Android 1.x / 2.x HTC Wildfire Local Root Exploit - Wildfire General

Hi, I just found this post on packetstormsecurity with the code of an ingenious local root exploit for HTC Wildfire, which uses a flaw in the hotplug subsystem...
packetstormsecurity.org/files/view/98106/androidwildfire-exec.txt
I'm wondering if this could be the first step for a new 1-click root app for Wildfire...
Bye

bruno820 said:
Hi, I just found this post on packetstormsecurity with the code of an ingenious local root exploit for HTC Wildfire, which uses a flaw in the hotplug subsystem...
packetstormsecurity.org/files/view/98106/androidwildfire-exec.txt
I'm wondering if this could be the first step for a new 1-click root app for Wildfire...
Bye
sounds promising
Martin Eve's official blog about the exploit:
martineve.com/2010/08/15/htc-wildfire-stage-1-soft-root/
Erwin

I don't have Linux now, can someone compile it and put the binary here as an add-on?

Yes, I have Linux... is it just a normal gcc compile? Shouldn't it have a flag for the ARM CPU?
Tell me how to do it and I will post the binary.

maybe take flags and settings from here:
http://forum.xda-developers.com/showpost.php?p=7611978&postcount=75

ErwinP said:
martineve.com/2010/08/15/htc-wildfire-stage-1-soft-root/
Erwin
..........

but look at this date:
http://www.exploit-db.com/author/?a=3158

I made it!
Here is the binary
PS: Ubuntu Maverick has everything needed to build for arm architecture, just apt-get it...
$ sudo apt-get install gcc-arm-linux-gnueabi g++-arm-linux-gnueabi

Did you try to run it?

No, I didn't... I'm trying to understand what to do next
Edit: it seems that I need the USB cable to use the adb tool... I will try later when I am at home.

I tried with terminal:
cat /sdcard/exploid > /sqlite_stmt_journals/exploid
chmod 0755 /sqlite_stmt_journals/exploid
/sqlite_stmt_journals/exploid
BUT this directory does not exist, error.
There is no sqlite_stmt_journals directory on the WF.

Maybe you have to connect the device to adb to make that directory appear.

The same with adb.

No way
I connected my Wildfire to adb...
$ ./adb push exploid /sqlite_stmt_journals/exploid
failed to copy 'exploid' to '/sqlite_stmt_journals/exploid': No such file or directory
I guess that HTC has fixed this bug... please, someone contradict me!

hmmm..
the blog is dated August 15, 2010 ...

Ok, I managed to run the executable (I recompiled it, it's attached)... this is the output from adb:
$ ./exploid
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by Martin Paul Eve for Wildfire Stage 1 soft-root
[+] Using basedir=/data/local/tmp, path=/data/local/tmp/exploid
[+] opening NETLINK_KOBJECT_UEVENT socket
[+] sending add message ...
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
[1] + Stopped (signal) ./exploid
[1] Segmentation fault ./exploid
$
I copied the executable to /data/local/tmp/ because I can't find /sqlite_stmt_journals/ on my device...
And finally.... invoking hotplug (wifi on/off) does nothing!! But at least it runs...

Code:
cut
* Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run.
* Or use /data/local/tmp if available (thx to ioerror!) It is important to
* to use /sqlite_stmt_journals directory if available.
cut
find this in exploid file....give it a try
use /data/local/tmp if available....
I've tried with no success: no root access, no Superuser, no Titanium Backup...
saluti, mario

Yes, I did it indeed.
I'm starting to think that this hack is for the stock Eclair, not for Froyo...

Lol martin did this method for the soft root ages ago.
Sent from my HTC Wildfire using XDA App

Ok ok, I know... but the code has been modified and put online again on 2/2/2011 (you can read this too).
My hope was that it had been adapted to 2.2, but it seems I was wrong... we would never have known without trying.

Related

Root the kyocera echo!!!

WE ARE ROOTED!!!
Okay, we have successfully found root for the Kyocera Echo (We have reached our goal folks!!!) So here is the Root method!
DISCLAIMER: This has to be done correctly, or you will have to reset your phone in order to run the Exploit again! Follow all instructions below please.
Credits:
All credits go to zergRush of XDA, Saridnour for his dedicated work to H.T.E. (Which will soon be Hear OUR Echo), and all who tested this to confirm its functionality and show me the proper way to do it!
A little Information:
I will be using my directory to my SDK folder for this tutorial (C:\sdk\tools) but whatever your directory is to SDK is what you will use.
Things you will need:
Android SDK (already set up)
A Kyocera Echo (duh!)
zergRush (XDA root exploit)
Root method:
1. Download zergRush and put the file (not the zip) in your tools folder of sdk
Open your CMD prompt, then redirect to SDK (just type exactly what I type after you're in SDK)
(cd c:\sdk\tools) <-- SDK redirect
adb shell rm -r /data/local/temp/*
adb push zergRush /data/local/temp/zergRush
adb shell
chmod 755 /data/local/temp/zergRush
/data/local/temp/zergRush
then you should see this:
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00017118
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219c4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd260a9 0xafd39f9f
[*] Poping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root..enjoy!
3. Afterwards, you will have to manually push SuperUser and Busybox (DO NOT UNPLUG THE PHONE)
find the SU and Busybox files here
Then, ADB push them with these commands:
Type: adb push GingerBreak /data/local/tmp/GingerBreak
Type: adb push Superuser.apk /data/local/tmp/Superuser.apk
Type: adb push su /data/local/tmp/su
Type: adb push busybox /data/local/tmp/busybox
AND THERE YOU HAVE IT, YOUR PHONE IS NOW ROOTED. HAVE FUN MODDING AND DOING WHATEVER ELSE. AS SOON AS SARIDNOUR AND H.T.E. COME OUT WITH THE RECOVERY, WE ARE ON TO CUSTOM ROMS!!!!
Thanks for supporting us this whole time,
BFG SgtRecon
First
. . . .
Amazing my girl wants to cook up her own rom ......well wants me to..
Good job all would worked on this
Sent from my PC36100 using xda premium
There is also a one-touch method that is easy to use and free. Just go to the forums at heartheecho.webs.com. Register for free, and the software and instructions are easy to find in the Tutorials section of the forums.
Sent from my M9300 using XDA App
I know, the guy named saridnour built it. (I own hear the echo, or am the creator of it rather, my name on there is BFG SgtRecon on the site though)
Sent from my PG86100 using XDA App
just use z4root
Z4root work only for froyo, but not for GB
Windows Must Die! Why??? http://www.youtube.com/watch?v=ET0UAdzQkpQ&feature=youtube_gdata_player
Look for my three step process on next gen xda or android central
Sent from my M9300 using Tapatalk 2

[Q] I bricked my kindle fire with bad build.prop

I tried to edit some lines in build.prop to get better Android Market success, however I bricked my device after reboot.
The Kindle stays on a blank screen after showing the Kindle Fire logo. It can still be accessed through adb, and SuperOneClick detects it as rooted, but the system folder is read-only, therefore I can't restore the build.prop.
I tried to use the su / mount commands but they can't do anything except say permission denied.
Is that possible to use fastboot to restore the system folder?
I tried to rename the official Kindle bin to update.zip but fastboot cannot recognize it.
Anyone have a kindle fire system image dump which can be use with fastboot?
Thanks!!! and sorry for my bad english
http://forum.xda-developers.com/showthread.php?t=1356257
Sent from my Kindle Fire using xda premium
Tried many times, but it's not working, zergRush can't root the device anymore... thx
This very same thing just happened to me today, here is my fix. I know you said that zergRush isn't rooting your device but I suspect that you are missing a step somewhere.
-Make sure that zergRush is in the same folder as adb (probably /android-sdk/platform-tools)
-follow steps 1 and 2 here
-now you need to mount /system as R/W
Code:
adb shell
su
mount -o remount,rw -t yaffs2 /dev/block/mtdblock1 /system
chmod 777 /system
then type
Code:
exit
to get out of shell
then you should be able to push build.prop to /system (make sure you have build.prop in the same folder as adb)
Code:
adb push build.prop /system
then reboot
Code:
adb reboot
Worked perfect for me!
Let me know if you have any other questions
Here is what I get when I run ./zergRush :
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[-] No path found, let's hope ...
[*] Sending 149 zerglings ...
[-] No path found, let's hope ...
[*] Sending 149 zerglings ...
[-] Zerglings did not leave interesting stuff
What does that mean?
Thanks
Someone please help, I bricked my Kindle Fire with a bad build.prop as well, but when I try to run ./zergRush, it gives me the error that it is not a 2.0/2.3 Android and quits . Any ideas?
all this bricking is making me want to wait a couple weeks till I root my Fire, things don't seem real stable right now.
krighton said:
all this bricking is making me want to wait a couple weeks till I root my Fire, things don't seem real stable right now.
Things are only as stable as those using them! These bricks are all USER error and are not true bricks.
SikYou said:
Things are only as stable as those using them! These bricks are all USER error and are not true bricks.
oh i'm sure that's the case, i rooted my nook but only after it was stable across the board, knowing my own limitations. I'll keep tabs on the progress.
I bricked my kindle too a few days ago with a bad build.prop. Well, in my case, I somehow managed to move my build.prop to the wrong folder and thus was left with an unbootable kindle. I had root, but I was unable to give ADB permission to use root, so in practice I really didn't have root.
What I ended up doing to fix my kindle was booting into fastboot and then flashing a valid system.img to the system partition of the kindle. Ask around and see if anyone is willing to offer up a system.img and then search for instructions on how to flash a system.img to your fire (I think the command is:
flash -i 0x1949 system path/to/system.img
I was able to fully recover by following the instructions on this post
http://forum.xda-developers.com/showpost.php?p=19974461&postcount=23
If anyone has any questions I can answer, I will do my best to do so. I kind of had to piece together information from a bunch of different posts because there is no all-inclusive guide on fixing a build.prop error.

Android rooting - Linux port of DooMLoRD script - ICS as well as Gingerbread

Update: I have now also made a Linux port for DooMLoRD's rooting of ICS phones.(Sony Xperia only)
Please see attached file: Xperia-2011-ICS-ROOT-emu-Linux.zip
Note: You need flashtool for linux. Procedure remains the same as for windows.
Original script thread: http://forum.xda-developers.com/showthread.php?t=1601038
Rooting procedure: http://talk.sonymobile.com/thread/41119?start=0&tstart=0
Please update Superuser app as well as SU binary to the latest version after rooting is done successfully.
Update: Updated as per DooMLoRD's v4.0 script with zergRush binary of 21 Nov 2011 and with makespace which deletes Google Maps if there is not enough space.(< 6MB).
Hello
I am completely new to Android but not at all new to Linux.
I used paxchristos script (ran commands manually though) to root my Sony Ericsson Live with Walkman. (WT19i / Android 2.3.4 / Build 4.0.2.A.0.58)
Source threads used:
http://forum.xda-developers.com/showthread.php?t=1319653
http://forum.xda-developers.com/showthread.php?p=18615502
In an attached file, I fixed/modified/added few things in paxchristos script. Here is the detail:
1) Fixed error in symlinking su. (source/destination were same)
2) Don't delete (and recreate) /data/local/tmp/ directory unnecessarily, just delete its contents.
3) Create /data/local/tmp if it does not exist.
4) Uses dd instead of cp (because DooMLoRD's script does, don't know why!). Update: as per anantshri, dd is used because cp has been known to give errors.
5) If your system already has 'adb' then it uses system 'adb' instead of one in zip-archive.
6) Updated zip archive to contain the latest files from DooMLoRD's archive (paxchristos archive seemed old)
Please try/verify and let me know if I missed something.
Thanks.
Very nice to know that fellow *nixers are on xda.
Thanks, I am still getting used to this forum.
Have already found answers to many of my questions regarding Android.
One thing that shocked me is Android uses Java and not C. I would have preferred C anyday.
OK, so a few things:
1) yes java is used mainly in Android, However look at NDK if you are a C fan.
2) The dd command is used in scripts to avoid cp-related issues, because, last I remember, we encountered multiple errors in scenarios where cp used to fail but dd used to work. So dd is de facto there.
@doomLord, Correct me if i am wrong.
Ah, that clears the dd confusion. Till now I was wondering why he chose dd. I thought maybe because dd was faster for internal memory to internal memory transfer.
Since DooMLoRD is good programmer I knew there has to be a reason. And that is why I changed paxchristos script to use dd.
Updated to match with DooMLoRD's v4 script. See update on first post for details.
Just used this script on my Galaxy S 2 Skyrocket. Worked great!
Have used the script with Sony Ericsson Xperia Mini E10a Latin America.
Script ran, ADB found the device, device rebooted correctly but... no root after reboot. Checked with Root Checker from Market.
Anyway, great script! Should work for some models.
On my phone (Milestone 2 with Gingerbread 2.3.6) the root process worked, but in the free space check it returns 90% free space, so the software does not identify this correctly and deletes my Google Maps. The following screen is for you to evaluate and correct the bug. And congratulations for the initiative; I'd have had to do it by hand if I hadn't found your script ready.
---------------------------------------------------------------
Easy rooting toolkit (v4.0)
created by DooMLoRD
using exploit zergRush (Revolutionary Team)
This script has been ported by paxchristos and modified by amish
Credits go to all those involved in making this possible!
---------------------------------------------------------------
[*] This script will:
(1) root ur device using latest zergRush exploit (16 Nov)
(2) install Busybox (1.18.4)
(3) install SU files (binary: 3.0.3 and apk: 3.0.6)
(4) some checks for free space, tmp directory
(will remove Google Maps if required)
[*] Before u begin:
(1) make sure u have installed adb drivers for ur device
(2) enable 'USB DEBUGGING'
from (Menu\Settings\Applications\Development)
(3) enable 'UNKNOWN SOURCES'
from (Menu\Settings\Applications)
(4) [OPTIONAL] increase screen timeout to 10 minutes
(5) connect USB cable to PHONE and then connect to PC
(6) skip 'PC Companion Software' prompt on device
---------------------------------------------------------------
CONFIRM ALL THE ABOVE THEN
PRESS ENTER WITHIN 120 seconds TO CONTINUE OR ctrl-c to cancel
--Starting---
---Killing the adb server to make sure that there are no problems---
---Waiting for Device---
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
---Cleaning out any previous zergRush attempts---
mkdir failed for /data/local/tmp, File exists
rm failed for /data/local/tmp/*, No such file or directory
---Pushing zergRush---
531 KB/s (23060 bytes in 0.042s)
---Fixing permissions for zergRush---
---Running zergRush---
If it gets stuck here for a long time then try:
1)disconnect usb cable and reconnect it
2)toggle 'Usb Debugging' (first disable it then reenable it)
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00000118
[*] Scooting ...
[*] Sending 149 zerglings ...
[*] Sending 189 zerglings ...
[+] Zerglings found a way to enter ! 0x18
[+] Overseer found a path ! 0x000151e0
[*] Sending 189 zerglings ...
[+] Zerglings caused crash (good news): 0x4011ccd4 0x0074
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd19413 0xafd3925f
[*] Sending 181 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
---Waiting for Device---
---Pushing busybox---
2011 KB/s (1075144 bytes in 0.522s)
---Fixing busybox permissions---
---remounting system---
---checking free space on /system---
10 KB/s (439 bytes in 0.040s)
--- Free space on /system : 90% bytes
test: 90%: bad number
--- NOT enough free space on /system!!!
--- making free space by removing Google Maps
---copying busybox to /system/xbin---
2099+1 records in
2099+1 records out
1075144 bytes transferred in 0.084 secs (12799333 bytes/sec)
---fixing ownership and permissions---
---installing busybox---
---cleaning up---
---pushing SU binary---
546 KB/s (22228 bytes in 0.039s)
---correcting ownership and permissions for SU---
---correcting symlinks---
---Pushing Superuser app---
2160 KB/s (785801 bytes in 0.355s)
--cleaning---
---rebooting---
---All done, your Xperia has been rooted by DooMLoRD---
---This script has been ported by paxchristos and modified by amish!!---
---If have any questions, feel free to email me @ [email protected]---
Umm.... Freespace checking script was not developed by me. I have copied it directly from DooMLoRD script AS IS (had not tested it either). I think we dont need it anyway. It will be very rare that person rooting wud have run out of space. Person can re-install Google Maps (so no big harm done by bug)
But when I get the time I will check DooMLoRD's script to see if there is a bug.
Please click on THANKS if u liked my script
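The log above shows the free-space check failing on the string "90%" ("test: 90%: bad number") and the script then taking the "NOT enough free space" branch and removing Google Maps. The following is an added example, not DooMLoRD's or amish's script, of how such a check can be written so that a value it cannot parse never triggers the destructive step; the shape of the original comparison (a bare `test`) and the input format are assumed, and only the 6 MB (6144 KB) threshold comes from the first post.

```bash
#!/bin/bash
# Added example: a fail-safe free-space check. Not code from the toolkit.
# Assumption: the original check was a bare "test $free -ge $min"; a value
# such as "90%" makes test exit with an error and the else-branch runs.

MIN_FREE_KB=6144   # the "< 6MB" threshold mentioned in the first post

# naive_space_ok FREE MIN_KB
# The assumed original shape: works for plain numbers, but on "90%" test
# prints "bad number" and returns non-zero, which the caller reads as "low".
naive_space_ok() {
    test "$1" -ge "$2" 2>/dev/null
}

# free_space_verdict FREE MIN_KB
# Prints one of:
#   enough  - FREE is a plain integer >= MIN_KB
#   low     - FREE is a plain integer <  MIN_KB
#   unknown - FREE is not a plain integer ("90%", "26M", empty, ...)
free_space_verdict() {
    local free=$1 min=$2
    case $free in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$free" -ge "$min" ]; then echo enough; else echo low; fi
}

# decide_maps_removal FREE
# Returns 0 (remove) only when a parsed number is really below the threshold.
# "unknown" must never justify deleting anything; the caller should stop and
# let the user check /system by hand instead.
decide_maps_removal() {
    case $(free_space_verdict "$1" "$MIN_FREE_KB") in
        low) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on constructed inputs, including the "90%" string from the log.
for v in 90% 5120 204800 ''; do
    printf '%-9s -> %s\n' "'$v'" "$(free_space_verdict "$v" "$MIN_FREE_KB")"
done
```

With this verdict function the "90%" case from the log prints `unknown` and `decide_maps_removal` refuses, instead of silently falling through to the removal branch.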
Your script has saved me a lot of work, because I'm tired of borrowing the notebook of my wife for flashing my phone and was looking for solutions for linux, missing root can do, I do not want to use SuperOneclick (did not want to install it just for Mono ) and go on to adapt the script DoomLord for Linux, which you did very well done. Now I can do everything on my computer with linux, what about the bug, I realized that the program was part of the original script, but I made a warning to those who wish, like me, deactivate the check room not to lose Google Maps (or have to reinstall the Market).
adb drivers in linux ?
Hi! Can I use this script to root my Galaxy Note? And can you tell me how to install adb drivers in Linux, please?
Just try it.
ADB is already there with script.
If you have fedora then u can install adb by running:
yum install android-tools
OK
Thank you, i will try. I didn't realize that "ADP" is the same as "ADP drivers".
well in linux there is nothing like drivers u can say
very few hardware require driver.
and when android itself is born from linux, linux shud already have support for it
Everything went well, thank you very much! We should just specify the need to execute the file "runme-linux" as root (with "sudo") ;-).
I would not want to abuse, but would it be possible to have the same thing for unroot, please?
Easy unroot for linux
Hi,
I used Amish's translation to do the same for DooMLoRD's Unrooting Script. I successfully tried it with my phone, but REMEMBER YOU ARE DOING THIS AT YOUR OWN RISK (I suppose you know this song ;-))
DooMLoRD's instructions :
so here is the unrooting script to be USED ONLY AND ONLY IF U HAVE USED MY FILES (Easy Rooting Toolkit) FOR ROOTING
[ WARNING ]
if u have used any other way/solution for rooting then PLEASE DO NOT RUN THIS... you MIGHT END UP with damaged system...
(thats cause some ppl create symlinks for busybox in /system/bin/ which wipes out stock symlinks to /system/bin/toolbox and breaks/damages system)
More information here http://forum.xda-developers.com/showthread.php?p=18615502 and here http://forum.xda-developers.com/showthread.php?t=1329360
I haven't unrooted but I think unrooting would be nothing but removing the busybox symlinks (and busybox itself) and removing the su binary and Superuser.apk.
btw there is no need to run "runme-linux" as super user.
it works as normal user (recommended)
amishxda said:
btw there is no need to run "runme-linux" as super user.
it works as normal user (recommended)
If I run the script without sudo, the script blocks just after "* daemon started successfully *"
You can see below the console log :
Code:
---------------------------------------------------------------
Easy rooting toolkit (v4.0)
created by DooMLoRD
using exploit zergRush (Revolutionary Team)
This script has been ported by paxchristos and modified by amish
Credits go to all those involved in making this possible!
---------------------------------------------------------------
[*] This script will:
(1) root ur device using latest zergRush exploit (16 Nov)
(2) install Busybox (1.18.4)
(3) install SU files (binary: 3.0.3 and apk: 3.0.6)
(4) some checks for free space, tmp directory
(will remove Google Maps if required)
[*] Before u begin:
(1) make sure u have installed adb drivers for ur device
(2) enable 'USB DEBUGGING'
from (Menu\Settings\Applications\Development)
(3) enable 'UNKNOWN SOURCES'
from (Menu\Settings\Applications)
(4) [OPTIONAL] increase screen timeout to 10 minutes
(5) connect USB cable to PHONE and then connect to PC
(6) skip 'PC Companion Software' prompt on device
---------------------------------------------------------------
CONFIRM ALL THE ABOVE THEN
PRESS ENTER WITHIN 120 seconds TO CONTINUE OR ctrl-c to cancel
--Starting---
---Killing the adb server to make sure that there are no problems---
---Waiting for Device---
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
^C (because no reaction after 5 minutes)
error: protocol fault (no status)
---Cleaning out any previous zergRush attempts---
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
error: insufficient permissions for device
error: insufficient permissions for device
---Pushing zergRush---
error: insufficient permissions for device
---Fixing permissions for zergRush---
error: insufficient permissions for device
---Running zergRush---
If it gets stuck here for a long time then try:
1)disconnect usb cable and reconnect it
2)toggle 'Usb Debugging' (first disable it then reenable it)
error: insufficient permissions for device
---Waiting for Device---
^C
If I run the same script as root (with "sudo"), the script continues without problem.

[HOW-TO] Lenovo IdeaTab A1000 Rooting

HOW TO ROOT YOUR LENOVO IDEATAB A1000
<DISCLAIMER>
By attempting these steps, your warranty will be void. Even worse than that, it might cause crashes, freezes, random explosions, 2nd degree burns, or even turn your beloved tab into $100+ paperweight. What works on mine might not work on yours, so don't attempt if you don't know what you're doing. Do at your own risk. Corrections are welcome. I must admit that I'm not an expert, so any info I posted might be wrong, and I can't offer you much help. I'm not responsible for anything arising from the use of this how-to. I can only wish you good luck.
<WHY ROOT?>
- Without root or OTA upgrades (at time of writing, Indonesian customers still can't get it), you'll be stuck with ~500MB internal memory. That's annoying.
- You're stuck with the default IO scheduler (cfq) and governor (hybrid, haven't heard that one..)
- You have an incredibly large amount of bloatware you can't get rid of, in that already cramped up internal storage
- Did I mention freedom?
<REQUIREMENTS>
This method was originally used to root the Acer Iconia B1-A71. Somehow I noticed that the two actually have the same chipset, MTK8317 (if it really was relevant). So I tried the method, and through sheer n00b's luck, it worked like a charm!
Lenovo IdeaPad A1000-G --> 4GB storage, 2G/EDGE. This method hasn't been tested on A1000-T/F, different storage capacities (16GB, etc.) or other variants, but it should work with slight modification. Screenshots of my specs are attached below. Remember, proceed at your own risk!
A Linux System. Never tried on Windows or Mac. I personally used Linux Mint 15. The source post uses Ubuntu.
Working ADB (android-tools-adb). You can get this from Synaptic, apt-get, etc. If your system can detect adb devices, you should be fine.
Superuser Binary
Busybox Binary (You can get these two from the links on original post. XDA says noobs can't post links :'( )
ORIGINAL THREAD
<CREDITS>
XDA Senior Member entonjackson, for writing such a noob-friendly how-to for rooting Acer Iconia B1-A71 and for allowing me to use it for this how-to.
XDA Member alba81, for discovering the method as acknowledged on the original post by entonjackson
All awesome gurus on XDA which I can't mention one by one.
<THE STEPS>
1. Extract the android sdk to your home folder, e.g. a user named Bob will use /home/bob
2. Open a terminal
3. Now plug your A1000 into your machine and turn on Debugging Mode (Go into Settings -> Developer Tools, turn on Developer tools, then turn on USB Debugging Mode)
4. Now back at the keyboard of your Linux machine in your terminal type:
Code:
sudo adb devices
The output should be something like:
Code:
123456789ABCDEF device
If it's not, google for it. Somehow your Linux hasn't detected the A1000, although the android sdk for Linux brings all needed drivers with it.
If your device was found, congratulations. The adb connection between your linux machine and your tablet is intact.
5. Now extract the downloaded busybox archive to your home folder, in it there should be a busybox binary. So Bob does:
Code:
sudo ./adb push /home/bob/busybox /data/local/tmp
Code:
sudo ./adb shell
Code:
chmod 755 /data/local/tmp/busybox
6. You should copy the busybox binary into a directory where you can access it as a plain non-root user on the tablet. We need this binary. so we can apply unix tools like telnet, dd, cat, etc. But for now we need it to establish a telnet session between our tablet and our linux machine.
(This point is written on original post. Seems important, but as soon as I finished step 5, I can use those tools)
7. Dial *#*#3646633#*#* to enter Engineer Mode
8. Go to Connectivity -> CDS Information -> Network Utility
9. type the following command:
Code:
/data/local/tmp/busybox telnetd -l /system/bin/sh -p 1234
Advice from the original poster: copy and paste it from the browser on your tablet, because depending on which keyboard app is installed, this can be freakin' tricky. In the next step you will learn why it's so important that this command is correct.
10. Tap on Run. You won't get any feedback, so you will never know if the entered command runs properly or not. That's why you should make sure the command is ok.
Now we have started our telnet server on the tablet.
11. Back in the terminal type:
Code:
/data/local/tmp/busybox telnet 127.0.0.1 1234
If you now get an error like couldn't find busybox or something, then either adb push failed or you forgot to chmod, in step 5
12. Now enter:
Code:
cat /proc/dumchar_info
You should get a bunch of lines, try to find a line containing the partition named android
{..... partition list .....}
android 0x0000000028A00000 0x00000000020E8000 2 /dev/block/mmcblk0p3
{..... partition list .....}
13. We will create a dump of our android system. This is the point where different variants *MIGHT* have different parameters. This step is important, as a wrong parameter will result in an unmountable image.
Stop. Take a deep breath. If you're not familiar with dd, find a good doc of it. There's a plethora of them.
Get yourself a programmer's calculator (Linux Mint 15 has one built in).
Here's what you'll do :
Convert the hex number on the 3rd column into decimal. In my case (0x20E8000) will yield 34504704. Divide by 4096. The result (8424) goes to the skip parameter.
Convert the hex number on the 2nd column. In my case (0x28A00000) will yield 681574400. Divide by 4096. The result (166400) goes to the count parameter.
So the full dd command will look like :
Code:
dd if=/dev/block/mmcblk0 bs=4096 skip=8424 count=166400 | gzip > /cache/system.img.gz
Do a full sanity check before hitting enter! It will take about 5 minutes.
14. After it's finished we must make the image readable for adb, so we do:
Code:
chmod 777 /cache
and
Code:
chmod 777 /cache/system.img.gz
15. Leave the telnet, and then adb shell session by:
Code:
exit
Code:
exit
16. Now we pull our image by
Code:
sudo adb pull /cache/system.img.gz
wait 1-2 minutes.
It should then be located inside /home/bob. It was for me. If not, do a search. It should be a .gz; extract it right there (or in /home/bob if it isn't there)
17. Now we need to modify our system image by adding the tiny but helpful su binary. Extract the SU binary to /home/bob.
18. We create a folder where we will mount our system image to. To create it do:
Code:
sudo mkdir /media/a1000
19. Now we mount it:
Code:
sudo mount -o loop /home/bob/system.img /media/a1000
if it fails, then you entered wrong parameters on step 13
20. Now we copy our SU binary to our mounted system image:
Code:
sudo cp /home/bob/su /media/a1000/bin
21. the su binary needs to have the proper rights to make it usable, so we 'suid' it with:
Code:
sudo chmod 06755 /media/a1000/bin/su
22. Let's unmount our baby by:
Code:
sudo umount /media/a1000
and because bob doesn't like a messed up system, he does:
Code:
sudo rm -rf /media/a1000
because he hopefully won't need it anymore.
23. We have to gzip it again to bring it back to where it belongs to. this we do by:
Code:
cd /home/bob
Code:
gzip /home/bob/system.img
24. So here we are now, we made it to the final Boss fight! The next steps are dangerous and should be performed with caution. We copy back our modified system image, which can brick your device, if you do a mistake! Enter adb shell again :
Code:
sudo adb shell
25. Remove the old boring image:
Code:
rm /cache/system.img.gz
26. Leave adb shell
Code:
exit
27. copy our cool new system image containing the su binary:
Code:
sudo adb push /home/bob/system.img.gz /cache
28. Enter adb shell again
Code:
sudo adb shell
29. Usually the telnet server on the tablet is still running, at least in my case it's been like that. That's why we can directly connect to the telnet server with:
Code:
/data/local/tmp/busybox telnet 127.0.0.1 1234
If this doesn't work, then obviously your telnet server isn't running anymore. So on your tablet if the telnet command is still entered (see step 9), tap on Run again and repeat step 29.
30. Now this is the most dangerous step in this how to (no it wasn't the mkdir one). You can copy following command to make sure everything is fine and paste it into your telnet session on your linux terminal.
<WARNING! SANITY CHECK! MAKE SURE *ALL* THE DD PARAMETERS MATCH THE FIRST DD (STEP 13) OR YOUR A1000 WILL TURN INTO A VERY EXPENSIVE PAPERWEIGHT!>
Code:
/data/local/tmp/busybox zcat /cache/system.img.gz | dd of=/dev/block/mmcblk0 bs=4096 seek=8424 count=166400
After 1-2 minutes you're done, if your tablet or pc or yourself didn't catch fire, everything's fine.
31. Leave telnet / adb shell by doing
Code:
exit
exit
32. Reboot your A1000 via ADB, then exit
Code:
sudo adb reboot
exit
33. Unplug your tablet from PC
34. Install Superuser (no, not SuperSU, because it won't work!). I personally use Superuser by ChainsDD, from the Play Store.
35. Be lucky. Your tablet, and thus you, are now free!
Don't forget to hit thanks if this helps.
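The dd in step 30 writes straight to raw flash, and the guide's only safeguard is comparing the parameters with step 13 by eye. Below is an added pre-flight check for the Linux PC side; it is example code, not part of the guide. It decompresses the image to a byte count and verifies that the count equals bs × count (a 4096 × 166400 image must be exactly 681,574,400 bytes), and it can compare a file's MD5 with an expected value, as with the MD5 posted later in the thread. It assumes a POSIX sh with gzip, md5sum, wc, dd and mktemp on the PC; the demo image is a constructed 16 KiB file of zeros, not a real system.img. The seek offset cannot be checked offline and still has to be matched against the device's partition list (dumchar_info) by hand.

```shell
#!/bin/sh
# Added pre-flight checks for the dd in step 30 (example code, not part of
# the original guide). Assumes gzip, md5sum, wc, dd and mktemp exist on the PC.

# check_dd_params IMAGE_GZ BS COUNT
# Returns 0 when the uncompressed size of IMAGE_GZ is exactly BS*COUNT bytes,
# i.e. the dd parameters describe this image; returns 1 on any mismatch.
check_dd_params() {
    image_gz=$1; bs=$2; count=$3
    expected=$((bs * count))
    # Stream the decompressed image through wc instead of writing it to disk.
    actual=$(gzip -dc "$image_gz" | wc -c | tr -d ' ')
    if [ "$actual" -eq "$expected" ]; then
        echo "OK: image is $actual bytes = $bs * $count"
        return 0
    fi
    echo "MISMATCH: image is $actual bytes, dd would write $expected bytes" >&2
    return 1
}

# check_md5 FILE EXPECTED_HEX
# Returns 0 when FILE's MD5 equals EXPECTED_HEX (case-insensitive), else 1.
check_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demo on a constructed 4-block image (16 KiB of zeros), not a real system.img.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/zero of="$tmp/system.img" bs=4096 count=4 2>/dev/null
    gzip "$tmp/system.img"
    check_dd_params "$tmp/system.img.gz" 4096 4       # parameters match
    check_dd_params "$tmp/system.img.gz" 4096 5 || :  # count is too large
    rm -rf "$tmp"
}

demo
```

Run it before step 30 with the real image and the exact bs/count you intend to type; a MISMATCH means the image was not extracted with the same parameters, so stop and recheck step 13 rather than writing.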
Hi, after step 13 (I double-checked the command), I get this error:
Code:
/system/bin/sh: can't create /cache/system.img.gz: Permission denied
/dev/block/mmcblk0: cannot open for read: Permission denied
I have the WiFi 4G version
I'm stuck in step 13 too... nothing wrong with the script, can you give me a solution?
I'm using an A1000G also.
@ts
Your guide works perfectly in a Windows environment, but the mount step still needs Linux.
I've a question: are you using DirectoryBinding? Mine always closes when playing Real Racing, it's very annoying.
Do you have a suggestion or alternative for DirectoryBinding?
Root with Windows?
Hi,
I am a new member because I bought this tablet but I can't root it. I don't have a Linux environment, so is there a solution with W8 Pro 64?
Thanks a lot for your help,
ulisez said:
Hi, after step 13 (I double-checked the command), I get this error:
Code:
/system/bin/sh: can't create /cache/system.img.gz: Permission denied
/dev/block/mmcblk0: cannot open for read: Permission denied
I have the WiFi 4G version
Have you chmod-ed busybox (or was the chmod successful without error)? Try chmod-ing /cache before attempting step 13. It seems that you still don't have access to the NAND device (mmcblk0). Have you updated the firmware via OTA?
artonelico said:
I'm stuck in step 13 too... nothing wrong with the script, can you give me a solution?
I'm using an A1000G also.
Do you get the same error message as ulisez? Could you post a screenshot of the partition list (the lines after you execute dumchar_info)?
rmage said:
@ts
Your guide works perfectly in a Windows environment, but the mount step still needs Linux.
I've a question: are you using DirectoryBinding? Mine always closes when playing Real Racing, it's very annoying.
Do you have a suggestion or alternative for DirectoryBinding?
I personally use Link2SD by Bulent Akpinar to link apps to the 2nd partition on my SD card.
Letsar said:
Hi,
I am a new member because I bought this tablet but I can't root it. I don't have a Linux environment, so is there a solution with W8 Pro 64?
Thanks a lot for your help,
The original developer who posted the method (entonjackson) plans to integrate the method in the next release of his toolkit, the Acer Iconia Toolkit. I think you should check his thread: http://forum.xda-developers.com/showthread.php?t=2240029
sammymaddog said:
Have you chmod-ed busybox (or was the chmod successful without error)? Try chmod-ing /cache before attempting step 13. It seems that you still don't have access to the NAND device (mmcblk0). Have you updated the firmware via OTA?
Do you get the same error message as ulisez? Could you post a screenshot of the partition list (the lines after you execute dumchar_info)?
I personally use Link2SD by Bulent Akpinar to link apps to the 2nd partition on my SD card.
The original developer who posted the method (entonjackson) plans to integrate the method in the next release of his toolkit, the Acer Iconia Toolkit. I think you should check his thread: http://forum.xda-developers.com/showthread.php?t=2240029
Link2SD doesn't link app data; do you have any option?
Yes, I had the same message as ulisez. By the way, I'm from Indonesia too, can I contact you through a chat client?
Oh yeah, I'm using Windows 7 and using cmd as a terminal instead of Linux.
Thanks in advance, bro.
sammymaddog said:
The original developer who posted the method (entonjackson) plans to integrate the method in the next release of his toolkit, the Acer Iconia Toolkit. I think you should check his thread: http://forum.xda-developers.com/showthread.php?t=2240029
OK, I see his toolkit. It's very good. I'll wait.
rmage said:
Link2SD doesn't link app data; do you have any option?
I'm not sure whether the stock kernel of our devices supports init.d, and thus CronMod/Data2SD. Lenovo locked our bootloader, and currently there's no way around it. So I personally think the Link2SD method is the best option for now.
Let's give it several months until our dev gurus bring their miracles upon this device.
The attached image shows MT6577 hardware; can you provide the SoC details please?
Hi, can anyone upload the Lenovo IdeaTab A1000 system.img?
In step 20, it appears you are writing to a /bin directory on the Android system. However, such a directory is not visible either through the shell or the system telnet account.
Do I need to understand something else about Android to make sense of this?
Regards,
vidya
One month has gone past, but the OP seems to be in caves or has bricked the device.
Stock ROM
Can anybody provide me a stock ROM of this device?
I have rooted successfully by a very easy method, but screwed up while updating it, so please, please help me out.
The device boots but all the apps crash :crying::crying:
VR.gtmini said:
The attached image shows MT6577 hardware; can you provide the SoC details please?
VR.gtmini said:
One month has gone past, but the OP seems to be in caves or has bricked the device.
Sorry to make you wait. I'm a final-year university student, and final project stuff has got me pinned down. Hope you understand.
Actually the SoC is MT8317. For some god-knows reason Mediatek have made this SoC with signatures similar to the MT6577. But somehow CPU tweaker correctly detects the SoC (MT8317). Maybe it's a CPU-Z bug?
unknown_world said:
Hi, can anyone upload the Lenovo IdeaTab A1000 system.img?
zod0070 said:
Can anybody provide me a stock ROM of this device?
I have rooted successfully by a very easy method, but screwed up while updating it, so please, please help me out.
The device boots but all the apps crash :crying::crying:
I'm uploading the modified .img. Let's pray my old HSPA modem won't catch fire by the morning.
vidyadhara said:
In step 20, it appears you are writing to a /bin directory on the Android system. However, such a directory is not visible either through the shell or the system telnet account.
Do I need to understand something else about Android to make sense of this?
Regards,
vidya
I think you got it wrong. The write process does not take place on the device. It's on the loop-mounted .img in /mnt/a1000 on your computer (steps 18-19). Cheers!
Here's the ALREADY BUSYBOX-ED .img for the Ideapad A1000-G 4GB EDGE version. Hope it helps:
www.dropbox.com/s/rmpnz7c285t5sqz/system.7z
sammymaddog said:
Here's the ALREADY BUSYBOX-ED .img for the Ideapad A1000-G 4GB EDGE version. Hope it helps:
www.dropbox.com/s/rmpnz7c285t5sqz/system.7z
Thanks for coming back. Could you post the MD5 of the system.7z & system.zip?
Also, could you provide a simple way/steps to directly flash this .img without extracting the existing stock system image?
My tab: A1000-G
Do you have a stock ROM for the Lenovo A1000G?
I need this :crying:
raffly said:
Do you have a stock ROM for the Lenovo A1000G?
I need this :crying:
Don't worry, the above link is a stock Lenovo A1000 G ROM, but with pre-root files and no superuser app. Just extract the .7z file.
System.7z MD5: 658CA71AC8A230B244F267513857F9A5

[DirtyCow][Linux]Vulnerability Test Suite

Hi guys,
I made a small test suite to test vulnerability to CVE-2016-5195 on Linux-based systems.
This is 99.9% the work of the author of the exploit; I just made some minor changes to transform it into a test suite.
Download: DirtyCow Test-Suite
Important: activate USB debugging to get the adb shell running!
How to test:
Code:
Download the test suite from above server
Unpack the .zip
Attach your device via USB to your PC
./testvuln.sh
If vulnerable, you should see this:
Code:
202 KB/s (10000 bytes in 0.048s)
131 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
UID=0(root), your device is vulnerable!
Otherwise, if not vulnerable, something like this:
Code:
140 KB/s (10000 bytes in 0.069s)
133 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]
Source (you can build it yourself via the NDK):
https://www.androidfilehost.com/?fid=457095661767106997
Hint: Should work on all ARMv8 devices!
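The two transcripts above are the only signals testvuln.sh gives, so here is an added helper, not part of the test suite, that turns a captured transcript into a verdict. The UID=0(root) line means the pushed run-as executed with root, the stock run-as usage text means the original binary ran unchanged, and anything else (for example the "not found" reported further down in this thread) is UNKNOWN and should be investigated rather than read as "not vulnerable". The two sample transcripts are the ones quoted from the post; the third is a constructed error line. It assumes a POSIX sh.

```shell
#!/bin/sh
# Added example: classify a captured testvuln.sh transcript (not part of the
# original test suite). Reads the transcript on stdin and prints exactly one
# of VULNERABLE, NOT_VULNERABLE or UNKNOWN; always exits 0.
classify_dirtycow_output() {
    out=$(cat)
    case $out in
        *'UID=0(root)'*)
            # The replaced run-as executed as uid 0: the write to the read-only
            # mapping of the /system binary took effect, so CVE-2016-5195 applies.
            echo VULNERABLE ;;
        *'run-as: Usage:'*)
            # The stock run-as ran unchanged and printed its normal usage text.
            echo NOT_VULNERABLE ;;
        *)
            # Anything else (e.g. "not found", adb errors, an unfinished run) is
            # not evidence either way: check that both binaries were pushed and
            # are executable, then rerun the test.
            echo UNKNOWN ;;
    esac
}

# classify_string TEXT: classify a transcript held in a variable.
classify_string() {
    printf '%s\n' "$1" | classify_dirtycow_output
}

# Transcripts quoted from the post, embedded here as sample input.
SAMPLE_VULN='202 KB/s (10000 bytes in 0.048s)
131 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
UID=0(root), your device is vulnerable!'

SAMPLE_NOT_VULN='140 KB/s (10000 bytes in 0.069s)
133 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]'

# Constructed sample of a broken run (binary missing), not from the post.
SAMPLE_UNKNOWN='/system/bin/sh: /data/local/tmp/dirtycow: not found'

# Demo when run directly: prints VULNERABLE, NOT_VULNERABLE, UNKNOWN.
for s in "$SAMPLE_VULN" "$SAMPLE_NOT_VULN" "$SAMPLE_UNKNOWN"; do
    classify_string "$s"
done
```

In practice pipe the real run into it (`./testvuln.sh 2>&1 | tee run.log | sh -c '. ./classify.sh; classify_dirtycow_output'` or simply `classify_dirtycow_output < run.log`) and keep the log, since a verdict of UNKNOWN is the case people in this thread actually hit.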
As I understand it, this would give a root adb shell, and therefore I could root my Z5 Compact and install SuperSU? I only want to remove some garbage apps without unlocking the bootloader.
tavoc said:
As I understand it, this would give a root adb shell, and therefore I could root my Z5 Compact and install SuperSU? I only want to remove some garbage apps without unlocking the bootloader.
This elevates the privileges of a process. If you want a root shell you must make some modifications to the code, but this can potentially root all DirtyCow-affected devices.
Thanks, I will have a look at your code. Maybe a GitHub account would be nice for pull requests etc.
tavoc said:
Thanks, I will have a look at your code. Maybe a GitHub account would be nice for pull requests etc.
The best thing you can do is fork this; I made some changes which contradict your desire for a root tool.
So this script is not working under Windows, is that right?
So we can get a root shell? But I don't think we can change the system partition without changing the kernel, right?
Or can we?
My question is: can we root the device with this method?
DannyWilde said:
So this script is not working under Windows, is that right?
For Windows, download the adb tools, copy all binaries to the adb folder and enter the following in a terminal:
Code:
adb push dirtycow /data/local/tmp/dirtycow
adb push run-as /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
sijav said:
So we can get a root shell? But I don't think we can change the system partition without changing the kernel, right?
Or can we?
My question is: can we root the device with this method?
1. Yes
2. Yes
3. Yes, potentially
Tommy-Geenexus said:
For Windows, download the adb tools, copy all binaries to the adb folder and enter the following in a terminal:
Code:
adb push dirtycow /data/local/tmp/dirtycow
adb push run-as /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
On
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
I get "not found".
On
adb shell /system/bin/run-as
I get "run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]"
The run-as process has only 2 capabilities (setuid/setgid); also, with the SELinux restriction, it cannot exec any shell even if it gets elevated privilege...
super_apache said:
The run-as process has only 2 capabilities (setuid/setgid); also, with the SELinux restriction, it cannot exec any shell even if it gets elevated privilege...
I know. This is not a root tool, this is just to test vulnerability.
Edit: Not sure if this was directed at me or the guy asking the root question; anyway, this answers the root question.
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU): you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the bootloader.
ninestarkoko said:
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU): you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the bootloader.
This is the wrong thread then. I definitely do not have enough knowledge to get any kind of exploit working.
Best to ping your favorite hacker and try to convince him to write an exploit.
ninestarkoko said:
Would be nice to have a working root exploit for Marshmallow. Keep us updated please.
To those asking about root (SuperSU): you must remember that with a locked bootloader you can't edit the kernel or system partition.
As said elsewhere, there's no way to "root" without unlocking the bootloader.
Have a look at this thread. They managed to root the BLU R1 HD v6:
http://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882/
Tommy-Geenexus said:
This is the wrong thread then. I definitely do not have enough knowledge to get any kind of exploit working.
Best to ping your favorite hacker and try to convince him to write an exploit.
Sorry, I misunderstood too. I thought you were planning to use it practically to create an exploit for MM.
I don't think it's necessary, as we already have an exploit for LP, though it would be nice.
YuriRM said:
Have a look at this thread. They managed to root the BLU R1 HD v6:
http://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882/
"WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE"
They unlock the bootloader using a fastboot command.
How's everything going here? After reading various threads and Googling for hours, this seems to be the best chance to be able to permanently root the Z5 Compact with a locked bootloader.
Really hope you're onto something and are well rested after Christmas.
wessok said:
How's everything going here? After reading various threads and Googling for hours, this seems to be the best chance to be able to permanently root the Z5 Compact with a locked bootloader.
Really hope you're onto something and are well rested after Christmas.
Googling for hours and you didn't understand a simple sentence (in my post above) or the technical reasons behind it (in many threads)? Stop your search now, unlock it and live happily.