A public service announcement.
A new tool (mtk-su) by @diplomatic (link) is able to achieve a temporary yet full featured root shell on any OS version for the original BLU R1 (and most likely, on BLU R1 PLUS), see this post for proof. Use mtk-su_r11.zip, version in armv7-kernel folder, and you will get a rooted shell. To install permanent root, you will need to unlock your bootloader.
Perhaps, @mrmazak would be kind enough to update his R1 bootloader unlock tool to all OS versions It should be possible to update bootloader unlock for R1 PLUS up to the latest OS version (@lopestom), given that there is now a full featured root shell with rw system access.
bibikalka said:
A public service announcement.
A new tool (mtk-su) by @diplomatic (link) is able to achieve a temporary yet full featured root shell on any OS version for the original BLU R1 (and most likely, on BLU R1 PLUS), see this post for proof. Use mtk-su_r11.zip, version in armv7-kernel folder, and you will get a rooted shell. To install permanent root, you will need to unlock your bootloader.
Perhaps, @mrmazak would be kind enough to update his R1 bootloader unlock tool to all OS versions It might also be possible to accomplish bootloader unlock for R1 PLUS, given that there is now full featured root shell.
Click to expand...
Click to collapse
since you have your R1 powered up already, can you let me know if that temp root shell gives access to /dev/block.
as in can you test if a dd command to /dev/block is allowed. if it is then this will make a nice replacement to dirty-cow method..
mrmazak said:
since you have your R1 powered up already, can you let me know if that temp root shell gives access to /dev/block.
as in can you test if a dd command to /dev/block is allowed. if it is then this will make a nice replacement to dirty-cow method..
Click to expand...
Click to collapse
Yep, seems to work OK:
Code:
[email protected]_HD:/data/local/tmp $ ./mtk-su_arm7 -v
armv7l machine
param1: 0x1000, param2: 0x8040, type: 7
Building symbol table
...
New UID/GID: 0/0
starting /system/bin/sh
[email protected]_HD:/data/local/tmp # dd if=/dev/block/mmcblk0p7 of=/sdcard/p7t.bin
32768+0 records in
32768+0 records out
16777216 bytes transferred in 3.630 secs (4621822 bytes/sec)
This is way better than DirtyCow !
bibikalka said:
Yep, seems to work OK:
Code:
[email protected]_HD:/data/local/tmp $ ./mtk-su_arm7 -v
armv7l machine
param1: 0x1000, param2: 0x8040, type: 7
Building symbol table
...
New UID/GID: 0/0
starting /system/bin/sh
s[email protected]_HD:/data/local/tmp # dd if=/dev/block/mmcblk0p7 of=/sdcard/p7t.bin
32768+0 records in
32768+0 records out
16777216 bytes transferred in 3.630 secs (4621822 bytes/sec)
This is way better than DirtyCow !
Click to expand...
Click to collapse
that seems soo simple.
changed the dirty-cow section of the tool to use this mtk-su
and based on the read-me says, this command should work, as an all in one.
Code:
example based on file name used in tool
adb shell "/data/local/tmp/mtk-su -c dd if=/data/local/tmp/unlock of=/dev/block/mmcblk0p17"
can you test it?
Code:
adb push mtk-su /data/local/tmp/mtk-su
adb shell chmod 0777 /data/local/tmp/mtk-su
adb shell "/data/local/tmp/mtk-su -c dd if=/dev/block/mmcblk0p7 of=/sdcard/p7t.bin"
mrmazak said:
that seems soo simple.
changed the dirty-cow section of the tool to use this mtk-su
and based on the read-me says, this command should work, as an all in one.
Code:
example based on file name used in tool
adb shell "/data/local/tmp/mtk-su -c dd if=/data/local/tmp/unlock of=/dev/block/mmcblk0p17"
can you test it?
Code:
adb push mtk-su /data/local/tmp/mtk-su
adb shell chmod 0777 /data/local/tmp/mtk-su
adb shell "/data/local/tmp/mtk-su -c dd if=/dev/block/mmcblk0p7 of=/sdcard/p7t.bin"
Click to expand...
Click to collapse
Just tested the last bit of code, all worked properly! Ended up reading mmcblk0p7 as expected! So please proceed
bibikalka said:
Just tested the last bit of code, all worked properly! Ended up reading mmcblk0p7 as expected! So please proceed
Click to expand...
Click to collapse
I think it is ready.
Biggest unknown part is, weather it works on V9.x
We assume the only change made was the kernel patch that blocked dirty-cow. what if bootloader has unlock codes removed.
Any how I put it up on the unlock thread, And it needs a tester.
mrmazak said:
I think it is ready.
Biggest unknown part is, weather it works on V9.x
We assume the only change made was the kernel patch that blocked dirty-cow. what if bootloader has unlock codes removed.
Any how I put it up on the unlock thread, And it needs a tester.
Click to expand...
Click to collapse
Well - it's not like the bootloader is set in stone You can overwrite any /dev/block, so if there are issues, why not return all stuff - preloader & bootloaders to the V6.6 ? Then even the MTK tool would work. I don't recall there was anti-rollback protection implemented. I guess your tool tries to be the least invasive, but the full featured root gives options for a total downgrade.
bibikalka said:
Well - it's not like the bootloader is set in stone You can overwrite any /dev/block, so if there are issues, why not return all stuff - preloader & bootloaders to the V6.6 ? Then even the MTK tool would work. I don't recall there was anti-rollback protection implemented. I guess your tool tries to be the least invasive, but the full featured root gives options for a total downgrade.
Click to expand...
Click to collapse
one of the options in the tool , is to roll-back the pre-loader.
did that long ago.
didn't try with shell , only with twrp. Similar to the way the OTA changed it. and it requires you to unlock again. but it has been repeatable process.
Would this work with r1 hd from Amazon?
