Better Mobile App

[UTIL] New Root Method as of 8/13! -> UPDATED 12/30 for NOOBS! <-

Hello everyone!
You may or may not know me, however I have secretly been working behind the scenes with ChiefzReloaded to learn how Android works. Together we have been trying to develop new ways to root the Slide, primarily because we both landed in a sticky situation that left us both without root and without a way to revert to root.
After many long hours of trying to restore my phone, I have now ported the exploid exploit to the MyTouch Slide! This means that you can gain root on any version of the Slide, INCLUDING the latest OTA! However, this isn't necessarily "easy" as in the One-Click Root program, but there are reasons for this. While Android is running we cannot write to /system and even if we force Linux to let us, the NAND protection will prevent Linux from completing the write!
To get started, please see the bottom of this post for the link and download it. You will want to download it to your computer and not your phone's SD card. Also, you will need the tools from the Android SDK. I would suggest extracting the file from my zip at the bottom of this page into the Android SDK's tools directory.
Extract the zip
Make sure your phone is in USB debugging mode AND you are in "Charge Only" mode.
Connect your phone to your computer.
Make sure you're in the same directory as where exploid is extracted before continuing to the next step.
Issue the following command: adb push exploid /sqlite_stmt_journals. Note: It MUST be in that directory - NO exceptions.
Run: adb shell
Run: cd /sqlite_stmt_journals
Run: chmod 0755 exploid
Run: ./exploid
Toggle your phone's Wifi (on or off, however you wish to do that).
Now (again) run: ./exploid (if prompted for a password enter: secretlol)
The next line should now begin with a pound (#) - if not, then something isn't setup right. Make sure to follow the directions verbatim. If you suspect you did follow them correctly, please reply to this post letting me know.
You should now be root! At this point you can do many things, but if you're looking to flash a custom ROM, continue to these instructions:
[NEW 10/18/2010:]
Steps 1-12 are intended to get you the ability to flash mtd0.img (which previously required using the SimpleRoot method) by gaining root inside of Android. By following the instructions in the rest of this section, it will allow you to flash a ROM or S-OFF your device:
The files you need are at: http://forum.xda-developers.com/showthread.php?t=703076- download both files linked in there (ESPRIMG.zip and SlideEng-package.zip)
Extract the contents of SlideEng-package.zip to a place of your choosing on your computer.
Place the entire (unextracted) ESPRIMG.zip on your SDcard.
Now push the files 'flash_image' and 'mtd0.img' that you just extracted from SlideEng-package.zip to /data/local using 'adb push'. (Noob? Instead of using 'adb push', install Droid Explorer and, using that utility, copy the 'flash_image' and 'mtd0.img' files to /data/local on your Slide)
Now I'm going to assume your phone is at root prompt (#) using steps 1-12. So now do (without typing the '#' symbols in front of both lines - they're just there to remind you that you need to be at a '#' prompt):
Code:
# cd /data/local
# chmod 04755 flash_image
# ./flash_image misc mtd0.img
Before you reboot make sure that the ESPRIMG.zip is on your SDcard!
Now turn off the phone.
Then press Volume-Down + Power.
The phone will power on and after about 5 minutes of verifying ESPRIMG.zip it will ask you if you want to flash it.
Press Volume-Up for 'YES' and wait until it finishes (ABSOLUTELY DO NOT POWER DOWN WHILE IT'S STILL FLASHING!!!).
Now when you go into recovery it should allow you to 'Apply update.zip from sdcard' (booting into Clockwork). If you don't have the Clockwork update.zip, here it is: http://www.4shared.com/file/OTRU7T3y/update_2.html (rename to update.zip after downloading since it's currently update_2.zip, then place it on your sdcard).
[/NEW 10/18/2010]
[NEW 12/30/2010]
Optional: Now that you're rooted you might want to disable all flash memory protections so you can permanently flash Clockworkmod (recovery - no more using an update.zip!) as well as other random things. Check here for details: http://forum.xda-developers.com/showthread.php?t=798168
[/NEW 12/30/2010]
CREDIT GOES TO:
[*] ChiefzReloaded! (For helping me learn the intricacies of Android and patiently answering all of my questions)
[*] 743C (For developing the original exploit)
Source code: (Yes, it's hackish. I was just trying to figure out why the system kept rebooting and haven't cleaned up the code since) download
DOWNLOAD:
http://www.4shared.com/file/CZsxSq-f/exploid.html
DONATE:
(Anything helps!)
(Some people may wonder why this is special compared to the One Click Root application. What's important is that One Click Root doesn't work on Slides running production/retail software, likely the same problem I had to fix to get exploid to work in my version.)

