Better Mobile App

[HOW-TO] Root FRGxx builds without unlocking bootloader

EDIT: Great news! We have an on-device one-click root again!
Simply download VISIONary from (edit: used to be in the Market) Modaco. I tried it on FRG83 stock. It works. No ADB, no external computer required, no fuss. Thanks to the developers!
EDIT again: Sorry, the FRG83D build no longer works with VISIONary - BUT - the overall rageagainstthecage method still works via ADB. I also hear that SuperOneClick works but it requires a Windows machine.
----
Ok it's been established that Universal Androot / exploid / freenexus no longer works on FRG33/FRG83 etc. And it's been established that "rageagainstthecage" does still work. So far I'm not aware of a one-click method to implement the latter exploit.
So I'm starting this thread to centralize everyone's experiences. I don't personally need these instructions but other folks apparently do. I've quoted a rooting guide in post #2. If you think any refinements are necessary or you have a better way of writing it out, please feel free to add to this thread.

Thanks to efrant for pointing the way to this guide. Based on comments below, I'm quoting another revised version.
hmanxx said:
Hi OP,
You may want to edit your post #2, I have inserted the mounting commands in the thread i posted previously. this will help novice users to get thing right out of box without figuring why permission denied.
I have just tried out the additional mounting steps..things are working fine..
Tidy up step by step rooting
1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz
2) Getting Superuser.apk, busybox,su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find yourself..there are many floating around.
3) Rooting Process (Installing custom Recovery rom section is deleted to simplify illustration
Reference:http://forum.xda-developers.com/showpost.php?p=8120790&postcount=250
Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)
F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage
F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}
[*] Searching for adb ...
[+] Found adb as PID 64
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server
F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *
F:\ADB>adb shell
#mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
Follow the following steps to install Superuser.apk, busybox,su
F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit
F:\ADB>adb shell
# su
su
#mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
# exit
exit
Click to expand...
Click to collapse
And below are the previous contents of this post, prior to editing.
-------------
Many respondents on this thread have indicated that the instructions don't work the first time. If you get to the step where you are supposed to get a root shell (#) but you instead get a non-root shell ($), start from the top and try the exploit once or twice more. Apparently if you are persistent it will work.
I'm also told these instructions are missing adb remount before the steps where you push busybox, su and so forth.
hmanxx said:
Tidy up step by step rooting
1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz
2) Getting Superuser.apk, busybox,su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find yourself..there are many floating around.
3) Rooting Process (Installing custom Recovery rom section is deleted to simplify illustration
Reference:http://forum.xda-developers.com/showpost.php?p=8120790&postcount=250
Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)
F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage
F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}
[*] Searching for adb ...
[+] Found adb as PID 64
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server
F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *
F:\ADB>adb shell
#
Follow the following steps to install Superuser.apk, busybox,su
F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit
F:\ADB>adb shell
# su
su
# exit
exit
Click to expand...
Click to collapse

I too am interested in this info. Looking forward to any info provided....

There is detailed step-by-step info in many threads as to how to use the rageagainstthecage exploit to root your device, e.g.: http://forum.xda-developers.com/showpost.php?p=8300203&postcount=55
Why start a new thread?

efrant said:
There is detailed step-by-step info in many threads as to how to use the rageagainstthecage exploit to root your device, e.g.: http://forum.xda-developers.com/showpost.php?p=8300203&postcount=55
Why start a new thread?
Click to expand...
Click to collapse
Actually that's perfect, thanks.
I started a new thread because the step-by-step info is buried in other threads and many folks post questions asking about it because they can't find said guides. I figured if I could start a new thread with a proper title, it would be located more easily.

All the info is located in Nexus One Wiki, under "Guides" / "Rooting". Direct link to the post with complete data. So I still don't see any need for the post, that will be buried in forum depths. My signature..
But since you posted it, and it's more detailed - I'll change the link to point to it.
[edit 2] The Wiki is damn slow after the forum crash...
[edit 3] It refuses to accept the submit, complaining about "session data loss". Time to complain to admins..

Heh well if the Wiki is crashy at the moment, all the more reason to have a redundant post here.
If you look back to the linked posts, I was the one who suggested which instructions for ali3nfr3ak to follow after a successful push of rageagainstthecage, and then ali3nfr3ak reported success on FRG33, and then hmanxx seems to have stripped out the irrelevant/unnecessary lines. So it's teamwork =)
One thing I'm not sure of - I see the original "exploid"/"freenexus" instructions included a cleanup by removing /system/bin/rootshell. Should something similar be done after rageagainstthecage to clean up?

@ cmstlst This is a good idea, because when I did this I had like 3 different pages open as all the information was spread everywhere, hopefully this will make it easier for everyone to follow, good one

I used the steps posted here to restore root access to a Nexus One which had been previously rooted with 1-click. It was running stock FRF91. It was a fairly smooth process, especially since the update to FRG83 did not delete my Superuser.apk, su, or busybox files. The permissions had just been turned down, so with the RageAgainstTheCage exploit active, I was able to change the permissions as indicated and was off and running.
The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command
mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system
for the read/write mount and was then able to turn up the permissions. And, in the interests of completeness, to mount /system read-only again afterward:
mount -o remount,ro -t yaffs2 /dev/block/mtdblock4 /system
Thanks much for consolidating the procedure where it was easy to find.

anyway to re-lock the Bootloader

highvista said:
The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command
mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system
Click to expand...
Click to collapse
It's mtdblock3, not mtdblock4, though for some reason the mount worked for me even on 6. But in any case, much better and easier done using ADB command:
adb remount
Finally the Wiki is also back to work, the "Rooting FRG83" link is updated to point to this thread.

