Better Mobile App

[Full Mod + Root + OTA block] Snowball-mod: Full Modification Root [1/6/2012]

I've been spending a long 3~4 days working on an install process to make applying /system changes quick, easy, painless, and automated. It then occurred to me that I could wrap it into a rooting process, and automate nearly the whole thing, to ensure that people don't accidentally trip up somewhere, and send their Nook Tablet into a bootloop, or lockup, or something like that.
The process was because a number of binaries that are typically standard with CM7 are not included in any of the roots so far. Having them around helps out a lot during development. (Like parted, vim, bash, sqlite3.)
So, I present to you the culmination of my work so far: Snowball-mod (thanks to dj_segfault on IRC for coming up with the name)
This borrows heavily from Indirect's Nook&Zergy root process. He deserves a ton of thanks for setting it all up, and bringing things together, and figuring stuff out. 100 internets to Indirect. (Don't kill me for stealing so much of your process, and .BAT coding wizardry. ... I stand upon the shoulders of giants.)
BIG WARNING:
THIS IS A FULL MOD, IT WILL REMOVE ALL BARNES & NOBLE CONTENT, DO NOT APPLY IT TO SOMEONE ELSE'S NOOK, OR A SHARED NOOK WITHOUT PERMISSION!​
They really probably will freak out that their Nook Tablet looks far more like a CyanogenMod7 tablet than a Nook Tablet anymore. Especially, when they can't access their B&N content anymore. Don't say I didn't warn you, the process even warns you itself!
First, install the ADB drivers on your machine as has been explained in various other posts. Snowball-mod will work with Windows, Linux, or Mac. (I have not tried the later two, but if NARS works for you, then Snowball-mod should as well.)
Features:
* Installs extra packages from CM7
* Installs extra commands from CM7
* Installs busybox, with links. (BusyBoxInstaller.apk is also installed so you can update the binaries later, it can also be uninstalled.)
* Installs revcompgeek's hack that makes the soft buttons to always stay on, and the n button works as home, without homecatcher, and without bringing up the bar.
* Uses kenblat's hack to mount into the 12GB data area so you can recover some of that space for your own use. (/data/usrdata hack) It shows up at /mnt/internal (NOTE! Most apps still don't recognize this mount's existence.)
* Optionally, using my own hack, the command "setup-sd-ext" will let you setup a card image that is FAT32 formated, and appears at /mnt/sd-ext, similar to a secondary SD Card. (NOTE! Most apps still don't recognize this mount's existence.)
* Fixes the invisible submenus with white text on a while background
* Automatically applies OTA blocking to change your Version to report as 9.9.9 No further action required on your part to apply this.
* Supports both Windows, Linux and Mac with nearly the same process.
* Sets your browser homepage to "about:blank", and deselects "Remember form data" and "Remember passwords". (I think these are way more sane values.)
Includes:
* ADWLauncher (You can replace it the same as any CM7 install.)
* Android Terminal Emulator
* Button Savior
Needed files for root:
You need drivers first:
http://dl.dropbox.com/u/15069134/usbdrivers.zip
Here is an app to pull up usb debugging menu
http://li362-167.members.linode.com/gapps/non_google/tgps_launcher.apk
Code:
<robertely> Also note, that while that box will remain checked, the setting is not persistant.
<robertely> So you have to flick the top 'Usb Development' box twice to get it working.
Download Link for rooting script:
http://dl.dropbox.com/u/54958574/snowball-mod.zip
Code:
MD5SUM: 7f0090051e6141d6bfeb280355a04b18 *snowball-mod.zip
Instructions to root:
0. Make sure that you have a 1.4.0 Nook Tablet. If you don't, then find one of the posts to recover to 1.4.0, and start from there. The less interference from Barnes & Noble involved the better... they've already done plenty enough.
1. Download the "usbdrivers" zip
2. Download the "snowball-mod.zip"
3. Extract both to a folder C:\ntroot\
4. Now you should see the following files and folders inside c:\ntroot:
5. Run "runmefirst.bat" and follow the instructions.
6a. When the batch file opens the device manager, If you don't see a broken device icon next to "NOOK Tablet" then you may have some other generic drivers taking over. Not sure how to remove them so you will have to move to another PC that has never had a tablet hooked up and start over.
6b. If you do see NOOK Tablet with a broken device icon.. then right click and choose "update driver". Choose "Let me specify where the driver is" and browse to the c:\ntroot\usbdriver folder and hit ok. It should install and you can click "OK" to the warning about unsigned drivers.
7. Run "snowball.bat" and follow the instructions
7a. If you see a long string of numbers/letters it's your device
8. After the rooting process is complete, your nook tablet will reboot, and should start up straight into ADW Launcher.
Want to install your own apps, too?
The rooting scripts will take care of all that needs to be done if you just put your .apk files into the "apks/" directory of the snowball-mod directory. They will be installed automatically at the end of the rooting process.
Should I install this?
I really wouldn't recommend this rooting process for anyone who wants to keep any Barnes and Noble apps on their Nook Tablet. Also, if you've been using your tablet for awhile already, then it might not be a good idea to install this root process as well. It is intended for a clean and fresh Nook Tablet, and I cannot take responsibility for it wiping out something important. You have been warned that this is a drastic full modification.
Instructions to update:
1. Download snowball-update.zip from http://dl.dropbox.com/u/54958574/snowball-update.zip
Code:
MD5SUM 572793e71a0715185e03de4248c09aa2 *snowball-update.zip
2. Extract onto your computer.
3. Plugin your Nook Tablet with USB debugging mode activated
4a. On Windows double click "update.bat"
4b. On Linux/Mac/Cygwin open up a Terminal, cd to the directory, and enter "sh ./update.sh"
5. If you see "INSTALLATION SUCCESSFUL", then it's all done, and updated.
Screenshot
Someone wanted to see a screenshot. Rather than reroot just to get it a silly picture of an empty stock ADW launcher, I just recreated the screen to the best of my ability. The background is weird, I don't think it's scaled right, and for some reason, it's showing up as purple here. But it's just the same blue background as your nook had at the first install.