Hey guys, looking for little bit f help.
Actually I hardbricked by R1 plus accidentanly. Unable to find it's firmware anywhere on the internet. Xepirifirm didn't had this model in it previously. Could you please let me know where could I find it ROM and also how to boot up my phone again?
Related
Hi there...
I'm finally considering rooting, however all the guides lead to flashing a custom rom... but actually I don't want to flash a custom ROM, I want to keep everything as it is, with the difference that I (and preferably only I) can become super user on the shell when I need to do some changes (like fixing the stock widget bug in the internal database).
I've read this right now:
http://forum.xda-developers.com/showthread.php?t=724741
And they say I can flash this files called EngTools.zip
Does this also work on the Hero assuming the guide (PossibleGSMRoot or something... fromt he villainforum) works on my phone?
I don't even want to permanently have some kind of AmonRa blabla recovery boot image on my phone. If I need it while I get root that's fine, but I want to get rid of it afterwards. I really don't need root for any applications liek overclocking etc. etc. just for smaller dives into the files system and changes there via adb.
olafos said:
Hi there...
I'm finally considering rooting, however all the guides lead to flashing a custom rom... but actually I don't want to flash a custom ROM, I want to keep everything as it is, with the difference that I (and preferably only I) can become super user on the shell when I need to do some changes (like fixing the stock widget bug in the internal database).
I've read this right now:
http://forum.xda-developers.com/showthread.php?t=724741
And they say I can flash this files called EngTools.zip
Does this also work on the Hero assuming the guide (PossibleGSMRoot or something... fromt he villainforum) works on my phone?
I don't even want to permanently have some kind of AmonRa blabla recovery boot image on my phone. If I need it while I get root that's fine, but I want to get rid of it afterwards. I really don't need root for any applications liek overclocking etc. etc. just for smaller dives into the files system and changes there via adb.
Click to expand...
Click to collapse
Hmmm. If you are on 2.1, then you can use the GSM root i posted over at VR. The recovery needs to be flashed to the phone though, so you can flash zips to the phone from there.
As for your wish to get rid of the patched recovery afterwards, you're missing out a lot, but if you can find the stock recovery img file, you can simply flash that using
"flash_image recovery FilenameHero.img" via the phone's shell or adb (once rooted, presuming you added the flash_image binary).
As for that file, I don't know, as I've never checked if that will work on the hero.
I'd be inclined to say DON'T TRY IT, since it will contain a kernel, and flashing the wrong kernel can brick your device's radio, essentially ruining it.
But if you locate the correct files for the GSM hero, and package them similarly, you could flash that onto your phone via recovery
Bear in mind the stock HTC ROM is basically full on the system partition, so you might have issues actually fitting the files on.
I've been a lurker for some time here but just before I had thought about exactly the same issue as OP... I always wondered why there's no way to just get root access temporarily. Most people told me I'd have to flash a custom ROM.
So today I finally looked into the matter and based on your (anon2122) post on VillainROM and the Eris exploits etc. I managed to do exactly what I wanted... and thought it's time to get an account...
I only really needed root for the Stock app currency issue: [HTTP]://forum[DOT]xda-developers[DOT]com/showthread[DOT]php?t=719149 which I was now able to fix.
HTC Hero GSM soft root guide by ixampl
(... credits belong to / based on: [HTTP]://www[DOT]villainrom[DOT]co[DOT] uk/viewtopic[DOT]php?f=110&t=2096)
1 Flashing a custom recovery image
1.1 Backup (1)
Code:
adb shell mkdir /data/local/backup
adb shell cat /data/local/rights/mid.txt > /data/local/backup/mid.txt
1.2 Uploading custom recovery image and image flashing tool and setting correct permissions
Code:
adb push recovery-RA-hero-v1.6.2.img /data/local/
adb push flash_image /data/local/
adb shell chmod 777 /data/local/recovery-RA-hero-v1.6.2.img
adb shell chmod 777 /data/local/flash_image
1.3 Center piece of the permissions exploit for the recovery ROM
Code:
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
1.4 Normal reboot
Code:
adb reboot
1.5 Now that the recovery ROM (/dev/mtd/mtd1) is accessible: Backup (2)
Code:
adb shell cat /dev/mtd/mtd1 > /data/local/backup/recovery.img
1.6 Flashing the previously uploaded custom recovery image
Code:
adb shell /data/local/flash_image recovery /data/local/recovery.img
1.7 Rebooting into recovery mode
Code:
adb reboot recovery
2 Adding root shell (optional)
2.1 Mounting all devices
Code:
adb shell mount -a
2.2 Adding rootsh
Code:
adb shell cat /system/bin/sh > /system/bin/rootsh
adb shell chmod 4755 /system/bin/rootsh
2.3 Rebooting into system
Code:
adb reboot
After this you can flash the recovery.img you backed up in step 1.5 just as you flashed in step 1.6 (adjust the parameters accordingly).
ixampl said:
I've been a lurker for some time here but just before I had thought about exactly the same issue as OP... I always wondered why there's no way to just get root access temporarily. Most people told me I'd have to flash a custom ROM.
So today I finally looked into the matter and based on your (anon2122) post on VillainROM and the Eris exploits etc. I managed to do exactly what I wanted... and thought it's time to get an account...
I only really needed root for the Stock app currency issue: [HTTP]://forum[DOT]xda-developers[DOT]com/showthread[DOT]php?t=719149 which I was now able to fix.