Thats whats up!!

If you be trollin then YOU BES TRAWLLIN
But if not then good job nb!
Sent from my T-Mobile myTouch 3G Slide using XDA App

Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!

falken98 said:
Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!
Click to expand...
Click to collapse
Sure, I was getting around to that - and I understand your concern. I'll post it in a second.

falken98 said:
Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!
Click to expand...
Click to collapse
You think nb is distributing a virus disguised as a root method?
Waaaaaat
Sent from my T-Mobile myTouch 3G Slide using XDA App

r0man said:
You think nb is distributing a virus disguised as a root method?
Waaaaaat
Click to expand...
Click to collapse
It is a bit funny, but I do understand his concern. I've posted the source code into the original post. Compiling it should result in the same hash as the binary I posted.

Good to see this I suggested this in another thread glad to see it in use thanks a bunch

nbetcher said:
It is a bit funny, but I do understand his concern. I've posted the source code into the original post. Compiling it should result in the same hash as the binary I posted.
Click to expand...
Click to collapse
Ill take a look at it when I get home.

ilostchild said:
Good to see this I suggested this in another thread glad to see it in use thanks a bunch
Click to expand...
Click to collapse
I actually had to do a lot of work on it. It doesn't quite work the same as the original exploid simply because the original exploid crashes the entire system and reboots. This causes the rootshell to never be committed to NAND and thus you get no where. I had to keep playing with things until I found a different method that works. It took several hours of me being upset with it, but watched the latest Burn Notice, came back to it, and BAM I had a stroke of genius.

where is rootshell? i can't exicute rootshell nor can i "cp" any files from sdcard however i do have a # instead of a $

Armyjon88 said:
where is rootshell? i can't exicute rootshell nor can i "cp" any files from sdcard however i do have a # instead of a $
Click to expand...
Click to collapse
Ignore that portion of the instructions provided by the program. As I stated, this is not intended for non-developers at this point. The # is your indication that you're running as root.
I am headed to work, but I don't usually have much going on there - I will be setting up a much cleaner system/environment for non-developers to work with and perma-root their phones with over the next few hours. Stay tuned!

Sweet
Sent from my T-Mobile myTouch 3G Slide using XDA App

having # and running as root as stated before u can actually follow with eng and then custom recovery and ur choice's rom..pls correct me if im wrong..thanx

statuzz said:
having # and running as root as stated before u can actually follow with eng and then custom recovery and ur choice's rom..pls correct me if im wrong..thanx
Click to expand...
Click to collapse
i'm also wondering the same thing, because i got the exploid working, and i have the # in the shell, but when i go to follow the instructions to flash the eng-release, i can't cd to any different dirs, nor can i push any files to the phone. i have the ESPRIMG.zip copied to my sdcard, so could i just reboot into recovery and flash the nbh from there? any help is appreciated.