Here, the rageagainstthecage didn't work.
I followed these steps:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)
F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage
F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}[*] Searching for adb ...
[+] Found adb as PID 64[*] Spawning children. Dont type anything and wait for reset![*][*] If you like what we are doing you can send us PayPal money to[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.[*] If you are a company and feel like you profit from our work,[*] we also accept donations > 1000 USD![*][*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server
F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *
F:\ADB>adb shell
#
Click to expand...
Click to collapse
But, I didn't get root shell (#), when I typed "adb shell" I still got ($).
I'm in FRG83, Android 2.2.1.
Any ideas?

cmstlist said:
Thanks to efrant for pointing the way to this guide.
Click to expand...
Click to collapse
Thank you for posting this. It was a big help. I lost my root after 2.2.1 and this worked great. I did have to execute the .bin file 3 times. The first time, I got $, and the second time as well. It was only on the 3rd execute that I got the # prompt. I read that others had the same problem, that it only worked after a few times.
highvista said:
I used the steps posted here to restore root access to a Nexus One which had been previously rooted with 1-click. It was running stock FRF91. It was a fairly smooth process, especially since the update to FRG83 did not delete my Superuser.apk, su, or busybox files. The permissions had just been turned down, so with the RageAgainstTheCage exploit active, I was able to change the permissions as indicated and was off and running.
The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command
mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system
for the read/write mount and was then able to turn up the permissions. And, in the interests of completeness, to mount /system read-only again afterward:
mount -o remount,ro -t yaffs2 /dev/block/mtdblock4 /system
Thanks much for consolidating the procedure where it was easy to find.
Click to expand...
Click to collapse
Thank you for this. I was in the same situation and I was not able to set the premissions. Then I saw your post. I am not a Linux/Unix guy, so it was step-by-step for me. Curiously, why is it necessary to change the premission for su, busybox, etc.?
Thanks guys.

Atento said:
Here, the rageagainstthecage didn't work.
I followed these steps:
But, I didn't get root shell (#), when I typed "adb shell" I still got ($).
I'm in FRG83, Android 2.2.1.
Any ideas?
Click to expand...
Click to collapse
I had this, too. Like the above poster said, I got # after several tries. However something went wrong midway through the other steps from efrant, and I went back and lost #, only had $.
Also looking for ideas.

Xel'Naga said:
I had this, too. Like the above poster said, I got # after several tries. However something went wrong midway through the other steps from efrant, and I went back and lost #, only had $.
Also looking for ideas.
Click to expand...
Click to collapse
I would try the process over again from the beginning. Once you get the #, follow highvista's information to mount the file system as RW, and do the chmods. After you are done, re-mount as RO.

snovvman said:
I would try the process over again from the beginning. Once you get the #, follow highvista's information to mount the file system as RW, and do the chmods. After you are done, re-mount as RO.
Click to expand...
Click to collapse
Yup, had to reboot the device and try again about four times and then it finally all stuck. Now rooted on 2.2.1.

snovvman said:
Thank you for posting this. It was a big help. I lost my root after 2.2.1 and this worked great. I did have to execute the .bin file 3 times. The first time, I got $, and the second time as well. It was only on the 3rd execute that I got the # prompt. I read that others had the same problem, that it only worked after a few times.
Thank you for this. I was in the same situation and I was not able to set the premissions. Then I saw your post. I am not a Linux/Unix guy, so it was step-by-step for me. Curiously, why is it necessary to change the premission for su, busybox, etc.?
Thanks guys.
Click to expand...
Click to collapse
Thanks for your replies! I'm rooted now.
Thanks for all!!!

Hi OP,
You may want to edit your post #2, I have inserted the mounting commands in the thread i posted previously. this will help novice users to get thing right out of box without figuring why permission denied.
I have just tried out the additional mounting steps..things are working fine..
Tidy up step by step rooting
1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/...nstTheCage.tgz
2) Getting Superuser.apk, busybox,su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find yourself..there are many floating around.
3) Rooting Process (Installing custom Recovery rom section is deleted to simplify illustration
Reference:http://forum.xda-developers.com/show...&postcount=250
Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)
F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage
F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}[*] Searching for adb ...
[+] Found adb as PID 64[*] Spawning children. Dont type anything and wait for reset![*][*] If you like what we are doing you can send us PayPal money to[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.[*] If you are a company and feel like you profit from our work,[*] we also accept donations > 1000 USD![*][*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server
F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *
F:\ADB>adb shell
#mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
Follow the following steps to install Superuser.apk, busybox,su
F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit
F:\ADB>adb shell
# su
su
#mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
# exit
exit

Thanks, I'll fix it up when I'm at a desktop computer again and less occupied by the Masters thesis I'm defending in just over 2 weeks
Sent from my Nexus One using XDA App

hehe oh noes. I gave the cage file a go 3 times, failed, so I got pissed and unlocked the bootloader, then now I read about the remounting of the file system.. didn't think about that.
well.. now I can't undo the unlocking :/

rooting the Streak Froyo build (official)

As the froyo upgrades are rolling out now, you'll find that universal androot doesn't work.
If you are using windows, then its very easy to root the new builds using superoneclick.
http://forum.xda-developers.com/showthread.php?t=803682
you can do it with linux but its quicker to do it manually.
I'll post instructions later for that.. see post #3
I'll also update with some tweaks that help with battery life and speed

Thanks for this Mate

here's how to root the froyo streak builds manually.. so useful to linux / mac users and anyone who doesn't want to use the superoneclick
Code:
GET ECLAIR/FROYO version of Superuser.apk and su
from http://forum.xda-developers.com/showthread.php?t=682828 extract the two files to the directory you're working from..
GET rageagainstthecage from
http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz
extract the rageagainstthecage-arm5.bin to the same directory you're working from
open a terminal/command line
adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
adb push Superuser.apk /data/local/tmp/Superuser.apk
adb push su /data/local/tmp/su
adb push busybox /data/local/tmp/busybox
adb shell chmod 700 /data/local/tmp/rageagainstthecage
adb shell chmod 700 /data/local/tmp/busybox
adb shell
cd /data/local/tmp
./rageagainstthecage
******this will kill adb server but manually kill it anyway and restart it ******
adb kill-server
adb start-server
* daemon not running. starting it now *
* daemon started successfully *
adb shell
mount -o remount,rw -t yaffs2 /dev/block/mtdblock6 /system
**********Follow the following steps to install Superuser.apk, busybox,su ****************
cd /data/local/tmp
./busybox cp busybox /system/bin/
chmod 4755 /system/bin/busybox
busybox cp Superuser.apk /system/app/
busybox cp su /system/bin/
chmod 4755 /system/bin/su
exit
exit
then reboot streak
************to remount filesystem as readonly,*************
adb shell
# su
su
#mount -o remount,ro -t yaffs2 /dev/block/mtdblock6 /system
# exit
exit

