Can't get ADB Root Access in certain ROMs? - Nexus 7 Q&A, Help & Troubleshooting

I've noticed with a lot of CM10-based ROM's (possibly even others), I am unable to get root ADB access.
On the ROM's that have it, I set the Root access to Apps and ADB
I can reboot, fix permissions, clear caches, but no matter what, Android Commander is never able to get Root access
This isn't the case on some ROM's I've tried though. Android Commander is able to get Root access just fine without me needing to do anything.
To name some ROM's that I can't get Root access with:
CyanogenMod 10 Nightly (9/4)
AndroidME CM10 N7 1.0.0
As for what ROM's had working Root access, I can't exactly recall correctly :/ But I think these had it working:
Codename Android 3.4.1
Team EOS 3 *JELLYBEAN* Nightlies (confirmed working ADB root)
Is there something else I should possibly be doing to get Root access on CM10-based ROM's?

Boot an unsigned kernel then ./adb remount
PS: it is effective until you reboot

"Root access: No" is because you're using a ROM which has a "secured adb" (even when you're rooted)
Download the "adbd insecure" in this thread and "Enable insecure adbd", you can get "Root access: OK" in any rom
http://forum.xda-developers.com/show....php?t=1687590

adb root
The real reason behind adb root or insecure adb is the adb daemon in the device running at root permissions. In pre-Android 4.1 versions, this is usually decided by some initialisation script (like init.rc) at boot time. The script checks for value in default.prop, local.prop and other environment variables.
If it finds build.prop, default.prop or local.prop property file with ro.secure=0, adbd is allowed to run as root. You'll get adb root and hence will be able to do commands like adb remount, adb root, and adb shell's prompt will be # by default. The user may be displayed as [email protected] or [email protected] adb GUIs like Android Commander and QtADB will get to work in Root mode.
But, if it's ro.secure=1, adb daemon is made to work in secure mode, and adb won't change to root mode on issuing adb root command. However, if su binary is present in $PATH, you can still call su command from adb shell. But, it's not enough for Android Commander to get Root Access. It is possible to attain adb root through any one of the following methods:
1. For CyanogenMod based ROMs there is an option in Settings->Developer Settings->Root access to control root access. Choose ADB only or Apps and ADB in options to get adb root.
2. Else use adbd Insecure app by chainfire if you have a rooted device. This is useful, especially for Android 4.1+ devices.
3. Or, you may manually edit default.prop to set its value to 0, but original default.prop will be restored from boot partition every time you reboot (this is the reason why adb Insecure cannot permanently do adb root, though there is an option to repeat the rooting procedure every time the device boots). This method is called temporary adb root. On pre-Android 4.0 ROMs default.prop file was located in / directory. I read that from Android 4.x this file is in ramdisk and so more difficult to edit. But Android 4.0 has local.prop which is easier to modify than default.prop (see method 5).
4. For permanent adb root, you'll have to extract boot.img, change default.prop, repack and then flash it back to device.
5. In Android 4.0 there's local.prop file in /data partition. Setting ro.secure=0 in this file will do adb root permanently. Else you can set another property ro.kernel.qemu=1 in the same file. But, this value makes the system think that it is running in an android emulator. Many exploits and root methods set this property temporarily to gain root. But, it may cause side effects if used permanently. Setting ro.secure=0 is recommended. Do this command in terminal app or adb shell:
echo ro.secure=0 >/data/local.prop
or you can manually copy a local.prop file with ro.secure=0 as its content to /data.
6. Note that method 3, 4 and 5 won't work in Android 4.0 Jelly Bean onwards. According to Dan Rosenberg (djrbliss in XDA), the researcher who discovered adb root emulator exploit and many other exploits, Jelly Bean doesn't parse any property files to set the ownership of adb daemon. The stock adbd will have to be replaced with an insecure one to gain adb root. But still, as adbd is located in /sbin whose contents are reloaded every time on reboot from boot.img, it won't be permanent.
7. For permanent adb root, you may flash an insecure boot.img (one that contains an insecure adbd)
8. If you're really desperate and can't get adb root to work with any of the above methods use an exploit. Most of the adb based rooting methods utilise some exploit to make the adb daemon run as root. By studying the exploit and implementing it you could gain adb root at least temporarily. I'm not recommending this method but as a last resort you could try them.
Acknowledgements: Thanks to Dan Rosenberg for explaining the reasons behind adb root, especially the one in Jelly Bean.
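The property checks described in the post above, turned into an audit of property files pulled from a device. This is an added example, not part of the original post; the sample file contents are constructed, and the location notes only restate what the post says about each file.

```python
"""Flag property-file settings that the post above associates with adbd running as root."""
from collections import namedtuple

# Property -> value that the post says puts adbd into root (insecure) mode.
RISKY_VALUES = {
    "ro.secure": "0",
    "ro.kernel.qemu": "1",
}

# What the post says about each location; used only to annotate findings.
LOCATION_NOTES = {
    "/default.prop": "restored from the boot image on every reboot",
    "/data/local.prop": "lives on /data, so the setting persists across reboots",
}

Finding = namedtuple("Finding", "path line_no key value note")


def parse_props(text):
    """Yield (line_no, key, value) for every key=value line, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Trim both sides so a padded entry ("ro.secure = 0") is still caught.
        yield line_no, key.strip(), value.strip()


def audit(files):
    """files maps device path -> file content. Returns Findings sorted by path."""
    findings = []
    for path in sorted(files):
        for line_no, key, value in parse_props(files[path]):
            if RISKY_VALUES.get(key) == value:
                note = LOCATION_NOTES.get(path, "")
                findings.append(Finding(path, line_no, key, value, note))
    return findings


def report(findings):
    """Render findings as one line each, or a single all-clear line."""
    if not findings:
        return "no risky adbd properties found"
    lines = []
    for f in findings:
        suffix = " ({})".format(f.note) if f.note else ""
        lines.append("{}:{}: {}={}{}".format(f.path, f.line_no, f.key, f.value, suffix))
    return "\n".join(lines)


# Constructed sample: contents of files pulled from a test device.
SAMPLE_FILES = {
    "/default.prop": (
        "#\n"
        "# ADDITIONAL_DEFAULT_PROPERTIES\n"
        "#\n"
        "ro.secure=1\n"
        "ro.debuggable=0\n"
        "persist.sys.usb.config=mtp\n"
    ),
    "/data/local.prop": "ro.secure=0\nro.kernel.qemu=1\n",
    "/system/build.prop": "ro.build.version.release=4.0.4\n",
}

if __name__ == "__main__":
    print(report(audit(SAMPLE_FILES)))
```

A finding in /data/local.prop is the one to look at first on a device that is supposed to be stock, since that file is not part of the boot image.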

get root access with root commander
Question to that fantastic answer above.
How do I push back my modified build.prop?
I have HDC S3 Ex v2 hung in bootloop, after changing vm heapsize to 60 from 64. (Tried 128 but it didn't stick, so tried this and it unfortunately worked)
I have managed to start in recovery mode even though it's Chinese there, don't understand, I can communicate through Android commander to pull the files but cannot push them back due to no "root access".
I installed the "insecure ADB" via Commander but it does no good when I can't load android.
I have no backup. It is rooted Android 4.1.2 by Fastcardtech. has busybox installed

Use su in adb shell
Use adb shell and elevate to root access by using su
Code:
su
.
Now, if you get # prompt instead of $ sign you have root on adb shell. But, still you don't have adb root. So, don't try to push the files or use Android Commander. Instead we use shell commands to do the same.
First Remount /system partition as writeable.
i. To do this first type
Code:
mount
and find out system's device name and file system from the list. In case of my device (and many Stock ICS devices) this device name would be /dev/block/mtdblock?. ? varies for each device. I had /system as mtdblock8 with ext3 file system.
ii. Now type the following command
Code:
mount -o remount,rw -t <filesys> /dev/block/mtdblock? /system
use the number you have for '?' and the filesystem for <filesys>.
Now Copy the modified file to some readable location on the device, say /sdcard or /data/local/tmp. Then copy the build.prop to /system using cat command
Code:
cat /sdcard/build.prop > /system/build.prop
Hope it works!
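Picking the /system line out of `mount` output is the step of this procedure where the device name and filesystem have to be read correctly, so here is a small parser for it. It is an added example, not part of the original post; the sample output is constructed, and it also accepts the `device on mountpoint type fs (options)` layout printed by newer `mount` binaries, which the post does not cover.

```python
"""Find the /system entry in `mount` output and build the remount command from it."""
import re

# Layout printed by Linux/toybox mount: "<dev> on <mountpoint> type <fs> (<opts>)"
ON_TYPE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)")


def parse_mount(text):
    """Return one dict per mount line; lines in neither layout are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        match = ON_TYPE.match(line)
        if match:
            device, mountpoint, fstype, opts = match.groups()
        else:
            # Older layout: "<dev> <mountpoint> <fs> <opts> 0 0"
            fields = line.split()
            if len(fields) < 4:
                continue
            device, mountpoint, fstype, opts = fields[:4]
        entries.append({
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": opts.split(","),
        })
    return entries


def find_mount(text, mountpoint="/system"):
    """Return the entry mounted at `mountpoint`, or None if there is none."""
    for entry in parse_mount(text):
        if entry["mountpoint"] == mountpoint:
            return entry
    return None


def is_read_only(entry):
    """True when the option list contains the bare 'ro' flag."""
    return "ro" in entry["options"]


def remount_rw_command(entry):
    """Fill in the command from the post with this entry's filesystem and device."""
    return "mount -o remount,rw -t {fstype} {device} {mountpoint}".format(**entry)


# Constructed sample in the older layout (values follow the mtdblock8/ext3 case in the post).
SAMPLE_OLD = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
/dev/block/mtdblock8 /system ext3 ro,relatime 0 0
/dev/block/mtdblock9 /data ext3 rw,nosuid,nodev,relatime 0 0
/dev/block/vold/179:1 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec 0 0
"""

# Constructed sample in the newer layout.
SAMPLE_NEW = """\
rootfs on / type rootfs (ro,seclabel,relatime)
/dev/block/mmcblk0p21 on /system type ext4 (ro,seclabel,relatime)
/dev/block/mmcblk0p23 on /data type ext4 (rw,seclabel,nosuid,nodev,noatime)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        entry = find_mount(sample)
        state = "read-only" if is_read_only(entry) else "read-write"
        print("/system is {} on {}".format(state, entry["device"]))
        print(remount_rw_command(entry))
```

Running `mount` again after the remount and checking that `is_read_only` is now false confirms the change before anything is written to /system.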

Closer...
HEXcube said:
Use adb shell and elevate to root access by using su
Code:
su
.
Now, if you get # prompt instead of $ sign you have root on adb shell. But, still you don't have adb root. So, don't try to push the files or use Android Commander.
Copy the modified file to some readable location on the device, say /sdcard or /data/local/tmp. Then copy the build.prop to /system using cat command
Code:
cat /sdcard/build.prop > /system/build.prop
Hope it works!
Thank you! But...
After more than one hour installing android-sdk, I got the # (I thought the shell through android-commander was the same first)
but it says Read only file system
Another thread suggested "remount rw" before pushing but that's not something adb shell recognizes "not found".
Am I only missing the address of my device when trying remount?
Any suggestions?

Remount /system as rw
Oh, I forgot! You've to remount /system as Read Write. I've edited the above post to include that.
You need not have installed the whole Android SDK(unless you develop for Android). It's the same adb that Android Commander or QtADB uses. You can even use adb as a standalone tool along with the required libraries(dlls on windows). Now that you have installed the Android SDK, it doesn't matter.

Yes! Yes! Yes!
HEXcube said:
Oh, I forgot! You've to remount /system as Read Write. I've edited the above post to include that.
:good::good::good::victory::victory::victory:
It worked! Thank you so much! A new phone useless was really disappointing, but happy again
Set heap size back to 64. Maybe I'll dare set it to 128 another day... The phone has horrible ram performance, hoping that would cure it.
Uninstallation of an app of 6-7 mb takes at least 45 sec. My old Blade with cyanogen does that in less than 10.
Hard part was understanding my system name /dev/block/mmcblk1p1 cause it wrote /storage/sdcard vfat after it.
I saw ext4 in other part and assumed it was that system cause it had "ro" after it.
Thank you again. You now introduced me into some new territory. Not just flashing modded roms in recovery mode.
But I will search out one modded rom so I can overclock some.

Related

Temp root on 2.3.20 firmware

It's not pretty, but I managed to get the exploit used by Archangel to work on the 2.3.20 firmware. Hopefully someone can think of something to automate this process, or knows of a better way to do this.
I believe what Archos is doing is simply restricting your ability to execute the Archangel application in the required directories, with the addition of the psneuter exploit, you can get around this.
This exploit requires that you have ADB setup, the Archangel APK, and the psneuter exploit.
Create a folder on your computer titled archosroot (or anything you would like)
Download Archangel from http://forum.xda-developers.com/showthread.php?t=928767 rename the apk to zip and extract the files.
From the extracted files navigate to "res" then to "raw"
In this folder copy "ls" and "su" to your "archosroot" folder
Download psneuter from http://www.thinkthinkdo.com/trac/project1/attachment/wiki/psneuter/psneuter.zip and extract the files.
Copy the extracted psneuter to your "archosroot" folder.
Enable USB Debugging on your Archos, and connect it to your computer with USB.
From a command prompt, navigate to the directory ADB is installed in.
Verify that the device is connected by running
adb devices
Your archos should be listed, if not please refer to the forum on how to setup ADB for the archos
Once your archos is detected run the following commands.
adb push pathto\archosroot\psneuter /data/local/tmp
(replace pathto with the location your archosroot folder is in, for example c:\archosroot\psneuter)
adb shell chmod 777 /data/local/tmp/psneuter
adb shell /data/local/tmp/psneuter
This may take a few moments
Copy ls and su to your sdcard
adb push pathto\archosroot\ls /sdcard
adb push pathto\archosroot\su /sdcard
Connect to the shell
adb shell
move ls and su to /tmp
mv /sdcard/ls /tmp/
mv /sdcard/su /tmp/
Execute the ls exploit
/tmp/ls 0x62c7a315 0x260de680
Install the superuser application from the market (if you don't already have it)
You should now be able to run su to get root access from a terminal.
Note 1: I was previously rooted with archangel so I already had these files, I have not tried without the files being installed at all, however since this is only a temp root, the process should be the same.
Note 2: I was not able to get Titanium Backup to work, it could be the psneuter exploit prevents the application from properly requesting the right permissions.
This is good, but you should post this in the developer sub-forum
it's too hard to do this for beginners
Thanks! It's very simple instruction, will try it today. As easy as install Urukdroid.
I postponed to upgrade to 2.3.20 just due to lack of root method without SDK.
I need the root just for copy some scripts to \system\bin
this has already been done in the following thread with perm root.
http://forum.xda-developers.com/showthread.php?t=897877
Firmwares have already been made that include overclock as well, the first post reveals all.
cool.
the_Danzilla , the way you pointed to requires SDE installation. I don't want to use SDE.
Inciner8Fire said:
Download psneuter from http://www.thinkthinkdo.com/trac/project1/attachment/wiki/psneuter/psneuter.zip and extract the files.
Copy the extracted psneuter to your "archosroot" folder.
Enable USB Debugging on your Archos, and connect it to your computer with USB.
From a command prompt, navigate to the directory ADB is installed in.
Verify that the device is connected by running
adb devices
Your archos should be listed, if not please refer to the forum on how to setup ADB for the archos
Once your archos is detected run the following commands.
adb push pathto\archosroot\psneuter /data/local/tmp
(replace pathto with the location your archosroot folder is in, for example c:\archosroot\psneuter)
adb shell chmod 777 /data/local/tmp/psneuter
adb shell /data/local/tmp/psneuter
From what I can read psneuter is a root exploit for the adbd service. So you don't need archangel to complete the root.
Can you verify what user adbd is running after you execute psneuter.
adb shell whoami
The other thing that is mentioned in the first lines of the source code of psneuter is that it effectively disables reading the settings this will probably affect a lot of programs and probably is the reason Titanium backup is not working. So this method is effectively useless to have a working root.
wdl1908 said:
From what I can read psneuter is a root exploit for the adbd service. So you don't need archangel to complete the root.
Can you verify what user adbd is running after you execute psneuter.
adb shell whoami
The other thing that is mentioned in the first lines of the source code of psneuter is that it effectively disables reading the settings this will probably affect a lot of programs and probably is the reason Titanium backup is not working. So this method is effectively useless to have a working root.
I was doing some more looking and you are right that because of breaking the settings this is not a good long term root.
However I would not call it useless, since you should be able to manually back up an application.
Perhaps the property file that this setting is in can be modified with this, so that it can be rooted using a more standard method.
Not sure what I did, but I was able to get root with the properties intact.
My archos had frozen today and I was forced to power it off so I know the properties were no longer neutered. I was looking at some of the properties files and for the heck of it I tried running su from a terminal, and it worked.
I opened Titanium backup and it prompted for root permissions.
Perhaps something about the forced power cycle?
I found out that when I connect to a wireless network (as required by archangel) if the disable network shares option is chosen it's not possible to root.
However it would appear that if you connect and don't select this option Archangel will still work.
I suppose there could be something else I did without realizing it, but this has worked after rebooting 5 times so far.

[Q] I deleted my launcher. [Resolved]

I was deleting unused apps from my phone and, like an idiot, I deleted my only installed launcher. The phone boots and I can access the settings. I have a launcher installed and it shows up in menu/ settings/ app but it wont start and I don't know how to start it. I do have adb and fastboot though I don't have wireless internet. This device is not activated and there is no gmail account linked to this device. I did create a zip of a launcher and tried to flash it through recovery but that didn't work. I do not have a custom recovery installed but I did root the device. Is there a way to get a launcher installed and working so I can use this device again?
Grab the APK file for the stock launcher (or any launcher of your choice), connect your phone to the computer via USB with debugging on and install the launcher using this ADB command:
adb install launcher.apk
Make sure to replace launcher.apk with the exact name of the APK file, of course. You might need to copy the launcher to your SDK's platform-tools folder and run this command while in that directory as well, if the folder hasn't already been added to your PATH variable.
Once done, reboot your device. You can then use any root-enabled file manager to simply copy the launcher's APK file into /system/app to make sure you have one installed as a system app all the time, though make sure to fix its permissions to rw-r--r-- (644).
HQRaja said:
Grab the APK file for the stock launcher (or any launcher of your choice), connect your phone to the computer via USB with debugging on and install the launcher using this ADB command:
adb install launcher.apk
Make sure to replace launcher.apk with the exact name of the APK file, of course. You might need to copy the launcher to your SDK's platform-tools folder and run this command while in that directory as well, if the folder hasn't already been added to your PATH variable.
Once done, reboot your device. You can then use any root-enabled file manager to simply copy the launcher's APK file into /system/app to make sure you have one installed as a system app all the time, though make sure to fix its permissions to rw-r--r-- (644).
Thank you for your reply.
I already pushed the launcher apk through adb and it installed on my phone from everything I can see. However even though it installed I do not know how to start it. I do not know how to gain access to a file manager as I do not have access to any of my apps through the app drawer. Is there a way to activate and use an app without being able to access it in the drawer?
That's weird. Did you restart your phone? Upon every restart, Android looks for any installed launcher apps and if there's only a single one installed, it automatically loads it up. In case there are multiple launchers installed, Android loads a default one if set, or offers you to select one if you haven't set any as default. If you have installed a launcher via ADB by now, it should be loading upon device reboot. Try a different launcher's APK maybe? If it still doesn't work, try fixing permissions manually via ADB, or via recovery. Also, try installing it as a system app i.e. adb push Launcher.apk /system/app/ and don't forget to fix permissions to rw-r--r-- (644).
HQRaja said:
That's weird. Did you restart your phone? Upon every restart, Android looks for any installed launcher apps and if there's only a single one installed, it automatically loads it up. In case there are multiple launchers installed, Android loads a default one if set, or offers you to select one if you haven't set any as default. If you have installed a launcher via ADB by now, it should be loading upon device reboot. Try a different launcher's APK maybe? If it still doesn't work, try fixing permissions manually via ADB, or via recovery. Also, try installing it as a system app i.e. adb push Launcher.apk /system/app/ and don't forget to fix permissions to rw-r--r-- (644).
I will get right to doing that, and see how it turns out thank you and please stay tuned.
Update: I attempted the command to push it to the system/app and my return read "failed to copy 'apex.apk' to ' /system/app/apex.apk': Read-only file system"
It sounds to me upon reading that, that if I fix permission to make the file system read/write then this command will work. However, I do not know the command to make that change.
No, you don't get read/write access by fixing permissions. The error that you get basically means you don't have system write access via ADB at the moment. Try this:
Code:
adb remount
adb push Launcher.apk /system/app/
adb shell
su
chmod 644 /system/app/Launcher.apk
exit
exit
adb reboot
The above method should work if your current kernel is an insecure one (i.e. it allows ADBD running as root and thus, the use of adb remount command for full system read/write access). If that doesn't work, try this:
Code:
adb push Launcher.apk /sdcard/
adb shell
su
mount -o remount,rw /system
mv /sdcard/Launcher.apk /system/app/Launcher.apk
chmod 644 /system/app/Launcher.apk
exit
exit
adb reboot
HQRaja said:
No, you don't get read/write access by fixing permissions. The error that you get basically means you don't have system write access via ADB at the moment. Try this:
Code:
adb remount
adb push Launcher.apk /system/app/
adb shell
su
chmod 644 /system/app/Launcher.apk
exit
exit
adb reboot
The above method should work if your current kernel is an insecure one (i.e. it allows ADBD running as root and thus, the use of adb remount command for full system read/write access). If that doesn't work, try this:
Code:
adb push Launcher.apk /sdcard/
adb shell
su
mount -o remount,rw /system
mv /sdcard/Launcher.apk /system/app/Launcher.apk
chmod 644 /system/app/Launcher.apk
exit
exit
adb reboot
I will try both commands and report back thank you!
These are my returns:
You could also try installing a launcher from the Google Play website and hopefully it will install on your phone. Then once you have a working launcher you could more easily restore the factory one.
spunker88 said:
You could also try installing a launcher from the Google Play website and hopefully it will install on your phone. Then once you have a working launcher you could more easily restore the factory one.
I can't use Google play because I have not had this phone registered at all. I only used it to play games and media and never had my account linked to it. I now wish I would have because I agree with you, having done that would have made this entire thing a non situation I think.
That's kinda weird. Try the same command with 'cp' instead of 'mv', perhaps that'll help.
According to adb it worked, however I can not access home and the launcher is no longer in my list of installed apps. Very confusing to me
It seems then that you have deleted some other system-critical APK as well, perhaps. A good idea would be to reinstall the ROM now. If you are already running a custom ROM, you can do so without the need to wipe data, by installing the same ROM. In case of stock ROM, you should find a flashable zip file of the same version or a later update, and flash it without wiping data too. Though if that doesn't work either, a ROM flash followed by a full data+cache+dalvik-cache wipe should do it.
Oh speaking of that, try wiping cache and dalvik cache from recovery and rebooting to see if it helps, before you attempt the above.
HQRaja said:
It seems then that you have deleted some other system-critical APK as well, perhaps. A good idea would be to reinstall the ROM now. If you are already running a custom ROM, you can do so without the need to wipe data, by installing the same ROM. In case of stock ROM, you should find a flashable zip file of the same version or a later update, and flash it without wiping data too. Though if that doesn't work either, a ROM flash followed by a full data+cache+dalvik-cache wipe should do it.
Oh speaking of that, try wiping cache and dalvik cache from recovery and rebooting to see if it helps, before you attempt the above.
I was already thinking that so I finally found a stock firmware file and am currently attempting to flash it now. I will report back with the results.
Update: The results are in and.....it is now working! This is what I wanted to do from the start but I had a very hard time finding a good link to a stock rom. Mr. Raja I am very thankful for all your help and time you spent with me on this issue.
kingnarkissos said:
I was deleting unused apps from my phone and, like an idiot, I deleted my only installed launcher. The phone boots and I can access the settings. I have a launcher installed and it shows up in menu/ settings/ app but it wont start and I don't know how to start it. I do have adb and fastboot though I don't have wireless internet. This device is not activated and there is no gmail account linked to this device. I did create a zip of a launcher and tried to flash it through recovery but that didn't work. I do not have a custom recovery installed but I did root the device. Is there a way to get a launcher installed and working so I can use this device again?
you need to simply install the launcher..
adb install apex.apk
that is all.
kingnarkissos said:
I was already thinking that so I finally found a stock firmware file and am currently attempting to flash it now. I will report back with the results.
Update: The results are in and.....it is now working! This is what I wanted to do from the start but I had a very hard time finding a good link to a stock rom. Mr. Raja I am very thankful for all your help and time you spent with me on this issue.
I'm glad it worked out for you. You must have deleted some other system-critical APK as well, otherwise simply reinstalling the launcher via ADB should have worked just fine. In the future, it'll be a good idea not to delete any APKs from /system/app that you aren't absolutely sure about. =)
jimmydafish said:
you need to simply install the launcher..
adb install apex.apk
that is all.
That was the first thing I did and it did not work. The app did show up under the installed apps list, but I could not get it to start so it was never running. Therefore I couldn't gain access to it or any area of the device other than settings when the phone booted up. I stated such in the first post of this thread. Believe me I tried all the easy stuff first.
Mr.Raja I do agree with you. I must have deleted more than I thought I did because I agree with you and everyone else who is saying a simple adb flash will work. It should have worked. So whatever I did to it forced me to reflash a rom onto it. I am just thankful to you and everyone else who tried to help me. I appreciate the time spent assisting me.
How I fixed this issue was RSDlite and the rom from this link http://forum.xda-developers.com/showthread.php?t=2017200 and it worked like a charm.
This issue is resolved!

[EXPERIMENTAL] Full ADB Root, System RW, and DM-VERITY Off for ALL G5's!!!

UPDATE Thanks to @thjubeck for testing this, it seems that this userdebug kernel actually works on all devices running antirollback v0 and running Marshmallow! I only have the Sprint variant, so be careful!!! Enjoy root guys
A bit of a disclaimer is that this is root through adb. dm-verity is off and system is rw, so you can install apps as root, get a hotspot hack to work, and anything through a shell but I am having trouble installing SuperSU. Please try yourself though as I am probably doing something wrong! If there are any bugs you have found please post them, as this phone is my backup and not my daily driver.
So okay, here is the guide:
PLEASE MAKE SURE YOU HAVE A WAY TO GO BACK IN CASE THINGS GO WRONG. DO NOT ATTEMPT TO ROOT THIS WITHOUT HAVING A KDZ/TOT FOR YOUR DEVICE THAT YOU KNOW YOU CAN FLASH BACK TO. I AM NOT RESPONSIBLE FOR THINGS GOING WRONG.
Here is the fix for LGUP
1. Download this zip
2. Install Terminal Emulator from the Play Store
(This is modified from the V20 bootloader unlock, HUGE thanks to all of those devs for sharing their dirtysanta code with me and allowing me to modify it!)
3. Copy all the files from inside the "dirtysanta-boot" and paste it into your active ADB directory
4. Plug your device into the computer and verify ADB is working. Then;
On Windows, double-click "RUNMEFIRST.bat", DO NOT CLOSE THE LOG WINDOW THAT OPENS, then double-click "Step1.bat"
On Linux/MacOS ("#" Signifies a comment below)
Code:
./RUNMEFIRST.sh
# OR
bash ./RUNMEFIRST.sh
Open a Separate Terminal next to the RUNMEFIRST terminal, then type:
Code:
./Step1.sh
# OR
bash ./Step1.sh
(When you run The sh or Bat files there may be a Permission denied error on 2 files: Flatland and Flatland64. This is normal and nothing to worry about.)
5. Wait for a shell prompt, then type (or copy):
Code:
run-as con
chmod 0777 /storage/emulated/0/*
6. Open Up Terminal Emulator on your phone
Type:
Code:
id
Check if context is "Untrusted_app". If it is then we're good to go!
7. Type into Terminal Emulator:
Code:
applypatch /system/bin/atd /storage/emulated/0/dirtysanta
8. Watch the RUNMEFIRST dialog for when it tells you to run Step2 (we don't have a step 2)
9. Reboot the phone into recovery mode and wipe data again
BOOM! Now you have a userdebug kernel running on a userdebug system. Time to turn off dm-verity, otherwise you will have a red triangle on reboot (Your device is corrupt. It cannot be trusted and may not boot) and cannot edit /system.
1. Finish setting up the phone and enable USB Debugging in developer options (you should know how to do this)
2. Plug the phone into your computer, and run these commands
Code:
adb root
adb disable-verity
3. Reboot the phone
4. Run
Code:
adb root
adb shell
mount -o rw,remount,rw /system
Bam. Enjoy your FULL UNLIMITED root shell with system set to rw and dm-verity off!!! Just make sure to type "adb root" before "adb shell"
If you ever want to go back, just flash your stock TOT/KDZ with UPPERCUT and you'll be all good!
BUY ME A PIZZA FOR THE HARD WORK: BTC 197ct1uti4zutJu76bYAW51H8NZ6zXeoEV PayPal: [email protected]
THANKS:
@tungkick for the userdebug boot and helping me with the ZV4 TOTs
@autoprime for UPPERCUT
@me2151 @glitschi667 @EMSpilot @elliwigy for their AMAZING work on the V20 and sharing their code!
I'm using a H850, but still - thanks for your work!
Thanks for the amazing work while almost everyone lost hope.
Allow me to ask about the other versions, H860 in my case.
Any chance to modify your files to make it work?
If you need a testing phone to try to figure it out, PM me.
Again thanks for this great job
I'm a Canadian H831 owner. Just wanted to post to say great work so far and if you get SuperSU or another SU app installed, enjoy the $850 bounty.
I think I also found an unlimited hotspot hack, so there's that too!
You're doing God's work, sir. :good:
I wish I had that variant... you've renewed my hope though.
I have a Canadian H831 [Telus], how much of an undertaking is it to rejigger your method for it?
Delete
Honestly Annoying said:
I think I also found an unlimited hotspot hack, so there's that too!
Care to share this info?
Honestly Annoying said:
Hello everyone, finally the moment you've all been waiting for! I know that a certain user who will not be named has been spreading false information about our root progress, so I am taking it upon myself to release what I personally have gotten to work
A bit of a disclaimer is that this is root through adb. dm-verity is off and system is rw, so you can install apps as root, get a hotspot hack to work, and anything through a shell but I am having trouble installing SuperSU. Please try yourself though as I am probably doing something wrong!
So okay, here is the guide:
ONLY FOR SPRINT USERS ON ZV4. YOU WILL HAVE TO WIPE YOUR DEVICE AND THIS IS YOUR WARNING HERE. DEVICE MAY BE UNSTABLE AS IT IS A USERDEBUG BUILD. THIS IS YOUR WARNING
1. Download these files here and unzip them to desktop https://drive.google.com/open?id=0B2OlLU7vg4YzLWdQYW8tWkxTbFU
2. Set up LGUP from Autoprime's guide here http://forum.xda-developers.com/lg-g5/development/uppercut-lgup-loader-g5-variants-t3511295
3. Make sure you have working ADB set up on your computer
3. Put device in download mode and plug in to computer
4. Flash LS992ZV4_04.userdebug.tot as UPGRADE
5. Boot phone into recovery mode and wipe data
6. After phone is finished setting up, install Terminal Emulator from the Play Store
(This is copied from the V20 bootloader unlock, HUGE thanks to all of those devs for sharing their dirtysanta code with me and allowing me to modify it!)
7. Copy all the files from inside the "dirtysanta-boot" and paste it into your active ADB directory
8. Plug your device into the computer and verify ADB is working. Then;
On Windows, double-click "RUNMEFIRST.bat", DO NOT CLOSE THE LOG WINDOW THAT OPENS, then double-click "Step1.bat"
On Linux/MacOS ("#" Signifies a comment below)
Code:
./RUNMEFIRST.sh
# OR
bash ./RUNMEFIRST.sh
Open a Separate Terminal next to the RUNMEFIRST terminal, then type:
Code:
./Step1.sh
# OR
bash ./Step1.sh
(When you run The sh or Bat files there may be a Permission denied error on 2 files: Flatland and Flatland64. This is normal and nothing to worry about.)
9. Wait for a shell prompt, then type (or copy):
Code:
run-as con
chmod 0777 /storage/emulated/0/*
10. Open Up Terminal Emulator on your phone
Type:
Code:
id
Check if context is "Untrusted_app". If it is then we're good to go!
11. Type into Terminal Emulator:
Code:
applypatch /system/bin/atd /storage/emulated/0/dirtysanta
12. Watch the RUNMEFIRST dialog for when it tells you to run Step2 (we don't have a step 2)
13. Reboot the phone into recovery mode and wipe data again
BOOM! Now you have a userdebug kernel running on a userdebug system. Time to turn off dm-verity
1. Finish setting up the phone and enable USB Debugging in developer options (you should know how to do this)
2. Plug the phone into your computer, and run these commands
Code:
adb root
adb disable-verity
3. Reboot the phone
4. Run
Code:
adb root
adb shell
mount -o rw,remount,rw /system
Bam. Enjoy your FULL UNLIMITED root shell with system set to rw and dm-verity off!!! Just make sure to type "adb root" before "adb shell"
If you ever want to go back, just flash the LS992ZV4_04.tot with UPPERCUT and you'll be all good!
BUY ME A PIZZA FOR THE HARD WORK: BTC 197ct1uti4zutJu76bYAW51H8NZ6zXeoEV (sorry, no PayPal :/)
THANKS:
@tungkick for the userdebug boot and helping me with the ZV4 TOTs
@autoprime for UPPERCUT
@me2151 @glitschi667 @EMSpilot @elliwigy for their AMAZING work on the V20 and sharing their code!
@schiziodd for showing how to hex edit TOT
Hello, I am working on the root for the Verizon V10 and I came across this today. I was wondering how you made the userdebug.tot because I know this will work on it. Dirty Santa works up to the same point as you, so I'm wondering if I could do this and maybe even get SuperSU to work. Thank you
@Honestly Annoying could it be possible for you to "spoof" the firmware info and change the variant (LS992ZV4) to other locked g5 (such as the h831 h860..) so we can try to flash it via uppercut and see how much it's broken ?
Update: Now works on all devices running antirollback v0!!!!
Honestly Annoying said:
Update: Now works on all devices running antirollback v0!!!!
Will this work on Canadian variant? How do we know what version of antirollback we have?
mapleleafs89 said:
Will this work on Canadian variant? What is antirollback v0?
I am not sure how to check the antirollback version on an actual phone, you would need @autoprime for that.
Antirollback is basically exactly what it sounds like: It is part of each update that disallows users to rollback to previous versions of their software. This is built off of the first version of antirollback (v0) for the G5, so it will only work on phones with that version. You can test it out yourself, as it won't do any permanent damage, but just make sure you have a working TOT/KDZ to go back on.
*#546368#*850# (hidden menu)
BrunoSlivar said:
*#546368#*850# (hidden menu)
I enter this in the dialer and call, it says USSD code running but then throws an error "Connection problem or invalid MMI code."
BrunoSlivar said:
*#546368#*850# (hidden menu)
Thanks for that!
mapleleafs89 said:
I enter this in the dialer and call, it says USSD code running but then throws an error "Connection problem or invalid MMI code."
Change the "850" to your model number. Such as "830" for T-Mobile or "992" for Sprint
Aha! 831 Canadian variant running Marshmallow. Almost upgraded to nougat but then saw this thread thankfully, I guess I will hold off if this means it increases my chances of getting root
For those interested, I can confirm that every h831 firmware up to nougat has a rollback count of 0, and from @autoprime :
H850 and H860 are fuse 00 and Sprint ZV3/4 are fuse 00.
Anything higher than ZV4 is 01 or higher.
I don't know what I missed, but now I get Your device is corrupt. It cannot be trusted and will not boot . I'mma try to flash back my system and try it again.
H860 with Nougat and anti-rollback version 0
P.S.: I can't enter recovery or download mode... how much am I screwed? It just keeps rebooting

How do I adb pull root directories (like "/" or "/system"?)

Hi there, I'm trying to pull root directories like /system and /data without any luck. My purpose is to have them on my PC as a backup, and be able to browse them to pull out apps and pieces of data as necessary if it ever becomes necessary.
Device: Nexus 6P (North American version)
ROM: Stock 6.0.1 Rooted, using Wugfresh Nexus Root Toolkit and SuperSU
PC OS: Windows 7 PC (64 bit)
Adb is working properly and I can easily pull non-root directories like "/sdcard" and so on. I'd like to be able to backup the entire root directory ("/") or at least the child directories (like "/system" and "/data", etc.) Unfortunately, when I try
Code:
adb pull -p "/system" "C:\somewhere"
it skips a bunch of files, so I need to come up with a better method.
I've tried
Code:
adb root
and it tells me it's already running in root mode.
I try
Code:
adb remount
and it does this properly, but doesn't change the effects of all the commands I've tried.
When I run
Code:
adb shell
it enters shell and gives me # by default, so seemingly it is giving me su permission by default?
*** Oddly, when I enter "su" while in shell, it tells me "/sbin/sh: su: not found" which seems odd to me. I think it's possible that SuperSU is installed as systemless root, or there's something else screwy here, so I guess I'm not sure how to proceed. Still, if that were the case, why would adb already be running as root, and why would shell automatically give me the #?
Any help is appreciated!!
Thanks!
@Heisenberg I figured I'd tag you because of your extensive experience with the Nexus 6P in particular (and rooting.) Not sure if you may be able to shed some light on the issue here?

How to extract your boot.img from any rom (adb)

If there is any trouble, leave it in the comments, I'll respond
I am not responsible if this crashes, bricks, causes nuclear warfare, or anything else that may happen, I'll try to fix it if you put your problem in the comments
Extract boot.img using a few simple adb commands
Hi XDA, I want to educate you on how to extract your boot.img using adb. Since systemless root and kernels all utilize the boot.img, undoing these changes consists of just flashing the boot.img in TWRP!
I pulled this from a RootJunky video and it worked on my pixel xl on any rom
Prerequisites:
You have to use TWRP (img or install, depending on the method)
Locating the boot.img
There are many tools used for this, I just like using the logs of an installer
Flash the TWRP installer and read the logs
It says "found boot image in *path*" (Usually /dev/block/sda19 or sda20)
If you want confirmation, flash magisk and it should say where your boot.img is
Extraction of the boot.img (2 ways)
Without TWRP installed
fastboot boot twrp.img
Open a terminal (on a computer) and type adb shell
your window should have only a ~#
Type this command in
HTML:
dd if=**boot.img path** of=/sdcard/boot.img
Replace the **boot.img path** with whatever path you found your boot.img in when locating it
This should pull the boot.img to your /sdcard (storage) directory
To transfer to computer, just use your favorite file transfer method!
With TWRP installed
Install TWRP
Reboot to TWRP
Follow the steps listed in the without TWRP installed category
I would like to thank RootJunky for this method, it works flawlessly
There is a method to extract boot.img without TWRP? The tablet that I own doesn't have a any developed custom recovery, is an unsupported low-end device. Thank you for your help.
kingbri said:
If there is any trouble, leave it in the comments, I'll respond
I am not responsible if this crashes, bricks, causes nuclear warfare, or anything else that may happen, I'll try to fix it if you put your problem in the comments
Extract boot.img using a few simple adb commands
Hi XDA, I want to educate you on how to extract your boot.img using adb. Since systemless root and kernels all utilize the boot.img, undoing these changes consists of just flashing the boot.img in TWRP!
I pulled this from a RootJunky video and it worked on my pixel xl on any rom
Prerequisites:
You have to use TWRP (img or install, depending on the method)
Locating the boot.img
There are many tools used for this, I just like using the logs of an installer
Flash the TWRP installer and read the logs
It says "found boot image in *path*" (Usually /dev/block/sda19 or sda20)
If you want confirmation, flash magisk and it should say where your boot.img is
Extraction of the boot.img (2 ways)
Without TWRP installed
fastboot boot twrp.img
Open a terminal (on a computer) and type adb shell
your window should have only a ~#
Type this command in
HTML:
dd if=**boot.img path** of=/sdcard/boot.img
Replace the **boot.img path** with whatever path you found your boot.img in when locating it
This should pull the boot.img to your /sdcard (storage) directory
To transfer to computer, just use your favorite file transfer method!
With TWRP installed
Install TWRP
Reboot to TWRP
Follow the steps listed in the without TWRP installed category
I would like to thank RootJunky for this method, it works flawlessly
Very useful guide. No, it's absolutely useless and of no help. THERE IS ZERO NEED TO EXTRACT THE BOOT.IMG IF YOU HAVE ROOT. You NEED THE BOOT.IMG TO ROOT (VIA MAGISK).. If someone has TWRP, just fkn flash magisk right then and there. Rootjunky is useless.
JhinCuatro said:
Very useful guide. No, it's absolutely useless and of no help. THERE IS ZERO NEED TO EXTRACT THE BOOT.IMG IF YOU HAVE ROOT. You NEED THE BOOT.IMG TO ROOT (VIA MAGISK).. If someone has TWRP, just fkn flash magisk right then and there. Rootjunky is useless.
Agreed, this is useless. I need the boot.img so that I can patch it with Magisk and then flash onto device. If I have TWRP, I don't need the boot.img.
JhinCuatro said:
Very useful guide. No, it's absolutely useless and of no help. THERE IS ZERO NEED TO EXTRACT THE BOOT.IMG IF YOU HAVE ROOT. You NEED THE BOOT.IMG TO ROOT (VIA MAGISK).. If someone has TWRP, just fkn flash magisk right then and there. Rootjunky is useless.
I disagree, having the boot image is useful if you want to modify it
Likewise, I have to agree...this primer IS useful as being able to extract a boot.img file from a stock rom is imperative for a lot of users with off-brand or rebranded MTK devices. For instance, I have a Blu G80 and there is virtually no dev support for this device and I would personally like to be able to root from the latest (or any) stock ROM or heck, repartition into the new A/B format to absolve myself of OTA updates forever.
Doogee N30: I do not have root, there is no recovery or rom for my phone, Can I extract the boot.img from my phone storage, to patch it with Magisk? Maybe with adb? Idk, please help me, I'm dying here....
This should also help:
Just boot into TWRP and run the following:
Code:
find /dev/block/platform -type d -name by-name
then use
Code:
ls -la /the/path/displayed/from/find
Then make note of your boot partition, so everything after the arrow ( -> ). If you are using a slotted device, it shouldn't matter which boot slot you pull, but it might help to pull the boot slot you are actually using.
Then, as stated in the OP
Code:
dd if=/boot/img/path of=/sdcard/boot.img
Src:
adb find phone partitions
I need the command to find the partition of all Android devices For example, on some Samsung phones, you can use the following command to partition the device adb shell ls -al /dev/block/platform/
stackoverflow.com
I just installed Magisk on my OG Pixel. Using the method above, it took me a matter of minutes. I booted into TWRP to do this in adb with root.
EDIT:
I found a more workable solution, as long as you have the "find" command in TWRP or some other ADB session.
This definitely doesn't work if you don't have root in adb. TWRP or equivalent environment is required. If you don't have TWRP for your device, then at a minimum you need some way to root the device. Once you get root, then you can start up ADB, type "su" or other SuperUser command, and then run the "dd" command above (the 3rd code block). Without root, the "dd" command will fail - permission denied.
I've tried this on a Nexus 6P and an OG Pixel so far.
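The by-name lookup and dd step from the post above, as an added example that is not part of the original thread: it parses an `ls -la` by-name listing, picks the exact boot entry for a slot suffix, and checks the dump's SHA-256 against the source before the image is patched or flashed. The function names and the embedded listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LISTING is a constructed sample
# of `ls -la <by-name dir>` output from an A/B device.
SAMPLE_LISTING='total 0
drwxr-xr-x 2 root root 1480 1970-01-01 00:00 .
lrwxrwxrwx 1 root root   16 1970-01-01 00:00 boot_a -> /dev/block/sda19
lrwxrwxrwx 1 root root   16 1970-01-01 00:00 boot_b -> /dev/block/sda20
lrwxrwxrwx 1 root root   15 1970-01-01 00:00 bootloader_a -> /dev/block/sda7
lrwxrwxrwx 1 root root   16 1970-01-01 00:00 system_a -> /dev/block/sda33'

# boot_target LISTING [SLOT_SUFFIX]
# Prints the block device that "boot<suffix>" links to (the text after "->").
# The name is compared exactly, so "bootloader_a" never matches "boot_a".
# Returns non-zero when no such entry exists.
boot_target() {
    printf '%s\n' "$1" | awk -v name="boot$2" '
        { for (i = 2; i < NF; i++)
              if ($i == "->" && $(i - 1) == name) { print $(i + 1); found = 1 } }
        END { exit !found }'
}

# dump_and_verify SRC DST
# Copies SRC to DST with dd, then compares the SHA-256 of both. Returns
# non-zero if the copy fails (for example "permission denied" without root)
# or if the digests differ.
dump_and_verify() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    src_sum=$(sha256sum "$1" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$src_sum" ] && [ "$src_sum" = "$dst_sum" ]
}

# Demo on the constructed listing. On a device the suffix would come from
# `getprop ro.boot.slot_suffix` (empty on non-A/B devices), and the resolved
# path would be passed to: dump_and_verify "$dev" /sdcard/boot.img
dev=$(boot_target "$SAMPLE_LISTING" "_a") && echo "boot partition: $dev"
```

A matching digest only shows the copy is faithful to what was on the partition at dump time; keep the unmodified image so the stock boot partition can be restored later.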
Hello everyone, I need help. Can't somebody help me? I can't find the boot.img in my device storage. I have the SKY elitte p55. I tried to find a guide on websites but found nothing. Thanks for the help.
adb shell
cd /dev/block/bootdevice
ls
if u found your boot_a/boot_b , proceed reboot to twrp
pull those boot_a/boot_b file to your computer using command adb pull /dev/block/bootdevice/boot_a
push them into the phone, open magisk and patch the file boot_a/boot_b
after magisk done patching , reboot to bootloader
fastboot flash boot magisk-patched.img
now u have magisk on your phone
just sharing what is done on my phone . now pixel experience plus latest on my mojito/sunny device has root
I have Chinese Android TV Boxes like below links, please which TWRP image should I use?
The TWRP site seems to be all oriented about phone recovery images.
The TV boxes appear to be AMLogic ?CPU?
Is there a tutorial that shows ideally with a phone storage diagram the concept for flash vs. backup vs recovery?
Some say you can boot from an external recovery image with fastboot without writing it on the device?
(video is a bit old from 2015)
My current understanding is the "stock recovery partition" does not offer enough functionality to read/write the various partitions (boot,recovery,system,vendor,???) So is that what TWRP recovery images provide? It does NOT appear they offer a "generic" recovery image.
If I manage to read these partitions can I edit their filesystem content on the PC? if so with which tool? are they standard .zip/rar/tar/iso files?
Currently I am running adb command over WiFi, these boxes come with 2 USB ports and sdcard slot. Can I use USB-A to USB-A cable to connect this boxes to PC, like the phone junkies do?
I don't have the equivalent of pressing volume/power buttons like on phones to boot into recovery or standard, what's the best way of doing that, fastboot/adb/an app on the tvbox?
These boxes already have su when I enter adb shell, su, whoami >displays> root, so that means they are unlocked.
I am bit lost in all of this, otherwise I won't be here. Thank you so much!!!
Amazon.com
Amazon.com
I tried to follow the info and steps in a video by rootjunky and apply to a chinese tv box however I am not finding the boot/recovery/system/vendor partitions I ?think? I need to back up in order to flash onto another identical box (ie. replicate the various manual setups I did of app launcher, de-installed stock apps, my apk installs, etc...)
According to the below commands and output could you please let me know what pull commands I need to issue to copy the necessary sections onto my PC, thank you so much.
Here is my current wild guess to achieve my backup and replicate goals.
Here are the peek around commands and outputs...
adb -s 192.168.1.120:5555 shell "ls -R /dev/block/platform | grep by-name"
Some output is empty ??? in particular msm_partitions.txt ?
adb -s 192.168.1.120:5555 shell "ls -la /dev/block/platform/soc/fe08c000.mmc/by-name/"
if you need any particular output (eg. adb, or AIDA64, ...) just let me know and I will post.
Video reference...
false. any rom does not have twrp capabilities, like, for example the phone Alcatel 3 2019. You should change the post's title.
In those cases that no twrp is available it is impossible to extract the boot.img afaik.
I know I'm a little late to the party here, but maybe I can provide some insight into this. For starters, until you can mount /system rw properly, ADB just ain't gonna work like you want. I have one of these 905w2 boxes (oppen x88plus..) and have been dealing with this for a minute now. If you at least have wireless adb access, you can:
A) get fastboot access
B) get adb sideload access from stock recovery
..and that's about it. You use the right hand USB port. Interestingly, my win11 chimes when I plug in my box when it's booted normally, however nothing appears in device manager or usbdevview.
In closing, why don't you just DD the partitions to sd\usb storage? IE:
dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