nbetcher said:
Ignore that portion of the instructions provided by the program. As I stated, this is not intended for non-developers at this point. The # is your indication that you're running as root.
I am headed to work, but I don't usually have much going on there - I will be setting up a much cleaner system/environment for non-developers to work with and perma-root their phones with over the next few hours. Stay tuned!
Click to expand...
Click to collapse
Let me know if you want to work together on some kind of one-click root app for the Slide. If the commands work through the terminal on the phone itself rather than via adb, I could probably make this into an app already, but since you're working on a more non-developer-friendly version, I'll just wait until that's out

televate said:
i'm also wondering the same thing, because i got the exploid working, and i have the # in the shell, but when i go to follow the instructions to flash the eng-release, i can't cd to any different dirs, nor can i push any files to the phone. i have the ESPRIMG.zip copied to my sdcard, so could i just reboot into recovery and flash the nbh from there? any help is appreciated.
Click to expand...
Click to collapse
I'm delaying the release of my non-developer program for another couple hours.
As far as what you said above, all you need to do after gaining the # prompt is (in a separate window):
adb push flash_image /data/local
adb push mtd0.img /data/local
(switch back to your # adb shell, then type
cd /data/local
chmod 04755 flash_image
./flash_image misc mtd0.img
Then reboot and apply the ESPRIMG.zip. All of these files are found on the same post that I referenced in my OP. These instructions are all in that same page.

televate said:
i'm also wondering the same thing, because i got the exploid working, and i have the # in the shell, but when i go to follow the instructions to flash the eng-release, i can't cd to any different dirs, nor can i push any files to the phone. i have the ESPRIMG.zip copied to my sdcard, so could i just reboot into recovery and flash the nbh from there? any help is appreciated.
Click to expand...
Click to collapse
Im also stuck since im not sure if you can update to eng from the ota..But first i want to personally thank the OP & CR for providing this.

This would be great for a One Click method
this would be nice to work into a one click root!
And This did work for me!

Does this root method gets /system moumted when android running?In short do we finaly get metamorph and root explorer working?

[Q] Questions on the custom boot and system.ext2 images

I read in the bootloader development thread that it'd reached a level where it could almost boot into a custom system image stored on the SD card. Some questions about that:
1. The creation of that image, is it similar to how it's done for use with the XDAndroid project? (The porting of Android to HTC WinMo devices)
2. Is there a way to avoid having to reflash the device after every attempt? It looks like the boot-scripts take control pretty early in the process so having a choice if you want to proceed would be awesome, especially since I can't figure out how to get hold of a bootlog.
Thanks

ddewbofh said:
1. The creation of that image, is it similar to how it's done for use with the XDAndroid project? (The porting of Android to HTC WinMo devices)
Click to expand...
Click to collapse
I have no clue how they do it for XDAndroid, but here's how I created mine:
dd if=/dev/zero of=rootfs.ext2 bs=1M count=512 (for 512Mb fixed size)
mkfs.ext2 rootfs.ext2 (press y to accept)
mount somewhere
copy your stuff into
umount
ddewbofh said:
2. Is there a way to avoid having to reflash the device after every attempt? It looks like the boot-scripts take control pretty early in the process so having a choice if you want to proceed would be awesome, especially since I can't figure out how to get hold of a bootlog.
Click to expand...
Click to collapse
You don't need to re/flash at all. Pressing any key during the bootup will cancel the script and get you back into old good SE's 1.6

zdzihu said:
You don't need to re/flash at all. Pressing any key during the bootup will cancel the script and get you back into old good SE's 1.6
Click to expand...
Click to collapse
I've tried hammering all the keys without any success, since it works for you maybe I'm doing it at the wrong time. Where in the boot process do you do it?
And thanks for the tip about the image, didn't want to risk messing something up since I had to reflash after every try.

ddewbofh said:
I've tried hammering all the keys without any success, since it works for you maybe I'm doing it at the wrong time. Where in the boot process do you do it?
Click to expand...
Click to collapse
Bash them for a while as soon as you see SE logo appearing
ddewbofh said:
And thanks for the tip about the image, didn't want to risk messing something up since I had to reflash after every try.
Click to expand...
Click to collapse
Make sure you either name your image rootfs.img (not .ext2) or edit the init in the ramdisk accordingly.
Cheers

Thanks, that should make things much, much easier.

zdzihu said:
I have no clue how they do it for XDAndroid, but here's how I created mine:
dd if=/dev/zero of=rootfs.ext2 bs=1M count=512 (for 512Mb fixed size)
mkfs.ext2 rootfs.ext2 (press y to accept)
mount somewhere
copy your stuff into
umount
You don't need to re/flash at all. Pressing any key during the bootup will cancel the script and get you back into old good SE's 1.6
Click to expand...
Click to collapse
is there different form flash?