This is supposed to be a helpful thread to help people who want a simple easy way of rooting the froyo releases.
Not a discussion on why you cant find something
Orionbg I have no idea whether that one works as the two ways I've suggested do work..
Lets keep it simple, think about those who really struggle rather than confusing them with more info than needed ;-)
Lufc can you lock it and add it to the stickies so as not to let it spiral away.
I'd rather keep it clear and easy for people to follow...

[Q] Rooting x10i via shell need some help

hello at all
i have a little problem. i buyed a used x10i with older firmware but rooted. first of all i only have debian linux 6 64bit and an virtual windows xp. could update to newest firmware 2.1.1.a.0.6 with seus on virtualbox (i did the "repair"). then the root was gone. so i tryed out every version of superoneclick on virtual windows but not working, it freezes everytime. also tried z4mod and flashtool, not working
so i tried manual with adb (i have installed android sdk). i used the binaries from superoneclick 1.9.5. i think the best is when i post my cmd-session:
(i have to replace the shell-prompt from debian with [debian]$, because the forum says me this is an external link...)
Code:
[debian]$ adb push psneuter /data/local/tmp
1635 KB/s (585731 bytes in 0.349s)
[debian]$ adb push su-v1 /sdcard/
430 KB/s (26256 bytes in 0.059s)
[debian]$ adb push su-v2 /sdcard/
579 KB/s (26264 bytes in 0.044s)
[debian]$ adb push su-v3 /sdcard/
437 KB/s (26324 bytes in 0.058s)
[debian]$ adb push Superuser.apk /sdcard/
2063 KB/s (196521 bytes in 0.092s)
[debian]$ adb shell
$ busybox chmod +x /data/local/tmp/psneuter
$ /data/local/tmp/psneuter
property service neutered.
killing adbd. (should restart in a second or two)
[debian]$ adb shell
# mount -o remount,rw -t yaffs2 /dev/block/mmcblk0p12 /system
# mv /system/bin/su /system/bin/su.bak
# mv /system/xbin/su /system/xbin/su.bak
# busybox cp /sdcard/su-v* /system/xbin
# cd /system/xbin
# busybox chmod +x su-v*
# su-v1
reloc_library[1245]: 3712 cannot locate '_ZNK7android6Parcel15setDataPositionEj'...CANNOT LINK EXECUTABLE
# exit
[debian]$ adb shell
# su-v2
# exit
# su-v3
# exit
# rm /system/xbin/su-v1
# rm /system/xbin/su-v2
# mv /system/xbin/su-v3 /system/xbin/su
# busybox cp /sdcard/Superuser.apk /system/app
# busybox chmod 06755 /system/xbin/su
# busybox chown 0.2000 /system/xbin/su
# busybox ln -s /system/xbin/su /system/bin/su
# su
# exit
# reboot
[debian]$ adb shell
$ su
Permission denied
$
you can see i get a rootshell and mount system, copy su and everything, but when i reboot everything is gone. if i don't reboot and check with "root-checker" it says me that i don't have root access.
what i'm doing wrong? i'm a noob in "hacking" phones but have some knowledge with linux&shells
thanks a lot for some help

could solve it: was using superoneclick on a windows-pc from my friend.works great.. but still iterested in a linux-only solution because i want to develop a shell-script for rooting for linux users

[DEV] Current Progress and Guides: CRACKED UBOOT!!! Roms and Kernels Comming Soon

This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self. REMEMBER I DO THIS FOR FUN, please respect the thread as well as others opinions
OLD UPDATES AT THE END OF THIS POST.
First off if you haven’t read the wiki yet to know what is currently in the device you should look here.
Also you should look at the http://www.nooktabletdev.orgfor information on the Nook Tablet Development process. - Thanks to dj_segfault
Rooting Scripts​Windows: Root, OTA block, De-bloat, Gapps Thanks to Indirect
Mac/Linux: Rooting script Thanks to t-r-i-c-k
Mac/Linux: Root,OTA Block, Gapps
CURRENT PROGRESS
adb connection: COMPLETE
adb root: COMPLETE
busybox:COMPLETE
permanent root: COMPLETE BY INDIRECT
GApps and Market: COMPLETE BY INDIRECT & Anlog
recovery mode: COMPLETE BY nemith
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
THANKS TO NEMITH
bootloader: Locked and Signed Irrelevant
uboot: CRACKED BY BAUWKS
THANKS TO BAUWKS​
Loglud said:
bauwks method uses the flashing_boot.img to his advantage, and since it is not checked by security, effectively he has made an insecure uboot. While this is not an unlocked bootloader, it is a way to get around the security, and enable custom recovery and higher level processes to be run.
I have been looking at this line of code for a long time, and as im sure hkvc and bauwks saw it is a large (but 100% necessary) flaw:
distro/u-boot/board/omap4430sdp/mmc.c: 559 : setenv ("bootcmd", "setenv setbootargs setenv bootargs ${sdbootargs}; run setbootargs; mmcinit 0; fatload mmc 0:1 0x81000000 flashing_boot.img; booti 0x81000000");
Without this line of code, it would be impossible for any one but the factory whom could JTAG flash (but since it is secured, most likely they also have to make a flashing_boot.img).
Click to expand...
Click to collapse
12/9/11:
UBUNTU is here, thanks to ADAMOUTLER
http://www.youtube.com/watch?v=PwUg17pVWBs&hd=1
Keep in mind this is only an overlay verson but it is prof that one day we might be able to push roms and kernels over existing ones, then hijack then (next work) and then use them.​
Please PM me or post if you know anything else, and or want to add anything.

