I installed Z4 mod and ran it and it says my g-tab is rooted. I have read that custom ROMs are pre-rooted. In my limited linux experience - being root gives you total control over the machine. I ran Terminal Emulator and cd / to get me to the top of the file structure. I tried to mkdir test and I was denied because the file system is read only. Next I went into the system folder because a lot of stuff in there looks familiar. I again tried mkdir test and was denied because the file system is read only. It would seem that to be root I would need a password and Z4 didn't offer to give me one or let me set it. Thinking further, I wonder if the file system is mounted for read only and that is why I can't create a new directory. When I am running the rom (Vegan) I can write there (understanding that I am writing to the sdcard that is mounted - presumably with RW access). So, what is all this rooting talk about then? What is the purpose of being root if you still do not have access to the file system?
You need Superuser.apk, as well. Think of Superuser as similar to Windows UAC, and rooting as making yourself an administrator. Even though you have root (admin) access, UAC (Superuser.apk) still needs to let you through.
You also need "root aware" apps. Perfect example is Titanium Backup and that's usually my "litmus test" for verifying if I really have root or not on a device.
yup, in my limited rooting experience (droid1 and gtablet), after the process, there was always a new icon in the app tray entitled "superuser". i didnt have to install it separately, it showed up after the rooting process. if you don't have the superuser app, im betting the root process was unsuccessful.
my memory tells me i had some problems with z4root rooting my tablet, and i had to do it a few times before it actually worked. that was back in december tho, so i dont know if the current version of z4 is different than the one i used, and if so, if kinks were worked out...
so yeah, i probably helped none.
I always thought z4root and Superuser were kind of a package deal.
I use them on my Cowon D3, as Cowon completely locks down their recovery process. boo to that.
rodzero,
With z4root you install it first. Then, you install a file manager program like "Root
Explorer" and when it comes up you click to "Allow" it. After that, you can go in
through Root Explorer and create and change R/O to R/W as needed. Same same
with Titanium Backup, once you have "allowed" it you can do what you need
to with the program.
Rev
More Investigation.
Thanks for the fast responses! I do have Superuser installed and it pops up from time to time when an app wants su access. Using terminal emulator, I worked my way into and what do I find but su! I ran su and was granted su rights in the terminal. I felt pretty smug so I headed into the etc folder thinking I would make a simple change to the hosts file just to see if I could do it. I'm used to using nano in Ubuntu but no nano here. I tried vi (which I really don't know how to use) and I got some strange display but I don't think it was an editor. So, for the sake of closing the loop - if I wanted to edit the hosts file and add a new host - how would I do it? The Terminal Emulator now seems to be in the list to be granted su whenever I type it in. I know how to move around the file system. What kind of text editor would I invoke to actually alter the file? OK.... I went and downloaded TED and worked my way back to the hosts file, added a line but TED doesn't have su rights to save the file. So it looks like su exists but I don't see how to run an app in su mode except for terminal where I can invoke it by a text command. What's the missing piece to get TED to ask for su access?
Just a guess, but TED needs to ask for elevation of privileges. It's probably an app issue.
Related
hi. i can't believe i'm the first person to ask this but i've searched as best i can through these forums, and on google, and cannot find a definitive answer. there are lots of pages giving high level descriptions of rooting a phone like "gives admin access", "allows access to the root filesystem", etc. but, when you root a phone, what actually happens ? does it simply make the "su" binary available so that apps can call it to access the root user ? eg. i've got a samsung galaxy s2, if i install an insecure kernel, then add su to /system/xbin, and then reinstall a stock kernel, is that technically a rooted phone ? this is actually what i did on my phone, although i installed superuser and busybox from the market after adding su. i am aware that there are various threads in the sgs2 forums on how to root, i'm just using my phone as an example, i'm just trying to understand generically what is meant when someone says a phone has been rooted. cheers.
Full control over your system
Ability to alter system files. You can replace many parts of the "Android Core" with this including:
Themes
Core apps (maps, calendar, clock etc)
Recovery image
Bootloader
Toolbox (linux binary that lets you execute simple linux commands like "ls") can be replaced with Busybox (slightly better option)
Boot images
Add linux binaries
Run special apps that need more control over the system
SuperUser (lets you approve or deny the use of root access to any program)
Task Manager For Root (Lets you kill apps that you otherwise could not kill)
Tether apps (like the one found at [android-wifi-tether.googlecode.com])
<there are more but I cannot think of any right now>
Backup your system
You can make a folder on your sdcard and backup all of your .apk files to your sdcard (helps if an author decides to "upgrade" you to a version that requires you to pay to use the version you just had)
Relocate your (browser/maps/market) cache to your /sdcard
Relocate your installed applications to your /sdcard
Reboot your phone from the terminal app easily (su <enter> reboot <enter>)
Copied and pasted from google... it is your friend.
thanks for the response however, i'm trying to understand what actually changes on the phone when you root it, rather than simply the benefits of rooting a phone.
Carrot Cruncher said:
> thanks for the response however, i'm trying to understand what actually changes on the phone when you root it, rather than simply the benefits of rooting a phone.
Unrooted phone is like logging on as user in a computer. By rooting you have "administrative" rights, just like using sudo command in Ubuntu. Some binaries which are important in gaining administrative rights are installed in the phone.
sent from my nokia 3210
If you come from Windows, you're familiar with the Administrator account. A user that can do everything on the system, as opposed to other users that only have limited privileges. In Linux, that account is called "root". That's all there is to it. It's a user that can do everything on the system.
@Panos_dm: Actually, it's *not* like using sudo. Sudo gives elevated privileges to your existing user account, whereas "root" is a whole separate account.
Nope, sudo actually switches users
i'm a linux user and have been a linux admin in the past so understand the difference between su and sudo. sorry to sound pedantic but i'm still not clear on exactly what happens when you root a phone, i.e. what exactly happens during the rooting process ?
It opens your phone to a whole new array of possibilities.
Sent from my HTC Sensation 4G using xda premium
Carrot Cruncher said:
> but i'm still not clear on exactly what happens when you root a phone, i.e. what exactly happens during the rooting process ?
In a gist? The "su" binary and the Superuser.apk app get installed. Sometimes doing so requires exploiting a vulnerability via a trigger. Rageagainstthecage is a common trigger. I once had a link that explained what exactly rageagainstthecage does, but I don't have it anymore.
If you really want to know all the details, here's the script I used to root my Defy: http://pastebin.com/G3m9v4FQ
Hmm, I see the script contains a link to the explanation of what rageagainstthecage does. Cool.
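The answer above, turned into a check (an added example, not part of the original thread or of any rooting tool): it reports whether an `su` binary is present and setuid, and whether a Superuser package sits in the system app directory. `/system/xbin/su` and `Superuser.apk` come from the thread; the other search directories, the `/system/app` location, the function names and the optional root prefix (for running against an extracted image) are assumptions.

```shell
#!/bin/sh
# Added example: audit a device (or an extracted system image) for the two
# artifacts the thread says rooting installs: an su binary and Superuser.apk.
# Only shell built-in tests are used, so no extra tools are required.

# Directories to search, relative to the root prefix. /system/xbin is from
# the thread; /system/bin and /sbin are assumed additional locations.
SU_DIRS="/system/xbin /system/bin /sbin"

# su_state FILE -> prints one of: absent, not-executable, plain, setuid
# A classic su raises privileges through the setuid bit, so a copy without
# that bit ("plain") cannot hand out root on its own.
su_state() {
    if [ ! -e "$1" ]; then echo absent
    elif [ ! -x "$1" ]; then echo not-executable
    elif [ -u "$1" ]; then echo setuid
    else echo plain
    fi
}

# find_su [ROOT] -> prints "PATH STATE" for every su found under ROOT
find_su() {
    root=${1:-}
    for d in $SU_DIRS; do
        s=$(su_state "$root$d/su")
        [ "$s" = absent ] || echo "$d/su $s"
    done
}

# has_manager [ROOT] -> succeeds if a Superuser package is in /system/app
# (assumed location; a copy installed from the market lives elsewhere).
has_manager() {
    root=${1:-}
    for apk in "$root"/system/app/Superuser*.apk; do
        [ -e "$apk" ] && return 0
    done
    return 1
}

# root_verdict [ROOT] -> rooted | su-without-manager | su-unusable | not-rooted
root_verdict() {
    found=$(find_su "${1:-}")
    case "$found" in
        "") echo not-rooted ;;
        *" setuid"*)
            if has_manager "${1:-}"; then echo rooted
            else echo su-without-manager
            fi ;;
        *) echo su-unusable ;;
    esac
}

# Run against the live system, or against an image root given as argument 1.
root_verdict "${1:-}"
```

A `su-without-manager` result means a setuid `su` exists with no prompt app in the system partition to gate it, which is the state worth investigating first on a device that was not meant to be rooted.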
many thanks for confirming my understanding of the process.
It looks like we have to move our discussion here, so I went ahead and started a thread.
As of now, there is root for the mediapad, but the only way to root the springboard is by flashing it with a rooted mediapad cust.img - which gives you root but loses your 4g.
So for us Springboard users, we either need root or a way to get 4g back if flashing it as a mediapad. Anybody with thoughts or leads or any know-how?
Finally,
Special room for Huawei Media Pad created,
Thanks to TS
I'm very glad,
Now i'm waiting the master in here to modified this device
cause i still newbie
Actually I Prefer The 3G More Than The 4G For Some Reason I Felt 4G Wasnt Stable Enough....So Im Enjoying My Mediapad In 3G More Than My Springboard In 4G......
from the other thread, Rumbi wrote:
Yap, only thing you have to do is install Superuser and Busybox from Market and copy "su" from /hwcust/oversea_hk/preload/fixed/bin/ to /system/xbin (e.g. with ES File Explorer with root and r/w enabled), and you are ready to go
I've installed SU & BusyBox. I cannot move the SU file over to /system/xbin. A message tells me that I am not root.
However, when I run Root Check Basic I am told I have root.
I ran Root Check before & after I installed S7-301u V100R001C232B012(Root_version) and Root Check said I did not have root.
So the real question is, How do I really know if I have root?
*****
Actually I installed BusyBox Installer. I'm asked to pick a version to install:
1.19.3
1.19.2
1.18.5
1.18.4
1.17.1
None of these will install.
I also have the option to install a "Custom Tune" is there one? I'd gladly pay for BusyBox pro to get BusyBox running
*******
I powered off the device. Put my sdCard back in (the rooted firmware was removed from it). Then installed the SuperUser update from the market.
Ran that - it said everything was OK. Then I forced it to update - it crashed - so I force closed it. I then realized I could not run the original SuperUser app anymore.
Next, I opened up Root Explorer and was able to move the su file over to the xbin. But now BusyBox is not acting right - It said that it was having problems installing, and I'd need to reflash (or reload - I can't recall) the rom.
I'm rebooting, and going to try to install BusyBox....to be clear on which BusyBox..it's this one:
https://market.android.com/details?...t=W251bGwsMSwyLDEsInN0ZXJpY3Nvbi5idXN5Ym94Il0.
*****
Just realized in Root Explorer, to tap the little gray box at the top. After you tap it it should read "Mount R/O"
Now you can long press a folder/file and change the read/write permission.
Rumbi,
You said to r/w enabled the su file....is that check ALL the boxes?...Read, Write, Execute Special?????
IIRC, i had some problems with busybox, too. Copy the file from the attachment to /system/xbin and try the installer again.
And i said to enable r/w support for the /system folder. There are two checkboxes in ES File Explorer. First checkbox is enable root permission for ES File Explorer and second checkbox is "Mount / and /system writable".
Now you should be able to copy whatever file you want to /system/xbin. That's how i have done it. If you have any further questions, feel free to ask. I'll try to explain.
PS. You don't need to alter file permissions of the su-binary but mine are "rwx r-x r-x".
Rumbi, how do you feel about the High resolution mode, does it slow the tablet down? Have you had a chance to use any tegra 2 devices and if so how does the mediapad with the snapdragon compare when in standard/high-res mode?
Nothing to complain about the Hi-Res-Mode but i don't have any Tegra2-Devices to compare, sorry.
Haven't tried any games in hi-res-mode but normal usage is just fine.
Thanks. Ill try this out. When i try to install busybox it hangs first, then i force close and run again. Then i get the message about reflashing Rom. But i know i have root. I installed connectbot and ran su and got #
Heres how i got root (im away from my pc right now so i try to be as accurate as possible) :
Installed Huawei modified rom (its the one that says "(root) " in the file name).
Installed Root explorer
Installed Superuser
Install busybox
Install Connectbot
Put my microsd back in (with the firmware AKA dloa folder removed)
I could not get root explorer to allow rw permissions until i slid the sd card out and back in while the device was on.
Then i ran connectbot as local and typed su hit enter then superuser popped up asking to allow connectbot to access. Hit allow and type su hit enter and you should get # This took 3 reinstalls of the firmware to work without errors. The first times resulted in superuser needing to be force closed.
I also ran superuser and went into settings and updated it even though it's not needed. There i got a read out saying that busybox is not installed, but it does say i have root.
Sent from my HUAWEI MediaPad using xda premium
Honestly i havent noticed a big difference between high resolution an standard.
The only issue with high res is the small icons and buttons are difficult to hit sometimes
Sent from my HUAWEI MediaPad using xda premium
Do i need to unzip this file first?....
.... Nevermind... I unzipped it and put the busybox file in th system/xbin folder.
I installed busybox installer by JRummy16. This time and it worked!!!!!!!
Now it's on to figuring out 4G and trying to use it as a phone.
What is the xml file i need to edit?
Sent from my HUAWEI MediaPad using xda premium
Good, that you have worked it out now. What exactly do you want to do? To get to the hidden menu, you have to open the calculator and type: ()()2846579()()=
To edit the XML-Files, you have to extract the cust.img... But now that you have root, you can edit whatever is available via root explorer
€dit: To get 4G working again, maybe with someone with an original Springboard (not a flashed one) can copy the folder /system/lib/. This should be possible even without root. I think it has something to do with the ril-files...
After updating my mediapad to S301uV100R001C232B012, I have a problem with 2x Client (RDP client) now: a few seconds after connecting to an RDP session, the 2X Client app crashes with the error "2x Client has stopped unexpectedly (process com.tux.client)". Is anybody here with this problem? Thanks...
Rumbi said:
> €dit: To get 4G working again, maybe with someone with an original Springboard (not a flashed one) can copy the folder /system/lib/. This should be possible even without root. I think it has something to do with the ril-files...
How about this - link
I'll look at it, thank you. And these are the libs from an unmodified Springboard, aren't they?
yes indeed. I broke the silly thing, so I haven't played with it much. guess I will have to call about how to get it fixed.
knoxjon said:
> How about this - link
Even though I have no clue of what to do with this, THANKS! I tried to open an .so file in notepad, but no luck, but I'm assuming that the geniuses here know what to do.
On an off-root topic - How do you take a screen cap? I accidentally did it yesterday while my MediaPad was lagging, but don't know how I did it.
The Hi Suite that comes with the device can do this, but require a computer and usb hooked up. Useful, but not as practical as doing it from the tablet itself.
The *.so files are a bit like drivers for the internal components. I'll try to find differences between T-Mobile and Huawei so maybe we get 4G working again.
tedbone said:
> Even though I have no clue of what to do with this, THANKS! I tried to open an .so file in notepad, but no luck, but I'm assuming that the geniuses here know what to do.
> On an off-root topic - How do you take a screen cap? I accidentally did it yesterday while my MediaPad was lagging, but don't know how I did it.
> The Hi Suite that comes with the device can do this, but require a computer and usb hooked up. Useful, but not as practical as doing it from the tablet itself.
I'm not sure how to screencap. It's so easy on CM that I've gotten lazy. Plus I rarely do it. I know there are a ton of apps for that, tho. But you could probably google "gingerbread screen capture" and find a better answer. But not with gingerbread. I'm blanking on the name for this version of android.
knoxjon said:
> I'm not sure how to screencap. It's so easy on CM that I've gotten lazy. Plus I rarely do it. I know there are a ton of apps for that, tho. But you could probably google "gingerbread screen capture" and find a better answer. But not with gingerbread. I'm blanking on the name for this version of android.
Honeycomb
I've been Googling searches like that, and end up with actual screen shots of Honeycomb os..I'll keep looking...
Tried this (from here), but no luck:
Screen capture
Android natively supports the ability to capture a screenshot by method of pressing both the power and volume-down buttons at the same time on an Android device. This native support was first included within the Android 4.0 (Ice Cream Sandwich) update, which is first seen on the Galaxy Nexus smartphone.[86] Previously, Android did not feature native support for screen capturing which would have likely been due to security concerns. Furthermore, prior manufacturer and third-party customizations as well as using a PC connection (DDMS developer's tool) were the only known methods of capturing a screenshot on Android.
I've looked through the *.so files and many of them are exactly the same, but some are different. One file caught my interest. I've attached it here for anyone who wants to try. Please only use it, if you have a T-Mobile Springboard with flashed root Firmware. Copy the content of the zip-file to /system/lib and overwrite the existing file. But make a backup first! After copying you have to set the correct file permission (rw- r-- r--) and reboot the tab. Hopefully 4G works again with this little trick.
Hi XDA Community,
Your forums have helped me in the past and I spent some time scouring the posts before posting this one as I couldn't find anything that was specific to my issue. Since this is my first post, I thought that I would save a ping pong of responses, by being fairly expansive on what the problem is and what I have tried; thus hoping to pinpoint my issue a little quicker.
Device Details:
---------------------
Model Number: GT-I9100
Android Version: 4.0.3
Kernel Version: [email protected] #3
Build Number: IML74K.XWLP3
ROM Firmware: Samsung-Updates.com-GT-I9100_O2U_1_20120326173406_jiut50pyip.zip (via Samsung Kies)
Rooting Method / Kernel: Odin3v185 / CF-Root-SGS2_XX_XEO_LPQ-v5.3-CWM5
Summary
--------------
Since the beginning of July 2012, I successfully upgraded from Gingerbread v2.3.6 to ICS v4.0.3 using Samsung Kies then initiated root privileges by using the CF-Root Kernel via Odin (versions shown above) - All has been working fine 100%.....
However, it appears that I seem to have lost my SU permissions and may have disabled my root access, even though my device was rooted and I would appreciate any assistance from anyone who might have time to shed some light on the situation.
Behaviour of Apps I have tried that require root
-------------------------------------------------------------------
SuperSU
SuperSU Pro v0.96 lists in the 'Apps' tab (denoted by a green # symbol) that I have granted all relevant Apps that require SU privileges. This includes AdFree, BusyBox Pro, Root Checker Basic, Root Explorer, SetCPU, Terminal Emulator, Titanium Backup, Triangle Away.
Terminal Emulator
Terminal Emulator displays the following and when I enter the su command at the prompt, I just see a carriage return with a grey block. In other words, I do not see the # symbol denoting I have su privileges.
a/local/bin:$PATH
[email protected]:/ $su
Root Explorer
Root Explorer no longer displays a directory listing and simply displays a pop up from SuperSU after tapping on Root Explorer, "Root Explorer has been granted superuser permission for an interactive shell." then the following message from Root Explorer itself:
"Root Explorer has not yet managed to obtain root access. Because of issues with Superuser, this often happens the first time the app is run but is usually fine from then on."
Root Checker Basic
Apart from the App stating "Please wait for Root Check to be complete. Systems appears to be running very slow" after tapping on the [Verify Root Access] button. It never seems to provide an output after a few minutes waiting. My conclusion is that it cannot get su permissions.
BusyBox Pro
SuperSU displays the message that Titanium Backup has been given root access, however I get the following message:
"Asking for root rights..."
Then after a few minutes I receive this most enlightening output:
"Sorry, I could not acquire root privileges. This application will *not* work! Please verify that your ROM is rooted and includes BusyBox and try again.
This attempt was made using the "/system/xbin/su" command."
I read somewhere that Titanium Backup uses its own BusyBox installation and not the system wide BusyBox package so I went in to the Titanium Backup preferences and selected 'Troubleshooting settings' then chose 'Force system BusyBox' to see if my issue was a BusyBox specific problem. Again, it failed so not sure if it is BusyBox or my SU permissions that have somehow got corrupted or been disabled.
Additional Information
-------------------------------
Using 'ES File Explorer', I can confirm that the following files exist at the appropriate location paths:
/system/xbin/su
/system/xbin/busybox
Conclusion so far
-------------------------
It appears that on the face of it that I have lost my root permissions, so I removed apps from SuperSU, then uninstalled the App (e.g. Root Explorer, Terminal Emulator et al.); then performed the rooting procedure again via ODIN and the CF-Root kernel. The process itself worked flawlessly and so after it rebooted, I installed the Apps in question from the Google Play Store again and they prompted to be granted SuperSU privileges. Unfortunately, the same issues arose where it appears that it cannot communicate with either the su command or BusyBox to do what it requires.
Does anyone have any ideas as the phone is fine apart from this and although performing a Titanium Backup backup around two weeks ago, I would sooner not have to wipe everything if I can help it. I wonder if it is an update that somehow confused things...Either way, I cannot use Titanium Backup to backup/restore due to it requiring SU/root permissions, of which I do not seemingly have anymore.
Any ideas please as I am scratching my head and have gone blurry eyed at spending hours viewing various forums and posts?
Follow these steps:
1. Unroot your phone with the unroot method here
2. To be sure, unroot again with the method here
3. ROOT your phone again using Any of the Rooting methods in the links provided in step 1 or 2.
Good luck
ICS 4.0.3 Lost su permissions even though device was rooted - Resolved
:good: Issue Resolved :good:
Many thanks for contributing to my issue. I had come across the post before in your links and although the directions were not completely related, there was a section pertaining to a zip file that I must have missed.
Conclusion
----------------
As can be read in the post, I was unsure if my issue related to losing root, a possible corrupt su file itself or BusyBox. As you will see on the link below, Busy Box actually creates hundreds of symbolic links (symlinks) and due to my perhaps overzealous approach to wanting a quick fix; I must have inadvertently created too many links with different versions of Busy Box and therefore when an App that was correctly added and granted SU permissions within SuperSU, when it then communicated with Busy Box / su to authenticate; I can only imagine it got confused and was lost with all the dead symlinks. The net result was that although SuperSU stated that it had granted permissions to the Apps requiring root, it never got to communicate with the su file contained within /system/xbin. I hope that makes sense, well at least I am pretty sure that is what happened.
Solution
------------
Firstly, I cleared all entries contained within SuperSU and therefore removing all Apps from being granted with root access (they didn't have it anyway at the moment).
I saved the zip file contained at the following link on to my external SD card and choosing to 'install zip from sd card' within the CWM Recovery (Volume Up + Power + Home button); effectively this uninstalls Busy Box completely from your device, including hundreds of symlink files - including many which in my instance was causing issues with Apps that required root to function correctly.
Busy Box Uninstaller v1.0 here
I restarted my device and downloaded Busy Box from Google Play Store and when I opened Root Explorer and the other aforementioned Apps shown in this post, they prompted to be granted root permissions (SuperSU) and voila....it worked ! :good:
I hope this may help other droid users experiencing similar symptoms.
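A way to check the "dead symlinks" diagnosis described above before uninstalling anything (an added example, not part of the original post or of any BusyBox installer): it counts the symlinks in one directory that point at a `busybox` binary, how many of them are dead, and how many different targets they reference. The function names are assumptions, and it needs a `readlink` command on the path.

```shell
#!/bin/sh
# Added example: inspect BusyBox applet symlinks in one directory
# (for instance /system/xbin) for leftovers from earlier installs.

# dangling_links DIR -> prints every symlink in DIR whose target is gone
dangling_links() {
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "$f"
        fi
    done
}

# audit_applets DIR -> prints "links=N dangling=M targets=T1 T2 ..."
# Only symlinks whose target file name starts with "busybox" are counted.
# Targets are compared as text, so "busybox" and "/system/xbin/busybox"
# are listed separately even if they resolve to the same file, and
# targets containing spaces are not supported.
audit_applets() {
    dir=$1; total=0; dead=0; targets=""
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        t=$(readlink "$f")
        case "${t##*/}" in
            busybox*) ;;
            *) continue ;;
        esac
        total=$((total + 1))
        # -e follows the link, so it fails exactly when the target is missing
        [ -e "$f" ] || dead=$((dead + 1))
        case " $targets " in
            *" $t "*) ;;
            *) targets="$targets $t" ;;
        esac
    done
    echo "links=$total dangling=$dead targets=${targets# }"
}

# Usage: sh this_script.sh /system/xbin
if [ $# -gt 0 ]; then
    audit_applets "$1"
    dangling_links "$1"
fi
```

More than one entry after `targets=` means applets are linked to different BusyBox copies, and any non-zero `dangling=` count marks links left behind by a copy that no longer exists.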
I have just updated my Prime and I had not rooted it with ICS. Is it possible to root JB without previous rooting?
No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
tonesy said:
> without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i don't believe so.
If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.
hx4700 Killer said:
> lol, must be a joke.... dead link.
> I have been actively pursuing this. Without bootloader unlock i don't believe so.
He posted a bad link but doesn't work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean
Thread moved
Thread moved. This is clearly belonging into Q&A. Please post in correct Sub-Forum.
peace
jotha - forum moderator
Does any one know if one person with development capabilty is trying to find a way to root JB ?
I talked to bin4ry about his root method in hopes of working with him on modifications for the prime but he is telling me his mod is making the change he is exploiting according to what I am seeing but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldn't get out of him what exactly his "restore timing exploit" is but I understand everything after that
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.
Perhaps we can turn this thread into, or possibly start a new one about the different things people (devs and/or the technically savvy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
here's what I have found.
from the PC, creating an adb shell allows me to ls /data/local/tmp/ but from a tablet's terminal emulator (shell?) I cant.
Typing id from both it becomes obvious why
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009
(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt)
,3003(inet),3006(net_bw_stats)
from the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw), 1028(sdcard_r),
3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitations became obvious when I looked at the source code for it. You need an application package that is debuggable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debuggable and see what that yields but it's looking like a convoluted process, especially considering that run as may not work as intended on prime's JB
PS I want to state that I know precious little about linux and even less about the android layer above it...
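The comparison made in the post above, as a script (an added example, not part of the original post): it parses the two `id` outputs exactly as quoted, line wraps included, and lists the groups each identity holds that the other lacks. The function names are assumptions; the handling of a trailing `context=` field covers newer Android builds and goes beyond what the post shows.

```shell
#!/bin/sh
# Added example: compare the two `id` outputs quoted in the post.

# Outputs copied from the post, including the terminal's line wraps.
ADB_ID='uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009
(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt)
,3003(inet),3006(net_bw_stats)'
APP_ID='uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw), 1028(sdcard_r),
3003(inet)'

# flatten TEXT -> TEXT with wraps and spaces removed
flatten() { printf '%s' "$1" | tr -d ' \n\r'; }

# id_user TEXT -> the user name inside uid=N(name)
id_user() {
    u=$(flatten "$1"); u=${u#uid=}; u=${u%%\)*}
    echo "${u#*\(}"
}

# id_groups TEXT -> supplementary group names, one per line
id_groups() {
    g=$(flatten "$1")
    case "$g" in *groups=*) ;; *) return 0 ;; esac
    g=${g#*groups=}
    g=${g%%context=*}   # newer builds append an SELinux context field
    old_ifs=$IFS; IFS=,
    for e in $g; do
        n=${e#*\(}      # drop the numeric gid and the opening parenthesis
        echo "${n%\)}"
    done
    IFS=$old_ifs
}

# only_in A B -> groups present in id output A but missing from B
only_in() {
    b=" $(id_groups "$2" | tr '\n' ' ')"
    out=""
    for n in $(id_groups "$1"); do
        case "$b" in
            *" $n "*) ;;
            *) out="$out $n" ;;
        esac
    done
    echo "${out# }"
}

# compare_ids A B -> one line per identity with its exclusive groups
compare_ids() {
    echo "$(id_user "$1") only: $(only_in "$1" "$2")"
    echo "$(id_user "$2") only: $(only_in "$2" "$1")"
}

compare_ids "$ADB_ID" "$APP_ID"
```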
Just as an FYI the way bin4rys tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 in to local.prop then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.
yes I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
it would indeed be interesting to see if changing "qemu" flags it as a non-production build. My sgs is rooted with CM10 nightlies might try toggling the value on that and see what adb says
Run-as
abazz said:
> I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitations became obvious when I looked at the source code for it. You need an application package that is debuggable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
> http://forum.xda-developers.com/showthread.php?t=442557
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal]).
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as its permissions are whatever group it (c4droid?) was assigned at install.
So, how does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
elschemm said:
> Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal]).
> Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
> If that is correct, then running it via something with c4droid probably won't work, as its permissions are whatever group it (c4droid?) was assigned at install.
Yes, you are correct. setresuid() function will not give you permissions greater than the process it's running in.
> So, how does one / can one specify that the package is supposed to be root (uid 0)? I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
It's worse than that, the package also has to be debuggable.
There is some info out there on how to sign a package with the appropriate system permissions so it would be interesting to actually do this and see what, if anything, can be done.
I downloaded the asus unlock package and passed it through the apk tool to see what it does, as it obviously would need root access. As root access is all I require, the code it shows is irrelevant really; it's the fact that it gains root access with its signature and also the uid that is set in the manifest android.sharedUserID="android.uid.system". This and, most importantly, android.permission.MOUNT_UNMOUNT_FILESYSTEMS. Without these things we can't change anything in the directories we need.
> Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Yes, that's what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a C program that uses the setresuid() function call, thereby bypassing the need to have an appropriate package installed. As it didn't work I'm having doubts whether it would work even if the right package was there. run-as did make reference to package.h which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I don't really see how this will work...
> Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
> Thanks
> Schemm
Yeah found the source here
I also searched for linux exploits, there are massive lists of them, most of them patched by now, but I assume the linux base in JB would be somewhat different to what's getting around on X86 systems.
On another note I have tried bin4ry's "root many" method, using the restore timing exploit, but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It makes a symbolic link to the build.prop in com.android.settings...../file99, which was successful after pressing restore but that's about it. Perhaps I should fire up ubuntu and try the linux script instead of the windows .bat file.
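The rule stated in the reply above, that setresuid() cannot give a process more privilege than it already holds, as an added C example (not code from the thread and not taken from run-as). The names `try_regain_root`, `UNPRIV_ID` and the result constants are assumptions made for the illustration; the work is done in a forked child so the calling process is left untouched.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* glibc only exposes these under _GNU_SOURCE; repeated so the block builds anywhere. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

#define UNPRIV_ID 65534 /* assumption: "nobody"-style id, used only if started as root */
enum { STILL_UNPRIVILEGED = 0, REGAINED_ROOT = 1, SETUP_FAILED = 2 };

/* Runs in the child: make sure we hold no uid 0 anywhere, then ask for uid 0. */
static int child_attempt(void)
{
    uid_t r, e, s;
    if (geteuid() == 0) {
        /* Drop the group first, then real, effective and saved uid together. */
        if (setresgid(UNPRIV_ID, UNPRIV_ID, UNPRIV_ID) != 0) return SETUP_FAILED;
        if (setresuid(UNPRIV_ID, UNPRIV_ID, UNPRIV_ID) != 0) return SETUP_FAILED;
    }
    if (getresuid(&r, &e, &s) != 0 || r == 0 || e == 0 || s == 0) return SETUP_FAILED;

    /* An unprivileged caller may only choose values already present in r/e/s. */
    if (setresuid(0, 0, 0) == 0) return REGAINED_ROOT;
    if (errno != EPERM) return SETUP_FAILED;

    /* Re-selecting the ids we already hold is allowed. */
    return setresuid(r, e, s) == 0 ? STILL_UNPRIVILEGED : SETUP_FAILED;
}

/* Returns one of the enum values above. */
int try_regain_root(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return SETUP_FAILED;
    if (pid == 0) _exit(child_attempt());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return SETUP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = { "setresuid(0,0,0) refused with EPERM",
                                 "unexpectedly became root", "could not set up the test" };
    printf("%s\n", msg[try_regain_root()]);
    return 0;
}
```

A setuid-root binary such as run-as differs only in that the kernel starts it with effective uid 0, which is why its own checks (the debuggable package requirement mentioned above) are the actual security boundary.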
Interestingly, this guy's root method for the Razr M makes use of Run-as if you look at the batch file.
He is essentially doing a "fake package" install then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU and also implementing run-as
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627
I fear that there remain few developers interested in finding a way to root the Transformer Prime with Jelly Bean, because all of them had tablets already rooted with ICS and managed to maintain root across the upgrade.
my method here will give you a permanent rooted shell and will give you read-only system root which is useful for using root apps to backup data or freeze system apps--works just like real root without being able to delete system contents--freezing apps however works like a charm and should reduce the need for rw root anyway
FOLLOW DIRECTIONS EXACTLY--I WILL NOT RESPOND TO STUPID QUESTIONS--PROBABLY WON'T RESPOND TO ANY QUESTIONS BECAUSE MY DIRECTIONS ARE PERFECT, WORK PERFECTLY WHEN FOLLOWED, AND ARE EASY TO READ. FOLLOW ALL STEPS EXACTLY. IF IT DIDN'T WORK, IT IS BECAUSE OF YOUR ERROR
This works best from a factory reset device, but will work from a already used device but all other root apps and superuser apps must have their data deleted and be uninstalled first
1) make sure device is at least 50% charged--doesn't matter most of the time; better safe than sorry
install latest superuser apk
http://www.mediafire.com/file/dx854fsys5pvxjh/SuperSU.apk
install dirty cow root apk (croowt) [comes from this post https://forum.xda-developers.com/android/software-hacking/root-tool-dirtycow-apk-adb-t3525120]
http://www.mediafire.com/file/1hbey829hc7676a/CRooWt.apk
make sure usb debugging is activated in developer settings and make sure you have accepted the debugging access prompt on the phone for the computer you will use
make sure you have an external sdcard installed--the smaller the better for this first time
2) open dirty cow root apk
choose "get root"
choose "method 1"
hit "ok"
choose "ok"
app will direct you to unmount and remount sdcard, choose "ok" and it will take you to storage settings
unmount sdcard
remount sdcard
when finished proceed to step 3
3) open superuser
do not update su binary
go to settings and make the default action "grant"
remove any and all apps from superuser log including the croowt app
4) THIS MUST BE DONE FROM A REAL TERMINAL ON A PC--TERMINAL EMULATORS WILL NOT WORK FOR THIS STEP
from a working pc with adb setup, preferably linux, input commands exactly as listed
adb shell
su
setprop persist.sys.k P816A06
reboot
5) once rebooted, open dirty cow root apk again
choose get root
choose "method 2"
hit "ok"
choose "ok"
if app asks you to open with a browser, choose one, and choose "always"
screen will go black, systemui will crash and then reboot
6) once systemui is back up and running
you now have read-only root
you can now freeze system apps or backup your data using apps that require root
Your shell will be permanently rooted when accessed from a computer using adb--this will last forever unless you undo the setprop
Your system however will only be temp, read-only rooted until the phone is rebooted.
If you wish to have your temp, read-only root reactivated, all you have to do is repeat step 5 and that is it.
You can do this over and over again.
GIVE STAYBOOGY SOME PROPS FOR MAKING YOUR LIFE WITH THIS PHONE BETTER
Does this only work to back up or freeze applications?
poseidon207 said:
> Does this only work to back up or freeze applications?
ACTUALLY READ the first sentence of OP
I don't see how freezing system apps would negate the need for a real root method? Is this "Read-Only" root method working with lucky patcher or Kernel Auditor?
Can this be used to bypass the subscription check for tethering? I assume not since system isn't writeable.
Does this method work in the ZTE Maven 3 (Z835)?
I'm doing it wrong, probably
First of all, thank you so much for doing this. I've been following that other thread since it was new, and you've put far more effort into this than the phone or most of us deserve.
I've gotten stuck trying to run Dirty Cow. I have USB Debugging enabled, adb installed on my Linux computer which recognizes my Maven (i.e. I've allowed access on the phone), etc. It eventually goes from "Checking vulnerability" to "Your device is not vulnerable" and I'm unable to proceed to the "Get root" step. What am I doing wrong? Might be some recent system update? Probably less effort to just buy a Galaxy.
Please be gentle. I know I'm a noob.
z812 root
I previously rooted my maven with kingroot and the dirtycow exploit.sh file and today I was overwhelming the device by running multiple windows and apps and the phone rebooted and root was still intact....haven't rebooted it again yet but I shall.