unknown reasons the Kindle Fire is unable to show the root access popup. Your device is now fully rooted!
https://forum.xda-developers.com/showpost.php?p=79441935&postcount=629
The original thread is here: https://forum.xda-developers.com/hd8-hd10/orig-development/experimental-software-root-hd-8-hd-10-t3904595. The title of the current thread does not accurately reflect which tablets can rooted by this method. This information is in the first post of the original thread.
MontysEvilTwin said:
The original thread is here: https://forum.xda-developers.com/hd8-hd10/orig-development/experimental-software-root-hd-8-hd-10-t3904595. The title of the current thread does not accurately reflect which tablets can rooted by this method. This information is in the first post of the original thread.
Click to expand...
Click to collapse
Thanks for the feedback, I updated the post to be more informative!
Rortiz2 said:
https://forum.xda-developers.com/showpost.php?p=79441935&postcount=629
Click to expand...
Click to collapse
Added a link and credit to you on my post, thanks for the script!
SirHappyCatIII said:
Added a link and credit to you on my post, thanks for the script!
Click to expand...
Click to collapse
Ok.
Correction
I now realize it was obvious, but it took me a while to realize there shouldn't be two identical commands.
Instruction #17 should be #18
And #18 should be
Code:
chmod 0755 /system/xbin/daemonsu
Thanks got my Fire HD 8 (6th Gen) running Fire OS 5.3.6.4 (626536720) rooted
deleted
Hi, i followed the steps for my Fire HD 8 8th gen (2018), FireOS 6.3.0.0.
I was able to obtain temporary root access using mtk-su. Prompt is now #.
Step 9 (9. mount -o remount -rw /system) returns this error.
mount: '/dev/block/dm-0'->'/system' : Device or resource busy.
I also tried " "mount -o rw,remount /system"
And it returns this error '/dev/block/dm-0' is read-only.
So I cannot proceed any further. Your help is greatly appreciated.
PS: Your step 1 says install SuperSu from PlayStore. But it seems there isn't a ChianFire SuperSu available in PlayStore. And how is this related to the rest of the steps?
mxj_xda said:
Hi, i followed the steps for my Fire HD 8 8th gen (2018), FireOS 6.3.0.0.
I was able to obtain temporary root access using mtk-su. Prompt is now #.
Step 9 (9. mount -o remount -rw /system) returns this error.
mount: '/dev/block/dm-0'->'/system' : Device or resource busy.
I also tried " "mount -o rw,remount /system"
And it returns this error '/dev/block/dm-0' is read-only.
So I cannot proceed any further. Your help is greatly appreciated.
PS: Your step 1 says install SuperSu from PlayStore. But it seems there isn't a ChianFire SuperSu available in PlayStore. And how is this related to the rest of the steps?
Click to expand...
Click to collapse
what are you looking to do? If you have root access then you can unlock... This thread is kind of old....
https://forum.xda-developers.com/hd...nlock-fire-hd-8-2018-karnak-amonet-3-t3963496
i get this error when i try and download the release 22 zip file
C:\Users\cod3w\AppData\Local\Temp\kKb_tka2.zip.part could not be saved, because the source file could not be read.
Try again later, or contact the server administrator.
Can this be used on the Fire HD 10 8TH GEN?
This guide should be updated. There's no more SuperSU on the Play store. I believe that it hasn't been updated for quite a while before it was taken down. There should be a more updated guide somewhere.
Hi.
I have a Fire HD 8 (6th Generation) ...OS 5.6.8.0 (626542120).
please i use which prosedure for root?
I get a question mark after the 1st command.
PS C:\adb> adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
[ ?] /data/local/tmp/libsupol.so
If i continue, it will fail with:
[email protected]:/data/local/tmp $ ./mtk-su
/system/bin/sh: ./mtk-su: not found
Will keep digging, i'm on a fire hd 8 6th gen on 5.3.6.4
I'm only using a very small adb pack, maybe it's that, but i am able to commuinicate.
Will keep at it.
PS: Thank you so much for making this guide, hopefully i can breath some life into this now quite slow tablet.
EDIT: MTK was missing from all folders?