Usefull threads
Usefull threads:
ROOTING:
Full root for Nook Tablet. [11/20/11] [Yes this is a permanent root!] Thanks to indirect
Noot Tablet - Easy root & Market on MAC (1 download, 1 script to run) Thanks to t-r-i-c-k
[Windows/Linux] Unroot and uninstall gApps for the nook tablet [Scripts] Thanks to indirect
MODS to Default Rom:
[Full Mod + Root + OTA block] Snowball-mod: Full Modification Root [1/6/2012] Thanks to cfoesch
[DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! Thanks to [DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! 1 Attachment(s) (Multi-page thread 1 2 3 ... Last Page)
Originally Posted By: diamond_lover
Kernels:​Coming Soon​
ROMS:​Coming Soon​
APPS:
[Tutorial][WIP] Installing alternative Keyboards on the NT. Thanks to robertely
[DEV] - HomeCatcher Redirect n Button to any Launcher Thanks to gojimi
Hidden Settings App Updated 12/30/11 Thanks to brianf21
Replacement SystemUI.apk v2: Permanent back and menu buttons, n as Home button Thanks to revcompgeek
DEVELOPMENT:
[Dev]Files of interest in the system Thanks to indirect
[REF] Nook Tablet Source Code Thanks to diamond_lover
BHT Installer (Basic Hacking Tools) Thanks to AdamOutler
[Stock Firmware]Restore Barnes & Nobel Nook 1.4.0 from SDCard Thanks to AdamOutler​

Guides
Table of Contents
Enableing adb Connection (eab1)
Rooting using zergRush (rug2)
Installing busyboxy (ibb3)
Permanent root (pr4) THANKS TO INDIRECT
Installing GApps (aga5) THANKS TO ANLOG
Full system restore/wipe (fsr6) THANKS TO INDIRECT
Enableing adb Connection (eab1)
Install the andriod SDK that is required for your Operating system.
NOTE: This will requries the SDK, and JDK both of which can be downloaded by clicking the links, downloading and installing it.
Run the andriod SDK Manager and Install "Andriod SDK Platform-tools"
[*]Modify your adb_usb.ini file to read such as the following:
Code:
# ANDROID 3RD PARTY USB VENDOR ID LIST -- DO NOT EDIT.
# USE 'android update adb' TO GENERATE.
# 1 USB VENDOR ID PER LINE.
0x2080
This will be in your /home/{username}/.andriod/ folder for mac and linux
This will be in your C:/Users/{username}/.andriod folder for Windows.
ADB is now enabled for your device, however it is not ON your device. YOU MUST DO THIS EVERY TIME YOU WISH TO ADB INTO YOUR DEVICE.
[*]To do this you will need to download any app, and attempt to install it.
You can use this app if you need.
[*]Click on the Package Installer, and then a prompt will pop up asking if you want change the settings to allow 3rd party apps.
*DO NOT ENABLE IF YOU WISH TO ACCESS ADB*
I am working on a way to have it enabled by default.
[*]In the settings page you should see *2* USB Debuggin modes.
[*]Press them both and accept the prompt.
[*]PLUG IN YOUR DEVICE.
Note* You should see the Android Development icon on the bottom of the screen.
ADB will now be able to see your device. How ever you will need to restart the server before it sees it.
Rooting using zergRush (rug2)
This is for the poeople whom have access to adb. You will also need this file. Unzip the file.
Type in the following command (while in the folder with the zergRush Binary):
Code:
adb push ./zergRush /data/local
[*]Once thats installed run this:
Code:
adb shell chmod 777 /data/local/tmp
[*]And lastly:
Code:
adb shell /data/local/zergRush
[*]You are now rooted (only for this reboot)
Installing busyboxy (ibb3)
You will need root and the following busybox file.
Type in the following command while in the location where busy box was downloaded to:
Code:
adb push ./busybox /data/local
[*]Busybox works by calling binaries from a file outside of /system/bin/. We must make this file by issuing the following command:
Code:
adb shell mkdir /data/busybox
[*]Lets make sure we can install busybox without permission probles:
Code:
adb shell chmod 777 /data/local/busybox
[*]Next install busybox in the folder:
Code:
adb shell /data/local/busybox --install
[*]We now need to take the /system/folder, and mount it as a writeable folder:
Code:
adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
[*]Link it into bin:
Code:
adb shell ln -s /data/local/busybox /system/bin/busybox
You now have busybox installed
Permanent root (pr4)
THANKS TO INDIRECT for Files and Scripts
We will need SU and Superuser.apk
First we need to install the Superuser.apk:
Code:
adb wait-for-device install Superuser.apk
adb remount
[*]Next lets go ahead and push the su application up to the /data/local/ folder
Code:
adb push su /data/local/
[*]Next we will need to change the permissions and cp su from the /data/local/ folder to the /system/bin/
Code:
adb shell chmod 4755 /data/local/su;mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system;busybox cp /data/local/su /system/bin
Installing GApps (eab1)
THANKS TO ANALOG and INDIRECT for Scripts
First things first we need to download the GAPPS. The most reacent one is this one or get the most recent one here.
[*] Unzip and navigate to the most root folder of that package in your shell.
[*]We need to verify that adb is booting into root. To do this we can issue the command:
Code:
adb shell id
If id doesn't return root then you will need to re-zergRush your device
[*]Now it is time for us to export the apps to the directories.
Code:
adb shell mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system
adb push system/app/CarHomeGoogle.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/app/FOTAKill.apk /system/app/
adb shell chmod 644 /system/app/FOTAKill.apk
adb push system/app/GenieWidget.apk /system/app/
adb shell chmod 644 /system/app/GenieWidget.apk
adb push system/app/GoogleBackupTransport.apk /system/app/
adb shell chmod 644 /system/app/GoogleBackupTransport.apk
adb push system/app/GoogleCalendarSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleCalendarSyncAdapter.apk
adb push system/app/GoogleContactsSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleContactsSyncAdapter.apk
adb push system/app/GoogleFeedback.apk /system/app/
adb shell chmod 644 /system/app/GoogleFeedback.apk
adb push system/app/GooglePartnerSetup.apk /system/app/
adb shell chmod 644 /system/app/GooglePartnerSetup.apk
adb push system/app/GoogleQuickSearchBox.apk /system/app/
adb shell chmod 644 /system/app/GoogleQuickSearchBox.apk
adb push system/app/GoogleServicesFramework.apk /system/app/
adb shell chmod 644 /system/app/GoogleServicesFramework.apk
adb push system/app/LatinImeTutorial.apk /system/app/
adb shell chmod 644 /system/app/LatinImeTutorial.apk
adb push system/app/MarketUpdater.apk /system/app/
adb shell chmod 644 /system/app/MarketUpdater.apk
adb push system/app/MediaUploader.apk /system/app/
adb shell chmod 644 /system/app/MediaUploader.apk
adb push system/app/NetworkLocation.apk /system/app/
adb shell chmod 644 /system/app/NetworkLocation.apk
adb push system/app/OneTimeInitializer.apk /system/app/
adb shell chmod 644 /system/app/OneTimeInitializer.apk
adb push system/app/Talk.apk /system/app/
adb shell chmod 644 /system/app/Talk.apk
adb push system/app/Vending.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/etc/permissions/com.google.android.maps.xml /system/etc/permissions/
adb push system/etc/permissions/features.xml /system/etc/permissions/
adb push system/framework/com.google.android.maps.jar /system/framework/
adb push system/lib/libvoicesearch.so /system/lib/
Now you have GApps installed from Anlog's. All Credits go to him and Indirect
Full system restore/wipe (fsr6)
THANKS TO INDIRECT
WARNING THIS WILL WIPE YOUR ENTIRE FILESYSTEM!!!
Go into adb shell or terminal emulator.
Issue command:
Code:
echo -n '0000' > /bootloader/BootCnt
Next reboot your device by conventional methods or issue:
Code:
reboot
Your nook will now restart and tell you it is resetting.
You now have a clean slate!

