Database Info

Samsung Behold 2 Rooting

Here is the commands I used:
cd\
cd androidsdk\tools
adb push try3.dat /data/local
adb shell chmod 0755 /data/local/try3
adb shell
/data/local/try3 /system/bin/sh
mount -o rw,remount /dev/st9 /system
chmod 04755 /system/bin/sh
cat /sdcard/su.dat > /system/bin/su1
cat /sdcard/su.dat > /system/bin/su
chmod 04755 /system/bin/su
su
cat /system/bin/playlogo > /system/bin/playlogo_real
/system/bin/chmod 0755 /system/bin/playlogo_real
echo “#!/system/bin/sh
/data/local/try3.dat /system/bin/sh
mount -o rw,remount /dev/st9 /system
chmod 04755 /system/bin/sh
cat /system/bin/su1 > /system/bin/su
chmod 04755 /system/bin/su
/system/bin/playlogo_real” > /system/bin/playlogo
exit
exit
exit
adb install Superuser.apk
adb shell reboot
It said Superuser.apk installed successful. When I tried to reboot it said permission denied.
Here is the CMD pasted. Please help me I have no idea what I am doing wrong.
C:\AndroidSDK>cd\
C:\>reboot
'reboot' is not recognized as an internal or external command,
operable program or batch file.
C:\>cd\
C:\>cd androidsdk\
C:\AndroidSDK>adb shell
error: device not found
C:\AndroidSDK>adb shell
error: device not found
C:\AndroidSDK>adb shell
$ su
su
su: permission denied
$ exit
exit
C:\AndroidSDK>adb devices
List of devices attached
SGH-T939 device
C:\AndroidSDK>adb shell
$ su.dat
su.dat
su.dat: permission denied
$ exit
exit
C:\AndroidSDK>adb shell
$ su
su
su: permission denied
$ su.dat
su.dat
su.dat: permission denied
$ exit
exit

Rooting the HTC DESIRE Z, VISION, G2 with Super Tool under Linux

I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.
Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!
A summary:
To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.
Some experiments
I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.
I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278 device
OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit
The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit
Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
./adb remount
remount succeeded
./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
[COLOR="Red"]/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0[/COLOR]
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[I][...many lines snipped out...][/I]
# exit
So, /system is now r/w. Let's push "su".
Code:
./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
./adb shell "chown root.shell /system/bin/su"
./adb shell "chmod 06755 /system/bin/su"
./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
./adb shell "ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
[COLOR="Red"]-rw-rw-rw- root root 22228 2011-11-10 12:53 su[/COLOR]
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root shell 22228 2011-11-10 12:53 su
As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
[COLOR="Red"]lrwxrwxrwx root root 2011-12-30 16:48 su -> /system/bin/su[/COLOR]
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
# exit
There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root root 7221765 2011-08-02 01:08 Settings.apk
[I][...many lines snipped out...][/I]
-rw-r--r-- root root 296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root root 785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root root 551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root root 255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
[COLOR="Red"]-rw-r--r-- root root 785801 2011-11-10 12:54 Superuser.apk
[/COLOR]# exit
So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot
A short while afterwards...
Code:
$ ./adb shell
$ su
[B][COLOR="Red"]su: permission denied[/COLOR][/B]
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root shell 5392 2011-08-02 01:09 schedtest
[I][...many lines snipped out...][/I]
lrwxrwxrwx root shell 2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root shell 5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root shell 192 2010-09-23 06:51 svc
lrwxrwxrwx root shell 2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root shell 5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root shell 5536 2011-08-02 01:11 crasher
-rwxr-xr-x root shell 60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root shell 22256 2011-08-02 01:11 wireless_modem
So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".
Doing this with scripts
I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.
The first script, htc1.sh, is:
Code:
#!/bin/sh
./adb shell "rm /data/local/tmp/*"
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
./adb shell "./data/local/tmp/zergRush"
The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is:
Code:
#!/bin/sh
./adb remount
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"
If you run ./htc1.sh and then ./htc2.sh results will be the same; the added commands will be gone, and you won't be able to "su" no more.
The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.

