Hello XDA!
Samsung has been semi SamPWND again!
Disclaimer:
This root method was developed and tested on the N960U model. This is the only model I have that is a Samsung device. I do have friends and other devs however that have tested this method on various other Samsung devices on both Qualcomm and Exynos chipsets and it has worked on a good number of them meaning this method is not limited to the Note 9. With that being said, due to all the time I have already spent on this and not having any other devices, I will ONLY be supporting the N960U. So do not get upset if I do not respond to you if you have a Samsung A8934839K312 on 7.1 Android (aka a device I have never even heard of before.)
Disclaimer 2:
This root method is mainly for devs or those who like to tinker and figure things out. The reason I say this is because at this time, you are REQUIRED to be on a factory/combination firmware to mess with the root method. I will ignore any comments/questions from people who do not read this disclaimer and ask me how to root stock etc., as that is what I have been trying to do for over a month now. If you need your phone for work or as a daily then I suggest only messing with this root method if you have a lot of spare time, since it involves flashing combo firmware, on which mobile services and other stuff will not be functional. You have been warned!
Disclaimer 3:
This thread/POC is essentially to get you the ability to use root apps and have a root shell, that is it. If I have time and see some questions that are legit questions I will try to provide help in a timely manner. This POC simply pushes the busybox binary from Magisk.zip and SuperSU (the last version Chainfire released before retirement) and installs it in sbin/daemon mode. There is also a way to install MagiskSU in daemon mode, as well as ways to install root to /system/xbin for example and do mods such as Xposed that typically need to modify the system partition, but that is not the purpose of this thread and these methods are a bit more involved (they require modifying the root script as well as setting up bind mounts and other stuff.) Hopefully once this is released and some devs chime in there will eventually be others contributing with various root scripts, install methods etc., and of course HOPEFULLY we find a way to write to the system/odm/vendor partitions so we can eventually run root on stock!
Disclaimer 4:
I am NOT responsible if you break your phone, wipe your IMEI, hard brick etc. etc.! Also, I spent months to get to this point and already had someone steal my files from AFH (I know, my fault for not hiding them) so please do not take my work as your own. If you want to use it in any way/shape/form just ask for permission and/or give credits in your thread is all I ask! If you are however using someone else's modified files and in here trying to get help I might turn you away (back to the person who provided the modified files) just an FYI!
I think that is enough disclaimers for now!
Note: This thread will most likely be ugly for a bit as I am terrible with making these things look pretty... Hopefully as time goes I will keep improving it or find someone who is trustworthy I can make a "contributor" so they can fix it up for me haha.
Now, Let's Get To It!
Technical Details:
This is sort of a spawn from an exploit I found and reported to Samsung back on the Tab S3 that I never released on XDA. That method (long story short) involved modifying the Persist partition and flashing it in ODIN as ODIN did not check it for integrity. Of course it was patched by Samsung who gave me some $$$ and gave me a shout out on their security bulletin which was pretty cool!
This method is similar to "Persist Root" except we are not flashing any modified partitions in ODIN. Instead, on many Samsung combination firmwares there is an init rc script on /system. If you want to know if your device is compatible a good starting point would be to look for a file called "init.lab.rc" which is typically located at "/system/etc/init/init.lab.rc" like so:
-rw-r--r-- 1 root root u:object_r:system_file:s0 14784 2008-12-31 10:00 init.lab.rc
As it stands, we cannot edit this script. I noticed something cool however when I was reading it one day. Specifically one thing that caught my eye was this:
chmod 777 /data/lab/run_lab_app.sh
There are MANY files and scripts at /data/lab. Luckily, the init.lab.rc sets permissions to "0777" and sets ownership to system on the entire /data/lab directory! If you are still with me, this means all the contents of this directory are world readable/writeable and we can modify any of the files in this DIR without elevated privileges!
Now I am showing the "run_lab_app.sh" script specifically for a reason. We know we can modify any scripts on /data/lab, but how can we execute them with elevated privileges? Going back to the init.lab.rc, if you scroll to the bottom of the rc file you will see this:
service start_abc /system/bin/sh /data/lab/run_lab_app.sh factory abc+
    user system
    group system
    disabled
    oneshot
on property:sec.lab.abc.start=1
    start start_abc
    setprop sec.lab.abc.start 0
Now what that means is, when you set the property "sec.lab.abc.start" to "1" it executes the abc service as system user and more specifically it will start by executing the "run_lab_app.sh" script! Therefore, after you modify the script to your liking, push it to /data/lab/run_lab_app.sh, then do a "setprop sec.lab.abc.start 1" your script will be executed as system user!
Now, system obviously is not "root", but now that we can execute as the system user we have more attack vectors to elevate privileges even further. Ideally, I remembered how I rooted the Tab S3 about a year ago using the Persist partition. As it stands, we are not able to read/write on persist. If we were to set permissions on /persist using the run_lab_app.sh script, however, then we can gain access to it! Therefore, one would only need to add this command to the run_lab_app.sh script and execute it using the setprop command:
chmod -R 0777 /persist
As soon as you modify the script, push it and execute the setprop command, it will change permissions on the /persist DIR to be world readable/writeable!
Now, the reason I like to use Persist is that there is a script that is executed by INIT on every reboot automatically (this means it is executed by root!). The script in question is "/persist/coresight/qdss.agent.sh". (I am not sure if this script itself is a Qualcomm-specific script or not.) Modifying this script has no ill effects on anything from what I have seen.
Now to see how the script is executed you can look in "/vendor/etc/init/hw/init.qcom.test.rc" and you will see some interesting stuff including this:
crownqltesq:/vendor/etc/init/hw # cat init.qcom.test.rc | grep persist
service cs-early-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh early-boot /vendor/bin/init.qcom.debug.sh
service cs-post-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh post-boot /vendor/bin/init.qcom.debug.sh
write /persist/coresight/enable 1
write /persist/coresight/enable 0
crownqltesq:/vendor/etc/init/hw #
As I stated earlier, due to this init script, the qdss.agent.sh script is executed by the init context/root user automatically during early boot and post boot. This means once you get everything set up, you won't need to keep reinstalling root (unless you mess something up) on each reboot. This is ideal since we don't have a way yet to modify the system/vendor/odm partitions. Think of it as a "systemless" root.
For the POC I have provided in this thread for example, it contains the bare minimum SU files. The files in the attached zip are simple: SamPWND.bat, sampwnd1.sh, sampwnd2.sh, /sampwnd which contains su, sukernel, supolicy, libsupol.so and busybox. The way it works is this:
1) You double click the .bat file and it should do everything for you! The .bat file will:
- Push sampwnd1.sh to /data/lab/run_lab_app.sh
- Execute the lab script by doing "setprop sec.lab.abc.start 1"
- Push sampwnd2.sh to /persist/coresight/qdss.agent.sh
- Push root files in "sampwnd" folder to /persist/coresight/sampwnd
- Set permissions on the files we just pushed to Persist to 0777
- Reboot the device (Note: The .bat file reboots the device at this point since everything is in place to root when the device reboots, it's that simple!)
After the device reboots, you should now be able to use a root shell as well as sideloading any root apps will work (apps such as TiBu, Root Explorer, Flashfire etc. etc.)
When the device reboots, the qdss.agent.sh script does the following automatically:
1) Mounts rootfs and sets permissions to 0777 so we can access /sbin
2) Pushes the contents of the root files folder "sampwnd" to /sbin
3) Sets permissions to the files we just moved to /sbin
4) Exports the LIB path to /sbin due to the libsupol.so being needed to patch the sepolicy with supolicy
- The export command is "export LD_LIBRARY_PATH=/sbin"
- Once the script is over and you use another app or go into a shell etc. the LIB path will be gone/reset so you don't need to worry.
5) Patches the sepolicy for SU
6) Installs SU by executing "su --install"
7) Executes the SU daemon by running "su --daemon"
8) Lastly, remounts rootfs back to RO.
As stated earlier, these commands are all automatically executed by init/root each time you reboot the device. Essentially, whatever we put into the qdss.agent.sh script will be executed on boot by init/root. If for some reason permissions are lost, we should still have our lab script and we would only need to run "setprop sec.lab.abc.start 1" to change permissions on persist again!
The initial files I provide today are just a simple root install script. I have successfully used the root script to install MagiskSU, Xposed (using bind mounts to overlay on /system) and other tests. I also at one point made a backup script that backed up all the partitions on the device into a folder which I extracted to my PC for safe keeping, you get the picture! Once you have root however, you can do these things easier as you will have root access.
Now that you know the workings of the exploit (err exploits?) I will explain briefly what is needed and how to test it.
Pre-requisites:
1) Download links will be in 2nd post.
2) For the purpose of this thread and the only device I personally have, you should have a N960U/U1/W on a rev1 bootloader (there isn't a rev2 BL yet so most should be good to go.)
3) A vulnerable Combo Firmware. I linked the one I use in Post 2. I use 1ARG4 Factory/Combo firmware. Of course you will need ODIN to flash the combo.
4) The root files/7z linked in post 2.
5) Stock firmware for when you are done playing, testing, etc. etc.
6) Almost forgot, you will need ADB. I will not go into details on this, if you don't have a working ADB Google is your friend. I recommend setting it to your path so you can use ADB from anywhere on the PC.
Install Instructions:
1) Extract the root files 7z into a DIR of your choice.
2) Flash whichever vulnerable combo firmware you are using via ODIN.
3) Once it boots up, make sure your device is seen by adb by running "adb devices"
4) Double click the .bat file.
5) That's it! Your device will reboot and you should be rooted!
If for some reason it is not working and you are on a N960U/U1/W, there could be a number of reasons. If you are not using the 1ARG4 combo I linked then it's possible the combo you are using is not vulnerable. It could also be an issue with ADB. Sometimes if things get crazy throughout your testing you might need to reflash /persist in ODIN or reflash the combo firmware in ODIN then re-run the .bat file (I only experience this typically when I get crazy with the root script and end up losing permissions to everything or something I added in the root script is causing the device to boot-loop etc. etc.)
Now donations are not required but feel free to throw me some beer money if you want! My paypal email/link is in a few places, you shouldn't have any trouble finding it!
TELEGRAM LINK
https://t.me/joinchat/DxwvAlhtzHjg4EI9973BGQ
We will use the TGRAM to provide support, ideas, share scripts/files and HOPEFULLY, we can all figure out together how to turn this into rooting the stock firmware as this is the goal and will be the primary focus of the chat!
Credits:
@samsung - for letting us PWND them time and time again!
@chainfire - SuperSU of course
@topjohnwu - MagiskSU of course
@me2151 - For all the time and help he is going to be putting in with us! Such a great guy! lol
@jrkruse - For everything! Everything from EDL support, ROM support, Root support you name it!
@partcyborg - For also spending countless hours helping answer questions in here so I don't have to hahah
@mweinbach - He writes great articles for XDA! He is a good kid who gets his hands on cool things frequently
@mysecretfriendfromfaraway - I will not name him haha, he knows who he is. He always helps out and gets great things!
XDA:DevDB Information
SamPWND N960U Root, Tool/Utility for the Samsung Galaxy Note 9
Contributors
elliwigy
Version Information
Status: Testing
Created 2019-05-05
Last Updated 2019-05-05
Downloads:
1) 1ARG4 Factory/Combo Firmware
MD5: bf0702b4e85ac1547b5706bb4859f554
2) Root Files
MD5: 342f15e13c72f3d0f9194d8a14058ac9
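Added example (not part of the original post and not the SamPWND tool): a small POSIX shell/awk audit for the pattern the OP chains together. It reads Android init .rc text and reports (a) services whose executable or script argument lives on a writable partition, with the uid they run as (init defaults to root when no "user" line is present) and the "on ..." section that starts them, and (b) chmod/mkdir lines that make such paths world-writable. The embedded sample is constructed from the init.lab.rc and init.qcom.test.rc excerpts quoted above; the "on early-boot" trigger for cs-early-boot and the vendor.adbd service are assumptions added for illustration, and the list of writable prefixes is an assumption you should adjust for your device.

```sh
#!/bin/sh
# Audit Android init .rc text for services that execute scripts from writable
# storage (the init.lab.rc / qdss.agent.sh pattern described in the OP).

# Constructed sample modelled on the .rc excerpts quoted in the post. It is
# NOT a dump from a real device; the 'on early-boot' trigger and the
# vendor.adbd service are assumptions for illustration.
SAMPLE_RC='
on post-fs-data
    mkdir /data/lab 0777 system system
    chmod 777 /data/lab/run_lab_app.sh

service start_abc /system/bin/sh /data/lab/run_lab_app.sh factory abc+
    user system
    group system
    disabled
    oneshot

on property:sec.lab.abc.start=1
    start start_abc
    setprop sec.lab.abc.start 0

service cs-early-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh early-boot /vendor/bin/init.qcom.debug.sh
    disabled
    oneshot

on early-boot
    start cs-early-boot

service vendor.adbd /system/bin/adbd --root_seclabel=u:r:su:s0
    class core
    user root
'

# Path prefixes treated as writable from a shell/system-uid context on the
# device in the post (assumption: extend or trim for your device).
WRITABLE_PREFIXES='/data /persist /cache /sdcard'

# Reads .rc text on stdin and prints one finding per line:
#   PERM <mode> <path>                       world-writable path created/chmodded by init
#   SERVICE <name> <uid> <script> trigger=<on-section|none>
audit_rc_text() {
    awk -v prefixes="$WRITABLE_PREFIXES" '
    BEGIN { n = split(prefixes, P, " "); ns = 0; svc = ""; sect = "" }
    # true when path starts with one of the writable prefixes
    function writable(path,   i) {
        for (i = 1; i <= n; i++) if (index(path, P[i] "/") == 1) return 1
        return 0
    }
    $1 == "service" {
        svc = $2; SVC[++ns] = svc; USER[svc] = "root"; SCRIPT[svc] = ""
        # first argument under a writable prefix is the script init will run
        for (i = 3; i <= NF; i++) if (writable($i)) { SCRIPT[svc] = $i; break }
        sect = ""; next
    }
    $1 == "on" { svc = ""; sect = $2; next }           # new trigger section
    svc != "" && $1 == "user" { USER[svc] = $2 }        # explicit uid for the service
    sect != "" && $1 == "start" { TRIG[$2] = sect }     # which section starts it
    $1 == "chmod" && $2 ~ /^0?777$/ && writable($3) { printf "PERM %s %s\n", $2, $3 }
    $1 == "mkdir" && $3 ~ /^0?777$/ && writable($2) { printf "PERM %s %s\n", $3, $2 }
    END {
        for (k = 1; k <= ns; k++) {
            s = SVC[k]
            if (SCRIPT[s] == "") continue               # binary on a read-only partition
            t = (s in TRIG) ? TRIG[s] : "none"
            printf "SERVICE %s %s %s trigger=%s\n", s, USER[s], SCRIPT[s], t
        }
    }'
}

# Runs the audit over the embedded sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_RC" | audit_rc_text
}

audit_sample
```

Against a real device, pull the rc files first (e.g. adb pull /system/etc/init/init.lab.rc . and adb pull /vendor/etc/init/hw/init.qcom.test.rc .) and run audit_rc_text &lt; init.lab.rc. On the sample it reports the 0777 /data/lab directory and script, start_abc running as system from /data/lab via the sec.lab.abc.start property, and cs-early-boot running as root from /persist; vendor.adbd is not reported because its binary lives under /system.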
Mine also...
Nice job!
Thank you @elliwigy !!!
Your determined effort is soooooooooooooooo much appreciated. :good:
You are the man! This has got to be the first out. I don't think I have seen anything else. As usual you have done something remarkable for Samsung, and this time the Note 9 of all. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched any more into that lately?
noidodroid said:
You are the man! This has got to be the first out. I don't think I have seen anything else. As usual you have done something remarkable for Samsung, and this time the Note 9 of all. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched any more into that lately?
Not possible. SamPWND used rev1 eng firmware lol. It was done as soon as they incremented the bootloader.
elliwigy said:
Not possible. SamPWND used rev1 eng firmware lol. It was done as soon as they incremented the bootloader.
Yup. =] I don't know though. Always something new that pops out of Sammy's goodie bag and lands in someone's lap and crawls its way onto XDA. Like you I have a silentguywhospeaksanotherlanguage that always seems to amaze me... the past 14 years. Would be awesome. Could be something kewl. Time will tell.
Definitely going to test out and report back! Sent you some money for some beers lol :highfive:
Still no one's tried? lol I thought ppl would be all over it haha
elliwigy said:
Still no one's tried? lol I thought ppl would be all over it haha
I'm gonna try it when I get off work
Incredible!! Wow, this alone is awesome, and that word doesn't do it justice. The talent you all have for this is really impressive. Thanks to all who had a major role in this alone. I will be posting results as soon as I can, hopefully tonight. It's all possible!!
Thank You
noidodroid said:
You are the man! This has got to be the first out. I don't think I have seen anything else. As usual you have done something remarkable for Samsung, and this time the Note 9 of all. I wish there was the ability to get root on U5 for the S8/S8+ with SamPWND. Have you researched any more into that lately?
I'm PRETTY sure samfail works via the EDL ROM from @jrkruse
Trying to install right now... So for the Combo Firmware, I am on build N960USQS1CSD1. How do I find the combo firmware for that? Is that just finding the stock firmware?
Your talent has left me in admiration. I appreciate it, and I congratulate you.
When I test my device, can we briefly list what I need to do as follows?
1) 1ARG4 Factory/Combo Firmware
I need to flash it to my phone with Odin.
2) After flashing is finished, I have to wait for my device to boot.
3) After my device boots, I need to apply the root files to my device from the PC in the way you described.
4) After the root process reboots my device, I need to install the stock firmware.
5) Happy ending.
Raz12 said:
Trying to install right now... So for the Combo Firmware, I am on build N960USQS1CSD1. How do I find the combo firmware for that? Is that just finding the stock firmware?
It will be easiest to just use the combo linked in the second post. Newer combos are most likely patched. Also, if CSD1 is Pie then there will never be a Pie combo, so you'll need to flash an Oreo combo either way.
axioneer said:
Your talent has left me in admiration. I appreciate it, and I congratulate you.
When I test my device, can we briefly list what I need to do as follows?
1) 1ARG4 Factory/Combo Firmware
I need to flash it to my phone with Odin.
2) After flashing is finished, I have to wait for my device to boot.
3) After my device boots, I need to apply the root files to my device from the PC in the way you described.
4) After the root process reboots my device, I need to install the stock firmware.
5) Happy ending.
Read the OP. I'd say it's pretty easy/clear.
Also, it is not possible to have root on stock firmware right now; this was also clear in the OP.
The root only works on combo firmware. If you need to use your phone then I suggest not using this root method until we figure out how to make it work on stock.
elliwigy said:
It will be easiest to just use the combo linked in the second post. Newer combos are most likely patched. Also, if CSD1 is Pie then there will never be a Pie combo, so you'll need to flash an Oreo combo either way.
Yikes, I see the difference now. I mean it's done, but it's not like a normal Android it seems. I see what you mean. Well, I guess I'll just go back to stock Pie. Good work though man, you are doing great! Just to see though, it went to a factory binary screen and then to this lime green screen showing all this info. That's it, right?
I hope this leads to root for normal U1 firmware.
Raz12 said:
Yikes, I see the difference now. I mean it's done, but it's not like a normal Android it seems. I see what you mean. Well, I guess I'll just go back to stock Pie. Good work though man, you are doing great! Just to see though, it went to a factory binary screen and then to this lime green screen showing all this info. That's it, right?
It was probably green due to the battery being low. It changes the color once it dips below a certain %.
And yeah, I assume you've never been on a combo firmware before lol, they are all like that.
Related
The information provided in this thread is no longer up to date, although useful troubleshooting information can be found for those having issues. For those who would prefer to have the most up-to-date versions of CM9, CM10 or ParanoidAndroid supported by an awesome developer, go here
WARNING: IF YOU UPDATE YOUR TABLETS TO THE LATEST v03 UPDATES OF THE OFFICIAL ROM, YOU WILL LOSE THE ABILITY TO ROOT IT USING THE SUPERBOOT METHOD AND IT WILL BECOME A HUGE PAIN TO RE-INSTALL CWM/CUSTOM ROMS. INSTRUCTIONS FOR THIS SITUATION ARE PRESENTED BELOW, BUT PLEASE KEEP THIS IN MIND AND TRY TO READ THE THREAD CAREFULLY BEFORE MAKING SUCH CHANGES.
For those who need it, you can find a nandroid backup of Vodafone Romania's stock ROM for the v71a, here
Hello friends. With great thanks to utkanos, Koush and mobilx we now have a public alpha CWM and root available on both the ZTE V11A and the V71A, also known as the SFR StarTab 7/10, Vodafone SmartTab 7/10, as well as Sprint's (ZTE) V55 with credits due to utkanos for porting CWM, mobilx for being arguably the most motivated searcher of the holy root grail, and PaulOBrien from modaco and his superboot solution. We also thank alterbridge86 and eldarerathis for their advice and support. Additionally, credits go to joe.stone for custom kernel with loop device support, OC, touched voltages and a few other goodies.
Also, for interested developers, I have made the source code of the kernel available in a more easily accessible fashion. The source code (3 parts, contains the source for both models) is available here:
Part 1, Part 2, Part 3.
INSTALLING CWM:
A new optimized version of CWM for 7"and 10" tabs has been put together by joe.stone. I will also keep utkanos' links available below for those who prefer his versions or wish to thank him for his early efforts in making our tablets awesome
joe.stone said:
For those who have troubles with cwm recovery (freeze while backup ) i have created a new version. Flashable from fastboot.
10" CWM Recovery
7" CWM Recovery
Credit goes to joe.stone.
joe.stone said:
If you updated your tablet ROM via OTA or the updater exe and can no longer install CWM, follow these instructions:
In firmware v03b fastboot flash is disabled and from a running system flash_image will fail too.
Download the twrp recovery http://goo.im/devs/joestone/twrp/v71_recovery.img
download the twrp recovery zip flashable version too
http://goo.im/devs/joestone/twrp/V71A_TWRP.zip
download kernel #60
http://www.4shared.com/zip/tzrUo5_N/v7_kernel_60.html?
copy the two zip files to the sdcard
If you want flash kernel#60 then do the following:
adb reboot bootloader
The tablet will reboot and you will get only a blank screen. Be sure that the drivers are installed from Windows Update for the fastboot interface.
Check it with: fastboot devices. If you get "waiting for device", the drivers are not installed.
fastboot boot v71_recovery.img
The twrp recovery comes up. Now you can install twrp by selecting install menu. Browse to the v71twrp.zip on the sd and install it. Now you have permanent twrp recovery.
now go back to install menu browse to the v7_kernel_60.zip and install it.
reboot and enjoy.
These are kernel #60 links for the other models :
Sprint Optik (V55)
http://www.4shared.com/zip/RTZrSXyV/v55_kernel_60.html?
SmartTab10 (V11A)
http://www.4shared.com/zip/PrW1TWHF/v10_kernel_60.html?
OR
You can flash CWM using adb; you need root rights. The best is when adbd is running in root mode (for example kernel #60).
Download this :flash_image binary
then turn on usb debugging.
to flash cwm you need the following commands:
adb push CWMrecovery.img /data/local/tmp
(where cwmrecovery.img is the name of the cwm image file name.)
adb push flash_image /data/local/tmp
adb shell chmod 755 /data/local/tmp/flash_image
adb shell (you need # not $ for flashing , so if you got $ type su to get #)
cd /data/local/tmp
./flash_image /dev/block/mmcblk0p18 CWMrecovery.img
Don't forget to remove the install-recovery.sh file from /system/etc, otherwise it will install the stock recovery at system start if the stock recovery is not present.
To revert the bootloader you need to flash "NON-HLOS.bin" to "/dev/block/mmcblk0p1" and "emmc_appsboot.mbn" to "/dev/block/mmcblk0p7" from a previous version.
Utkanos' v11a version is here.
Utkanos' v71a version is here.
Credit goes to utkanos, mobilx and koush. I have also attached these files at the end of the post.
Also attached, is the original 7-inch stock recovery file, for users who may wish to return to stock and have not performed backup.
--> Plug your tablet into usb, launch a command line, and use "adb reboot bootloader"
--> Download the CWM Recovery image from the link that fits your device.
--> Place it into the adb/fastboot folder (I am assuming you have downloaded fastboot already from the link above, during the root procedure).
--> In the command line, navigate to that folder (use "cd <path>").
--> input the command "fastboot flash recovery <filename>".
--> Reboot into recovery mode (should be Power + Volume down).
--> You should now be in CWM Recovery, and can now attempt to perform a nandroid backup.
Also, in order to prevent a possible hang, you should:
--> Reboot the tablet into the Android OS;
--> Mount it through USB;
--> Go into the clockworkmod folder;
--> Create an empty file with no extension called ".hidenandroidprogress"
After a period of testing this will be submitted to Koush's ROM Manager. Source code is also available here, linked from utkanos' post.
What works:
Nandroid backup/restore on internal sdcard
Battery stats wipe
Dalvik wipe
Cache wipe
etc.
What does not work so far:
USB mass storage
credits:
utkanos
Koush
Modified Kernel Available, all credits to joe.stone, give him thanks here:
joe.stone said:
Here it is.
There is a new kernel version available. The new version is #60 and flashable from cwm recovery .
Changelog :
-Revert GPU overclock
-Revert change of system audio files (because of bootloops on some devices after installation #55)
-Increased system volume on kernel level
-Changed VMALLOC_RESERVE=0x19000000 to VMALLOC_RESERVE=0x10000000
-Added Apple Magicmouse HID support
-Added Microsoft HID support
-Changed CPU minimum freq from 345 MHz to 432 MHz to avoid the black screen effect (the screen does not wake up, you have to reset)
V55_kernel_60.zip Hope will work fine on v55.
V7_kernel_60.zip
V10_kernel_60.zip
Also, Benny3 has put together a CWM-flashable ROM package for the V55 tablet, including Joe's kernel #60 and a number of useful goodies. You can thank him and download the package from here.
Both devices (v71, v11) were migrated into one kernel tree, so they both use the same source. (In the case of v71 it is a much newer source.)
The whole kernel source was updated from the v55 sources.
Now they are in CWM recovery flashable format, because this package updates the kernel modules too in /system/lib/modules and enables the use of AGPS, and the NTP server setting was corrected. It points to europe.pool.ntp.org instead of the test one. Now my tab finds its position within seconds. With the new kernel it seems to me the touchscreen is much better, but as before I am waiting for the feedback. Other fixes include: touchscreen sensitivity, USB charging etc.
Installation :
download the zip file
copy it to your tab's internal storage
start the tab in clockworkmod recovery
select install zip from sdcard
select the file for your model
install
reboot
and stock kernel for 10" :
stock kernel
Finally, if you want to obtain a dump of boot.img, please consider the following advice, also by mobilx, here:
mobilx said:
It is a mmcblk device not mtdblock
dd if=/dev/block/mmcblk0p8 of=/sdcard/boot_backup.img
dd if=/dev/block/mmcblk0p18 of=/sdcard/recovery_backup.img
ROOTING:
mobilx said:
It is recommended that you skip these steps and proceed to flashing clockwork mod for your respective device from the start using fastboot, and from inside CWM install joe's kernel (or custom rom), which you can find below. Joe's kernels and rom already come with significant updates to stock Vodafone systems, and are pre-rooted.
We will use superboot to root. What does superboot do? It puts the SU binary in place and makes an 'insecure' kernel to be loaded temporarily onto the device through ADB remount. So its only purpose is to make ROOT. After execution, you will still be on the stock kernel, only with root privileges.
This method is for the advanced users only who want to have root before we have a fully functional CWM running. With the CWM the root method will be easier.
IMPORTANT!
At this point we have no way to repair a broken device to a factory state. We can unroot and that is it. It is advisable to make a dump of your ROM before making any changes to the system. We are not responsible for any damage that can occur in the root process and after that.
What will you need?
--> Download Fastboot+Superboot.img from here.
--> Install ADB through the SDK, download from here, although the ADB included with the ZTE drivers should also work.
--> Install the ZTE drivers, you can find them here, although they should already be included on your device when first mounting it.
--> don't forget to enable USB debugging in the tablet's application settings.
--> Put the fastboot.exe and the superboot.img files in the working directory you will be running adb from (default should be at "C:\Program Files\ZTE Handset USB Driver").
--> Open a Command Line (Start Menu > Run > CMD) and navigate to the working directory. (Use "cd C:\Program Files\ZTE Handset USB Driver" or alter the path accordingly).
--> Write the following commands within the command line:
--> adb reboot bootloader
--> fastboot boot superboot.img
--> The device should now boot with the Superuser.apk installed and SU in the /system/xbin/su, as well as allowing you adb root commands. Now run the following:
--> adb remount
--> adb shell
--> ln -s /system/xbin/su /system/bin/su
--> You can now exit the ADB shell and reboot the tablet.
--> Install busybox from the market and check the SU binary version with the Superuser.apk - try to update. If it succeeds, you are done.
Credits:
sangemaru
utkanos
PaulOBrien from modaco and his superboot solution
Reserved for future posts
I have ZTE V11A aka Vodafone Smart Tab 10 in my possession
I'm very interested in obtaining root for this device, so if I can be of any help, please let me know.
I hope that this device will gain more popularity in the near future, because of its excellent hardware and low price.
Is there any progress going on with rooting this device?
P.S. Two more questions,
Has anyone found where to buy 40pin to hdmi cable/connector? (because you don't get one in the box)
Does any of you experience clock drift with your device after some time, mine is drifting forward about 20min per day with no automatic Network Sync.
Thank you.
assdksl said:
I have ZTE V11A aka Vodafone Smart Tab 10 in my possession
I'm very interested in obtaining root for this device, so if I can be of any help, please let me know.
I hope that this device will gain more popularity in the near future, because of its excellent hardware and low price.
Is there any progress going on with rooting this device?
Currently, me and mobilx are trying to put aside time to either:
obtain a dump of the boot.img that we can inject su and superuser.apk into;
compile the source code into a flashable rom that we can inject su and superuser.apk into;
get clockworkmod working on the device;
Due to time constraints, I haven't made much headway this week, but I'm taking a couple of days off work and hope to make some progress.
P.S. Two more questions,
Has anyone found where to buy 40pin to hdmi cable/connector? (because you don't get one in the box)
Does any of you experience clock drift with your device after some time, mine is drifting forward about 20min per day with no automatic Network Sync.
Thank you.
Haven't looked for it, but so far accessories for this line of devices seem to be lacking. With the popularization by Vodafone and the launch of the new Sprint V55 and similar tablets, these accessories should become more popular.
I haven't had any problems with the time on my device, sounds really weird.
assdksl said:
Does any of you experience clock drift with your device after some time, mine is drifting forward about 20min per day with no automatic Network Sync.
Clock drift is happening due to the network-provided time setting. I'm not sure what is causing this. It could be related to the Vip network or a failure of a process which obtains time from the network. If you want this not to happen, just untick that option in settings.
Thank you both for quick answering my questions.
mobilx said:
Clock drift is happening due to the network-provided time setting. I'm not sure what is causing this. It could be related to the Vip network or a failure of a process which obtains time from the network. If you want this not to happen, just untick that option in settings.
Yes, indeed, but when I untick sync with network-provided time, the clock ticks faster than it should.
It seems that the clock chip on my device is not calibrated well, or there is some other bug; it seems to be a HW issue. This is explained a little more here:
http://blogs.keynote.com/mobility/2...wrist-watch-android-doesnt-keep-the-time.html
It seems that I was unfortunate and got a device with a bad clock; also, without root I'm unable to use the ClockSync app that would solve my problem.
But what is bugging me, is the fact that I also have SGS I9000, and it is synchronizing with Vip network just fine.
Mobilx, are you experiencing the time drift issue with network-provided time sync, but with manual time settings it works fine?
sangemaru said:
Currently, me and mobilx are trying to put aside time to either:
obtain a dump of the boot.img that we can inject su and superuser.apk into;
compile the source code into a flashable rom that we can inject su and superuser.apk into;
get clockworkmod working on the device;
Due to time constraints, I haven't made much headway this week, but I'm taking a couple of days off work and hope to make some progress.
I am a software developer, and I have some Android programming knowledge, but I'm not very experienced with Linux and compiling flashable ROMs. I can try, though. In any case, if I can help, just let me know.
assdksl said:
Mobilx, are you experiencing the time drift issue with network-provided time sync, but with manual time settings it works fine?
Yes, it happened to me once. First I unticked the network-provided time sync, and after a restart I ticked it again. The clock has been fine since then.
assdksl said:
I am a software developer, and I have some Android programming knowledge, but I'm not very experienced with Linux and compiling flashable ROMs. I can try, though. In any case, if I can help, just let me know.
Well, so far what possible leads we have that I can think of are these:
mobilx suggested this thread http://forum.xda-developers.com/showthread.php?t=443994 for packing/unpacking boot.img
to quote Alterbridge of Team Overcome: "I presume the ZTE tablet uses boot.img format for its kernels, in which case you can extract the initramfs using mkbootimg (there are a number of scripts floating around). from there you can modify whatever you want in the initramfs and then repackage the boot.img and be on your way."
eldarerathis gave me some more instructions: "You basically need to extract the ROM's zip and add su/Superuser in the proper folders (su in /system/bin, Superuser in /system/app). You'll probably also have to look at the updater-script and add something to give su executable permission. It's usually something like 'set_perm(0, 0, 6755, "/system/bin/su");' that you need to add. The updater-script should be in the zip under /META-INF somewhere."
These are some of the useful bits of advice I received that could probably be put to good use when I have some free time. If you feel that anything is helpful, feel free to try it out.
sangemaru said:
Well, so far what possible leads we have that I can think of are these:
mobilx suggested this thread http://forum.xda-developers.com/showthread.php?t=443994 for packing/unpacking boot.img
to quote Alterbridge of Team Overcome: "I presume the ZTE tablet uses boot.img format for its kernels, in which case you can extract the initramfs using mkbootimg (there are a number of scripts floating around). from there you can modify whatever you want in the initramfs and then repackage the boot.img and be on your way."
eldarerathis gave me some more instructions: "You basically need to extract the ROM's zip and add su/Superuser in the proper folders (su in /system/bin, Superuser in /system/app). You'll probably also have to look at the updater-script and add something to give su executable permission. It's usually something like 'set_perm(0, 0, 6755, "/system/bin/su");' that you need to add. The updater-script should be in the zip under /META-INF somewhere."
Thank you, I will do some reading for a start.
Are we sure that the bootloader is unlocked?
sangemaru said:
Currently, me and mobilx are trying to put aside time to either:
obtain a dump of the boot.img that we can inject su and superuser.apk into;
compile the source code into a flashable rom that we can inject su and superuser.apk into;
get clockworkmod working on the device;
Did you consider getting ClockworkMod working in more detail? Is it simpler than the above method?
I have found this article about porting ClockworkMod to new devices; I have only read it briefly...
http://www.koushikdutta.com/2010/10/porting-clockwork-recovery-to-new.html
assdksl said:
Thank you, I will do some reading for a start.
Are we sure that the bootloader is unlocked?
Did you consider getting ClockworkMod working in more detail? Is it simpler than the above method?
I have found this article about porting ClockworkMod to new devices; I have only read it briefly...
http://www.koushikdutta.com/2010/10/porting-clockwork-recovery-to-new.html
That's fine. We have a dev utkanos who agreed to build the CWM for our device. He is very experienced in this stuff. The only way to build a proper CWM is to get a boot.img dumped or extracted from a leaked ROM.
So what we need to do:
Get root via some exploit (there is none for 3.2 HC yet), dump boot.img and build CWM, flash CWM with fastboot, or
Find a leaked ROM, extract boot.img, build CWM, flash CWM with fastboot, root the device with an update.zip
Yes, fastboot is working and the bootloader is unlocked.
I have tried these exploits so far:
GingerBreak
psneuter
zergRush
Also I have tried:
Acer iconia 100 method ADB
Acer iconia 500 method
All ideas are welcome.
Ladies and gentlemen, the ROOT is here. The device is successfully rooted with the superboot method.
Thanks to my friend sangemaru who made this possible.
Expect CWM soon. utkanos is working on it.
Need some testing, before this goes to public
That's great news mobilx! Looking forward to a root and ICS sometime in the future
Congrats guys, nice work and many thanks from all users.
This is the beginning of a beautiful friendship with the SmartTab.
We expect nice custom ROMs and maybe, in a short time, an ICS ROM for this excellent tablet.
If I or we (other members) can help with something, please let us know. I don't know programming, but I can use Paint (just kidding).
Jeeej!!! I'm looking forward to it!
OK, let's roll
While we are waiting for CWM to be built, we can root the ZTE V11A/V71A aka Vodafone SmartTab 10/7 with superboot.
What does superboot do? It puts the SU binary in place and loads an 'insecure' kernel temporarily on the device (ADB remount). Its only purpose is to get ROOT. After a reboot you are on your old kernel, but with root.
This method is for advanced users only who want to have root before we build CWM. With CWM the root method will be easier.
IMPORTANT!
At this point we have no way to repair a broken device to a factory state. We can unroot and that is it. It is advisable to make a dump of your ROM before making any changes to the system. We are not responsible for any damage that can occur in the root process or after it.
What do we need?
ADB installed through the SDK
ZTE drivers installed --> debugging ticked in options
fastboot + superboot.img --> put the files in the adb working dir
>adb reboot bootloader
>fastboot boot superboot.img
Device should boot with Superuser.apk installed and SU at /system/xbin/su.
>adb remount
>adb shell
#ln -s /system/xbin/su /system/bin/su
Install busybox from the market and check the SU binary version with the Superuser.apk - try to update. If it succeeds you are done.
#exit
$exit
>adb reboot
Device will reboot with the stock kernel but rooted.
Credits:
sangemaru
utkanos
PaulOBrien from modaco and his superboot solution
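The superboot flow from the post above, written out as checked shell functions. This is an added example and not mobilx's or PaulOBrien's tooling: it assumes adb and fastboot are on PATH, that superboot.img sits in the working directory (or is named by SUPERBOOT_IMG), and that USB debugging is on. It adds the two checks the post leaves to the reader: that /system/xbin/su really exists before the symlink is created, and that `su -c id` still reports uid 0 after the reboot back into the stock kernel.

```shell
#!/bin/sh
# Added example (not mobilx's or PaulOBrien's tooling): the superboot root
# flow for the ZTE V11A/V71A as checked functions.
# Assumptions: adb and fastboot on PATH, superboot.img in the working
# directory (override with SUPERBOOT_IMG), USB debugging enabled.

SUPERBOOT_IMG="${SUPERBOOT_IMG:-superboot.img}"

# True when a line of `id` output reports uid 0, e.g. "uid=0(root) gid=0(root) ...".
is_root_id() {
    case "$1" in
        "uid=0("*|"uid=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a command on the device and print its output. Old adb builds return
# 0 regardless of the remote exit status, so the status is carried back in
# an "__rc=" marker and checked here; CRs from the device pty are stripped.
device_sh() {
    out=$(adb shell "$1; echo __rc=\$?" | tr -d '\r')
    rc=${out##*__rc=}
    printf '%s' "${out%__rc=*}"
    [ "$rc" = "0" ]
}

# Step 1: boot the insecure kernel from RAM; nothing is flashed.
boot_superboot() {
    [ -f "$SUPERBOOT_IMG" ] || { echo "missing $SUPERBOOT_IMG" >&2; return 1; }
    adb reboot bootloader &&
    fastboot boot "$SUPERBOOT_IMG" &&
    adb wait-for-device
}

# Step 2: superboot installs su at /system/xbin/su; link it into
# /system/bin for apps that only look there. `adb remount` only succeeds
# on the insecure kernel, so this must happen before rebooting.
link_su() {
    adb remount || return 1
    device_sh 'test -x /system/xbin/su' >/dev/null || { echo "no su in /system/xbin" >&2; return 1; }
    device_sh 'ln -sf /system/xbin/su /system/bin/su' >/dev/null
}

# Step 3: back on the stock kernel, prove that su still grants uid 0.
verify_root_after_reboot() {
    adb reboot && adb wait-for-device || return 1
    idline=$(device_sh 'su -c id') || return 1
    is_root_id "$idline"
}

main() {
    boot_superboot && link_su && verify_root_after_reboot &&
        echo "rooted on the stock kernel: $idline"
}

# Run the flow only when asked; sourcing the file just defines the functions.
if [ "${RUN_SUPERBOOT:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `RUN_SUPERBOOT=1 sh superboot-root.sh`; without that variable the file only defines the functions, which is what lets each step be exercised against a stubbed adb before touching a real tablet.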
Thx mobilx! Thanks!
All it's OK
It's also working on the V71A... LOL
10x man
urs71 said:
It's also working on the V71A... LOL
10x man
I can also confirm this works on the 7 inch.
urs71 said:
It's also working on the V71A... LOL
10x man
jakaka said:
I can also confirm this working on 7 inch
That is great, guys. sangemaru will be very happy because he owns a V71A.
So you can confirm that it boots and the touchscreen works? That means the kernel is the same for those two variants.
V71A
YES, all works perfectly... setcpu, blackmart, root uninstaller, lucky patcher, etc.
The only difference between the V11A and V71A is the size of the display.
We are waiting for CWM... 10x again
v71a
Here's how I got my zte maven 2 (ATT) rooted.
Disclaimer: This method worked for me but may not work for others, I am not responsible if your device is bricked as a result of this. Also, this method does seem to be a bit finicky and inconsistent.
I rooted this phone twice, and it took about 15-20 tries each time for it to finally work. This is not a root you can do in 5 minutes (unless you are extremely lucky). Plan to set aside an hour or two, and a lot of patience, if you want this to work.
Credit to @madvane20 his post here helped me get root for this phone. He also got his phone rooted before I did, be sure to give him thanks.
Credit to @ZTE Girl for finding a way to remove ads from King root and keeping perm root.
With KingRoot you can get perm root, but personally I hate KingRoot, so at the end there is a method to replace KingRoot with SuperSU. Unfortunately SuperSU root resets on reboot, but a quick 10 second adb command will re-root your phone with SuperSU.
Edit: @ZTE Girl found that using lucky patcher to remove ads from King root worked for her and kept permroot.
Step 1: Enable USB debugging on your phone, and download adb and ZTE drivers to your PC.
2: Download KingRoot from KingRoot.net (download the apk for android)
3: Connect your phone to ADB, and run this command in a terminal: adb shell. Make sure you get no errors and accept any USB debugging requests.
4: Now type reboot disemmcwp. This will reboot your phone without write protection.
5: When your phone reboots, run adb shell again, and install the KingRoot APK. Google will give you a warning about this app being unsafe; install it anyway.
6: Now, here's the finicky part: sometimes KingRoot works, sometimes it doesn't; you just have to keep trying. Make sure your phone is still connected to the computer through adb shell, and then click Try Root in KingRoot. While KingRoot is attempting to get root, in adb shell keep typing su and pressing enter. Just spam this. It will keep giving errors, but eventually it (should) work. Make sure to accept any prompts on your device while you do this.
7: When you are able to successfully get into su, wait a bit, just to make sure your device doesn't restart.
8: Now type getprop ro.product.name; the response should be Z831
9: Now type setprop persist.sys.k Z831, then type getprop persist.sys.k It should say Z831
10: Now type cd /dev/block/platform/soc.0/7824900.sdhci/by-name/
11: Then type dd if=recovery of=/sdcard/recovery.img. This will back up your recovery; I highly recommend that you copy the backup to your computer in case something goes wrong.
12: Now type dd if=boot of=recovery; this will write boot to recovery. This part can be risky. It worked for me, but if it bricks your device, you can't say I didn't warn you. With that said, don't let that scare you away from finally rooting this device and getting all the advantages that come with it.
13: Now type reboot recovery. Your device may black-screen and not boot after this; personally mine did, and I fixed it by removing the battery, and after putting it back in, it booted normally.
14: When your phone boots up, type adb shell again, and then type su
15: Type id; the response should be "uid=0(root) gid=0(root) context=u:r:shell:s0". Note: I don't think my uid showed when I did this; if yours doesn't show, don't worry, it should work fine.
16: Now type setenforce 0
17: After that, type getenforce, it should respond back with "permissive"
18: To test if system is writable, type mount -o remount,rw /system. If you get no errors, everything is working; if you get an error, type reboot disemmcwp and then try to mount system RW again.
19: I would recommend removing the update service now, so an update doesn't come and screw up your root.
20: Read this: now you should have perm root with KingRoot. However, as you will soon find, KingRoot has a ton of ads and can get very annoying. So, if you want SuperSU and no KingRoot, keep reading. If you want to keep KingRoot, then you are done; have fun with your rooted Maven 2.
Edit: @ZTE Girl found that you can use lucky patcher to remove ads from Kingroot while still keeping permroot.
21: Download the KingToSuperSu zip in attachments, I have modified it slightly from the original zip so it works better. You will see a folder inside the zip named "mrw" copy this folder to the root of your /sdcard (must be copied to the root of /sdcard)
22: Now go into adb shell again, and then type su
23: Type mount -o remount,rw /system
24: If you get no errors, simply type sh /sdcard/mrw/root.sh. You will see a lot of errors in the script; no need to worry. Now you should have SuperSU. Note: sometimes you get a notification saying "com.eu.chainfireSuperSu has stopped" or something like that; run the command again and it should work.
25: SuperSU will say the binary needs to be updated, but the update always fails; however, you can click no thanks and it will work fine.
26: SuperSu root will go away after you reboot, however, to get root back, simply type adb shell (while connected to your computer of course) then su and then sh /sdcard/mrw/root.sh and just like that, you're rooted again. Note: I couldn't get this to work in a terminal emulator, and it would only work in adb shell for me.
Edit: If you want stock recovery back, run this command in adb shell with su: dd of=recovery if=/sdcard/recovery.img. I haven't tested this, and it might unroot/brick your device. This is at your own risk.
This guide was long and complicated, sorry for that, if you need any help, just ask me and I will try to help the best I can.
If this guide helped, please click thanks; it means a lot to me.
Proof: http://imgur.com/a/zecyU
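The partition steps of the guide above (8, 10-13, 16-18 and the recovery-restore edit) as checked shell functions. This is an added example, not XCnathan32's guide or madvane20's batch file: it assumes adb is on PATH, that KingRoot has already put a working `su` on the device, that the device's toybox provides md5sum, and the by-name path from the guide (BYNAME can be overridden). What it adds is verification around the destructive dd: the recovery backup is hashed against the partition before boot is written over it, and the write is hashed afterwards, so a short or silently failed dd is caught before `reboot recovery`.

```shell
#!/bin/sh
# Added example (not XCnathan32's guide or madvane20's batch file): the
# partition steps of the Maven 2 root as checked functions.
# Assumptions: adb on PATH, a KingRoot `su` already working on the device,
# toybox md5sum present, and the by-name path from the guide (override
# BYNAME on other layouts).

BYNAME="${BYNAME:-/dev/block/platform/soc.0/7824900.sdhci/by-name}"
BACKUP="${BACKUP:-/sdcard/recovery.img}"
PRODUCT="${PRODUCT:-Z831}"

# Run one command as root on the device, stripping the CRs older adb
# builds add to pty output.
su_sh() {
    adb shell "su -c '$1'" | tr -d '\r'
}

# First field of an `md5sum` line ("<32 hex chars>  <path>"); fails on
# error text such as "md5sum: ...: No such file or directory".
md5_field() {
    set -- $1
    h=$1
    [ "${#h}" -eq 32 ] || return 1
    printf '%s\n' "$h"
}

dev_md5() {
    md5_field "$(su_sh "md5sum $1")"
}

# Step 8: the by-name path is specific to this SoC layout, so refuse to
# touch partitions on anything but the expected product.
check_product() {
    [ "$(adb shell getprop ro.product.name | tr -d '\r')" = "$PRODUCT" ]
}

# Steps 10-11: dump recovery and prove the copy matches the partition
# before anything is overwritten. Prints the backup's md5 on success.
backup_recovery() {
    su_sh "dd if=$BYNAME/recovery of=$BACKUP" >/dev/null
    src=$(dev_md5 "$BYNAME/recovery") || return 1
    dst=$(dev_md5 "$BACKUP") || return 1
    [ "$src" = "$dst" ] || return 1
    printf '%s\n' "$src"
}

# Step 12: write boot over recovery, then confirm the two partitions hash
# the same so that "reboot recovery" really boots the normal system.
copy_boot_to_recovery() {
    su_sh "dd if=$BYNAME/boot of=$BYNAME/recovery" >/dev/null
    want=$(dev_md5 "$BYNAME/boot") || return 1
    [ "$(dev_md5 "$BYNAME/recovery")" = "$want" ]
}

# The guide's untested restore edit, with the same post-write check.
restore_recovery() {
    want=$(dev_md5 "$BACKUP") || return 1
    su_sh "dd if=$BACKUP of=$BYNAME/recovery" >/dev/null
    [ "$(dev_md5 "$BYNAME/recovery")" = "$want" ]
}

# Steps 16-18: SELinux permissive, then remount /system and read the
# mount table back rather than trusting mount's exit status.
make_system_rw() {
    su_sh "setenforce 0" >/dev/null
    [ "$(su_sh getenforce)" = "Permissive" ] || return 1
    su_sh "mount -o remount,rw /system" >/dev/null
    su_sh 'grep " /system " /proc/mounts' | grep -q ' rw[, ]'
}

main() {
    check_product || { echo "ro.product.name is not $PRODUCT, refusing" >&2; return 1; }
    h=$(backup_recovery) || { echo "recovery backup failed verification" >&2; return 1; }
    echo "recovery backed up to $BACKUP (md5 $h); copy it off the device now"
    copy_boot_to_recovery || { echo "recovery does not match boot after dd" >&2; return 1; }
    adb shell reboot recovery
    adb wait-for-device
    make_system_rw || { echo "/system is still read-only" >&2; return 1; }
    echo "permissive root shell, /system writable"
}

if [ "${RUN_MAVEN_ROOT:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `RUN_MAVEN_ROOT=1 sh maven2-partitions.sh` once KingRoot's `su` works; `restore_recovery` is left out of `main` on purpose, since the guide keeps boot in the recovery slot until perm root is confirmed.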
btw, an easy way to get rid of ads: disable the charging thing in King settings and use AdAway. It's what I did on the Warp 7.
carrier iq
This phone has Carrier IQ. I was able to get temp root without write using KingRoot, so I was able to delete/disable apps and also remove Carrier IQ with the guide you can find on the androidexplained website. I could not actually delete the files in the last two steps, but it seemed to work anyway. This is my first post so I can't put links.
Question 1: I don't like typing because I make stupid mistakes, but I'm assuming I could put all your commands in individual batch files ending with a pause on each, and prefix all your commands with "adb.exe shell su". That way I could stop and see what happened and then continue.
Question 2:
dd if=recovery of=/sdcard/recovery.img
seems to mean copy the boot partition to an image file on the internal SD card. Am I correct?
and
dd if=boot of=recovery
seems to mean overwrite the boot partition with an image (file)?
If so, what image file?
Sorry, I'm new to all this; I guess I probably don't have enough confidence to do this. My Z831 works very well without all the bloat anyway. And yes, I understand the risks if I do decide to proceed anyway. I have three $10 and $20 phones that are not bricked, but I forgot to re-enable the system apps before I removed root and reset, so they might as well be bricked because they can't do anything after they boot.
BTW, you mentioned in one step to wait, to see if it reboots, to see if it is stable before continuing:
For me, I remember that either having too many apps running or stopping too many system apps seemed to make this Z831 unstable and reboot while it had temp root.
Last question: do I need to start the process as you said while KingRoot is in the process of rooting, or can I wait till it is finished getting its root?
duane2064 said:
This phone has Carrier IQ. I was able to get temp root without write using KingRoot, so I was able to delete/disable apps and also remove Carrier IQ with the guide you can find on the androidexplained website. I could not actually delete the files in the last two steps, but it seemed to work anyway. This is my first post so I can't put links.
Question 1: I don't like typing because I make stupid mistakes, but I'm assuming I could put all your commands in individual batch files ending with a pause on each, and prefix all your commands with "adb.exe shell su". That way I could stop and see what happened and then continue.
Question 2:
dd if=recovery of=/sdcard/recovery.img
seems to mean copy the boot partition to an image file on the internal SD card. Am I correct?
and
dd if=boot of=recovery
seems to mean overwrite the boot partition with an image (file)?
If so, what image file?
Sorry, I'm new to all this; I guess I probably don't have enough confidence to do this. My Z831 works very well without all the bloat anyway. And yes, I understand the risks if I do decide to proceed anyway. I have three $10 and $20 phones that are not bricked, but I forgot to re-enable the system apps before I removed root and reset, so they might as well be bricked because they can't do anything after they boot.
BTW, you mentioned in one step to wait, to see if it reboots, to see if it is stable before continuing:
For me, I remember that either having too many apps running or stopping too many system apps seemed to make this Z831 unstable and reboot while it had temp root.
Last question: do I need to start the process as you said while KingRoot is in the process of rooting, or can I wait till it is finished getting its root?
I have a batch script I made for the Warp 7 that I think will work for this phone, but I never posted any of it because he released the guide first, so I told him to keep it. And no, the boot to recovery overwrites recovery with the boot image from boot; then, after everything has perm root, you can flash the recovery back to recovery. Do we need a batch script? No. Do we need to mess with other files, risking a brick? No. KingRoot is fine until we can find a way to get access to the bootloader for fastboot as well as get a TWRP built for the phone. There are ways to make KingRoot not as annoying: an ad blocker, disabling notifications from KingRoot, and disabling the fast charging lock screen. But you're more than welcome to tamper; just be aware that if you brick your phone in the process there's no fix. As well, if it makes it easier for people, I will write a batch script that walks them through the process with the pauses and shows them what it does so they can learn for future purposes, but I mean, the guide's pretty simple.
Wait, is this thread Maven or Maven 2?
Step 9 is different from yours, why?
Question for madvane20
XCnathan32's step 9: "Now type
setprop persist.sys.k Z831
BUT in your bat file:
adb.exe shell su
setprop ro.product.name Z831
of course swapping out ZTE_BEAM for Z831
is one better than the other or should they both be done?
Yeah, I think I need to maybe fix the bat, but I'm working on stuff atm; got RL stuff I'm busy with. But once I'm done I will finish a bat for the Warp 7 and one for this phone. But yes, you swap the name of the phone out for what phone you have.
The Warp 7 has a different name etc., so yeah, the Warp 7 post is different. I'm trying to work on everything as well as keep working on my Huawei Ascend XT, as well as real life stuff.
Question for madvane20: I'm sorry, I meant persist.sys.k OR setprop ro.product.name; this is the discrepancy in the two instructions.
Did you read the guide for the ZTE Maven 2 and also look at the guide for the Warp 7? You will see the difference; it just takes you to read them, then you shouldn't have any questions.
is this syntax correct, before i try it?
batch.txt:
https://dl.xda-developers.com/4/2/2/0/4/0/3/batchfiles.txt?key=NgPk58hMrJO5QXnvDcnCPw&ts=1500762566
If anyone wants to ask me questions, just PM me or get ahold of me on Hangouts; I'm listed as dav ril or madvane20.
I have used Wugfresh's NRT with my previous Nexus devices with stellar results, and I downloaded ADB to try your guys' method with a Z831. However, I need to know if this guide is Android version specific. I recently went from 5.1.1 to 7.1.1 in like 3 OTA AT&T updates, so this device is running Nougat. Also, is PIE something new to 7.0? I read somewhere this affects the root process. Why do they have an "Unlock bootloader" option in Dev settings? Can I just run an ADB command to enable write permission to delete 40-50 /system/app .apk's?
Yo OP, I genuinely appreciate you sharing this. I found that everything has worked perfectly. I managed to get perm root and I just tried to install SU, gonna see if it worked. Thanks bro
Sent from my N9519 using Tapatalk
So, is it working? please let me know because i also want to root it.
How do I install adb and ZTE drivers on your computer? Please reply.
379068 said:
So, is it working? please let me know because i also want to root it.
How do I install adb and ZTE drivers on your computer? Please reply.
The ZTE drivers should be on your phone. One of the mount options when you plug in your phone is to install drivers.
This method really works. You can copy your recovery back after; you do not lose root. You are also able to re-root and make it permanent again after a factory reset; it just takes many more exploit attempts. You can also install Xposed through Xposed Installer.
Anybody bought and tried Super-Sume Pro with this phone yet?
Can this be done on other Mavens?
Can you do this on a Maven 3 running nougat?
Is the root method working with ZTE Maven 3?
Anyone tried this on ZTE Maven 3? Got 2 from Bestbuy, would like to have them rooted.
Thanks.
Logos Ascetic said:
Can you do this on a Maven 3 running nougat?
I recently dissected the partition index and firmware structure of the ZTE Maven 3, in hopes of discovering a viable root exploit. Because it ships with stock Android Nougat, systemless root via patched boot image would be preferable. But, because the bootloader does not appear to be unlockable by any known method or exploit, systemless root is not currently an option. Accordingly, I focused on the less desirable method of system-mode rooting, which injects the SU daemon and corresponding root binaries to the Android OS by way of the /system partition directly. Again, an obstacle ensued: the stock kernel of the ZTE Maven 3 is secured by AVB 2.0/dm-verity (device mapping), which checks the /system partition for any modifications whatsoever prior to allowing the OS to boot. So, if /system is modified in any way, or so much as mounted r/w, a perpetual boot loop will commence via dm-verity.
So, in short, due to the locked bootloader state and verified boot/device mapping, safely & effectively rooting the stock Android Nougat OS of the ZTE Maven 3 doesn't presently appear to be feasible.
Note: I realize that the OP designated this as a ZTE Maven 2 thread, and I apologize to the OP if I'm off topic. I only addressed the Maven 3 because of the number of questions in the thread.
I have the z831 through at&t. I'm pretty sure I unlocked the bootloader in developer options as nothing would root the phone until I turned it on. Everything worked, but is there a custom recovery or rom?
kingroot.net, even if you choose English, gives you a Chinese app.
Hello XDA!
Samsung has been semi SamPWND again!
Disclaimer:
This root method was developed and tested on the N960U model. This is the only model I have that is a Samsung device. I do have friends and other devs however that have tested this method on various other Samsung devices on both Qualcomm and Exynos chipsets and it has worked on a good number of them meaning this method is not limited to the Note 9. With that being said, due to all the time I have already spent on this and not having any other devices, I will ONLY be supporting the N960U. So do not get upset if I do not respond to you if you have a Samsung A8934839K312 on 7.1 Android (aka a device I have never even heard of before.)
Disclaimer 2:
This root method is mainly for dev's or those who like to tinker and figure things out. The reason I say this is because at this time, you are REQUIRED to be on a factory/combination firmware to mess with the root method. I will ignore any comments/questions for people who do not read this disclaimer and ask me how to root stock etc. as that is what I have been trying to do for over a month now. If you need your phone for work or a daily then I suggest only messing with this root method if you have a lot of spare time since it involves flashing combo firmware at which mobile services and other stuff will not be functional. You have been warned!
Disclaimer 3:
This thread/poc are essentially to get you the ability to use root apps and have a root shell, that is it. If I have time and see some questions that are legit questions I will try to provide help in a timely manner. This POC simply pushes busybox binary from Magisk.zip and SuperSU (the last version chains released before retirement) and installs it in sbin/daemon mode. There is also a way to install MagiskSU in daemon mode as well as ways to install root to /system/xbin for example and do mods such as Xposed that typically need to modify the system partition but that is not the purpose of this thread and these methods are a bit more involved (require modifying the root script as well as setting up bind mounts and other stuff.) Hopefully once this is released and some devs chime in I hope there will eventually be others contributing with various root scripts, install methods etc. and of course HOPEFULLY find a way to write to system/odm/vendor partitions so we can eventually run root on stock!
Disclaimer 4:
I am NOT responsible if you break your phone, wipe your IMEI, hard brick etc. etc.! Also, I spent months to get to this point and already had someone steal my files from AFH (I know, my fault for not hiding them) so please do not take my work as your own. If you want to use it in any way/shape/form just ask for permission and/or give credits in your thread is all I ask! If you are however using someone else's modified files and in here trying to get help I might turn you away (back to the person who provided the modified files) just an FYI!
I think that is enough disclaimers for now!
Note: This thread will most likely be ugly for a bit as I am terrible with making these things look pretty... Hopefully as time goes I will keep improving it or find someone who is trustworthy I can make a "contributor" so they can fix it up for me haha.
Now, Let's Get To It!
Technical Details:
This is sort of a spawn from an exploit I found and reported to Samsung back on the Tab S3 that I never released on XDA. That method (long story short) involved modifying the Persist partition and flashing it in ODIN as ODIN did not check it for integrity. Of course it was patched by Samsung who gave me some $$$ and gave me a shout out on their security bulletin which was pretty cool!
This method is similar to "Persist Root" except we are not flashing any modified partitions in ODIN. Instead, on many Samsung combination firmwares there is an init rc script on /system. If you want to know if your device is compatible a good starting point would be to look for a file called "init.lab.rc" which is typically located at "/system/etc/init/init.lab.rc" like so:
-rw-r--r-- 1 root root u:object_r:system_file:s0 14784 2008-12-31 10:00 init.lab.rc
As it stands, we cannot edit this script. I noticed something cool however when I was reading it one day. Specifically one thing that caught my eye was this:
chmod 777 /data/lab/run_lab_app.sh
There are MANY files and scripts at /data/lab. Luckily, the init.lab.rc sets permissions to "0777" and sets ownership to system on the entire /data/lab directory! If you are still with me, this means all the contents of this directory are world readable/writeable and we can modify any of the files in this DIR without elevated privileges!
Now I am showing the "run_lab_app.sh" script specifically for a reason. We know we can modify any scripts on /data/lab, but how can we execute it with elevated privileges? Going back to the init.lab.rc, if you scroll to the bottom of the rc file you will see this:
service start_abc /system/bin/sh /data/lab/run_lab_app.sh factory abc+
    user system
    group system
    disabled
    oneshot
on property:sec.lab.abc.start=1
    start start_abc
    setprop sec.lab.abc.start 0
Now what that means is, when you set the property "sec.lab.abc.start" to "1" it executes the abc service as system user and more specifically it will start by executing the "run_lab_app.sh" script! Therefore, after you modify the script to your liking, push it to /data/lab/run_lab_app.sh, then do a "setprop sec.lab.abc.start 1" your script will be executed as system user!
Now system obviously is not "root". Now that we can execute as system user we have more attack vectors to elevate privileges even more. Ideally, I remembered how I rooted the Tab S3 about a year ago using Persist partition. As it stands, we are not able to read/write on persist. If we were to set permissions however on /persist using the run_lab_app.sh script, then we can gain access to it! Therefore, one would only need to add this command to the run_lab_app.sh script and execute it using the setprop command:
chmod -R 0777 /persist
As soon as you modify the script, push it and execute the setprop command, it will change permissions on the /persist DIR to be world readable/writeable!
Now, the reason why I like to use Persist, there is a script that is executed by INIT on every reboot automatically (this means it is executed by root!) The script in question is this one "/persist/coresight/qdss.agent.sh." (I am not sure if this script itself is a Qualcomm specific script or not.) Modifying this script has no ill effects on anything from what I have seen.
Now to see how the script is executed you can look in "/vendor/etc/init/hw/init.qcom.test.rc" and you will see some interesting stuff including this:
crownqltesq:/vendor/etc/init/hw # cat init.qcom.test.rc | grep persist
service cs-early-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh early-boot /vendor/bin/init.qcom.debug.sh
service cs-post-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh post-boot /vendor/bin/init.qcom.debug.sh
write /persist/coresight/enable 1
write /persist/coresight/enable 0
crownqltesq:/vendor/etc/init/hw #
As I stated earlier, due to this init script, the qdss.agent.sh script is executed by init context/root user automatically during early boot and post boot. This means once you get everything set up, you won't need to keep reinstalling root (unless you mess something up) on each reboot. This is ideal since we don't have a way yet to modify system/vendor/odm partitions. Think of it as a "systemless" root.
For the POC I have provided in this thread for example, it contains the bare minimum SU files. The files in the attached zip are simple: SamPWND.bat, sampwnd1.sh, sampwnd2.sh, /sampwnd which contains su, sukernel, supolicy, libsupol.so and busybox. The way it works is this:
1) You double click the .bat file and it should do everything for you! The .bat file will:
- Push sampwnd1.sh to /data/lab/run_lab_app.sh
- Execute the lab script by doing "setprop sec.lab.abc.start 1"
- Push sampwnd2.sh to /persist/coresight/qdss.agent.sh
- Push root files in "sampwnd" folder to /persist/coresight/sampwnd
- Set permissions on the files we just pushed to Persist to 0777
- Reboot the device (Note: The .bat file reboots the device at this point since everything is in place to root when the device reboots, it's that simple!)
After the device reboots, you should now be able to use a root shell, and sideloading any root apps will work (apps such as TiBu, Root Explorer, Flashfire etc. etc.)
When the device reboots, the qdss.agent.sh script does the following automatically:
1) Mounts rootfs and sets permissions to 0777 so we can access /sbin
2) Pushes the contents of the root files folder "sampwnd" to /sbin
3) Sets permissions to the files we just moved to /sbin
4) Exports the LIB path to /sbin due to the libsupol.so being needed to patch the sepolicy with supolicy
- The export command is "export LD_LIBRARY_PATH=/sbin"
- Once the script is over and you use another app or go into a shell etc. the LIB path will be gone/reset so you don't need to worry.
5) Patches the sepolicy for SU
6) Installs SU by executing "su --install"
7) Executes the SU daemon by running "su --daemon"
8) Lastly, remounts rootfs back to RO.
As stated earlier, these commands are all automatically executed by init/root each time you reboot the device. Essentially, whatever we put into the qdss.agent.sh script will be executed on boot by init/root. If for some reason permissions are lost, we should still have our lab script and we would only need to run "setprop sec.lab.abc.start 1" to change permissions on persist again!
The initial files I provide today are just a simple root install script. I have successfully used the root script to install MagiskSU, Xposed (using bind mounts to overlay on /system) and other tests. I also at one point made a backup script that backed up all the partitions on the device into a folder which I extracted to my PC for safe keeping, you get the picture! Once you have root however, you can do these things easier as you will have root access.
Now that you know the workings of the exploit (err exploits?) I will explain briefly what is needed and how to test it.
Pre-requisites:
1) Download links will be in 2nd post.
2) For the purpose of this thread and the only device I personally have, you should have a N960U/U1/W on a rev1 bootloader (there isn't a rev2 BL yet so most should be good to go.)
3) A vulnerable Combo Firmware. I linked the one I use in Post 2. I use 1ARG4 Factory/Combo firmware. Of course you will need ODIN to flash the combo.
4) The root files/7z linked in post 2.
5) Stock firmware for when you are done playing, testing, etc. etc.
6) Almost forgot, you will need ADB. I will not go into details on this, if you don't have a working ADB Google is your friend. I recommend setting it to your path so you can use ADB from anywhere on the PC.
Install Instructions:
1) Extract the root files 7z into a DIR of your choice.
2) Flash whichever vulnerable combo firmware you are using via ODIN.
3) Once it boots up, make sure your device is seen by adb by running "adb devices"
4) Double click the .bat file.
5) That's it! Your device will reboot and you should be rooted!
If for some reason it is not working and you are on a N960U/U1/W, there could be a number of reasons. If you are not using the 1ARG4 combo I linked then it's possible the combo you are using is not vulnerable. It could also be an issue with ADB. Sometimes if things get crazy throughout your testing you might need to reflash /persist in ODIN or reflash the combo firmware in ODIN then re-run the .bat file (I only experience this typically when I get crazy with the root script and end up losing permissions to everything or something I added in the root script is causing the device to boot-loop etc. etc.)
Now donations are not required but feel free to throw me some beer money if you want! My paypal email/link is in a few places, you shouldn't have any trouble finding it!
TELEGRAM GROUP IS COMING REAL SOON!
We will use the TGRAM to provide support, ideas, share scripts/files and HOPEFULLY, we can all figure out together how to turn this into rooting the stock firmware as this is the goal and will be the primary focus of the chat!
Credits:
@samsung - for letting us PWND them time and time again!
@chainfire - SuperSU of course
@topjohnwu - MagiskSU of course
@me2151 - For all the time and help he is going to be putting in with us! Such a great guy! lol
@jrkruse - For everything! Everything from EDL support, ROM support, Root support you name it!
@partcyborg - For also spending countless hours helping answer questions in here so I don't have to hahah
@mweinbach - He writes great articles for XDA! He is a good kid who gets his hands on cool things frequently
@mysecretfriendfromfaraway - I will not name him haha, he knows who he is. He always helps out and gets great things!
XDA:DevDB Information
SamPWND N960U Root, Tool/Utility for the Samsung Galaxy Note 9
Contributors
elliwigy
Version Information
Status: Testing
Created 2019-05-05
Last Updated 2019-05-05
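The weakness the post walks through is an init service whose script lives on a writable partition (/data/lab, /persist) and that init starts as system or root. The following is an added audit example, not code from the thread or from the SamPWND package: it parses the `service` / `on` stanzas of an .rc file and flags services that execute anything from writable storage, so a firmware image can be checked for this class of misconfiguration before it ships. The sample rc text is constructed from the two stanzas quoted above; the parser handles only the subset of the init grammar those stanzas use.

```python
"""Audit Android init .rc stanzas for services that run code from writable storage.

Constructed example: SAMPLE_RC is modelled on the init.lab.rc and
init.qcom.test.rc lines quoted in the thread; the parser covers only the
'service' / 'on' subset of the init grammar that those stanzas use.
"""

# Locations an unprivileged (shell/app) or low-privileged (system) process can
# normally write to on a combination firmware. A service whose executable or
# script argument lives here lets whoever can write the file run code as the
# service's user, which is the weakness the thread describes.
WRITABLE_PREFIXES = ("/data/", "/persist/", "/cache/", "/sdcard/")

SAMPLE_RC = """\
# modelled on /system/etc/init/init.lab.rc
service start_abc /system/bin/sh /data/lab/run_lab_app.sh factory abc+
    user system
    group system
    disabled
    oneshot

on property:sec.lab.abc.start=1
    start start_abc
    setprop sec.lab.abc.start 0

# modelled on the grep of /vendor/etc/init/hw/init.qcom.test.rc; the thread
# shows only the service line, so no options are assumed here (no 'user'
# line means init runs it as root)
service cs-early-boot /vendor/bin/sh /persist/coresight/qdss.agent.sh early-boot /vendor/bin/init.qcom.debug.sh

# control case (constructed): binary on the read-only /system partition
service logd /system/bin/logd
    user logd
"""


def parse_rc(text):
    """Return ({service_name: service_dict}, [trigger_dict]) for the given rc text."""
    services, triggers = {}, []
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "service" and len(words) >= 3:
            # init defaults to root:root when no user/group option is given
            current = {"name": words[1], "exec": words[2], "args": words[3:],
                       "user": "root", "group": "root", "options": []}
            services[words[1]] = current
            kind = "service"
        elif words[0] == "on" and len(words) >= 2:
            current = {"trigger": " ".join(words[1:]), "commands": []}
            triggers.append(current)
            kind = "on"
        elif kind == "service":
            if words[0] in ("user", "group") and len(words) == 2:
                current[words[0]] = words[1]
            else:
                current["options"].append(line)
        elif kind == "on":
            current["commands"].append(words)
        # lines before the first stanza (e.g. 'import') are ignored
    return services, triggers


def audit(text):
    """List services that execute anything from WRITABLE_PREFIXES, together with
    the triggers that start them and the user they run as."""
    services, triggers = parse_rc(text)
    started_by = {}
    for trig in triggers:
        for cmd in trig["commands"]:
            if cmd[0] == "start" and len(cmd) == 2:
                started_by.setdefault(cmd[1], []).append(trig["trigger"])
    findings = []
    for name, svc in services.items():
        paths = [p for p in [svc["exec"], *svc["args"]] if p.startswith(WRITABLE_PREFIXES)]
        if paths:
            findings.append({
                "service": name,
                "user": svc["user"],
                "writable_paths": paths,
                "started_by": started_by.get(name, []),
                # without 'disabled' a service is started with its class,
                # i.e. on every boot, even with no property trigger
                "runs_on_boot": "disabled" not in svc["options"],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RC):
        print(f"{f['service']}: runs as {f['user']}, executes {f['writable_paths']}, "
              f"started by {f['started_by'] or 'class start'}")
```

Run it over every .rc under /system/etc/init and /vendor/etc/init of an extracted image; any finding that runs as root or system with no property gate is the condition the post relies on.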
Due to the disrespect of certain members I will no longer share the tutorials.
This tutorial is not working for Version 7.
An error message is displayed and the R/O cannot be released.
I have reported the error in the original thread.
I'm not very good at English.
PEACH-PIT said:
This tutorial is not working for Version 7.
An error message is displayed and the R/O cannot be released.
I have reported the error in the original thread.
I'm not very good at English.
Try and see if @munjeni has V2. That's what I used and it's working fine. He started having problems after that with V3 and onward. I personally have not tried V7.
It is not possible to try v2.
You should not try v3 or earlier, as they have serious errors.
I reported the error and got v9, but never got the r/w.
This tutorial is not working.
So far, I can't get r/w on moto g 5g.
PEACH-PIT said:
It is not possible to try v2.
You should not try v3 or earlier, as they have serious errors.
I reported the error and got v9, but never got the r/w.
This tutorial is not working.
So far, I can't get r/w on moto g 5g.
Here are the files I used of V2. While I did not have an error (and still using my phone) please use this at your discretion and your risk. You will be able to achieve R/O access following my guide with this.
https://forum.xda-developers.com/t/script-android-10-universal-mount-system-read-write-r-w.4247311/
"moto g 5g" can use makeSystemRW v1.31.
It must be used in conjunction with makesysrw_repair.
makesysrw_repair requires linux.
The size option will not work if it is too large or too small.
You need to specify an appropriate size.
Please adjust it by yourself.
I got the right result with 20mb.
adb shell
su
chmod +x /data/local/tmp/makesysrw_1.31/makesysrw.sh
setenforce 0
./data/local/tmp/makesysrw_1.31/makesysrw.sh size=20
https://forum.xda-developers.com/t/...t-system-read-write-r-w.4247311/post-84914345
Perhaps this will eliminate the need for makesysrw_repair.
However, you will need an sd card.
adb shell
su
chmod +x /data/local/tmp/makesysrw_1.31/makesysrw.sh
setenforce 0
cd /data/local/tmp/makesysrw_1.31
./makesysrw.sh size=20 out=/external_sd/super.img
Articul8Madness said:
Update: I used Version 2 with no problems. According to @munjeni there are BIG DANGEROUS ISSUES with Version and newer. Starting at V7 there are clone issues. I have tried Version 9 and had those issues.
Using the V2 method you will be able to delete and remove files. The ability to resize the partitions has not been achieved, so you will be at the mercy of the space limitations in the partition.
This tutorial is for people like me that after rooting the Moto One 5G Ace XT-2113 (MetroPCS Qualcomm Variant) running on stock Android 10 discovered that their root did not grant them Write Access to system files. Starting with Android 10, a new System As Root protocol prohibits users from accessing all of their files due to Dynamic Partitions and being formatted to EXT4_FEATURE_RO_COMPAT_SHARED_BLOCKS, effectively making root useless. You can read about that here:
https://twitter.com/i/web/status/1170404631865778177
Rest not, a method has been made!
Follow the following at your own risk! I am not responsible for any mishaps with your devices and neither is @munjeni. I also don't know if this will work on other variants, as I only have tried this method on the RETUS and RETEU stock firmware. Also, this will NOT obviously work for Verizon, AT&T, and Cricket phones or other mobile carriers that lock their bootloaders.
I want to thank a couple of people for their big beautiful brains and hard work in figuring this out. First, all the love in the world goes out to @lebigmac. This beautiful soul and I have been back and forth a week trying to get something going on the Moto. I thank him for his patience, his genius, and his tenacity to hang in there with my device even after I threatened a bunch of times to go to Apple and be done with this new cumbersome lockdown AndroidOS. He gave the hope as his method has worked on Asus and Xiaomi variants. It has been an honor to be on his beta test team.
Last, but not least, I want to thank @munjeni whose method finally broke on through to the other side. If it were not for his big beautiful brain I’d be ordering me an iPhone and calling it quits. It is due to his and @lebigmac’s hard work researching and testing that gives us the ability to finally have full root access. Thank you guys. I love you both!
And please visit both of their threads and help them continue support and development on this project for ALL of your Android 10 phones (especially this one).
@lebigmac Method: [SCRIPT][Android 10+] Universal Mount System read write R/W
@munjeni Method: [TOOL][WIN,LIN,AND,DARW] Super image unpack-repack tools
Introduction/Preparation
First, go and prepare by READING EVERYTHING I’M WRITING IN THIS POST BEFORE YOU START. Very important. Don't even jump into this without reading this thread here all the way to the end. This isn’t exactly child’s play if you are not comfortable with the ADB Shell or Linux, and if you type the wrong commands you could do serious, irreparable damage to your device. It also doesn’t hurt to read the original thread for this all the way through, and you can find that here: Munjeni's Superpack Repack Tool
Second, make sure your bootloader is unlocked and you have Magisk root on your device. You can check the forum for tutorials on how to do that. This method will ABSOLUTELY NOT WORK if you are not bootloader unlocked, and rooted with your boot.img patched by Magisk. If you can’t figure out that part of it then you definitely aren’t prepared for this.
***NOTES SO YOU DON'T FREAK OUT***
1. While it hasn’t happened to me, there is the possibility that you can brick your phone doing this. As such, make sure you have your firmware already downloaded and available to flash should something go wrong. This is just a precaution, a break glass in case of emergency situation. It’s better to have the files already ready to go with the flashfile commands converted and not need it than need it and frustrated because you didn’t prepare.
2. There is no custom recovery/TWRP for this variant yet (and trust me I’m trying very hard to work on that), so you will have to use ADB Shell to run the commands we need for this exercise. If you are not familiar with that, please do some research on ADB Shell so you’re comfortable and familiar. Google for once is a friend for that!
Files
Here is a list of things you will need going into it.
1. Windows 7. I did it in Windows 7 and Kali Linux so I can’t speak on whether or not this will work smoothly in other versions. This method is exclusively for Windows 7. Go to the original thread on info on how to use it on other platforms.
2. Get Tiny ADB and Fastboot (it's easier to use than Android SDK and smaller) or whatever fastboot you’re comfortable with.
3. Make sure the drivers for your Moto One 5G Ace are already downloaded and installed on your computer.
4. @munjeni’s Super Unpack Repack Tool. Can’t get anywhere with the method without it. You can download it here from the first post: https://forum.xda-developers.com/t/tool-win-lin-and-darw-super-image-unpack-repack-tools.4120963/
5. Root Explorer (or whatever your favorite type of system explorer is). There’s no getting into the system files without it.
6. Busybox. I used Busybox Pro 70 that I had from my MotoG7Power and that worked flawlessly. A newer version of Busybox did not install on my device because I didn’t have Write access going into it but that version I can attest works.
7. Stock Firmware (Just in case, remember?) I used XT2113_KIEV_RETUS_10_QZK30.Q4-40-55_subsidy-DEFAULT_regulatory-DEFAULT_CFC_R1_CFC.xml which is the US Retail software and the XT2113-3_KIEV_RETEU_10_QZKS30.Q4-40-62-2_subsidy-DEFAULT_regulatory-XT2113-3-EU-SAR_CFC.xml instead of MetroPCS's firmware because I hate any branded US carrier bloatware and such and like that factory unlocked from the manufacturer feel. Both of my phones flashed fine with it and you can find it here: Moto One 5G Ace ALL Firmwares. It doesn't matter what your carrier is, they have them all there.
8. The stock charging cable that comes with your phone.
The Process
1. Make sure the phone is at least halfway charged. Last thing you want is the phone to die in the middle of any of this and cause a system error that you might not be able to get out of.
2. Make sure you have installed your Root Explorer and Busybox beforehand.
3. Extract @munjeni’s Super Unpack Repack Tool. Copy the file “superrepack.arm64_pie” to your phone.
4. Rename “superrepack.arm64_pie” on your phone to “superrepack” (obviously without quotations).
5. Move “superrepack” file on your phone to /data/local/tmp folder. If you have root and using a root explorer you can’t miss it (obviously without quotations).
6. Connect your phone to your PC via the charging cable.
7. Open TinyADB and Fastboot. Do not open it as an administrator or it will not function correctly getting root access on your device.
8. Type: “adb shell” and press enter. This will change C:/TheNameOfYourDirectory to kiev:/ $
9. Type: “su” and press enter. This will change the dollar sign “$” to a sharp symbol “#” and will look like kiev:/ # Make sure you allow permissions if Magisk asks for it or it will give you a permission denied message.
10. Type: “ls -Alg /dev/block/by-name | grep "super"” and press enter since you need to know where your block device is. It should return a result that looks like “lrwxrwxrwx 1 root 16 1970-01-01 08:07 super -> /dev/block/NameOfYourBlock” (obviously without quotations except the quotations in "super" - keep those)
11. Copy and paste somewhere “/dev/block/NameOfYourBlock” (obviously without quotations). You’re going to need that later.
12. Close TinyADB and Fastboot. Now open a fresh instance of it in a new window.
13. Type: “adb shell” (obviously without quotations) and press enter. This will change C:/TheNameOfYourDirectory to kiev:/ $
14. Type: “su” (obviously without quotations) and press enter. This will change the dollar sign “$” to a sharp symbol “#” and will look like kiev:/ #
15. Type: “chmod 755 /data/local/tmp/superrepack” (obviously without quotations) and press enter as the chmod command will give us root permissions to run the script. This is VERY IMPORTANT. Don’t worry if it goes to a blank next line that’s normal.
16. Type: “setenforce 0” (obviously without quotations) and press enter as we need to disable selinux. Again, don’t worry if it goes to a blank next line as that’s normal.
17. Type: “/data/local/tmp/superrepack /dev/block/NameOfYourBlock” (obviously without quotations) and press enter. Let the script run to the end.
18. Reboot your phone. Close Tiny ADB and Fastboot.
19. When your phone is rebooted go to Root Explorer (or your explorer).
20. Mount the system in your file explorer! You should have R/W Access in ALL of your partitions.
If Something Goes Wrong And You Have To Reflash Your Phone…
Please refer to the guides in the forum on how to get your phone back to stock. There’s one for flashing, one for root, and a subsequent one for debloat.
If you come up with an error, please go to the original thread https://forum.xda-developers.com/t/tool-win-lin-and-darw-super-image-unpack-repack-tools.4120963/ and let @munjeni know what the issue is so he can help.
Hope this brings some love to the Moto One 5G Ace users. We definitely need a boost to lift development spirits.
I will try and answer questions if I can or point you in the right direction.
Wow this was the easiest guide to get r/w access. Thanks to everyone involved in this milestone.
I can mount r/w on stock android 10....
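The quoted tutorial attributes the read-only system to the ext4 shared_blocks feature: the kernel will only mount such a filesystem read-only, so no amount of root helps until the image is rebuilt. The following added example (not from the tutorial or from either of the linked tools) reads the ro_compat feature flags out of an ext4 superblock so an extracted system.img can be checked before anyone tries to mount it read-write. Offsets are the standard ext4 on-disk layout; the 2 KiB sample image is constructed in the block and carries only the superblock fields the parser reads.

```python
"""Check an ext4 image's ro_compat features for shared_blocks.

Constructed example. Superblock offsets follow the ext4 on-disk format:
the superblock starts 1024 bytes into the device; within it s_blocks_count_lo
is at 0x04, s_log_block_size at 0x18, s_magic at 0x38 and
s_feature_ro_compat at 0x64 (all little-endian).
"""
import struct

EXT4_SUPERBLOCK_OFFSET = 1024
EXT4_SUPER_MAGIC = 0xEF53
RO_COMPAT_SHARED_BLOCKS = 0x4000

# Subset of s_feature_ro_compat bits, by name
RO_COMPAT_FLAGS = {
    0x0001: "sparse_super",
    0x0002: "large_file",
    0x0008: "huge_file",
    0x0010: "gdt_csum",
    0x0020: "dir_nlink",
    0x0040: "extra_isize",
    0x0400: "metadata_csum",
    RO_COMPAT_SHARED_BLOCKS: "shared_blocks",
    0x8000: "verity",
}


def parse_superblock(image: bytes) -> dict:
    """Decode the few superblock fields needed to judge rw-mountability."""
    sb = image[EXT4_SUPERBLOCK_OFFSET:EXT4_SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too small to contain an ext4 superblock")
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    if magic != EXT4_SUPER_MAGIC:
        raise ValueError(f"not an ext4 superblock (magic 0x{magic:04x})")
    blocks_count = struct.unpack_from("<I", sb, 0x04)[0]   # low 32 bits only
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    ro_compat = struct.unpack_from("<I", sb, 0x64)[0]
    block_size = 1024 << log_block_size
    return {
        "block_size": block_size,
        "size_bytes": blocks_count * block_size,
        "ro_compat": ro_compat,
        "ro_compat_names": [n for bit, n in sorted(RO_COMPAT_FLAGS.items()) if ro_compat & bit],
        "shared_blocks": bool(ro_compat & RO_COMPAT_SHARED_BLOCKS),
    }


def rw_mount_expected(image: bytes) -> bool:
    """False when shared_blocks is set: the kernel will refuse a read-write
    mount of this filesystem regardless of the caller's privileges."""
    return not parse_superblock(image)["shared_blocks"]


def parse_image_file(path: str) -> dict:
    """Read just enough of a raw (non-sparse) image file to parse its superblock."""
    with open(path, "rb") as fh:
        return parse_superblock(fh.read(EXT4_SUPERBLOCK_OFFSET + 1024))


def make_sample_image(ro_compat: int, log_block_size: int = 2, blocks: int = 1024) -> bytes:
    """Constructed 2 KiB stand-in for an image: only the superblock fields
    read above are populated, so it is not a mountable filesystem."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, blocks)
    struct.pack_into("<I", sb, 0x18, log_block_size)
    struct.pack_into("<H", sb, 0x38, EXT4_SUPER_MAGIC)
    struct.pack_into("<I", sb, 0x64, ro_compat)
    return bytes(EXT4_SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    import sys
    img = parse_image_file(sys.argv[1]) if len(sys.argv) > 1 else \
        parse_superblock(make_sample_image(RO_COMPAT_SHARED_BLOCKS | 0x0001))
    print(f"block size {img['block_size']}, features {img['ro_compat_names']}, "
          f"rw mount possible: {not img['shared_blocks']}")
```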
Articul8Madness said:
Update: I used Version 2 with no problems. According to @munjeni there are BIG DANGEROUS ISSUES with Version and newer. Starting at V7 there are clone issues. I have tried Version 9 and had those issues.
Using the V2 method you will be able to delete and remove files. The ability to resize the partitions has not been achieved, so you will be at the mercy of the space limitations in the partition.
This tutorial is for people like me that after rooting the Moto One 5G Ace XT-2113 (MetroPCS Qualcomm Variant) running on stock Android 10 discovered that their root did not grant them Write Access to system files. Starting with Android 10, a new System As Root protocol prohibits users from accessing all of their files due to Dynamic Partitions and being formatted to EXT4_FEATURE_RO_COMPAT_SHARED_BLOCKS, effectively making root useless. You can read about that here:
https://twitter.com/i/web/status/1170404631865778177
Rest not, a method has been made!
Follow the following at your own risk! I am not responsible for any mishaps with your devices and neither is @munjeni. I also don't know if this will work on other variants, as I only have tried this method on the RETUS and RETEU stock firmware. Also, this will NOT obviously work for Verizon, AT&T, and Cricket phones or other mobile carriers that lock their bootloaders.
I want to thank a couple of people for their big beautiful brains and hard work in figuring this out. First, all the love in the world goes out to @lebigmac. This beautiful soul and I have been back and forth a week trying to get something going on the Moto. I thank him for his patience, his genius, and his tenacity to hang in there with my device even after I threatened a bunch of times to go to Apple and be done with this new cumbersome lockdown AndroidOS. He gave the hope as his method has worked on Asus and Xiaomi variants. It has been an honor to be on his beta test team.
Last, but not least, I want to thank @munjeni whose method finally broke on through to the other side. If it were not for his big beautiful brain I’d be ordering me an iPhone and calling it quits. It is due to his and @lebigmac’s hard work researching and testing that gives us the ability to finally have full root access. Thank you guys. I love you both!
And please visit both of their threads and help them continue support and development on this project for ALL of your Android 10 phones (especially this one).
@lebigmac Method: [SCRIPT][Android 10+] Universal Mount System read write R/W
@munjeni Method: [TOOL][WIN,LIN,AND,DARW] Super image unpack-repack tools
Introduction/Preparation
First, go and prepare by READING EVERYTHING I’M WRITING IN THIS POST BEFORE YOU START. Very important. Don't even jump into this without reading this thread here all the way to the end. This isn’t exactly child’s play if you are not comfortable with the ADB Shell or Linux, and if you type the wrong commands you could do serious, irreparable damage to your device. It also doesn’t hurt to read the original thread for this all the way through, and you can find that here: Munjeni's Superpack Repack Tool
Second, make sure your bootloader is unlocked and you have Magisk root on your device. You can check the forum for tutorials on how to do that. This method will ABSOLUTELY NOT WORK if you are not bootloader unlocked, and rooted with your boot.img patched by Magisk. If you can’t figure out that part of it then you definitely aren’t prepared for this.
***NOTES SO YOU DON'T FREAK OUT***
1. While it hasn’t happened to me, there is the possibility that you can brick your phone doing this. As such, make sure you have your firmware already downloaded and available to flash should something go wrong. This is just a precaution, a break glass in case of emergency situation. It’s better to have the files already ready to go with the flashfile commands converted and not need it than need it and be frustrated because you didn’t prepare.
2. There is no custom recovery/TWRP for this variant yet (and trust me I’m trying very hard to work on that), so you will have to use ADB Shell to run the commands we need for this exercise. If you are not familiar with that, please do some research on ADB Shell so you’re comfortable and familiar. Google for once is a friend for that!
Files
Here is a list of things you will need going into it.
1. Windows 7. I did it in Windows 7 and Kali Linux so I can’t speak on whether or not this will work smoothly in other versions. This method is exclusively for Windows 7. Go to the original thread on info on how to use it on other platforms.
2. Get Tiny ADB and Fastboot (it's easier to use than Android SDK and smaller) or whatever fastboot you’re comfortable with.
3. Make sure the drivers for your Moto One 5G Ace are already downloaded and installed on your computer.
4. @munjeni’s Super Unpack Repack Tool. Can’t get anywhere with the method without it. You can download it here from the first post: https://forum.xda-developers.com/t/tool-win-lin-and-darw-super-image-unpack-repack-tools.4120963/
5. Root Explorer (or whatever your favorite type of system explorer is). There’s no getting into the system files without it.
6. Busybox. I used Busybox Pro 70 that I had from my MotoG7Power and that worked flawlessly. A newer version of Busybox did not install on my device because I didn’t have Write access going into it but that version I can attest works.
7. Stock Firmware (Just in case, remember?) I used XT2113_KIEV_RETUS_10_QZK30.Q4-40-55_subsidy-DEFAULT_regulatory-DEFAULT_CFC_R1_CFC.xml which is the US Retail software and the XT2113-3_KIEV_RETEU_10_QZKS30.Q4-40-62-2_subsidy-DEFAULT_regulatory-XT2113-3-EU-SAR_CFC.xml instead of MetroPCS's firmware because I hate any branded US carrier bloatware and such and like that factory unlocked from the manufacturer feel. Both of my phones flashed fine with it and you can find it here: Moto One 5G Ace ALL Firmwares. It doesn't matter what your carrier is, they have them all there.
8. The stock charging cable that comes with your phone.
The Process
1. Make sure the phone is at least halfway charged. Last thing you want is the phone to die in the middle of any of this and cause a system error that you might not be able to get out of.
2. Make sure you have installed your Root Explorer and Busybox beforehand.
3. Extract @munjeni’s Super Unpack Repack Tool. Copy the file “superrepack.arm64_pie” to your phone.
4. Rename “superrepack.arm64_pie” on your phone to “superrepack” (obviously without quotations).
5. Move the “superrepack” file on your phone to the /data/local/tmp folder. If you have root and are using a root explorer you can’t miss it (obviously without quotations).
6. Connect your phone to your PC via the charging cable.
7. Open TinyADB and Fastboot. Do not open it as an administrator or it will not function correctly getting root access on your device.
8. Type: “adb shell” and press enter. This will change C:/TheNameOfYourDirectory to kiev:/ $
9. Type: “su” and press enter. This will change the dollar sign “$” to a sharp symbol “#” and will look like kiev:/ # Make sure you allow permissions if Magisk asks for it or it will give you a permission denied message.
10. Type: “ls -Alg /dev/block/by-name | grep "super"” and press enter since you need to know where your block device is. It should return a result that looks like “lrwxrwxrwx 1 root 16 1970-01-01 08:07 super -> /dev/block/NameOfYourBlock” (obviously without quotations except the quotations in "super" - keep those)
11. Copy and paste somewhere “/dev/block/NameOfYourBlock” (obviously without quotations). You’re going to need that later.
12. Close TinyADB and Fastboot. Now open a fresh instance of it in a new window.
13. Type: “adb shell” (obviously without quotations) and press enter. This will change C:/TheNameOfYourDirectory to kiev:/ $
14. Type: “su” (obviously without quotations) and press enter. This will change the dollar sign “$” to a sharp symbol “#” and will look like kiev:/ #
15. Type: “chmod 755 /data/local/tmp/superrepack” (obviously without quotations) and press enter as the chmod command will give us root permissions to run the script. This is VERY IMPORTANT. Don’t worry if it goes to a blank next line that’s normal.
16. Type: “setenforce 0” (obviously without quotations) and press enter as we need to disable selinux. Again, don’t worry if it goes to a blank next line as that’s normal.
17. Type: “/data/local/tmp/superrepack /dev/block/NameOfYourBlock” (obviously without quotations) and press enter. Let the script run to the end.
18. Reboot your phone. Close Tiny ADB and Fastboot.
19. When your phone is rebooted go to Root Explorer (or your explorer).
20. Mount the system in your file explorer! You should have R/W Access in ALL of your partitions.
If Something Goes Wrong And You Have To Reflash Your Phone…
Please refer to the guides in the forum on how to get your phone back to stock. There’s one for flashing, one for root, and a subsequent one for debloat.
If you come up with an error, please go to the original thread https://forum.xda-developers.com/t/tool-win-lin-and-darw-super-image-unpack-repack-tools.4120963/ and let @munjeni know what the issue is so he can help.
Hope this brings some love to the Moto One 5G Ace users. We definitely need a boost to lift development spirits.
I will try and answer questions if I can or point you in the right direction.
This didn't work for me. My access is no different than when I started. The script showed the third partition was a different type.
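Steps 10 and 15 to 17 of the quoted procedure have the reader copy a block device path by eye and hand it straight to the tool; a typo there points the repack at the wrong partition, which is exactly the "serious, irreparable damage" the post warns about. The script below is an added example for this thread, not part of the post or of @munjeni's superrepack tool. It parses the `ls -Alg` line instead of relying on a manual copy, strips the carriage return that adb on Windows adds to output, accepts only a plain /dev/block/<name> node, and runs superrepack only after confirming the shell is root and the binary exists. Function names, the sample ls lines and the `run` entry point are my own assumptions; `resolve_super` and `run_superrepack` need an Android root shell, the two checking functions run anywhere.

```shell
#!/bin/sh
# Added helper for the superrepack procedure quoted above. Not part of the
# thread or of munjeni's tool; function names and sample lines are my own.
# On the phone: copy here, then inside `adb shell` -> `su`, run: sh prep.sh run

# Step 10 shows a line like
#   lrwxrwxrwx 1 root 16 1970-01-01 08:07 super -> /dev/block/sde13
# Pull the symlink target out of it. adb on Windows ends lines with CRLF,
# so drop any CR first or the path carries an invisible trailing character.
super_target_from_ls() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/.* super -> \(\/dev\/block\/[A-Za-z0-9_]*\)$/\1/p'
}

# Only a plain /dev/block/<name> node may be passed to superrepack. A
# mis-pasted path, an unresolved by-name symlink or a stray shell character
# is rejected before the tool ever sees it.
is_block_path() {
    case "$1" in
        *[!A-Za-z0-9_/]*) return 1 ;;   # spaces, quotes, dashes, ';' ...
        /dev/block/*/*)   return 1 ;;   # nested path such as by-name/super
        /dev/block/?*)    return 0 ;;
        *)                return 1 ;;
    esac
}

# Resolve the symlink programmatically instead of reading it from ls output
# (Android shell only).
resolve_super() {
    readlink -f /dev/block/by-name/super
}

# Steps 15-17 with pre-flight checks. Note that chmod 755 only makes the
# binary executable; root comes from `su`, not from chmod. setenforce 0 is
# the post's own step; the reboot in step 18 brings SELinux back.
run_superrepack() {
    tool=/data/local/tmp/superrepack
    [ "$(id -u)" = 0 ] || { echo "not root: run su first" >&2; return 1; }
    [ -f "$tool" ] || { echo "missing $tool" >&2; return 1; }
    dev=$(resolve_super) || { echo "cannot resolve super" >&2; return 1; }
    is_block_path "$dev" || { echo "unexpected super path: $dev" >&2; return 1; }
    chmod 755 "$tool"
    setenforce 0
    echo "running $tool on $dev"
    "$tool" "$dev"
}

case "${1:-}" in
    run) run_superrepack ;;
esac
```

If `is_block_path` rejects what `resolve_super` returned, stop and look at the device rather than forcing the path: on this variant the target is expected to be a bare node directly under /dev/block, and anything else means the by-name layout is not what the post assumes.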
Okay I want to give the benefit of doubt here so; what do you mean by V7 having clone issues? I'd say I had clone issues after following this tutorial but a more accurate description would be "hacked". So I'm just a little confused; could you elaborate a little on the "cloning issue" and differences between V2, 7 and 9? Thank you.
Wish we had a working TWRP FOR THE MOTO ACE.. Would open so many doors for this phone...
skinlab said:
Wish we had a working TWRP FOR THE MOTO ACE.. Would open so many doors for this phone...
I think it has not been released because it has problems with touch screen operation.
And in the case of motorola, you can't run these tools on twrp.
There is a high possibility that the protection function of the device will kick in and cause an error.
Ok. I got it to work after I reflashed the original ROM. Thanks for your help. I used 3 of your guides to get success! You are to be commended.
clintongsan said:
Okay I want to give the benefit of doubt here so; what do you mean by V7 having clone issues? I'd say I had clone issues after following this tutorial but a more accurate description would be "hacked". So I'm just a little confused; could you elaborate a little on the "cloning issue" and differences between V2, 7 and 9? Thank you.
You will have to ask munjeni. I just reposted what he sent me. But it's not a hack issue, the super partitions have a bad habit of reproducing themselves once you mod anything.
PEACH-PIT said:
I think it has not been released because it has problems with touch screen operation.
And in the case of motorola, you can't run these tools on twrp.
There is a high possibility that the protection function of the device will kick in and cause an error.
Not true. The Nairo variant of the Moto One 5G has TWRP. The mods over there had to make their own modules. I don't know how to do that, so all I have is an experimental working build with no touchscreen access.
PEACH-PIT said:
https://forum.xda-developers.com/t/script-android-10-universal-mount-system-read-write-r-w.4247311/
"moto g 5g" can use makeSystemRW v1.31.
It must be used in conjunction with makesysrw_repair.
makesysrw_repair requires linux.
The size option will not work if it is too large or too small.
You need to specify an appropriate size.
Please adjust it by yourself.
I got the right result with 20mb.
adb shell
su
chmod +x /data/local/tmp/makesysrw_1.31/makesysrw.sh
setenforce 0
./data/local/tmp/makesysrw_1.31/makesysrw.sh size=20
Tried using it in TWRP and it didn't work. Error 73.
Articul8Madness said:
Tried using it in TWRP and it didn't work. Error 73.
Why are you using TWRP to run that script?
If you run those scripts in linux, they will work fine.
I'm using BBQlinux.
Unfortunately you can't get r/w unless you use sysrw_repair.
PEACH-PIT said:
Why are you using TWRP to run that script?
If you run those scripts in linux, they will work fine.
I'm using BBQlinux.
Unfortunately you can't get r/w unless you use sysrw_repair.
@lebigmac said we could run the script from TWRP. That is how he initially designed it so I gave it a shot.
So, I am brand new here. Just signed up after reading straight for 6.5 hours (give or take). I have also been doing as much research as possible as I want to root my Moto One 5G Ace and it seemed like this forum is the best as far as knowledge and clarity. But it seems that with the multiple guides on here for this same device I am not sure exactly which to follow and where... as well as a few other concerns. But firstly, as I am reading about the R/O aspect, what exactly are the big benefits of going through this process? To my knowledge R/W is one of the biggest benefits to rooting a phone. Not the only one of course but a big one nonetheless. I will hold off with doing anything until I get some opinions on it as well as a definitive answer as to what guide I should be following. Many thanks fellow tinkerers!
Paul_Neocube said:
So, I am brand new here. Just signed up after reading straight for 6.5 hours (give or take). I have also been doing as much research as possible as I want to root my Moto One 5G Ace and it seemed like this forum is the best as far as knowledge and clarity. But it seems that with the multiple guides on here for this same device I am not sure exactly which to follow and where... as well as a few other concerns. But firstly, as I am reading about the R/O aspect, what exactly are the big benefits of going through this process? To my knowledge R/W is one of the biggest benefits to rooting a phone. Not the only one of course but a big one nonetheless. I will hold off with doing anything until I get some opinions on it as well as a definitive answer as to what guide I should be following. Many thanks fellow tinkerers!
This phone is great once you have done all the steps. It took me a while to get it all done correctly.
You need to follow the steps in the complete noob guide to rooting. I tried shortcuts that ultimately did not work. Then follow the guide to get read/write access. If you want to debloat, use the guide on using the package manager.
You can also add TWRP recovery. I forgot which guide I chose. I continue to find new dialer, contacts, etc. and remove stock programs. So have fun.