HTC Hero GSM soft root guide by ixampl
(... credits belong to / based on: [HTTP]://www[DOT]villainrom[DOT]co[DOT] uk/viewtopic[DOT]php?f=110&t=2096)
1 Flashing a custom recovery image
1.1 Backup (1)
Code:
adb shell mkdir /data/local/backup
adb shell cat /data/local/rights/mid.txt > /data/local/backup/mid.txt
1.2 Uploading custom recovery image and image flashing tool and setting correct permissions
Code:
adb push recovery-RA-hero-v1.6.2.img /data/local/
adb push flash_image /data/local/
adb shell chmod 777 /data/local/recovery-RA-hero-v1.6.2.img
adb shell chmod 777 /data/local/flash_image
1.3 Center piece of the permissions exploit for the recovery ROM
Code:
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
1.4 Normal reboot
Code:
adb reboot
1.5 Now that the recovery ROM (/dev/mtd/mtd1) is accessible: Backup (2)
Code:
adb shell cat /dev/mtd/mtd1 > /data/local/backup/recovery.img
1.6 Flashing the previously uploaded custom recovery image
Code:
adb shell /data/local/flash_image recovery /data/local/recovery.img
1.7 Rebooting into recovery mode
Code:
adb reboot recovery
2 Adding root shell (optional)
2.1 Mounting all devices
Code:
adb shell mount -a
2.2 Adding rootsh
Code:
adb shell cat /system/bin/sh > /system/bin/rootsh
adb shell chmod 4755 /system/bin/rootsh
2.3 Rebooting into system
Code:
adb reboot
After this you can flash the recovery.img you backed up in step 1.5 just as you flashed in step 1.6 (adjust the parameters accordingly).
Click to expand...
Click to collapse
That is a nice method.
I've long thought about making something similar, so maybe today I'll try, as an idea has come back to me...
I am thinking that I can avoid the whole recovery flashing, though I'm not going to say the idea till I've thought it through, as someone might try it before I realise how stupid an idea it is...
But I'll certainly see if it can get permanent root sorted out on the phone, although it won't give root adb access, as that is defined in the boot.img, though I guess I could flash that while I'm at it...
Good work.
Thanks!
Yes, a method to (safely) acquire super user access without flashing anything would be highly appreciated There's a small risk involved with flashing. Granted it usually causes no issues, but there is the slight possibility of bricking your phone.
Good work.
Click to expand...
Click to collapse
Thanks, although - as you know - I really didn't do anything special there
[...] although it won't give root adb access [...]
Click to expand...
Click to collapse
Yes, that's a minor annoyance, but really minor ... for the currency fix I naturally couldn't do
Code:
adb pull /data/data/com.htc.dcs.service.stock/databases/stock.db stock.db
or
Code:
adb push stock.db /data/data/com.htc.dcs.service.stock/databases/stock.db
but it's not that hard to just work around that via /data/local:
Code:
adb shell
$ rootsh
# cat /data/data/com.htc.dcs.service.stock/databases/stock.db > data/local/stock.db
then pull from there etc.
I really think "rooting" is a misnomer for most of the current guides.
I can see that most people "root" their phone in order to get custom ROMs (and I have no issue with that, it's just too much overkill for someone who just wanted to fix a small bug ) but In fact most people don't care about rooting per se, they care about flashing a recovery image which enables them to flash custom ROMs.
I actually wanted to try:
Code:
adb shell ln -s /dev/mtd/mtd3 /data/local/rights/mid.txt
...and see what happens if I remount after boot. If it causes the system to follow back the link with user permissions for the recovery ROM, maybe the system ROM could be (write-)accessed as well. Then again, it was my first venture into rooting so naturally there would have been no way to fix a broken system image safe for reflashing the 1.5 RUU.
Do you have any details about what the original purpose of the (original) mid.txt was? I mean, it was there, sitting in a directory named rights... quite an invitation (of course, we didn't actually "set" rights in that file or anything for the exploit, but still...)
Is it safe to delete mid.txt and will it be recreated with some default values by the system?
Click to expand...
Click to collapse
HOW TO ROOT YOUR LENOVO IDEATAB A1000
<DISCLAIMER>
By attempting these steps, your warranty will be void. Even worse than that, it might cause crashes, freezes, random explosions, 2nd degree burns, or even turn your beloved tab into $100+ paperweight. What works on mine might not work on yours, so don't attempt if you don't know what you're doing. Do at your own risk. Corrections are welcome. I must admit that I'm not an expert, so any info I posted might be wrong, and I can't offer you much help. I'm not responsible for anything arising from the use of this how-to. I can only wish you good luck.
<WHY ROOT?>
- Without root or OTA upgrades (at time of writing, Indonesian customers still can't get it), you'll be stuck with ~500MB internal memory. That's annoying.
- You're stuck with the default IO scheduler (cfq) and governor (hybrid, haven't heard that one..)
- You have an incredibly large amount of bloatware you can't get rid of, in that already cramped up internal storage
- Did I mention freedom?
<REQUIREMENTS>
This method is originally used to root Acer Iconia B1-A71. Somehow I noticed that the two actually has the same chipset, MTK8317 (if it really was relevant ). So I tried the method, and through sheer n00b's luck, it worked like a charm!
Lenovo IdeaPad A1000-G --> 4GB storage, 2G/EDGE. This method haven't been tested on A1000-T/F, different storage cap (16GB, etc.) or other variants, but it should work with slight modification. Screenshots of my specs are attached below. Remember, proceed at your own risk!
A Linux System. Never tried on Windows or Mac. I personally used Linux Mint 15. The source post uses Ubuntu.
working ADB (android-tools-adb). You can get this from synaptics, apt-get, etc. If your system can detect adb devices, you should be fine.
Superuser Binary
Busybox Binary (You can get these two from the links on original post. XDA says noobs can't post links :'( )
ORIGINAL THREAD
<CREDITS>
XDA Senior Member entonjackson, for writing such a noob-friendly how-to for rooting Acer Iconia B1-A71 and for allowing me to use it for this how-to.
XDA Member alba81, for discovering the method as acknowledged on the original post by entonjackson
All awesome gurus on XDA which I can't mention one by one.