Heres the whole list of commands, now fails on the last part, daemon
PS C:\adb> adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
[ ?] /data/local/tmp/libsupol.so
PS C:\adb> adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ ./mtk-su
UID: 0 cap: 3fffffffff selinux: permissive
[email protected]:/data/local/tmp # mount -o remount -rw /system
[email protected]:/data/local/tmp # cp /data/local/tmp/su /system/xbin/su
[email protected]:/data/local/tmp # cp /data/local/tmp/su /system/xbin/daemonsu
[email protected]:/data/local/tmp # cp /data/local/tmp/supolicy /system/xbin/
[email protected]:/data/local/tmp # cp /data/local/tmp/libsupol.so /system/lib/
[email protected]:/data/local/tmp # cp /data/local/tmp/libsupol.so /system/lib64/
[email protected]:/data/local/tmp # chmod 0755 /system/xbin/su
[email protected]:/data/local/tmp # chcon ubject_r:system_file:s0 /system/xbin/su
[email protected]:/data/local/tmp # chcon ubject_r:system_file:s0 /system/xbin/su
[email protected]:/data/local/tmp #
hcon ubject_r:system_file:s0 /system/xbin/daemonsu <
[email protected]:/data/local/tmp # daemonsu --auto-daemon
/system/bin/sh: daemonsu: can't execute: Permission denied
126|[email protected]:/data/local/tmp #
Need to allow permissions i guess but not sure how.
Have tried the other mtk method in the thread mentioned in the OP and have this in powershell, different response to the adb push.
PS C:\adb> adb push .\mtk-su /data/local/tmp
[100%] /data/local/tmp/mtk-su
PS C:\adb> adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su
UID: 0 cap: 3fffffffff selinux: permissive
[email protected]:/data/local/tmp #
help
Ok so i managed to root using the mtk-su app from here:
Releases · JunioJsv/mtk-easy-su
Get bootless root access with few clicks. Contribute to JunioJsv/mtk-easy-su development by creating an account on GitHub.
github.com
Now i do have magisk and super su installed but there is no prompt from any root request, however it does say i am rooted according the supersu root checker, plus magisk safetynet fails, so i'm at a loss now.
Hi All
two days ago I rooted my LAB Onepluse 7 pro , after that we succeed to connect trough ADB shell .
to connected as like as root (sudo ) we re edited the build.prop (ro.secure=0 and ro.debuggable=1 ) but after changing the ro.secure to 0 we failed to connect at all via adb ( adb devices not showing the phone ) and if we are setting only the
ro.debuggable=1 we are able to do adb shell but if we are trying to do adb root we are losing the adb connectivity .
First i suggest u to install TWRP through fastboot. And interact with it. Also check Magisk utility for better ROOT contol.
Before the build.prop was modified
jimmy123322 said:
First i suggest u to install TWRP through fastboot. And interact with it. Also check Magisk utility for better ROOT contol.
Click to expand...
Click to collapse
First the mobile was rooted with
twrp - 3.4.0.0 img , twrp-3.4.0.0 installer and Magisk-v20.4
After that i used prop editor to allowing the su root access
but unfortunately I able to access only to the shell with no option to access like adb root
and when the ro.secure is modified to 0 there is no option to access via ADB at all .
can you please be more accurate what to do.
Someone can answer
I'm quite new and have to know what to do
[email protected] said:
I'm quite new and have to know what to do
Click to expand...
Click to collapse
Try an earlier version of twrp
how to executing files via shell
last week i've asked about adb root but i didn't succeed to solve it .
means ro.secure=0 is still blocking my adb shell or adb root.
my question now is that we are trying to running iperf via the shell and not via the vysor.
but we are rejecting because permission deny.