INB4, this steals a lot from Indirect. I know this. You don't have to say it. His root is way better for a minimal rooting experience and keeping the B&N Nook Tablet much the way it is stock, for people who just want to protect sideloading, etc.
This is for people who would rather install a custom ROM. Until then, this is about as close as you will get.
BUGS:
* There seems to be a bug in setup-sd-ext right now. It is not taking into account the "M" in the count. This could be a problem of running the wrong dd. I'm investigating it now. *** RESOLVED WITH v2.0.2 ***
* Nook for Android app won't startup up, not even FCs, it just doesn't start up. This is possibly something to do with the B&N code preventing it from starting up. (internal app name: bn.ereader-1.apk)
* Get rid of the "book" button at the bottom in the status bar: Easy enough, just replace the graphics to get rid of it.
* Move the "adb push ___.zip" to move to /data/local/tmp rather than /mnt/media ... it seems some people are confused, and accidentally leave their device automounted while attempting to install. Moving the push to /data/local/tmp will allow itself to install even when this is done. *** RESOLVED WITH UPDATE TO INSTALL SCRIPTS ***
* adb shell "snowball-ver" seems to be reporting in DOS file format even on linux, which causes a spurious "\r" to end up in the file name. *** RESOLVED WITH UPDATE TO INSTALL SCRIPTS ***
* check to see if the user is already up-to-date, if they are, then report so, and exit out. *** RESOLVED WITH UPDATE TO INSTALL SCRIPTS ***
* detect if something went wrong with installation, and don't report "success" unless it actually did succeed! *** RESOLVED WITH UPDATE TO INSTALL SCRIPTS ***
* ensure that any local $adb in snowball scripts are a+x prior to using them.
* some /bin/sh implementations do not support $OSTYPE. Consider switching to the NARS script version of using "uname -o", as this will likely end up being more universally supported. (Rather than assuming everyone's /bin/sh is bash.)
CHANGELIST
2012-06-01: v2.1.1
* Install script updates to better detect the adb binary, and ensure that it is executable.
* ipctool and viewmem included from the "Basic Hacking Tools" thread
* Reduced snowball-mod size due to removing text-to-speech, wallpapers, and other spurious content. The update process will not remove these, but future versions will continue to not carry these files. This is intended to reduce the size of the binary to decrease the odds of another dropbox shut down for excessive traffic.
* This update is a trivial update and is predominantly only changes to the installer, and a reduction in package size. You do not have to apply this update for any real reason at all, which is good, because it won't be up for a couple days.

Very nice, what is the risk of using this on a already rooted and ota blocked tablet, would going back to stock be the best bet? It rooted using the zergy method as well. The instrucstions seem simialar up until running snowball.bat could I just pick it up from there?
Sent from my BNTV250 using xda premium

The risks are fairly minimal, but still kind of there. About the biggest one would be clobbering your Browser.apk preferences.
Plus, just like the Nook&Zergy root, you can't run it on a system that is already rooted.
The nook-update-package.zip however in the snowball-mod pack can be extracted, copied to your Nook and executed by hand with a simple "sh install", which will do all the heavy lifting of the process. If you don't want it to wipe your browser preferences then you could delete the "data/data/com.android.browser" directory as well.
It's really barebones, and relies upon the filesystem structure to take care of just about everything.

And the sh install is a terminal command correct? I've used Ubuntu so im somewhat familiar with doing things by hand lol
Sent from my BNTV250 using xda premium

Yes, indeed the "sh install" is a Terminal command. In fact, I suppose if I say "sh ./install" then it will make sure it only works in the proper directory as well, lol.
Actually, I had been using this method for the process up until yesterday, when I started working the rooting process around it.

Nice! What version does this work on?

Do you have any screen shots of this or even a video of how it looks after doing this? Also, just an assumption that the normal 1.4.0 file would take us completely back to stock if we so desired?

This only works on 1.4.0
The screen shot is basically just an empty ADW Launcher as if it were just a stock installed CM7, but with the nook status bar.

cfoesch said:
This only works on 1.4.0
Click to expand...
Click to collapse
May I suggest adding that somewhere in the first post?

Thanks for your work. I tried 3 times and every one looks the same:
Your device is a Nook Tablet meaning we can continue!
Now, just making sure you WANT to root it!
__THIS_WILL_WIPE_ALL_OF_BARNES_AND_NOBLES_STUFF_FROM_YOUR_NOOK_TABLET__
__DO_NOT_INSTALL_THIS_ON_SOMEONE_ELSES_NOOK_TABLET__
(Y/N)? Y
1441 KB/s (0 bytes in 23056.000s)
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x40119cd4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd193a3 0xafd3908f
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
Installing superuser and su...
1817 KB/s (0 bytes in 843503.000s)
1397 KB/s (0 bytes in 22364.000s)
1397 KB/s (0 bytes in 22364.000s)
Installing and setting up busybox...
1780 KB/s (0 bytes in 1994516.001s)
754 KB/s (0 bytes in 12066.000s)
Uploading nook-update-package...
2518 KB/s (0 bytes in 43198793.016s)
Extracting nook-update-package...
Installing nook-update-package...
Installing extra apps...
2868 KB/s (0 bytes in 413129.000s)
2772 KB/s (0 bytes in 1241892.000s)
2031 KB/s (0 bytes in 195032.000s)
Blocking OTAs...
1 KB/s (0 bytes in 1153.001s)
Setting up /data/usrdata...
Rebooting Nook Tablet...
Nothing happens / no reboot. After a manual reset nook stuck on boot.
Any idea?