<THE STEPS>
1. Extract the android sdk to your home folder, e.g. a user named Bob will use like /home/bob
2. Open a terminal
3. Now plug your A1000 into your machine and turn on Debugging Mode (Go into Settings -> Developer Tools, turn on Developer tools, then turn on USB Debugging Mode)
4. Now back at the keyboard of your Linux machine in your terminal type:
Code:
sudo adb devices
The output should be something like:
Code:
123456789ABCDEF device
If it's not, google for it. Somehow your Linux hasn't detected the A1000, although the android sdk for Linux brings all needed drivers with it.
If your device was found, congratulations. The adb connection between your linux machine and your tablet is intact.
5. Now extract the downloaded busybox archive to your home folder, in it there should be a busybox binary. So Bob does:
Code:
sudo ./adb push /home/bob/busybox /data/local/tmp
Code:
sudo ./adb shell
Code:
chmod 755 /data/local/tmp/busybox
6. You should copy the busybox binary into a directory where you can access it as a plain non-root user on the tablet. We need this binary. so we can apply unix tools like telnet, dd, cat, etc. But for now we need it to establish a telnet session between our tablet and our linux machine.
(This point is written on original post. Seems important, but as soon as I finished step 5, I can use those tools)
7. Dial *#*#3646633#*#* to enter Engineer Mode
8. Go to Connectivity -> CDS Information -> Network Utility
9. type the following command:
Code:
/data/local/tmp/busybox telnetd -l /system/bin/sh -p 1234
Advice from original poster: copy and paste it from the browser on your tablet, because dependent on which keyboard app installed, this can be freakin tricky. In the next step you will learn, why it's so important why this command should be correct.
10. Tap on Run. You won't get any feedback, so you will never know if the entered command runs properly or not. That's why you should make sure the command is ok.
Now we have started our telnet server on the tablet.
11. Back in the terminal type:
Code:
/data/local/tmp/busybox telnet 127.0.0.1 1234
If you now get an error like couldn't find busybox or something, then either adb push failed or you forgot to chmod, in step 5
12. Now enter:
Code:
cat /proc/dumchar_info
You should get a bunch of lines, try to find a line containing the partition named android
{..... partition list .....}
android 0x0000000028A00000 0x00000000020E8000 2 /dev/block/mmcblk0p3
{..... partition list .....}
13. We will create a dump of our android system. This is the point where different variants *MIGHT* have different parameters. This step is important, as wrong parameter will result in unmountable image.
Stop. Take a deep breath. If you're not familiar with dd, find a good doc of it. There's a plethora of them.
Get yourself a programmer's calculator (Linux Mint 15 has one built in).
Here's what you'll do :
Convert the hex number on the 3rd column into decimal. In my case (0x20E8000) will yield 34504704. Divide by 4096. The result (8424) goes to the skip parameter.
Convert the hex number on the 2nd column. In my case (0x28A00000) will yield 681574400. Divide by 4096. The result (166400) goes to the count parameter.
So the full dd command will look like :
Code:
dd if=/dev/block/mmcblk0 bs=4096 skip=8424 count=166400 | gzip > /cache/system.img.gz
Do a full sanity check before hitting enter! It will take about 5 minutes.
14. After it's finished we must make the image readable for adb, so we do:
Code:
chmod 777 /cache
and
Code:
chmod 777 /cache/system.img.gz
15. Leave the telnet, and then adb shell session by:
Code:
exit
Code:
exit
16. Now we pull our image by
Code:
sudo adb pull /cache/system.img.gz
wait 1-2 minutes.
It should be then located inside /home/bob. It did for me. If not, do a search . It should be a .gz, extract it right there (or /home/bob if it isn't there)
17. Now we need to modify our system image by adding the tiny but helpful su binary. Extract the SU binary to /home/bob.
18. We create a folder where we will mount our system image to. To create it do:
Code:
sudo mkdir /media/a1000
19. Now we mount it:
Code:
sudo mount -o loop /home/bob/system.img /media/a1000
if it fails, then you entered wrong parameters on step 13
20. Now we copy our SU binary to our mounted system image:
Code:
sudo cp /home/bob/su /media/a1000/bin
21. the su binary needs to have the proper rights to make it usable, so we 'suid' it with:
Code:
sudo chmod 06755 /media/a1000/bin/su
22. Let's unmount our baby by:
Code:
sudo umount /media/a1000
and because bob doesn't like a messed up system, he does:
Code:
sudo rm -rf /media/a1000
because he hopefully won't need it anymore.
23. We have to gzip it again to bring it back to where it belongs to. this we do by:
Code:
cd /home/bob
Code:
gzip /home/bob/system.img
24. So here we are now, we made it to the final Boss fight! The next steps are dangerous and should be performed with caution. We copy back our modified system image, which can brick your device, if you do a mistake! Enter adb shell again :
Code:
sudo adb shell
25. Remove the old boring image:
Code:
rm /cache/system.img.gz
26. Leave adb shell
Code:
exit
27. copy our cool new system image containing the su binary:
Code:
sudo adb push /home/bob/system.img.gz /cache
28. Enter adb shell again
Code:
sudo adb shell
29. Usually the telnet server on the tablet is still running, at least in my case it's been like that. That's why we can directly connect to the telnet server with:
Code:
/data/local/tmp/busybox telnet 127.0.0.1 1234
If this doesn't work, then obviously your telnet server isn't running anymore. So on your tablet if the telnet command is still entered (see step 9), tap on Run again and repeat step 29.
30. Now this is the most dangerous step in this how to (no it wasn't the mkdir one). You can copy following command to make sure everything is fine and paste it into your telnet session on your linux terminal.