G2 Temp Root
Hi, I got a tmo g2 2.3.4
i used the superhtctoolv2 on win7, and htcdrivers linked in the original thread.
i performed the option 1 and 2, and was able to gain temp root, but just like every1 else it goes away with a reboot, or even after prolong period of inactivity, it works as long as i keep messing with Titanium backup or other root apps.
Any way to combine this temp root with older options to gain a perm root?

Cool man! Thanks!

HTC security measure?
Looking around, I found this page about a security method by HTC... to quote:
The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTCs security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.
Click to expand...
Click to collapse
This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...

Cannot get S-OFF
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.

fkereki said:
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.
I first tried everything by hand. I ran ht1.sh first (to get root) and then went on to:
Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... [B][COLOR="Red"]Failed.
Module failed to load: No such file or directory[/COLOR][/B]
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
Click to expand...
Click to collapse
well that sucks!

[Q] Nabi XD root

So I have been working on rooting for the Nabi XD. Specifically to grab a dd of mmcblk0p1 and p2 so I can extract kernel and ramdisk to build a TWRP.
The 2 options I have tried are 1) Bin4ry root many Android, 2) Build TWRP based off the different Nabi2 kernel to gain access to /system
Bin4ry exploit fails with mount: Permission denied, when attempting to remount rw with busybox. The device is 4.1.1 so they must have patched it or cherry picked a patch. The build was this year.
The TWRP will boot but with a blank screen. Comparing the config.gz for kernel builds explains the blank screen. ADB is however is up and running, but the internal storage is not seen as a block device. cat proc/partitions is blank.
The third thing of interest is that there is a bin in xbin called su2. su2 -v yields an output of 3.3.
Code:
[email protected]:/system/xbin $ su2 -v
su2 -v
3.3
[email protected]:/system/xbin $ su2 -help
su2 -help
Usage: su [options] [--] [-] [LOGIN] [--] [args...]
Options:
-c, --command COMMAND pass COMMAND to the invoked shell
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default /system/bin/sh
-v, --version display version number and exit
-V display version code and exit,
this is used almost exclusively by Superuser.apk
[email protected]:/system/xbin $ ls -l su2
-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2
How can I put this to use? Just running su2 over adb results in nothing, and through Term.apk as permission denied. I obviously need the associated Superuser.apk to grant access, but it seems hardcoded to look for su. I looked through the source to see if I could recompile to look for su2, but I don't know if it's as simple as that.
Any thoughts?

Strange they left the su binary there.
But first : show me a "ls -l su2", we need to see if it has correct permissions or if it is just there and cannot do anything
Second: just try "su2 -c /system/bin/sh", if you are lucky it starts a rootshell.
Regards

I thought it was weird too that is was left behind, and hopefully an easy way to even gain temp root. If I can just dd the boot partition it's smooth sailing.
[email protected]:/system/xbin $ ls -l su2
-rwxr-xr-x root shell 91728 2013-02-02 07:03 su2
No setuid bit set? Should be -rwsr-sr-x?
I tried the second thing via adb. It just echos the command and prompt stays $. Using something like Term.apk yields permission denied. Tried different quotes for passing -c. Any symlinking tricks?
[email protected]:/system/xbin $ su2 -c /system/bin/sh
su2 -c /system/bin/sh
1|[email protected]:/system/xbin $ su2 -c '/system/bin/sh'
su2 -c '/system/bin/sh'
1|[email protected]:/system/xbin $ su2 -c "/system/bin/sh"
su2 -c "/system/bin/sh"
1|[email protected]:/system/xbin $

[Q] Zygote Restrict slave mountspace

Has anybody tried to implement this in KitKat ?
When I mount my server by sshfs on my Nexus 5 I can see this mount only in su, every other App/User is not seeing the mountpoint.
As explained here http://forum.xda-developers.com/showthread.php?t=2106480 this is a "Security-Feature" for MultiUser-Support.
So I've applied the Dalvik-Patch in android-4.4_r1 and compiled a new libdvm.so for my Nexus 5 und modified my boot.img (init.rc).
But this does not solve the Problem as expected.
Anybody has patched this in KitKat or has in depth knowlege of Zygote and Dalvik and could explain?