I've figured out why my phone refuses to go back to normal after testing the chroot. It needs grep and the standard sh doesn't provide it nor is there a grep symlink/binary in /system/bin so I'll add those manually.
Anyways, if anyone has a script or something to do all this it would be very helpful. I'm not looking forward to going over tons of symlinks manually.

ddewbofh said:
I've figured out why my phone refuses to go back to normal after testing the chroot. It needs grep and the standard sh doesn't provide it nor is there a grep symlink/binary in /system/bin so I'll add those manually.
Anyways, if anyone has a script or something to do all this it would be very helpful. I'm not looking forward to going over tons of symlinks manually.
Click to expand...
Click to collapse
How about busybox --install -s /your_destination_dir ?

zdzihu said:
How about busybox --install -s /your_destination_dir ?
Click to expand...
Click to collapse
Awesome, thanks. My knowledge about busybox is limited at best so when I saw install listed as a busybox function I assumed it was the "normal" install command.

In the quest for finding a way to use custom kernels I'm playing around with the splboot module but I need to find a way to get hold of dmesg or kmsg from failed attempts. Is there a reliable way to get any of these logs?
I've tried adding a line in the mount_iso script which cats kmsg to a file right before executing the splboot but I'm seeing nothing that would indicate that I'm running anything but the stock kernel.
Any ideas?

[DEV] ICS rooting for kernel 10 users

I finally did it...
http://forum.xda-developers.com/showthread.php?p=25157446#post25157446
Now let's wait for ICS and hope that Sony's one will be built on a "good" kernel.

looks very promising, great work Nesquick
maybe in a week (or little more..) we could test it in practice!
keep up the good work
br
condi

Not exactly sure what this does, but it seems important so good job

This should be very interesting. Thanks for continuing to stay with it.
Sent from my Sony Tablet S using xda premium

Nesquick95 said:
I finally did it...
http://forum.xda-developers.com/showthread.php?p=25157446#post25157446
Now let's wait for ICS and hope that Sony's one will be built on a "good" kernel.
Click to expand...
Click to collapse
But it seems we are unable to chmod without root. So this would require one of our rooted ICS friends to give us the offsets?
chmod not needed in recovery, but it doesn't get root:
/sdcard/n95-offsets
n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit
./mempodroid 0xd9ec 0xaf47 sh
1|@android:/system/bin $ /sdcard/mempodroid 0xd9ec 0xaf47 sh
/sdcard/mempodroid 0xd9ec 0xaf47 sh
1|@android:/system/bin $
Click to expand...
Click to collapse

Too bad...
Well... That's the copy of a successful session, taken from my Galaxy Nexus (see image attached).
Too bad if the exploit doesn't root our ICS release.
Can you please post your run-as (/system/bin/run-as) binary ? I'll try to get the offsets another way.

Nesquick95 said:
Well... That's the copy of a successful session, taken from my Galaxy Nexus (see image attached).
Too bad if the exploit doesn't root our ICS release.
Can you please post your run-as (/system/bin/run-as) binary ? I'll try to get the offsets another way.
Click to expand...
Click to collapse
I've managed to run your bin, got offsets, but still no root...:
Code:
n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit
./mempodroid 0xd9ec 0xaf47 sh
and then:
Code:
[email protected]:/ $ /data/local/tmp/mempodroid 0xd9ec 0xaf47 sh
/data/local/tmp/mempodroid 0xd9ec 0xaf47 sh
1|[email protected]:/ $

Really too bad
Sony's ICS is built on kernel 2.6.39, normally rootable by this exploit... Maybe they have patched it...
Need a copy of /system/bin/run-as binary to try finding offsets another way, as a last chance. My tablet hasn't got the update (unrootable kernel 10 - French region)

Binary attached.
Since we're unable to chmod under normal boot (operation not permitted), the only way is to run under recovery. Is it possible that mempodroid doesn't work under recovery?