<WARNING! SANITY CHECK! MAKE SURE *ALL* THE DD PARAMETERS MATCH THE FIRST DD (STEP 13) OR YOUR A1000 WILL TURN INTO A VERY EXPENSIVE PAPERWEIGHT!>
Code:
[B]/data/local/tmp/busybox zcat /cache/system.img.gz | dd of=/dev/block/mmcblk0 bs=4096 seek=8424 count=166400[/B]
After 1-2 minutes you're done, if your tablet or pc or yourself didn't catch fire, everything's fine.
31. Leave telnet / adb shell by doing
Code:
exit
Code:
exit
32. Reboot your A1000 via ADB, then exit
Code:
sudo adb reboot
Code:
exit
33. Unplug your tablet from PC
34. Install Superuser (No, not SuperSU, cause it won't work!). I personally use Superuser by ChainsDD, from Play Store
35. Be lucky. Your tablet and thus you are now free!
Don't forget to hit thanks, if this helps
hi, after step 13 (i double checked the command), i get this error
Code:
/system/bin/sh: can't create /cache/system.img.gz: Permission denied
/dev/block/mmcblk0: cannot open for read: Permission denied
I have the WiFi 4G version
Im too stuck in step 13.....nothing wrong with the script, can u give me a solution?
Im using A1000G also
@ts
Your guide work perfectl, in windows enviroment but mount step still need linux,
I've question are you using DirectoryBinding? Mine always close when playing Real Racing, its very annoying
You have suggeztion or alternative for DirectoryBinding?
Root with Windows ?
Hi,
I am a new member because i bought this tblet but i can't root. I don't have a linux environment, so there is a solution with W8 Pro 64 ?
Thanks a lot for you help,
ulisez said:
hi, after step 13 (i double checked the command), i get this error
Code:
/system/bin/sh: can't create /cache/system.img.gz: Permission denied
/dev/block/mmcblk0: cannot open for read: Permission denied
I have the WiFi 4G version
Click to expand...
Click to collapse
have you chmod-ed the busybox (or is the chmod successful without error)? Try chmod-ing the /cache before attempting step 13. It seems that you still don't have access to the NAND device (mmcblk0). Have you updated firmware via OTA?
artonelico said:
Im too stuck in step 13.....nothing wrong with the script, can u give me a solution?
Im using A1000G also
Click to expand...
Click to collapse
Do you encounter the same error message like ulisez had? Could you post the screenshot of the partition list (the lines after you execute dumchar_info)?
rmage said:
@ts
Your guide work perfectl, in windows enviroment but mount step still need linux,
I've question are you using DirectoryBinding? Mine always close when playing Real Racing, its very annoying
You have suggeztion or alternative for DirectoryBinding?
Click to expand...
Click to collapse
I personally use Link2SD by Bulent Akpinar to link apps to 2nd partition on my SDcard.
Letsar said:
Hi,
I am a new member because i bought this tblet but i can't root. I don't have a linux environment, so there is a solution with W8 Pro 64 ?
Thanks a lot for you help,
Click to expand...
Click to collapse
The original developer who posted the method (entonjackson) plans to integrate the method in the next release his toolkit, the Acer Iconia Toolkit. I think you should check his thread : http://forum.xda-developers.com/showthread.php?t=2240029
sammymaddog said:
have you chmod-ed the busybox (or is the chmod successful without error)? Try chmod-ing the /cache before attempting step 13. It seems that you still don't have access to the NAND device (mmcblk0). Have you updated firmware via OTA?
Do you encounter the same error message like ulisez had? Could you post the screenshot of the partition list (the lines after you execute dumchar_info)?
I personally use Link2SD by Bulent Akpinar to link apps to 2nd partition on my SDcard.
The original developer who posted the method (entonjackson) plans to integrate the method in the next release his toolkit, the Acer Iconia Toolkit. I think you should check his thread : http://forum.xda-developers.com/showthread.php?t=2240029
Click to expand...
Click to collapse
Link2SD doesn't link app data, do you have any option?
yes i had same message with ulyses, by the way im from indonesia too can i contact you through chat client?
oh yeah im using windows 7 and using cmd as a terminal in linux
thx before bro
sammymaddog said:
The original developer who posted the method (entonjackson) plans to integrate the method in the next release his toolkit, the Acer Iconia Toolkit. I think you should check his thread : http://forum.xda-developers.com/showthread.php?t=2240029
Click to expand...
Click to collapse
Ok, i see his toolkit. It's very good. I'll wait
rmage said:
Link2SD doesn't link app data, do you have any option?
Click to expand...
Click to collapse
I'm not sure whether the stock kernel of our devices supports init.d, thus supports CronMod/Data2SD. Lenovo locked our bootloader, and currently there's no way around it. So I personally think, Link2SD method are the best option for now.
Let's give it several months until our dev gurus bring their miracles upon this device
The attached image shows mt6577 Hardware, can u provide the Soc details please
Hi, Can any one upload Lenovo ideatab A1000 system.img
in step 20, it appears you are writing to a /bin directory on the android system. However such a directory is not visible either through shell or the system telnet account.
Do I need to understand something else about android to make sense of this.
regards
vidya
one month gone past but the op seems to be in caves or has bricked the device
STOCK ROM
CAN ANY BODY PROVIDE ME A STOCK ROM OF THIS DEVISE
I HV ROOTED SUCCESSFULLY BY A VERY EASY METHOD
BUT SCREWED UP WHILE UPDATING IT SO PLZ PLZ HELP ME OUT
THE DEVICE BOOTS BUT ALL THE APP CRASHES :crying::crying:
VR.gtmini said:
The attached image shows mt6577 Hardware, can u provide the Soc details please
Click to expand...
Click to collapse
VR.gtmini said:
one month gone past but the op seems to be in caves or has bricked the device
Click to expand...
