Ran across this thread in the evo section, seeing how we also have htc's flash lite. It made me hopeful of attaining root. I've tried every card mentioned as being successful on three different systems :-(
http://forum.xda-developers.com/showthread.php?t=718889
bowtieduece said:
Ran across this thread in the evo section, seeing how we also have htc's flash lite. It made me hopeful of attaining root. I've tried every card mentioned as being successful on three different systems :-(
http://forum.xda-developers.com/showthread.php?t=718889
Even though I didn't really think it would work, I gave it a shot anyway. Naturally, it was unsuccessful. The Eris takes FOREVER to load that website, and it never triggers the shell script to ask for a reload; therefore permission is denied for the second part when you reboot with adb shell.
Interesting exploit, though. I wonder if there is some way to modify it for the Eris. Maybe you could contact the devs.
Really, nobody else is interested in this?
MyFixofAndroid said:
Yep that's what I expected. Yea there's gotta be someone here that can do the changes to the EVO files so they work with Eris, and upload the proper files to file sites and have us downloading in no time, so we can get root finally. Yes please anyone here up and willing
Toastcfh used to do some work for the Eris; someone may want to start there, since he provided what looks to be a pretty main part of the EVO root.
sickbox said:
Toastcfh used to do some work for the Eris; someone may want to start there, since he provided what looks to be a pretty main part of the EVO root.
Thanks for the tip. I sent him a PM. Will report back when I find something.
Anyone with an Eris can help out - rooted or unrooted.
I looked at those scripts last night - what seems like the necessary conditions for the beginning of the exploit (part1) are:
(1) there is a directory read/write/traversal permission security flaw in the data area for flash-lite;
(2) apparently, when flash-lite is running it must have root privilege at a moment when it performs a file "chmod" operation
So, an unprivileged user goes in, and makes a symlink (at the correct moment in time) in flash-lite's data area that points to a mtd partition - moments later, flash-lite "chmods" what it thinks is a file in its data area, but instead, it is chmod'ing the target of a symlink - the normally protected mtd partition.
This allows use of flash_image to write whatever is wanted to that partition - even as an unprivileged user.
It should be easy enough for someone with Linux/Unix command line scripting experience to test to see if these conditions prevail on the Eris. You don't even need to be root - make your symlink point to something in /data/local if you are worried about something bad happening to a mtd partition. Chmod it initially to 600, and see if it gets changed by flash-lite when (and if) you drop the symlink into place.
I would do it, but I've got to go buy all the parts for (& build) a new computer (no dev station as of last night).
bftb0
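Added example, not part of the thread or of the EVO scripts: the chmod-through-a-symlink condition bftb0 describes, as a C program that runs the harmless test he suggests (a mode-600 file as the stand-in target) against a path-based chmod and against a hardened open(O_NOFOLLOW) + fchmod. The function names, the /tmp scratch directory and the file names are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from the post: privileged code chmods a path inside a directory
 * that an unprivileged user can write to. chmod(2) follows symlinks, so the
 * mode change lands on whatever the link points at. */
static int chmod_by_path(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Hardened form: refuse a symlink as the final path component, confirm the
 * object is a regular file, and change the mode through the descriptor so the
 * name cannot be swapped between the check and the chmod. O_NOFOLLOW does not
 * cover symlinks in parent directories. */
static int chmod_regular_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed test mirroring the post: a mode-0600 file stands in for the
 * protected target and a symlink to it sits where the privileged code expects
 * its own file. Returns the target's permission bits afterwards, or -1 if the
 * scratch setup failed. */
static int target_mode_after(int hardened)
{
    char dir[] = "/tmp/symlink-chmod-XXXXXX";   /* assumed scratch location */
    char target[128], lnk[128];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(lnk, sizeof lnk, "%s/app-data-file", dir);

    int fd = open(target, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(target, lnk) == 0) {
            if (hardened)
                chmod_regular_nofollow(lnk, 0666);
            else
                chmod_by_path(lnk, 0666);
            if (stat(target, &st) == 0)
                result = (int)(st.st_mode & 0777);
            unlink(lnk);
        }
        unlink(target);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod(path):         target mode %o\n",
           (unsigned)target_mode_after(0));
    printf("O_NOFOLLOW + fchmod: target mode %o\n",
           (unsigned)target_mode_after(1));
    return 0;
}
```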
bftb0 said:
Anyone with an Eris can help out - rooted or unrooted.
bftb0
Thank you for the detailed explanation. I'll have a look at the scripts, though it's more about learning new things for me, as this exceeds the current state of my unix knowledge. Hope others with more immediate knowledge of the subject will take a crack at it.
The shell script points to sharedobjects within /data/data/com.android.browser/flashlite, but neither sharedobjects, nor any folder for that matter, exists within that directory on the Eris. Is there a different place this could point; does the Eris have the same objects stored in a different location?
UPDATE: I'm searching my filesystem on my Eris right now to find it. I will report back later with results.
Also, if we find a sharedobjects folder (and the right one) then we can point the script in the proper direction and have root very soon.
MyFixofAndroid said:
Maybe the "sharedobjects" folder and other missing folders are really on the Eris, one of you should look for them. Use ASTRO or a different file manager and search most of the whole filesystem and see if you can find "sharedobjects" on your Erises.
In the meantime I'll try the same thing. Maybe there's a search engine for the file system of the Eris that you can get in the Android Market, that would do the trick. A file and/or folder search engine.
If we find a sharedobjects folder (and the right one) then we can point the script in the proper direction and have root very soon.
From what I see (and this may just be my eris), the directory probably does exist but we can't touch it:
ls -l
...
drwxrwx--x system system 2010-04-15 02:23 data
...
No read or write permissions to the directory using adb or Astro.
I do have permissions for /sdcard/data on my Eris:
d---rwxr-x system sdcard_rw 2010-06-26 13:26 data
but it doesn't contain the referenced folders and I don't think the browser downloads temporary files to the SD card.
I checked on my other Eris which is rooted. It seems that these may be the directories that we are looking for. However I don't find anything in an app-cache directory.
# find / -name *flashlite
find / -name *flashlite
/data/data/com.android.browser/flashlite
find: /proc/851: No such file or directory
# find / -name com.android.browser
find / -name com.android.browser
/data/data/com.android.browser
Well this appears to be the deal breaker then. Because non-root users of Eris cannot access /data as non-root, they cannot see anything in app-cache, and therefore cannot root yet, at least with this particular method unless there's another way to do it.
We should think of a way to still exploit Flash Lite on Eris, but use a different folder/folders in the Part? scripts that they point to for the operations of the script. This may be possible to do, however, still unlikely to work, and it is still going to be hard at this point.
But does anyone want to give my modified EVO method but for Eris a try? One of you should, so that we can root this thing and get it over with.
jimbonj said:
From what I see (and this may just be my eris), the directory probably does exist but we can't touch it:
ls -l
...
drwxrwx--x system system 2010-04-15 02:23 data
...
No read or write permissions to the directory using adb or Astro.
I do have permissions for /sdcard/data on my Eris:
d---rwxr-x system sdcard_rw 2010-06-26 13:26 data
but it doesn't contain the referenced folders and I don't think the browser downloads temporary files to the SD card.
I don't think we would need read/write permissions to begin with to use this root; if we had them to start we would be rooted.
Because he is using an exploit in flash lite to write to a restricted folder, he's not just found a folder where the permissions aren't set correctly.
If flash lite can invoke admin access and we can exploit it there should be a way to root this.
I am going to the bar to get some beers for my friend's birthday; when I get home I am going to see if I can modify this into an Eris root.
Yeah JVWARD!
On your rooting effort, all the better, try modifying it for Eris and let all of us know if you succeed, hope you can, so we can get root too. Keep trying it with different changes until you get it to work.
Thanks.
You are able to cd directly into /data/data/com.android.browser/ and then ls, so all hope may not be lost yet. The flashlite directory does not show up, I'm guessing because I haven't used my browser yet so I need to try and get to a flash site and see if it is created. I'm having some problems with the touch screen on my leak Eris right now that I'm trying to fix right now, if anyone else wants to give it a shot.
Yes sickbox, by all means, keep trying stuff, and finding that "flashlite" directory etc. till you get it to root. Hope your touchscreen returns to normal, and that you can create the directory that you mentioned in your previous post by using a flash site.
Hey guys, I know this is a tall order, but I want to help. Any chance you could do a "step by step" set of instructions, or at least copy & paste the Evo instructions with the appropriate changes to try this on the Eris? I'm still not rooted, and the SD card Timing root method isn't working for me. I'd like to try something different.
Hey, can someone with a rooted Eris using an almost 100% stock ROM setup dump their file system and post it? Anyone using a highly customized ROM, don't bother.
Sent from my Eris using Tapatalk
lostpilot28 said:
Hey guys, I know this is a tall order, but I want to help. Any chance you could do a "step by step" set of instructions, or at least copy & paste the Evo instructions with the appropriate changes to try this on the Eris? I'm still not rooted, and the SD card Timing root method isn't working for me. I'd like to try something different.
Link to the Evo instructions is in the OP. Currently working to see if it's possible on the Eris, so that's a no-go for now.
Stay tuned.
Team,
I've been working with the scripts with the awesome folks on IRC and have currently gotten thus far:
Part1 - http://pastebin.com/FUJWM3zW
Part2 - http://pastebin.com/6h07zrdm
I believe at this point I've screwed up my FlashLite plugin with my testing, so I'm going to try to recover that and keep moving along.
LR
I wonder if other people are having these issues, story follows.
I was trying to install the updated ADW.launcher via the adb install command and was getting errors such as "/sbin/sh pm not found". This led to an investigation and it turns out that all the standard applications used to install stuff under android are in /system/bin BUT... The path in the CM6 rom does not have /system/bin in the PATH variable. The only path element as far as I can tell is /sbin. So the solution I came up with was to copy over all the tools from /system/bin to /sbin and this worked.
So here is the real question. How do I change the path on the android device? I have already tried export PATH=$PATH:/system/bin but this does not stick after I close the adb shell.
Update: oh great when you reboot the phone all the copied tools disappear and you have to do it all over again to install another file. Did not expect that one. This makes my need to change the path even more urgent.
Update2: I found it easier to just push the new file over top of the old one in /system/app. This will work for system apps and if I need to install other apps I can just load them from the sdcard.
Is there a reason you are not installing it from market? ADW is the default launcher in CM6, so the one from market is not the same, but they can coexist.
so the one from market is not the same, but they can coexist.
Yea I was not really sure about that so I felt it was safer to download the one for CM6. If that works I will do that in the future. I ended up just doing a push over the older version in /system/app, this worked fine.
Is there a reason this rom does not have /system/bin in its path? Is it to avoid toolbox?
anika200 said:
Yea I was not really sure about that so I felt it was safer to download the one for CM6. If that works I will do that in the future. I ended up just doing a push over the older version in /system/app, this worked fine.
Is there a reason this rom does not have /system/bin in its path? Is it to avoid toolbox?
It is in the path.
# echo $PATH
/sbin:/system/sbin:/system/bin:/system/xbin
#
Can you help me to change the path? Mine is only /sbin for some reason.
Normal export command did not work for me. Thanks
Maybe it's baked into the boot.img? What about the init scripts? Any clues where to start? Maybe I will just flash on a new nightly, would that overwrite the existing path info?
Ok, I found some clues. A document on the android init scripts describes the path settings. I will poke around in there and see what I can muck up. http://www.netmite.com/android/mydroid/1.6/system/core/init/readme.txt
Sent from my Liberty using XDA App
Answered my own post.
To change the path you need to edit init.rc and add the correct path.
For some reason the nightly I was using had the wrong path in there and would not let me use adb install correctly. I would get an error back "/sbin pm not found". The adb installer was looking for a tiny program (a shell script really) named "pm" but it could not find it because pm is located in /system/bin which was not in the search path. Probably would have caused other problems too.
On a side note, why could I not get an answer to this simple question on a development thread? Seems like ROM creators/modders would know this second hand. Not complaining, just makes me wonder.
Sounds a lot like a complaint to me.
I've been busy working on issues that are not isolated to a bad nightly, such as why we can't read telnos and contacts from the sim card.
/system/bin/sysinit gets pulled in from the cm6 repository, so things on nightlies are very fluid - I never know what to expect. Looking at my build, there is no way I could answer your question in any definitive way that would explain the discrepancy. Since I could not verify the problem, I deemed it a non-issue and moved on.
That did sound like a complaint, sorry. It was not really directed at you as I assume there is more than one developer on this site. I got it solved no problems. Maybe this will help someone else down the road. I have seen a few of these posts around and never saw a concrete answer.
I am surprised the phone ran so well with the path mangled so bad. I am also a little surprised that init.rc gets touched at all on a nightly cycle. One of those things I guess.
anika200 said:
I am also a little surprised that init.rc gets touched at all on a nightly cycle. One of those things I guess.
I was a little surprised as well.
I've been trying to get a custom hosts file to the phone but things aren't working out very well. Root explorer is saying that in /system/etc there's not enough free space to complete the operation. I've also tried with other file managers to no avail. I've tried adb push, shell cp and it says permission denied. I know I'm rooted. I looked in /system/etc and there isn't a stock hosts file, in fact a search says there isn't a hosts file in / and sub directories. I've tried su and sudo and it still gives me the finger. Anyone have any suggestions?
I'm doing everything the same way I've done it with my moment, evo, and epic with 2.1 and now it's not working. I thought that maybe there's an update needed for root explorer like was needed when the epic was first released, except other file managers aren't working either. Argh
herbthehammer said:
I've been trying to get a custom hosts file to the phone but things aren't working out very well. Root explorer is saying that in /system/etc there's not enough free space to complete the operation. I've also tried with other file managers to no avail. I've tried adb push, shell cp and it says permission denied. I know I'm rooted. I looked in /system/etc and there isn't a stock hosts file, in fact a search says there isn't a hosts file in / and sub directories. I've tried su and sudo and it still gives me the finger. Anyone have any suggestions?
I'm doing everything the same way I've done it with my moment, evo, and epic with 2.1 and now it's not working. I thought that maybe there's an update needed for root explorer like was needed when the epic was first released, except other file managers aren't working either. Argh
I would try running the rageagainstthemachine exploit and then immediately try to adb push to system - right after the exploit adb should run as root and you should not get the permission denied (after reboot adb will no longer run as root).
I opened up the run.bat and edited it. I added the push of the hosts file after the rage and root files and chmod it for good measure. Saved the bat then ran it. Permission denied. It's not letting me push the file into /system/etc in one click 2.5.2
damn
stubborn bugger!
Is it possible that an updated exploit is needed? I tried and failed to run ryanza's z4root prog too. Some progs aren't showing up in the market either... I'm sure that's in a post somewhere else too
Try doing it manually - that exploit should work. I'm assuming for protected apps to show in market you will have to wait till Google officially recognizes this ROM.
Sent from my SPH-D700 using XDA App
Here's what I found out. The version tar I was using was the odin one. I flashed it on top of di18 with everything erased. For some reason there wasn't a hosts file. I got pissed off and clockworked the di18 I had then entered username and password then nandroided a restore point I had before upgrading. It worked fine as it did before. I ran sprint navigation to get the gps working. Then I dl the update 90 mb file that was hosted on google. I applied that in clockwork on top of everything without erasing everything. Then I had to one click and the push of hosts failed again because it was a read only filesystem. Things didn't look right and it appeared the one click didn't take the first time. I suspect it was because I let the phone lock and turn off screen. Rebooted phone and one clicked again. This time it took. Looked in /system/etc and there was a hosts file. I don't know if it was stock or one left over from di18. I tried again to copy modded hosts over on top of existing one with root explorer. It took this time. There must have been something wrong with the odin flash. Noobs clockwork modded update locked up my phone hard at the stock recovery screen. Anyways I'm going to give this a try and see what happens. Browsing in stock and dolphin seem much slower putting the page together and moving around. We will have to wait and see if someone runs a diff between this update and the one that comes with sprint and see what's up.
I need to try and remove flash out of here because the web pages are almost bringing the phone to its knees with flash advertisements.
herbthehammer said:
I need to try and remove flash out of here because the web pages are almost bringing the phone to its knees with flash advertisements.
You try the ondemand setting for plugins within the browser?
I just checked in stock browser and it was on demand. I will try off and see what happens.
Here... flash this and problems solved
http://db.tt/EDNJNdk
Sent from my VIPERrom [TRiNiTY] DK28 3.0
I know there are many threads pertaining to rooting with bootloader 0.86 and OS version 2.2.1, but I simply cannot do it...
I have tried visionary and can gain temp root but obviously can't get it to permaroot.
I am very new to this (again obviously). I downloaded androzip and unzipped the gfree files to sdcard, but when I try to move them to /data/ it won't allow me to do it, even when temp rooted; keeps telling me it's not allowed.
I have tried time and time again, just can't do it. Can anyone dumb it down for me, more so than before... I'm just missing something, def doing it wrong lol.
Thanks!
The only method that worked for me wasn't on this forum. It was on youtube or google or something. Try googling mt4groot.zip or youtube mytouch 4g root; the video has few views.
Rainbowbright081 said:
I know there are many threads pertaining to rooting with bootloader 0.86 and OS version 2.2.1, but I simply cannot do it...
I have tried visionary and can gain temp root but obviously can't get it to permaroot.
I am very new to this (again obviously). I downloaded androzip and unzipped the gfree files to sdcard, but when I try to move them to /data/ it won't allow me to do it, even when temp rooted; keeps telling me it's not allowed.
I have tried time and time again, just can't do it. Can anyone dumb it down for me, more so than before... I'm just missing something, def doing it wrong lol.
Thanks!
you need to have "set system set to r/w" checked when you temp root. VISIONary will not let you have r/w access to the /system folders until you do that. you also need to use a Root Access File Manager like Super Manager to move/edit/delete stuff from the /system folder grouping.
I don't think I have seen any mention of this idea yet. Sorry if I missed it...
In a recent thread about the 6.2.2 update and people wanting to prevent it, I thought I read that someone saw the file show up in the update directory. I'm assuming this means the same 'kindleupdates' directory you could manually drop the update into -- but if not, the idea is the same. Why not just take some step to prevent access to this directory?
The exact step to take would depend on how smart the developers were about dealing with problems in the update process.
The easiest step would be to chmod 555 it. But of course if the update process is running as root it is under no requirement to honor those permissions! (My experience in the unix world tells me that about half the time, programs running as root do honor the permissions even though technically root overrides them).
Another easy step would be to delete it altogether. But they probably thought of that (if it's /mnt/sdcard/kindleupdates where someone could easily accidentally delete it) and recreate it if it's missing.
One trick that is often done is to replace the directory with a file. Some programmers do not think to check this kind of condition - they see there is something there, but they get an error opening it as a directory, and they just declare it's an error.
A more subtle trick would be to replace the directory with a symlink that points to a read-only directory (such as /system). In this case, they could open it as a directory, and just fail to write there. The programmer probably would not have thought to check whether it's a link vs. a real directory. One possible gotcha is if you point to /system, and /system is r/w, then the update could screw something up under /system. So maybe mount /system r/w, mkdir /system/kindleupdates, remount /system r/o, then link the update dir to /system/kindleupdates.
And finally, I don't know if Android has any kind of loopback filesystem capability, but loopback-mounting something read/only on that directory would certainly fake the OS into thinking there was a directory there; it would definitely be read/only, and I don't think they would ever think to check whether there is actually some filesystem mounted there! (and if there was, all you need is an app that constantly accesses some file you put there, which would make it busy so that it couldn't be unmounted).
The first method won't work because the sdcard partition is fat32 and doesn't accept unix permissions.
it downloads to the /cache folder - this folder is also used for other things like market downloads, logs from twrp and i don't know what else
btw. there are a lot of threads about this from the 6.2.1 update
make a short search for "prevent ota update" - you'll have a lot to read ...
well, i just deregistered my kindle account and i'm still in 6.2.1...
b63 said:
it downloads to the /cache folder - this folder is also used for other things like market downloads, logs from twrp and i don't know what else
Ah, that makes this less practical. Still, perhaps when the next update comes out I can try a variation on this but it requires the filename to be known.
If the update is downloaded as a single file to /cache, which is named the same as the file you can manually grab, then someone who hasn't gotten 6.2.2 (and is not averse to this failing) can try this in a root shell:
mkdir /cache/update-kindle-6.2.2_D01E_3205220.bin
mkdir /cache/update-kindle-6.2.2_D01E_3205220.bin/blah
The purpose here is to put something unremovable in the way of the file it wants to download. Most likely if the update sees something with the existing name there it would probably want to blow it away (after determining it's incomplete) - and since any update there would normally be a regular file, they probably would do nothing more complicated than a simple unlink syscall to delete it before re-downloading. However, since it's a directory with something in it, that unlink will fail. In actuality, making the subdirectory (second command above) should be unnecessary because the unlink should not work for directories; there's a special rmdir syscall for them.
btw. there are a lot of threads about this from the 6.2.1 update
make a short search for "prevent ota update" - you'll have a lot to read ...
I did read a lot of that last time and I don't think I actually saw a definitively successful method. If there is one it should be stickied
My interest in this is a little different from most of you guys - I have very limited satellite internet and I don't like these unscheduled 185-meg downloads so I want to be able to update only when I want mostly to control that. This kind of means looking for the least-intrusive way to accomplish this.
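Added example, not from the thread: a C program that places a directory where a regular file is expected, as the two mkdir commands above do, and then tries to clear it with unlink() and with remove(). It shows that unlink() refuses any directory, while remove() falls back to rmdir() and clears an empty one, so only the nested form survives both. The /tmp scratch directory (standing in for /cache) and the function names are assumptions; which call the Kindle updater actually uses is not known from this page.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* File name taken from the post; everything else here is constructed. */
#define SLOT_NAME "update-kindle-6.2.2_D01E_3205220.bin"

/* Put a directory where the downloader expects a regular file, optionally
 * with a subdirectory inside it, then try to clear the slot the way an
 * updater might. Returns 0 if the slot was cleared, the errno of the failed
 * call otherwise, or -1 if the scratch setup itself failed. */
static int clear_slot(int nested, int use_remove)
{
    char dir[] = "/tmp/ota-slot-XXXXXX";      /* assumed stand-in for /cache */
    char slot[128], child[160];
    int err = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(slot, sizeof slot, "%s/%s", dir, SLOT_NAME);
    snprintf(child, sizeof child, "%s/blah", slot);

    if (mkdir(slot, 0755) == 0 && (!nested || mkdir(child, 0755) == 0)) {
        /* unlink(2) never removes a directory; remove(3) falls back to
         * rmdir(2), which succeeds only on an empty directory. */
        int rc = use_remove ? remove(slot) : unlink(slot);
        err = (rc == 0) ? 0 : errno;
    }

    rmdir(child);   /* cleanup; failures here are expected and ignored */
    rmdir(slot);
    rmdir(dir);
    return err;
}

static void report(const char *label, int err)
{
    printf("%-22s %s\n", label, err == 0 ? "slot cleared" : strerror(err));
}

int main(void)
{
    report("unlink, empty dir:",  clear_slot(0, 0));
    report("unlink, nested dir:", clear_slot(1, 0));
    report("remove, empty dir:",  clear_slot(0, 1));
    report("remove, nested dir:", clear_slot(1, 1));
    return 0;
}
```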
/cache/update-kindle-6.2.2_D01E_3205220.bin is exactly where it downloads
if you find a way to even prevent the download, that would be greatly appreciated
Unfortunately I already got the update so I can't try it this time.
at least you could try your method with a dummy file of an other name and try to overwrite it with adb - if you can't overwrite it there's a good chance
I think I'm about the only one who prevented 6.2.1. I did it by constantly checking the cache folder. Found the update by chance and deleted it before it updated. Waited over a week for it to come back. Never did. An app that watched the cache folder for the updates and then moved/deleted them would work fine
Sent from my SGH-I897 using xda premium
jcase already worked a way around this automatic OTA update, so when FIREMOD is ready to replace burrito I think we will have no more problem with this OTA issue. (You can find jcase's announcement in the kindle developer section.)
Here's what I have done to prevent this.
1) Droidwall (white list only the apps you want to allow internet access)
2) Removed "otacerts.zip" from /system/etc/security/otacerts.zip.
3) I removed "OTASilentInstall.apk" from /system/app
4) Installed this 6.2.2 based Rom http://forum.xda-developers.com/showthread.php?t=1439916
Hopefully this eliminates the OTA. I had my Fire rooted on 6.2.1 with twrp and it OTA'd on its own, broke root and twrp. So I rerooted with burritoroot2 and installed CWM based recovery.