The worst thing that could happend
I don't know if running in recovery can make mempodroid fail... It probably doesn't. But as you can see, Condi has run n95-offsets in "regular" /data/local/tmp without success.
I have verified the offsets in the run-as binary posted with IDA disassembler, the offsets returned by n95-offsets are the good ones.
I think Sony's 2.6.39 kernel is patched, the exploit won't work...
(Maybe) we will find an other one (some day)...

A last ray of hope ?
There is something weird in the run-as posted by OCedHrt... His ELF header show an entry point at 0x8000 when the other run-as' that I've seen have their entry point at 0x80C0...
It sounds a little simple but may someone test :
./mempodroid 0xd92c 0xae87 sh
Thx !

Nesquick95 said:
There is something weird in the run-as posted by OCedHrt... His ELF header show an entry point at 0x8000 when the other run-as' that I've seen have their entry point at 0x80C0...
It sounds a little simple but may someone test :
./mempodroid 0xd92c 0xae87 sh
Thx !
Click to expand...
Click to collapse
Tried it, sadly did not work. I also got the latest version of mempodroid off the git, but still didnt work.
EDIT: FOUND a little thing, our offsets (from n95-offsets) are exactly the same as the transformer prime, maybe we can use the exploit they used to root ours?

Nesquick95 said:
I don't know if running in recovery can make mempodroid fail... It probably doesn't. But as you can see, Condi has run n95-offsets in "regular" /data/local/tmp without success.
I have verified the offsets in the run-as binary posted with IDA disassembler, the offsets returned by n95-offsets are the good ones.
I think Sony's 2.6.39 kernel is patched, the exploit won't work...
(Maybe) we will find an other one (some day)...
Click to expand...
Click to collapse
I wonder how he got chmod to work. Well I assume he already had root. Chmod returns operation not permitted for me so I had to try it in recovery.
Sent from my Nexus S using XDA

Maeur1 said:
Tried it, sadly did not work. I also got the latest version of mempodroid off the git, but still didnt work.
EDIT: FOUND a little thing, our offsets (from n95-offsets) are exactly the same as the transformer prime, maybe we can use the exploit they used to root ours?
Click to expand...
Click to collapse
Transformer Prime is probably running the same kernel than our tablet but I guess it has been released earlier than Sony's ICS, when mempodroid was still young and proud (I mean not patched)!
It's hard to figure out, but we must keep on searching, try things like you suggest... I haven't decided yet if I will sell my Sony S or if I will loose some more time on it.

Corrupted Root Access

Hello
To be honest im beginning to wonder why I even bothered rooting my S3 seems to cause more hassle than its worth.
The only reason I rooted it was so that I can use the Vodooo Sim Unlocker App on my handset. I bought it on ebay and rooted the phone and used Vodoo to unlock the network lock all worked fine for a while until last week when I was on holiday I got an OTA update ...so I installed it since then when I start my mobile its asking for the Sim network pin code.
I am trying to get Three to provide this but they say the previous owner (off ebay)has to approve this or they cant do it.
I think that the root access on my mobile is fooked so I downloade dan app called Root Checker Pro results are below:
===========================================================
Root Access is not properly configured or was not granted.
Super User Applications Status:
Superuser application - version 3.1.3 - is installed!
SuperSU application - version 0.91 - is installed!
System File Properties for Root Access:
Standard Location
Check Command: ls -l /system/xbin/su:
Result: -rwxr-xr-x root shell 91980 2008-08-01 13:00 su
Analysis: Setuid attribute NOT present BUT root user ownership is present. Root access is NOT correctly configured for this file!
Standard Location
Check Command: ls -l /system/bin/su:
Result: /system/bin/su: No such file or directory
Analysis: File /system/bin/su does not exist.
Alternative Location
Check Command: ls -l /sbin/su:
Result: /sbin/su: Permission denied
Analysis: File system permissions restricted and denied access.
Alternative Location
Check Command: ls -l /system/xbin/sudo:
Result: /system/xbin/sudo: No such file or directory
Analysis: File /system/xbin/sudo does not exist.
Root User ID and Group ID Status:
SU binary not found or not operating properly
System Environment PATH: /sbin /vendor/bin /system/sbin /system/bin /system/xbin
ADB Shell Default User:
ADB shell setting for standard access, stored in default.prop, is configured as: shell (non root) user - ro.secure=1
===========================================
I have tried to re-root my device by using the same method that worked the first time i.e http://reviews.cnet.co.uk/mobile-phones/how-to-root-your-samsung-galaxy-s3-50008588/ but this does not work now any tips what I can do?