drwxr-xr-x 3 root root 60 1970-04-21 23:37 vendor
1|OnePlus7Pro:/mnt $ ./ipef
/system/bin/sh: ./ipef: inaccessible or not found
127|OnePlus7Pro:/mnt $ ./iperf
/system/bin/sh: ./iperf: can't execute: Permission denied
126|OnePlus7Pro:/mnt $ ./iperf
/system/bin/sh: ./iperf: can't execute: Permission denied
126|OnePlus7Pro:/mnt $ ls -lrt
ls: ./media_rw: Permission denied
ls: ./asec: Permission denied
ls: ./product: Permission denied
total 168
drwxr-xr-x 3 root root 60 1970-04-21 23:37 user
drwx------ 3 root root 60 1970-04-21 23:37 secure
drwxr-xr-x 2 root system 40 1970-04-21 23:37 obb
drwxrwx--x 2 system system 40 1970-04-21 23:37 expand
lrwxrwxrwx 1 root root 21 1970-04-21 23:37 sdcard -> /storage/self/primary
drwx------ 6 root root 120 1970-04-21 23:37 runtime
drwx--x--x 2 root root 40 1970-04-21 23:37 appfuse
drwxr-xr-x 3 root root 60 1970-04-21 23:37 vendor
-rwxr-xr-x 1 root root 170480 2020-07-14 11:06 iperf
1|OnePlus7Pro:/mnt $ cd user
OnePlus7Pro:/mnt/user $ ls
0
OnePlus7Pro:/mnt/user $ cd ..
OnePlus7Pro:/mnt $ cp iperf /mnt/user/
cp: /mnt/user//iperf: Permission denied
1|OnePlus7Pro:/mnt $ cp iperf /mnt/user/
cp: /mnt/user//iperf: Permission denied
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $
1|OnePlus7Pro:/mnt $ exit
MacBook-Pro-de-Victor-2latform-tools root#
MacBook-Pro-de-Victor-2latform-tools root#
MacBook-Pro-de-Victor-2latform-tools root# ./adb shell /data/iperf -h
/system/bin/sh: /data/iperf: can't execute: Permission denied
MacBook-Pro-de-Victor-2latform-tools root#
replaying to my self
Have use x-plore app to changing /data/app permission then iperf file was copied to this folder
1|OnePlus7Pro:/bin $
1|OnePlus7Pro:/bin $ cd /data/app
OnePlus7Pro:/data/app $ ./iperf -h
Usage: iperf [-s|-c host] [options]
iperf [-h|--help] [-v|--version]
Client/Server:
-f, --format [kmKM] format to report: Kbits, Mbits, KBytes, MBytes
-i, --interval # seconds between periodic bandwidth reports
-l, --len #[KM] length of buffer to read or write (default 8 KB)
-m, --print_mss print TCP maximum segment size (MTU - TCP/IP header)
-o, --output <filename> output the report or error message to this specified file
-p, --port # server port to listen on/connect to
-u, --udp use UDP rather than TCP
-w, --window #[KM] TCP window size (socket buffer size)
-B, --bind <host> bind to <host>, an interface or multicast address
-C, --compatibility for use with older versions does not sent extra msgs
-M, --mss # set TCP maximum segment size (MTU - 40 bytes)
-N, --nodelay set TCP no delay, disabling Nagle's Algorithm
-V, --IPv6Version Set the domain to IPv6
Server specific:
-s, --server run in server mode
-U, --single_udp run in single threaded UDP mode
-D, --daemon run the server as a daemon
Client specific:
-b, --bandwidth #[KM] for UDP, bandwidth to send at in bits/sec
(default 1 Mbit/sec, implies -u)
-c, --client <host> run in client mode, connecting to <host>
-d, --dualtest Do a bidirectional test simultaneously
-n, --num #[KM] number of bytes to transmit (instead of -t)
-r, --tradeoff Do a bidirectional test individually
-t, --time # time in seconds to transmit for (default 10 secs)
-F, --fileinput <name> input the data to be transmitted from a file
-I, --stdin input the data to be transmitted from stdin
-L, --listenport # port to receive bidirectional tests back on
-P, --parallel # number of parallel client threads to run
-T, --ttl # time-to-live, for multicast (default 1)
-Z, --linux-congestion <algo> set TCP congestion control algorithm (Linux only)
Miscellaneous:
-x, --reportexclude [CDMSV] exclude C(connection) D(data) M(multicast) S(settings) V(server) reports
-y, --reportstyle C report as a Comma-Separated Values
-h, --help print this message and quit
-v, --version print version information and quit
[KM] Indicates options that support a K or M suffix for kilo- or mega-
The TCP window size option can be set by the environment variable
TCP_WINDOW_SIZE. Most other options can be set by an environment variable
IPERF_<long option name>, such as IPERF_BANDWIDTH.