Click to collapse
sorry to make you wait. I'm a last grader university student, and final project stuffs have got me pinned down. Hope you understand
Actually the SoC is MT8317. For some god-knows reason Mediatek have made this SoC with signatures similar to MT6577. But somehow CPU tweaker correctly detects the SoC (MT8317). Maybe it's the CPU-Z bug?
unknown_world said:
Hi, Can any one upload Lenovo ideatab A1000 system.img
Click to expand...
Click to collapse
zod0070 said:
CAN ANY BODY PROVIDE ME A STOCK ROM OF THIS DEVISE
I HV ROOTED SUCCESSFULLY BY A VERY EASY METHOD
BUT SCREWED UP WHILE UPDATING IT SO PLZ PLZ HELP ME OUT
THE DEVICE BOOTS BUT ALL THE APP CRASHES :crying::crying:
Click to expand...
Click to collapse
I'm uploading the modified .img. Let's pray my old HSPA modem won't catch fire by the morning.
vidyadhara said:
in step 20, it appears you are writing to a /bin directory on the android system. However such a directory is not visible either through shell or the system telnet account.
Do I need to understand something else about android to make sense of this.
regards
vidya
Click to expand...
Click to collapse
I think you got it wrong. The write process does not take place on the device. It's on the loop-mounted .img in /mnt/a1000 on your computer (step 18-19). Cheers!
Here's the ALREADY BUSYBOX-ED .img for Ideapad A1000-G 4GB EDGE version. Hope it helps :
www dropbox com/s/rmpnz7c285t5sqz/system.7z
sammymaddog said:
Here's the ALREADY BUSYBOX-ED .img for Ideapad A1000-G 4GB EDGE version. Hope it helps :
www.dropbox.com/s/rmpnz7c285t5sqz/system.7z
Click to expand...
Click to collapse
Thanks for coming back, could u post the MD5 of the system.7z & system.zip.
Also could u provide simple way/steps to directly flash this .img without extracting existing stock system image
My tab A1000-G
do you have stockROM for lenovo A1000G
I need this :crying:
raffly said:
do you have stockROM for lenovo A1000G
I need this :crying:
Click to expand...
Click to collapse
Don't worry, the above link is a stock Lenovo A1000 G ROM, but with pre-root files having no superuser app. Just extract the .7z file
System.7z MD5: 658CA71AC8A230B244F267513857F9A5
im curious if there is any way to push "su" to the the system?
i mean cmon there are pleanty of KITKAT 4.4.2 fastboot files.
i have tried pushing "su" maually with "pwn" exploit.
tried with following exploits
-psneuter
-pwn
but no luck there.
any one pleaseeeee...im dieing here..
our system details.
- LOCKED BOOTLOADER ( )
- KIT KAT 4.4.2
- Blur_Version.183.46.10.XT907.Verizon.en.US ( KDA20.62-10.1 )
what i tried is
Code:
adb devices
adb push pwn /data/local/tmp
adb shell
$ cd /data/local/tmp
$ chmod 777 pwn
$ ./pwn
( NO LUCK GETTING PERMISSION AFTER $ ./pwn )
At this point, the exploit will run and close the shell. You will need to run these commands to restart the ADB server.
adb kill-server
adb devices
Now comes the moment of truth. Use the
adb shell
command to open a shell. If you see a "#" sign, you have root access, so go ahead and continue to the next part.
If not, you can go back and try the previous steps again
We now need to make this root permanent. From the root shell you just opened, type the following commands.
# mount -o remount,rw -t rfs /dev/block/st19 /system
# exit
adb push busybox /system/bin
adb push su /system/bin
adb install Superuser.apk
adb shell
# chmod 4755 /system/bin/busybox
# chmod 4755 /system/bin/su
# mount -o remount,ro -t rfs /dev/block/st19 /system
# exit
adb reboot
gys lets make this happen any how.....lets roll...
even this wont work
http://www.kingoapp.com/
Every root method I've ever found for KK requires an unlocked bootloader, and I'm talking about looking outside the box at all different brands/models of phones too. I guess Google finally figured how to lock things up as well as Apple. I've read XDA user "jcase" had discovered a KK exploit that works on some Motorolas, but he's keeping it secret for some mysterious reason and will be presenting it at a Black Hat conference. Why anyone would rather help companies than consumers is beyond my comprehension, but it is what it is.
GnatGoSplat said:
Every root method I've ever found for KK requires an unlocked bootloader, and I'm talking about looking outside the box at all different brands/models of phones too. I guess Google finally figured how to lock things up as well as Apple. I've read XDA user "jcase" had discovered a KK exploit that works on some Motorolas, but he's keeping it secret for some mysterious reason and will be presenting it at a Black Hat conference. Why anyone would rather help companies than consumers is beyond my comprehension, but it is what it is.
Click to expand...
Click to collapse
Every exploit has two sides to it: it can be used more or less legitimately by users to obtain root privileges, but it can be also abused by rogue apps to gain control over someone else's device.
When you find an exploit, the sooner you publish it, the sooner it will be patched in a firmware update, making it unusable any more for gaining root privileges. And since you've published it, the bad guys can make their use of it as well.
Patching existing vulnerabilities by companies is natural and essentially made in favour of user's safety.
The specific timing of releasing details about some found vulnerability can be part of a tactic - you can give users a window for gaining root just after a specific expected firmware release for some device. If an exploit is published too soon, it will be patched in an upcoming firmware update and no one will be able to use it for rooting...
means that there is a possible way of course but the thing is will it could be found by or not......
of course for good reasons.......