I've digged a litte deeper and found those threads:
http://forum.xda-developers.com/showthread.php?t=1781411
http://forum.xda-developers.com/showthread.php?t=2062768
http://forum.xda-developers.com/showthread.php?t=2107224
All of those basicly say that it is possible to mount using adb and all apps will be able to access them, because adb is not running as a child-process of dalvik.
This is why mounts are not visible to other apps when an app run by dalvik mounts them.
What I don't really get is why mounts by sshfs are not visible to other processes even when I use adb to run sshfs:
[email protected]:~$ adb shell
[email protected]:/ $ su
[email protected]:/ # sshfs [email protected]: /sdcard/mountpoint
[email protected]:/ # mount
...
sshfs#[email protected]: /storage/emulated/legacy/mountpoint fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
...
[email protected]:/ # exit
[email protected]:/ $ mount
...
<sshfs mount not listed>
....
So why is the mount only visible when I'am root (in su)?

I'am still working on it and tried the following without using sshfs, but even bind-mounts are not accessible by other users.
Does anyone know why and how to workaround it?
[email protected]:~$ android/android-sdk-linux/platform-tools/adb shell
[email protected]:/ $ su
[email protected]:/ # mount -o rw,remount /
[email protected]:/ # mkdir /mnt/test
[email protected]:/ # chown media_rw:media_rw /mnt/test/
[email protected]:/ # chmod 777 /mnt/test/
[email protected]:/ # busybox mount --bind /mnt/sdcard/ /mnt/test
[email protected]:/ # ls /mnt/test/ -la
drwxrwx--- root sdcard_r 2013-11-06 14:10 .MySecurityData
-rw-rw---- root sdcard_r 33 2013-11-20 18:17 .bugsense
drwxrwx--- root sdcard_r 2013-11-21 14:00 .estrongs
drwxrwx--- root sdcard_r 1970-01-02 01:01 Alarms
drwxrwx--x root sdcard_r 2013-11-06 01:12 Android
drwxrwx--- root sdcard_r 2013-11-12 18:10 DCIM
drwxrwx--- root sdcard_r 2013-11-18 23:38 Download
...
[email protected]:/ # exit
[email protected]:/ $ ls /mnt/test -la
[email protected]:/ $

[Q] Error while remount a partition read only

I have a rooted HTC and need to create a custom file in /system/xbin. I execute a mount command (for read-write permission on /system), create the file, remount /system in readonly and after that my file magically disappear. Here are the commands I wrote in a su shell via adb.
Code:
[email protected]:/system/xbin # mount | grep system
/dev/block/mmcblk0p35 /system ext4 ro,seclabel,relatime,data=ordered 0 0
[email protected]:/system/xbin # mount -o rw,remount /dev/block/mmcblk0p35 /system
[email protected]:/system/xbin # cd /system/xbin
[email protected]:/system/xbin # echo test > myfile
[email protected]:/system/xbin # ls
daemonsu
dexdump
dexus
myfile <- 'myfile' is created
nc
su
[email protected]:/system/xbin # cat myfile
test
[email protected]:/system/xbin # mount -o ro,remount /dev/block/mmcblk0p35 /system
[email protected]:/system/xbin # ls
daemonsu
dexdump
dexus
nc
su
PUFF after remounted /system in readonly my file is disappeared. Any idea about this?
NOTE: If I try to re-execute the commands, my HTC restarts itself ... EDIT 2: As you could see in the 'ls' command output, in /system/xbin exist 'su' installed with a root tool. How could this root tool install 'su' permanently?