Got some links for howto's on the adb connection/root.

Yeah - if someone has details on how to adb connect and root, it'd be helpful to include links. I've yet to see specifics for either.

Reserved
Sent from Tapatalk, NOOK Color CM7 Nightly's!

I aplogize im still typing them up

Damn loglud, I ended up beating you to the root lol. Sorry about that! D:

The Droid 2 and Droid X had locked bootloaders with the 'e-fuse' and Koush got around them and installed CWM with this...
http://www.koushikdutta.com/2010/08/droid-x-recovery.html
What do you guys think? I don't have a NT yet to try anything (probably won't get one until sometime around x-mas).

l
Indirect said:
Damn loglud, I ended up beating you to the root lol. Sorry about that! D:
Click to expand...
Click to collapse
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?

Loglud said:
l
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?
Click to expand...
Click to collapse
Superoneclick...love!
Sent from my Nook Tablet using Tapatalk

Loglud said:
l
Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?
Click to expand...
Click to collapse
Not at all so long as you give proper credits.

Loglud said:
This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self.
First off if you haven’t read the wiki yet to know what is currently in the device you should look here.
CURRENT PROGRESS
adb connection: COMPLETE
adb root: COMPLETE
busybox: COMPLETE
permanent root: IN PROGRESS
bootloader: Locked and Signed
By the bootloader being locked and signed it is very difficult to design anything that will boot besides nook roms. In order to solve this some of the Devs have suggested the following:
kexec: RESEARCHING
2nd init: RESEARCHING
CWM: NOT STARTED
Please PM me or post if you know anything else, and or want to add anything.
Click to expand...
Click to collapse
hopefully it is cracked soon cause i dont want to buy this if i can't have a full custom rom, all of the verizon motorola phones run roms off of 2nd init and it just isnt the same to be honest. you can never run a full custom rom with second init(well you can but you have to build the rom to fit the kernel) and honestly i want my device to be mine
you should tweet cvpcs or someone who makes and maintains 2nd init roms to get more info on it though

Can't get busybox installed
I'm stuck... I get errors for #3 for busybox... errors like...
Code:
$ adb shell /data/local/busybox --install
busybox: /data/busybox/[: No such file or directory
busybox: /data/busybox/[[: No such file or directory
busybox: /data/busybox/addgroup: No such file or directory
.....
busybox: /data/busybox/yes: No such file or directory
busybox: /data/busybox/zcat: No such file or directory
busybox: /data/busybox/zcip: No such file or directory
So I logged into root via adb shell, set busybox permissions to execute and tried that but same messages?!
Also, adb won't let me 'remount' - (I thought i'd try to copy it direct to /system/bin)?
(I'm running from OSX, if that matters)
EDIT: and of course I'm getting...
Code:
$ adb shell ln -s /data/local/busybox /system/bin/busybox
link failed Read-only file system
$ adb remount
remount failed: Operation not permitted

kgingeri said:
I'm stuck... I get errors for #3 for busybox... errors like...
Code:
$ adb shell /data/local/busybox --install
busybox: /data/busybox/[: No such file or directory
busybox: /data/busybox/[[: No such file or directory
busybox: /data/busybox/addgroup: No such file or directory
.....
busybox: /data/busybox/yes: No such file or directory
busybox: /data/busybox/zcat: No such file or directory
busybox: /data/busybox/zcip: No such file or directory
So I logged into root via adb shell, set busybox permissions to execute and tried that but same messages?!
Also, adb won't let me 'remount' - (I thought i'd try to copy it direct to /system/bin)?
(I'm running from OSX, if that matters)
EDIT: and of course I'm getting...
Code:
$ adb shell ln -s /data/local/busybox /system/bin/busybox
link failed Read-only file system
$ adb remount
remount failed: Operation not permitted
Click to expand...
Click to collapse
Sorry it took me so long to get back to you. I have updatd my guide to help you out. First of you will need to make the busybox directory, then change the permissions of the binary file, then run the install. You will then have to mount -rw