So I'll update randomly...
boot.img and recovery.img -> https://drive.google.com/file/d/0B5QYBzdG6RuyZy1TSHc2VDVhY2M/view?usp=sharing
temp root:
Code:
adb push root /data/local/tmp
adb push wpoff /data/local/tmp
adb push fbunlock /data/local/tmp
adb push recovery.img /data/local/tmp
adb push boot.img /data/local/tmp
adb shell
$ [COLOR="Red"]chmod 755 /data/local/tmp/root[/COLOR]
$ [COLOR="Red"]chmod 755 /data/local/tmp/wpoff[/COLOR]
$ [COLOR="Red"]chmod 755 /data/local/tmp/fbunlock[/COLOR]
$ /data/local/tmp/root
...
#
defeat WP:
Code:
# /data/local/tmp/wpoff --unprotect-all
check WP status(optional):
Code:
# /data/local/tmp/wpoff --dump
If you see it's all zeroes there it means good, or if there are many 5555 it means NG.
unlock bootloader:
Code:
# /data/local/tmp/fbunlock
install TWRP and patched boot:
Code:
# dd if=/data/local/tmp/recovery.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
# dd if=/data/local/tmp/boot.img of=/dev/block/platform/msm_sdcc.1/by-name/boot
install SuperSU:
Code:
FLASH SUPERSU LIKE OLD DAYS
Why patch boot?
Cos MIYABI stops ptrace, some apps depends on it won't work properly.
Chinese here:
禁止转载到国内论坛,禁止用于商业用途。日版不会有的。
Note:
a. Remember to rename recovery.00X.zip to recovery.zip.00X before unzipping!
b. If you don't flash boot.img before install SuperSU, you will end up in boot loop. To restore, delete /system/xbin/daemonsu.
Attachments will be uploaded soon.
Hi tewilove, many thanks for publishing this. Amazing work! And a big time saver
tewilove tnx allot !!
hey some one know how can i put su inside in system and then to use SuperSU ?
thank you a lot
thanks but i can not use root app and super su can not install bin su
thank you for your help
tewilove said:
Tested with a 306SH with SW version S4081.
How to:
https://youtu.be/UJs7ruckGgc
This is v1, since the shell code has to be improved yet(WIP).
It only obtains temp root with kernel context. The left things are changing to init context, disable mmc_protect_part, disable miyabi LSM.
There might be v2, which solves all above, if I have time.
And it also works with many other devices.
For example, 305SH, MI4C, SH-01G.
If it keeps crashing, it should be my hard coded offsets.
PS: Please don't reshare this thread.
PS: Chinese: 请不要转载到贴吧,论坛,谢谢。
Click to expand...
Click to collapse
thank you for your help 谢谢某因幡分享
Please I'd like to know how you did that.could you be more clear, a step by step maybe?
Sent from my D6616 using XDA Free mobile app
salmanaman said:
Please I'd like to know how you did that.could you be more clear, a step by step maybe?
Sent from my D6616 using XDA Free mobile app
Click to expand...
Click to collapse
you can watch the video that tewilove make for us .. but we need to wait when some one unlock protect bcs after you restart phone root will disappear..
tewilove said:
Tested with a 306SH with SW version S4081.
Click to expand...
Click to collapse
How can I know that I got the temporary root? Is this step in the input ID?
all step working on my 305sh like youtube video but supersu not working and root checker say me no rooted
soudara said:
all step working on my 305sh like youtube video but supersu not working and root checker say me no rooted
Click to expand...
Click to collapse
yes we know about this .. i try to remount system ( with this command : busybox mount -o remount,rw /system) to get permission but my device is restart when i try .. maybe its from this write protection that @tewilove tell us .. if he can tell us how we can install su in system if its possible for now .. ?
ok so for the moment is useless ?
soudara said:
all step working on my 305sh like youtube video but supersu not working and root checker say me no rooted
Click to expand...
Click to collapse
me too?maybe just kernel root??
---------- Post added at 12:48 PM ---------- Previous post was at 12:31 PM ----------
loonbg said:
yes we know about this .. i try to remount system ( with this command : busybox mount -o remount,rw /system) to get permission but my device is restart when i try .. maybe its from this write protection that tewilove tell us .. if he can tell us how we can install su in system if its possible for now .. ?
Click to expand...
Click to collapse
yea?rootxplore and xposed said no root?
I don't think that folks are understanding what "temp" root means. This solution allows you to achieve root for the current shell session. This does not install the additional binaries to allow other applications to use root access.
With that being said, I am wondering if we can use this temporary elevated access to correct the vulnerability outlined in CVE-2015-1474 affecting /system/lib/libui.so that Sharp has neglected to address in previous OTA updates. The only "corrected" libui.so that I have been able to locate was compiled for v5.0.1 so I am afraid that file would not be compatible with this earlier version of Android on the 306SH. I am not really savvy with in depth programming to be able to fully investigate this and develop a viable solution... anyone who would be able to point me in the right direction would receive many thanks. :banghead:
My apologies if this should have been posted in a separate thread.
awesom! it worked in my 306sh with root permission acquired in shell.
can you use root app and install super su ?
Write protection is keeping us from remounting /system as rw. This prevents us from doing anything that would have any type of impact on the current situation. I want to experiment with attempting to mount partitions with the device powered off... but my device is encrypted so I am unable to access the shell with device off until I perform a factory reset. I am planning on doing that tonight so hopefully I will be able to report back with more information soon.
Sent from my 306SH
soudara said:
can you use root app and install super su ?
Click to expand...
Click to collapse
No. We are working on it though.
On another note, I can't get this temp root to work.
Video of what happens is linked. (too large to attach)
https://mega.co.nz/#!blNTjbhS!p2ljioY_43xlWkpu3EWpj8LvfMVP5eushZT23KLPASk
TechInMD said:
Write protection is keeping us from remounting /system as rw.
Click to expand...
Click to collapse
So I assume, from the quoted text, you have tried mounting /system as rw while in the temp root shell session?
Yes. I tried using the mount command both directly from the root shell prompt plus I tried using busybox to mount also. There seem to be slight variations between them. Also, not sure if it is relevant but I attempted it both through adb and in terminal on the device. I can get to the root prompt but not further.