Can you open up the log.txt and copy it to a pastebin? The log.txt has _WAY_ more information in it. (But it's a bit long to post here in the forums.) Alternatively, you could just upload the log.txt file somewhere, and give a link.

Hmmmm this is looking like a ten failed boots kind of day...
Nice work man. I thought I was going to be OK with home catcher and pretending the BN stuff wasn't there... this is going to make that cognitive dissonance a no-go.
Sent from my MB860 using xda premium

beatphreek said:
Hmmmm this is looking like a ten failed boots kind of day...
Click to expand...
Click to collapse
Is that a good thing or a bad thing?
Nice work man. I thought I was going to be OK with home catcher and pretending the BN stuff wasn't there... this is going to make that cognitive dissonance a no-go.
Click to expand...
Click to collapse
Yeah, I'm a perfectionist... I don't seem to do well with "good enough"... me and him don't get along...

* Fixes the invisible submenus with white text on a while background
Click to expand...
Click to collapse
What did you do to fix this? Did you modify framework images?

xdahgary said:
What did you do to fix this? Did you modify framework images?
Click to expand...
Click to collapse
Indeed. Also, this means hacking the bootanimation was trivial as well, so I included a custom bootanimation as well.

Works now. I got only the Google-Services-Framework FC

Yeah... who knows what is causing the Google Framework Services FC... I think it is in part related to the Android Market keeping track of what you have installed, and not. It seems like every time I install a new app though, it FCs.

I've been thinking about re-rooting my Nook.
Does the script install GAPPS, or does it give you the option to install? Do contacts work?

cfoesch said:
Yeah... who knows what is causing the Google Framework Services FC... I think it is in part related to the Android Market keeping track of what you have installed, and not. It seems like every time I install a new app though, it FCs.
Click to expand...
Click to collapse
You are correct. It doesn't FC if you don't log in to market.

[SOLVED] Upgrade Fujitsu Arrows F-01D to ICS

Firstly a big thank you macexplorer who again found the relevant links amongst much Japanese.
See the original thread on rooting the F-01D:
http://forum.xda-developers.com/showthread.php?t=1611484
Following are quick instructions on how to upgrade the device to ICS. All your data will remain intact, but the /system partition is completely wiped.
NB: YOU WILL LOSE ROOT IF YOU FOLLOW THESE INSTRUCTIONS. YOU WILL NOT GET ROOT BACK.
To be clear, at the present moment in time, you need to CHOOSE BETWEEN ICS OR ROOT, you can't have both. The official upgrade below completely reflashes the system partition, so tools like OTA RootKeeper will not help you. The new release is more secure than ever and at current we don't know a new way to get root. If anyone finds any new information, please speak up
DISCLAIMER: Following these instructions might brick your device, void your warranty, etc. This is unlikely since you're basically installing an official update, but to be clear, I disclaim any and all responsibility for any (permanent) damage that might be caused by these instructions. DO AT YOUR OWN RISK.
The original instructions are here (or see in Google Translate)
http://spf.fmworld.net/fujitsu/c/update/nttdocomo/f-01d/update1/top/index.html
My instructions are slightly different, aimed at more advanced users, and serves the file direct from my server (I found the original server quite picky in terms of refer and user agent, and also slow. I'm also serving the unzipped version, since compression was 0% anyways).
PRE-REQUISITES
At least 50% battery (ideally more in case things go wrong...).
Settings -> About, make sure Android version is 3.2, and Build number is either V28R43A (as recommended on the official page) or V19R36D (what I had; it worked for me but YMMV).
Settings -> Storage, at least 1.5 GB free in "Built in storage" (try installing first to external SD card and let me know if it works.. it's a lot safer).
ICS UPGRADE FOR F-01D
Download F01D_TO_SP_ICS1.enc and put it in /sdcard (md5sum: 2014d0254568a4ef955b21476012a9b5)
Boot into recovery (power off, hold down both volume keys and power up), select "update firmware" and press the power button agin.
Pay attention... the first time I tried this, it rebooted back in to recovery part way.... if this happens, just repeat step 2 above and make sure the progress bar completes all the way.
After this, it will reboot a few times, don't worry. Boot 1 will do the "optimizing android apps" screen, Boot 2 will be "upgrading calendar, contacts, etc..." and Boot 3 will say "finishing upgrade" and let you use the system.
If anyone has any leads on re-rooting the device, speak up. From my initial observations security is tighter than ever, so this might be a problem... but there are clever people out there

Regarding root
No leads for now. We can create /data/local.prop using the ICS/JB restore technique, but unfortunately the new firmware is completely ignoring either this file or the ro.kernel.qemu property.
If I understood the google translated Japanese correctly, this guy got to the same conclusion, and is now looking for other solutions. I wish him luck because after spending the day on this I have to get back to my real work
http://blog.huhka.com/2012/09/arrows-tab-lte-f-01d-icsshell-root.html

Temporary Root
This link in xda works to get a temporary root:
http://forum.xda-developers.com/showthread.php?t=1886310
i think to get permanent root, need the lsm_disabler.ko for ICS kernel.
Update:
ICS kernel has blocked loading kernel modules; so cannot insmod a custom kernel.
so cannot remount /system, and cannot get permanent root..
shame on the dandroids..