Get your info/rooting methods from xda only, everyone else in the world is stupid.
Flash cf-root and stop blaming root for user error, tbh your post was a case of tl;dr but from what I've experienced its user error 99.9% of the time.
Sent from my GT-I9300 using xda premium

Like I said It was working fine before the OTA update so that was my fault for downloading the upgrade...right ok thanks for your help...

slinkydonkey said:
Like I said It was working fine before the OTA update so that was my fault for downloading the upgrade...right ok thanks for your help...
Click to expand...
Click to collapse
Obviously the OTA broke root access, that's what happens.
Use Odin to flash cf-root 6.4 and Bob's your uncle.
Sent from my GT-I9300 using xda premium

nodstuff said:
Obviously the OTA broke root access, that's what happens.
Use Odin to flash cf-root 6.4 and Bob's your uncle.
Sent from my GT-I9300 using xda premium
Click to expand...
Click to collapse
Ok ill try it again tonight I was going to ask you to send me a link the the official XDA developers way of doing it but might be a bit tricky on a mobile so ill take a look around but im sure ive already tried this but ill try again tonight thanks

im assuming i cant just use? http://forum.xda-developers.com/showthread.php?t=1703488

If you couldn't be arsed learning what you are doing and why, and also learning so that you never get stuck in a situation like this again then work away with the toolkit.
Personally I think its the wrong way to do it.
Find the cf-root thread and do it that way if you want to learn how to do something.
Sent from my GT-I9300 using xda premium

nodstuff said:
If you couldn't be arsed learning what you are doing and why, and also learning so that you never get stuck in a situation like this again then work away with the toolkit.
Personally I think its the wrong way to do it.
Find the cf-root thread and do it that way if you want to learn how to do something.
Sent from my GT-I9300 using xda premium
Click to expand...
Click to collapse
ok ill search it out but to be honest I have enough learning IT at work

slinkydonkey said:
ok ill search it out but to be honest I have enough learning IT at work
Click to expand...
Click to collapse
Well, if you want something easy to use and doesnt require learning then get an iphone Or dont mod your gs3.
If you only rooted to unlock wouldnt it have just made more sense (and less hassle if you don't know what you're doing) just to buy an unlock code for 10 bucks and be done than trying to dive in the deep end without knowing how to doggy paddle to accomplish the same thing?
plus with odin it couldnt be anymore simple especially for an IT guy.
get odin
get the cf root tar
boot the phone in download mode
point odin to the tar file and flash
it's pretty darn simple actually

graffixnyc said:
Well, if you want something easy to use and doesnt require learning then get an iphone Or dont mod your gs3.
If you only rooted to unlock wouldnt it have just made more sense (and less hassle if you don't know what you're doing) just to buy an unlock code for 10 bucks and be done than trying to dive in the deep end without knowing how to doggy paddle to accomplish the same thing?
plus with odin it couldnt be anymore simple especially for an IT guy.
get odin
get the cf root tar
boot the phone in download mode
point odin to the tar file and flash
it's pretty darn simple actually
Click to expand...
Click to collapse
Your right to a point I should of just bought an unlocked S3 off ebay thats my fault ..I had tried the odin method yesterday it didnt work then but today it has so im happy now ive run Vodooo and my mobile is working again. I use the S3 for my small business and partiuclar apps like Barclays app does not work on Rooted phones so maybe I should of get an iphone haha but im not that stupid .. :laugh:

[Q] Is possible to root jelly bean?

