Hello!!
Is there someone that managed to obtain root access? If that's true, please tell me what method you used and how it went...
Root access is quite easy to achieve.
[GUIDE] All Tattoo questions and answers see here (from A to Z)!
http://forum.xda-developers.com/showthread.php?t=716282
1. How can I root my phone?
1.1 General information/Basic adb-commands
Rooting a phone enables you to do things, which normally aren't possible for the average user like:
- Removing apps which were preinstalled by the provider (like Orange, Vodafone, etc.). My Tattoo had Vodafone apps for buying music and other sh*t, which was installed on the system partition (to which a "normal" user has no rights to write to, including deleting).
The Tattoo was successfully rooted by a bunch of guys here, namely -bm-, mainfram3 and Coburn64 (maybe, I don't remember quite correctly). Also the Tattoo was the first phone having a security mechanism hindering a user from mounting the filesystems as read/write, which had to be overridden by remapping the read-only memory region to a read/write one. This is done by the module Tattoo-hack.ko, also made by mainfram3. He also created the first boot.img, which enabled su directly from adb and loading Tattoo-hack directly from boot on.
A few words about adb:
ADB is a tool for communicating from the PC with the mobile phone. For this a service is running on the phone enabling the communication via Terminal Emulator. Here are the most useful adb-commands:
Code:
adb push localFileFromPC /path/on/mobilephone
-> pushes a file "localFileFromPC" to a specified location on the phone
adb pull /path/to/file pathFromPC
-> receives a file from the phone and stores it to "pathFromPC"
adb remount
-> This is only possible in custom ROMs, remounts the file system to r/w automatically
adb shell "command"
-> executes "command" and returns to the computer shell
adb shell
-> opens a shell session on the phone (from here on you have to be very careful! Also you can now execute normal Linux commands like rm, mv, ls, chmod and so on, but not cp (this can be done through busybox)). You will have to use this more often, so get used to it ;)
I know that this is for second edition but I don't see a forum for the first edition so this seems to be the closest match. Anyway I am trying to root my Nook Classic (the one with an E-ink display on the top and color touch screen on the bottom). I am following the instructions on nookdevs for rooting the Nook Classic on all hardware and firmware versions (I can't post the link here as I am new but PM me and I can pass it that way if you need). The method is that sometimes when the web browser browses a certain type of website it crashes and sometimes starts adbd and you can connect adb at that point.
I have managed to get adb to connect, pull the init.rc file, make the needed change, but when I try to push the ratc.bin file adb says it goes through but then the second command $ cd /sqlite_stmt_journals (after starting adb shell) says it is not found. So I can't go any further. ratc.bin is what gives root access long enough to push the init.rc back and without being able to run that, well I am up a creek.
Any ideas?
>> http://www.mobileread.com/forums/forumdisplay.php?f=209
>> http://www.the-ebook.org/forum/viewforum.php?f=44&sid=e250da1c3a4967da22dae8ca2d104ac8
Thanks osowiecki, I did find a thread on MobileRead shortly after I posted this. The other is non-English I am afraid, and sadly I only speak English.
Anyway I did manage to root my nook today. And I am posting here as I hope it will help someone in the future:
Yessssssssssssssss! I finally hacked my Nook Classic (Nook First Edition called by some)! I followed most of the instructions at http://nookdevs.com/Rooting_B&N_revision_1.4_to_1.7_on_any_hardware
I only tweaked in a few places. Here is a general list of what I did:
1. Look at the site above and grab the linked file (ratc.bin). Then go to this thread http://forum.xda-developers.com/showthread.php?t=1474956 and at the top there grab the adb + fasboot + drivers.zip. The reason I used this is because it is much smaller than the full Android SDK (which is over 500mb btw) and I figured this would work since it works for Nook Tablets. I didn't install the drivers or anything though. Just used adb.
2. Went with nook browser to http://nookadb.suspended-chord.info/ to crash the browser. If this should ever be down I see on the nookdevs page there is a discussion with the code that is on the crash page so you can put it on any web server and still do this procedure.
3. Once it crashed I went to cmd (command prompt) and navigated to the folder that had the adb package I downloaded and decompressed earlier. I suggest putting this folder on your desktop for easy use. I gave the command
adb connect yournookip:5555
Please note that the nookdevs instructions are not specific in that you NEED the :5555 after the IP. If it doesn't connect, keep crashing the browser by going to that page until it connects.
4. Extracted the init.rc file with the command
adb pull /init.rc
then edited as per the instructions on nookdevs.
5. Now here is where things are different. I tried to push the ratc.bin file and while that seemed to work the commands after it didn't. It would keep saying the file wasn't there. I was cut and pasting the commands direct from the website so I don't think that was the issue. So what I did was grab the bat file at www.mobileread.com/forums/showthread.php?t=121655&page=2 by Jackr and edit it slightly removing the bit about location of adb and placed the bat in the same folder as adb on my desktop and ran it.
6. This actually worked and the bat prompted me to crash the browser again. I kept trying, it took a while, but as soon as I did it pushed the modified init.rc to the nook. This is another reason why I think the bat/script is important, as my nook totally froze a second after I crashed it. I think that if I was trying to paste that command manually after connecting I would still be trying lol.
7. After reboot I was fully rooted and I installed a bunch of apps from nookdevs using adb. Just make sure the apk (app file) is in the same directory as adb and use the command install nameofapp.apk
8. If you want to use nookmarket app to install files by itself then you need to:
adb connect nookIP:5555
adb shell
then type this after the #
/system/xbin/sqlite3 /data/data/com.android.providers.settings/databases/settings.db "update secure set value=1 where name='install_non_market_apps'"
It will allow nookmarket to install apps on the fly over the net. If you ever want to turn it back off just change the value=1 to value=0 in the above command. Of course you can always use adb, but it can be handy.
Of all the apps I would definitely suggest NookLibrary and wifilocker along with Nooksync. There are several other good nook apps such as trook. Oh I should also mention that Nook Browser still works fine. I think using the batfile/script helped with that situation.
I hope this helps someone who is thinking of taking the plunge (and trying to find out HOW). I wouldn't have bothered if B&N actually continued to update the Nook Classic and add the features that we BEGGED for (and are in NookLibrary). Instead of spending time adding things we didn't like games.
I've tried a thousand times, but always get "failed to copy 'init.rc' to '//init.rc': Permission denied" so RATC must not be working. And I'm on mac, so no bat. Any ideas?
lolbutts said:
I've tried a thousand times, but always get "failed to copy 'init.rc' to '//init.rc': Permission denied" so RATC must not be working. And I'm on mac, so no bat. Any ideas?
I would suggest looking at the bat, and creating the equivalent in AppleScript. If I remember right Macs still have that option. Another option would be to run say WinXP in emulation (with VirtualBox for example) and do it that way.
How to root the original Nook tablet (model number: BNRZ100)
dob43 said:
Yessssssssssssssss! I finally hacked my Nook Classic (Nook First Edition called by some)! I followed most of the instructions at http://nookdevs.com/Rooting_B&N_revision_1.4_to_1.7_on_any_hardware
Okay, since nookdevs.com has apparently been down for some time now, I was checking out the mobileread.com link that was shared above and found the info that I have been searching for on how to root the Nook. Be forewarned that I have not tried this yet, but I am about to, and afterwards I will post the results. I am just posting it as sort of a guide for myself and anyone interested at this point. I will edit this post accordingly once I am successfully rooted. Please see below for links / details.
Disclaimer: I am not responsible for any damage that is done by you to your Nook, either physically or otherwise. I am just showing you what I have researched and if you choose to follow these directions it is at your own risk.
Which Nook Device Do You Have?
click here to find out:
http://glyde.com/glydecast/how-to/which-nook-do-you-have/
Remember, this is for the first generation only (model number: BNRZ100)
Here is a visual aid that will help you find the SD card that you need to look for once you get the Nook opened up (yes, you will need to open your Nook and access the motherboard):
http://www.wired.com/2009/12/nook-torn-open-hacked-and-rooted/
How to open the Nook up:
https://www.youtube.com/watch?v=GEDqiNiQFHk
Hint: you don't need to take the front panel / bezel off, just the back section, because all we need is access to the motherboard to be able to remove the internal SD card, which contains the file that we will be editing.
Finally, the info that you need to root the device (also posted below the link for quick reference, and just in case the link gets broken):
http://www.mobileread.com/forums/showthread.php?t=128210
How to root the Nook, after you figure out how to open it up:
You just need a microSD card reader + Linux (any Linux)!
You should just remove the System file microSD (which is inside the Nook),
put it in your PC, and change the "init" file with any text editor!
Just find "service adbd /sbin/adbd" and change the "disable" to "enable"...
You are done!
Wow I had no idea that Nookdevs went down. Thankfully I did archive all the information on that page. While the method you mentioned is great, and the best, only the earliest Nook Classics had removable system SD cards. After the first batch they were soldered chips instead.
With that in mind I am posting what was contained in the link I posted before on NookDevs since it is not available on the internet archive.
------------
This method of rooting is known to work on B&N firmware revisions 1.4-1.7, on all hardware versions. Unlike the other rooting methods, this one involves an element of luck -- it takes advantage of a memory-corrupting bug in the web browser, and its success depends on the current contents of the memory which depends on more variables than we can control. As such, the method requires a little bit of (or more) patience. Warning: After this root is completed, the web browser will be irreversibly damaged.
Contents
1 Preparation
2 Enable adbd on the Nook
3 Pull and modify /init.rc
4 Getting root access
4.1 Keeping root access
5 Your rooted Nook
6 Notes
Preparation
Install Google's Android platform tools from developerdotandroiddotcom. These include many useful utilities, such as the ADB control software.
Open up a terminal to use ADB
Open a command prompt
Navigate to the directory that you installed, then go into the platform-tools subdirectory. This is where the adb executable lives.
Connect your nook to the same WiFi that your computer is on. You need direct (non-firewalled) access to the Nook's IP address to connect via ADB.
Find your Nook's IP address (How to find out your nook's IP address)
Write it down somewhere.
Enable adbd on the Nook
This is the luck portion of the root. adbd is the other half of ADB: ADB runs on your computer, and tries to connect with adbd on the nook. Once connected, you can issue commands, shuffle files, and install applications. Our final goal is to be able to start and stop adbd at will[1].
Open the Nook's web browser and navigate to the web site nookadb.suspended-chord.info. You may want to bookmark the page for a quicker access.
When you load this web page, the browser will crash. (It may automatically reload itself a few times first.) After it crashes, it might enable adbd.
Go back to the command prompt on your computer, and type:
adb connect <nook's IP>
One of two things will happen:
You will get the message unable to connect to <ip address>:5555.
In this case, restart your web browser and load the web page again (from the history or the bookmark). You may have to do this a dozen times or more, so keep at it!
You will get the message connected to <ip address>:5555.
Success!
At this point you (temporarily) have access to the nook via ADB, can now enter commands on your PC for the Nook, and can move files back and forth. If you reboot the nook, adbd (the nook companion to ADB) will not be running.
Pull and modify /init.rc
If this isn't your first time through, and you have a modified copy of init.rc, skip this step.
Now that you can connect into the Nook, you will want to pull and edit the /init.rc file. This file is run when the nook turns on, and includes an option to enable adbd (disabled by default). Download the file to your PC with:
adb pull /init.rc
Open this file with Notepad (or a different plain text editor), and find the lines:
service adbd /sbin/adbd
disabled
Change 'disabled' to 'enabled' and save the file.
Getting root access
You got the web browser to launch adbd, but you only have the privilege level of the web browser's user - system. To install software and to start adbd when the Nook reboots, you need root access. Rage Against the Cage will give you root access. Next, you'll restart adbd, and push the modified init.rc back to the nook. After that, reboot the nook and you're done!
Download [ratc.zip].
Extract it to the same directory that adb is stored in, then go back to the command prompt:
adb push ratc.bin /sqlite_stmt_journals
adb shell
$ cd /sqlite_stmt_journals
$ /system/bin/chmod 777 ./ratc.bin
$ ./ratc.bin
(several lines of output follow -- don't do anything, a few seconds later adb will disconnect you.)
Keeping root access
If everything went well, you should have root access on the Nook. However, the Nook is now relatively unstable and may stop working at any point, so work quickly!
The nook may crash - just reboot, then restart the process from scratch. (Remember, you don't need to pull init.rc again.)
First, you need to stop your PC's ADB server. It still thinks that it's connected to the nook.
adb kill-server
Second, you need to re-establish the connection with adbd on the nook and then push init.rc file. You can do this by typing these commands[2]:
adb connect <nook IP>
adb push init.rc /
Perform the browser crash procedure again. After each attempt, check if the computer successfully transferred init.rc. If it did, you're done!
If the nook crashes before the transfer completes (so you are not able to connect to your nook), go back to "Enabling adbd on the Nook". You can skip "Pull and modify /init.rc", but do the other steps.
If the adb push gives a permission denied error, redo the "Getting root access", and try again. You may have to do this quite a few times until the whole process succeeds.
Your rooted Nook
Assuming everything worked, you now have a rooted Nook with adbd running on reboot, with root access. You should be able to establish the connection with adbd on the nook without jumping through any other hoops.
What's next? Browse the applications, and install to your heart's content.
Suggestions:
Mynook.ru Launcher A polished replacement launcher. You must replace the launcher to access additional applications with the nook.
Trook A RSS feed reader for the nook, and much more! It can install applications, too. Just go into the nookdevs feed.
NookLibrary A replacement library for the nook. It unifies sideloaded books with Barnes & Noble content, and offers other improvements.
NookMarket A program that allows you to easily install everything on nookdevs. Trook offers more functionality (imho)
Games There are a few games on the applications page.
Notes
[1] There's also a Python script to automate the process: root-nook-eink.tar.xz (Updated Jun 6, 2011)
[2] You may want to run a script that automatically issues the following commands, reducing the chances of the nook crashing before init.rc has been pushed to it. In this case, extract this [batch file] to the same directory as ADB. Run it by typing:
push.bat
It will prompt you for your nook's IP address, then try connecting. Every few seconds, ADB will complain that it can't connect to the nook. Let's fix that.
------------------------------------------------
The above is from Nookdevs.com and I did not write it; I am only posting it here as the site has gone down.
I am also posting the html file that is needed to do this (although here it is in txt format). If the site listed above ever dies you can put this on a website somewhere to use it. And the ratc.bin file needed.
And finally I am adding the apps that make rooting the nook classic worthwhile. The improved library definitely. Which btw are two parts, the library app and the nooksync which enables you to download from B&N directly. Otherwise you need to use the normal nook library app to download, then you can read with the nookdev version. I am not sure which version of the library works best, been a while since I installed it so I included both.
Also wifilocker is great to turn wifi on/off, not to mention lock it and keep the nook from going to sleep while you are connected to adb. I definitely suggest installing that as well. The others are handy. Trook can connect to calibre and download books from your desktop. The nook browser is an improved web browser for nook classic, although I never really bothered with it.
Nook notes is good for quick little notes when you don't have any other device handy. Txt reader reads txt files, not the best but it is handy. Personally I just make epubs of anything with calibre. But if you don't want to bother making an epub first, this is handy.
Hope this helps someone!
I downloaded files and rat.bin has malware in it.
I also have a hard time understanding the ones that are explained above. Is there any easier way to do it? Does anybody have a good tutorial video or "fool-proof" instruction on this? I have Nook classic wifi version.
I would like to read kindle books on nook as well as the nook books. Is this even possible on this model?
Thanks for the help
kidollt said:
I downloaded files and rat.bin has malware in it.
I also have a hard time understanding the ones that are explained above. Is there any easier way to do it? Does anybody have a good tutorial video or "fool-proof" instruction on this? I have Nook classic wifi version.
I would like to read kindle books on nook as well as the nook books. Is this even possible on this model?
Thanks for the help
Er of course rat.bin would be flagged as malware, because technically it is. You are hacking a system that is designed not to let you in. But in this case all rat.bin will do is let you in so you can get root of your own device, nothing else. No back doors for anyone else or making your device do odd things.
The problem you are having is not using rat.bin, without that you might as well not try. I also only managed to do it with a BAT file so that it would keep trying to push the init.rc RIGHT AFTER the rat.bin was used. Generally you can't type fast enough to do the push. The window of opportunity is very very small.
This does work but is tricky as the window of opportunity is very small. I tried for hours trying to get it to work, then I used the BAT file to make the push automatic and on the second try it worked. Rooting the Nook Classic is the toughest device to root that B&N made. If you have one of the really early models that has a removable internal SD card then you can pull that, make modifications (install an old version of the ROM, make a modification to init.rc), and reinstall the SD card. I forget the serial numbers of the models that this worked with, but I do know it was the first batch of Nooks B&N made. If you got yours after the first Christmas, then it is likely it doesn't have an internal SD card that you can remove. Later on they soldered them to the board.
As for reading kindle books, no. There isn't a mobi reading app that I have found, let alone kindle books with DRM. The better bet is to use Calibre calibre-ebook.com to convert your kindle books to epub. But they can't be encrypted/DRM. If they are, then you have to remove that. There are scripts for Calibre that can do it for nook and kindle. I use calibre to convert my mobi/kindle books to epub then side load them. Another benefit of rooting a nook classic, you can then browse and download wireless from your calibre library with the Trook app. Although I never bothered and just did the transfers via USB.
Hi!
I would like to ask for help in this case:
I followed all the instructions here, however for some reasons I wanted to install this app first using the command "adb push Home.apk /system/app" pushing the app found here: Github
Now it turns on/off, shows "Home", battery and time at the top bar, but everything else is black, both the E-ink screen and the touchscreen as well.
It does not connect to wifi automatically so I can't connect via ADB to switch back to the original Home apk
Please help me, what should I do?
Is 1.7 software not rootable?
I can't get adb to come on, no matter how many browser crashes I do. Even wrote a script for it:
@echo off & setlocal
rem Retry "adb connect" until adb reports a connection, then open a shell.
set IP=192.168.0.119
set loopcount=0
:loop
set /a loopcount=loopcount+1
echo Connecting %loopcount% time...
rem find returns errorlevel 0 only when the output contains "connected to"
adb connect %IP% | find /i "connected to" >nul
if errorlevel 1 (
echo Not successful
goto loop
) else (
echo Successful
adb shell
goto exitloop
)
:exitloop
pause
Is OTA rooting (by redirect on sync.barnesandnoble.com) not possible any longer as well?
Sorry for the late response, for some reason the email telling me there was a post here just arrived TODAY lol.
It should be, I did it with 1.7. The script I have I modded a little from another one I found online; here is mine:
Code:
@echo off
echo The website hack seems to work on the round right after it has an instant crash.
echo.
adb kill-server
adb start-server
set /p ip=Enter the IP here.
:CON
cls
echo Crash the browser.
echo.
adb connect %ip%
for /f "tokens=2" %%A in ('adb devices') Do (Set dev=%%A)
if %dev%==device goto INT
echo.
goto CON
:INT
if exist ratc.bin (set f1=1) else (set f1=0)
if exist init.rc (set f2=1) else (set f2=0)
if %f1%==%f2% (if %f1%==1 (goto RTT) else (goto 2fi)) else (goto 2fi)
:2fi
if %f1%==0 (echo "The ratc.bin file is not in the %cd% directory.") else (echo Ratc.bin file present.)
echo.
if %f2%==0 (echo "The init.rc file has not been pulled from the device to the %cd% directory, pulling now.") else (echo Init.rc file present.)
if %f2%==0 adb pull /init.rc
echo.
echo Please add the required files and restart this batch. If init.rc was just pulled, you will need to modify the file.
cmd
:RTT
adb push ratc.bin /sqlite_stmt_journals
adb shell cd /sqlite_stmt_journals
adb shell /system/bin/chmod 0777 /sqlite_stmt_journals/ratc.bin
adb shell /sqlite_stmt_journals/ratc.bin
adb kill-server
adb start-server
goto CO2
:CO2
cls
echo Re-crash the browser.
echo.
adb connect %ip%
for /f "tokens=2" %%A in ('adb devices') Do (Set dev=%%A)
if %dev%==device goto PSH
echo.
goto CO2
:PSH
adb push init.rc /
adb shell reboot
echo.
echo Congrats! The device is now rooted.
echo.
cmd
It is RANDOM on the browser crashes. Sometimes it happens fast, another time it took me an hour or two to get a good crash and root the nook. Also if it doesn't seem to be doing it for a long time, try rebooting the nook (hold down the power until the screen blanks then press the button again to restart it). In my opinion, this is the toughest Nook to root, but definitely worth it. Especially now that B&N ended support some time ago. Also make sure the ADB, this script, and the ratc.bin are in the same folder. I used a folder on the desktop as it made it much easier/faster to get to. Also after you get the init.rc and mod it, that should be in the same folder as well.
As for OTA rooting, I have no idea if it will work or not. I never used that method. But if it depended on any sort of connection from B&N, I doubt it will work now since they have abandoned the Nook classic.
If you need any of the nook apps that were on the nook developer site let me know. I downloaded all the apps before the site went down.
Does this still work? I recently dug up my old nook 1st edition, I tried the website and it didn't crash my browser, it just sat there forever loading.. I looked at the site, now it's using TLS 1.3, but old nook 1st edition is stuck with TLS 1.2... I tried for many hours just couldn't "crash" the web browser at all...
Hi there, I'm trying to pull root directories like /system and /data without any luck. My purpose is to have them on my PC as a backup, and be able to browse them to pull out apps and pieces of data as necessary if it ever becomes necessary.
Device: Nexus 6P (North American version)
ROM: Stock 6.0.1 Rooted, using Wugfresh Nexus Root Toolkit and SuperSU
PC OS: Windows 7 PC (64 bit)
Adb is working properly and I can easily pull non-root directories like "/sdcard" and so on. I'd like to be able to backup the entire root directory ("/") or at least the child directories (like "/system" and "/data", etc.) Unfortunately, when I try
Code:
adb pull -p "/system" "C:\somewhere"
it skips a bunch of files, so I need to come up with a better method.
I've tried
Code:
adb root
and it tells me it's already running in root mode.
I try
Code:
adb remount
and it does this properly, but doesn't change the effects of all the commands I've tried.
When I run
Code:
adb shell
it enters shell and gives me # by default, so seemingly it is giving me su permission by default?
*** Oddly, when I enter "su" while in shell, it tells me "/sbin/sh: su: not found" which seems odd to me. I think it's possible that SuperSU is installed as systemless root, or there's something else screwy here, so I guess I'm not sure how to proceed. Still, if that were the case, why would adb already be running as root, and why would shell automatically give me the #?
Any help is appreciated!!
Thanks!
@Heisenberg I figured I'd tag you because of your extensive experience with the Nexus 6P in particular (and rooting.) Not sure if you may be able to shed some light on the issue here?
Hi all, I came across this root tutorial in a post from last year and was hoping to get some feedback on it. Risks involved? Potential for brick or boot loop? The tutorial uses supersu and I'm aware that it may now have security risks. This radio will never be online so it's not a concern. The tutorial was posted in an 8227L thread so it was supposedly done on this model but there wasn't much follow up.
According to AIDA64 my device specs are:
Model: alps 8227L demo
4x ARM Cortex A7 @ 1118mhz
32 bit ARMv7
CPU Revision: r0p3
1GB RAM
16GB ROM
Android Version: 6.0 Marshmallow
Kernel: 3.18.22
API Level 23
Android Security Patch Level: 2017-11-05
Build ID: YT9218_00002_V001
##############TUTORIAL###############
ROOT!
Root has to be done through ADB.
Attention! Incorrect actions can lead to a bootloop (endless loading) of the radio. To fix it, you will need a flashing and, as a result, a complete erase of all data; so, proceed at your own risk!
Requirements: P.C. (I prefer my laptop) and your head unit must be able to connect to the same wifi as the PC (I used my mobile phone's hotspot for wifi and connected my laptop and headunit to it)
Download adb (platform-tools-latest-windows.zip) from here
Download SuperSU apk and SuperSU zip files from here
Extract platform-tools-latest-windows.zip to C:\adb
Extract SR5-SuperSU-v2.82-SR5-20171001224502.zip.
Open the armv7 folder
Select all files in the armv7 folder and right click, Copy
Paste the files into the c:\adb directory
In the same folder, create a notepad file and paste in the following text:
Code:
service rooting /system/bin/su --daemon
class main
priority 10
user root
oneshot
seclabel ubject_r:system_file:s0
now save this file as "rooting.rc"
Open command prompt on your PC as administrator (in windows 10, in the "type here search" type "cmd")
type in "cd c:\adb"
Move over to the headunit and download "What is my IP address" from the google play store.
open up what is my ip address and write down your headunit's ip address (should be something like 192.168.3.4)
Go back to the play store and download "Terminal Emulator for Android"
open Terminal Emulator for Android
Go back to your pc and in the command prompt window, execute the following code:
(my adb worked without additional commands, immediately after opening the emulator)
(any sentences to the right of // means NOTE; so, don’t copy that part)
Code:
adb connect <IP devices>: 5555 // For example adb connect 192.168.3.4/10555
adb shell // Go to Shell
su @#zxcvbnmasdfghjklqwertyuiop1234567890,. // In the shell, we switch to superuser mode using the password
remount // Remount so that all further commands are immediately executed from the superuser
adb shell setenforce 0 // Further on the instruction manual from the articles
adb push su /system/xbin/su
adb push su /system/bin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell /system/bin/su --install
adb push rooting.rc /system/etc/init/rooting.rc
get back on your headunit,
get the SuperSU apk we downloaded from before and get it installed onto your headunit. (I put mine onto my google drive and downloaded and installed from there)
open it and look for a GRANT command.
Press GRANT to allow superuser access.
NOTE: If you get a request to update the binary file, click reject
go back to your pc. we are going to Reboot your headunit with the reset command
Code:
adb shell reboot
The radio will reboot twice, don't panic.
check with root checker
You should be ROOTED!
EDIT: here is a video:
the text file should contain:
Code:
service rooting /system/bin/su --daemon
class main
priority 10
user root
oneshot
seclabel u:object_r:system_file:s0
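The two versions of rooting.rc posted above differ only in the seclabel line. The following Python check is an added example, not part of the original posts: it parses an init service stanza the way someone auditing /system/etc/init on a head unit would, and flags a malformed SELinux context and a root-run su daemon. The function names and finding strings are made up for illustration; the two stanzas are copied from the thread.

```python
import re

# An SELinux context has four colon-separated fields: user:role:type:level.
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+:s\d+\S*$")

# Stanza as first posted in the tutorial (copied from the thread).
RC_AS_POSTED = """\
service rooting /system/bin/su --daemon
class main
priority 10
user root
oneshot
seclabel ubject_r:system_file:s0
"""

# Stanza from the follow-up correction (copied from the thread).
RC_CORRECTED = RC_AS_POSTED.replace("ubject_r", "u:object_r")


def parse_service(text):
    """Parse one init 'service' stanza into name, path, args and options."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or not lines[0].startswith("service "):
        raise ValueError("stanza must start with 'service <name> <path>'")
    head = lines[0].split()
    if len(head) < 3:
        raise ValueError("service line needs a name and an executable path")
    svc = {"name": head[1], "path": head[2], "args": head[3:], "options": {}}
    for ln in lines[1:]:
        key, _, value = ln.partition(" ")
        svc["options"][key] = value.strip()
    return svc


def audit_service(svc):
    """Return a list of findings (hypothetical labels) for one parsed stanza."""
    findings = []
    opts = svc["options"]
    label = opts.get("seclabel")
    if label is not None and not CONTEXT_RE.match(label):
        findings.append("malformed-seclabel")
    # init starts a service as root unless a 'user' option says otherwise.
    runs_as_root = opts.get("user", "root") == "root"
    if runs_as_root and svc["path"].rsplit("/", 1)[-1] == "su":
        findings.append("root-su-daemon")
    return findings


if __name__ == "__main__":
    for title, rc in (("as posted", RC_AS_POSTED), ("corrected", RC_CORRECTED)):
        print(title, audit_service(parse_service(rc)))
```
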
nismo2013 said:
the text file should contain:
Code:
service rooting /system/bin/su --daemon
class main
priority 10
user root
oneshot
seclabel u:object_r:system_file:s0
it works..no need to find the ip address or use a terminal emulator..you do have to add an extra line of code..
but since you're at Android 6, just use KingRoot..much easier
codecxbox said:
but since you're at Android 6, just use KingRoot..much easier
Thanks for the reply. I used kingroot on an old samsung galaxy s4 I had years ago and it made my device run like garbage. I would prefer the adb method above. In your other comment you said no ip or terminal emulator is needed. Then you said I do need an extra line of code. Do you mean an extra line of code in order to skip the ip and terminal em? Or the tutorial above needs one more line of code as it is?
nismo2013 said:
Thanks for the reply. I used kingroot on an old samsung galaxy s4 I had years ago and it made my device run like garbage. I would prefer the adb method above. In your other comment you said no ip or terminal emulator is needed. Then you said I do need an extra line of code. Do you mean an extra line of code in order to skip the ip and terminal em? Or the tutorial above needs one more line of code as it is?
you skip the ip add line and the use of the terminal emulator..
you should use these extra lines:
adb push su /vendor/bin
chmod 0677 su /vendor/bin
btw, you have to enable OEM Bootloader unlock at the usb debugging menu..press 4 times the build number and usb debugging will be enabled..after that, connect your cable to your pc, turn off and on your head unit, you should be able to adb devices with a serial number...
I recommend you to do each step copypasting at the adb prompt and pressing enter at each one..as soon as you get adb superuser enabled, youre good to go...DONT UPDATE SUPERSU IF IT TELLS YOU THAT THE BINARY NEEDS TO BE UPDATED!
your build 9816 I never did that one, but probably you wont need to [email protected], cuz these builds 9*** already have su built in, but they're not system wide..test # at adb shell before anything, and then push your su to all partitions..
codecxbox said:
you skip the ip add line and the use of the terminal emulator..
you should use these extra lines:
adb push su /vendor/bin
chmod 0677 su /vendor/bin
btw, you have to enable OEM Bootloader unlock at the usb debugging menu..press 4 times the build number and usb debugging will be enabled..after that, connect your cable to your pc, turn off and on your head unit, you should be able to adb devices with a serial number...
I recommend you to do each step copypasting at the adb prompt and pressing enter at each one..as soon as you get adb superuser enabled, youre good to go...DONT UPDATE SUPERSU IF IT TELLS YOU THAT THE BINARY NEEDS TO BE UPDATED!
Thanks for the additional info. I'm still a beginner when it comes to rooting and have never done adb. The reason I wanted to use the network method is the head unit is installed in my car and I only have a desktop pc. I could borrow a laptop but its not readily available. I'd also have to buy a M to M usb cable since the otg usb on the radio is full size.
One of the first things I did was enable developer options and unlock the oem bootloader. But thanks for the heads up! I also read to not update the super su binary. Random question.. but can magisk manager be installed on top of supersu? On magiskroot.net in the install info it says it can hide supersu root.
Can you please do an edit to the lines I enter into command prompt so I'm sure I get it right? I entered the actual ip address of the head unit. Can you please correct the formatting if it's wrong? I thought I want port 5555 but in the tut above he's using /10555. My current commands are:
Code:
adb connect 192.168.0.3/5555
adb shell
su @#zxcvbnmasdfghjklqwertyuiop1234567890,.
remount
adb shell setenforce 0
adb push su /system/xbin/su
adb push su /system/bin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell /system/bin/su --install
adb push rooting.rc /system/etc/init/rooting.rc
*NEXT INSTALL SUPERSU ON HEAD UNIT AND GRANT SUPER USER ACCESS - DO NOT UPDATE BINARY - FOLLOWED BY*
adb shell reboot
First, try to get your firmware, it may be full or update, doesnt matter..just in case your hu bricks..
Second, like I told you, check if superuser is already enabled..
If you only have a desktop pc, download adb lite, and decompress it to c:/adb
Get a usb to usb cable, or cut 2 usb data cables and twist or solder green to green, white to white, red to red and black to black..
I highly recommend you to download these apks..
busybox.apk from sterikson
CX Explorer.apk or Mixplorer.apk (these you need to obtain system modifications)
Magisk doesnt play well with HU, cuz these android builds contains su watchdogs that turn off any apps that attempt to modify system files..if your goal is to install Viper4Android, then its going to be a battle but it can be done..
I just read that you have the hu installed to your car..in that case you will have to use ADB WIFI, and process everything from your phone..there is a problem, you might need to get a wifi router, cuz these hu units dont do direct wifi..in that case, you need the real ip address of your hu and adb connect hu ip address
If your goal is to install TWRP, its almost impossible..adb fastload doesnt work, its needs access to a keyboard, and as you happen to experience, these units wont recognize a usb keyboard..the way to install TWRP is forcing it through SP Tool, but you need a very specific TWRP image, most likely you never get one..but its not necessary to obtain root, no problem
Kingroot is sounding better by the minute haha. I may just try that and then use a task kill app to stop the ram sucking crap it tries loading into the background processes. If kingroot fails to gain access, I hope you don't mind but I'll be back with more questions on the adb wifi process. I already have a wifi router so I'm good there. The tut above does it over wifi and desktop with the files sitting in c:/adb like you said.
A few things I have discovered about this head unit which may apply to other chinese hu.. As I'm sure you know, the bluetooth stack is missing the HID profile and while I was able to pair a gamepad, I couldn't use it. The same went for bluetooth controlled led strips. The work around for a gamepad or keyboard/mouse on these HU is, get a device that is android compatible but uses a 2.4ghz dongle. I plugged it in, drivers loaded and it started working. Check out the Rii RK707 which is an all in one. $23 on gearbest. Gamepad took getting used to but I installed retroarch and the quake 3 arena port and both worked flawlessly with a gamepad. Dead Trigger also worked perfect. I just google searched for the files and then side loaded to the HU. I also put a 3 port usb splitter on the otg and everything works fine together; storage and gamepad.
I also figured out how to gain 8GB free space. If you go to settings, then storage/internal and scroll to other, I saw mine had 8GB of files. I tapped other and then browse and saw 3 folders called amap, amap8 and amapauto or something like that. These are included chinese gps map files. I deleted the folders and my device went up to having 9GB free space and it's been running fine. I was able to install a bunch of games to verify the free space is actually there. I have seen people trying to re-partition their devices and being happy to gain 2GB free. This is the way to do it. The HU also runs less laggy with the extra space.
For external storage like a usb thumbdrive, I think these units claim to support 32GB. I can verify that up to 128GB works fine. I have a 128GB verbatim store n go and keep all of my mp3 and movie files there.
Hope you find some of this helpful.
codecxbox said:
First, try to get your firmware, it may be full or update, doesnt matter..just in case your hu bricks..
Second, like I told you, check if superuser is already enabled..
If you only have a desktop pc, download adb lite, and decompress it to c:/adb
Get a usb to usb cable, or cut 2 usb data cables and twist or solder green to green, white to white, red to red and black to black..
Good idea! I have some phone data cables with broken micro usb plugs I can cut and solder together.
How should I check if superuser is enabled? Can I install the supersu apk and try tapping GRANT? I just assumed I didn't have it because AIDA64 came back with "no root" when I ran it.
nismo2013 said:
Kingroot is sounding better by the minute haha. I may just try that and then use a task kill app to stop the ram sucking crap it tries loading into the background processes. If kingroot fails to gain access, I hope you don't mind but I'll be back with more questions on the adb wifi process. I already have a wifi router so I'm good there. The tut above does it over wifi and desktop with the files sitting in c:/adb like you said.
A few things I have discovered about this head unit which may apply to other chinese hu.. As I'm sure you know, the bluetooth stack is missing the HID profile and while I was able to pair a gamepad, I couldn't use it. The same went for bluetooth controlled led strips. The work around for a gamepad or keyboard/mouse on these HU is, get a device that is android compatible but uses a 2.4ghz dongle. I plugged it in, drivers loaded and it started working. Check out the Rii RK707 which is an all in one. $23 on gearbest. Gamepad took getting used to but I installed retroarch and the quake 3 arena port and both worked flawlessly with a gamepad. Dead Trigger also worked perfect. I just google searched for the files and then side loaded to the HU. I also put a 3 port usb splitter on the otg and everything works fine together; storage and gamepad.
I also figured out how to gain 8GB free space. If you go to settings, then storage/internal and scroll to other, I saw mine had 8GB of files. I tapped other and then browse and saw 3 folders called amap, amap8 and amapauto or something like that. These are included chinese gps map files. I deleted the folders and my device went up to having 9GB free space and it's been running fine. I was able to install a bunch of games to verify the free space is actually there. I have seen people trying to re-partition their devices and being happy to gain 2GB free. This is the way to do it. The HU also runs less laggy with the extra space.
For external storage like a usb thumbdrive, I think these units claim to support 32GB. I can verify that up to 128GB works fine. I have a 128GB verbatim store n go and keep all of my mp3 and movie files there.
Hope you find some of this helpful.
Didnt know about the 2.4 dongle, thanks for the tip! I guess the dongle should translate a usb keyboard, as its supposed to be HID compliant..give it a try!
My HU didnt contain Chinese maps, but there was a load of Baidu crap I deleted, gained some 250mb..Happy with the results!
nismo2013 said:
Good idea! I have some phone data cables with broken micro usb plugs I can cut and solder together.
How should I check if superuser is enabled? Can I install the supersu apk and try tapping GRANT? I just assumed I didn't have it because AIDA64 came back with "no root" when I ran it.
SuperSU from Chainfire rides upon su, so if su is not properly working, SuperSu reports that theres no root..
a quick way to know if you could be a superuser is looking at the build.prop at /system..if it says ro.xxxx.userdebug instead of ro.xxxx.user, then chances are that su is installed..but you would need to give permissions to su to modify anything, thats why the chmod command..
get to c:\adb
type adb devices you should see devices and a serial number
type adb shell you should see a $ prompt, means you dont have superuser privileges
if you see a # prompt, then you do have superuser
this is my modified routine:
adb shell
su @#zxcvbnmasdfghjklqwertyuiop1234567890,.
remount
adb shell setenforce 0
adb push su /system/xbin/su
adb push su /system/bin/su
adb push su /vendor/bin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell chmod 06755 /vendor/bin/su
adb shell /system/bin/su --install
adb push rooting.rc /system/etc/init/rooting.rc
adb shell reboot system
Reading again, you said that BT devices work, like a dongle..but at the fastboot prompt, neither HID or BT drivers get loaded, its like a safe mode boot..only way to emulate that Key Up, Key Down is opening the HU and search for a test point on the board, usually its works as a Key Down
codecxbox said:
Didnt know about the 2.4 dongle, thanks for the tip! I guess the dongle should translate a usb keyboard, as its supposed to be HID compliant..give it a try!
My HU didnt contain Chinese maps, but there was a load of Baidu crap I deleted, gained some 250mb..Happy with the results!
The usb keyboard and mouse also worked! I did quite a bit of research on gamepad and keyboard options once I saw 2.4ghz would work and narrowed it down to these 2. The Rii RK707 which is an all in one. It has a led keyboard and mousepad on one side, and flip it over and its a gamepad. Standard LB and RB plus incremental L and R triggers. Works well but the shape takes time to adjust to. https://www.gearbest.com/keyboards/pp_3002324601977019.html
The other which I'm still waiting to arrive is the EasySMX ESM-9110. Visually it's a copy of an xbox one controller but has nice rgby leds in the ABXY buttons. It also has programmable underside buttons like a scuf. Great reviews. https://www.aliexpress.com/item/4000574045231.html
Each are under $30 if you don't mind waiting for shipping from china. Everything else was either cheap junk or over my budget.
Further research proves this has been done before, although perhaps not on our device. While root in a technical sense, it's severely SElinux-limited & thus not of significant utility as it is. I've made some inroads re. patching init going toward full root, but nothing certain yet. Either way, what exists should be enough to get us to an unlocked bootloader if we can get our hands on the right CID & aboot.
------
This is how I achieved temproot on the P605V. This is not a permanent root as, since our tablets run a Samsung eMMC and are/should be vulnerable to the eMMC bug, if we have the right CID and aboot & if my understanding is correct, we can convert these to developer units and unlock their bootloader!
What this basically does is downgrade to a dirtycow-vulnerable kernel & launch a temporary root shell. At the moment it can't do much as it runs within dnsmasq's SElinux context, but it's a start.
This does not apply if you're on 4.4.2, there are probably better rooting methods then. Do not upgrade to 5.1.1 in that case as you will burn fuses and will be unable to downgrade back to 4.4.2.
However, we can still crossflash between 5.1.1 versions! For our tablet, there are two: P605VVRSDPL1 (latest, patched) and P605VVRUDOH2 (earlier, unpatched). You must downgrade to P605VVRUDOH2. You will need the P605VVRUDOH2 tar.md5 and Odin - this is covered extensively for every Samsung device (including the non-VZW version of ours) so I will not repeat it here.
Once you're on P605VVRUDOH2, go through the initial setup, enable Developer Tools, then enable ADB.
The manual process (compiling from source):
You will need to obtain the following (on Linux, not tested on Windows):
- the Android 22 NDK
- https://github.com/timwr/CVE-2016-5195
- https://github.com/freddierice/trident
0. If you don't yet have it installed, install the Android NDK. I don't usually compile for Android, so I installed Android Studio from https://developer.android.com/studio/#downloads and added NDK 22 from its menus. You can likely (and perhaps should) use an earlier NDK, such as 14 or 15. Your mileage may vary.
1. Extract CVE-2016-5195 and trident
2. In CVE-2016-5195, rename 'run-as.c' to 'old-run-as.c'
3. Copy 'reverse.c' from trident into CVE-2016-5195
4. In CVE-2016-5195, rename the copied 'reverse.c' to 'run-as.c' - we're basically replacing the original payload from CVE-2016-5195 with a reverse shell from trident
5. Edit the Makefile and replace the 'root: push' section as follows:
root: push
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/$(ARCH)/run-as /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/dnsmasq'
6. Run 'make root'
7. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIMcard to do this, any SIM will do - even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
8. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
9. Run 'adb forward tcp:4040 tcp:4040'
10. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
11. Profit!
The precompiled process (easier, binaries attached to this post):
1. Download and unzip the attached package.
2. Open up a shell/command prompt, change into the directory you unzipped the files into, and run:
adb push dcow /data/local/tmp/dcow
adb push rshell /data/local/tmp/rshell
adb shell 'chmod 777 /data/local/tmp/*'
adb shell '/data/local/tmp/dcow /data/local/tmp/rshell /system/bin/dnsmasq'
3. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIMcard to do this, any SIM will do - even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
4. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
5. Run 'adb forward tcp:4040 tcp:4040'
6. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
7. Profit!
Keep in mind, this is only temporary; a reboot will clear it and you'll have to exploit again. It is also not an extensive root as my end goal is to unlock the bootloader and get rid of the (awful) stock firmware.
Credits to timwr and all involved in the dirtycow exploit, freddierice for trident, as well as everyone on XDA whose research and comments over the past 4 years pointed me in the right direction. This tablet is still quite decent in 2020/2021, it deserves to be "free"!
----
As I understand it, as per @beaups https://github.com/beaups/SamsungCID & SamDunk, we will need two things - I hope someone in the community will volunteer these!
1. A dev-edition CID
2. An aboot dump from a dev-edition P605V (I'm not sure the regular P605 will work)
@ryanbg has made much inroad here as well. All input/assistance is appreciated!
Should these turn out to be unobtainium in some time, I will look into a permanent root solution.
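The verification step in the post above (a listener on 0.0.0.0:4040 and a root shell appearing under dnsmasq) doubles as a detection signal. The following Python triage is an added example, not part of the original post: it parses `ps` and `netstat` output pulled from a device and reports exactly those two indicators. The sample output is constructed, the function names are hypothetical, and the shell is matched as either `sh` or the `shell` name the post reports.

```python
# Constructed sample output, laid out like toolbox ps / netstat on Android 5.x.
SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     2616   884   ffffffff 00000000 S /init
root      2894  1     5120   1204  ffffffff 00000000 S /system/bin/dnsmasq
root      2901  2894  3180   960   ffffffff 00000000 S /system/bin/sh
shell     3010  412   3180   960   ffffffff 00000000 S /system/bin/sh
"""

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 127.0.0.1:5037         0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:4040           0.0.0.0:*              LISTEN
tcp        0      0 192.168.43.1:53        0.0.0.0:*              LISTEN
"""

SHELL_NAMES = {"sh", "shell"}


def _base(path):
    return path.rsplit("/", 1)[-1]


def parse_ps(text):
    """Map pid -> {user, pid, ppid, name}; tolerant of extra middle columns."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) < 4 or not (f[1].isdigit() and f[2].isdigit()):
            continue
        procs[int(f[1])] = {"user": f[0], "pid": int(f[1]),
                            "ppid": int(f[2]), "name": f[-1]}
    return procs


def shells_under_dnsmasq(procs):
    """PIDs of root shells whose parent process is dnsmasq."""
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if (parent and _base(parent["name"]) == "dnsmasq"
                and _base(p["name"]) in SHELL_NAMES and p["user"] == "root"):
            hits.append(p["pid"])
    return sorted(hits)


def wildcard_listeners(text):
    """TCP ports listening on all interfaces (0.0.0.0 or ::)."""
    ports = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            if addr in ("0.0.0.0", "::") and port.isdigit():
                ports.append(int(port))
    return sorted(ports)


def triage(ps_text, netstat_text, port=4040):
    """Return (indicator, value) pairs; port 4040 is the one named in the post."""
    findings = [("root-shell-child-of-dnsmasq", pid)
                for pid in shells_under_dnsmasq(parse_ps(ps_text))]
    if port in wildcard_listeners(netstat_text):
        findings.append(("wildcard-listener", port))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_PS, SAMPLE_NETSTAT))
```
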