Post upgrade restart errors?
Hi, slightly off-topic but related - has anyone had issues after upgrading with google maps? Whenever I start google maps it will hang and then restart my tablet.
Essentially google maps is now unusable which is very annoying. Please let me know if anyone has experienced this too and if so if they have a solution to the problem.
Many thanks in advance!

I lost boot after upgrade the device to ICS :crying:
anyone help me repaid boot
Thanks:laugh:

longdau12 said:
I lost boot after upgrade the device to ICS :crying:
anyone help me repaid boot
Thanks:laugh:
Click to expand...
Click to collapse
Help me :crying:

macexplorer said:
This link in xda works to get a temporary root:
http://forum.xda-developers.com/showthread.php?t=1886310
i think to get permanent root, need the lsm_disabler.ko for ICS kernel.
Update:
ICS kernel has blocked loading kernel modules; so cannot insmod a custom kernel.
so cannot remount /system, and cannot get permanent root..
Click to expand...
Click to collapse
FINALLY..ROOT on F-01D for V08R31A
I hope someone is still using the F-01D. So here's to you diehards.
After many many failed attempts, i finally managed to get a more permanent root.
Probably others have got this to root, but I havent seen anything come up via searches.
Main stumbling block has been in getting the address of 'ptmx_fops'. Finally got it thro, rootkitXperia_20131207.zip (get_root..this prints but fails in ptrace; ptrace is blocked in f01d)
I have just managed to get a permanent root. The steps maybe little approx. Do verify and let me know. Its non-destructive, so no harm done.
but do at your own risk..and other standard disclaimers apply
Steps:
1. do the temp root as per : http://forum.xda-developers.com/showpost.php?p=33071441&postcount=3
2. get the exploit source from https://github.com/fi01/unlock_security_module
(recursive download)
3. compile the source. this will generate a libs/armeabi/unlock_security_module binary
4. add the following recs to the device_database/device.db
these are kallsyms kern func addresses; most are avail direct from kallsyms, except for ptms_fops.
Code:
sqlite3 device_database/device.db
insert into supported_devices values(187,'F-01D','V08R31A');
insert into device_address values(187,'commit_creds',3221986012);
insert into device_address values(187,'prepare_kernel_cred',3221985196);
insert into device_address values(187,'ptmx_fops',3229222484);
insert into device_address values(187,'remap_pfn_range',3222251308);
insert into device_address values(187,'vmalloc_exec',3222293708);
5. push device.db and unlock_security_module to /data/local/tmp/
6. simply run from /data/local/tmp: ./unlock_security_module as the root obtained temp earlier.
7. after sometime, this will say LSM disabled!!
8. now remount /system as rw. carefully copy su binary to /system/xbin/ (pref use the latest version from SuperSu).
Also copy Superuser.apk to /system/app
>>carefully copy means: chown/chgrp /system/xbin/su to "0"; set perms: chmod 06755 /system/xbin/su.
9. copy busybox from /data/local/tmp to /system/xbin; and install (./busybox --install -s /system/xbin/
10. At this stage, su doesnt seem to work for newer shell connections (must do _su and then su). probably due to the exploit messing up the kernel.
11. reboot. and enjoy your newly permanent rooted status.
12. after reboot, still cannot do system remount as lsm is back to original. rerun the unlock_security_module should disable this.
maybe even move this to /system/xbin/;
But this seems to destabilise the system.
Its not possible to use a lsm disabler ko insmod. the kernel sec mech validates the module with path and hash.
So it has to be: unlock security; do your thing with /system etc., reboot.
(not sure yet if any changes to /system/buid.prop will help)
Do let me know how this works out and point out errors in the steps.
And as luck would have it there is a new ICS release out on 5-Feb.
https://www.nttdocomo.co.jp/support/utilization/product_update/list/f01d/index.html
http://spf.fmworld.net/fujitsu/c/update/nttdocomo/f-01d/update1/top/data/download.html
(F01D_TO_SP_ICS2.zip)
This moves the version to V12R33B.
Do not hazard to update to this, if you want to keep this root. this release probably fixes many of the exploits.
the wifi model seems to have got 4.1..wonder is something will trickle down to f01d.

[Q] Is possible to root jelly bean?

I have just updated my Prime and I did not have rooted it with ICS. Is possible to root JB without previous rooting?

No. You must back up root using OTA Rootkeeper in order to regain root in JB. There is no known exploit for JB yet.

without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need

tonesy said:
without restoring root with ota rootkeeper, try http://matthill.eu/mobile/root-trans...lybean-update/ and follow the instructions, follow the links for the files you need
Click to expand...
Click to collapse
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.

If you Unlock the Bootloader or already have an Unlocked Bootloader, you can get root.
I haven't seen any exploits posted for the Prime in JB yet, so this may be your only way for now.

hx4700 Killer said:
lol, must be a joke.... dead link.
I have been actively pursuing this. Without bootloader unlock i dont beleive so.
Click to expand...
Click to collapse
He posted a bad link but doesnt work if you have no root access at all. This is just a "regain root if you have partial root" guide:
http://matthill.eu/?s=jelly+bean

Thread moved
Thread moved. This is clearly belonging into Q&A. Please post in correct Sub-Forum.
peace
jotha - forum moderator

Does any one know if one person with development capabilty is trying to find a way to root JB ?

I talked to bin4ry about his root method in hopes of working with him on modifications for the prime but he is telling me his mod is making the change he is exploiting according to what I am seeing but possibly ASUS disabled the emulator mode in this version of the OS. This is what would give you root access via ADB so changes can be made.
I couldnt get out of him what exactly his "restore timing exploit" is but I understand everthing after that
Outside of anything coming up I would say if you must have it now and don't mind voiding your warranty then use the unlocker tool and follow one of many guides on here to do it from an unlocked device.

