EDIT: This does work for us.. Confirmed! Screenshot page 2.
Thanks @Turge for the help with this. Great Mod!!
Turge has posted a way to change radios on the OneX+ which is still s-on. Does anyone with some dev smarts know if this procedure could be ported to the one? Thought it was interesting and wanted to share. Hopefully it helps. Turge's original thread for One X+ http://forum.xda-developers.com/showthread.php?t=2240968
Turge said:
Description:
This mod enables you to switch radios without actually flashing the radio partition (which requires S-OFF).
How does it work?
The mod flashes the radio files to /system/mdm. On boot up, if the radio exists in this location, the radio partition will be unmounted and a symbolic link will be created from /firmware/mdm to /system/mdm.
Boot.img Specifications:
Unsecured
init.d support
Requirements:
Unlocked bootloader
Custom boot.img with init.d support (see Downloads below)
Busybox (see Downloads below)
New AT&T (1.19.502.1) or Telus (1.20.661.1) build (Other builds have not been qualified yet)
See my thread: http://forum.xda-developers.com/showthread.php?p=40450319#post40450319
Install:
Download and flash custom boot.img with init.d support for your current build
Example:
Code:
fastboot flash boot c:\boot-1.20.661.1.img
Reboot to Recovery
Flash Busybox zip
Flash desired radio zip
Reboot
Profit
Downloads:
Custom boot.img with init.d support:
AT&T 1.19.502.1: http://www.androidfilehost.com/?fid=22909751817930309 (5MB)
Telus 1.20.661.1: http://www.androidfilehost.com/?fid=22909751817930305 (5MB)
Busybox Install:
Busybox_Install.zip: http://www.androidfilehost.com/?fid=22909751817930298 (2MB)
Radios:
AT&T/Telus 1.09.55.17: http://www.androidfilehost.com/?fid=22909751817930300 (19MB)
AT&T 2.14.55.01: http://www.androidfilehost.com/?fid=22909751817930299 (19MB)
Telus 2.15.55.11: http://www.androidfilehost.com/?fid=22909751817930301 (19MB)
nugzo said:
Turge has posted a way to change radios on the OneX+ which is still s-off.. Does anyone with some dev smarts know if this procedure could be ported to the one? Thought it was interesting and wanted to share. Hopefully it helps.
http://forum.xda-developers.com/showthread.php?t=2240968
Send me the boot.img and I'll let you know..
Turge said:
Send me the boot.img and I'll let you know..
https://dl.dropboxusercontent.com/u/10203258/boot.img Thanks for the quick reply. Guess I shoulda asked you first A
Are you just on the ball like that or do you get a notification when someone posts your name lol
Ahh, the quote probably did it
nugzo said:
https://dl.dropboxusercontent.com/u/10203258/boot.img Thanks for the quick reply. Guess I shoulda asked you first A
Are you just on the ball like that or do you get a notification when someone posts your name lol
Ahh, the quote probably did it
Shouldn't be a problem. I can create something, but need some more info:
1. Which radio do you want to flash? Do you have a link to the firmware? Maybe the OTA? All I'm looking for is the mdm*.img file.
2. Does your boot.img have init.d support? I can update this one and add init.d support if desired.
3. If I'm repackaging the boot.img, how does it get flashed? Can it be flashed via recovery or only through fastboot?
4. Do you need a busybox installer? Busybox/init.d is required for my mod
5. Can you send me an update-binary from the META-INF folder of a working custom ROM? I don't want to download a 1GB zip just for it.
Turge
We want T-Mobile radio! I want to see if a T-Mobile radio will enable penta band on AT&T or dev edition phones.
Sent from my HTC One X
ECEXCURSION said:
We want T-Mobile radio! I want to see if a T-Mobile radio will enable penta band on AT&T or dev edition phones.
Sent from my HTC One X
Do you have a link to the ruu?
Turge said:
Shouldn't be a problem. I can create something, but need some more info:
1. Which radio do you want to flash? Do you have a link to the firmware? Maybe the OTA? All I'm looking for is the mdm*.img file.
2. Does your boot.img have init.d support? I can update this one and add init.d support if desired.
3. If I'm repackaging the boot.img, how does it get flashed? Can it be flashed via recovery or only through fastboot?
4. Do you need a busybox installer? Busybox/init.d is required for my mod
5. Can you send me an update-binary from the META-INF folder of a working custom ROM? I don't want to download a 1GB zip just for it.
Turge
boot.img gets flashed through fastboot. I don't have any particular radio in mind yet, just wanted to share your mod. I am having some LTE speed issues but not sure if an international radio will work for me, probably not. I'm in the US (AT&T) and all the custom ROMs and kernels are from non-US bases. This is a unique phone, AT&T and International can use the same ROMs finally (unlike the One X+).
Yes, the kernel has init.d support. Not sure about busybox.
This is the ROM I'm using atm. But if you want to test anything I can change ROMs to whatever you request. Here is the update-binary: https://dl.dropboxusercontent.com/u/10203258/update-binary
And here is Mike1986's firmware package from the latest WWE RUU. My CID is not supported so I can't flash the firmware package. I think that's everything you needed.
Well, on the ROM I'm using I guess the kernel can flash through recovery. This is from the ROM details: "Kernels get flashed through recovery (thanks xHausx)"
Turge said:
Do you have a link to the ruu?
Unfortunately I couldn't find an RUU. :-/ but it seems Tachi91 is under the impression that this will not enable all bands anyway. I just thought it was worth a try.
nugzo said:
boot.img gets flashed through fastboot. I don't have any particular radio in mind yet, just wanted to share your mod. I am having some LTE speed issues but not sure if an international radio will work for me, probably not. I'm in the US (AT&T) and all the custom ROMs and kernels are from non-US bases. This is a unique phone, AT&T and International can use the same ROMs finally (unlike the One X+).
Yes, the kernel has init.d support. Not sure about busybox.
This is the ROM I'm using atm. But if you want to test anything I can change ROMs to whatever you request. Here is the update-binary: https://dl.dropboxusercontent.com/u/10203258/update-binary
And here is Mike1986's firmware package from the latest WWE RUU. My CID is not supported so I can't flash the firmware package. I think that's everything you needed.
Well, on the ROM I'm using I guess the kernel can flash through recovery. This is from the ROM details: "Kernels get flashed through recovery (thanks xHausx)"
Give this a shot: http://www.androidfilehost.com/?fid=22909751817930629 (23MB)
If it doesn't change the firmware version, run "adb shell busybox sh /system/etc/init.d/00firmware" and post the output.
You can also post the output of "adb shell mount"
To get rid of the mod, delete "/system/etc/init.d/00firmware" or "/system/mdm" or both.
Turge said:
Give this a shot: http://www.androidfilehost.com/?fid=22909751817930629 (23MB)
If it doesn't change the firmware version, run "adb shell busybox sh /system/etc/init.d/00firmware" and post the output.
You can also post the output of "adb shell mount"
To get rid of the mod, delete "/system/etc/init.d/00firmware" or "/system/mdm" or both.
Ok thanks so much. Just gave it a shot. Radio version did not change. Ran command adb shell busybox sh /system/etc/init.d/00firmware and got this.
Code:
D:\Storage\Android Stuff\ASDK\platform-tools>adb shell busybox sh /system/etc/init.d/00firmware
sh: applet not found
And adb shell mount
Code:
D:\Storage\Android Stuff\ASDK\platform-tools>adb shell mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
none /dev/timer_group cgroup rw,relatime,timer_slack 0 0
/dev/block/mmcblk0p35 /system ext4 ro,relatime,nobarrier,data=ordered 0 0
/dev/block/mmcblk0p37 /data ext4 rw,nosuid,nodev,noatime,discard,nobarrier,noauto_da_alloc,data=ordered 0 0
/dev/block/mmcblk0p36 /cache ext4 rw,nosuid,nodev,noatime,nobarrier,data=ordered 0 0
/dev/block/mmcblk0p22 /devlog ext4 rw,nosuid,nodev,noatime,nobarrier,errors=continue,data=ordered 0 0
tmpfs /data/qcks tmpfs rw,relatime,size=20480k,mode=750,gid=1000 0 0
tmpfs /data/efs tmpfs rw,relatime,size=20480k,mode=750,gid=1000 0 0
tmpfs /data/secure/data tmpfs rw,relatime,mode=755,gid=1000 0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/mmcblk0p16 /firmware/q6 vfat ro,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
DxDrmServerIpc /data/DxDrm/fuse fuse.DxDrmServerIpc rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
D:\Storage\Android Stuff\ASDK\platform-tools>
2 more:
adb shell busybox sh
adb shell ls -l /system/etc/init.d
Sent from my HTC One X using Tapatalk 2
Turge said:
2 more:
adb shell busybox sh
adb shell ls -l /system/etc/init.d
Sent from my HTC One X using Tapatalk 2
D:\Storage\Android Stuff\ASDK\platform-tools>adb shell busybox sh
sh: applet not found
D:\Storage\Android Stuff\ASDK\platform-tools>adb shell ls -l /system/etc/init.d
-rwxrwxrwx root shell 621 2008-08-01 08:00 00firmware
-rwxrwxrwx root shell 2572 2008-08-01 08:00 01renovate
-rwxrwxrwx root shell 1878 2008-08-01 08:00 85sqlite
-rwxrwxrwx root shell 598 2008-08-01 08:00 90initdtest
-rwxrwxrwx root shell 1601 2008-08-01 08:00 99pure
-rwxrwxrwx root shell 66 2008-08-01 08:00 99sysctl
D:\Storage\Android Stuff\ASDK\platform-tools>
Edit: just realized I didn't have busybox installed. Installing now and gonna reflash the mod.
Same result.
Turge said:
2 more:
adb shell busybox sh
adb shell ls -l /system/etc/init.d
Sent from my HTC One X using Tapatalk 2
Is the busybox in the Play Store the same as the one you posted in your mod thread? I had to use the one from the Play Store because the MID check failed during the Aroma install for the one in your thread.
Turge said:
Give this a shot: http://www.androidfilehost.com/?fid=22909751817930629 (23MB)
If it doesn't change the firmware version, run "adb shell busybox sh /system/etc/init.d/00firmware" and post the output.
You can also post the output of "adb shell mount"
To get rid of the mod, delete "/system/etc/init.d/00firmware" or "/system/mdm" or both.
OK, after manually pushing the busybox from your installer to xbin, I get this when I run the busybox commands:
Code:
D:\Storage\Android Stuff\ASDK\platform-tools>adb shell busybox sh
/system/bin/sh: busybox: can't execute: Permission denied
D:\Storage\Android Stuff\ASDK\platform-tools>adb shell busybox sh /system/etc/init.d/00firmware
/system/bin/sh: busybox: can't execute: Permission denied
Gonna wipe everything and start from scratch.
And if it's successful, am I looking for the build number to change or the baseband number to change?
Edit: tried everything again and neither the baseband nor the build number changed.
nugzo said:
Gonna wipe everything and start from scratch.
And if it's successful, am I looking for the build number to change or the baseband number to change?
Try running adb shell and typing "su" then run the commands above without the "adb shell" part
Sent from my HTC One X using Tapatalk 2
Turge said:
Try running adb shell and typing "su" then run the commands above without the "adb shell" part
Sent from my HTC One X using Tapatalk 2
Getting the same thing: applet not found. I installed busybox from the Play Store. If I push your busybox to the xbin folder I get the permission denied response when running the commands.
nugzo said:
Getting the same thing: applet not found. I installed busybox from the Play Store. If I push your busybox to the xbin folder I get the permission denied response when running the commands.
Tell me your radio version before applying the mod. You need to find a different radio to verify if it works. Meanwhile, try this:
adb shell
$ su
# sh /system/etc/init.d/00firmware
Ignore the $ and # signs
Sent from my HTC Flyer P512 using xda app-developers app
Namit1994 said:
Tell me your radio version before applying the mod. You need to find a different radio to verify if it works. Meanwhile, try this:
adb shell
$ su
# sh /system/etc/init.d/00firmware
Ignore the $ and # signs
Sent from my HTC Flyer P512 using xda app-developers app
My radio should be different, ATT radio 4A 14.3250.13_10.33.1150.01L
[email protected]/# /system/etc/init.d/00firmware
/system/etc/init.d/00firmware
00firmware
**VENOM: mdmFolder: /system/mdm
**VENOM: Flag File: /system/mdm/radiover.cfg
**VENOM: Mounting /system/mdm to /firmware/mdm
[email protected]/#
nugzo said:
My radio should be different, ATT radio 4A 14.3250.13_10.33.1150.01L
[email protected]/# /system/etc/init.d/00firmware
/system/etc/init.d/00firmware
00firmware
**VENOM: mdmFolder: /system/mdm
**VENOM: Flag File: /system/mdm/radiover.cfg
**VENOM: Mounting /system/mdm to /firmware/mdm
[email protected]/#
Looks like the script ran, but the radio from Turge's package is also 4A 14.3250.13 (same as your AT&T). We cannot be sure if it worked because the radio is the same version anyway. We need to mount an older radio with a different number.
Turge said:
Do you have a link to the ruu?
Turge, it seems your package uses the same radio that nugzo's device already has. Would you mind creating a new package from an older radio with a different version number?
This is the link to the RUU with a different radio version (4A.13.3231.20 instead of 4A.14.3250.13):
http://www.androidfiles.org/ruu/sec...0_10.30.1131.05_release_309365_signed_2_4.exe
Before I start, can we please keep the n00bish comments away from this thread. I have experience in doing this, and if I/we find a solution to this rooting drama, I'll post a how-to. A simple "Thanks, this will keep my fingers crossed" post is all that's enough to spark a chain reaction and fuel the fire knowing that we've got a strong user base that can help us test out our hacks.
Let's get down to business, shall we?
Mount Points:
This is the list of mount points that can be retrieved by issuing a simple 'mount' command on the adb shell, while your device is in USB Debugging (Settings > Applications > Development). Or in a terminal emulator.
rootfs / rootfs ro 0 0
[X]tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
[!] tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
[!!]/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8 0 0
I've added [X], [!] and [!!] to point out what we can do. The one with the cross is a no-go: despite being a tmpfs (TeMPorary File System), we can't write to it, and /dev/shm doesn't exist either. On Linux systems /dev/shm is commonly a RAM drive; anything written there goes bye-byes on reboot.
The second one, /sqlite_stmt_journals, is mounted as RW, aka Read Write. Yes, we can run shell scripts; you do 'sh myscript.sh' from a terminal emulator or the adb shell to get them to run. Surprise - no noexec (no executables) flag, so we can *possibly* run some custom non-root software! Downside? Only 4MB to play with. Shoot.
The second one is the main target. /system is where Android is held, locked up in a RO filesystem. RO is Read Only. In other words, we can look but can't touch. (Bummer.) This is where we try to get into (with superuser apk and such), but it restricts us. If we can remount this sucker RW... Well, I did try:
$ mkdir /sdcard/test && mount -t yaffs2 -o rw /dev/block/mtdblock /sdcard/test
mkdir failed for /sdcard/test, File exists
$ mount -t yaffs2 -o rw /dev/block/mtdblock3 /sdcard/test
mount -t yaffs2 -o rw /dev/block/mtdblock3 /sdcard/test
mount: Operation not permitted
$ mount -t yaffs2 -o ro /dev/block/mtdblock3 /sdcard/test
mount -t yaffs2 -o ro /dev/block/mtdblock3 /sdcard/test
mount: Operation not permitted
$
...But it failed. /sdcard/test was the mount point on my sdcard that I wanted it to be accessed from, so I could just simply go "bang bang bang woot! GOLD! ". But no. Silly HTC.
Teh fastboot way of life:
Power off your HTC Tattoo and hold VOL Down while pressing the End Call/Power Button to enter the bootloader menu. Let the device scan for some DIAG ramdisk images (Test/Diagnostics mode?). After that, press the back button to enter the fastboot USB menu. While there, open a command prompt (on PC), change to the path where you downloaded fastboot (you can nab the said tool by downloading modaco's superboot 1.2 zip file in a thread in this category). Replace fastboot-windows with fastboot-linux, etc.
C:\Users\Coburn\Downloads\Tattoo>fastboot-windows oem boot tattoo.superboot.img
... INFOsetup_tag addr=0xA0000100 cmdline add=0x8D05E538
INFOTAG:Ramdisk OK
INFOTAG:smi ok, size = 0
INFOTAG:hwid 0x1
INFOTAG:skuid 0x1FC04
INFOTAG:hero panel = 0x0
INFOTAG:engineerid = 0x0
INFOMCP dual-die
INFOMCP dual-die
INFOTAG:mono-die = 0x0
INFODevice CID is not super CID
INFOCID is VODAP001
INFOsetting.cid::VODAP001
INFOserial number: HT99SLG03779
INFOcommandline from head: no_console_suspend=1 console=null
INFOcommand line length =404
INFOactive commandline: board_bahamas.disable_uart3=0 board_baha
INFOmas.usb_h2w_sw=0 board_bahamas.disable_sdcard=0 diag.enabled
INFO=0 board_bahamas.debug_uart=0 smisize=0 androidboot.baseban
INFOd=3.35.07.20 androidboot.cid=VODAP001 androidboot.carrier=VO
INFODA-UK androidboot.mid=CLIC10000 androidboot.keycaps=qwerty a
INFOndroidboot.mode=normal androidboot.serialno=HT99SLG03779 and
INFOroidboot.bootloader=0.52.0001 no_console_suspend=1 console=n
INFOull
INFOaARM_Partion[0].name=misc
INFOaARM_Partion[1].name=recovery
INFOaARM_Partion[2].name=boot
INFOaARM_Partion[3].name=system
INFOaARM_Partion[4].name=cache
INFOaARM_Partion[5].name=userdata
INFOpartition number=6
INFOValid partition num=6
INFO0
INFO0
INFO69466957
INFO69784520
INFO69007473
INFO7473
INFO0
INFO0
INFO0
INFO0
INFO0
INFO0
[....]
FAILED (status read failed (Too many links))
Oh my! Look at that! Did I just get a kernel parameter dump?! I tried the oem boot method using paul's superboot boot.img, and that's the data that it spat back. When it rebooted, it did the vibration like it would do on a cold boot. There was a lot of INFO0s though... Then it died with "Too many links". Aww. A Misc Partition?! WHAT?! Who knows what's there... (HTC, what are you hiding from us that you shouldn't be?)
Also, if we can force a custom kernel parameter with the "fastboot -c <something to make kernel remount system rw> oem boot" command, we may have an idea.
reboot-bootloader doesn't seem to work... "FAILED: remote (not allow)."
See below:
usage: fastboot [ <option> ] <command>
commands:
update <filename> reflash device from update.zip
flashall flash boot + recovery + system
flash <partition> [ <filename> ] write a file to a flash partition
erase <partition> erase a flash partition
getvar <variable> display a bootloader variable
boot <kernel> [ <ramdisk> ] download and boot kernel
flash:raw boot <kernel> [ <ramdisk> ] create bootimage and flash it
devices list all connected devices
reboot reboot device normally
reboot-bootloader reboot device into bootloader
options:
-w erase userdata and cache
-s <serial number> specify device serial number
-p <product> specify product name
-c <cmdline> override kernel commandline
-i <vendor id> specify a custom USB vendor id
I'm tapped. I hope this helps us in any way, it took about an hour to type (and copy/paste from CMD on Windows 7).
Remember: It's our phone, not theirs. We're breaking free - if Android is open source, why isn't the hardware?
Cheers (and please don't forget to buy me a coffee! ),
Coburn64.
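As an added example (not code from either thread), the check Turge asked for in the first thread ("post the output of adb shell mount") and the mount-table review Coburn64 did by hand above can both be done with the parser below. It reads a pasted `adb shell mount` session in /proc/mounts format, re-joins lines that an 80-column console paste wraps (the join rule and all function names are my assumptions), and reports which filesystems are rw without noexec and whether /firmware/mdm is still mounted; the sample input is a constructed excerpt of nugzo's pasted output.

```python
import re
from dataclasses import dataclass

# /proc/mounts-style lines (what nugzo's `adb shell mount` printed) end with the
# two numeric dump/pass fields, e.g. "... data=ordered 0 0".
_ENDS_WITH_DUMP_PASS = re.compile(r"\s\d+\s+\d+$")
_ONLY_DUMP_PASS = re.compile(r"^\d+\s+\d+$")
# Windows (D:\...>) or shell ($ / #) prompts copied along with the session.
_PROMPT = re.compile(r"^[A-Za-z]:\\|^[$#] ")


@dataclass(frozen=True)
class MountEntry:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset

    @property
    def writable(self) -> bool:
        return "rw" in self.options

    @property
    def executable(self) -> bool:
        return "noexec" not in self.options  # mount flag only; file modes still apply


def join_wrapped_lines(text: str) -> list:
    """Undo the 80-column wrapping of a pasted console session.

    Assumed rule (mine, not from the thread): a physical line that does not end
    in the dump/pass pair continues on the next line. The continuation is glued
    with no separator, since the console broke a token ("noaut" + "o_da_alloc"),
    unless it is only "0 0", which the original preceded with a space. A wrap
    landing exactly on another field boundary is not recoverable from a paste.
    """
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _PROMPT.match(line):
            continue
        if pending:
            line = pending + (" " if _ONLY_DUMP_PASS.match(line) else "") + line
        if _ENDS_WITH_DUMP_PASS.search(line):
            logical.append(line)
            pending = ""
        else:
            pending = line
    if pending:
        logical.append(pending)  # leftover fragment; parse_entry() drops it
    return logical


def parse_entry(line: str):
    """One logical line -> MountEntry, or None for anything that is not a mount."""
    parts = line.split()
    if len(parts) < 6 or not _ENDS_WITH_DUMP_PASS.search(line):
        return None
    device, mountpoint, fstype, opts = parts[:4]
    return MountEntry(device, mountpoint, fstype, frozenset(opts.split(",")))


def parse_mount_output(text: str) -> list:
    return [e for e in map(parse_entry, join_wrapped_lines(text)) if e is not None]


def find_mount(entries, mountpoint: str):
    return next((e for e in entries if e.mountpoint == mountpoint), None)


def writable_executable_mounts(entries) -> list:
    """Coburn64's [!] criterion: mounted rw and without a noexec flag."""
    return sorted(e.mountpoint for e in entries if e.writable and e.executable)


def radio_mod_report(entries) -> dict:
    """The facts behind Turge's "post the output of adb shell mount": the mod
    unmounts /firmware/mdm and symlinks it to /system/mdm, so a /firmware/mdm
    that is still mounted means that unmount has not happened. /firmware/q6 is
    untouched by the mod, and /system is normally ro after boot."""
    system = find_mount(entries, "/system")
    return {
        "firmware_mdm_mounted": find_mount(entries, "/firmware/mdm") is not None,
        "firmware_q6_mounted": find_mount(entries, "/firmware/q6") is not None,
        "system_writable": bool(system and system.writable),
    }


# Constructed sample: an excerpt of the `adb shell mount` session from the
# radio-mod thread, with the line wraps an 80-column console paste produces.
SAMPLE_ADB_MOUNT = r"""
D:\Storage\Android Stuff\ASDK\platform-tools>adb shell mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
/dev/block/mmcblk0p35 /system ext4 ro,relatime,nobarrier,data=ordered 0 0
/dev/block/mmcblk0p37 /data ext4 rw,nosuid,nodev,noatime,discard,nobarrier,noaut
o_da_alloc,data=ordered 0 0
/dev/block/mmcblk0p36 /cache ext4 rw,nosuid,nodev,noatime,nobarrier,data=ordered
0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1
023,default_permissions,allow_other 0 0
/dev/block/mmcblk0p16 /firmware/q6 vfat ro,relatime,fmask=0000,dmask=0000,allow_
utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro
0 0
"""
```

Run `radio_mod_report(parse_mount_output(SAMPLE_ADB_MOUNT))` on a real paste to get the three facts; in the sample, as in nugzo's output, /firmware/q6 is mounted and /firmware/mdm is not.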
Thanks coburn and f..k HTC
Good investigative work!
One point tho...
Coburn64 said:
The second one, /sqlite_stmt_journals, is mounted as RW, aka Read Write. Yes, we can run shell scripts; you do 'sh myscript.sh' from a terminal emulator or the adb shell to get them to run. Surprise - no noexec (no executables) flag, so we can *possibly* run some custom non-root software! Downside? Only 4MB to play with. Shoot.
What does this allow that we can't already do on /data? We can already push executables to /data/local and chmod and execute them... I believe this approach has already been tried for trying asroot2, try3 etc. exploits and the like.
The Tattoo seems pretty tight (altho of course nothing is impenetrable), our best bet is likely to be a leak of a S-OFF bootloader or an as yet unpatched kernel exploit?
P
List of options for "fastboot oem":
Code:
$ ./fastboot.exe oem h
... INFOcommand list
INFOkeytest
INFOheap
INFOboot
INFOreset
INFOpowerdown
INFOrebootRUU
INFOenableqxdm
INFOrtask
INFOtask
OKAY
rebootRUU is particularly useful; it enables RUU mode without having to go through "adb shell reboot oem-78".
@modaco: Every time I tried to write something in /data/local, I kept getting the message "Permission Denied" like I didn't have write permissions or anything. How did you manage to do this?
@mainfram3: Nice work! I know 'fastboot oem boot' reboots the phone to flashed ROM (even if you try to force a custom image down it's throat) but this is rather interesting.
I wonder what 'fastboot oem enableqxdm' does? I'll try it out tonight...
EDIT: Looking at some exploits, there's a 2.4/2.6 kernel "sock_sendpage() NULL pointer dereference" exploit here on milw0rm.com. Does anyone know what kernel source version on HTC's Dev site is?
enable qxdm enables support for the Qualcomm qxdm debug tool.
Hmmm, like I say, I don't have a tattoo yet, but you can normally write to /data/local. Strange!
P
Coburn64 said:
EDIT: Looking at some exploits, there's a 2.4/2.6 kernel "sock_sendpage() NULL pointer dereference" exploit here on milw0rm.com. Does anyone know what kernel source version on HTC's Dev site is?
That's a very nice find! From the source, Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 are vulnerable. Our Tattoos are running 2.6.29
We need a skilled kernel developer to port this to the Android, since the exploit relies on low level assembly code :S
mainfram3 said:
That's a very nice find! From the source, Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 are vulnerable. Our Tattoos are running 2.6.29
We need a skilled kernel developer to port this to the Android, since the exploit relies on low level assembly code :S
Confirmed, we're running 2.6.29 on the official ROMs. This looks promising.
mainfram3 said:
That's a very nice find! From the source, Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 are vulnerable. Our Tattoos are running 2.6.29
We need a skilled kernel developer to port this to the Android, since the exploit relies on low level assembly code :S
I wrote to author of FlashRec. Waiting for answer)
5[Strogino] said:
I wrote to author of FlashRec. Waiting for answer)
Awesome. What's flashrec anyway?
I was feeling adventurous and decided to try some other rooting attempts that have succeeded on other phones. The fun thing was, I could get so close to the finishing line, when the Tattoo would kill the process (asroot2, try3, etc).
Damn. However, we can't give up - the goal is just in sight, we'll get there - we need to reroute the plan.
Coburn64 said:
Awesome. What's flashrec anyway?
I was feeling adventurous and decided to try some other rooting attempts that have succeeded on other phones. The fun thing was, I could get so close to the finishing line, when the Tattoo would kill the process (asroot2, try3, etc).
Damn. However, we can't give up - the goal is just in sight, we'll get there - we need to reroute the plan.
FlashRec is an application for the HTC Magic with an exploit inside, to install a custom recovery on systems with old Cupcake ROMs.
http://zenthought.org/content/project/flashrec
When HTC closed down the hole that FlashRec used, it became unusable.
But mainfram3 found a new hope. Not only Tattoo users, Magic users (who are stuck at the new Hboot 1.76.00XX) have this hope too)
5[Strogino] said:
But mainfram3 found a new hope.
You meant Coburn64
And also let's not forget Droid Eris users, they're stuck in the same place we are, and they seem to be a much larger group.
this is personal now!!
I know that they have just added support for the Sprint Hero in FlashRec; I think it's on version 1.4 now!
All we need is to find a small hole in the system that lets us write directly to the device, passing all the security sh*t.
I have been in contact with the HTC tech center but have not been able to come through yet.
I will request an ENG S-OFF and matching radio!
I will also take a look at the exploit code for the 2.6.29 kernel.
I really hope we will get this working, as I have already made a custom ROM and recovery.img for it! hehe...
/data/local is writable, so is /sqlite_stmt_journals. The latter is restricted to 4MB, while the first has a lot of space (the rest of the /data partition).
Oh, and I can write to the data/local directory, I have to use adb push to get files on there.
Oddly enough, it allowed me to install a Hero super user APK on my Tattoo. Now, this is getting fun. Could someone disguise asroot2 or something inside an app, package it up as a APK and get android to install it?
I tried the asroot2, try3 and such but I got:
[1] Killed /data/local/asroot2
...like there's some watchdog feature inside the kernel or something. :-/
UPDATE: I'm working on a busybox hack for the tattoo. The aim of this is to get busybox installed on the device, so I can dump the NAND chip partitions and get that SPL.
Fingers crossed, and we also have found the debugging ROM for the Tattoo! So yeah, hehe...
Coburn64 said:
UPDATE: I'm working on a busybox hack for the tattoo. The aim of this is to get busybox installed on the device, so I can dump the NAND chip partitions and get that SPL.
Fingers crossed, and we also have found the debugging ROM for the Tattoo! So yeah, hehe...
Respect!! Hope for success, thanks for your effort
Thank you for your hard work!
I thought the rooting of tattoo died when benham ceased to exist in another tattoo-related forum and now i stumble upon this!
Crossing fingers!^^
Musenkishi said:
Thank you for your hard work!
I thought the rooting of tattoo died when benham ceased to exist in another tattoo-related forum and now i stumble upon this!
Crossing fingers!^^
Heh.
BUMP: My Busybox Hack is now live! Get it and install the sucker on your phone!
I need the following directories of a stock phone (no custom recovery/boot applied):
Tar it up and send them my way.
/.info
/lib
/lib/modules
/res
/res/images
/sbin
/sbin/images
Any files found in the / (root) directory.
my phone is stock minus the apps I've removed. I don't know how to copy this info but I will be happy to figure it out and get it done if no one else is already doing this.
If rooted is alright, let me know and I will get you what you need.
What is the best way to get the files to you?
What program can get that information on a stock vibrant? Or would we need root?
Sent from my Vibrant using xda app
I think you need at least root to have busybox installed that gives you the cp function but I could be wrong.
Without root which busybox comes with.. I don't know that the software allows a copy feature.
If nobody gets them to you by the time I get home from work then I will pull them for you.
Sent from my SGH-T959 using XDA App
Koush said:
I need the following directories of a stock phone (no custom recovery/boot applied):
Tar it up and send them my way (ignore the numbers, just note the directory name).
dir /.info 755 0 0
dir /dev 755 0 0
dir /lib 755 0 0
dir /lib/modules 755 0 0
dir /mnt 755 0 0
dir /mnt/.lfs 755 0 0
dir /proc 755 0 0
dir /res 755 0 0
dir /res/images 755 0 0
dir /sbin 755 0 0
dir /sbin/images 755 0 0
dir /sd-ext 755 0 0
dir /sys 755 0 0
dir /system 755 0 0
dir /system/etc 755 0 0
dir /tmp 755 0 0
dir /tmp/bootchart 755 0 0
pulling as I type
EDIT: ok, I was able to pull everything except /mnt, /info, and /sd-ext. I have the .tgz file. where do I send it? it's over 300mb
jroid did you just make a new folder with
mkdir then use cp of those requested folders? Newbie just trying to make sure I'm doing something the best way.
thanks
jroid said:
pulling as I type
EDIT: ok, I was able to pull everything except /mnt, /info, and /sd-ext. I have the .tgz file. where do I send it? it's over 300mb
I was having an issue grabbing the /proc directory for some reason. Since he got the others I am attaching /mnt and /.info.
/sd-ext I could not find......
msw1382 said:
I was having an issue grabbing the /proc directory for some reason. Since he got the others I am attaching /mnt and /.info.
/sd-ext I could not find......
/mnt: my terminal said it was pulled, but the folder I extracted it to didn't show anything, so I'm assuming it didn't pull. Thanks
rsfaze said:
jroid did you just make a new folder with
mkdir then use cp of those requested folders? Newbie just trying to make sure I'm doing something the best way.
thanks
No, I adb pulled everything separately.
Koush,
I can help you. But when I try to adb pull these things, esp. in proc, the process just stops.
If I remove proc from the list, then it pulls some, then just reboots.
Is there a special way to do so?
Thanks
I went and trimmed down what I need to just this following list:
/.info
/lib
/lib/modules
/res
/res/images
/sbin
/sbin/images
That should make the resultant package less than 20mb. Let me know!
A raw dump of the boot area would also help (this is completely safe, just type it properly):
dd if=/dev/block/bml7 of=/sdcard/bml7.img
Then send me /sdcard/bml7.img
Koush said:
A raw dump of the boot area would also help (this is completely safe, just type it properly):
dd if=/dev/block/bml7 out=/sdcard/bml7.img
Then send me /sdcard/bml7.img
OLD: dd if=/dev/block/bml7 out=/sdcard/bml7.img
NEW: Should be dd if=/dev/block/bml7 of=/sdcard/bml7.img
Here you go.
Don't know if this is what you want, but I thought I'd throw my completely stock, no-root files up here... Astro let me copy them with no problems.
The img of course can't be made without root.
daropedia said:
Don't know if this is what you want, but I thought I'd throw my completely stock, no-root files up here... Astro let me copy them with no problems.
The img of course can't be made without root.
Awesome! Can you also send me the files in the root directory? I.e., init.rc, recovery.rc, and whatever else you find?
here you go
Thanks for the hard work... here's mine.
xspeed9190 said:
Thanks for the hard work... here's mine.
The directory structure isn't preserved in this properly (seems all mashed together). All I need now is the files in the root directory!
Koush said:
The directory structure isn't preserved in this properly (seems all mashed together). All I need now is the files in the root directory!
Well, hopefully this helps, here are all the random files I found in my root dir.
Thanks for the hard work.
cheers!
Hello,
I'm new to Android and I'm interested in rooting and flashing custom ROMs, but I need some help.
I have a T-Mobile G1 with:
FW version: 1.6
baseband version: 62.50SC.20.17H_2.22.23.02
kernel version: 2.6.29-00479-g3c7df37
[email protected] #19
build number: DMD64
I googled a lot on how to root and flash a custom ROM and I saw that I need to downgrade and then root and flash, and I also saw that some people are having trouble downgrading... but still, that's not the issue.
My question that I couldn't find an answer to is:
When I put the DREAIMG.nbh on the SD card and flash, it will flash an older version of Android, but as I understood it this will not affect the radio. The question is: do I have to downgrade the radio as well or not? Will I brick the phone if I downgrade the firmware but not the radio?
Here and on the unlockr, the radio wasn't mentioned in the guides.
And as you can see in "[How-to] downgrade T-Mobile G1 from Donut (1.6) to Cupcake (1.5) and get root" on gphone, the radio version was older... so I don't know.
Any help would be appreciated.
Thanks in advance.
bobo122 said:
Hello,
I'm new to Android and I'm interested in rooting and flashing custom ROMs, but I need some help.
I have a T-Mobile G1 with:
FW version: 1.6
baseband version: 62.50SC.20.17H_2.22.23.02
kernel version: 2.6.29-00479-g3c7df37
[email protected] #19
build number: DMD64
I googled a lot on how to root and flash a custom ROM and I saw that I need to downgrade and then root and flash, and I also saw that some people are having trouble downgrading... but still, that's not the issue.
My question that I couldn't find an answer to is:
When I put the DREAIMG.nbh on the SD card and flash, it will flash an older version of Android, but as I understood it this will not affect the radio. The question is: do I have to downgrade the radio as well or not? Will I brick the phone if I downgrade the firmware but not the radio?
Here and on the unlockr, the radio wasn't mentioned in the guides.
And as you can see in "[How-to] downgrade T-Mobile G1 from Donut (1.6) to Cupcake (1.5) and get root" on gphone, the radio version was older... so I don't know.
Any help would be appreciated.
Thanks in advance.
http://forum.xda-developers.com/showthread.php?t=1098899 Guide to downgrade and root to latest radio and hboot
Again, the radio is not mentioned in downgrading. The guide says downgrade from 1.6 to 1.5 and then update the radio to 2.22.23.02, but I already have this (2.22.23.02) radio installed on my phone, and as I understood it, flashing a new FW doesn't change the radio.
My question is still the same: will downgrading the FW version to 1.5, without downgrading the radio, brick my phone? Should I downgrade the radio as well, or is there no relationship between the radio version and the FW version?
More info:
This is what I get when I turn the phone on while holding the camera button:
DREA100 PVT 32B
HBOOT-0.95.0000
CPLD-4
RADIO-2.22.23.02
Sep 2 2008
Thanks for the reply.
bobo122 said:
Again, the radio is not mentioned in downgrading. The guide says downgrade from 1.6 to 1.5 and then update the radio to 2.22.23.02, but I already have this (2.22.23.02) radio installed on my phone, and as I understood it, flashing a new FW doesn't change the radio.
My question is still the same: will downgrading the FW version to 1.5, without downgrading the radio, brick my phone? Should I downgrade the radio as well, or is there no relationship between the radio version and the FW version?
More info:
This is what I get when I turn the phone on while holding the camera button:
DREA100 PVT 32B
HBOOT-0.95.0000
CPLD-4
RADIO-2.22.23.02
Sep 2 2008
Thanks for the reply.
Yes, you have firmware 1.6 and you need to downgrade to 1.5 in order to root the device!! Trust me, I promise you that is what you are trying to do!! In that guide you get radio 2.22.23.02 again after rooting so you can install the Danger SPL without bricking!! Then you can upgrade to the latest radio after the Danger SPL is flashed!!
What I understand from what you are telling me is that flashing the 1.5 FW will downgrade the radio.
Is that correct? Because that's what has been confusing me since the beginning! I don't know if downgrading the FW will downgrade the radio too or not (and if not, I don't know if my phone will get bricked if I don't downgrade it too).
Thanks
Method 1:
Androot
+
ROM Manager
+
install a custom recovery via ROM Manager
+
install 1.33.2003 (link to 1.33.2003 is on the 2708+ kernel/radio thread) [this only works on T-Mobile Dreams; on Rogers or other Dreams with a 3.xx radio this will cause a brick]
+
follow instructions on the 2708+ thread to install the new radio and ROM
Method 2:
make a gold card
+
put the Orange NBH on the gold card as DREAIMG.nbh [link on 2708+ thread]
+
flash the Orange NBH
+
follow instructions on the 2708+ thread to install the new radio and ROM
No downgrade needed. No need for an ancient radio, no need to get stuck needing to use an old telnet hack, and no need to blindly install the Danger (aka death) SPL.
(And a small note: NBH files contain a radio that is flashed, but since it's flashed from the bootloader, which also flashes the SPL and ROM/recovery and will not force you to boot into recovery, it usually doesn't cause bricks, unless you have other hardware problems.)
Downgrading a ROM from 1.6 to 1.5 will not cause a brick. You may create a brick when you flash a non-compatible SPL / radio using recovery.
As long as your SPL is compatible with your radio, everything will be fine. If you want to be sure that you won't create a brick, you want to flash SPL and radio images only by using fastboot.
Edit: Follow Terry's instructions. He was faster than me and his instructions are much more detailed.
Sent from my Gingerbread on Dream using XDA App
bobo122 said:
What I understand from what you are telling me is that flashing the 1.5 FW will downgrade the radio.
Is that correct? Because that's what has been confusing me since the beginning! I don't know if downgrading the FW will downgrade the radio too or not (and if not, I don't know if my phone will get bricked if I don't downgrade it too).
Thanks
When downgrading to 1.5 you flash the DREAIMG.nbh first, which brings your device to FW 1.0, and yes, it downgrades your radio also!! To
radio- 1.22.12.29
hboot- 0.95.0000
Then when you flash the update.zip it updates you to FW 1.5
radio- 2.22.19.26I
hboot- 0.95.0000
Then you go to Market and download 'OI File Manager' so you can flash recovery, and that is how to root your device (Step 1.)
Then step 2. upgrades your radio and hboot and installs the Danger SPL
radio- 2.22.23.02
hboot- 1.33.2005
Then from there you follow to step 3. and upgrade to the latest radio and hboot
radio- 2.22.28.25
hboot- 1.33.0013d
Then you are free to flash a ROM.
There is no need to install DangerSPL! If you would like to install an engineering SPL, use 1.33.2003(!), otherwise follow Terry's instructions.
Sent from my Gingerbread on Dream using XDA App
AndDiSa said:
There is no need to install DangerSPL! If you would like to install an engineering SPL, use 1.33.2003(!), otherwise follow Terry's instructions.
Sent from my Gingerbread on Dream using XDA App
You need the Danger SPL to upgrade to the latest radio (2.22.28.25) via recovery. If you don't have it, a warning will pop up while flashing the radio file.
ldrifta said:
You need the Danger SPL to upgrade to the latest radio (2.22.28.25) via recovery. If you don't have it, a warning will pop up while flashing the radio file.
Makes no sense ... if you have an engineering SPL you can flash the radio using fastboot without any risk, so why would you flash it using recovery?
Sent from my Gingerbread on Dream using XDA App
AndDiSa said:
Makes no sense ... if you have an engineering SPL you can flash the radio using fastboot without any risk, so why would you flash it using recovery?
Sent from my Gingerbread on Dream using XDA App
It's for the people who don't know how to use fastboot... just an alternative guide to upgrading via recovery. When I first started doing this I had no clue what fastboot was, lol. It's kind of like a last resort, I guess... lol
Sorry for the late reply, I've been a little busy with homework.
Thanks for the help guys, I guess I got what I needed.
I will look for the methods and choose one next weekend, since it's my brother's phone and I'm at the university till then.
I'm getting "an error occurred while attempting to run privileged commands!"
in ROM Manager v4.3.2.1 when trying to flash ClockworkMod recovery.
Any idea?
bobo122 said:
I'm getting "an error occurred while attempting to run privileged commands!"
in ROM Manager v4.3.2.1 when trying to flash ClockworkMod recovery.
Any idea?
Uhh, did you unroot your device? You can only install a custom recovery on 1.5 firmware.
I think it's a root-related issue. I rooted using "Universal Androot".
After some googling I found that I can check whether I'm rooted or not by downloading Terminal Emulator and typing "su". The first time I tried it I got "permission denied" (which means it's not rooted); then I rooted again and tried "su" again, but this time I got "segmentation fault", and then I tried flashing again but got the same error.
here is the content of the log file
Code:
Go for root !
Version: Universal Androot - v1.6.2 beta 5
Detected OS version:4
ls -l /system/etc
-r-xr-x--- root shell 1176 2009-10-04 18:15 init.goldfish.sh
-r--r----- bluetooth bluetooth 935 2009-06-01 13:48 dbus.conf
-rw-r--r-- root root 183 2008-08-01 15:00 pvasflocal.cfg
-rw-r--r-- root root 7276 2009-10-04 18:15 event-log-tags
drwxr-xr-x root root 2008-08-01 15:00 ppp
-r--r--r-- radio audio 44542 2009-06-01 13:48 AudioPara4.csv
-rw-r--r-- root root 2037 2009-10-04 18:15 bookmarks.xml
-r-xr--r-- root root 415 2008-08-01 15:00 install-recovery.sh
-rw-r--r-- root root 6521 2009-10-04 18:15 apns-conf.xml
drwxr-xr-x root root 2008-11-01 04:03 wifi
drwxr-xr-x root root 2008-11-01 04:03 location
-rw-r--r-- root root 1898 2008-11-01 04:03 AudioFilter.csv
drwxr-xr-x root root 2008-11-01 04:03 dhcpcd
drwxr-xr-x root root 2008-11-01 04:03 firmware
-rw-r--r-- root root 25 2008-11-01 04:03 hosts
-rw-r--r-- root root 85 2008-08-01 15:00 01_qcomm_omx.cfg
drwxr-xr-x root root 2010-01-28 17:36 security
-rw-r--r-- root root 60559 2010-01-28 17:36 NOTICE.html.gz
-rw-r--r-- root root 368 2008-08-01 15:00 vold.conf
-rw-r--r-- root root 5220 2008-08-01 15:00 AudioPreProcess.csv
drwxr-xr-x root root 2008-08-01 15:00 permissions
-rw-r--r-- root root 1321 2008-08-01 15:00 contributors.html
-rw-r--r-- root root 682 2008-08-01 15:00 contributors.css
drwxr-xr-x root root 2008-08-01 15:00 bluez
-rw-r--r-- root root 232 2009-06-01 13:48 gps.conf
-rw-r--r-- root root 473 2008-08-01 15:00 pvplayer.cfg
ls -l /system/bin/reboot
lrwxrwxrwx root root 2009-06-01 13:49 reboot -> toolbox
cat /proc/sys/kernel/osrelease
2.6.29-00479-g3c7df37
getprop ro.product.model
T-Mobile G1
getprop ro.product.brand
tmobile
getprop ro.product.name
kila
getprop ro.product.manufacturer
HTC
getprop ro.build.product
dream
ls -l /sqlite_stmt_journals
-rws--x--x root root 16224 2011-06-18 05:19 rootshell
ls -l /data/local/tmp
opendir failed, Permission denied
ls -l /app-cache
/app-cache: No such file or directory
run mount
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
none /dev/cpuctl cgroup rw,cpu 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8 0 0
run df
/dev: 49192K total, 0K used, 49192K available (block size 4096)
/sqlite_stmt_journals: 4096K total, 16K used, 4080K available (block size 4096)
/system: 69120K total, 68940K used, 180K available (block size 4096)
/data: 76544K total, 58920K used, 17624K available (block size 4096)
/cache: 69120K total, 28952K used, 40168K available (block size 4096)
/sdcard: 991488K total, 956912K used, 34576K available (block size 16384)
Preparing Exploit ... :true
Preparing busybox binary ... :true
User selected: Cupcake
Preparing Su binary ... :true
Preparing Superuser apk ... :true, resid:2131034117
Preparing root toolkit script ... :true
Trying to get mount point:/data
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
Trying to get mount point:/system
/dev/block/mtdblock3 /system yaffs2 ro 0 0
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
mkdir /system/xbin
cat su > /system/xbin/su
chmod 04755 /system/xbin/su
ln -s /system/xbin/su /system/bin/su
mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
mount -o remount,rw,nosuid,nodev -t yaffs2 /dev/block/mtdblock5 /data
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
rm /system/bin/su
rm /system/xbin/su
Preparing to execute exploit, do chmod
Executing exploit..
cmd: /data/data/com.corner23.android.universalandroot/files/getroot /dev/block/mtdblock5 yaffs2
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by shakalaca for various devices
[+] Using basedir=/sqlite_stmt_journals, path=/data/data/com.corner23.android.universalandroot/files/getroot
[+] opening NETLINK_KOBJECT_UEVENT socket
[+] sending add message ...
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
Wifi enabled ...
mkdir failed for /system/xbin, File exists
rm failed for /system/app/Superuser.apk, No such file or directory
write: No space left on device
rm failed for /data/local/tmp/rootshell, No such file or directory
Exploit delete success
Install/Uninstall rootkit: true
ls -l /sqlite_stmt_journals
-rws--x--x root root 16224 2011-06-18 05:20 rootshell
ls -l /data/local/tmp
opendir failed, Permission denied
ls -l /app-cache
/app-cache: No such file or directory
run mount
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
none /dev/cpuctl cgroup rw,cpu 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8 0 0
run df
/dev: 49192K total, 0K used, 49192K available (block size 4096)
/sqlite_stmt_journals: 4096K total, 16K used, 4080K available (block size 4096)
/system: 69120K total, 69084K used, 36K available (block size 4096)
/data: 76544K total, 58912K used, 17632K available (block size 4096)
/cache: 69120K total, 28952K used, 40168K available (block size 4096)
/sdcard: 991488K total, 956912K used, 34576K available (block size 16384)
I got that error when I tried rooting it, then I tried unrooting and then rooting again. Did unrooting cause the problem, and is the only way to fix it now downgrading?
Sorry for the double reply, I posted the log using my cellphone.
Thanks
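The Universal Androot log above ends in `write: No space left on device`, and its own `run df` lines show /system with 180K available before the attempt and 36K after, while /system is mounted `ro` in the `run mount` output. As an added example (not code from the thread or from the Universal Androot project), here is a POSIX shell preflight that parses exactly that `run mount` / `run df` format and refuses to proceed when /system lacks the room for what is about to be copied in, reporting a read-only mount along the way. The mount and df lines embedded below are constructed samples in the log's format; the 16224-byte size is the rootshell size printed in the log, while the 40 KiB Superuser.apk and 1700 KiB busybox figures in the usage line are placeholders, not measurements.

```shell
#!/bin/sh
# Added example (not from the thread): a preflight check over Universal Androot-style
# "run mount" / "run df" output before anything is written to /system.

# Constructed sample lines, in the same format as the log above.
SAMPLE_MOUNT='/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0'
SAMPLE_DF='/system: 69120K total, 68940K used, 180K available (block size 4096)
/data: 76544K total, 58920K used, 17624K available (block size 4096)'

# Free KiB for mount point $1 from Androot-style df text on stdin
# (line format: "/system: 69120K total, 68940K used, 180K available (block size 4096)").
free_kb() {
    awk -v mp="$1:" '$1 == mp { sub(/K$/, "", $6); print $6; exit }'
}

# Mount options of mount point $1 from `mount` text on stdin (e.g. "ro" or "rw,nosuid,nodev").
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# 0 if $1 is currently mounted read-only (an "ro" flag is present), else 1.
is_ro() {
    mount_opts "$1" | awk -F, '{ for (i = 1; i <= NF; i++) if ($i == "ro") f = 1 } END { exit !f }'
}

# preflight MOUNT_TEXT DF_TEXT NEED_KB
# Prints a one-line verdict; returns 0 only when /system can take NEED_KB more KiB,
# 1 when it cannot, 2 when df output has no /system line at all.
# Read-only is reported but not fatal, since root scripts remount /system rw themselves.
preflight() {
    mount_text="$1"; df_text="$2"; need_kb="$3"
    free=$(printf '%s\n' "$df_text" | free_kb /system)
    if [ -z "$free" ]; then
        echo "no /system line in df output"; return 2
    fi
    if printf '%s\n' "$mount_text" | is_ro /system; then
        echo "/system is mounted ro; it will need a remount,rw first"
    fi
    if [ "$free" -lt "$need_kb" ]; then
        echo "/system has ${free}K free, need ${need_kb}K: writes will fail with ENOSPC"; return 1
    fi
    echo "/system has ${free}K free, ok for ${need_kb}K"
}

# Bytes -> KiB, rounding up, so the 16224-byte binary from the log counts as 16K.
kib() { echo $(( ($1 + 1023) / 1024 )); }

# Usage: su (16224 bytes) plus placeholder sizes for Superuser.apk (40K) and busybox (1700K).
preflight "$SAMPLE_MOUNT" "$SAMPLE_DF" $(( $(kib 16224) + 40 + 1700 )); echo "preflight exit status: $?"
```

Run against the numbers in the log, the verdict is that /system is full before anything is written, which is the condition the `write: No space left on device` line reports; the same three helpers can be fed live output from `adb shell mount` and a device `df` once the field positions are adjusted for that tool's format.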
bobo122 said:
I got that error when I tried rooting it, then I tried unrooting and then rooting again. Did unrooting cause the problem, and is the only way to fix it now downgrading?
Sorry for the double reply, I posted the log using my cellphone.
Thanks
It's ok lol. So what's the situation now? Are you rooted? Do you have an active data plan?
"did unrooting cause the problem and the only way to fix it now is downgrading"
That was supposed to be a question lol.
Anyway, no, I'm not rooted yet. I'm trying to get it rooted using that one-click root method (much less risky), but if I have no choice but to do it the hard way, then I'll do it the hard way.
I keep getting the same errors every time I try rooting / unrooting using Universal Androot. I don't know what's wrong.
I posted the log; it's always the same log. As I can see in the log, some commands are failing for some reason which I don't know; that must be what's causing the problem.
I'm not from the USA. I bought the cellphone on eBay, from the US (I unlocked it and I'm using it now in my country). I have 3G here with no problem (I could sign in to my Gmail account using 3G to activate the cellphone the first time I used it, since it was wiped).
Thanks
Ok, so I found some time even though it's exam time.
I just had the idea to try a soft root and try "su" in the terminal... IT WORKED!!
I installed the ClockworkMod 2.5.0.7 custom recovery using ROM Manager. After reboot the root is gone since it was a soft root, so then I tried a normal root and it worked like a charm!
So, to everyone who's having my problem: soft root, reboot, root again (normal root this time).
I'll keep you posted with the rest of the process.
I've tried just about every automated/one click/whatever method for rooting my spiffy new Captivate, and they all failed for one reason or another. I finally got it to work using adb & the command line. Here's how I did it. Oh, and before someone asks "Why didn't you just use Windoze?", it's because all my computers run Linux so that's not an option.
STANDARD DISCLAIMER: If you root your phone, the ceiling will collapse on your head and your family will die. No one should ever follow these instructions. In fact, I should probably be banned for even posting them.
MY SETUP:
Ubuntu 11.04 (natty)
Samsung Captivate i897, stock, KB2
AT&T
1. Download SuperOneClick
http://forum.xda-developers.com/showthread.php?t=803682
I used 1.9.5, only because another poster told me he had successfully rooted his Captivate using that specific version. This may also work with the files from a newer version; I don't see why it wouldn't.
2. Extract everything
Duh.
3. Put adblinux, psneuter, busybox, su-v2, and Superuser.apk in one directory.
I don't know that it has to specifically be su-v2, but that one worked for me, so huzzah.
4. Put the phone in USB debug mode; plug it in to your computer.
Settings -> Applications -> Development (check the box for USB debugging). Linux users need no drivers.
5. Open a terminal, cd into wherever you extracted the SOC files.
6. Let's dance:
Code:
./adblinux push psneuter /data/local/tmp
./adblinux push su-v2 /data/local/tmp
./adblinux push busybox /data/local/tmp
./adblinux shell
$ cd /data/local/tmp
Make everything you just pushed over executable:
Code:
$ chmod 6755 psneuter
$ chmod 6755 su-v2
$ chmod 6755 busybox
Run the exploit:
Code:
$ /data/local/tmp/psneuter
Running psneuter successfully kicked me out of the shell, so go back. You should also notice when you re-enter the shell that your prompt has changed from "$" to "#", indicating psneuter was successful. This also means you have root privileges, at least temporarily, for the rest of your work.
Code:
./adblinux shell
# mount
"mount" should spit out something that looks like this:
mount
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
/dev/block/stl6 /mnt/.lfs j4fs rw 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
none /dev/cpuctl cgroup rw,cpu 0 0
/dev/block/stl9 /system rfs ro,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/mmcblk0p2 /data rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/stl10 /dbdata rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/stl11 /cache rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/stl3 /efs rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block//vold/179:1 /sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015,fmask=0102,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
On your phone, that output might look a little different, but you're looking for the "/system" line. In the example above, "/dev/block/stl9" is the mount point for "/system". If "mount" gives you a different mount point, then use that in the commands below. The stuff after that tells you the properties of "/system"; "ro" is the one we're concerned with. That tells us that "/system" is mounted as "read-only". We need to change that so we can move some files over.
Code:
# mount -o remount,rw /dev/block/stl9 /system
"/system" is now writable. Let's move some files over.
Code:
# /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin
# chmod 6755 /system/xbin/busybox
# /data/local/tmp/busybox chown 0.2000 /system/xbin/busybox
A functional copy of busybox now resides at /system/xbin, so from now on you can just call it with "busybox" instead of having to use the full path to the one we pushed over earlier.
Code:
# busybox mv /data/local/tmp/su-v2 /system/xbin/su
# chmod 6755 /system/xbin/su
# busybox chown 0.2000 /system/xbin/su
# busybox ln -s /system/xbin/su /system/bin/su
IMPORTANT: Do not leave your "/system" mounted as read-write; change it back and exit the shell:
Code:
# mount -o remount,ro /dev/block/stl9 /system
# exit
$ exit
You should be back at your basic Linux command prompt now. Install the Superuser app.
Code:
./adblinux install Superuser.apk
7. Reboot your phone
When everything loads back up, you should have root privileges. Update BusyBox from the market. If everything went according to plan, when you try to install BusyBox you should get a prompt from the Superuser app asking if you want to grant the BusyBox installer superuser privileges. If so, everything worked the way it was supposed to, and you're now a 1337 [email protected]><0r or something.
8. Troubleshooting
Mine didn't take the first time for some reason. After reboot, I installed BusyBox and Titanium Backup, both of which failed to get root privileges. I went back into the phone with adblinux, remounted /system as rw, again set the privileges for "/system/xbin/su" to 6755, then remounted /system as ro and rebooted. It took the second time, so I'm assuming I may have typed something wrong.
Another thing I was keen to try is installing the Superuser app FIRST, then running the hacks to root the phone. The phone does not need to be rooted to install Superuser, only for it to work as designed. I am curious if "SU->root->reboot" would work the first time, instead of "Root->SU->Reboot->Re-Root->Reboot", which is how it's been working now. If I happen to reinstall and try this again, I'll update. If anyone else gives it a whirl, post a comment and I'll update accordingly.
I hope this helps someone else. Please comment below with questions/criticisms/flames.
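The guide above hard-codes /dev/block/stl9 and tells the reader to substitute whatever `mount` reports for "/system". As an added example (not code from the original poster or from SuperOneClick), here is a POSIX shell wrapper for the same post-psneuter steps that reads the /system block device out of the device's `mount` output instead, always restores the read-only mount even if a step fails, and then checks the installed su with `ls -l`: a 6755 root-owned binary must list as `-rwsr-sr-x root ...`. `ADB` is assumed to be the adb or adblinux binary (default "adb"); the mount lines used in the usage section are constructed samples taken from the two formats shown on this page, so the parsing helpers can be exercised without a phone attached.

```shell
#!/bin/sh
# Added example (not from the original post): the same post-psneuter install steps, with the
# /system block device derived from `mount` output and the result verified afterwards.
ADB="${ADB:-adb}"   # assumption: adb (or adblinux) is on PATH or named in $ADB

# Print the block device mounted at /system, given `mount` output on stdin.
system_dev() {
    awk '$2 == "/system" { print $1; exit }'
}

# 0 if an `ls -l` line describes a setuid+setgid root-owned su (mode 6755 lists as
# -rwsr-sr-x), else 1. This is the state the guide's chmod 6755 / chown 0.2000 produce.
su_line_ok() {
    awk '$1 == "-rwsr-sr-x" && $2 == "root" && $NF == "su" { ok = 1 } END { exit !ok }'
}

# Device-side install. Needs a root (#) adb shell, i.e. psneuter has already been run.
install_su() {
    dev=$("$ADB" shell mount | tr -d '\r' | system_dev)
    if [ -z "$dev" ]; then
        echo "could not find /system in the device's mount output" >&2
        return 1
    fi
    # The && chain stops at the first failure; the trailing ';' makes the remount,ro run
    # regardless, so /system is never left writable.
    "$ADB" shell "mount -o remount,rw $dev /system && \
        /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin/busybox && \
        chmod 6755 /system/xbin/busybox && busybox chown 0.2000 /system/xbin/busybox && \
        busybox mv /data/local/tmp/su-v2 /system/xbin/su && chmod 6755 /system/xbin/su && \
        busybox chown 0.2000 /system/xbin/su && busybox ln -s /system/xbin/su /system/bin/su; \
        mount -o remount,ro $dev /system"
    "$ADB" shell ls -l /system/xbin/su | tr -d '\r' | su_line_ok
}

# Constructed samples in the two mount formats shown on this page (Captivate rfs, G1 yaffs2).
CAPTIVATE_MOUNT='/dev/block/stl9 /system rfs ro,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/mmcblk0p2 /data rfs rw,nosuid,nodev,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0'
G1_MOUNT='/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0'

# Usage without a phone: show what the wrapper would remount on each device.
printf '%s\n' "$CAPTIVATE_MOUNT" | system_dev   # /dev/block/stl9
printf '%s\n' "$G1_MOUNT" | system_dev          # /dev/block/mtdblock3
# With a rooted adb shell attached: install_su
```

The `su_line_ok` check is the one to run after the reboot in step 8 of the guide: if su lists as `-rwxr-xr-x` the setuid bit did not take and Superuser prompts will fail, which matches the "didn't take the first time" symptom described there.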
Thanks bro, this is a very handy guide. I too use only Linux and it kills me how many people say "ehh, just install Windows, it's easier". BLAAA is what I say. Great work, keep it coming...
tkienzle said:
Thanks bro, this is a very handy guide. I too use only Linux and it kills me how many people say "ehh, just install Windows, it's easier". BLAAA is what I say. Great work, keep it coming...
I'm with you. I HATE hearing "just use Odin" or "you can buy a copy of Windoze for not much $$$!" If I wanted Windoze, I'd be using it already. If I could use Odin, I'd probably just follow the directions for that and not be asking questions about Heimdall.
+1 thanks. been running linux since 2002, wasn't looking forward to using a friends computer just to root a phone.
I rooted my Moto X 2014 Pure Edition and have SuperSu working. Titanium Backup froze Motorola OTA so I can stay on 4.4.4 (I want to have Xposed) Busy box wasn't easy to install for some reason, but I got it installed (http://forum.xda-developers.com/moto-x-2014/help/busybox-wont-install-t3016800)
I am trying to backup my current progress with TWRP but I get this error:
E: Unable to create folder: /data/media/0/TWRP (errno=13)
E: Failed to make backup folder
I am not encrypted and this phone is only a day old. I tried the Fix Permissions in TWRP but that didn't help.
With my prior mentioned issues with BusyBox and now this I am concerned something bigger is wrong. What can I do to fix TWRP backups and debug other issues?
Thanks
What version twrp are you using and what type file system is your data partition? You can find out in twrp, under wipe select change partition and select the data one
dobbs3x said:
What version twrp are you using and what type file system is your data partition? You can find out in twrp, under wipe select change partition and select the data one
I'm using TWRP v2.8.4.0 for victara.
According to TWRP the current /data is ext4
Edit: Clockworkmod backups don't work either
fbiryujin said:
I rooted my Moto X 2014 Pure Edition and have SuperSu working. Titanium Backup froze Motorola OTA so I can stay on 4.4.4 (I want to have Xposed) Busy box wasn't easy to install for some reason, but I got it installed (http://forum.xda-developers.com/moto-x-2014/help/busybox-wont-install-t3016800)
I am trying to backup my current progress with TWRP but I get this error:
I am not encrypted and this phone is only a day old. I tried the Fix Permissions in TWRP but that didn't help.
With my prior mentioned issues with BusyBox and now this I am concerned something bigger is wrong. What can I do to fix TWRP backups and debug other issues?
Thanks
I get this error backing up to internal memory with all versions since 2.8.1.0. I have the same config as you. I am now backing up via otg and this works fine with the most recent version.
revengineer said:
I get this error backing up to internal memory with all versions since 2.8.1.0. I have the same config as you. I am now backing up via otg and this works fine with the most recent version.
Oh interesting. I'm using v2.8.1.0 on the first gen VZW dev edition with no issue.
Just tested v2.8.0.1 and the backup went without issue, but I can't see it in Android File Transfer to copy it to my computer. It shows up in Root Explorer though. Very odd.
I also noticed I can't change permissions via root explorer or "busybox chmod" in adb shell
fbiryujin said:
Oh interesting. I'm using v2.8.1.0 on the first gen VZW dev edition with no issue.
Just tested v2.8.0.1 and the backup went without issue, but I can't see it in Android File Transfer to copy it to my computer. It shows up in Root Explorer though. Very odd.
I also noticed I can't change permissions via root explorer or "busybox chmod" in adb shell
You can pull these files over to your pc using adb insecure app. Basically, you need root adb.
revengineer said:
You can pull these files over to your pc using adb insecure app. Basically, you need root adb.
Interesting. I'd like to find out why Android File Transfer doesn't work with the folder TWRP created.
It seems that TWRP v2.8.0.1 is storing the TWRP backups in /data/media/0 but /storage/emulated/0 is being reported as the internal sdcard by root explorer (which is also what appears to be where Android File Transfer looks)
The odd thing is that if I go into /storage/emulated/0/Download and "touch test" in adb shell, the file shows up in /data/media/0/Download
It looks like it's the same location but I'm getting a discrepancy for the TWRP folder
mounts:
[email protected]:/ # mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=952780k,nr_inodes=144648,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,size=952780k,nr_inodes=144648,mode=750,gid=1000 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,size=952780k,nr_inodes=144648,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,size=952780k,nr_inodes=144648,mode=755,gid=1000 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nodiratime,journal_checksum,journal_async_commit,nobarrier,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,nodiratime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 rw,defcontext=u:object_r:persist_file:s0,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/modem /firmware ext4 ro,defcontext=u:object_r:modem_file:s0,seclabel,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/pds /pds ext3 rw,defcontext=u:object_r:pds_file:s0,seclabel,nosuid,noexec,relatime,barrier=1,data=writeback 0 0
/dev/block/platform/msm_sdcc.1/by-name/fsg /fsg ext4 ro,defcontext=u:object_r:modem_file:s0,seclabel,nosuid,nodev,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/customize /customize ext4 ro,defcontext=u:object_r:user_config_file:s0,seclabel,nosuid,nodev,noexec,noatime,nodiratime,data=ordered 0 0
/data/media /mnt/shell/emulated esdfs rw,relatime,upper=0:1028:660:771,derive=legacy,nosplit 0 0
/data/media /storage/emulated/legacy esdfs rw,relatime,upper=0:1028:660:771,derive=legacy,nosplit 0 0
tmpfs /storage/emulated tmpfs rw,seclabel,nosuid,nodev,relatime,size=952780k,nr_inodes=144648,mode=050,gid=1028 0 0
/data/media /storage/emulated/0 esdfs rw,relatime,upper=0:1028:660:771,derive=legacy,nosplit 0 0
/data/media /storage/emulated/0/Android/obb esdfs rw,relatime,upper=0:1028:660:771,derive=legacy,nosplit 0 0
/data/media /storage/emulated/legacy esdfs rw,relatime,upper=0:1028:660:771,derive=legacy,nosplit 0 0
/data/media /storage/emulated/legacy/Android/obb esdfs rw,relatime,upper=0:1028:660:771,derive=legacy,nosplit 0 0
I had to format system the first time in order to get TWRP functional.
fbiryujin said:
Interesting. I'd like to find out why Android File Transfer doesn't work with the folder TWRP created.
It seems that TWRP v2.8.0.1 is storing the TWRP backups in /data/media/0 but /storage/emulated/0 is being reported as the internal sdcard by root explorer (which is also what appears to be where Android File Transfer looks)
The odd thing is that if I go into /storage/emulated/0/Download and "touch test" in adb shell, the file shows up in /data/media/0/Download
It looks like it's the same location but I'm getting a discrepancy for the TWRP folder
mounts:
I noticed the oddities as well, but decided not to chase them down. There is very little support for this recovery, but it's the only one that works.
---------- Post added at 06:48 PM ---------- Previous post was at 06:47 PM ----------
juliospinoza said:
I had to format system the first time in order to get TWRP functional.
That's what I have been hearing, but I have not tried. My system is working nicely and this solution is rather intrusive.
revengineer said:
I noticed the oddities as well, but decided not to chase them down. There is very little support for this recovery, but it's the only one that works.
---------- Post added at 06:48 PM ---------- Previous post was at 06:47 PM ----------
That's what I have been hearing, but I have not tried. My system is working nicely and this solution is rather intrusive.
Well, formatting directly from TWRP was the only way that worked for me; you can check the OP of the recovery and you will find that.
Extracting the backup was incredibly simple for me... I restarted the phone directly to recovery and my PC was able to read the internal SD, and from there I just cut/pasted the TWRP directory (yes, with all the files in it).
juliospinoza said:
Well, formatting directly from TWRP was the only way that worked for me; you can check the OP of the recovery and you will find that.
Extracting the backup was incredibly simple for me... I restarted the phone directly to recovery and my PC was able to read the internal SD, and from there I just cut/pasted the TWRP directory (yes, with all the files in it).
What steps did you take to format directly from TWRP? I formatted data as ext4 from within TWRP and I still have to use adb to pull the files :/
fbiryujin said:
What steps did you take to format directly from TWRP? I formatted data as ext4 from within TWRP and I still have to use adb to pull the files :/
In TWRP go to Wipe / Advanced Wipe and check Dalvik, System, Internal Storage, Data and Cache.
After that you will be able to back up your system without any problem.
In my case I just have to put my phone in recovery and my PC recognizes my phone as internal storage, and I am able to copy, paste, move, etc. files of the system...
juliospinoza said:
In TWRP go to Wipe / Advanced Wipe and check Dalvik, System, Internal Storage, Data and Cache.
After that you will be able to back up your system without any problem.
In my case I just have to put my phone in recovery and my PC recognizes my phone as internal storage, and I am able to copy, paste, move, etc. files of the system...
Thanks but wouldn't wiping System remove the ROM from the phone?
fbiryujin said:
Thanks but wouldn't wiping System remove the ROM from the phone?
My bad, you are right: wiping System will delete the whole system and you will have to flash it again (system.img).
I'll leave you the official TWRP post on what to flash / don't flash in whichever case you want.
http://teamw.in/whattowipe
Again, sorry. I wiped System and flashed it again via fastboot.
juliospinoza said:
My bad, you are right: wiping System will delete the whole system and you will have to flash it again (system.img).
I'll leave you the official TWRP post on what to flash / don't flash in whichever case you want.
http://teamw.in/whattowipe
Again, sorry. I wiped System and flashed it again via fastboot.
OK, thanks. One last question: is there a way to do a nandroid or TWRP backup while the phone is running (so if the phone is encrypted, I can still back it up)?
Thanks