I have just updated my Prime and I did not have rooted it with ICS. Is possible to root JB without previous rooting?

No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.

without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need

tonesy said:
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
Click to expand...
Click to collapse
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.

If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.

hx4700 Killer said:
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.
Click to expand...
Click to collapse
He posted a bad link but doesnt work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean

Thread moved
Thread moved. This is clearly belonging into Q&A. Please post in correct Sub-Forum.
peace
jotha - forum moderator

Does any one know if one person with development capabilty is trying to find a way to root JB ?

I talked to bin4ry about his root method in hopes of working with him on modifications for the prime but he is telling me his mod is making the change he is exploiting according to what I am seeing but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldnt get out of him what exactly his "restore timing exploit" is but I understand everthing after that
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.

Perhaps we can turn this thread into, or possibly start a new one about the different things people(devs and/or the technically savy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
here's what I have found.
from the PC, creating an adb shell allows me to ls /data/local/tmp/ but from a tablet's terminal emulator (shell?) I cant.
Typing id from both it becomes obvious why
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009
(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt)
,3003(inet),3006(net_bw_stats)
from the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw), 1028(sdcard_r),
3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debugable and see what that yeilds but its looking like a convoluted process, espicially considering that run as may not work as intended on prime's JB
PS I want to state that I know precious little about linux and even less about the android layer above it...

Just as an FYI the way bin4rys tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 in to local.prop then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.

yes I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
it would indeed be interesting to see if changing "qemu" flags it as a non-production build. My sgs is rooted with CM10 nightlies might try toggling the value on that and see what adb says

Run-as
abazz said:
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
Click to expand...
Click to collapse
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm

elschemm said:
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
Click to expand...
Click to collapse
Yes you are correct. setresuid() function will not give you permissions greater than the process its running in
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Click to expand...
Click to collapse
Its worse than that, the package also has to be debuggable
There is some info out there on how to sing a package with the appropriate system permissions so it would be interesting to actually do this and see what, if anything can be done.
I downloaded the asus unlock package and passed it through the apk tool to see what it does, as it obviously would need root access. As root access is all i require the code it shows is irrelevant really, its the fact that it gains root access with its signature and also the uid that is set in the manifest android.sharedUserID="adroid.uid.system". This and, most importantly android.permission.MOUNT_UNMOUNT_FILESYSTEMS. WIthoput these things we cant change anything in the directories we need
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Click to expand...
Click to collapse
Yes thats what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a c program that uses the setresuid() function call thereby bypassing the need to have an appropriate package installed. As it didn't work I'm having dounts whether it would work even if the right package was there. run-as did make reference to package.h which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I dont really see how this will work...
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
Click to expand...
Click to collapse
Yeah found the source here
I also searched for linux exploits, there are massive lists of them, most of them patched by now but I assume the linux base in JB would be somewhat different to whats getting around on X86 systems
On anather note I have tried bin4ry's "root many" method , using the restore timing exploit but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It make a symbolic link to the build.prop in com.android.settings...../file99, which was succesfull after pressing restore but thats about it. perhaps I should fire up ubuntu and try the linux script instead of the windows .bat file

Interestingly, this guys root method for the Razr M makes use of Run-as if you look at the batch file.
He is essentially doing a "fake package" install then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU and also implimenting run-as
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627

I fear that remained a few developers interested in finding a way to root transformer prime with jelly bean, because all of them had tablet already rooted with ics and managed in mantaining rooting across upgrade.