The novel CAT S22 Flip was released in September, and is pretty much the only one of its kind. It actually has an unlocked bootloader, and I was excited to try to root it. However, there's no version of TWRP designed specifically for it! Having never rooted anything before, does anyone know my options in this case to get TWRP for this phone? (Or another method of root I'm not aware of would also be fine.) Thanks!
Shoitah said:
The novel CAT S22 Flip was released in September, and is pretty much the only one of its kind. It actually has an unlocked bootloader, and I was excited to try to root it. However, there's no version of TWRP designed specifically for it! Having never rooted anything before, does anyone know my options in this case to get TWRP for this phone? (Or another method of root I'm not aware of would also be fine.) Thanks!
Hey. I'm in the same boat. I need to add su binary but looks like the only way to do it is with TWRP. Have you succeeded? I keep trying to find a way to do it, so far no luck.
TWRP isn't needed at all to push ( suitable ) SU binary onto Android's filesystem: you achieve this by means of ADB, too
jwoegerbauer said:
TWRP isn't needed at all to push ( suitable ) SU binary onto Android's filesystem: you achieve this by means of ADB, too
Sweet!!! What does it look like?
I just tried adb sideload <file.zip> while in recovery mode and I'm getting this
adb: sideload connection failed: closed
adb: trying pre-KitKat sideload method...
adb: pre-KitKat sideload connection failed: closed
When I check adb devices, it shows that the device is unauthorized. But it's only unauthorized in recovery mode.
Actually looks like I have a problem with recovery mode. Instead I'm getting "No command" screen. It's not even getting into recovery
To perform an ADB sideload - which is used to flash a stock ROM - the phone must be booted into sideload mode first
Code:
adb devices
adb reboot sideload
adb sideload <STOCK-ROM-ZIP>
adb reboot
Oh cool. Didn't know that I could reboot straight to sideload and bypass the initial recovery menu. Thank you!
As for my previous issue with the "No command" error on recovery boot, I managed to resolve it. When it gets to the "No command" screen, you need to hold Power + Volume Down just long enough to tap Volume Up. And then the recovery menu will appear. So press Power + Volume Down and then tap Volume Up.
When I tried to sideload su binary with
Code:
adb sideload <file.zip>
On the mobile screen I'm getting this error
Code:
E:failed to verify whole-file signature. Update package verification took 0.5 s ( result 1)
E:Signature verification failed
E: error: 21
Looks like recovery is not allowing unsigned packages to be installed. Is there a way around it? Do I need to source another su binary, or is there a way to sign it?
Ok. I think I'm getting closer to the core issue. I thought that I rooted the device, but I only unlocked the bootloader. So the device is not rooted. As per the original thread topic, it looks like there is still no TWRP yet and boot.img is not accessible to modify. Tried to get boot.img directly from the device, but getting - permission denied.
Any other workarounds I should try?
SU binary isn't a signed package. It's a ~110KB file you have to push onto Android OS, preferred to /data/local/tmp directory and afterwards have to make it executable.
I've downloaded Chainfire SuperSu Zip packages, unpacked it and got a su file from arm64 folder. As you mentioned, su file is 108.5KB =)
I've pushed it to /data/local/tmp and made it executable
Code:
S22FLIP:/ $ ls -la /data/local/tmp
total 114
drwxrwxrwx 2 shell shell 3488 2022-12-22 09:36 .
drwxr-x--x 4 root root 3488 1970-01-01 12:15 ..
-rwxrwxrwx 1 shell shell 108496 2008-02-29 03:33 su
Maybe I'm missing something, I still get
Code:
S22FLIP:/ $ su
/system/bin/sh: su: inaccessible or not found
You must tell Android where the SU binary is located
Code:
cd /data/local/tmp && ./su
or
Code:
/data/local/tmp/su
jwoegerbauer said:
You must tell Android where the SU binary is located
Code:
cd /data/local/tmp && ./su
or
Code:
/data/local/tmp/su
Hi. I am trying to root the phone. I tried with QFIL to get the boot.img file with no luck.... I am trying now with su. I put the su binary where you said and execute it.
Now what should I do? If you can help me, I will be grateful
IMO you can't root a phone ( a conglomerate of hardware pieces ) but only enable Android OS to run system commands as root ( that is, with elevated rights if those are required ) by means of su.
Knowing this you would open a terminal window in Android and type out
Code:
<FULLPATH-TO-SU-BINARY-HERE>/su -c "<SHELL-COMMAND-THAT-REQUIRES-ELEVATED-RIGHTS-HERE>"
Example:
Code:
/data/local/tmp/su -c "mount -o remount,rw -t auto /system"
jwoegerbauer said:
IMO you can't root a phone ( a conglomerate of hardware pieces ) but only enable Android OS to run system commands as root ( that is, with elevated rights if those are required ) by means of su.
Knowing this you would open a terminal window in Android and type out
Code:
<FULLPATH-TO-SU-BINARY-HERE>/su -c "<SHELL-COMMAND-THAT-REQUIRES-ELEVATED-RIGHTS-HERE>"
Example:
Code:
/data/local/tmp/su -c "mount -o remount,rw -t auto /system"
Doesn't work. It looks like the su binary doesn't grant system commands root
I really don't know what to do......
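Why the pushed binary runs without elevated rights can be read from the ls -la output posted earlier in this thread. The following is an added example, not code from any poster: it checks the preconditions a setuid su needs (setuid bit, root owner, filesystem not mounted nosuid). The helper name su_can_elevate is hypothetical and the mount line is constructed sample data, assuming /data is mounted nosuid as is usual on Android.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an su binary could
# give a root shell, using only `ls -l` and `mount` output.

# ls line as posted in the thread; the mount line is constructed sample
# data (assumption: /data mounted nosuid, as is usual on Android).
LS_LINE='-rwxrwxrwx 1 shell shell 108496 2008-02-29 03:33 su'
MOUNT_LINE='/dev/block/dm-5 on /data type f2fs (rw,seclabel,nosuid,nodev,noatime)'

# su_can_elevate LS_LINE MOUNT_LINE   (hypothetical helper name)
# Prints one line per unmet precondition; returns 0 only if all are met.
su_can_elevate() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    opts=$(printf '%s\n' "$2" | sed -n 's/.*(\(.*\)).*/\1/p')
    rc=0

    # The kernel switches the effective UID only for setuid files: the
    # owner-execute position (4th character of the mode) must be 's'.
    case $(printf '%s\n' "$mode" | cut -c4) in
        s) ;;
        *) echo "no setuid bit (mode $mode)"; rc=1 ;;
    esac

    # A setuid file runs as its owner, so the owner has to be root.
    [ "$owner" = root ] || { echo "owner is $owner, not root"; rc=1; }

    # On a nosuid mount the setuid bit is ignored at exec time.
    case ",$opts," in
        *,nosuid,*) echo "filesystem is mounted nosuid"; rc=1 ;;
    esac

    return $rc
}

# Stand-alone run on the thread's data: all three preconditions fail.
su_can_elevate "$LS_LINE" "$MOUNT_LINE" || echo "=> su would run as the calling user"
```

Passing these checks is necessary, not sufficient: on current Android releases SELinux policy still confines a process that has uid 0.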
Related
Quick question about rooting and clockwork. I managed to gain root on 2.3.3 without using clockwork a while back (i find it buggy sometimes) but the current re-rooting guide for 2.3.4 assumes clockwork usage. Does it matter if I use the procedure in http://forum.xda-developers.com/showthread.php?t=1007782 but bypass clockwork? I.e. using vanilla recovery.
Actually you don't need clockworkmod -- or even recovery mode -- for rooting. The process of rooting is simply putting the su binary into /system/bin directory and install Superuser app.
You could try to install the zip from stock recovery, I'm pretty sure it won't hurt even if the installation is not successful. For me, I always do the rooting by:
Code:
adb remount
adb push su /system/bin/
adb shell chmod 6755 /system/bin/su
Then install the Superuser app from Market.
suksit said:
Actually you don't need clockworkmod -- or even recovery mode -- for rooting. The process of rooting is simply putting the su binary into /system/bin directory and install Superuser app.
You could try to install the zip from stock recovery, I'm pretty sure it won't hurt even if the installation is not successful. For me, I always do the rooting by:
Code:
adb remount
adb push su /system/bin/
adb shell chmod 6755 /system/bin/su
Then install the Superuser app from Market.
Does the bootloader need to be unlocked w/this method?
suksit said:
Actually you don't need clockworkmod -- or even recovery mode -- for rooting. The process of rooting is simply putting the su binary into /system/bin directory and install Superuser app.
You could try to install the zip from stock recovery, I'm pretty sure it won't hurt even if the installation is not successful. For me, I always do the rooting by:
Code:
adb remount
adb push su /system/bin/
adb shell chmod 6755 /system/bin/su
Then install the Superuser app from Market.
Thanks for that. But for the n00b part of me, could you tell me which directory I need to launch that command from? I.e. which directory of the android sdk.
From memory it was something like c:\program files (x86)\android\android-sdk\tools... or something.
EDIT: mm, I just tried initiating those commands from within both the \\tools and \\platform-tools and in both instances I either get "unrecognised command" or "error: device not found" or "remount failed: operation not permitted"; depending on whether the device is fully booted or just in recovery. Any ideas?
I've unlocked my phone via HTCDev, which to my understanding should give enough permissions and whatnot for adb to work on system files too.
I'm trying to push application to replace system application, I know the application works, I got both signed & unsigned versions of it but same thing with either one of them.
adb remount says "remount failed: operation not permitted" and adb push [file] /system/apps says "failed to copy '[file]' to '/system/apps/': read-only file system"
--
What am I doing wrong, or do I really have to root the phone just to get one damn application replaced with modified one?
Bump
Have you rooted?
frazzeld said:
Have you rooted?
This^
You need to have SU# access, which by definition needs root permissions. If you haven't already, use the all in one tool kit to flash clockwork and root that beech. Then when in ADB you enter SU and you will get a prompt like this #, indicating you have root privileges.
Update, I have rooted, stock rom still though
If I use adb shell, I get $, but writing "su" in shell gives me #
still, I've tried both the adb remount and in shell mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
the latter seems to work, but however still when I try to push something to /system/app it still says permission denied
edit:
not quite sure what I did, but i finally got SUCCESS from installing from shell
how did you install through the shell
I recently received my Transformer back after RMA-ing it for a non-functioning screen. Of course, even though the problem lay with the hardware, they still unrooted and reinstalled stock firmware on it. Everything on it works, except for the USB cable that seems to be either not working, or because they installed all my apps and settings back on the tablet, something's wrong. This is a problem when it comes to rooting it again. What I'm trying to do is run the commands through the Terminal Emulator, but here is what happens:
Code:
[email protected]: /sdcard $ adb start-server
* Daemon not running, starting it on port 5038 *
* Daemon started successfully *
[email protected]: /sdcard $ adb connect localhost:5038
connected to localhost:5038
[email protected]: /sdcard $ adb push su /data/local/tmp
error: device not found
So my question is, is it even possible to do this? If not, is there another way to do it?
Thanks in advance for any help!
adb is the android debugging bridge. What it does is change your shell from your computer to your device, so you do not need to run anything that refers to adb from your device.
Hmm, run Wolf's exploit but remove 'adb' from all the commands, pretend you're already in the shell. (Because you are)
Thing O Doom said:
Hmm, run Wolf's exploit but remove 'adb' from all the commands, pretend you're already in the shell. (Because you are)
Yeah, I've tried that too.
Code:
/system/bin/sh: push: not found
aldude999 said:
Yeah, I've tried that too.
Code:
/system/bin/sh: push: not found
push is an adb command not a terminal command
mrevankyle said:
push is an adb command not a terminal command
I understand that.
I've been trying mv with no luck:
Code:
mv /sdcard/su /data/local/tmp
failed on '/sdcard/su' - Cross-device link
Download a Recovery.zip you want, and then extract the file called 'recoveryblob' out of it. (I highly recommend Rogue XM Touch)
Place it on the root of your internal storage /sdcard/.
Run this:
Code:
mv /data/local/tmp /data/local/tmp.bak
ln -s /dev/block/mmcblk0p4 /data/local/tmp
exit
reboot the tab, get back in, run this:
Code:
dd if=/sdcard/recoveryblob of=/dev/block/mmcblk0p4
reboot again, then you see a blue bar if it worked.
Then you can access CWM recovery that you just flashed with dd, and use that to install the Superuser or SuperSU .zip
Thing O Doom said:
Download a Recovery.zip you want, and then extract the file called 'recoveryblob' out of it. (I highly recommend Rogue XM Touch)
Place it on the root of your internal storage /sdcard/.
Run this:
Code:
mv /data/local/tmp /data/local/tmp.bak
ln -s /dev/block/mmcblk0p4 /data/local/tmp
exit
reboot the tab, get back in, run this:
Code:
dd if=/sdcard/recoveryblob of=/dev/block/mmcblk0p4
reboot again, then you see a blue bar if it worked.
Then you can access CWM recovery that you just flashed with dd, and use that to install the Superuser or SuperSU .zip
Code:
mv /data/local/tmp /data/local/tmp.bak
failed on '/data/local/tmp' - Permission denied
EDIT: Also, I've tried chmod, and I get an Operation not permitted error.
This is a TF101 correct? What stock firmware is it running?
You need to get USB working again.
Thing O Doom said:
This is a TF101 correct? What stock firmware is it running?
You need to get USB working again.
Yes It's running completely up to date (unfortunately) 9.2.1.24.
aldude999 said:
Yeah, I've tried that too.
Code:
/system/bin/sh: push: not found
It might help to understand what is going on. In this case, adb push su /data/tmp becomes "cp su /data/tmp/" if you are running from the terminal. You'll need stronger linux-fu.
You might also need a few extra /'s at the end of *some* of your commands.
sent from my transformer
gee one said:
It might help to understand what is going on. In this case, adb push su /data/tmp becomes "cp su /data/tmp/" if you are running from the terminal. You'll need stronger linux-fu.
You might also need a few extra /'s at the end of *some* of your commands.
sent from my transformer
Yeah, I gotcha, but the only command I have that comes close to cp is mv, and all the commands are very strictly limited.
This thread is made in an effort to root the ZTE Grand X 4 (Z957). At this point I've made some progress by using the Dirty Cow exploit to access a root shell via ADB, but have been unable to install su to the system partition.
Notes: stock rom, no custom recovery.
Exploit method:
Follow the instructions posted by Arinerron on GitHub regarding CVE-2016-5195 (under 10 posts, cannot share direct link)
When successful you will see "[email protected]:/ #" as your shell prompt, however the session will hang after any command. That said, /system/run-as is still updated allowing you to do the following:
$ adb shell
[email protected]:/ $ run-as
uid run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
[email protected]:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
You have access to the android system as root within this shell, but this is where I'm getting stuck. I'm not able to find a way to mount the system partition as read/write, and as such unable to install su. Also note that you will need to run the exploit again anytime you reboot the device. I have tried the following methods:
$ adb shell cp /sdcard/Download/su /system/bin/su
cp: /system/bin/su: Read-only file system
[email protected]:/ # mount -o rw,remount /system
mount: Permission denied
adb reboot disemmcwp
#still unable to remount the system partition
At this point I'll share what I've been able to do so far and see if anyone else has ideas for a next step.
Have you figured out how to root the z957?
This worked on my ZTE GrandX Max Plus to permanently disable the write protection on the system partition.
Good luck!!
reboot disemmcwp
If you ever want to re-enable being blocked from mounting system rw:
reboot emmcwpenab
Any luck on this root? I am looking to buy a phone on Cricket, but I need one that I can root.
Bump? Would love to see root here!
Bump, I've tried but I also get stuck on the same three methods:
$ adb shell cp /sdcard/Download/su /system/bin/su
cp: /system/bin/su: Read-only file system
[email protected]:/ # mount -o rw,remount /system
mount: Permission denied
adb reboot disemmcwp
#still unable to remount the system partition
Grand X 4
has anyone successfully rooted the grand x ?!
Thought I would post an update: Still no success on my end.
"Rooting" is easy, but breaking out of the selinux context to do anything is hard. ie. I expanded on timwr/CVE-2016-5195 by trying to use vikiroot to break out of the u:r:shell:s0 context. To do this adb push the vikiroot exploit to /data/local/tmp and then use the timwr method to run that exploit as root:
[email protected]:/ # /data/local/tmp/exploit
Unfortunately I could only get the reverse shell to work as a glorified echo. If anyone knows where I could find some c++ code for running a shell in android for me to work off of I'm willing to see how much further I can get in that direction.
As disemmcwp doesn't work I'm wondering if ZTE found a different way to lock down the system partition? Interestingly there is an OEM-specific settings button that is greyed out (find it at *#*#4636#*#*).
I'm running firmware from Wind/Freedom Mobile so I can access the bootloader and unlock it, but I can't install SU or anything from stock. Additionally, there is no TWRP released for this phone yet. I have no idea where to find the board config files for this phone. Without a custom bootloader I'm not sure how to make permanent changes to the rom at this point.
Thanks for your work on this. Stock Rom is pretty clean, but root would be great on this.
I've tried many different ways to root this phone. For weeks, I've tried. Nothing. I personally think that there is no way to, not now at least.
Don't know if this will help but, I found that they lock the bootloader under the developer settings!
Has anyone tried a one click root application like KingoRoot ?
Or is this more for doing it on your own without a service like that?
Previously I had tried a series of one click solutions but I haven't found any that support this device yet. Typically they use the same exploits we've tried to use the hard way
After slacking for awhile I was finally able to poke around some of the internals of the phone in FTM mode using qualcomm developer tools. Lots of nifty things in the embedded file system and plenty of opportunities to flash new boot loaders and roms to the device for those of you who have a locked bootloader, but unfortunately I haven't been able to extract a copy of the stock rom or bootloaders. I'm still lacking the information I need to compile a new one for the phone.
Where I stand:
Can create a root shell, cannot remount system as read/write for permanent root in stock rom.
Can install new boot loader, no twrp or other found for this hardware.
Can compile new twrp, no boardconfig files (handy to avoid bricking your phone)
Can explore EFS and access chip via FTM, not sure how or if possible to download current rom / bootloader from here.
Happy for any tips on what to try next!
Can you tell me which tools you used? I looked at the Qualcomm site and there are plenty to choose from.
If you can get those tools off of the site maybe I'll message you about grabbing a few items on my Christmas list! QPST includes the tools necessary, and the tools to backup the 425 should you accidentally brick your phone (basically impossible to truly brick a qualcomm if you have the right tools). Archive.org has a copy, don't remember where to find the driver pack but you'll need that too (and a windows build).
Read through some notes on Marshmallow and it sounds like you have to remount system from recovery. I'm camping for the next month but will try talking to the TWRP team about porting a bootloader to the phone when I get back.
Let me know if you make any headway!
try this adb command and see if you get a qualcomm serial port after reboot
Code:
adb reboot edl
if that doesn't work try
Code:
adb reboot bootloader
then run the attached
How did you get into diag mode? Just do the temp root method and setprop sys.usb.config diag,adb?
https://freeandroidroot.com/root-zte-grand-x-4/
This page claims to have a root method but does it actually work? I've tried twice with no success.
How's everyone here? I also am awaiting root for this device. It really needs some shine on its mid levelness. So here is my friend's zte warp 7 work for root. He also got some killer roms for the Huawei ascend XT. He does great work. I'm sure if he had a grand x 4 he could move this along. Just a suggestion. This man can get this done. Just a suggestion for all of us. https://forum.xda-developers.com/showpost.php?p=72560392&postcount=246
---------- Post added at 11:31 PM ---------- Previous post was at 11:10 PM ----------
https://forum.xda-developers.com/member.php?u=7934375
Anyone root this phone yet?
Sent from my Z956 using XDA-Developers Legacy app
Hi, I got a new phone recently, as the name implies it's a CC Core-m5, I would like to root this device but unfortunately there isn't anything on the internet and the guys working at CC don't want to give me the firmware so that I can patch the boot using magisk.
Can someone help please ?
If someone manages to get temporary root access (even if it can't remount partitions) can he post how he managed to do it ? That way we could build our own TWRP image
Temporary root access is easy to realize: simply put a suitable su binary into Android's filesystem and make it executable:
Code:
adb devices
adb push <FULL-PATH-OF-SU-BINARY-ON-PC> /data/local/tmp/
adb shell "chmod +x /data/local/tmp/su"
xXx yYy said:
Temporary root access is easy to realize: simply put a suitable su binary into Android's filesystem and make it executable:
Code:
adb devices
adb push <FULL-PATH-OF-SU-BINARY-ON-PC> /data/local/tmp/
adb shell "chmod +x /data/local/tmp/su"
Thanks a lot, I'm gonna try that, I thought of that technique but wasn't sure if it was possible
Hmm, looks like this isn't possible anymore, or I'm doing it wrong. I'm using lineageOS 18.1 su binary, when executing it through the shell I get the error code 255. Weird
Using the SU binaries you provided in another thread I get the error code 1. Nothing more
xXx yYy said:
Temporary root access is easy to realize: simply put a suitable su binary into Android's filesystem and make it executable:
Code:
adb devices
adb push <FULL-PATH-OF-SU-BINARY-ON-PC> /data/local/tmp/
adb shell "chmod +x /data/local/tmp/su"
You won't get root access this way, as root access is allowed for binaries in root partition.
As you can't write this partition <=> you can't put any binary on it.
idem-bis-repetita
As seen in this thread https://forum.xda-developers.com/t/rooting-crosscall-core-m5.4359409/ there is a way to get temporary root access.
@xXx yYy Any further ideas ? Thanks btw
Might be resolved once we get more information on dirty-cred, as it may affect the android kernel too.
Bricked my phone lol, no working recovery