Hello everyone!
You may or may not know me, however I have secretly been working behind the scenes with ChiefzReloaded to learn how Android works. Together we have been trying to develop new ways to root the Slide, primarily because we both landed in a sticky situation that left us both without root and without a way to revert to root.
After many long hours of trying to restore my phone, I have now ported the exploid exploit to the MyTouch Slide! This means that you can gain root on any version of the Slide, INCLUDING the latest OTA! However, this isn't necessarily "easy" as in the One-Click Root program, but there are reasons for this. While Android is running we cannot write to /system and even if we force Linux to let us, the NAND protection will prevent Linux from completing the write!
To get started, please see the bottom of this post for the link and download it. You will want to download it to your computer and not your phone's SD card. Also, you will need the tools from the Android SDK. I would suggest extracting the file from my zip at the bottom of this page into the Android SDK's tools directory.
1. Extract the zip.
2. Make sure your phone is in USB debugging mode AND you are in "Charge Only" mode.
3. Connect your phone to your computer.
4. Make sure you're in the same directory as where exploid is extracted before continuing to the next step.
5. Issue the following command: adb push exploid /sqlite_stmt_journals. Note: It MUST be in that directory - NO exceptions.
6. Run: adb shell
7. Run: cd /sqlite_stmt_journals
8. Run: chmod 0755 exploid
9. Run: ./exploid
10. Toggle your phone's Wifi (on or off, however you wish to do that).
11. Now (again) run: ./exploid (if prompted for a password enter: secretlol)
12. The next line should now begin with a pound (#) - if not, then something isn't set up right. Make sure to follow the directions verbatim. If you suspect you did follow them correctly, please reply to this post letting me know.
You should now be root! At this point you can do many things, but if you're looking to flash a custom ROM, continue to these instructions:
[NEW 10/18/2010:]
Steps 1-12 are intended to get you the ability to flash mtd0.img (which previously required using the SimpleRoot method) by gaining root inside of Android. By following the instructions in the rest of this section, it will allow you to flash a ROM or S-OFF your device:
The files you need are at: http://forum.xda-developers.com/showthread.php?t=703076 - download both files linked in there (ESPRIMG.zip and SlideEng-package.zip)
Extract the contents of SlideEng-package.zip to a place of your choosing on your computer.
Place the entire (unextracted) ESPRIMG.zip on your SDcard.
Now push the files 'flash_image' and 'mtd0.img' that you just extracted from SlideEng-package.zip to /data/local using 'adb push'. (Noob? Instead of using 'adb push', install Droid Explorer and, using that utility, copy the 'flash_image' and 'mtd0.img' files to /data/local on your Slide)
Now I'm going to assume your phone is at root prompt (#) using steps 1-12. So now do (without typing the '#' symbols in front of both lines - they're just there to remind you that you need to be at a '#' prompt):
Code:
# cd /data/local
# chmod 04755 flash_image
# ./flash_image misc mtd0.img
Before you reboot make sure that the ESPRIMG.zip is on your SDcard!
Now turn off the phone.
Then press Volume-Down + Power.
The phone will power on and after about 5 minutes of verifying ESPRIMG.zip it will ask you if you want to flash it.
Press Volume-Up for 'YES' and wait until it finishes (ABSOLUTELY DO NOT POWER DOWN WHILE IT'S STILL FLASHING!!!).
Now when you go into recovery it should allow you to 'Apply update.zip from sdcard' (booting into Clockwork). If you don't have the Clockwork update.zip, here it is: http://www.4shared.com/file/OTRU7T3y/update_2.html (rename to update.zip after downloading since it's currently update_2.zip, then place it on your sdcard).
[/NEW 10/18/2010]
[NEW 12/30/2010]
Optional: Now that you're rooted you might want to disable all flash memory protections so you can permanently flash Clockworkmod (recovery - no more using an update.zip!) as well as other random things. Check here for details: http://forum.xda-developers.com/showthread.php?t=798168
[/NEW 12/30/2010]
CREDIT GOES TO:
- ChiefzReloaded! (For helping me learn the intricacies of Android and patiently answering all of my questions)
- 743C (For developing the original exploit)
Source code: (Yes, it's hackish. I was just trying to figure out why the system kept rebooting and haven't cleaned up the code since) download
DOWNLOAD:
http://www.4shared.com/file/CZsxSq-f/exploid.html
DONATE:
(Anything helps!)
(Some people may wonder why this is special compared to the One Click Root application. What's important is that One Click Root doesn't work on Slides running production/retail software, likely the same problem I had to fix to get exploid to work in my version.)
That's what's up!!
If you be trollin then YOU BES TRAWLLIN
But if not then good job nb!
Sent from my T-Mobile myTouch 3G Slide using XDA App
Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!
falken98 said:
Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!
Sure, I was getting around to that - and I understand your concern. I'll post it in a second.
falken98 said:
Can you provide the source? No offense, but I tend not to run homebrew C programs that I didn't compile myself.
Thanks for all the work!
You think nb is distributing a virus disguised as a root method?
Waaaaaat
Sent from my T-Mobile myTouch 3G Slide using XDA App
r0man said:
You think nb is distributing a virus disguised as a root method?
Waaaaaat
It is a bit funny, but I do understand his concern. I've posted the source code into the original post. Compiling it should result in the same hash as the binary I posted.
Good to see this I suggested this in another thread glad to see it in use thanks a bunch
nbetcher said:
It is a bit funny, but I do understand his concern. I've posted the source code into the original post. Compiling it should result in the same hash as the binary I posted.
I'll take a look at it when I get home.
ilostchild said:
Good to see this I suggested this in another thread glad to see it in use thanks a bunch
I actually had to do a lot of work on it. It doesn't quite work the same as the original exploid simply because the original exploid crashes the entire system and reboots. This causes the rootshell to never be committed to NAND and thus you get nowhere. I had to keep playing with things until I found a different method that works. It took several hours of me being upset with it, but watched the latest Burn Notice, came back to it, and BAM I had a stroke of genius.
where is rootshell? i can't execute rootshell nor can i "cp" any files from sdcard however i do have a # instead of a $
Armyjon88 said:
where is rootshell? i can't execute rootshell nor can i "cp" any files from sdcard however i do have a # instead of a $
Ignore that portion of the instructions provided by the program. As I stated, this is not intended for non-developers at this point. The # is your indication that you're running as root.
I am headed to work, but I don't usually have much going on there - I will be setting up a much cleaner system/environment for non-developers to work with and perma-root their phones with over the next few hours. Stay tuned!
Sweet
Sent from my T-Mobile myTouch 3G Slide using XDA App
having # and running as root as stated before u can actually follow with eng and then custom recovery and ur choice's rom..pls correct me if im wrong..thanx
statuzz said:
having # and running as root as stated before u can actually follow with eng and then custom recovery and ur choice's rom..pls correct me if im wrong..thanx
i'm also wondering the same thing, because i got the exploid working, and i have the # in the shell, but when i go to follow the instructions to flash the eng-release, i can't cd to any different dirs, nor can i push any files to the phone. i have the ESPRIMG.zip copied to my sdcard, so could i just reboot into recovery and flash the nbh from there? any help is appreciated.
nbetcher said:
Ignore that portion of the instructions provided by the program. As I stated, this is not intended for non-developers at this point. The # is your indication that you're running as root.
I am headed to work, but I don't usually have much going on there - I will be setting up a much cleaner system/environment for non-developers to work with and perma-root their phones with over the next few hours. Stay tuned!
Let me know if you want to work together on some kind of one-click root app for the Slide. If the commands work through the terminal on the phone itself rather than via adb, I could probably make this into an app already, but since you're working on a more non-developer-friendly version, I'll just wait until that's out
televate said:
i'm also wondering the same thing, because i got the exploid working, and i have the # in the shell, but when i go to follow the instructions to flash the eng-release, i can't cd to any different dirs, nor can i push any files to the phone. i have the ESPRIMG.zip copied to my sdcard, so could i just reboot into recovery and flash the nbh from there? any help is appreciated.
I'm delaying the release of my non-developer program for another couple hours.
As far as what you said above, all you need to do after gaining the # prompt is (in a separate window):
adb push flash_image /data/local
adb push mtd0.img /data/local
(switch back to your # adb shell, then type:)
cd /data/local
chmod 04755 flash_image
./flash_image misc mtd0.img
Then reboot and apply the ESPRIMG.zip. All of these files are found on the same post that I referenced in my OP. These instructions are all in that same page.
televate said:
i'm also wondering the same thing, because i got the exploid working, and i have the # in the shell, but when i go to follow the instructions to flash the eng-release, i can't cd to any different dirs, nor can i push any files to the phone. i have the ESPRIMG.zip copied to my sdcard, so could i just reboot into recovery and flash the nbh from there? any help is appreciated.
I'm also stuck since I'm not sure if you can update to eng from the OTA. But first I want to personally thank the OP & CR for providing this.
This would be great for a One Click method
this would be nice to work into a one click root!
And This did work for me!
Does this root method get /system mounted when Android is running? In short, do we finally get metamorph and root explorer working?
https://sites.google.com/site/mophocorner/
Site to help with everything Motorola Photon 4G.
Hoping to help with newbies that want to flash, root, unlock, etc. before they get stuck and have to wait for replies to fix their phone. Hopefully this guide will just work and they won't HAVE to post for help. That is the point of this at least! Let me know if there is anything I can add or change and I will gladly give it some thought!
Thanks!
I have updated the page, just so everyone knows!! Check it out!!! Let me know if I am missing anything.
Sent from my Xoom using XDA
The photon torpedo method is needed to root the 2.3.5 version just released.
Sent from my MB855 using Tapatalk 2
THANKS!
Thank you for that. Added the Torpedo root method! =]
Thanks for putting all that info into one spot! Definitely helps out that much more as it is somewhat easier to refer to rather than bouncing from one post to another here in the forums! I would imagine it'll help out many people (including me!).
I'm still fairly new to some things and some times the added explanation of certain topics and/or issues is what's needed to get the job done!
Also, as far as the *photon-torpedo* root method goes... I used that method without an issue on Android 2.3.4. After updating to Android 2.3.5 the other day, I used that same method again without issue and it worked perfectly! Unfortunately (at least from what I've read), being that I updated to 2.3.5, I won't be able to unlock the bootloader as of right now. Not really something I'm too concerned about, being that I hadn't prior to the update anyway.
Sent from my MB855 using Tapatalk 2
I hate to be that guy but this is certainly relevant to the discussion at hand. I used the Photon Torpedo method originally when it first came out. Since then I have kept it stock and performed the OTA updates as they come. After each update I just run the last two commands:
/data/tmp/photon-torpedo.sh
/data/tmp/install-su.sh
Always worked in the past. I just got updated to the new "2.3.5" and I can't seem to get root back. The photon-torpedo script has multiple errors "libpcprofile.so cannot be loaded as audit interface" and "permission denied". Consequently the install-su script doesn't succeed. Can't mount /system as RW and everything is permission denied.
Worst part is that the SU binary still exists in /system/bin/su but I can't use it. I get permission denied on everything I try.
Am I borked? Is there something I have forgotten?
Jleeblanch, are you using the new update from Motorola from the soak test?
Grep,
To answer your question, yes. The new update unroots your device so you will have to re-root using the photon-torpedo method again.
I was rooted prior to the update with that method and after the update I was un-rooted! Trying to re-root using Terminal Emulator on device wouldn't work. Got "permissions denied" when running the tar command. But, using adb on the computer worked without a problem!
So basically, just redo the torpedo root method from step 1 and you'll successfully get root back guaranteed!!
Hope that helps!
Also, I had the SU binary in place as you did along with other root specific apps. Those apps are pretty much worthless until you gain root again.
It has been confirmed in the "soak" that 2.3.5 update will completely un-root your device...
Sent from my MB855 using Tapatalk 2
nice. should come in handy for others. even me cuz im kind of a noob.... waiting for way around locked bootloader after 2.3.5 ota
Sent from my Motorola Electrify using XDA
Grep_The_Truth said:
I hate to be that guy but this is certainly relevant to the discussion at hand. I used the Photon Torpedo method originally when it first came out. Since then I have kept it stock and performed the OTA updates as they come. After each update I just run the last two commands:
/data/tmp/photon-torpedo.sh
/data/tmp/install-su.sh
Always worked in the past. I just got updated to the new "2.3.5" and I can't seem to get root back. The photon-torpedo script has multiple errors "libpcprofile.so cannot be loaded as audit interface" and "permission denied". Consequently the install-su script doesn't succeed. Can't mount /system as RW and everything is permission denied.
Worst part is that the SU binary still exists in /system/bin/su but I can't use it. I get permission denied on everything I try.
Am I borked? Is there something I have forgotten?
Jleeblanch, are you using the new update from Motorola from the soak test?
Sent from my MB855 using Tapatalk 2
Root
You could always use root-keeper from the market if you're lazy like me.
the link to the download torpedo is not working
spursrob said:
the link to the download torpedo is not working
The Imperium has your back. I will be upping a new guide and Root-Unlock-Relock pack soon but hosting is changing servers so for now torpedo is attached to this post.
Lokifish Marz said:
The Imperium has your back. I will be upping a new guide and Root-Unlock-Relock pack soon but hosting is changing servers so for now torpedo is attached to this post.
Clearly, I am retarded....I have studied this post 15 times but I can't find any way to see an attachment. Where is it?
cool old lady said:
Clearly, I am retarded....I have studied this post 15 times but I can't find any way to see an attachment. Where is it?
try it now, post 6. Are you on 2.3.4 or 2.3.5? If you're on 2.3.4 then just use the root/unlock/relock pack (the link is at the top of post 6).
OK - I see it now and I've downloaded it - thank you very much. I am on 2.3.5 from the soak test.
Are these still the correct/only instructions? If so I may still be in trouble...my "favorite method....into /data/tmp"? I don't know any method, much less have a favorite.
Instructions:
Use your favorite method to get photon-torpedo.tar into /data/tmp
Install Superuser from the Market
Install Android Terminal Emulator from the Market
Run Android Terminal Emulator
Run cd /data/tmp
Run /bin/tar xf /data/tmp/photon-torpedo.tar
Run /data/tmp/photon-torpedo.sh
Run /data/tmp/install-su.sh
I'm actually on my way to bed. I will write a more detailed walkthrough tomorrow and post it in the Photon Compendium. Eventually I plan to script the entire process but am working on unified webtop stuff right now.
Grep_The_Truth said:
I hate to be that guy but this is certainly relevant to the discussion at hand. I used the Photon Torpedo method originally when it first came out. Since then I have kept it stock and performed the OTA updates as they come. After each update I just run the last two commands:
/data/tmp/photon-torpedo.sh
/data/tmp/install-su.sh
Always worked in the past. I just got updated to the new "2.3.5" and I can't seem to get root back. The photon-torpedo script has multiple errors "libpcprofile.so cannot be loaded as audit interface" and "permission denied". Consequently the install-su script doesn't succeed. Can't mount /system as RW and everything is permission denied.
Worst part is that the SU binary still exists in /system/bin/su but I can't use it. I get permission denied on everything I try.
Am I borked? Is there something I have forgotten?
Jleeblanch, are you using the new update from Motorola from the soak test?
Me too, had to use one click Root (20 times)
Navigate to the Android Market and install the “Superuser” application from ChainsDD
Download and extract 22MB Root-Unlock-Relock.zip from the Imperium website
Go to the "rsd drivers" folder located in the Root-Unlock-Relock folder and install the drivers for your system (32bit or 64bit windows)
Download photon-torpedo.tar
Place photon-torpedo.tar in the "AIO Root" folder located in the Root-Unlock-Relock folder
On your phone, in menu/settings/applications/development make sure usb debugging is checked
Connect your phone to your computer and select "charging" mode from the connections options in notifications
From the "AIO Root" folder, double click the "Command Prompt" shortcut
Type the following commands:
adb push photon-torpedo.tar /data/tmp
adb shell
cd /data/tmp
/bin/tar xf /data/tmp/photon-torpedo.tar
/data/tmp/photon-torpedo.sh
/data/tmp/install-su.sh
Ignore the errors when running torpedo and let the process complete.
Once I get some free time I'll write a single script covering everything from rooting to SBFing back to stock. My goal is to get any given process down to ten keystrokes or less.
Hmph. Well....I think it worked. Root Checker says "congrats" - but wasn't it supposed to wipe all my stuff from the phone or something?
no root doesn't wipe data. (neither does unlock if done right)
Sent from my mopho
Yep, you read that right and I'm not trolling. THE ZMAX IS ROOTED!!
Disclaimer and N00Bproof warning:
We have root, yes, but that doesn't mean get hasty. At the moment, there are partition images (system, boot and recovery) in my and other users' possession (free of access to all), but we don't have a working recovery at the moment and this process involves deleting the stock recovery (it will make sense later). So, if you screw up and get root-happy, there's no way to recover until we get a recovery and a custom rom, and even then you might be screwed because we don't have access to the bootloader to use fastboot. Things may change, but root-use with caution.
Also, once you root, DO NOT TAKE ETAs from T-Mo and ZTE!!!!!!! Now that we have root, we can capture the OTA and make it root-friendly. To make a long story short, the updater-script (thing that tells your recovery where and how to flash stuff) has a list of stuff it has to... well... flash. If you, for example, delete the stock ZTE Music app, and the ETA replaces the app with a new version, it's going to stop (because the script requires a REPLACEMENT and not a PLACEMENT, computers don't have the best common sense), then it will interrupt and you will likely be bricked. This shouldn't be a problem because you don't have a recovery to begin with, but I'm not taking chances here.
NOW! Let's Root. This is a long process, so don't expect to do anything for a good 10-20 minutes.
FIRST: KINGROOT
This is one of those things where your mileage may vary, there have been many different ways to get KingRoot (not King"O"Root, two different apps) to work, but this one was the one that worked for me. I'll also place alternate KingRoot methods in the second post if you wanna try those. Just for the sake of knowledge, this was run on a T-Mobile ZTE ZMAX, Android 4.4.2, build 22. I don't know if it makes a difference that I factory reset my phone before doing another round of root attempts (not this one specifically, maybe a couple hours worth of attempts).
Credits to @fire3element for this method.
1) Download KingRoot APK from here (the first one with the image of the phone if you are on the desktop site).
2) Install KingRoot and run it. It will restart the phone, and it will fail (or, if you have some Android God luck, it may succeed), this is supposed to happen.
3) Clear KingRoot's cache and data (in that order) and power off the phone (not reboot). Then, power it back on again.
4) Now this is where things get... well complicated for this part. You are going to need to load your RAM with a bunch of processor heavy stuff. The person that made this method used CounterSpy and Final Fantasy Type-0 in the PPSSPP v1.0.1-411 emulator, but for those of you that don't have access to that, get creative and load up. Here is what I had running (all at the same time, mind you).
Note: Force Stop Task Manager in the app settings first or it will purge to free memory automatically and this won't work.
1. Next Launcher Lite
2. Apex Launcher
3. Nova Launcher
4. Cheetah Launcher
5. CM Launcher
6. Mi Launcher
7. 25 tabs on Google Chrome (No joke)
8. Both Temple Runs
9. Fruit Ninja
10. Google Play Store
11. Google Now
12. Google Play
13. Amazon
14. Google Play Music
Mine was definitely a bit extreme but I knew all of this stuff would guarantee a good memory hogging.
5) Run all of your apps at the same time. The TL;DR for this is that apparently it's some exploit that the app uses as a buffer overflow. Now, go to settings and Force Stop KingRoot. Then Run it again. If it works, you should go from 0 to 100 real quick (no pun intended). It shouldn't progress slowly or reboot the phone to do this, but your journey does not stop here.
If you did it correctly, the screen from a successful root will have a green checkmark. Run RootChecker to verify root status.
SECOND: PERMA-ROOT
Now you need to permanently root the phone. This method was all @jcase, and simplified by another user. I encourage you to read JCase's original G+ post to learn something, as this guy is the master of exploits, and we are on XDA to learn.
Credits to @xtremeasure for the simplification of JCase's process.
1) Plug phone into computer...
2) Open cmd type "adb shell" (without quotes, moving forward, type all commands without quotes). This will open a terminal for the phone.
3) While in ADB Shell, type "su" to gain root shell privileges
4) Type "getprop ro.build.fingerprint"
Output for that command should be...
zte/P892T57/draconis:4.4.2/KVT49L/20140804.141306.18686:user/release-keys (the part with P892T57 may be different depending on what model ZMAX you have). If you haven't updated that number will be different, this is ok, just replace the number in the next command with whatever your output is.
5) type "setprop persist.sys.k P892T57"
6) type "getprop persist.sys.k" and your output should be your build number
7) type "cd /dev/block/platform/msm_sdcc.1/by-name/" to change directories so that we can back up your recovery image (remember I said something about that?) and set the boot to our recovery partition.
8) type "dd if=recovery of=/sdcard/recovery.img" to backup the recovery image.
9) type "dd if=boot of=recovery" to set recovery as boot. Another TL;DR is that this disables the write protection set by the stock recovery, allowing you to write to the system. It will mount the /system partition upon boot.
DELETE KINGUSER NOW
10) type "reboot recovery" and restart your phone. YOU MUST RESTART WITH THIS COMMAND!!!!! It will boot straight into Android, this is good, that means you haven't screwed up anything.
11) Reopen the adb shell (using "adb shell") in your command prompt or terminal (for OSX and Linux) and type "id". If your output is "uid=0(root) gid=0(root) context=u:r:shell:s0" then it worked...
12) Remount system as writable "mount -o rw,remount /system"
13) Manual install for supersu you can get that here: http://download.chainfire.eu/supersu
14) Type "exit" into the terminal/command and it should drop you back to your normal cmd...unzip the su zip anywhere you want in your cmd switch to that directory...
14B) I advise taking the "su" binary and "install-recovery.sh" file from the superSU folder you downloaded and putting them in the same place (on the desktop or wherever your adb.exe is if you didn't set $PATH on your computer). su can be found in the "arm" folder and install-recovery.sh can be found in the "common" folder. It is important to note that wherever your files are, you will have to type that path (if it isn't in the same directory as your adb). So, as an example, I put mine on the desktop, so I have to type "adb push ~/Desktop/su /data/local/tmp/su". If you do not know how to do that, then stop what you are doing and research it, as that's just too much to explain.
15) "adb push su /data/local/tmp/su"
16) "adb push install-recovery.sh /data/local/tmp"
17) Reenter adb shell with "adb shell"
18) Make sure system is mounted writable with "mount -o remount,rw /system"
19) Move the so files into place with these commands
"cat /data/local/tmp/su > /system/xbin/su"
"cat /data/local/tmp/su > /system/xbin/daemonsu"
"cat /data/local/tmp/install-recovery.sh > /system/etc/install-recovery.sh"
20) Give them all permissions
"chmod 755 /system/xbin/su"
"chmod 755 /system/xbin/daemonsu"
"chmod 755 /system/etc/install-recovery.sh"
21) Reboot your phone to complete install with "reboot"
22) After rebooting go into the play store and install the supersu app. It's going to tell you the su binary is out of date to fix that we need to open the adb shell on our pc again with "adb shell"
23) Reboot into recovery (you're really rebooting the system with r/w privileges) using "reboot recovery"
24) Once rebooted, open the app and update your binaries. Once finished, reboot and you're done: 100% perm rooted.
Now, you are rooted! If you did everything right, you should be good. Now people are going to ask, "Is there a script for this?" The short answer is No, don't hold your breath for something immediate. There was a user that said he would be happy to make one for the second half, but the writing, testing and verification of success alone on that will take some time, as the wrong line of code can make you end up with a good old fashioned paperweight. I can verify Xposed works fine, Viper4Android works fine, and if you try to delete system apps, they will just reinstall themselves (I recommend using "System App Remover (ROOT)" on the play store, as it will actually tell you which apps are and aren't safe to install). If you have any questions, after searching of course, feel free to ask. If I can't answer, some freaking body can lol.
CREDITS:
@tech_yeet for showing us the KingRoot
@jcase for his amazing work
@xtremeasure for his method
@fire3element for his method
@the zMAX Community for staying dedicated when the going got tough, it's been a long road. Here's to custom roms and a TWRP recovery!
Please share this with others, as there is a big community of people begging for this info, let's share the love . If I forgot to credit you, let me know and I'll fix that!
ADDITIONAL INFORMATION
If you by some chance flash the TWRP Recovery Image (found in post 2), and would like to revert back to root ability (being able to write to system). Please follow the steps below:
1. cd /dev/block/platform/msm_sdcc.1/by-name
2. su
3. dd if=/sdcard/recovery.img of=recovery
4. reboot recovery
Please make sure you have the recovery in your sdcard root folder.
Alternate Root Methods and ZTE Custom ROMs/Kernels/etc
If the above first part doesn't work for you, you can find alternative root methods
Alternate Method 1 HERE
Alternate Method 2 HERE
As I see more added, I'll add them here.
CUSTOM STUFF
TWRP Image for ZTE ZMAX
Q&A/Other [UPDATED MAY 13, 2015 @ 5:45PM]
If A question is asked and you feel like it needs to be here, please tag or DM me with the Q AND THE A so that I can do so.
OTHER:
Original Discussion Thread for the ZTE ZMAX
Please see fire3element's post on what each screen in the KingRoot app means
WHAT THE SCREENS MEAN IN THE APP
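A defender-side audit for the artifacts the three rooting procedures above leave on a device (the Slide and Photon threads and the ZMAX perma-root steps), added here as an example and not code from any poster. It flags the files those steps stage, any setuid file under /data, the persist.sys.k property, and a recovery partition that begins with a copy of boot. The listing format, function names and all sample data are constructed assumptions, and collecting the inputs from a device is left out.

```python
import re

# Paths the procedures on this page create or stage; presence alone is the
# indicator. /system/etc/install-recovery.sh is left out because stock builds
# can ship a file at that path too.
ARTIFACT_PATHS = {
    "/sqlite_stmt_journals/exploid": "exploid binary (Slide thread)",
    "/data/local/flash_image": "flash_image helper (Slide thread)",
    "/data/local/mtd0.img": "misc partition image (Slide thread)",
    "/data/tmp/photon-torpedo.sh": "photon-torpedo script (Photon thread)",
    "/data/tmp/install-su.sh": "install-su script (Photon thread)",
    "/data/local/tmp/su": "staged su binary (ZMAX step 15)",
    "/system/bin/su": "su binary (Photon thread)",
    "/system/xbin/su": "su binary (ZMAX step 19)",
    "/system/xbin/daemonsu": "su daemon (ZMAX step 19)",
}

# One `getprop` output line looks like: [key]: [value]
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_listing(text):
    """Yield (mode, path) from lines shaped 'MODE OWNER GROUP ... PATH'."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, headers and anything not starting with a mode string.
        if len(fields) < 2 or len(fields[0]) != 10 or fields[0][0] not in "-dlbcps":
            continue
        # For a symlink, the entry itself is the field before "->".
        if "->" in fields[2:]:
            yield fields[0], fields[fields.index("->") - 1]
        else:
            yield fields[0], fields[-1]


def audit_files(listing_text):
    """Return (path, reason) findings for a file listing."""
    findings = []
    for mode, path in parse_listing(listing_text):
        if path in ARTIFACT_PATHS:
            findings.append((path, ARTIFACT_PATHS[path]))
        # Mode position 3 is owner-execute; 's' or 'S' there means setuid,
        # which is what `chmod 04755 flash_image` produces.
        if mode[0] == "-" and mode[3] in "sS" and path.startswith("/data/"):
            findings.append((path, "setuid file under /data"))
    return findings


def audit_props(getprop_text):
    """Flag the persist.sys.k property that ZMAX step 5 sets."""
    props = {}
    for line in getprop_text.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    value = props.get("persist.sys.k")
    if value:
        return [("persist.sys.k", "set to %r (ZMAX step 5)" % value)]
    return []


def recovery_is_boot_copy(boot, recovery):
    """True if recovery starts with the boot image (ZMAX step 9).

    The partitions may differ in size, so only the shared prefix is
    compared; empty or all-zero dumps are never reported as a match.
    """
    n = min(len(boot), len(recovery))
    if n == 0 or not any(boot[:n]):
        return False
    return boot[:n] == recovery[:n]


# Constructed sample inputs (not taken from any real device).
SAMPLE_LISTING = """\
total 6
-rwxr-xr-x root     shell       5000 2015-05-13 17:45 /system/bin/sh
-rwxr-xr-x root     root      100000 2015-05-13 17:45 /system/xbin/su
-rwxr-xr-x root     root      100000 2015-05-13 17:45 /system/xbin/daemonsu
-rwsr-xr-x shell    shell      26000 2010-10-18 12:00 /data/local/flash_image
lrwxrwxrwx root     root             2015-05-13 17:45 /system/bin/su -> /system/xbin/su
-rw-rw-r-- shell    shell       1000 2015-05-13 17:45 /data/local/tmp/notes.txt
"""
SAMPLE_GETPROP = """\
[ro.build.fingerprint]: [zte/P892T57/draconis:4.4.2/KVT49L/20140804.141306.18686:user/release-keys]
[persist.sys.k]: [P892T57]
"""
BOOT = b"ANDROID!" + b"\x11" * 56
STOCK_RECOVERY = b"ANDROID!" + b"\x22" * 120
OVERWRITTEN_RECOVERY = BOOT + STOCK_RECOVERY[len(BOOT):]

if __name__ == "__main__":
    for item in audit_files(SAMPLE_LISTING) + audit_props(SAMPLE_GETPROP):
        print("%-32s %s" % item)
    print("recovery is a copy of boot:",
          recovery_is_boot_copy(BOOT, OVERWRITTEN_RECOVERY))
```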
That's a whole lot to swallow but I'm glad to see y'all can finally get rooted. Definitely not a method for noobs or the faint of heart but its a HUUUGE step in the right direction. Thanks to everyone responsible for this.
Hroark13 has TWRP - http://androidforums.com/threads/zte-zmax-twrp.918537/
mingolianbeef said:
Yep, you read that right and I'm not trolling. THE ZMAX IS ROOTED!!
Disclaimer and N00Bproof warning:
We have root, yes, but that doesn't mean get hasty. At the moment, there are partition images (system, boot and recovery) in my and other users' possession (free of access to all), but we don't have a working recovery at the moment and this process involves deleting the stock recovery (it will make sense later). So, if you screw up and get root-happy, there's no way to recover until we get a recovery and a custom rom, and even then you might be screwed because we don't have access to the bootloader to use fastboot. Things may change, but root-use with caution.
Also, once you root, DO NOT TAKE ETAs from T-Mo and ZTE!!!!!!! Now that we have root, we can capture the OTA and make it root-friendly. To make a long story short, the updater-script (thing that tells your recovery where and how to flash stuff) has a list of stuff it has to... well... flash. If you, for example, delete the stock ZTE Music app, and the ETA replaces the app with a new version, it's going to stop (because the script requires a REPLACEMENT and not a PLACEMENT, computers don't have the best common sense), then it will interrupt and you will likely be bricked. This shouldn't be a problem because you don't have a recovery to begin with, but I'm not taking chances here.
NOW! Let's Root. This is a long process, so don't expect to do anything for a good 10-20 minutes.
FIRST: KINGROOT
This is one of those things where your mileage may vary, there have been many different ways to get KingRoot (not King"O"Root, two different apps) to work, but this one was the one that worked for me. I'll also place alternate KingRoot methods in the second post if you wanna try those. Just for the sake of knowledge, this was run on a T-Mobile ZTE ZMAX, Android 4.4.2, build 22. I don't know if it makes a difference that I factory reset my phone before doing another round of root attempts (not this one specifically, maybe a couple hours worth of attempts).
Credits to @fire3element for this method.
If you did it correctly, the screen from a successful root will have a blue envelope with a checkmark. Run RootChecker to verify root status.
SECOND: PERMA-ROOT
Now you need to permanently root the phone. This method was all @jcase, and simplified by another user. I encourage you to read JCase's original G+ post to learn something, as this guy is the master of exploits, and we are on XDA to learn.
Credits to @xtremeasure for the simplification of JCase's process.
Now, you are rooted! If you did everything right, you should be good. Now people are going to ask, "Is there a script for this?" The short answer is No, don't hold your breath for something immediate. There was a user that said he would be happy to make one for the second half, but the writing, testing and verification of success alone on that will take some time, as the wrong line of code can make you end up with a good old fashioned paperweight. I can verify Xposed works fine, Viper4Android works fine, and if you try to delete system apps, they will just reinstall themselves (I recommend using "System App Remover (ROOT)" on the play store, as it will actually tell you which apps are and aren't safe to install). If you have any questions, after searching of course, feel free to ask. If I can't answer, some freaking body can lol.
CREDITS:
@tech_yeet for showing us the KingRoot
@jcase for his amazing work
@xtremeasure for his method
@fire3element for his method
@the zMAX Community for staying dedicated when the going got tough, it's been a long road. Here's to custom roms and a TWRP recovery!
Please share this with others, as there is a big community of people begging for this info, let's share the love. If I forgot to credit you, let me know and I'll fix that!
I have followed EVERYTHING step by step over and over again, and yet I still can't get this to work.
Basically, everything is fine up until reboot recovery.
It goes into Android, but I don't start off as root, I start off as if I wasn't rooted, and I always have to do "su" to gain privileges.
Afterwards, mount -o remount,rw /system/ does work but I can't write to it still for some reason.
Has anyone else gotten this!? Have any of you got a clue how to fix?
Here is some more info for those of you wondering what the KingRoot app is doing.
Screenshots will follow.
Text ABOVE the screenshot is for the image directly under it.
Let's begin -------------->
FIRST SCREEN WHEN YOU OPEN KINGROOT
SECOND SCREEN
- CLICK BUTTON TO BEGIN ROOT -
ROOTING IN PROGRESS...
ROOT FAILURE
[Blue Button]: SUBMIT (submits the error report to KingRoot devs)
ROOT FAILURE
ROOT FAILURE
NO DATA CONNECTION (WiFi or cellular signal required)
[Blue Button]: ANDROID SETTINGS MENU
SUCCESSFUL ROOT
IF YOU SEE THIS MESSAGE POP UP DURING ROOTING, JUST LEAVE IT ALONE. LET THE ROOT FINISH
SUCCESSFUL ROOT
[trash can]: [...]: [...]:
SUCCESSFUL ROOT
[Blue Button]: PURIFICATION (I believe this is similar to fixing permissions)
- CLICK IT AND LET IT RUN -
^ from clicking blue button above ^
PURIFICATION PROCESS
xIP- said:
I have followed EVERYTHING step by step over and over again, and yet I still can't get this to work.
Basically, everything is fine up until reboot recovery.
It goes into Android, but I don't start off as root, I start off as if I wasn't rooted, and I always have to do "su" to gain privileges.
Afterwards, mount -o remount,rw /system/ does work but I can't write to it still for some reason.
Has anyone else gotten this!? Have any of you got a clue how to fix?
Should just be mount -o remount,rw /system
No extra slash
Sent from my Z970 using XDA Free mobile app
---------- Post added at 04:40 PM ---------- Previous post was at 04:36 PM ----------
I would like the recovery image restore commands added. If people feel the need to recover and try again they should run these
cd /dev/block/platform/msm_sdcc.1/by-name
su
dd if=/sdcard/recovery.img of=recovery
reboot recovery
*edited to remove a potentially harmful command per jcase's advice*
Sent from my Z970 using XDA Free mobile app
xtremeasure said:
Should just be mount -o remount,rw /system
No extra slash
Sent from my Z970 using XDA Free mobile app
---------- Post added at 04:40 PM ---------- Previous post was at 04:36 PM ----------
I would like the recovery image restore commands added. If people feel the need to recover and try again they should run these
cd /dev/block/platform/msm_sdcc.1/by-name
su
dd if=boot of=boot
dd if=/sdcard/recovery.img of=recovery
reboot recovery
Sent from my Z970 using XDA Free mobile app
even with just one slash I still have a problem
Sent from my Z970 using XDA Free mobile app
Ok, so I am about to flash back the stock recovery from my backup and see if I can go through all these steps again to figure out what is going wrong.
I have a theory as to where and why KingUser is locking down SU in xbin. After I restore stock recovery, I will then Factory Reset and attempt to log my progress.
Stay tuned and I will try to report back later today. Hopefully with more insight on this problem.
@xIP-
Are you talking about pushing "su" , "daemonsu" , and "install-recovery.sh" files to /system ?
Keeps saying permission denied?
If that is the case, you can not. KingUser has a lock on system and is already in place as SU in /system/xbin
You will most likely need to factory reset and try again.
---------- Post added at 12:57 PM ---------- Previous post was at 12:37 PM ----------
UPDATE UPDATE!!!
Do not run the dd if=boot of=boot command
Could brick your device. As per Jcase warning. Wait for more info
fire3element said:
Ok, so I am about to flash back the stock recovery from my backup and see if I can go through all these steps again to figure out what is going wrong.
I have a theory as to where and why KingUser is locking down SU in xbin. After I restore stock recovery, I will then Factory Reset and attempt to log my progress.
Stay tuned and I will try to report back later today. Hopefully with more insight on this problem.
@xIP-
Are you talking about pushing "su" , "daemonsu" , and "install-recovery.sh" files to /system ?
Keeps saying permission denied?
If that is the case, you can not. KingUser has a lock on system and is already in place as SU in /system/xbin
You will most likely need to factory reset and try again.
---------- Post added at 12:57 PM ---------- Previous post was at 12:37 PM ----------
UPDATE UPDATE!!!
Do not run the dd if=boot of=boot command
Could brick your device. As per Jcase warning. Wait for more info
Remember to remove kinguser after you run the dd commands but before you reboot recovery...
Sent from my Z970 using XDA Free mobile app
xtremeasure said:
Remember to remove kinguser after you run the dd commands but before you reboot recovery...
Just so this is clear... full Root uninstall through the KingUser app, or just uninstall it through android app settings menu.
^ In case someone else has the same question ^
fire3element said:
Just so this is clear... full Root uninstall through the KingUser app, or just uninstall it through android app settings menu.
^ In case someone else has the same question ^
I would do a full root uninstall....
The backdoor keeps root for adb so installing the new su shouldn't be an issue
Sent from my Z970 using XDA Free mobile app
Got it. Will report back after this headache is done. *slams head on desk*
I just read the boot flash advice, I am not going to do it because I know that's a stupid idea, but if it does in fact let us flash boot.IMG, omg overclocking, custom kernels, full read write, awesome recovery, dual boot custom Roms with custom kernels here we come.
Unlocked boot.IMG
Can you Ya hoooouoo
And subscribed.
Sent from my Z970
[email protected]:/ # id
uid=0(root) gid=0(root) context=u:r:init:s0
fire3element said:
Ok, so I am about to flash back the stock recovery from my backup and see if I can go through all these steps again to figure out what is going wrong.
I have a theory as to where and why KingUser is locking down SU in xbin. After I restore stock recovery, I will then Factory Reset and attempt to log my progress.
Stay tuned and I will try to report back later today. Hopefully with more insight on this problem.
@xIP-
Are you talking about pushing "su" , "daemonsu" , and "install-recovery.sh" files to /system ?
Keeps saying permission denied?
If that is the case, you can not. KingUser has a lock on system and is already in place as SU in /system/xbin
You will most likely need to factory reset and try again.
---------- Post added at 12:57 PM ---------- Previous post was at 12:37 PM ----------
UPDATE UPDATE!!!
Do not run the dd if=boot of=boot command
Could brick your device. As per Jcase warning. Wait for more info
Is there any way to do it without a factory reset? Could I just remove kinguser? Or must it be factory reset? And will I have to reroot with factory reset?
Sent from my Z970 using XDA Free mobile app
Sorry guys, kinda been running around all day, have a lot of catching up to do I see. I'll fix the thread with updated information that people have so generously contributed!
DroidisLINUX said:
I just read the boot flash advice, I am not going to do it because I know that's a stupid idea, but if it does in fact let us flash boot.IMG, omg overclocking, custom kernels, full read write, awesome recovery, dual boot custom Roms with custom kernels here we come.
Unlocked boot.IMG
Can you Ya hoooouoo
And subscribed.
Sent from my Z970
[email protected]:/ # id
uid=0(root) gid=0(root) context=u:r:init:s0
I know right!!! First hurdle... done... second hurdle, bootloader with no fastboot lmao...
A bit unclear on this.
Are we actually rebooting into recovery or is it supposed to go straight back into the phone?
I was never able to get into recovery.
10) type "reboot recovery" and restart your phone. YOU MUST RESTART WITH THIS COMMAND!!!!! It will boot straight into Android, this is good, that means you haven't screwed up anything.
"cat /data/local/tmp/su > /system/xbin/su"
"cat /data/local/tmp/install-recovery.sh > /system/etc/install-recovery.sh"
getting permission denied when running this.
"chmod 755 /system/xbin/su"
"chmod 755 /system/etc/install-recovery.sh"
As well as operation denied or something along those lines. Any help would be nice. Also, when running id on adb, it's showing:
uid=0(root) gid=0(root) context=u:r:init:s0
rather than
uid=0(root) gid=0(root) context=u:r:shell:s0
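The two `id` results compared in the post above have the same uid and differ only in the SELinux domain, so it helps to parse both fields when checking what kind of shell adb has handed you. This is an added example, not part of the thread: the function names are hypothetical, and the `uid=2000(shell)` line is a constructed sample of what a stock adb shell reports.

```shell
#!/bin/sh
# Classify `id` output captured from `adb shell` (added example).

# classify_id LINE: print "<privilege> domain=<selinux type>" for one line.
classify_id() {
    line=$1
    uid=$(printf '%s\n' "$line" | sed -n 's/.*uid=\([0-9][0-9]*\).*/\1/p')
    ctx=$(printf '%s\n' "$line" | sed -n 's/.*context=\([^ ]*\).*/\1/p')
    # An SELinux context is user:role:type:level; the type is the domain.
    domain=$(printf '%s\n' "$ctx" | cut -s -d: -f3)
    [ -n "$domain" ] || domain=unknown
    case "$uid" in
        '') echo "unparsed domain=$domain" ;;
        0)  echo "root domain=$domain" ;;
        *)  echo "unprivileged domain=$domain" ;;
    esac
}

# audit_id LINE: print a finding; return 1 when the shell is running as uid 0.
audit_id() {
    verdict=$(classify_id "$1")
    case "$verdict" in
        "root domain=init")
            echo "FLAG: $verdict (uid 0, still labeled with init's domain)"
            return 1 ;;
        "root domain="*)
            echo "FLAG: $verdict (uid 0)"
            return 1 ;;
        "unprivileged domain=shell")
            echo "OK: $verdict (what a stock adb shell reports)"
            return 0 ;;
        *)
            echo "REVIEW: $verdict"
            return 0 ;;
    esac
}

# audit_capture: read `id` lines on stdin, report each, return 1 if any is root.
audit_capture() {
    flagged=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        audit_id "$l" || flagged=$((flagged + 1))
    done
    echo "$flagged line(s) flagged"
    [ "$flagged" -eq 0 ]
}

# First two lines are the ones quoted in the post; the third is constructed.
SAMPLE='uid=0(root) gid=0(root) context=u:r:init:s0
uid=0(root) gid=0(root) context=u:r:shell:s0
uid=2000(shell) gid=2000(shell) context=u:r:shell:s0'

audit_capture <<EOF || true
$SAMPLE
EOF
```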
xIP- said:
I have followed EVERYTHING step by step over and over again, and yet I still can't get this to work.
Basically, everything is fine up until reboot recovery.
It goes into Android, but I don't start off as root, I start off as if I wasn't rooted, and I always have to do "su" to gain privileges.
Afterwards, mount -o remount,rw /system/ does work but I can't write to it still for some reason.
Has anyone else gotten this!? Have any of you got a clue how to fix?
You have to exit adb shell to push files to /data/local/tmp, which does not require root. That was a major exploit in earlier android versions, as people would push scripts to /data/local/tmp without root, run the exploit in the directory, and it would root. That was patched of course, but that directory can be accessed without root. Once you use "reboot recovery" to reboot, then just plug your phone back up and type "adb shell" to which the phone should respond with a "#" instead of a "$". If you have the $, you are not root and need to go back. If you do, just be patient with it and make sure you are not just copying and pasting (I know this can be the root of the issue at times with command, just type it out). It should work, the second half is the easy part lol.
Hello Fire users
I am not really a newbie but until today I have worked only with Samsung devices.
My daughter got a Fire HD 6 in the Christmas days and we started to play around and we have done all updates up to 5.3.1.1. But it's not running perfectly for my wishes. I have read that it's possible to root the tablet incl. TWRP, xposed framework and go with this up to 5.3.1.1 but it's hard to read out what I have exactly to do because there are many warnings when to do something and when not.
Could you please help what to do exactly? ADB is running and phone is recognizing on Mac and Windows...
Thanks for your help
cuki3r3k83bln said:
Hello Fire users
I am not really a newbie but until today I have worked only with Samsung devices.
My daughter got a Fire HD 6 in the Christmas days and we started to play around and we have done all updates up to 5.3.1.1. But it's not running perfectly for my wishes. I have read that it's possible to root the tablet incl. TWRP, xposed framework and go with this up to 5.3.1.1 but it's hard to read out what I have exactly to do because there are many warnings when to do something and when not.
Could you please help what to do exactly? ADB is running and phone is recognizing on Mac and Windows...
Thanks for your help
From latest news, OS 5.3.1 can't be rooted (directly). You'll need to downgrade to 4.5.3, root, and go back to 5.3.1 as explained here
If you want to feel android experience, you can either install custom launcher and Play Store from here or just totally install Cyanogenmod 11 from here
Killa8 said:
From latest news, OS 5.3.1 can't be rooted (directly). You'll need to downgrade to 4.5.3, root, and go back to 5.3.1 as explained here
If you want to feel android experience, you can either install custom launcher and Play Store from here or just totally install Cyanogenmod 11 from here
@Killa8, as I mentioned HERE in more detail, the procedure for downgrading to 4.5.3 doesn't appear to be explained in the linked tutorial. Any help would be greatly appreciated! I'm trying to root and install CM on my daughter's tablets as they find Android to be far more intuitive than FireOS. Many thanks!!!
Downgrade to 4.5.3 and root as seen here (skip step 1): https://forum.xda-developers.com/fire-hd/general/how-to-downgrade-to-4-5-3-root-device-t3139351
Jump down to the 2nd post here: https://forum.xda-developers.com/fire-hd/general/how-to-upgrade-to-lollipop-root-gapps-t3163950 and install TWRP on your device.
Then go to post 1 where it says "1) boot into TWRP, and, in a single session (!!!!!)" and follow the directions. MAKE SURE YOU USE THE RIGHT BOOTLOADERS!!
Enjoy rooted FireOS 5.3.1
RadRacer said:
Downgrade to 4.5.3 and root as seen here (skip step 1): https://forum.xda-developers.com/fire-hd/general/how-to-downgrade-to-4-5-3-root-device-t3139351
Jump down to the 2nd post here: https://forum.xda-developers.com/fire-hd/general/how-to-upgrade-to-lollipop-root-gapps-t3163950 and install TWRP on your device.
Then go to post 1 where it says "1) boot into TWRP, and, in a single session (!!!!!)" and follow the directions. MAKE SURE YOU USE THE RIGHT BOOTLOADERS!!
Enjoy rooted FireOS 5.3.1
Thank you for this! I was having the same issue as the OP and this solved it.
geoyou said:
Thank you for this! I was having the same issue as the OP and this solved it.
Can you tell me how you installed TWRP? the 2nd post of the page is confusing to me.
NVM i found a video tutorial
I've seen too many threads mentioning 5.3.1 and implying that 5.3.1.1 is the same.
Even if that is the case, all the tutorials I have read left me scratching my head at various points. So here is a walkthrough of what I just went through to root my Kindle fire HD 6
It's now running 5.3.1.0 and will stay there for the time being (unless I can get solid answers on 5.3.1.1).
I started with this tutorial thread but I found it easy to make mistakes and I ended up bricking my device (fortunately the unbrick iso is very good and the tutorial video is excellent).
So here is my procedure. Doing this on Windows is probably less involved thanks to the bat file in one of the steps.
Start by getting the stuff you will need together.
You will need ROMs from here.
Specifically, the 4.5.3 and 5.3.1.0 ROMs.
The 4.5.3 file name is update-kindle-20.4.5.3_user_453011120.bin
The 5.3.1.0 file name is update-kindle-20.5.5.2_user_552153420.bin
Note: The version number on that second file makes no sense to me, and I made a mistake trying to flash the wrong one in TWRP. Here is the correct name for reference. You might change the file names to reflect the version number.
Go ahead and change the extension of the 5.3.1.0 bin file to zip instead. TWRP will need it this way.
Download the stock recovery image. There is a link at the bottom of the second post in the tutorial thread I linked above. Or you can just click here.
Grab the WindowsAutoTWRP_v03.zip from the tutorial thread (or click here).
It has the Windows ADB executable and drivers in it so it will save you some hassle on a Windows machine.
For Macs, I found a video from RootJunkie.com that linked to tools at http://rootjunkysdl.com/files/?dir=Adb%20Fastboot%20Files. I was able to do everything from my Mac with these.
As a side note, the video I found these on was https://www.youtube.com/watch?v=iv0VcNM8IAw, but it's not important to watch.
It will help to gather zips and APK files you will need right now as well.
Get a copy of ES file explorer, Kingroot (I used the APK, but if you have a windows system, it might be easier to use the Windows version instead), and an android launcher of some sort.
For additional images, you will need the following:
From the tutorial thread: make_space_v02.zip
Supersu.zip linked at https://download.chainfire.eu/696/SuperSU/UPDATE-SuperSU-v2.46.zip
Xposed which if you follow the link from the tutorial through the forum thread should lead you here: http://dl-xda.xposed.info/framework/sdk22/arm/. I grabbed xposed-v87-sdk22-arm.zip
flash Pico (Uni) GAPPS for 5.1 which again, if you follow all the links, will take you here: https://basketbuild.com/filedl/devs?dev=osm0sis&dl=osm0sis/gapps/tk_gapps-modular-pico%28uni%29-5.1.1-20150920-signed.zip.
Make sure you have all the files gathered in one place, it's really helpful.
If you are using a Mac, you will also need Android File Transfer at https://www.android.com/filetransfer/.
Something optional that might help is a USB OTG cable or one of those USB drives that support USB OTG with its own micro USB connector. It's not necessary but it might help if you need to get files to your tablet in TWRP.
At this point, I'm going to go into Mac instruction mode. If you know that the Windows command prompt is sort of like the terminal application on OS X, that you don't use ./ path specifiers on Windows, etc., you should be able to come up with some
Once you have everything in place, shut down your Kindle Fire 6.
On your computer, open a terminal window and get to where you unzipped your ADB tools.
The simple way is to type cd followed by a space then drag the folder with your tools from finder to the terminal window so you get something like cd /users/me/abd
The actual path will be dependent on your system.
This terminal window should remain open for the entire process. It will make life easier.
Hold volume up and turn the Kindle Fire on. You should enter recovery.
Back at your computer type ./adb devices
Your kindle should show up there. When it does, go back to your tablet and select "apply update from ADB".
Then, from the terminal, enter ./adb sideload update-kindle-20.4.5.3_user_453011120.bin
If you just type ./adb sideload then drag the file into the terminal window, it will fill the name and path out for you.
Note that this all seems kind of like the video I linked above but we are downgrading to 4.3.5 instead as the tutorial thread says we should.
Once that's done, you end up back at the recovery screen. I went ahead and did a wipe data/factory reset. I don't know if this is necessary though.
When you get into 4.5.3, you need to shut down wifi if you are not prompted through new device setup.
If you are prompted, just skip it.
You may need to enable debugging. Go to settings, device options, find the serial number field and tap it 7 times.
Open the now revealed developer console and toggle "enable ADB" so it's on.
Install the APKs you downloaded earlier.
Use ./adb install <name of ES file explorer apk>
If you're on Windows, you can go ahead and run the Windows root util.
If you are on a Mac, install the Kingroot APK using the ./adb install command.
If you go the APK route, Kingroot requires a wifi connection. This will expose you to Amazon's OTA updates. You will need to watch your Kindle carefully at this point.
The download will probably download but as long as you don't let it sleep, it should not reboot and install.
Kingroot may take a couple of tries to get root.
As soon as it does, turn off wifi!
After that, open ES file explorer, give it root permissions, then navigate to the root folder, then to cache. Look for a bin file there. If there is nothing, you didn't get the OTA update pushed to you. If you did, delete it. See post 5 in this thread: https://forum.xda-developers.com/kindle-fire-hdx/help/deleting-downloaded-update-t3100573
To prevent any OTA relapses until we can go further, use ES file explorer to rename /system/etc/security/otacerts.zip. I replaced the first o and last p with _ characters.
It should be safe to turn on wifi at this point.
If you deleted a bin file in /cache, you aren't out of the woods yet. The Kindle could still reboot on you and it will give you the red ! but I found booting into recovery then just rebooting the Kindle caused it to work itself out after a couple tries.
We should be good to go for TWRP at this point.
In the terminal type ./adb shell
When the shell opens type su
Grant the shell permissions on the Kindle
Type exit twice.
On a Mac, we cannot run the bat file included in the WindowsAutoTWRP_v03.zip file.
But here are the commands to enter manually:
./adb devices
./adb install gscript-android.apk
./adb shell "mkdir /sdcard/gscript"
./adb push gscript /sdcard/gscript/
./adb shell "cp /sdcard/gscript/flash_453_stay.sh /data/local/tmp/"
./adb shell "ls /data/local/tmp/"
./adb shell "su -c 'chmod 777 /data/local/tmp/flash_453_stay.sh'"
./adb shell "su -c 'sh /data/local/tmp/flash_453_stay.sh'"
Once complete open ES file explorer again
DELETE sdcard/gscripts/s5.4.1_113_stock_recovery_uboot.zip!!!!!!!
It's too easy to mistakenly flash this in TWRP and it WILL brick your kindle.
We will now copy those zip files we downloaded earlier onto the Kindle.
I used the Android file transfer utility to put them in the scripts folder but copying them to Downloads on the Kindle might be easier.
If you are a command line type of person, you can also use the adb push command.
You want to copy over the following:
The 5.3.1.0 file name is update-kindle-20.5.5.2_user_552153420.bin
5.5.2_1534_stock_recovery_uboot.zip
UPDATE-SuperSU-v2.46.zip (or whatever the current version you downloaded is)
make_space_v02.zip
xposed-v87-sdk22-arm.zip (or whatever the version you downloaded is. The version could have changed after I wrote this.)
tk_gapps-modular-pico(uni)-5.1.1-20150920-signed.zip (again, based on what version was available when you downloaded it)
It might be a good time to sideload that extra launcher you downloaded earlier. I didn't need it, but you might.
Again the command is ./adb install <apk file name>
In the terminal, type ./adb reboot recovery.
You *should* end up in TWRP.
These next steps are important to do in one go. Don't exit TWRP until you have installed all the zip files you copied over.
The order in the tutorial thread is the 5.3.1.0 system image, the recovery image, the make_space zip, the Supersu zip, the xposed zip, and the tk_gapps-modular-pico(uni)... zip.
Do all this from the Install menu in TWRP. I did not try to queue up all the zip files at once, I don't know if that would work.
If you forgot to copy a file, TWRP should allow you to copy files via a USB cable to your tablet.
If you do this on a Mac and Android file transfer craps out on you as it did with me, that is where the USB OTG cable comes in handy. But let's hope you copied everything or that the USB connection doesn't crap out on you.
Select the wipe menu, then advanced wipe. Check the cache and dalvik cache. Once done use the back arrow and swipe the "swipe to factory reset" slider.
If you are brave, you can just reset and wait through the fire logo.
If you are trying to follow along with the tutorial I linked, reboot while holding volume up to see what recovery you land in. If it's not TWRP, proceed.
When you finally get to Android, you can use ES file explorer as one way to check for root privileges. I'm sure there are others.
I'm no expert, but if you run into problems with the Kindle Fire HD 6 (4th gen) and you started with 5.3.1.1, I can tell you some of the pitfalls I ran into and how I got out of them.
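The file checks spread through the guide above (rename the 5.3.1.0 .bin to .zip, delete s5.4.1_113_stock_recovery_uboot.zip, install in a fixed order without leaving TWRP) can be run against a folder on the computer before anything is copied to the tablet. This is an added example, not part of the original post: the staging-folder idea, the function names, and the mapping of "the recovery image" to 5.5.2_1534_stock_recovery_uboot.zip are assumptions.

```shell
#!/bin/sh
# Pre-flash check of a local staging folder (added example).
# File names are the ones quoted in the post; names the post says may change
# with the downloaded version are matched by glob pattern.

# Install order given in the post, one pattern per line.
# Assumption: "the recovery image" is the 5.5.2_1534 zip from the copy list.
FLASH_ORDER='update-kindle-20.5.5.2_user_552153420.zip
5.5.2_1534_stock_recovery_uboot.zip
make_space_v02.zip
UPDATE-SuperSU-v*.zip
xposed-v*-sdk22-arm.zip
tk_gapps-modular-pico(uni)-5.1.1-*-signed.zip'

# The zip the post says to delete because flashing it bricks the device.
BRICK_RISK='s5.4.1_113_stock_recovery_uboot.zip'

# find_match DIR PATTERN: print the first file name in DIR matching PATTERN.
find_match() {
    for path in "$1"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        case "$name" in
            # $2 is deliberately unquoted so it acts as a glob pattern.
            $2) printf '%s\n' "$name"; return 0 ;;
        esac
    done
    return 1
}

# check_staging DIR: print findings; return 0 only if nothing blocks flashing.
check_staging() {
    dir=$1
    problems=0
    if [ -e "$dir/$BRICK_RISK" ]; then
        echo "DANGER: $BRICK_RISK is present; delete it before entering TWRP"
        problems=$((problems + 1))
    fi
    if [ -e "$dir/update-kindle-20.5.5.2_user_552153420.bin" ]; then
        echo "NOTE: the 5.3.1.0 image still ends in .bin; TWRP needs .zip"
    fi
    step=0
    while IFS= read -r pat; do
        step=$((step + 1))
        if match=$(find_match "$dir" "$pat"); then
            echo "step $step: $match"
        else
            echo "MISSING step $step: $pat"
            problems=$((problems + 1))
        fi
    done <<EOF
$FLASH_ORDER
EOF
    [ "$problems" -eq 0 ]
}

# Usage: sh check_staging.sh /path/to/staging-folder
if [ "$#" -eq 1 ]; then
    check_staging "$1"
fi
```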
Excellent guide, thanks elementcarbon12!
I'm a total newcomer to rooting and getting my hands dirty with android (although I am a long time linux user), and I made it work, and now have a fire hd 6 that I can sort the way I want it!
I did encounter a few problems though, first, I did not do a factory reset /data wipe after the downgrade and ended up in a boot loop. This was easily sorted by using the "adb reboot recovery" command, doing the data wipe/reset and then holding down power for 20 sec.
Everything was smooth sailing again until the reboot out of TWRP after installing the ZIP files. I did the wimps reboot to recovery to make sure I didn't get TWRP, which I didn't, so rebooted to get into android, however I entered a boot loop again. This time a simple hold the power for 20 sec and then turn on worked and the system started its 'optimization'.
Upon completion, I still had root, although ES and my chosen launcher had gone, so had to reinstall them. No problems there though.
So thank you very much for collecting all of the information and links from other pages into this one easy to follow post!
Hi guys, I have a question. I'm on cm11 on fire hd 6. I also have an android backup of 4.5.3. My question is: I'm not sure what boot loader I have. At one point it did have 5xxx on it but not sure what version. Can I just side load 5.4.0 and be okay since the stock rom was put back to 4.5.3 (that's how I installed cm11), or does it need boot loader from a 5xxx rom?
my method here will give you a permanent rooted shell and will give you read-only system root which is useful for using root apps to backup data or freeze system apps--works just like real root without being able to delete system contents--freezing apps however works like a charm and should reduce the need for rw root anyway
FOLLOW DIRECTIONS EXACTLY--I WILL NOT RESPOND TO STUPID QUESTIONS--PROBABLY WON'T RESPOND TO ANY QUESTIONS BECAUSE MY DIRECTIONS ARE PERFECT, WORK PERFECTLY WHEN FOLLOWED, AND ARE EASY TO READ. FOLLOW ALL STEPS EXACTLY. IF IT DIDN'T WORK, IT IS BECAUSE OF YOUR ERROR
This works best from a factory reset device, but will work from a already used device but all other root apps and superuser apps must have their data deleted and be uninstalled first
1) make sure device is at least 50% charged--doesn't matter most of the time; better safe than sorry
install latest superuser apk
http://www.mediafire.com/file/dx854fsys5pvxjh/SuperSU.apk
install dirty cow root apk (croowt) [comes from this post https://forum.xda-developers.com/android/software-hacking/root-tool-dirtycow-apk-adb-t3525120]
http://www.mediafire.com/file/1hbey829hc7676a/CRooWt.apk
make sure usb debugging is activated in developer settings and make sure you have accepted the debugging access prompt on the phone for the computer you will use
make sure you have an external sdcard installed--the smaller the better for this first time
2) open dirty cow root apk
choose "get root"
choose "method 1"
hit "ok"
choose "ok"
app will direct you to unmount and remount sdcard, choose "ok" and it will take you to storage settings
unmount sdcard
remount sdcard
when finished proceed to step 3
3) open superuser
do not update su binary
go to settings and make the default action "grant"
remove any and all apps from superuser log including the croowt app
4) THIS MUST BE DONE FROM A REAL TERMINAL ON A PC--TERMINAL EMULATORS WILL NOT WORK FOR THIS STEP
from a working pc with adb setup, preferably linux, input commands exactly as listed
adb shell
su
setprop persist.sys.k P816A06
reboot
5) once rebooted, open dirty cow root apk again
choose get root
choose "method 2"
hit "ok"
choose "ok"
if app asks you to open with a browser, choose one, and choose "always"
screen will go black, systemui will crash and then reboot
6) once systemui is back up and running
you now have read-only root
you can now freeze system apps or backup your data using apps that require root
Your shell will be permanently rooted when accessed from a computer using adb--this will last forever unless you undo the setprop
Your system however will only be temp, read-only rooted until the phone is rebooted.
If you wish to have your temp, read-only root reactivated, all you have to do is repeat step 5 and that is it.
You can do this over and over again.
GIVE STAYBOOGY SOME PROPS FOR MAKING YOUR LIFE WITH THIS PHONE BETTER
Does this only work to back up or freeze applications?
poseidon207 said:
Does this only work to back up or freeze applications?
ACTUALLY READ the first sentence of OP
I don't see how freezing system apps would negate the need for a real root method? Is this "Read-Only" root method working with lucky patcher or Kernel Auditor?
Can this be used to bypass the subscription check for tethering? I assume not since system isn't writeable.
Does this method work in the ZTE Maven 3 (Z835)?
I'm doing it wrong, probably
First of all, thank you so much for doing this. I've been following that other thread since it was new, and you've put far more effort into this than the phone or most of us deserve.
I've gotten stuck trying to run Dirty Cow. I have USB Debugging enabled, adb installed on my Linux computer which recognizes my Maven (i.e. I've allowed access on the phone), etc. It eventually goes from "Checking vulnerability" to "Your device is not vulnerable" and I'm unable to proceed to the "Get root" step. What am I doing wrong? Might be some recent system update? Probably less effort to just buy a Galaxy.
Please be gentle. I know I'm a noob.
z812 root
I previously rooted my maven with kingroot and the dirtycow exploit.sh file and today I was overwhelming the device by running multiple windows and apps and the phone rebooted and root was still intact....haven't rebooted it again yet but I shall.