Perhaps we can turn this thread into, or possibly start a new one about the different things people(devs and/or the technically savy) are finding in the quest for an exploit...
We could start with a list of what is known. Of particular interest would be the differences between the complete stock (me btw), was rooted but lost it, was rooted and kept it, and of course anybody who has managed to root it by messing around but not taken notes along the way.
here's what I have found.
from the PC, creating an adb shell allows me to ls /data/local/tmp/ but from a tablet's terminal emulator (shell?) I cant.
Typing id from both it becomes obvious why
From adb shell I get
Code:
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009
(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt)
,3003(inet),3006(net_bw_stats)
from the tablet I get
Code:
uid=10126(u0_a126) gid=10126(u0_a126) groups=1015(sdcard_rw), 1028(sdcard_r),
3003(inet)
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
I have yet to exhaust this avenue. I might be able to create an empty package and sign it as a system app, make it debugable and see what that yeilds but its looking like a convoluted process, espicially considering that run as may not work as intended on prime's JB
PS I want to state that I know precious little about linux and even less about the android layer above it...

Just as an FYI the way bin4rys tool is supposed to work is an exploit in which it makes a symlink to /data/local.prop and injects ro.kernel.qemu=1 in to local.prop then reboots.
This is supposed to put the device in emulator mode and when you connect with adb shell you get a root shell prompt. All the rest is fairly straightforward/standard. Remount file system as RW, install SU and superuser.apk with their permissions set properly in the proper places then break the symlink to local.prop and reboot.
What would help a lot is if someone who is already rooted can make the attempt, set qemu = 1 in the relinked local.prop then adb shell connect to see if you get a root prompt. Trying to confirm that emulator mode is enabled and you get root access as shell to see if this is even worth pursuing.
I would just use the unlocker tool but I am 2 weeks in to ownership of a new unit.

yes I have seen that typing adb root gives the message
Code:
adbd cannot run as root in production builds
it would indeed be interesting to see if changing "qemu" flags it as a non-production build. My sgs is rooted with CM10 nightlies might try toggling the value on that and see what adb says

Run-as
abazz said:
I was getting excited last night (burnt the midnight oil) trying what I thought might be a possible exploit with an android supplied command called "run-as". Its limitaions became obvious when I looked at the source code for it. You need an application pakage that is debugable and it cd's to its directory to run the command and a bunch of other things, so I compiled it on C4droid using just the main functions setresuid() and setresgid() but they both failed no matter what value was plugged into them based on UID and GID found here
http://forum.xda-developers.com/showthread.php?t=442557
Click to expand...
Click to collapse
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm

elschemm said:
Yes. I noticed the permissions on that file as well. I'm not an android person, so I don't know how that end works, but the permissions do look correct (setuid root, and runnable as group shell [which we get via adb, but not locally on terminal].
Based on the little bit that I have read, it seems that it may be getting the permissions assigned to the apk and running the command line with those permissions.
If that is correct, then running it via something with c4droid probably won't work, as it's permissions are whatever group it (c4droid?) was assigned at install.
Click to expand...
Click to collapse
Yes you are correct. setresuid() function will not give you permissions greater than the process its running in
So, how do does one / can one specify that the package is supposed to be root (uid 0). I'd guess (from a standard UNIX security perspective) that you can't just push arbitrary apps to the machine with 'run me as root' permissions. Otherwise, this would be a completely non-issue. But, is there a package which is pre-installed that we can exploit the permissions of to do this? I don't know yet.
Click to expand...
Click to collapse
Its worse than that, the package also has to be debuggable
There is some info out there on how to sing a package with the appropriate system permissions so it would be interesting to actually do this and see what, if anything can be done.
I downloaded the asus unlock package and passed it through the apk tool to see what it does, as it obviously would need root access. As root access is all i require the code it shows is irrelevant really, its the fact that it gains root access with its signature and also the uid that is set in the manifest android.sharedUserID="adroid.uid.system". This and, most importantly android.permission.MOUNT_UNMOUNT_FILESYSTEMS. WIthoput these things we cant change anything in the directories we need
Also, if my readings / assumptions were correct above, we probably don't want to do a setreuid(), but rather call bash/busybox as the 'command' issued in the name of the apk (since it would then run as root, or the uid of the package). Either that, or a system command(s) to chown/chmod the su binary that we can upload via adb (but which comes in as shell.shell).
Click to expand...
Click to collapse
Yes thats what we would do from the run-as command. What I was attempting to see was if I could get a root uid by creating a c program that uses the setresuid() function call thereby bypassing the need to have an appropriate package installed. As it didn't work I'm having dounts whether it would work even if the right package was there. run-as did make reference to package.h which I haven't looked at, so unless there are some system parameters that package.c extracts from the apk I dont really see how this will work...
Did you find the source for run-as somewhere? It would be interesting to look at to see if such a thing is possible. Failing that, it would be interesting to see if there were any sorts of buffer overflows that could be run against it. I've never tried such on arm7, but I've done it under UNIX on x86 and Sparc.
Thanks
Schemm
Click to expand...
Click to collapse
Yeah found the source here
I also searched for linux exploits, there are massive lists of them, most of them patched by now but I assume the linux base in JB would be somewhat different to whats getting around on X86 systems
On anather note I have tried bin4ry's "root many" method , using the restore timing exploit but had no luck.
HX... I looked through the scripts and all the misc files in bin4ry's zip package and could not find anything remotely indicating an injection of the qemu value. It make a symbolic link to the build.prop in com.android.settings...../file99, which was succesfull after pressing restore but thats about it. perhaps I should fire up ubuntu and try the linux script instead of the windows .bat file

Interestingly, this guys root method for the Razr M makes use of Run-as if you look at the batch file.
He is essentially doing a "fake package" install then runs an exe that is some sort of exploit. Finally he uses run-as against what I have to assume is the bug report feature of the droid and asks you to trigger a bug report with a button sequence.
So it seems he is getting something that has root privileges (bug report) to do something that grants SU and also implimenting run-as
http://forum.xda-developers.com/showthread.php?p=32889627#post32889627

I fear that remained a few developers interested in finding a way to root transformer prime with jelly bean, because all of them had tablet already rooted with ics and managed in mantaining rooting across upgrade.