Still some glitches installing busybox...
Loglud said:
Sorry it took me so long to get back to you. I have updatd my guide to help you out. First of you will need to make the busybox directory, then change the permissions of the binary file, then run the install. You will then have to mount -rw
Click to expand...
Click to collapse
Thanks Loglud, but I still had trouble using adb. It's like I don't have root from adb? I get permission errors on mkdir and remounting etc?
Weird that the 'adb shell mkdir /data/busybox' gave me permission errors?! It did work fine with the interactive adb shell - weird!?
After the initial 'push' command, I could install via:
Code:
mac-osx$ adb shell
$ su root
# cd /data/local
# chmod 755 busybox
# ls -l
-rwxr-xr-x shell shell 1745016 2011-11-21 00:21 busybox
# mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
# mkdir ../busybox
# ./busybox --install
Also, is the line:
Code:
# ln -s /data/local/busybox /system/bin/busybox
not supposed to be
Code:
# ln -s /data/busybox /system/bin/busybox
Things went weird on me in the final step, but I did manage to get all the hard linked busybox files to show up in /system/bin eventually, so I'm a happy camper.
EDIT: PS my mount on data is as follows..
Code:
# mount|grep /data
/dev/block/platform/mmci-omap-hs.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,data=ordered 0 0
EDIT2:
Hmmm... seems like maybe my /data folder has weird permissions - if so not sure why?...
Code:
# cd /
# ls -l | grep '\<data\>'
drwxrwx--x system system 2011-11-21 18:25 data
# chmod 777 data

kgingeri said:
Thanks Loglud, but I still had trouble using adb. It's like I don't have root from adb? I get permission errors on mkdir and remounting etc?
Weird that the 'adb shell mkdir /data/busybox' gave me permission errors?! It did work fine with the interactive adb shell - weird!?
After the initial 'push' command, I could install via:
Code:
mac-osx$ adb shell
$ su root
# cd /data/local
# chmod 755 busybox
# ls -l
-rwxr-xr-x shell shell 1745016 2011-11-21 00:21 busybox
# mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
# mkdir ../busybox
# ./busybox --install
Also, is the line:
Code:
# ln -s /data/local/busybox /system/bin/busybox
not supposed to be
Code:
# ln -s /data/busybox /system/bin/busybox
Things went weird on me in the final step, but I did manage to get all the hard linked busybox files to show up in /system/bin eventually, so I'm a happy camper.
EDIT: PS my mount on data is as follows..
Code:
# mount|grep /data
/dev/block/platform/mmci-omap-hs.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,data=ordered 0 0
EDIT2:
Hmmm... seems like maybe my /data folder has weird permissions - if so not sure why?...
Code:
# cd /
# ls -l | grep '\<data\>'
drwxrwx--x system system 2011-11-21 18:25 data
# chmod 777 data
Click to expand...
Click to collapse
ok so whats happening? i modified the guides and i was hopping that would help you. The command is
Code:
# ln -s /data/local/busybox /system/bin/busybox
and as for your permissions it seems as though your root since your in the # shell but, you have to change the permissions on your /system folder not the /data folder the permsisions on the data file should be fine since i think shell is a member of system, so you can put all your data in there.

Loglud said:
ok so whats happening? i modified the guides and i was hopping that would help you. The command is
Code:
# ln -s /data/local/busybox /system/bin/busybox
and as for your permissions it seems as though your root since your in the # shell but, you have to change the permissions on your /system folder not the /data folder the permsisions on the data file should be fine since i think shell is a member of system, so you can put all your data in there.
Click to expand...
Click to collapse
Yeah, I'm root in the 'adb shell' because I 'su root' but adb commands fail from the Mac shell. I'll reboot my NT and give you the script. My /data permissions get reset when I reboot...
Here you are as it happens
MBAir$ ls busybox
busybox
MBAir$ adb push ./busybox /data/local
2881 KB/s (1745016 bytes in 0.591s)
MBAir$ adb shell mkdir /data/busybox
mkdir failed for /data/busybox, Permission denied​
Of course there is no point continuing until I do the following...
MBAir$ adb shell
$ su root
# chmod 777 /data
# exit
$ exit
MBAir$ adb shell mkdir /data/busybox
MBAir$ adb shell chmod 777 /data/local/busybox
MBAir$ adb shell /data/local/busybox --install
MBAir$ adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
mount: Operation not permitted​
To get around the last error, I had to do another 'adb shell', 'su root' and do 'ln' commands manually.
(I actually ran a shell 'for loop' on the tablet, using all files found in /data/busybox as a list and issued ln commands for each against a copy of busybox in /system/bin)

kgingeri said:
Yeah, I'm root in the 'adb shell' because I 'su root' but adb commands fail from the Mac shell. I'll reboot my NT and give you the script. My /data permissions get reset when I reboot...
Here you are as it happens
MBAir$ ls busybox
busybox
MBAir$ adb push ./busybox /data/local
2881 KB/s (1745016 bytes in 0.591s)
MBAir$ adb shell mkdir /data/busybox
mkdir failed for /data/busybox, Permission denied​
Of course there is no point continuing until I do the following...
MBAir$ adb shell
$ su root
# chmod 777 /data
# exit
$ exit
MBAir$ adb shell mkdir /data/busybox
MBAir$ adb shell chmod 777 /data/local/busybox
MBAir$ adb shell /data/local/busybox --install
MBAir$ adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
mount: Operation not permitted​
To get around the last error, I had to do another 'adb shell', 'su root' and do 'ln' commands manually.
(I actually ran a shell 'for loop' on the tablet, using all files found in /data/busybox as a list and issued ln commands for each against a copy of busybox in /system/bin)
Click to expand...
Click to collapse
re run zergRush exploit. your adb shell is defaulting to the shell username. by rerunning the zergy you will allow for yourself to use the adb shell as root. make sure you dont run it as the root user though. you are also more then welcome to hop in irc and ask questions.

