Root Exploit - Xperia Z2 Tablet General

Hey guys,
I was looking at the newly patched (for 4.4.3) exploit.
It is patched in our .402 firmware but is exploitable in .69.
Update: Exploit is released, see primary thread: http://forum.xda-developers.com/showthread.php?t=2781109
-----------------------------------------------------------------------------------------
With it, a friend and I have managed to take out SELinux:
Code:
$ getenforce
Permissive
Edit: And now my device is rooted! Sweet! Time to back up TA.
Edit#2
I/sh (12494): I am running as..
I/sh (12494): uid=0(root) gid=0(root) context=u:r:vold:s0
I/sh (12494): Backing up TA..
I/sh (12494): lrwxrwxrwx root root 1970-03-20 09:35 TA -> /dev/block/mmcblk0p1
I/sh (12494): 4096+0 records in
I/sh (12494): 4096+0 records out
I/sh (12494): 2097152 bytes transferred in 0.065 secs (32263876 bytes/sec)
I/sh (12494): Created /data/local/tmp/TA.img -- Checking MD5..
I/sh (12494): 215c7526bb9abea4ae6363c25987bbd0 /dev/block/platform/msm_sdcc.1/by-name/TA
I/SemcPhoneInterfaceManager(12500): QcSemcService is connected.
I/sh (12494): 215c7526bb9abea4ae6363c25987bbd0 /data/local/tmp/TA.img

WOW! this is the most exciting news on this forum yet! Do you have a link to a guide for this exploit?
Sent from my MI 2S using Tapatalk

I would really like to make it a simple process. Right now it is *VERY* ugly!
You have to take out selinux and then replace some files (specific to .69) that let you run root commands from a bash file.
Right now it's just a collection of scripts, an apk and a tar.gz. No checks at all to make sure they are being run correctly.
From what I can tell, this method I am using will work for ALL phones using Android 4.4.2 (unpatched) or earlier.
Although it is using Sony files for the exploit for no other reason than I only cared about rooting my device.

Nice. Hope you can get it polished enough to share soon! Maybe ask for donations too. I'm ordering one soon and I would love root without killing my warranty.
Sent from my MI 2S using Tapatalk

SANGER_A2 said:
Nice. Hope you can get it polished enough to share soon! Maybe ask for donations too. I'm ordering one soon and I would love root without killing my warranty.
Is this good enough?
https://mega.co.nz/#!zBZVnDTZ!tajRYy0F3_lgYDITHlqj3UTPv3bDiEQBUW-bj6JqMKQ

xsacha said:
Is this good enough?
https://mega.co.nz/#!zBZVnDTZ!tajRYy0F3_lgYDITHlqj3UTPv3bDiEQBUW-bj6JqMKQ
Cool. Can't wait to try it out. Will be a while as I'm not ordering the tablet for about a week. I'm fine with linux, but ADB looks like a complete PITA to install on it, plus having to mess around configuring the USB to talk to the tablet. I've used ADB lots on Windows with no issues and will probably run the commands from there instead. I don't quite understand the "&& \" at the end of each adb command. Is that needed if using ADB in windows?
I'm trying to figure out how it all works and I can understand most of what you have done. I assume the exploit.apk gives su. Is this temporary until a reboot or permanent? And does it mean we have to have the app installed permanently or can it be uninstalled afterwards? Then, you copy and make the scripts & binaries executable. But you don't seem to run the scripts? Do the scripts need to be run on the device in a terminal emulator to backup the TA partition and mount the new volume with vold?

Damn, already updated to .402. Is there anyway to go back to .69?
Great work btw.

star85 said:
Damn, already updated to .402. Is there anyway to go back to .69?
Great work btw.
Yes, just flash .69. I was on .402 as well and found the exploit patched.
SANGER_A2 said:
Cool. Can't wait to try it out. Will be a while as I'm not ordering the tablet for about a week. I'm fine with linux, but ADB looks like a complete PITA to install on it, plus having to mess around configuring the USB to talk to the tablet. I've used ADB lots on Windows with no issues and will probably run the commands from there instead. I don't quite understand the "&& \" at the end of each adb command. Is that needed if using ADB in windows?
I'm trying to figure out how it all works and I can understand most of what you have done. I assume the exploit.apk gives su. Is this temporary until a reboot or permanent? And does it mean we have to have the app installed permanently or can it be uninstalled afterwards? Then, you copy and make the scripts & binaries executable. But you don't seem to run the scripts? Do the scripts need to be run on the device in a terminal emulator to backup the TA partition and mount the new volume with vold?
There was absolutely zero configuration on my Linux distro. In Ubuntu, adb comes in the repos. You don't need drivers on Linux because they are detected as usbnet by default. It literally just works out of the box.
The "&& \" is actually for bash. The && only continues if the previous command succeeds. The \ breaks to next line.
On Windows, you'd use a caret (^) instead of a backslash.
The exploit.apk is used to deploy a shared library owned by system because when a system app tries to load its library, it needs to be owned by system and this is the only way I know how to achieve that.
The exploit is all in vdc (a shell command), which allows us to overwrite files anywhere on the system. So in this instance, ServiceMenu is used. Its library is overwritten with one from exploit.apk. The library simply turns off selinux and then runs whatever is in 'log.command' prop which is in this instance, a shell script. In the script it continues on to the root.
Basically: All apps have system libraries but they can't execute system code unless a system app runs it. System user can turn off selinux. Turning off selinux is required to run as root.
Yes, the scripts get run indirectly. You don't run them yourself because you are only a mere shell user. Vold is not used for anything. It's simply the vehicle for running as root.

Sonny, you win the internets. If I had donation money it would go straight to you.

Thanks for the explanation Sacha. Can't wait to try it. So this lets us back up TA. Does it also provide permanent root, or do we still need to unlock the bootloader and break the warranty to get that?
I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!
Sent from my MI 2S using Tapatalk

SANGER_A2 said:
Thanks for the explanation Sacha. Can't wait to try it. So this lets us back up TA. Does it also provide permanent root, or do we still need to unlock the bootloader and break the warranty to get that?
I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!
Sent from my MI 2S using Tapatalk
Definitely not permanent. Resets on reboot.
I couldn't find anywhere to stick the su binary. /system can't be remounted rw by root. All the other partitions don't let me setuid. If anyone knows where to stick it, that would be appreciated.
Afaik unlocking bootloader shouldn't void warranty? Isn't that one of the reasons for TA. When we flash it back, warranty is valid again?

SANGER_A2 said:
Thanks for the explanation Sacha. Can't wait to try it. So this lets us back up TA. Does it also provide permanent root, or do we still need to unlock the bootloader and break the warranty to get that?
I'll have a play putting adb on Linux tonight. All the guides I found were pretty old!
If your distro doesn't have it in the repos just download and install the official Android SDK. There you only install the "platform-tools".

Thank you very much for this, that's really great news!! As soon as I have time and found out how to flash back to .69 I will try it out. Is there a way to donate to you for your work?
Nevertheless, if I understood it right, this persists only until a reboot, so if I root it and then update back to .402 it will be gone, so there is no way to have root on .402 with a locked bootloader?
Or is it possible to root and backup ta, flash .402 restore ta and lock bootloader AND keep root? That would be awesome!
Thanks
Fleckdalm

fleckdalm said:
Thank you very much for this, that's really great news!! As soon as I have time and found out how to flash back to .69 I will try it out. Is there a way to donate to you for your work?
Nevertheless, if I understood it right, this persists only until a reboot, so if I root it and then update back to .402 it will be gone, so there is no way to have root on .402 with a locked bootloader?
I guess you can donate if you want. I didn't put much time into this and I didn't discover the Android exploit. Most of my projects (like Dingleberry for rooting) have a full UI and everything. I have a donate link on my blog: http://www.qtness.com/blog/
That's correct. if you upgrade to 402, you will not be able to do it. It's a tethered root but being able to backup TA means you can unlock bootloader and lock it again with everything preserved.

xsacha said:
I guess you can donate if you want. I didn't put much time into this and I didn't discover the Android exploit. Most of my projects (like Dingleberry for rooting) have a full UI and everything. I have a donate link on my blog: http://www.qtness.com/blog/
That's correct. if you upgrade to 402, you will not be able to do it. It's a tethered root but being able to backup TA means you can unlock bootloader and lock it again with everything preserved.
Yeah I will support your good work!
So that means I can flash 69 using flash tool and backup ta using your script, then i can flash 402, unlock bootloader, flash cwm and root? But how should I continue then? How can I relock bootloader and restore ta? And are you sure that root and cwm isn't lost during this process? Is there really no way to find out if bootloader was unlocked after doing this (for warranty reasons)? Has somebody successfully tried out this procedure?
Oh, and another problem: I can't find a .69 ftf anywhere for the Wi-Fi only model SGP511?
BTW I have just donated to you

fleckdalm said:
Yeah I will support your good work!
So that means I can flash 69 using flash tool and backup ta using your script, then i can flash 402, unlock bootloader, flash cwm and root? But how should I continue then? How can I relock bootloader and restore ta? And are you sure that root and cwm isn't lost during this process? Is there really no way to find out if bootloader was unlocked after doing this (for warranty reasons)? Has somebody successfully tried out this procedure?
Oh, and another problem: I can't find a .69 ftf anywhere for the Wi-Fi only model SGP511?
BTW I have just donated to you
For the bootloader locking questions, I'm not the best to ask. I am asking about warranty myself on another thread. This is my first sony device so not sure how they operate.
Don't know. I use sgp521.
Technically anything before firmware .402 should work.

Success!
xsacha, GREAT work!
Successfully unlocked my bootloader and restored DRM keys! Thanks a lot! Really appreciate your work :good:
And about the warranty: if you lock the bootloader before bringing the device to the service center, they won't be able to find any traces of the bootloader unlock! So with your help we don't need to void our warranty.

nos1609 said:
xsacha, GREAT work!
Successfully unlocked my bootloader and restored DRM keys! Thanks a lot! Really appreciate your work :good:
So you have done it like this?
flash 69 using flash tool and backup ta using the script, then flash 402, unlock bootloader, flash cwm and root.
But how should I continue then? How can I relock bootloader and restore ta?

fleckdalm said:
But how should I continue then? How can I relock bootloader and restore ta?
Just put the backup on your INTERNAL sdcard and then from adb under su type: "dd if=/sdcard/TA.img of=/dev/block/platform/msm_sdcc.1/by-name/TA"
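The backup in the first post (dd of the TA block device, then an md5 of the device and of the image) and the restore command above are the two halves of one procedure. What follows is an added example, not code from the thread or from xsacha's script, that wraps both with the checks a practitioner would want: the copy is size- and hash-checked against the device immediately, the hash is recorded next to the image, and a restore refuses to write an image whose hash no longer matches that record. It assumes a root shell (the TA device is not readable as the shell user) and an md5sum command (busybox or GNU; on a stock 4.4 toolbox the equivalent is md5, so set MD5=md5). TA_DEV and TA_IMG default to the paths quoted in the thread; the function names are mine.

```shell
# Added example (not from the thread): back up a raw partition with dd, verify the
# copy by hash and size, record the hash, and refuse to restore an image that no
# longer matches that record. Defaults are the Xperia Z2 Tablet paths quoted in
# the thread; override TA_DEV/TA_IMG/MD5 to suit (MD5=md5 on stock 4.4 toolbox).
TA_DEV="${TA_DEV:-/dev/block/platform/msm_sdcc.1/by-name/TA}"
TA_IMG="${TA_IMG:-/data/local/tmp/TA.img}"
MD5="${MD5:-md5sum}"

# First field of "md5sum FILE" output (same layout as the md5 lines in the thread).
hash_of() {
    "$MD5" "$1" | cut -d' ' -f1
}

# Byte count of a file or block device (reads the device through).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# backup_ta DEV IMG: dd DEV to IMG, then compare size and hash of source and copy.
# On success prints the hash and writes it to IMG.md5 for later restore checks.
backup_ta() {
    dev="$1"; img="$2"
    dd if="$dev" of="$img" bs=4096 2>/dev/null || { echo "dd from $dev failed" >&2; return 1; }
    [ "$(size_of "$dev")" = "$(size_of "$img")" ] || { echo "size mismatch" >&2; return 1; }
    src=$(hash_of "$dev"); dst=$(hash_of "$img")
    [ "$src" = "$dst" ] || { echo "hash mismatch: $src != $dst" >&2; return 1; }
    echo "$dst" > "$img.md5" || return 1
    echo "$dst"
}

# restore_ta IMG DEV: write IMG back to DEV only if IMG still matches IMG.md5,
# then re-read DEV and check that it now carries the expected hash.
restore_ta() {
    img="$1"; dev="$2"
    [ -f "$img.md5" ] || { echo "no $img.md5 recorded, refusing to write" >&2; return 1; }
    expected=$(cat "$img.md5"); actual=$(hash_of "$img")
    [ "$expected" = "$actual" ] || { echo "image hash changed ($actual), refusing to write" >&2; return 1; }
    dd if="$img" of="$dev" bs=4096 2>/dev/null || { echo "dd to $dev failed" >&2; return 1; }
    [ "$(hash_of "$dev")" = "$expected" ] || { echo "device re-read does not match" >&2; return 1; }
}

# On the device:  backup_ta "$TA_DEV" "$TA_IMG"    and later    restore_ta "$TA_IMG" "$TA_DEV"
```

Copy the .md5 file along with TA.img when you move the backup to the internal sdcard; without it restore_ta refuses to write, which is the point, since a truncated or modified TA image written back to the device is what destroys the DRM keys this whole exercise is meant to preserve.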

nos1609 said:
Just put the backup on your INTERNAL sdcard and then from adb under su type: "dd if=/sdcard/TA.img of=/dev/block/platform/msm_sdcc.1/by-name/TA"
Thanks! I will try it out as soon as I get a 69 ftf for my model...

Related

[ROOT] Stock ICS Leak One-Click Root Tool

Hi all!
First off, I'm new to XDA Developers, so please excuse me if this is in the wrong forum! I thought I'd post information about a tool I wrote here which roots the stock 4.0.3 leak on the A500, A501 and presumably the A200 too. It's literally one click - just enable USB debugging. "ICS Root" also installs, optionally, FaceLock and Trebuchet (although FaceLock doesn't want to work. It lets you set it up though =P)
Since version 5.0.1 this also now works with the new 0.022.00 leak!
The full post is over at TegraOwners: http://forum.tegraowners.com/viewtopic.php?f=30&t=350
The only real system requirements are Windows (with .Net Framework 4) and an Iconia on the stock 4.0.3 leak. I hope somebody finds this useful; it's been tested by myself and a couple of TegraOwners users and it works well.
In terms of the technique used, it uses the great Jay Freeman's mempodroid exploit to gain root at which point it mounts /system rw and installs su, busybox and Superuser.apk so no real surprises there. Installing Trebuchet adds that apk to /system/app and installing FaceLock installs the apk to /system/app before installing the pittpatt folder to the flexrom (mounted as /system/vendor). I plan to open source it when all the requested features have been implemented and the code has been cleaned up.
Thanks!
~blackthund3r
EDIT 14/05/2012: ICS Root 7 is out enjoy!
Sent from my A500 using Tapatalk
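The OP's description of what the tool does once mempodroid has given it root (mount /system rw, then install su, busybox and Superuser.apk) is the same sequence one would type by hand from a root shell. The following is an added example, not ICS Root's code or blackthund3r's script: it assumes the root shell is already there (that part is the exploit), assumes the usual /system/xbin/su and /system/app/Superuser.apk locations with modes 6755 and 0644, and the function names are mine. Point the SYSTEM argument at a scratch directory to dry-run the file handling as a normal user; remount_rw only does anything useful as root on the real partition.

```shell
# Added example, not part of ICS Root or the leak thread: the manual version of
# "remount /system rw and install su / Superuser.apk" from a root shell.
# SYSTEM is /system on the device; use a scratch directory for a dry-run.

# remount_rw DIR: re-mount an already-mounted partition read-write. Needs uid 0,
# and since the rw state is lost at reboot it has to be repeated each boot.
remount_rw() {
    mount -o remount,rw "$1"
}

# mode_of PATH: the 10-character permission string ls reports (-rwsr-sr-x etc.).
# Read through ls rather than stat so it works on toolbox, busybox and GNU alike.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# install_system_file SRC DST MODE EXPECT: copy SRC to DST, make it root-owned,
# set MODE, then verify the resulting mode string equals EXPECT.
install_system_file() {
    src="$1"; dst="$2"; mode="$3"; expect="$4"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")" || return 1
    cp "$src" "$dst" || return 1
    # chown only succeeds as root; in a dry-run as a normal user the file stays ours.
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$dst" || return 1; fi
    chmod "$mode" "$dst" || return 1
    [ "$(mode_of "$dst")" = "$expect" ] || { echo "bad mode on $dst: $(mode_of "$dst")" >&2; return 1; }
}

# install_su SU_BIN SYSTEM: su must be root-owned and setuid/setgid root (6755),
# otherwise callers simply get their own uid back.
install_su() {
    install_system_file "$1" "$2/xbin/su" 6755 "-rwsr-sr-x"
}

# install_superuser_apk APK SYSTEM: system apps are plain 0644 files under /system/app.
install_superuser_apk() {
    install_system_file "$1" "$2/app/Superuser.apk" 0644 "-rw-r--r--"
}

# On the device, as root:
#   remount_rw /system && install_su /data/local/tmp/su /system && install_superuser_apk /data/local/tmp/Superuser.apk /system
```

The mode check at the end of install_system_file is the part worth keeping: a partition that silently drops the setuid bit, or a remount that did not actually take, shows up there rather than as a "not rooted" report from some app later on.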
cwm version?
why would it not work with cwm version?
With this tool does system remain writeable after rooting?
What about flashing CWM with acer recovery installer once rooted? I guess it would screw the bootloader...
lowsum said:
What about flashing CWM with acer recovery installer once rooted? I guess it would screw the bootloader...
If you are on the cwm with the HC boot loader it should work, as Its Magic will be run.
If you are on the new boot loader, as in the full non-modded leak, it will give you a secure boot error.
The new boot loader blocks Its Magic.
Thanks
Hey, this worked easy. I had to re-install USB drivers and make sure I had the latest from Google. Other than that, hit the button, wait about 1.5 minutes, and it rebooted! No problems thus far! Thanks again!
JeanBubu said:
why would it not work with cwm version?
It would but the cwm one, afaik, is prerooted?
Sent from my A500 using Tapatalk
Root doesn't work like it's supposed to. I know it's only half root due to the bootloader, but terminal emulator flat out says I'm not rooted after this despite Sixaxis working and Titanium Backup/Root Checker both saying I have root and busybox. I'm going to post this on TO as well for you in case you don't check here often.
nifterific said:
Root doesn't work like it's supposed to. I know it's only half root due to the bootloader, but terminal emulator flat out says I'm not rooted after this despite Sixaxis working and Titanium Backup/Root Checker both saying I have root and busybox. I'm going to post this on TO as well for you in case you don't check here often.
That's strange, 'cos terminal works for me and running su in an adb shell works great too.
Code:
$ export PATH=/data/local/bin:$PATH
$ su
# exit
$ su
#
Sent from my A500 using Tapatalk
SteamBishop said:
Hey this worked easy. I had to re-install USB drivers and make sure I had the latest from Google. Other then that, hit the button, wait about 1.5 minutes, and it rebooted! No problems thus far! Thanks Again!
You're welcome and I'm glad it worked!
Sent from my A500 using Tapatalk
After reading the other post, I have found that I cannot write to the system directory from the device itself. The folder attributes indicate that it is set to write, however File Explorer HD will not let me. I have tried to create a folder in the /system and it will not accept the addition. The strange thing is that Root Check says it is rooted, File Explorer HD accepts putting it into Root Explore, but that is it. It is odd. I will try to reapply the Root to see if that makes a difference.
SteamBishop said:
After reading the other post, I have found that I cannot write to the system directory from the device itself. The folder attributes indicate that it is set to write, however File Explorer HD will not let me. I have tried to create a folder in the /system and it will not accept the addition. The strange thing is that Root Check says it is rooted, File Explorer HD accepts putting it into Root Explore, but that is it. It is odd. I will try to reapply the Root to see if that makes a difference.
Please, read the OP before bringing this up. This method is for half root; it's the only way possible right now on the stock leak ICS. There is a special script you need to use to mount system. You can find it in the stock leak thread; run it in terminal or use ROM Toolbox and set it as a script to run at boot, because rebooting loses write privileges.
nifterific said:
Please, read the OP before bringing this up. This method is for half root; it's the only way possible right now on the stock leak ICS. There is a special script you need to use to mount system. You can find it in the stock leak thread; run it in terminal or use ROM Toolbox and set it as a script to run at boot, because rebooting loses write privileges.
Sorry for offending you and whoever else it did. Thank you for pointing that script out in that post. My intent was to offer a second comment to your assessment..
nifterific said:
Please, read the OP before bringing this up. This method is for half root; it's the only way possible right now on the stock leak ICS. There is a special script you need to use to mount system. You can find it in the stock leak thread; run it in terminal or use ROM Toolbox and set it as a script to run at boot, because rebooting loses write privileges.
I have a better script which I'll be releasing as an update to the root app this morning hopefully. It'll be a terminal command to remount rw.
Sent from my A500 using Tapatalk
New update out!!
blackthund3r said:
I have a better script which I'll be releasing as an update to the root app this morning hopefully. It'll be a terminal command to remount rw.
Sent from my A500 using Tapatalk
Version 3 came out this morning
It features some bug fixes as well as a completely new remount menu which mounts /system rw properly on the fly. Tested with a busybox installer app
Enjoy!
Thanks for your tool blackthund3r !
I tried it with the new leak from this morning and it doesn't seem to work anymore
Edit :
Just to be a little more specific, the app says the process was OK and states that the tablet is rooted, but the tablet doesn't reboot by itself and su is not installed. I tried to install su manually but it's unable to find a previous su package on the system.
paugustin said:
Thanks for your tool blackthund3r !
I tried it with the new leak from this morning and it doesn't seem to work anymore
Edit :
Just to be a little more specific, the app says the process was OK and states that the tablet is rooted, but the tablet doesn't reboot by itself and su is not installed. I tried to install su manually but it's unable to find a previous su package on the system.
Ah okay, it appears a completely new leak has been released. It is possible that the mempodroid exploit has been patched up. I'm gonna look into it soon. I can't do much tonight - I have school work. I'll see what can be done and what the differences between leaks are.
Sent from my A500 using Tapatalk
EDIT: mempodroid hasn't been patched See ICS Root v3.1
Hi blackthund3r
Thanks for the update 3.1, but could you please fix the problem on your hosting website? Clicking on this file sends you to an error warning.
The other files can be downloaded though.
can someone post a mirror to the 3.1 version? current link is not working.
can somebody also confirm, if i root with this tool, i will be able to reinstall my clockworkmod recovery through 'acer recovery installer' and flash any other cwm rom? or do i have to downgrade to honeycomb 3.01, install iconiaroot for honeycomb and then acer recovery installer?
Gersma,
I'll be able to answer your question as soon as I'm able to download this tool and test it.

[Q] Rooting official 2.3.5 wirelessly

Hello!
How can one root official 2.3.5 rom without connecting to usb and adb?
The goal is to install custom ICS on U8800 that has no usb port - completely broken and even not charging phone. No warranty and repair cost is close to actual phone cost. So repairing is not an option.
Wireless adb app requires root first - so it is not an option for me also.
Any help is appreciated - I need ICS because I need an IPsec VPN, which is not available in Gingerbread.
I am ready to test any operation you suggest - I don't fear to brick the phone, need no backups.
It's impossible. I have one USB broken u8800 and that's why I use cm7 (.32) on it.
Sent from my U8800 using Tapatalk 2
Qqqxxxzzz said:
It's impossible. I have one USB broken u8800 and that's why I use cm7 (.32) on it.
Sent from my U8800 using Tapatalk 2
There is nothing impossible I believe
Maybe we could find the trick - gingerbreak works on some roms - another fine exploit maybe.
I don't know - worth a try I think.
tranced1 I might have 1 possible solution for you. I've rooted my 2.3.5 some time ago and I've done a backup of boot.img.
I remember with froyo we could root it with boot.img "rooted". I bet this won't work on 2.3.5, but who knows right?
If you want to give it a try, I'll upload that boot.img for you.
EDIT: darn! Totally forgot you can't access bootloader directory without root & damaged usb port
Can't remember another way out... sorry
tranced1 said:
There is nothing impossible I believe
Maybe we could find the trick - gingerbreak works on some roms - another fine exploit maybe.
I don't know - worth a try I think.
Gingerbreak and z4root don't work. The only solution is to build your own exploit.
Sent from my U8800 using Tapatalk 2
Is there any way to flash zip from stock recovery? I saw this root method for some samsung phones.
Does anybody know how to compile such .zip file?
tranced1 said:
Is there any way to flash zip from stock recovery? I saw this root method for some samsung phones.
Does anybody know how to compile such .zip file?
compiling zip is easy. Your problem is that we don't know how to sign it correctly.
Sent from my GT-P1000 using Tapatalk 2
I believe that you can use terminal emulator and zergrush exploit to root the phone.
The automatic root methods basically push the needed files to /data/local, change permissions, etc. All of this can be done with Linux commands, which are available from a terminal emulator. So I don't think that you need the USB cable to root the device. You can try investigating the runme.bat file from DooMLoRD's root method and give the commands manually after you have put the files from the files directory on the sdcard.
dancer_69 said:
I believe that you can use terminal emulator and zergrush exploit to root the phone.
The automatic root methods basically push the needed files to /data/local, change permissions, etc. All of this can be done with Linux commands, which are available from a terminal emulator. So I don't think that you need the USB cable to root the device. You can try investigating the runme.bat file from DooMLoRD's root method and give the commands manually after you have put the files from the files directory on the sdcard.
adb can access the phone as root user - from terminal file system is read-only, so even first step permission denied
Yes, you are right about that.
But, check this thread:
http://forum.xda-developers.com/showthread.php?t=1716068
the last post.
EDIT:
After reading the description on the first post of gingerbreak, I had another idea.
It seems that gingerbreak uses the sd card to temporarily store the files necessary for root. So, maybe you can replace these files (and especially the exploit) with those of DooMLoRD's root app before you press the root button, so as to use the working zergrush exploit.
This is the B528 root bat script:
http://pastebin.ca/raw/2163499
Code:
@adb wait-for-device
@echo --- DEVICE FOUND
@echo --- reboot to bootloader
@adb reboot-bootloader
@echo --- flash the rooted bootimage
REM boots the patched boot.img over USB via fastboot: the step highlighted in red in the original post
@fastboot boot boot.img
@echo --- reboot to normal mode
@fastboot reboot
@echo --- wait for adb connect
@adb wait-for-device
@echo --- DEVICE FOUND
REM with the exploited boot image running, remount /system read-write (the rest of the script installs busybox, su and SuperUser.apk)
@adb remount -t yaffs2 /dev/block/mtdblock3 /system
Your problem is in red... you have to flash the exploited boot image. The rest is just installing busybox, su and SuperUser.apk.
You have the stock recovery which allows you to flash .zip files, but they have to be signed correctly and I don't think that's possible.
VuDuCuRSe said:
This is the B528 root bat script:
http://pastebin.ca/raw/2163499
Your problem is in red... you have to flash the exploited boot image. The rest is just installing busybox, su and SuperUser.apk.
You have the stock recovery which allows you to flash .zip files, but they have to be signed correctly and I don't think that's possible.
To boot a different boot image, you have to use USB, at least on fastboot.
dancer_69 said:
Yes, you have right about that.
But, check this thread:
http://forum.xda-developers.com/showthread.php?t=1716068
the last post.
EDIT:
After reading the description on the first post of gingerbreak, I had another idea.
It seems that gingerbreak uses the sd card to temporarily store the files necessary for root. So, maybe you can replace these files (and especially the exploit) with those of DooMLoRD's root app before you press the root button, so as to use the working zergrush exploit.
Thanks for the clues, but it seems there is no way - I can't execute the exploit via ssh - permission denied. I can't even chmod it.
Gingerbreak completely not working - no files created on sdcard.
I didn't find any other way on the net. There are several discussions of this problem but no solution. I think that the only way is to do it from an app. You can contact the creator of gingerbreak or z4root to ask for it. Also I'll try to make an app myself, but my Android development knowledge is very basic, so don't count too much on this. If I have some kind of success I'll contact you via PM.
EDIT:
Try this mod, and if you are lucky...
dancer_69 said:
I didn't find any other way on the net. There are several discussions of this problem but no solution. I think that the only way is to do it from an app. You can contact the creator of gingerbreak or z4root to ask for it. Also I'll try to make an app myself, but my Android development knowledge is very basic, so don't count too much on this. If I have some kind of success I'll contact you via PM.
EDIT:
Try this mod, and if you are lucky...
No I am obviously not the lucky one
My android development knowledge is zero, so if you can run zergRush from executable area it will be a very good start.
And I want to thank everybody for your support.
So, it doesn't work?
I just updated the file, so give it another try.
Also, check if you have logcat and USB debugging enabled (it is needed for other methods, so maybe it's needed here too).
dancer_69 said:
So, it doesn't work?
I just updated the file, so give it another try.
Also, check if you have logcat and USB debugging enabled (it is needed for other methods, so maybe it's needed here too).
Logcat: Cannot copy boomsh. : Permission Denied
I will revert to first beta now - and will test if it will work
I suppose this logcat message is for the z4root fail. Unfortunately I don't know what boomsh is. I just decompiled the apk and replaced the exploit, busybox, superuser and su files with those from DooMLoRD's root files directory.
So, easy solution didn't work. If I have something else I'll let you know.
EDIT:
I get some info about "cannot copy boomsh"
The exploit creates this file when run. This message appears when this file already exists and needed to be deleted from /data/local/tmp.
I checked z4root-mod on my device(which is already rooted and with ICS custom rom), and I get this message too.
The problem is that this file doesn't exist on my device, so I cannot delete it.
I read on a forum that these apps(as z4root) run better after a fresh boot. So, install the latest apk(has newer files), reboot the device and run z4root again.
z4root is a froyo root exploit (I think) and seems "dead" for a long time.
Check Chainfire's Gingerbreak: http://forum.xda-developers.com/showthread.php?t=1044765

Root without PC (boot loader already unlocked)

Hey
So I WAS rooted until KitKat update and now I'm not. Wasn't a problem as I wasn't doing things that needed root access for a while, but I need to now.
Only issue is that I don't have access to any PC/laptop right now.
Is there a way I can root/gain superuser without a PC? I could have sworn I did this once before but it eludes me now.
Bootloader is already unlocked
Sent from my Nexus 7 using xda app-developers app
Xiorell said:
Hey
So I WAS rooted until KitKat update and now I'm not. Wasn't a problem as I wasn't doing things that needed root access for a while, but I need to now.
Only issue is that I don't have access to any PC/laptop right now.
Is there a way I can root/gain superuser without a PC? I could have sworn I did this once before but it eludes me now.
Bootloader is already unlocked
Sent from my Nexus 7 using xda app-developers app
Framaroot? Dunno if it works with KitKat but u could try it out.
Merry Christmas!
Smack that thanks button If I helped!
Always make a nandroid backup before trying anything risky.
I do respond to questions (most) via PM.
Sent from my fabulous N7105 powered by Illusion ROM and Plasma Kernel.
Sent from dat small country called Singapore.
P.S. Quote my post for replies ASAP.
If you still have a custom recovery installed, download SuperSU from http://download.chainfire.eu/supersu and flash it in recovery.
farmerbb said:
If you still have a custom recovery installed, download SuperSU from http://download.chainfire.eu/supersu and flash it in recovery.
How the heck are u getting custom recovery without root?
Smack that thanks button If I helped!
Always make a nandroid backup before trying anything risky.
I do respond to questions (most) via PM.
Sent from my fabulous N7105 powered by Illusion ROM and Plasma Kernel.
Sent from dat small country called Singapore.
P.S. Quote my post for replies ASAP.
Irwenzhao said:
How the heck are u getting custom recovery without root?
Smack that thanks button If I helped!
Always make a nandroid backup before trying anything risky.
I do respond to questions (most) via PM.
Sent from my fabulous N7105 powered by Illusion ROM and Plasma Kernel.
Sent from dat small country called Singapore.
P.S. Quote my post for replies ASAP.
custom recovery can be installed without root too... after going to recovery it gives option to root
IF you do not have a custom recovery installed and you have no access to fastboot then you need to find a root exploit to run under the installed OS which gives you a privilege escalation.
If I was aware of one, I would say so, but I really haven't been looking around. Seems like it might be easier to "borrow" a PC to get the job done.
One of the curiosities of working with devices like the Nexus series is that because they are so easily unlocked & flashed using sanctioned vendor methods, there are few N7 devs/hackers that concern themselves with "rooting" the factory ROM. Why bother, right?
So, when there is a widespread linux kernel exploit or generic Android exploit, the Nexus series owners get the benefit of devs developing working exploits for other devices, but not usually until then.
BTW, if you can "borrow" a friend's machine, you don't need to screw it up installing the SDK and a bunch of drivers - you can simply put the linux version of fastboot (plus your "flashables") onto a thumbdrive, boot that PC into a linux "live CD" distro, and run fastboot from linux. No drivers needed; just run fastboot as the "root" user. Hopefully it's not a UEFI-only BIOS.
That sidesteps having to muck someone else's Win-doze box up. You just borrow their hardware, not their operating system. Just mount the USB key, copy the fastboot executable someplace (/tmp?), chmod 755 it, and run it as root.* A lot of those "live" CDs (e.g. Ubuntu) have a file explorer on the desktop that allows you to mount different media devices it detects (including USB sticks, etc), so you don't really need to be much of a linux wizard to use this approach.
good luck
* some time ago, it seemed that you may have needed to make sure to also grab the supporting link-libraries along with the linux fastboot executable, as it is dynamically linked. I remember doing this in the past, e.g.
assuming you have the "fastboot" executable, its supporting libs and your custom recovery image in the root folder of a USB key:
Code:
$ sudo /bin/bash
# mkdir /tmp/foo
# cp /mnt/usbstorage/* /tmp/foo
# chmod 755 /tmp/foo/fastboot
# export LD_LIBRARY_PATH=/tmp/foo:/lib:/usr/lib:/usr/lib/i386-linux-gnu
# cd /tmp/foo
# ./fastboot devices
# ./fastboot flash recovery ./custom-recovery-image.img
I just checked fastboot on my Ubuntu 12.04 VM, and
Code:
$ objdump -x `which fastboot` | grep NEEDED
NEEDED libstdc++.so.6
NEEDED libm.so.6
NEEDED libgcc_s.so.1
NEEDED libc.so.6
all of those libs are included in various places in the distro, so even though the fastboot binary is dynamically linked, you don't need to provide the dynamic link libraries (or use LD_LIBRARY_PATH) in that case.

[Q]Flashing bootlogo MXPE 6.0 Custom Rom Custom Kernel

Is there a flashing bootlogo for MXPE 6.0 Custom Rom & Custom Kernel guide?
Screenshot below as to what I am running on my phone. I am specifically looking to replace the unlock bootloader warning bootlogo with something nice.
About Phone:
Hitti2 said:
Is there a flashing bootlogo for MXPE 6.0 Custom Rom & Custom Kernel guide?
Screenshot below as to what I am running on my phone. I am specifically looking to replace the unlock bootloader warning bootlogo with something nice.
About Phone:
This thread has what you need to get rid of the unlocked bootloader warning. Make sure you read carefully and get the marshmallow logo for your rom.
Here's a kernel tuning guide.
jason2678 said:
This thread has what you need to get rid of the unlocked bootloader warning. Make sure you read carefully and get the marshmallow logo for your rom.
Here's a kernel tuning guide.
It says it's for
LPH23.116-18
Mine is
Hitti2 said:
It says it's for
LPH23.116-18
Mine is
The one attached to the OP is for lollipop. You need the marshmallow one that Spasticdroid posted about a dozen pages in.
Gotya.
As if you hadn't known, I am new at this.
What can I use to get the location for the logo after downloading.
Is there like a copy url in es file explorer?
Then I can paste then write it down on paper.
Hitti2 said:
Gotya.
As if you hadn't known, I am new at this.
What can I use to get the location for the logo after downloading.
Is there like a copy url in es file explorer?
Then I can paste then write it down on paper.
The easiest thing to do would be to download it to a computer, unzip it, and use fastboot to flash logo.bin with the command in the OP of the logo thread.
Alternately you could probably use dd to flash it if you don't have access to a PC or just don't want to use one. I have not tested and would not recommend that.
Fastboot worked fine. It is far too easy to make a typo and trash your phone with dd; it isn't nicknamed disk destroyer for no reason. Assuming you download it to the default folder, unzip it there with a utility like es file explorer, and are the primary user of this device the command would look like this:
Code:
su
dd if=/data/media/0/Download/logo.bin of=/dev/block/mmcblk0p31
If you do go this route and get a command not found for dd, then you probably need to install busybox. Triple check all your inputs if you do this. Typos with dd can be nasty. I've modded plenty of devices this way, but just use fastboot when it is available. The syntax is easier with fastboot, and you don't have to worry about writing to the wrong block device since it handles them all by name.
Thanks a bunch. Before I proceed
Is there a way to backup the unlocked bootloader logo?
So if I ever need to replace it back.
Preferably through fastboot. I've got a PC ready for adb and fastboot.
Hitti2 said:
Is there a way to backup the unlocked bootloader logo?
Essentially just reverse the arguments in the command I posted above.
Code:
su
dd if=/dev/block/mmcblk0p31 of=/data/media/0/Download/logo.img
That should leave you with an image of the logo partition in your /sdcard/Download folder.
jason2678 said:
Essentially just reverse the arguments in the command I posted above.
Code:
su
dd if=/dev/block/mmcblk0p31 of=/data/media/0/Download/logo.img
That should leave you with an image of the logo partition in your /sdcard/Download folder.
Do I have to use dd to backup the logo? Is there a cmd in fastboot or adb?
Thnx.
Hitti2 said:
Do I have to use dd to backup the logo? Is there a cmd in fastboot or adb?
Thnx.
You could use adb shell, but that just lets you use your computer keyboard instead of trying to type in a terminal app. The command to get a single partition remains the same.
There is an app called Partitions Backup & Restore that can handle this without any command line use. It's available on the play store.
jason2678 said:
You could use adb shell, but that just lets you use your computer keyboard instead of trying to type in a terminal app. The command to get a single partition remains the same.
There is an app called Partitions Backup & Restore that can handle this without any command line use. It's available on the play store.
Yea, I don't think I can use dd.
http://www.noah.org/wiki/Dd_-_Destroyer_of_Disks#Why_use_dd_instead_of_cp.3F
For linux. I am on a WIn7x64 computer.
And for Partitions Backup & Restore
one comment
Bricked. So it kinda works. It did keep my phone's efs/imei info. But upon reinstalling by phone was stuck in bootloop. I had to set my phone back to Android 4.0 which means some newer apps do not not work. & trying to reinstall different/newer android ROM is now impossible. I was barely able to get it back to working condition, but now slower than before. Unless you know how to reprogram the partitions, i would not mess with this app.
I think Ima leave the bootlogo alone.
Hitti2 said:
Yea, I don't think I can use dd.
http://www.noah.org/wiki/Dd_-_Destroyer_of_Disks#Why_use_dd_instead_of_cp.3F
For linux. I am on a WIn7x64 computer.
You're correct, dd is part of GNU coreutils, but you'll be able to use it even if you use adb shell from a windows computer. The dd binary resides on your phone (which is pretty much a linux environment, just android/linux instead of GNU/linux), not on the computer.
I don't think dd is there by default in a typical stock rom, but busybox adds the utilities stock android leaves out. I'm using busybox on rails from the play store with this phone.
I've been using linux for about 15 years, so have a comfortable, if uneasy, feeling for using dd. It is a powerful tool, but it is not fault tolerant and you usually have to run it as root to get the job done. Make a little typo or have an absent minded moment and reverse the if and of arguments and you can have a really bad day.

[Thor][Apollo] Unlocking bootloader with any firmware

Hello. At first, I did not invent anything new, just checked some of my guesses on another motherboard. All thanks and credits to our great developers. As always, all at your own risk.
It does not work on the Fire HDX 8.9 (Saturn)!
All steps in this manual are not necessary, but they are present for maximum safety. So I highly recommend doing everything exactly this way. Sorry for my English, as always =)
Update2 - actual method is https://forum.xda-developers.com/showpost.php?p=75284993&postcount=1006
Update: now you can use updated draxie's utility - http://forum.xda-developers.com/kindle-fire-hdx/general/multi-platform-1-click-bootloader-t3241014
Prerequisites for Installation
- Root
- Installed adb and fastboot drivers - official - https://drive.google.com/open?id=0B2twXJIOgv-UWWdwRl9TQS11b0k (if your system language is not English, after the failure navigate to "Program Files (x86)\Lab126\drivers" and run dpinst.exe /EL, or switch to English =); for x64 you need to disable driver signature verification before install). Also you can use pdanet drivers - http://forum.xda-developers.com/showpost.php?p=59268023&postcount=8
Manual:
1. Create unlock file following this instruction - https://forum.xda-developers.com/ki...r-firmware-t3463982/post70881555#post70881555
2. Flash the old vulnerable aboot and cubed twrp (just in case). Check that all these commands executed without errors. If you get one, read the second post below. If your firmware is <=13(14)3.2.3.2, skip this step.
Download aboot and twrp for Thor (Kindle Fire HDX 7) https://drive.google.com/open?id=0B2twXJIOgv-UMGxXMUZPZTlZTUk or for Apollo (Kindle Fire HDX 8.9) - https://drive.google.com/open?id=0B2twXJIOgv-URzJDQkczNzRLaHM - and put these two files (twrp_cubed.img and aboot_vuln.mbn) into the root of your kindle internal storage.
Run:
Code:
adb shell
su
dd if=/sdcard/twrp_cubed.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
dd if=/sdcard/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
Now you have a working twrp recovery. It already works even without an unlocked bootloader. You can boot into it by holding volUP during the grey kindle logo. But no need to flash anything until unlock. At this point this is just an emergency tool if something goes wrong =)
3. Flash unlock file.
Now, if you reboot, you will go straight into fastboot because of the old aboot - the newest boot.img can't load with it. If your firmware is <13(14).4.1.1 you need to run "adb reboot bootloader" to boot into fastboot.
Time to flash your unlock file.
Code:
fastboot -i 0x1949 flash unlock 0xmmssssssss.unlock
You must obtain "unlock code is correct".
Grats. You are perfect =)
You can flash:
CM13 - http://forum.xda-developers.com/kin...ment/rom-cm-13-kindle-hdx-2015-11-29-t3259732
CM 12.1 - http://forum.xda-developers.com/kin...ent/rom-cm-12-unofficial-apollo-thor-t3050199
Or stock repacked latest 4.5.5.2 rom - https://drive.google.com/open?id=0B2twXJIOgv-UVFFtN2RYNXNUZ0k (13.x - thor, 14.x - apollo)
Do not flash original stock firmwares.
Regards and thank to all - @dpeddi, @vortox, @draxie, @ggow, @Ralekdev, @jcase, @Hashcode
And greatest thanks for motherboard for my experiments to @MahmudS !
FAQ:
1. If you get "no such file or directory" after su in step 2 (this is possibly SAFESTRAP related), try the next commands:
Code:
adb shell
su
dd if=/storage/emulated/0/twrp_cubed.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
dd if=/storage/emulated/0/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
http://forum.xda-developers.com/showpost.php?p=68751981&postcount=35
I think you can use @draxie's great tool - http://forum.xda-developers.com/kindle-fire-hdx/general/multi-platform-1-click-bootloader-t3241014 - doing step 2 only. But it needs to be tested. Anyway I highly recommend getting your hw IDs before any actions.
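The dd writes in step 2 and in the FAQ above, like the logo.bin writes and backup earlier on this page, go straight to a raw block device with no backup and no check afterwards. As an added example, not part of this guide or any tool it links, the POSIX sh wrapper below refuses swapped or non-device arguments, backs the partition up, writes, and then verifies with md5sum the way the TA backup at the top of the page does; the function names are mine, the paths in the usage comment are this page's.

```sh
#!/bin/sh
# Added example (not from this thread): a cautious wrapper around
# "dd if=image of=/dev/block/...". Only POSIX sh, dd, md5sum, head,
# wc, cut and tr are used, so it also runs under busybox on a device.

# Hex MD5 digest of a file.
digest() {
    md5sum < "$1" | cut -d' ' -f1
}

# Sanity-check a source/target pair before anything is written.
# A source under /dev means if= and of= are almost certainly swapped,
# the exact mistake the thread warns about.
check_pair() {
    src=$1; dst=$2
    case "$src" in
        /dev/*) echo "refusing: source $src is a device node (if/of swapped?)" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "refusing: source $src is not a regular file" >&2; return 1; }
    [ -s "$src" ] || { echo "refusing: source $src is empty" >&2; return 1; }
    [ -b "$dst" ] || { echo "refusing: target $dst is not a block device" >&2; return 1; }
    return 0
}

# Verify that the first N bytes of dst (N = size of src) equal src.
verify_written() {
    src=$1; dst=$2
    size=$(wc -c < "$src" | tr -d ' ')
    want=$(digest "$src")
    got=$(head -c "$size" "$dst" | md5sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Back up dst to backup, write src over dst, then verify.
# No device check here so it can be exercised on plain files;
# safe_flash adds the check for real use.
flash_verified() {
    src=$1; dst=$2; backup=$3
    dd if="$dst" of="$backup" 2>/dev/null || return 1
    # conv=notrunc is harmless on a block device, and keeps a regular
    # file (e.g. a partition image) from being truncated to the image size.
    dd if="$src" of="$dst" conv=notrunc 2>/dev/null || return 1
    sync
    if verify_written "$src" "$dst"; then
        echo "ok: $dst now matches $src ($(digest "$src")); backup in $backup"
        return 0
    fi
    echo "MISMATCH: $dst does not match $src; restore from $backup" >&2
    return 1
}

# Entry point for real use on the device, as root, e.g.:
#   safe_flash /sdcard/twrp_cubed.img \
#       /dev/block/platform/msm_sdcc.1/by-name/recovery /sdcard/recovery-backup.img
safe_flash() {
    check_pair "$1" "$2" || return 1
    flash_verified "$1" "$2" "$3"
}
```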
Daredevil
ONYXis said:
Code:
dd if=/sdcard/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
Great job! So, simply flashing the vulnerable bootloader "just works"...
Are you absolutely positive?
Although I've been expecting this all along
[but wouldn't dare trying, since the HDX is *still* my only tablet],
I'm wondering what the supposed "rollback protection" after 3.2.8 really covers.
Fixed issue (now hidden)
BTW: I get the exact same MD5 hash for both versions of 'aboot_vuln.mbn' (the two 'cubed_twrp.img' are different).
Code:
66b7df0db97c7c2905d1d61199c816a5 13-aboot_vuln.mbn
66b7df0db97c7c2905d1d61199c816a5 14-aboot_vuln.mbn
087e7125c48fcbebcc2f51a9c46379f2 13-twrp_cubed.img
c06799a4a8d48d9dd55aea002def1caf 14-twrp_cubed.img
H[66b7df0db97c7c2905d1d61199c816a5]=aboot-13.3.2.3.2_user_323001720.mbn
Please double-check to make sure Apollo users won't get fried.
You do say that not all steps are necessary. Can you advise if my thinking below sounds correct?
I'm considering adding this to 1-Click; that's why I'm asking.. (If I could also include a surefire way
to root the device beforehand, we'd be all set for a truly 1-Click experience from scratch, modulo
strange Windows behaviour. [if anybody still cares ;-P])
I suppose getting rid of the potentially dangerous anti-rollback-related files is good measure,
but if they had been making any difference, this method shouldn't really work, right?
So, this may not be needed at all.
I'm also thinking that flashing TWRP in the same step -although nice- is not strictly needed.
Would you agree?
Are you absolutely positive?
I tried this with two devices with two firmwares at each, after the rollback-upgrade process, to be sure.
Although I've been expecting this
Same as I. Just need to be checked.
I get the exact same MD5 hash for both versions of 'aboot_vuln.mbn'
Strange, I use same aboots in this tool - http://forum.xda-developers.com/kin...-to-unbrick-kindle-fire-hdx-firmware-t3277197 =) need to fix=)
Re-uploaded aboot from 14.3.2.3.2 - 4A2BE8E374C8D1FCE8E6743AC2D09BB0
Thank you.
I'm also thinking that flashing TWRP in the same step -although nice- is not strictly needed.
Of course. But... why not? And sometimes fastboot flash recovery doesn't work the very first time.
but if they had been making any difference, this method shouldn't really work, right?
So, this may not be needed at all.
This needs to be checked. I really do not like that factory_provision_tool.
But I agree that all magic is just dd'ing of old aboot.
ONYXis said:
I tried this with two devices with two firmwares at each, after the rollback-upgrade process, to be sure.
Sounds good.
ONYXis said:
Same as I. Just need to be checked.
Indeed! And, that's quite a daring achievement. Big thanks for that!
ONYXis said:
Strange, I use same aboots in this tool - http://forum.xda-developers.com/kin...-to-unbrick-kindle-fire-hdx-firmware-t3277197 =) need to fix=)
Re-uploaded aboot from 14.3.2.3.2 - 4A2BE8E374C8D1FCE8E6743AC2D09BB0
Thank you.
I also verified this, just to be sure; and, chose to hide the issue in my post above.
H[4a2be8e374c8d1fce8e6743ac2d09bb0]=aboot-14.3.2.3.2_user_323001720.mbn
ONYXis said:
Of course. But... why not? And sometimes fastboot flash recovery doesn't work the very first time.
I'll see if including the TWRP images in 1-Click pushes the size of the ZIP over the XDA limit.
I suppose I could opt to fetch from the net if it doesn't, but then I need to enable networking for the VM.
ONYXis said:
This needs to be checked. I really do not like that factory_provision_tool.
But I agree that all magic is just dd'ing of old aboot.
Yes. Please check!
draxie said:
Yes. Please check!
Ok. So... Another motherboard with stock 3.2.3.2
Updated it through OTA to 3.2.5 > 4.1.1 > 4.5.2 > 4.5.4 > 4.5.5 > 4.5.5.1 > 4.5.5.2
Rolled back to 3.2.8, updated to 4.5.5.1, Kingroot.
Code:
adb shell
su
dd if=/sdcard/aboot_vuln.mbn of=/dev/block/platform/msm_sdcc.1/by-name/aboot
reboot
Boot into fastboot. At this point you need to have your IDs already!!!
Flash unlock, flash recovery, flash upHDXed 4.5.5.2 rom. Successfully booted up. :fingers-crossed:
OP edited.
ONYXis said:
Rolled back to 3.2.8, updated to 4.5.5.1, Kingroot.
I don't suppose this rollback is essential, is it?
It should work just as well to stop the update before the currently unrootable 4.5.5.2, right?
ONYXis said:
Flash unlock, flash recovery, flash upHDXed 4.5.5.2 rom. Successfully booted up. :fingers-crossed:
Nice. I'll PM you soon with an updated 1-Click, for testing, if you don't mind.
(I cannot [and don't even want to] test this on my only tablet.)
draxie said:
I don't suppose this rollback is essential, is it?
Just checked all variations.
I'll PM you soon with an updated 1-Click, for testing, if you don't mind.
Of course.
Can it work on hdx 8.9?
Although I have registered my 'thanks' on various posts it seems hollow to not explicitly recognize @ONYXis and @draxie for their tremendous contributions supporting this device both past and present. The ability to unlock virtually any rooted 3rd gen HDX is a true game changer that will revive interest in this discontinued gem that still competes nicely with contemporary offerings. Well done, gents!
wizard_mini said:
Can it work on hdx 8.9?
You mean Saturn? No, sorry.
Hi, I can't get the adb driver to work with my German Win 10 64bit.
dpinst.exe /EL starts fine but throws an error while installing.
So I wanted to try the pdanet drivers but I'm not sure how to get my fire into fastboot mode ("- connect your kindle already waiting in fastboot mode with usb cable to pc").
Any help? :>
Maybe you need to disable driver signature verification before install. Google it.
fastboot -
Code:
adb reboot bootloader
ONYXis said:
Maybe you need to disable driver signature verification before install. Google it.
fastboot -
Code:
adb reboot bootloader
Thanks, that worked. Now i have the following problem when trying "python.exe cuberHDX.py 0xmmssssssss": (tried with 64 and 32bit Python + gmpy2, because that seems to be the problem sometimes)
File "cuberHDX.py", line 7, in <module>
from gmpy2 import iroot, mpz
ImportError: DLL load failed: %1 ist keine zulässige Win32-Anwendung. [last part means not a valid win 32 application]
Thanks for your help!
It is a python installation related problem, I'm really not familiar with that. You could post your IDs and I'll create and attach your unlock file.
ONYXis said:
It is a python installation related problem, I'm really not familiar with that. You could post your IDs and I'll create and attach your unlock file.
0x000015
0x1022b00d
Thank you!
RambaaZambaa said:
0x000015
0x1022b00d
Thank you!
Welcome.
Need to unarchive.
ONYXis said:
Welcome.
Need to unarchive.
Next problem :silly:
As long as I'm not su I can cd to the sdcard folder (or storage/sdcard0). But then I can't use the "dd if=/sdcard/twrp_cubed.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery" command.
So when I'm su the command fails and I also can't enter the sdcard folder (no such file or directory). Strange...
RambaaZambaa said:
Next problem :silly:
As long as I'm not su I can cd to the sdcard folder (or storage/sdcard0). But then I can't use the "dd if=/sdcard/twrp_cubed.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery" command.
So when I'm su the command fails and I also can't enter the sdcard folder (no such file or directory). Strange...
Sorry, really don't understand )
Pls, provide screenshot of cmd with your error.
And try to follow the instructions directly. There is no cd command.