[Q] Samsung Galaxy S2 LTE i9210 root issue

Hi,
I am trying to get my device listed in the title to become rooted and chose root_with_restore_by_bin4ry_v30 and v32 when v30 failed.
In v30 it just get stuck on "running..." after I have chosen to accept the restore on my phone.
And in v32 I get these messages; (Tried postin a picture which I was not allowed to as I'm new)
error: protocol fault (no status)
mount: Operation not permitted
2430 KB/s (104556 bytes in 0.042s)
3686 KB/s (2242263 bytes in 0.594s)
3768 KB/s (1165484 bytes in 0.302s)
remote object '/system/bin/ric' does not exist
.
Going to copy files to it's place
mount: permission denied (are you root?)
Rebooting again, please wait!
Could Not Find C:\Users\Mattias\Desktop\Root_with_Restore_by_Bin4ry_v32\ric
Restoring previous Backup! Please select the RESTORY MY DATA option now on your device!
Now unlock your device and confirm the operation.
Please press any Key when restore is done.
Press any key to continue...
The Restore my data option does not appear after 2nd reboot. And I am also 100% sure that I'm not rooted as I can't unroot and every rootchecker app I test tell me I'm not rooted.
I am wondering what is causing this/these problems. I am very new to rooting as this is the first attempt I've made and it seemed to be the easiest/safest as I only want rootaccess.
I'm sorry if I'm posting in the wrong section or if there's a similar post. I tried searching for a similar entry without success so forgive me if I missed it.
Ryoki

[Q] Getting the Xperia Z2 tablet, some questions

Hello, im about to get this thing tomorrow and just wanted to know the best way to root it and all that. (Used to Samsung Galaxy S3 and Note 3 to root via Odin.)
So first of all i am going to tell you abit of what i'm getting here, it's the Xperia Z2 tablet with LTE/4G Android 4.4.2 pre-installed (i guess it's the international device if there is one) and what i can understand of what the model it's going to be "Castor" right?
So my question now is, what tools do i need to root it and install the recovery? and what recovery do you recommend? is it a damn hassle?
and what specific roms will actually work for this device? im looking for a CM based rom such as AOSP/AOSPA or as close to vanilla 4.4.x
Im also having some questions about the build.prop and DPI
Whats stock DPI?
What's the lowest DPI possible to use (still readable)
What DPI are you using/recommending?
Thanks in advance.
Great regards mattish.91

mattish.91 said:
what tools do i need to root?
Click to expand...
Click to collapse
http://forum.xda-developers.com/showthread.php?t=2784900
mattish.91 said:
Im also having some questions about the build.prop and DPI
Whats stock DPI?
What's the lowest DPI possible to use (still readable)
What DPI are you using/recommending?
Click to expand...
Click to collapse
Stock DPI is 240, and I have actually not changed it so I can't give any advice on that.
Sent from my Xperia Z2 Tablet using Tapatalk

UgloBuglo said:
http://forum.xda-developers.com/showthread.php?t=2784900
Stock DPI is 240, and I have actually not changed it so I can't give any advice on that.
Sent from my Xperia Z2 Tablet using Tapatalk
Click to expand...
Click to collapse
I would be careful which version of the tablet you have. Despite claims to the contrary, it does NOT work with the latest firmware and model information. I highly suggest checking the model numbers of people who got it to work and avoiding model numbers that don't yet work if you need it rooted right now.
EDIT: Actually, maybe it does work on all models. I have SGP561 with Firmware 17.1.D.0.417 and after running it the errors made it look like it failed, but after a reboot and waiting a little while I was able to edit files in Root Explorer (although some editors couldn't edit the files, which was weird) and of course I can't edit bootanimation.zip, but it's mostly rooted by the looks of things.

Elliander said:
I can't edit bootanimation.zip, but it's mostly rooted by the looks of things.
Click to expand...
Click to collapse
I just wanted to let you know that 4.4.x you cant change anything with the bootanimation.zip i have tried on multiple devices and found out that you actually cant unless you use a rom with cm11s features. Im able to change the boot animation trough settings on my note 3 which got some features from cm11s. I would love to see a rom for xperia tablet z2 that is based on temasek71's source. [email protected] @xda and temasek.hopto.org for devices and such. The best rom i have ever used in my life, it's unofficial cm11 and is 90% Of the time stable and fully working.
Thanks for the heads up

mattish.91 said:
I just wanted to let you know that 4.4.x you cant change anything with the bootanimation.zip i have tried on multiple devices and found out that you actually cant unless you use a rom with cm11s features. Im able to change the boot animation trough settings on my note 3 which got some features from cm11s. I would love to see a rom for xperia tablet z2 that is based on temasek71's source. [email protected] @xda and temasek.hopto.org for devices and such. The best rom i have ever used in my life, it's unofficial cm11 and is 90% Of the time stable and fully working.
Thanks for the heads up
Click to expand...
Click to collapse
If I backup the DRM keys, change to a custom ROM, change the boot loader, then restore to an official ROM with DRM keys restored, would the boot loader remain changed?
Is there a simple way to convert a video file to a boot loader?
EDIT: it also appears that I can't copy any files to the root folder. I want to install Ubuntu as a workaround to the fact that flash doesn't work anymore, even the modified version. I was thinking I could install Ubuntu and then install flash on that and get all my flash programs to work again, but for some strange reason I can't mount as read write anything in the root directory even though I can edit files in system. I'm not sure if I could call it being rooted if I don't have access to the root folder.