Sent from my 306SH
Hi guys,
i made a small test suite to test vulnerability to CVE-2016-5195 on Linux-based systems.
This is 99.9% the work of the author of the exploit, i just made some minor changes to transform this into a test suite.
Download: DirtyCow Test-Suite
Important: Activate USB-Debugging to get adb-shell running!
How-to-test:
Code:
Download the test suite from above server
Unpack the .zip
Attach your device via USB to your PC
./testvuln.sh
If vulnerable, you should see this:
Code:
202 KB/s (10000 bytes in 0.048s)
131 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
UID=0(root), your device is vulnerable!
Otherwise if not vulnerable something like this:
Code:
140 KB/s (10000 bytes in 0.069s)
133 KB/s (5904 bytes in 0.043s)
Running exploit, may take some time
run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]
Source (You can build it yourself via ndk):
https://www.androidfilehost.com/?fid=457095661767106997
Hint: Should work on all ARMv8 devices!
As I understand this would give a root adb shell and therefore I could root my Z5 Compact and install supersu? I only want to remove some garbage apps without unlocking the Boatloader.
tavoc said:
As I understand this would give a root adb shell and therefore I could root my Z5 Compact and install supersu? I only want to remove some garbage apps without unlocking the Boatloader.
Click to expand...
Click to collapse
This elevates privileges of a process. If you want a root shell you must do some modifications to the code, but this can potentially root all DirtyCow affected devices.
Thanks, I will have a look at your code. Maybe a github account would be nice for Pull request etc.
tavoc said:
Thanks, I will have a look at your code. Maybe a github account would be nice for Pull request etc.
Click to expand...
Click to collapse
Best thing you can do is fork this, i made some changes which contradict your desire of a root tool.
So this script is not working under Windows, ist that right?
So we can get root shell? but I don't think we can change the system partition without kernel changing right?
Or we can?
My question is can we root the device with this method?
DannyWilde said:
So this script is not working under Windows, ist that right?
Click to expand...
Click to collapse
For windows,download adb tools, copy all binary to adb folder and enter following in a terminal:
Code:
adb push dirtycow /data/local/tmp/dirtycow
adb push run-as /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
sijav said:
So we can get root shell? but I don't think we can change the system partition without kernel changing right?
Or we can?
My question is can we root the device with this method?
Click to expand...
Click to collapse
1. Yes
2. Yes
3. Yes, potentially
Tommy-Geenexus said:
For windows,download adb tools, copy all binary to adb folder and enter following in a terminal:
Code:
adb push dirtycow /data/local/tmp/dirtycow
adb push run-as /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
adb shell /system/bin/run-as
Click to expand...
Click to collapse
on
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
i get "not found"
on
adb shell /system/bin/run-as
i get "run-as: Usage:
run-as <package-name> [--user <uid>] <command> [<args>]"
run-as process has only 2 capabilities(setuid/setgid), also with selinux restriction, it cannot exec any shell even get elevated privilege ...
super_apache said:
run-as process has only 2 capabilities(setuid/setgid), also with selinux restriction, it cannot exec any shell even get elevated privilege ...
Click to expand...
Click to collapse
I know. This is not a root tool, this is just to test vulnerability.
Edit: Not sure if this was directed at me or the guy asking the root q, anyway this answers the root q.
Would be nice to have a working root exploit for Marshmallow. Keep us updated please'
To those asking about root (SuperSu) you must remember that with a locked bootloader you can't edit kernel or system partition.
As said elsewhere, there s no way to "root" without unlocking bl
ninestarkoko said:
Would be nice to have a working root exploit for Marshmallow. Keep us updated please'
To those asking about root (SuperSu) you must remember that with a locked bootloader you can't edit kernel or system partition.
As said elsewhere, there s no way to "root" without unlocking bl
Click to expand...
Click to collapse
This is the wrong thread then. I definitly do not have enough knowledge to get any kind of exploit working.
Best ping your favorite hacker and try to convince him to write an exploit.
ninestarkoko said:
Would be nice to have a working root exploit for Marshmallow. Keep us updated please'
To those asking about root (SuperSu) you must remember that with a locked bootloader you can't edit kernel or system partition.
As said elsewhere, there s no way to "root" without unlocking bl
Click to expand...
Click to collapse
Have a look at this thread. They managed to root the BLU R1 HD v6
http://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882/
Tommy-Geenexus said:
This is the wrong thread then. I definitly do not have enough knowledge to get any kind of exploit working.
Best ping your favorite hacker and try to convince him to write an exploit.
Click to expand...
Click to collapse
Sorry i misunderstood too. I thought you was planning to use it practically to create an exploit for MM.
I don't think it's necessary as we already have an exploit for LP, though it would be nice.
YuriRM said:
Have a look at this thread. They managed to root the BLU R1 HD v6
http://forum.xda-developers.com/r1-hd/how-to/blu-r1-hd-v6-6-dirtycowed-f-amazon-root-t3490882/
Click to expand...
Click to collapse
"WARNING UNLOCKING YOUR BOOTLOADER WILL WIPE DATA AND FACTORY RESET THE DEVICE"
they unlock the bootloader using fastboot command
How's everything going here? After reading various threads and Googling for hours, this seems to be the best chance to be able to permanently root the Z5 Compact with a locked bootloader.
Really hope you're onto something and are well rested after Christmas
wessok said:
How's everything going here? After reading various threads and Googling for hours, this seems to be the best chance to be able to permanently root the Z5 Compact with a locked bootloader.
Really hope you're onto something and are well rested after Christmas
Click to expand...
Click to collapse
Googleing for hours and didn't understand a simple sentence (in my post above) or the technical reasons behind that (in many threads) ? Stop your search now, unlock it and live happily.