Report bugs to <[email protected]>
1|OnePlus7Pro:/data/app $
i can't root Samsung galaxy a02 -- SM-A022F/DS Build No: A022FXXU2BUI3 , android 11 , i dont know what to do for rooting and i dont have firmware file (bootloader unlocked)
To get the superuser access ( AKA root ) to be able to control various aspects of Android OS means you need to perform a certain modification that will root your phone's Android. An unlocked bootloader isn't needed to root Android.
Here is what you have to do to root your device's Android:
Replace Android's Toybox binary - what is a restricted version by default - by unrestricted Toybox v0.8.5.
This e.g. can get achieved by means of a Windows command script making use of ADB coomands.
jwoegerbauer said:
To get the superuser access ( AKA root ) to be able to control various aspects of Android OS means you need to perform a certain modification that will root your phone's Android. An unlocked bootloader isn't needed to root Android.
Here is what you have to do to root your device's Android:
Replace Android's Toybox binary - what is a restricted version by default - by unrestricted Toybox v0.8.5.
This e.g. can get achieved by means of a Windows command script making use of ADB coomands.
Click to expand...
Click to collapse
hi , i dont know what is toybox or i dont know really what to do can you tell me step by step please? i have ADB already
dleaderp said:
hi , i dont know what is toybox or i dont know really what to do
Click to expand...
Click to collapse
Typically people do a Google search like "Android Toybox" ...
To save you this search: Toybox is a suite of Linux commands ported to Android.
The commands supported are
Code:
acpi arch ascii base64 basename blkid blockdev bunzip2 bzcat cal cat
catv chattr chgrp chmod chown chroot chrt chvt cksum clear cmp comm
count cp cpio crc32 cut date devmem df dirname dmesg dnsdomainname
dos2unix du echo egrep eject env expand factor fallocate false fgrep
file find flock fmt free freeramdisk fsfreeze fstype fsync ftpget
ftpput getconf grep groups gunzip halt head help hexedit hostname
hwclock i2cdetect i2cdump i2cget i2cset iconv id ifconfig inotifyd
insmod install ionice iorenice iotop kill killall killall5 link ln
logger login logname losetup ls lsattr lsmod lspci lsusb makedevs
mcookie md5sum microcom mix mkdir mkfifo mknod mkpasswd mkswap mktemp
modinfo mount mountpoint mv nbd-client nc netcat netstat nice nl nohup
nproc nsenter od oneit partprobe passwd paste patch pgrep pidof ping
ping6 pivot_root pkill pmap poweroff printenv printf prlimit ps pwd
pwdx readahead readlink realpath reboot renice reset rev rfkill rm
rmdir rmmod sed seq setfattr setsid sha1sum shred sleep sntp sort
split stat strings su swapoff swapon switch_root sync sysctl tac tail
tar taskset tee test time timeout top touch true truncate tty tunctl
ulimit umount uname uniq unix2dos unlink unshare uptime usleep uudecode
uuencode uuidgen vconfig vmstat w watch wc which who whoami xargs
xxd yes zcat
As you might see su is the ROOT functionality.
dleaderp said:
can you tell me step by step please? i have ADB already
Click to expand...
Click to collapse
Actually I'm working on a Windows command script that makes use of ADB what does the job. I'll publish it here when finished:
[TOOL][ADB]][Windows] A 100% Safe Non-systemless Root Tool - No Soft-bricked Adroid Guaranteed
Grant Root Privileges to Regular Users Using Devices With Android 6 and up by Simply Upgrading Android's Multi-command Applet Toybox.
forum.xda-developers.com
jwoegerbauer said:
Actually I'm working on a Windows command script that makes use of ADB what does the job. I'll publish it here when finished:
Click to expand...
Click to collapse
happy to hear that xd
i got a last question, i think my phone's storage is shrunked after i used firmware is it possible ? if yes how can i fix it. it was 32 gb now its 8gb
i fixed i used another firmware i'll be wait for your ADB