Elliander said:
If I backup the DRM keys, change to a custom ROM, change the boot loader, then restore to an official ROM with DRM keys restored, would the boot loader remain changed?
Is there a simple way to convert a video file to a boot loader?
EDIT: it also appears that I can't copy any files to the root folder. I want to install Ubuntu as a workaround to the fact that flash doesn't work anymore, even the modified version. I was thinking I could install Ubuntu and then install flash on that and get all my flash programs to work again, but for some strange reason I can't mount as read write anything in the root directory even though I can edit files in system. I'm not sure if I could call it being rooted if I don't have access to the root folder.
Click to expand...
Click to collapse
I guess what you'r trying to say is that you have a video that you want to use as boot animation? There is multiple tools to create pictures from a video and compile the pictures to a bootanimation.zip, even IF you got a boot animation zip, you wouldn't be able to replace the original zip if you are running android 4.4.x i don't know why but you can't. I can't really say why you only can edit some files are u Sure you have su binaries updated? If you wan't to change the bootanimation, i would recommend you to find a rom based on cyanogenmod 11s (the oneplus one version of cm) as far as i know there is none for xperia z2 yet, but when i come to the level of developing for android i will definitly try to compile one ^^. Yesterday i wrote to temasek71 and asked if he were intrested in developing for tablet, but i havn't got an answere yet, it's his birthday today ^^

mattish.91 said:
I guess what you'r trying to say is that you have a video that you want to use as boot animation? There is multiple tools to create pictures from a video and compile the pictures to a bootanimation.zip, even IF you got a boot animation zip, you wouldn't be able to replace the original zip if you are running android 4.4.x i don't know why but you can't. I can't really say why you only can edit some files are u Sure you have su binaries updated? If you wan't to change the bootanimation, i would recommend you to find a rom based on cyanogenmod 11s (the oneplus one version of cm) as far as i know there is none for xperia z2 yet, but when i come to the level of developing for android i will definitly try to compile one ^^. Yesterday i wrote to temasek71 and asked if he were intrested in developing for tablet, but i havn't got an answere yet, it's his birthday today ^^
Click to expand...
Click to collapse
So even an unlocked boot loader can't edit bootanimation.zip ?
Ya, I'm pretty sure it's rooted with su binaries. I was able to edit files in system anyway. It's just that I have no access to the root folder and a few other places. Also, as I posted elsewhere, shortly after getting it rooted a new problem developed where random apps on the Play Store would not allow me to install them because it says there is insufficient storage available, even though I have more than 20 gigabytes free space internal and more than 100 gigabytes free space external. Sideloading those apps don't help, but other apps install without a problem. None of the normal solutions work, and there are no traces of the files I can't install that I can find anyway. It seems as though I triggered some kind of security program at Verizon put on the device when I rooted it. It's so bad I am considering either a factory reset or flashing an updated official ROM without the branding, but I don't know if a factory reset would also wipe the carrier unlock ( from what I read it might or might not) and the only images I can find are for a different model number and I don't know if they work and I also don't know if the DRM keys will remain intact. Its so bad that I would advise anyone with a verizon branded z2 who wants to keep stock firmware to avoid rooting at all. I should have just bought an international version instead.
A custom ROM would be great, but aren't there specific apps that you can only install if you have the DRM keys working? I mean, if I could independently buy them I would probably not miss the DRM keys, but aren't these important features like infrared and video quality?