Any one having difficulty rooting or see anything that needs to be updated?

[Q]Ihelp, I can't root my HDX 8.9, /system/bin/sh: chmod: not found

I have rooted my hdx8.9, and then I reroot it. Now I have some problem, I want to root my hdx again, but Ican't root it again, I have pushed the 4 files, but it didn't continue. It shows
Waiting for device ...
Pushing files ...
push: .\scripts\superuser/superuser.sh -> /data/local/tmp/superuser.sh
push: .\scripts\superuser/Superuser.apk -> /data/local/tmp/Superuser.apk
push: .\scripts\superuser/su -> /data/local/tmp/su
push: .\scripts\superuser/exploit -> /data/local/tmp/exploit
4 files pushed. 0 files skipped.
3401 KB/s (2845659 bytes in 0.817s)
/system/bin/sh: chmod: not found
/system/bin/sh: chmod: not found
Running the exploit ...
/system/bin/sh: /data/local/tmp/exploit: can't execute: Permission denied
Check the output. Does it looks fine?
What can I do, I want to full restore to stock rom to fix some proble as the post 'http://forum.xda-developers.com/showthread.php?t=2582773' says, but it
need your device rooted first.
Thanks.

Show us the script body you're pushing.
If you're using some ready scripts I assume the name of it is superuser.sh

CrashThump said:
Show us the script body you're pushing.
If you're using some ready scripts I assume the name of it is superuser.sh
Click to expand...
Click to collapse
I use the tool from the post “[ROOT] Rooting tutorial - hdx 8.9" 14.3.1.0” http://http://forum.xda-developers.com/showthread.php?t=2545957

@sdcardsd, Did you tried to use expression '/system/bin/toolbox chmod' instead of '/system/bin/chmod' in rootme.sh? For me it seems that you've lost the symlink. This may be caused by some busybox installation and removal.

CrashThump said:
@sdcardsd, Did you tried to use expression '/system/bin/toolbox chmod' instead of '/system/bin/chmod' in rootme.sh? For me it seems that you've lost the symlink. This may be caused by some busybox installation and removal.
Click to expand...
Click to collapse
I don't know whether I use these expression '/system/bin/toolbox chmod' instead of '/system/bin/chmod' in rootme.sh, I only use the tools to root my kindle. But I really installed busybox and then removal it by recovery to the factory reset after I reroot my device. Then I have some problem on my kindle, I think the system files be destoryed, so I want to full restore the original ROM, but I can't root my device again. And if it is caused by losing the symlink, how to fix it ? Thanks.

@sdcardsd, then make a suggested replace

CrashThump said:
@sdcardsd, then make a suggested replace
Click to expand...
Click to collapse
The only way is to replace my device? But it is very inconvenient for me, I'am not in America.

15 8556535
@sdcardsd, just replace '/system/bin/chmod' by '/system/bin/toolbox chmod' in 'rootme.sh' file.

CrashThump said:
@sdcardsd, just replace '/system/bin/chmod' by '/system/bin/toolbox chmod' in 'rootme.sh' file.
Click to expand...
Click to collapse
#!/system/bin/sh
/system/bin/mount -o remount,rw /system
/system/bin/cat /data/local/tmp/su > /system/xbin/su
/system/bin/chown 0.0 /system/xbin/su
/system/bin/chmod 06755 /system/xbin/su
your mean I modify the rootme.sh into
#!/system/bin/sh
/system/bin/mount -o remount,rw /system
/system/bin/cat /data/local/tmp/su > /system/xbin/su
/system/bin/chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 06755 /system/xbin/su

CrashThump said:
@sdcardsd, just replace '/system/bin/chmod' by '/system/bin/toolbox chmod' in 'rootme.sh' file.
Click to expand...
Click to collapse
I have replace the rootme.sh into
/system/bin/sh
/system/bin/mount -o remount,rw /system
/system/bin/cat /data/local/tmp/su > /system/xbin/su
/system/bin/chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 06755 /system/xbin/su
but it didn't work
the display is
======================================================================
======================================================================
Welcome to Kindle Root Utility (Faznx92 version)
Special Thanks to:
jcase
fi01
======================================================================
======================================================================
WARNING THIS WORKS ONLY WITH KINDLE HDX 8.9" version 14.3.1.0
======================================================================
======================================================================
Please connect Device with enabled USB-Debugging to your Computer!
Device connected. Pushing files...
680 KB/s (104564 bytes in 0.150s)
1 KB/s (196 bytes in 0.168s)
2024 KB/s (507888 bytes in 0.245s)
Changing permissions...
/system/bin/sh: chmod: not found
/system/bin/sh: chmod: not found
Executing Exploit (could take some minutes, be patient!)
Hit ENTER to continue
/system/bin/sh: /data/local/tmp/exploit: can't execute: Permission denied
Type "su" to check for root!
/system/bin/sh: /system/etc/mkshrc[8]: id: not found
 @android:/ $
@android:/ $ su
su
/system/bin/sh: su: not found
127 @android:/ $

same for lines 24-25 of runme.bat
Code:
adb shell chmod 755 /data/local/tmp/rootme.sh
adb shell chmod 755 /data/local/tmp/exploit
change to
Code:
adb shell /system/bin/toolbox chmod 755 /data/local/tmp/rootme.sh
adb shell /system/bin/toolbox chmod 755 /data/local/tmp/exploit