Correction! It all works!
EDIT: I backed up everything with Titanium Backup (and moved the backup to SD and removed the SD to be safe) and then performed a factory reset. (The APN settings will be wiped, so to anyone reading this: Don't freak out if your mobile data plan doesn't seem to work.) and then performed an Easy Root and this one is looking MUCH cleaner:
Code:
==============================================
= =
= Easy Root Tool v11 =
= Supports various Xperia devices =
= created by zxz0O0 =
= =
= http://forum.xda-developers.com/ =
= showthread.php?p=53448680 =
= =
= Many thanks to: =
= - [NUT] =
= - geohot =
= - MohammadAG =
= - cubeundcube =
= - nhnt11 =
= - xsacha =
= =
==============================================
=============================================
Waiting for Device, connect USB cable now...
Make sure you have only one Android device connected
BlueStacks emulator can also cause problems
=============================================
Device found
=============================================
Getting device variables
=============================================
Device model is SGP561
Firmware is 17.1.D.0.417
=============================================
Sending files
=============================================
35 KB/s (1585 bytes in 0.044s)
3608 KB/s (657704 bytes in 0.178s)
158 KB/s (1133 bytes in 0.007s)
99 KB/s (9496 bytes in 0.093s)
580 KB/s (13672 bytes in 0.023s)
Copying kernel module...
647 KB/s (34473 bytes in 0.052s)
46 KB/s (767 bytes in 0.016s)
948 KB/s (13592 bytes in 0.014s)
Kernel version is 3.4.0-perf-g31245c3
Version does not match 3.4.0-perf-ge4322cd, needs patching...
1+0 records in
0+1 records out
19 bytes transferred in 0.001 secs (19000 bytes/sec)
Kernel module patched.
modulecrcpatch (by zxz0O0)
module_layout: patched to 0xCFADE050
__aeabi_unwind_cpp_pr1: match
kallsyms_lookup_name: not found
printk: not found
mem_text_write_kernel_word: not found
__aeabi_unwind_cpp_pr0: match
successfully patched
=============================================
Loading towelzxperia
=============================================
698 KB/s (13592 bytes in 0.019s)
2639 KB/s (197320 bytes in 0.073s)
=============================================
Waiting for towelzxperia to exploit...
towelzxperia by zxz0O0 (EasyRootTool Version)
libexploit by geohot
libzxploit.so created
doing the magic
creating vm (loljavasucks)
mount: Operation not permitted
cleaning up
done
Checking if device is rooted...
Device rooted.
=============================================
Checking for Sony RIC
=============================================
Sony RIC Service found.
Installing RIC kill script installmount.sh...
Stock mount does not exist. Creating dir and link
Installing of mount.sh finished
Done. You can now unplug your device.
Enjoy root
=============================================
What to do next?
- Donate to the people involved
- Install SuperSU by Chainfire
- Install dualrecovery by [NUT]
- Backup TA partition
Press any key to continue . . .
I then had absolutely NO problems with TA-backup and was able to run adbd-insecure (which I couldn't before) and was able to successfully create the TA.img file for my DRM keys (which I also couldn't before).
I then had no problems editing Platform.XML to restore SD card access, and I have no problems creating folders in the root and moving files into it (although moving very large files to a folder in the root seems to cause the tablet to freeze up and reboot a few minutes later, which bites because I am trying to get Ubuntu. I'm going to have to go with a smaller image.)
Finally, I was able to restore all of my settings and app data without difficulty with Titanium Backup *AND* I was able to freeze or delete the system apps I so hated! (Unfortunately, even after enabling SD write access, Titanium Backup is oddly unable to write to SD. I had to manually copy the backup folder from SD back to internal and then reboot before I could even restore the backups as well. I thought that was very strange. Especially since I have a Pro version.)
Conclusion: The problems I went through were largely related to all of the failed rooting attempts. Don't try anything EXCEPT "Easy Root". It's all you need, and if you start with it you shouldn't have any problems. If you have the problems I had, you will have to do a factory reset before you can fully root the device.
As a side note, it needs to be mentioned that the Xperia Z2 tablet has a "Rooting Status" flag which is a permanent trigger. Even after a factory reset without root the flag remains triggered. If you are concerned about warranty you should be aware of it. Also, after I performed the factory reset I was unable to get rid of the Verizon "Tablet Activation" message permanently. I didn't have it before, but now I have it.

A Rooting Status Flag??
First time I hear about this with Z2. One of the reasons I've chosen this device and not the Galaxy Tab S.
Could you give more information or a link about this?

Vaetheran2107 said:
A Rooting Status Flag??
First time I hear about this with Z2. One of the reasons I've chosen this device and not the Galaxy Tab S.
Could you give more information or a link about this?
Click to expand...
Click to collapse
Well, mine is a Verizon branded factory unlocked SGP561. In:
System > About Tablet >
There is a setting on the bottom that says "Rooting Status" and beneath that, even before I managed to fully unroot it, the status said "Rooted". If you need it I can send a screenshot of the actual status.
After a factory reset it still said it and I assumed the root would have been lost after that (especially since I used the unroot option in SuperSU after), but a few of my bugs related to the bad rooting attempt resurfaced (not as bad though, and it goes away after a reset and restore of data) and after a subsequent factory reset I noticed I still had root access even without using easy root again. I also found that I could not find a way to unroot. I tried Universal Unroot today and it asked for super user privileges, granted it, and restarted itself, but even it couldn't unroot the device. So at this point I don't know if that flag would go away if the device is unrooted because I don't really know how to unroot at this point.
The important thing is that I was able to backup the DRM keys though, so now I have the option of trying other firmwares and later going back to what I had. My next step is going to be flashing an unbranded firmware over the branded firmware and see how that works for me.

well xD
I got my device today and also had some troubles rooting, adb and fastboot but once I got the thing of it, it was pretty easy, I got some good and some bad answers to my questions but now its all good xD running the latest carbon ROM as I type and it works just great, there is no wayim going back to sonys stock pre installed crap xD, just wanted to let you know that I did a backup but not the img file and hopefully won't need it anytime soon xD. Next step is backup and DPI change in my build.prop file to get everything just a bit smaller than it is right now.
Good luck rooting your devices and remember ALWAYS make an backup of your current system, including if you'd just doing an update. :victory:

mattish.91 said:
I got my device today and also had some troubles rooting, adb and fastboot but once I got the thing of it, it was pretty easy, I got some good and some bad answers to my questions but now its all good xD running the latest carbon ROM as I type and it works just great, there is no wayim going back to sonys stock pre installed crap xD, just wanted to let you know that I did a backup but not the img file and hopefully won't need it anytime soon xD. Next step is backup and DPI change in my build.prop file to get everything just a bit smaller than it is right now.
Good luck rooting your devices and remember ALWAYS make an backup of your current system, including if you'd just doing an update. :victory:
Click to expand...
Click to collapse
When you say backup, do you mean anything more than the user + system apps that Titanium backup makes?

Elliander said:
When you say backup, do you mean anything more than the user + system apps that Titanium backup makes?
Click to expand...
Click to collapse
Yes, like a recovery backup. IF you fu** anything up you can always restore that backup from recovery

wow!
I just changed to 180 dpi instead of 240 and it looks awesome so far all apps tested is working flawlessly, defenitly to recommend definitly looks like a tablet now
Look at it here: https://plus.google.com/+MattiasMagnusson