CrashThump said:
same for lines 24-25 of runme.bat
Code:
adb shell chmod 755 /data/local/tmp/rootme.sh
adb shell chmod 755 /data/local/tmp/exploit
change to
Code:
adb shell /system/bin/toolbox chmod 755 /data/local/tmp/rootme.sh
adb shell /system/bin/toolbox chmod 755 /data/local/tmp/exploit
Click to expand...
Click to collapse
I replace the runme.bat
the display is changed, but it didn't work.
======================================================================
======================================================================
Welcome to Kindle Root Utility (Faznx92 version)
Special Thanks to:
jcase
fi01
======================================================================
======================================================================
WARNING THIS WORKS ONLY WITH KINDLE HDX 8.9" version 14.3.1.0
======================================================================
======================================================================
Please connect Device with enabled USB-Debugging to your Computer!
Device connected. Pushing files...
1041 KB/s (104564 bytes in 0.098s)
2 KB/s (196 bytes in 0.083s)
2128 KB/s (507888 bytes in 0.233s)
Changing permissions...
Executing Exploit (could take some minutes, be patient!)
Hit ENTER to continue
press any key to continue. . .
Device detected: KFAPWI (JDQ39)
Attempt acdb exploit...
KFAPWI (JDQ39) is not supported.
Attempt fj_hdcp exploit...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem
Attempt put_user exploit...
/data/local/tmp/rootme.sh[2]: /system/bin/mount: not found
/data/local/tmp/rootme.sh[3]: can't create /system/xbin/su: Read-only file syste
m
Unable to chown /system/xbin/su: No such file or directory
Unable to chmod /system/xbin/su: No such file or directory
press any key to continue. . .
Type "su" to check for root!
/system/bin/sh: /system/etc/mkshrc[8]: id: not found
 @android:/ $ SU
SU
/system/bin/sh: SU: not found
127 @android:/ $

Hummmm. I'm looking into this but can't this week I'm super busy. I don't have the 8.9" I have the 7" so it is hard for me to test. I'm not sure if moving the rootme.sh was a good idea. I think the exploit code isn't finding it. You may need a rebuild of the exploit file. I say throw your question in here to see if someone can help. Still, just hope for the best.

@sdcardsd,
Code:
#!/system/bin/sh
/system/bin/toolbox mount -o remount,rw /system
/system/bin/toolbox cat /data/local/tmp/su > /system/xbin/su
/system/bin/toolbox chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 6755 /system/xbin/su
/system/bin/toolbox ln -s /system/xbin/su /system/bin/su

CrashThump said:
@sdcardsd,
Code:
#!/system/bin/sh
/system/bin/toolbox mount -o remount,rw /system
/system/bin/toolbox cat /data/local/tmp/su > /system/xbin/su
/system/bin/toolbox chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 6755 /system/xbin/su
/system/bin/toolbox ln -s /system/xbin/su /system/bin/su
Click to expand...
Click to collapse
I replace the rootme.sh into
#!/system/bin/sh
/system/bin/toolbox toolbox mount -o remount,rw /system
/system/bin/toolbox cat /data/local/tmp/su > /system/xbin/su
/system/bin/toolbox chown 0.0 /system/xbin/su
/system/bin/toolbox chmod 06755(or 6755) /system/xbin/su
/system/bin/toolbox ln -s /system/xbin/su /system/bin/su
but it didn't work
======================================================================
======================================================================
Welcome to Kindle Root Utility (Faznx92 version)
Special Thanks to:
jcase
fi01
======================================================================
======================================================================
WARNING THIS WORKS ONLY WITH KINDLE HDX 8.9" version 14.3.1.0
======================================================================
======================================================================
Please connect Device with enabled USB-Debugging to your Computer!
Device connected. Pushing files...
1215 KB/s (104564 bytes in 0.084s)
5 KB/s (284 bytes in 0.050s)
2194 KB/s (507888 bytes in 0.226s)
Changing permissions...
Executing Exploit (could take some minutes, be patient!)
Hit ENTER to continue
press any key to continue. . .
Device detected: KFAPWI (JDQ39)
Attempt acdb exploit...
KFAPWI (JDQ39) is not supported.
Attempt fj_hdcp exploit...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem
Attempt put_user exploit...
link failed File exists
press any key to continue. . .
Type "su" to check for root!
/system/bin/sh: /system/etc/mkshrc[8]: id: not found
 @android:/ $ su
su
[email protected]:/ #

Faznx92 said:
Hummmm. I'm looking into this but can't this week I'm super busy. I don't have the 8.9" I have the 7" so it is hard for me to test. I'm not sure if moving the rootme.sh was a good idea. I think the exploit code isn't finding it. You may need a rebuild of the exploit file. I say throw your question in here to see if someone can help. Still, just hope for the best.
Click to expand...
Click to collapse
Thanks, I will wait for the good news.

@sdcardsd, what didn't work? you've got the su working. you've got the root.

CrashThump said:
@sdcardsd, what didn't work? you've got the su working. you've got the root.
Click to expand...
Click to collapse
I can rostore my device, thanks.

sdcardsd said:
But I didn't have the Superuser，and I can‘t edit the system file， such as the build.prop, it don't have the root right. and the root explorer also can't be opened.
Click to expand...
Click to collapse
this root exploit doesn't auto-install superuser (well it didn't for me), you either have to side-load it or get it through a store. Also if root explorer isn't working have you tried es file explorer? Additionally, you'll have to remount the system folder as rw before you can edit any system files. This can be done through adb shell with the command "mount -o rw,remount /system" after you use the su command. Just as a forewarning, be super careful when editing everything, the kindle is super sensitive to build.prop changes. I boot looped early on, so just as a warning.

S_transform said:
this root exploit doesn't auto-install superuser (well it didn't for me), you either have to side-load it or get it through a store. Also if root explorer isn't working have you tried es file explorer? Additionally, you'll have to remount the system folder as rw before you can edit any system files. This can be done through adb shell with the command "mount -o rw,remount /system" after you use the su command. Just as a forewarning, be super careful when editing everything, the kindle is super sensitive to build.prop changes. I boot looped early on, so just as a warning.
Click to expand...
Click to collapse
Thanks, I have full restore my device, and I think all is ok now.