I'm trying to help the Replicant project (see redmine[dot]replicant[dot]us for more information) by porting their system to the Optimus Black, and I've just secured myself a P970g, but I'm having trouble installing CyanogenMod 10.0 (a prerequisite). For example, fastboot and adb don't seem to detect the phone; ./fastboot devices doesn't show anything.
The Replicant project is rather picky about the flashing tools they use; they need to be executable on GNU/Linux (which I'm using) and they need to be free software (licensed under the GNU General Public License, or any license that gives the freedoms of use for any purpose, distribution, and/or modification). I have the SDK installed; that's free software. Any software I run on the phone is fine, as long as it's either free and open-source, or the phone can be changed without proprietary software once the process is complete.
So, is there a way to install ClockworkMod on the P970g from my GNU/Linux computer without running proprietary software on it? All of the installation instructions I've seen so far appear to require it.
first, p970 has not been designed to work with fastboot. it works only in flash mode. for the adb side, it needs to boot. second, I don't really understand your request because both twrp and cwm are open source so you can compile them from source. from my side, I made a cwm and a twrp flasher package as well for installing one of them easily. The compiler I've used is NSIS (open source too).
my question is, what's the problem ?
I made a cwm and a twrp flasher package as well for installing one of them easily. The compiler I've used is NSIS (open source too).
This may be useful. But are the packages themselves free software? If you don't explicitly license them under a free software license (http colon slash slash www dot gnu dot org slash licenses slash license-list dot html) and release the source code, then the Replicant project can't use them. If you have done this, I would appreciate it if you could point me to the download link for these packages.
you know, I don't have much knowledge about licensing, but in that case I don't think it needs any license. What I've made are simple containers with basic instructions. There is no commercial purpose, restriction or anything else like that, because it's all about contributing freely. I mean, without any kind of charge. You can use or redistribute them, because it's totally free. The source code of my work will be useless here, except if you plan to recompile for your needs. Everything can be done manually or in other ways. Note that the packages are for Windows. 7zip can be used to explore their contents.
http://forum.xda-developers.com/showthread.php?t=1111771
if you want, I can provide you the commands for flashing correctly
I actually do hope to recompile this program for my needs and would very much like to see the source code. You see, the Replicant project prefers that flashing tools support GNU/Linux. If you released the source code under an appropriate license, we could perform the porting and work from there.
You say you don't know so much about licensing? It's actually rather simple: if you decide to release the source code, just put this text as a LICENSE.txt file into the top directory of the repository:
Code:
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
okay, I'll be glad to help your project, but know that NSIS is script based; it's not really coding, so I'm not sure if simple script-based instructions could be considered true source code... you won't be able to recompile, as it simply won't work under any Linux environment. Although NSIS can be compiled for POSIX platforms, it's still in order to build Windows packages. This is why I proposed to share the commands (they are available around the internet though). The main task of my packages is to apply known Windows commands with just a few clicks. In other terms, these are setup packages (like Inno, etc.).
Just extract an img recovery file and apply proper commands for flashing, simple as that.
Never mind that; our problem is actually semi-solved. Are you the developer of BlackJack? Because that's where we need the source code now.
yes but the exploit isn't from me. blackjack is obsolete for gingerbread and over, and I'm not a developer
Made in ZR
You see, we've figured out a way to install ClockworkMod using only free and open-source tools. But the device needs to be rooted for it to work. Of course there's a rootkit available for Gingerbread, but our users may be running Froyo, as my phone is. So, we'd still be very happy to see its source code. But it complicates things if you're not the author of the exploit. Do you know who did create it, so we can contact them?
sure, it's written by Scott Walker. His twitter and mail (he doesn't seem to be registered on xda, so I couldn't find him here)
I'm confused. It seems if you install ClockworkMod on a stock phone that you'll get a security error. See thread number 2094640.
Anyways, let me rephrase: I'm looking for a way to install CyanogenMod on a P970g running Froyo that doesn't use proprietary software. (You said you were the developer of Blackjack; even if you could just point me to the front-end code that'd be great.)
Who is the creator of SmartFlash? That could be even more useful if we could obtain its source code.
Roller_REP said:
I'm confused. It seems if you install ClockworkMod on a stock phone that you'll get a security error. See thread number 2094640.
Anyways, let me rephrase: I'm looking for a way to install CyanogenMod on a P970g running Froyo that doesn't use proprietary software. (You said you were the developer of Blackjack; even if you could just point me to the front-end code that'd be great.)
Who is the creator of SmartFlash? That could be even more useful if we could obtain its source code.
You get a security error if you install CWM recovery over LG's official Ice Cream Sandwich ROM, as it has a locked bootloader. This is not a problem for the Froyo and Gingerbread stock ROMs, as they have an unlocked bootloader.
About SmartFlash, I don't know. I always thought it was a LG tool.
For ICS (not for Froyo/Gingerbread), this might help:
http://forum.xda-developers.com/showthread.php?t=2160394
Roller_REP said:
I'm confused. It seems if you install ClockworkMod on a stock phone that you'll get a security error. See thread number 2094640.
Anyways, let me rephrase: I'm looking for a way to install CyanogenMod on a P970g running Froyo that doesn't use proprietary software. (You said you were the developer of Blackjack; even if you could just point me to the front-end code that'd be great.)
Who is the creator of SmartFlash? That could be even more useful if we could obtain its source code.
As said before, you probably bricked your device after having missed something.
And you're still wrong. I'm not a developer, and never claimed it anywhere. I repeat, my packages are script-based, so useless for Linux. Smartflash originally needs 3 files to run, but I packed it into an autonomous exe (this version is only available in UPK). This tool is a leak from LG and wasn't destined for the public. It's of course copyrighted, and there is actually NO other way of unbricking a hard-bricked device.
What's required for running the exploit :
ADB
Superuser.apk
su (binary)
busybox (binary)
sqlite3 (binary)
psneuter exploit (binary)
Superuser from Clockworkmod is open source (not used in blackjack).
Here are the Windows batch commands for running the exploit properly:
Code:
REM Resetting server
adb kill-server
adb start-server
REM Waiting for device
adb wait-for-device
REM Pushing files
adb push files\busybox /tmp/
adb push files\psneuter /tmp/
adb push files\sqlite3 /tmp/
adb push files\su /tmp/
adb push files\Superuser.apk /tmp/
REM Running exploit
adb shell "chmod 0755 /tmp/psneuter"
adb shell "chmod 4755 /tmp/psneuter"
adb shell "/tmp/./psneuter"
REM AT THIS POINT AN EXTERNAL INTERVENTION IS NEEDED FOR RESTARTING ADB (IT'S BASICALLY DESIGNED FOR HTC DEVICES)
REM Mounting system
adb shell "mount -orw,remount -t ext3 /dev/block/mmcblk0p8 /system"
REM Applying root privileges
adb shell "cat /tmp/busybox > /system/bin/busybox"
adb shell "cat /tmp/sqlite3 > /system/bin/sqlite3"
adb shell "cat /tmp/su > /system/bin/su"
adb shell "cat /tmp/Superuser.apk > /system/app/Superuser.apk"
adb shell "chmod 4755 /system/bin/su"
adb shell "chmod 4755 /system/bin/busybox"
adb shell "chmod 4755 /system/bin/sqlite3"
REM Rebooting
adb reboot
REM Killing server
adb kill-server
Remember that this works only for Froyo.
I asked you "Are you the developer of BlackJack?" And you said "yes but the exploit isn't from me."
But thank you very much! As soon as I can find those files, that solves my problem. However, I can't see them in your upgrade kit...
Ilko said:
yes but... I'm not a developer
good luck
Made in ZR
This little gem of a phone is a tough little thing to custom install apps on, but that didn't stop the Coburn from being able to get busybox installed.
Therefore, introducing Busybox for your HTC Click/Tattoo!
FOLLOW THIS TUTORIAL CAREFULLY. This guide may brick or NOT brick your Tattoo (most likely the latter), however I cannot assure you that it's 100% fail proof. I have installed it successfully. IN OTHER WORDS: THIS IS NOT FOR THE FAINT HEARTED! IF YOU DO NOT KNOW WHAT 'FLASH','ADB' OR 'HACK' MEANS, PLEASE DO NOT CONTINUE.
Requirements:
1 HTC Tattoo (The Victim)
1 MS Windows Powered Computer (I used Win7 64Bit)
1 HTC Tattoo -> USB Cable (Included with phone... Well, it was in the box).
Download the package attached to this post. Extract all files to a directory like C:\BUSYCLICK . (Actually, please extract them there).
Installation
Connect your Tattoo to your phone, make sure USB Debugging is enabled (Settings -> Applications -> Development) and sit back. Windows should say "New Hardware! OMG!" and ask "What is this piece of tech?" (aka New Hardware Install Wizard). On XP, allow it to search Windows Update. On Vista/7, I'm going to have to get back to you on that. The installed driver will be like "HTC Dream blah blah blah ADB Interface" or something. Odd why it says it's an HTC Dream...
Anyway, go to the folder where you extracted the files, and run the Installation.bat file. It's the one that says "Installation" With the cogs icon.
You'll get a DOS Prompt and some text, PAY ATTENTION! My installer will hold your hand and explain what's happening. Should any errors occur, you may be out of space on your Tattoo's internal memory or something. If you do get errors, please post them here! I'll try to fix them for you guys and girls.
Post-install tasks
When complete, run the TestBusybox.bat script in the same folder where you extracted the BusyBox files, and you should get some output. If not, busybox failed to install... Let me know what the error is and I'll try to fix it.
Notes:
You can use the busybox commands in /data/local/bin from "adb shell" or a terminal emulator on the phone itself... /data/local/bin/sh DOES NOT work from adb shell, I don't know why. It will work using a terminal emulator. Try "/data/local/bin/free" and such for some memory read outs, etc, etc.
Feel free to love/like/hate/kill/shoot my work, you can expect to see ROMs and the like in the near future as I love hacking devices.
Cheers,
Coburn64
Ok, busybox installed normally...
Do I have root access with busybox now? I don't see su...
C:\Busybox>adb shell /data/local/busybox ls /data
ls: can't open '/data': Permission denied
I do see /data/local and below it though... including ../bin and ../rights, but I don't see any use of it...
Coburn, hi, this is a step closer to being root
Can I be root in busybox?
Does the chmod command do it?
thx
Code:
benno.id.au/blog/2007/11/14/android-busybox
chmod command is useless without su...If only su worked
Installed and worked fine, can run busybox but:
it runs with shell privileges
setting the setuid bit doesn't solve it, because I can chown to root
Am I missing something?
Thanks Really appreciate your work!
Do you have to install the new RUU Click HTC WWE 1.63.405.1 WWE test signed NoDriver first?
coolbits said:
Code:
benno.id.au/blog/2007/11/14/android-busybox
chmod command is useless without su...If only su worked
I know friend!
I asked about chmod without adb, or whether they could use chmod as root from the busybox console
leon1984 said:
I know friend!
I asked about chmod without adb, or whether they could use chmod as root from the busybox console
All this does is allow you to run more commands from the shell in Android, whereas the standard shell doesn't have many commands built in. Could be used in conjunction with a root hack.
One step more, but nothing to do with root
I'm starting to believe that the Click will never have a root method working because it's underused compared with other android devices
MiSSigNNo said:
One step more, but nothing to do with root
I'm starting to believe that the Click will never have a root method working because it's underused compared with other android devices
The next Linux kernel root vulnerability (which works on the Tattoo) should bring us root, as well as other Android devices such as the Eris.
coolbho3000 said:
The next Linux kernel root vulnerability (which works on the Tattoo) should bring us root, as well as other Android devices such as the Eris.
What's the new root vulnerability? Is it something that was just discovered?
coolbho3000 said:
The next Linux kernel root vulnerability (which works on the Tattoo) should bring us root, as well as other Android devices such as the Eris.
Ok, where to find more info about this? :S
coolbho3000 said:
The next Linux kernel root vulnerability (which works on the Tattoo) should bring us root, as well as other Android devices such as the Eris.
I was able to install Busybox on my phone successfully. But the problem is I don't know what it's for. Would anyone be kind enough to post a link or a tutorial for this? Thanks.
sheik_yerbouti said:
I was able to install Busybox on my phone successfully. But the problem is I don't know what it's for. Would anyone be kind enough to post a link or a tutorial for this? Thanks.
Busybox just allows you to use more features at the adb shell command line. So, yeah. Heh.
You lost me at 'adb shell command line'. Is that some command line provided by the Android SDK?
sheik_yerbouti said:
You lost me at 'adb shell command line'. Is that some command line provided by the Android SDK?
Sorry if I lost you. Let me sum it up: It's a 'feature pack' for Android Developers, which could be used in conjunction with rooting tools.
Coburn64 said:
What's the new root vulnerability? Is it something that was just discovered?
zenthought.org/content/file/android-root-2009-08-16-source
This is linked in the other thread...
ivendor said:
zenthought.org/content/file/android-root-2009-08-16-source
This is linked in the other thread...
That code is old, and apparently won't work. It won't compile either, Paul from Modaco tried it and it just spat the dummy and gave a make error.
Coburn64 said:
That code is old, and apparently won't work. It won't compile either, Paul from Modaco tried it and it just spat the dummy and gave a make error.
That's the code for the old asroot exploit (used in the Hero IIRC). It's been patched in August/09 so it won't affect the kernel in stock Tattoos.
Yeah, that's what I was getting at - the exploit is too old.
We need to either:
1) Get a S-OFF bootloader
2) Find another working root exploit
3) Dig around in the test ROM and extract the SU binary out of that sucker and put it in /data/local on the working ROM.
I think I can do the latter.
Hi,
it's my first post here and I'm aware that I'm going to ask a typical newbie question... But after quite a long period of browsing the internet and this forum I concluded that I need help. So I hope that I don't annoy anyone...
My intention is to prepare my Nexus One to use Cyanogenmod. To do that, I want to use a Linux PC instead of a Windows PC. I bought my Nexus from Vodafone in Germany. All current OTAs are installed. Some more specific information: Android 2.2.1, Build FRG83D.
I understood that first I have to root my Nexus and unlock my bootloader. But I'm a bit confused by the number of different approaches to root/unlock the Nexus One which can be found in this forum and via Google. Most of the guides require a Windows PC. It was not possible for me to decide which approach I should follow in order to safely unlock and root my Nexus.
So far I've tried to root my device with the tool "ANDroot", but it won't work... I assume that I need to follow a more complex approach via a USB-connected PC. I'm a quite experienced Linux (Ubuntu) user and want to use Linux for rooting and unlocking my device.
I'm not asking for someone to explain to me in detail how to do it! But it would be great if someone could tell me whether it is easily possible to root and unlock my device from Linux and if so where I might find some comprehensive explanations.
Many thanks in advance and regards from Germany!
try here
http://ilikemygooglephone.com/2010/...-and-root-google-nexus-one-mac-windows-linux/
Look here, under root: http://forum.xda-developers.com/wiki/index.php?title=Nexus_One
I say forget the one-button root and go the OG way, but I guess it just comes down to how comfortable you are with the process.
The process doesn't change very much regardless of what OS you are running.
All of the SDK adb commands are exactly the same - it's just ./adb rather than adb.exe.
Follow the instructions on the Android SDK download page for setting up the SDK on your system, and then follow instructions here for unlocking/rooting/flashing your device.
Just because you use Linux doesn't make you "special"
Thanks a lot for your replies!
Actually I just needed to realize that the Android SDK runs on Linux as well, and with even fewer issues than on Windows (no need for fancy USB drivers).
Very good for an overall overview: theunlockrDOTcom/2010/01/02/how-to-root-the-nexus-one/
One just has to realize that e.g. "fastboot-windows" has to be replaced by "fastboot_linux"...
A showstopper was the annoying "install-recovery.sh" script which kept me from booting into the newly installed recovery image. But after consulting Google, the following saved me from freaking out:
Code:
./adb shell
$ su
# rm /system/etc/install-recovery.sh
rm failed for /system/etc/install-recovery.sh, Read-only file system
# mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
# rm /system/etc/install-recovery.sh
# exit
$ exit
After that it was straightforward to install CyanogenMod by following their specific update guide:
wiki.cyanogenmodDOTcom/index.php?title=Nexus_One:_Full_Update_Guide
And now I'm happily enjoying even an FM radio, which I did not expect when thinking of installing CyanogenMod...!
shouldn't adb oem unlock do the trick?
Bloodflame said:
shouldn't adb oem unlock do the trick?
It's fastboot oem unlock ... but potato-patato.
To the OP...
I know you probably thought of this already but add
Code:
export PATH=~/android/tools/:$PATH
to your .bashrc so you don't have to put up with ./adb each time you want to use the adb command.
sassafras
whoops. i should stop posting when tired
don't pay attention to me
So you've rooted your phone, hacked your webtop, but then you realize that your Ubuntu doesn't have ssh. Wait, what? What the hell is *nix for if you don't have ssh?!
Time to fix that.
Based upon the existing packages, the Ubuntu installation is Jaunty/9.04. In this case, the packages to install for clean dependencies are these:
libedit2
openssh-client
passwd
For each package, you want to download the package that's listed as Published to /mnt/sdcard-ext (before you complain that I'm using old packages, when starting up, I prefer to have a consistent OS, rather than picking and choosing packages from several different versions).
Installation ended up being simpler than I expected, although I ended up remounting /mnt/sdcard-ext as /osh/mnt/sdcard-ext so that I could have a decent work area in my chroot. Here were the commands I used (including the remount) after downloading the three .deb files into /mnt/sdcard-ext:
Settings→SD card & phone storage→Unmount SD card
From the Android terminal:
su
mkdir /osh/mnt/sdcard-ext
mount -t vfat /dev/block/vold/179:33 /osh/mnt/sdcard-ext
From LXTerminal:
sudo chroot /osh
dpkg -i *.deb
exit
Settings→SD card & phone storage→Mount SD card (this will forcibly unmount the SD card from the other directory and mount it in the normal directory)
Congratulations! ssh has just been installed.
Is this the process people are using to install other .deb packages? apt-get isn't working for me.
Sent from my MB860 using XDA App
edounn said:
Is this the process people are using to install other .deb packages? apt-get isn't working for me.
I'm actually not sure what other people are doing.
Personally, I'm reluctant at the moment to use the second-layer package management tools, since there really isn't much free space in /osh, and I'd rather not trigger a domino effect of package installation by accident. As such, I'd prefer to be a lot more precise in what packages I'm installing.
Besides which, the custom Motorola Ubuntu packages do cause some issues. For example, they shipped a version of Awn that normally ships with Ubuntu 9.10, so it's difficult to touch (if you want to go back to that version but stock, it starts an upgrade loop that becomes difficult to manage). But, you can try setting your depot to launchpad.net, which might work out for you.
some static linked binaries i built
I built a few static binaries today as I too don't really want to screw with trying to force some packages in alongside the base system.
I included a tarball (seems like the forums won't take a tar.gz) with scp, sftp, ssh, and wget in it. They are all static linked arm binaries so you shouldn't have any dependency issues. They're not built with anything special, I just grabbed the latest openssh and wget and built them.
I've only tested the ssh and wget, but I would assume that both scp and sftp also work. If there is enough interest I can post the rest of the openssh suite, I got the entire suite to build (didn't test it though).
Let me know if things work, I may build other things as a bunch of static linked binaries, or just setup a chroot to run more stuff from the webtop.
If anyone is looking for an SSH daemon on the android side of the device, this is an excellent guide to do it:
http://teslacoilsw.com/dropbear
Also, I've uploaded the compiled binaries for 2.2.1 (Dropbear Telsa v0.52) and the stock ssh client that comes with the android 2.2.1 SDK (Dropbear v0.49)
would this help with xsession i.e. ssh -X [email protected]
I believe xauth is all you need for X11 forwarding via SSH, and that's included in the webtop os.
Hi,
I9305 is not officially supported by towelroot. So I searched for some details about the exploit and found this pastebin.com/A0PzPKnM (which seems to be a decompiled and cleaned, made more readable, towelroot v1) and some articles about how it's supposed to work (blog.nativeflow.com/the-futex-vulnerability and tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/). I have to admit that I don't understand it fully, but well enough to modify it into this pastebin.com/1fdmC4Xv, which is a working exploit on my i9305 with Android 4.3, kernel 3.0.31. I didn't make any big changes: I made a few modifications to compile the code, added lots of debugging output, changed what happens when the hack is successful and added the iov_index variable, which is the most important change. The original code is not nice and my changes are not nice either, please be lenient while reading it. If you want to use it, compile it with the Android NDK, push it to /data/local/tmp and run it. There can be one argument, a number from 0 (default) to 7 (you can use bigger, but it makes no sense). If it succeeds, you'll get a root prompt. Otherwise it can freeze or reboot the phone. You can check the kernel panic reason in /proc/last_kmsg. If you see that it crashed in plist_add because "Unable to handle kernel NULL pointer dereference at virtual address 0000000c", subtract 0xc from the address and use it as the argument (iov_index) next time. Don't give up, it doesn't always work. Note that the phone will reboot after you quit the root shell. It's up to you what you do with this, but AFAIK successful execution of this exploit doesn't change the KNOX warranty bit, at least my phone still says that the system is "official".
Remember to be careful when doing any of this, and don't blame me for any damage.
If you want to play with it in a debugger, you don't have to use the Android emulator as suggested in the article mentioned above; I used vanilla kernel 3.0.31 compiled with exynos4_defconfig, buildroot userspace and latest qemu with the machine smdkc210.
Pavel
P.S. I don't have enough posts here, so you have to use the links manually
prqek said:
Hi,
I9305 is not officially supported by towelroot. So I searched for some details about the exploit and found this pastebin.com/A0PzPKnM (which seems to be a decompiled and cleaned, made more readable, towelroot v1) and some articles about how it's supposed to work (blog.nativeflow.com/the-futex-vulnerability and tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/). I have to admit that I don't understand it fully, but well enough to modify it into this pastebin.com/1fdmC4Xv, which is a working exploit on my i9305 with Android 4.3, kernel 3.0.31. I didn't make any big changes: I made a few modifications to compile the code, added lots of debugging output, changed what happens when the hack is successful and added the iov_index variable, which is the most important change. The original code is not nice and my changes are not nice either, please be lenient while reading it. If you want to use it, compile it with the Android NDK, push it to /data/local/tmp and run it. There can be one argument, a number from 0 (default) to 7 (you can use bigger, but it makes no sense). If it succeeds, you'll get a root prompt. Otherwise it can freeze or reboot the phone. You can check the kernel panic reason in /proc/last_kmsg. If you see that it crashed in plist_add because "Unable to handle kernel NULL pointer dereference at virtual address 0000000c", subtract 0xc from the address and use it as the argument (iov_index) next time. Don't give up, it doesn't always work. Note that the phone will reboot after you quit the root shell. It's up to you what you do with this, but AFAIK successful execution of this exploit doesn't change the KNOX warranty bit, at least my phone still says that the system is "official".
Remember to be careful when doing any of this, and don't blame me for any damage.
If you want to play with it in a debugger, you don't have to use the Android emulator as suggested in the article mentioned above; I used vanilla kernel 3.0.31 compiled with exynos4_defconfig, buildroot userspace and latest qemu with the machine smdkc210.
Pavel
P.S. I don't have enough posts here, so you have to use the links manually
Hi! I use I9305 with android 4.4.4 - without any branding. Could you help me root this device without the Knox flag? Thank you, I'm from Poland and my English is so bad ;/ I want a ready application to install if you could do this for me
wow thanks you
Hi schizyk12,
I am afraid that I will disappoint you. I don't have any other phone than my i9305 with 4.3, so it would be a blind shot to create such an application. Even if I had some more devices, I am not sure if I have time to do this. Another problem is that I am not even sure whether this would work on 4.4.4. What kernel does it use? See this www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153 , if your kernel version is higher than 3.14.5 then the bug this is exploiting is fixed. If your kernel is built after May 26th, 2014, it is also probably fixed.
I am attaching the binary that worked for me. You can try it - unzip it and pull it into /data/local/tmp using adb (if you don't know how to do it, search the web, it's not difficult) and execute from adb shell as /data/local/tmp/tr_c 1 (or some other integer, see my original post). Keep trying, it may not work the first time. If it succeeds, you will see something like this:
Code:
cpid3 resumed.
hack.
/system/bin/sh
[email protected]:/data/local/tmp #
If your phone reboots, it is a good sign – the bug is probably not fixed.
I also have i9305 with Android 4.3 (kernel 3.0.31) and everything seems to work fine - when I execute tr_c 1 it displays a lot of lines but there are a few which look exactly the same as in your post above. Now the problem - this method doesn't give me root access... I don't know what is wrong. Can you help me with this? Maybe you know how to get it working? Thanks for all of your work PS: Sorry for my English.
What do you mean by root access? This is not one of the "one click root" applications, this is only the exploit. If you see at the end what I posted in my previous post, you have root access, but only in that one session. If you want to have a rooted device, you have to do the rest manually. Unfortunately I didn't find any article describing what this means. There are only lots of "one click" apps. Finally I used Koushik's Superuser; it is simple and open source, so it was quite easy to find out how the installation ("rooting") works. Take a look at this script github.com/koush/Superuser/blob/master/Superuser/assets/update-binary . Don't execute it, it is supposed to be run from recovery. Here are briefly the steps to be done (I hope I didn't forget anything, don't do it if you don't understand it):
1) mount -oremount,rw /system
2) copy su to /system/xbin
3) chown it 0:0 and chmod it to 6755
4) create link from /system/bin/su to /system/xbin/su
5) modify (or create) /system/etc/install-recovery.sh (see github.com/koush/Superuser/blob/master/Superuser/assets/install-recovery.sh)
6) sync and reboot
I actually used the disabled ssh service from /init.rc and I am enabling it in install-recovery.sh, so if the su daemon is killed, it is restarted automatically. The daemon is needed because of bypassing SELinux, the suid bit is not enough (I suppose I can chmod to 755 in step 3).
You don't have to compile the whole superuser, you can download it from here www.koushikdutta.com/post/superuser .
But there is one problem with this version: if SELinux is enforcing, the su works only from adb shell. It is because the socket used for communication between su and the daemon is in /dev, which is not accessible by applications. So I moved it to /data/local/tmp/. Now it works for apps and not for adb shell. But you have to compile the su binary to do this. I should report a bug to Koushik.... Also adding setenforce 0 to install-recovery.sh should help, but it turns off SELinux.
Pavel
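An added example (not Pavel's script and not part of Koush's Superuser) that audits what steps 2 to 5 above leave on a device, so you can verify the manual install, or spot one during a device review. ROOT is the tree to inspect (a hypothetical parameter: "/" in an adb shell, or a directory holding an extracted /system image on a PC); it assumes a stat(1) that accepts -c (GNU coreutils, busybox or toybox).

```shell
#!/bin/sh
# Audit the artifacts left by the manual Superuser install steps described above.
# Added example, not Pavel's script. ROOT defaults to "/" (run inside adb shell);
# point it at an extracted /system image to audit offline.
# Prints one line per check; returns the number of failed checks.

audit_su_install() {
    root=${1:-/}
    su_bin="$root/system/xbin/su"
    su_link="$root/system/bin/su"
    hook="$root/system/etc/install-recovery.sh"
    fails=0

    # Step 2: the su binary must live in /system/xbin
    if [ -f "$su_bin" ]; then
        echo "ok   su binary present: $su_bin"
        # Step 3: owned by root:root, mode 6755 (setuid + setgid, rwxr-xr-x)
        owner=$(stat -c %u:%g "$su_bin")
        mode=$(stat -c %a "$su_bin")
        [ "$owner" = 0:0 ] && echo "ok   owner 0:0" \
            || { echo "FAIL owner is $owner, expected 0:0"; fails=$((fails + 1)); }
        [ "$mode" = 6755 ] && echo "ok   mode 6755" \
            || { echo "FAIL mode is $mode, expected 6755"; fails=$((fails + 1)); }
    else
        echo "FAIL su binary missing: $su_bin"; fails=$((fails + 1))
    fi

    # Step 4: /system/bin/su must be a symlink pointing at the xbin copy
    if [ -L "$su_link" ]; then
        case $(readlink "$su_link") in
            */xbin/su) echo "ok   $su_link -> xbin/su" ;;
            *) echo "FAIL $su_link points elsewhere"; fails=$((fails + 1)) ;;
        esac
    else
        echo "FAIL $su_link is not a symlink"; fails=$((fails + 1))
    fi

    # Step 5: install-recovery.sh must (re)start the su daemon at boot
    if [ -f "$hook" ] && grep -q 'xbin/su' "$hook"; then
        echo "ok   $hook starts the su daemon"
    else
        echo "FAIL $hook missing or does not reference xbin/su"; fails=$((fails + 1))
    fi
    # The 'setenforce 0' workaround mentioned above switches SELinux off for the
    # whole system; report it as a finding instead of silently accepting it.
    if [ -f "$hook" ] && grep -q 'setenforce 0' "$hook"; then
        echo "FAIL $hook turns SELinux off (setenforce 0)"; fails=$((fails + 1))
    fi

    return "$fails"
}
```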
Yeah, I thought it would be something like "one-click root". Now I understand - I had root access from adb but not a normally rooted phone. I read your instructions and I have more questions. Did you do this on your phone? Is the warranty void still 0 after these operations? I don't want to change it to 1.
PS: I'm not sure if I can make this work, so I must live without root on this device since it'll be easier to do
I did all of this on my phone. I don't see any triangle like here: www.mobot.net/samsung-galaxy-s2-removing-yellow-triangle-37410 . The Knox warranty void in download mode says 0, so I guess it is OK. But the device status in settings says custom, but this happened after I removed Knox related applications. I didn't try to put them back. It may fix it. If I remember well, the steps I described didn't change any of these bits and statuses.
It's not so difficult, you just need some understanding of how a Linux system works.
The attached archive includes 3 tools for those of you with .3.2.3.2 (or earlier) bootloaders.
Since other tools (and earlier version of these very tools) are available and working well,
this is mostly meant as an entry to an imaginary beauty contest. (JOKING!!!)
cuber.py
a generic gmpy2-free reimplementation of @vortox's signature.py
use this to generate your unlock.img
cuboot.py (uses cuber.py)
a Python-only reimplementation of @vortox's cuber
includes fixes to the kernel command-line and the device-tree
use this to convert a standard Amazon boot.img (>=.4.x.x)
upHDX (uses cuboot.py)
bash script to repack Amazon updates for TWRP
could be DANGEROUS, use with care
tested on Apollo for both 14.4.5.2 and 14.4.5.3
my unit is fully 14.4.5.3 now, except for aboot (which is 3.2.3.2)
should work on Thor as well
Those with bootloader .3.2.6 and lower can downgrade to .3.1.0
and upgrade the bootloader to the latest vulnerable version .3.2.3.2.
Those with .3.2.7 and higher appear to be out of luck with forged signatures, but I hear there's progress on rooting .4.5.2.
The python scripts have been tested on the following OS / Python combinations:
Windows: 2.7.9 and 3.4.3
Linux: 2.7.9 and 3.3.4
OSX: 2.6.? (cannot quite remember)
In addition to the tools themselves, I also included "educational" examples
(examples.sh for Linux/OSX, examples.bat for Windows).
These make use of the split.py script, which is otherwise unnecessary.
(The Windows example also shows that simply echoing your manfid/serial
combo to cuber.py -the way one does in Linux/OSX- won't work due to
the carriage-return character introduced by the echo command.
You'll need to handcraft a file matching the '0x%02x%08x\n' format...)
Another batch file py..bat is meant as an extra aid for Windows users
to avoid trouble with setting paths and such. You should be able to simply
download and install your preferred Python version.
Open a command shell (cmd.exe), navigate to wherever you extracted the
archives, and type 'py PYTHON-SCRIPT ARGS' to run the Python scripts.
(This handholding intentionally does NOT work for the upHDX script.)
Hopefully, someone will find these simple tools useful.
EDIT: To unlock your bootloader (<=.3.2.3.2), you'll need adb and fastboot.
On Linux, most distributions package these separately. Look for android-tools-{adb,fastboot} or some such.
For Windows, you can get these from the official Android SDK (which is a **large** download,
with a lot more tools you won't need, if you don't already use them, but it's safe).
Alternatively, there's a very legit-looking project here on XDA, with a much smaller
download, fast install, and exactly the tools you need. I haven't used either... (-;
The actual unlock procedure is described here and here.
EDIT#2: I added another script 'cublock.py' to make unlock.img generation super easy both on Windows and Linux.
MD5( tools.zip) = c17fc91344bd3b4b040129a79a39741f
EDIT#3: Fixed issues with older versions of certain tools on Debian 7.
MD5( tools.zip) = 4f93ab667fd61db26c83675ce0bd6d9f
EDIT#4: Fixed a bug when 'cuber.py' is used directly from the command line.
MD5(tools.zip) = 67b4a6d65aa2b0aa3500b122c8a25290
XDA:DevDB Information
HDXtools, Tool/Utility for the Amazon Kindle Fire HDX 7" & 8.9"
Contributors
draxie
Version Information
Status: Alpha
Created 2015-03-13
Last Updated 2015-03-13
Thanks for your work.
Can I use upHDX to remove bootloader, recovery from 4.5.3 and flash via TWRP?
Thanks
tuanda82 said:
Thanks for your work.
Can I use upHDX to remove bootloader, recovery from 4.5.3 and flash via TWRP?
Thanks
Let's hope so. That's what I did, in any case.
I'm an adventurer; so, I ran './upHDX fw update-kindle-14.4.5.3_user_453011120.bin',
pushed the resulting update-kindle-14.4.5.3_user_453011120-upHDXfw.zip to my HDX 8.9
and installed it with TWRP.
Worked for me, but I cannot provide any guarantees, unfortunately.
It may be wise to omit 'fw', and doublecheck that you're happy with the contents of the
updater-script in the newly generated archive.
AND, -of course- make sure your bootloader version is at most .3.2.3.2!!!
draxie said:
Let's hope so. That's what I did, in any case.
I'm an adventurer; so, I ran './upHDX fw update-kindle-14.4.5.3_user_453011120.bin',
pushed the resulting update-kindle-14.4.5.3_user_453011120-upHDXfw.zip to my HDX 8.9
and installed it with TWRP.
Worked for me, but I cannot provide any guarantees, unfortunately.
It may be wise to omit 'fw', and doublecheck that you're happy with the contents of the
updater-script in the newly generated archive.
AND, -of course- make sure your bootloader version is at most .3.2.3.2!!!
Thanks. But your upHDX script is for Linux users only. I am on Windows.
If you have time could you upload your xxxx_14.4.5.3_xxxx.zip? Thanks
draxie said:
The attached archive includes 3 tools for those of you with .3.2.3.2 (or earlier) bootloaders.
Since other tools (and earlier version of these very tools) are available and working well,
this is mostly meant as an entry to an imaginary beauty contest. (JOKING!!!)
cuber.py
a generic gmpy2-free reimplementation of @vortox's signature.py
use this to generate your unlock.img
cuboot.py (uses cuber.py)
a Python-only reimplementation of @vortox's cuber
includes fixes to the kernel command-line and the device-tree
use this to convert a standard Amazon boot.img (>=.4.x.x)
upHDX (uses cuboot.py)
bash script to repack Amazon updates for TWRP
could be DANGEROUS, use with care
tested on Apollo for both 14.4.5.2 and 14.4.5.3
my unit is fully 14.4.5.3 now, except for aboot (which is 3.2.3.2)
should work on Thor as well
Those with bootloader .3.2.6 and lower can downgrade to .3.1.0
and upgrade the bootloader to the latest vulnerable version .3.2.3.2.
Those with .3.2.7 and higher appear to be out of luck with forged signatures, but I hear there's progress on rooting .4.5.2.
The python scripts have been tested on the following OS / Python combinations:
Windows: 2.7.9 and 3.4.3
Linux: 2.7.9 and 3.3.4
OSX: 2.6.? (cannot quite remember)
In addition to the tools themselves, I also included "educational" examples
(examples.sh for Linux/OSX, examples.bat for Windows).
These make use of the split.py script, which is otherwise unnecessary.
(The Windows example also shows that simply echoing your manfid/serial
combo to cuber.py -the way one does in Linux/OSX- won't work due to
the carriage-return character introduced by the echo command.
You'll need to handcraft a file matching the '0x%02x%08x\n' format...)
Another batch file py..bat is meant as an extra aid for Windows users
to avoid trouble with setting paths and such. You should be able to simply
download and install your preferred Python version.
Open a command shell (cmd.exe), navigate to wherever you extracted the
archives, and type 'py PYTHON-SCRIPT ARGS' to run the Python scripts.
(This handholding intentionally does NOT work for the upHDX script.)
Hopefully, someone will find these simple tools useful.
EDIT: To unlock your bootloader (<=.3.2.3.2), you'll need adb and fastboot.
On Linux, most distributions package these separately. Look for android-tools-{adb,fastboot} or some such.
For Windows, you can get these from the official Android SDK (which is a **large** download,
with a lot more tools you won't need, if you don't already use them, but it's safe).
Alternatively, there's a very legit-looking project here on XDA, with a much smaller
download, fast install, and exactly the tools you need. I haven't used either... (-;
The actual unlock procedure is described here and here.
EDIT#2: I added another script 'cublock.py' to make unlock.img generation super easy both on Windows and Linux.
MD5( tools.zip) = c17fc91344bd3b4b040129a79a39741f
Thanks a lot for the good work, but I'd like to tell you that it would be great if you could explain the entire work in layman's terms, because there would be many people having hundreds of questions and concerns.
Just a piece of advice, if you feel it's worthy... No disrespect intended...
I would like it in layman's terms...
And how to do it on Windows. This seems confusing to me. I have no idea where to start.
I did it all in Windows 8.1 64-bit edition.
With help from this post:
http://forum.xda-developers.com/showpost.php?p=58897784&postcount=67
Get Python 2.7 for Windows and install it >> https://www.python.org/download/releases/2.7/
BTW I installed the 64-bit edition for both.
Get GMPY2 for Python 2.7: https://code.google.com/p/gmpy/downloads/list
Follow the post step by step. I encountered some trouble with the fastboot driver; I had to remove the driver and install a generic one I selected from Windows, then I manually installed it. Ran the fastboot command to unlock and I was unlocked. A lot easier than it looks.
Reckerr said:
I would like it in layman's terms...
And how to do it on Windows. This seems confusing to me. I have no idea where to start.
Appreciate it. Will attempt Saturday after a read through.
Works on Windows...
tuanda82 said:
Thanks. But your upHDX script is for Linux users only. I am on Windows.
If you have time could you upload your xxxx_14.4.5.3_xxxx.zip? Thanks
Actually, I tested upHDX in Windows using Cygwin.
I had to select zip and unzip in the Archive group and python in the Python group
in the installer to get all the dependencies in place, and the only issue I faced was a few filename collisions
in the /system/media/audio/ringtones folder (case-sensitivity problem).
Code:
> diff -ru cygwin/ linux/
Only in linux/system/media/audio/ringtones: ANDROMEDA.ogg
Only in linux/system/media/audio/ringtones: CANISMAJOR.ogg
Only in linux/system/media/audio/ringtones: Hydra.ogg
Only in linux/system/media/audio/ringtones: PERSEUS.ogg
Only in linux/system/media/audio/ringtones: URSAMINOR.ogg
These could just be copied from the original update-*.bin after installation.
Reckerr said:
I would like it in layman's terms...
And how to do it on Windows. This seems confusing to me. I have no idea where to start.
If you could spell out what you mean by 'it', I might be able to help.
yujikaido79 said:
I did it all in Windows 8.1 64-bit edition.
With help from this post:
http://forum.xda-developers.com/showpost.php?p=58897784&postcount=67
Get Python 2.7 for Windows and install it >> https://www.python.org/download/releases/2.7/
BTW I installed the 64-bit edition for both.
Get GMPY2 for Python 2.7: https://code.google.com/p/gmpy/downloads/list
Follow the post step by step. I encountered some trouble with the fastboot driver; I had to remove the driver and install a generic one I selected from Windows, then I manually installed it. Ran the fastboot command to unlock and I was unlocked. A lot easier than it looks.
Of course, if you want to make it more difficult for yourself,
you can use the older version of my tool as well.
The new one is not limited to Python 2.7, but works on both current Python versions;
and does NOT require GMPY2.
Also, if you are looking to unlock your bootloader, the 'cublock.py' script is your friend.
You just pass in the manfid and serial (separately; no need to fuse them).
Whether you choose to install Python standalone or as part of Cygwin is up to you.
The latter also includes 'bash' and lets you convert the Amazon update to a TWRP-friendly ZIP.
draxie said:
Of course, if you want to make it more difficult for yourself, you can use the older version of my tool as well.
The new one is not limited to Python 2.7, but works on both current Python versions; and does NOT require GMPY2.
Also, if you are looking to unlock your bootloader, the 'unlock.py' script is your friend.
You just pass in the manfid and serial (separately; no need to fuse them).
Whether you choose to install Python standalone or as part of Cygwin is up to you.
The latter also includes 'bash' and lets you convert the Amazon update to a TWRP-friendly ZIP.
I have Windows 7 and Nexus 2.0.5 with bootloader from http://forum.xda-developers.com/kin...p-flashable-3-2-3-bootloader-upgrade-t3025504, installed Python 2.7 and the adb and fastboot and driver package from post 1.
Using
adb shell
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial
And unlock.py and then
adb reboot-bootloader
And
fastboot -i 0x1949 devices
fastboot -i 0x1949 flash unlock <unlock file>
fastboot -i 0x1949 reboot
It was very easy, I only had some driver problems in fastboot mode.
upHDX doesn't work on Debian 7
Bruder Torgen said:
I have Windows 7 and Nexus 2.0.5 with bootloader from http://forum.xda-developers.com/kin...p-flashable-3-2-3-bootloader-upgrade-t3025504, installed Python 2.7 and the adb and fastboot and driver package from post 1.
Using
adb shell
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial
And unlock.py and then
adb reboot-bootloader
And
fastboot -i 0x1949 devices
fastboot -i 0x1949 flash unlock <unlock file>
fastboot -i 0x1949 reboot
It was very easy, I only had some driver problems in fastboot mode.
FYI - followed this process on an identical environment with identical results. Struggled a bit more with Windows drivers; if you're having trouble this might help (posts 8-10).
I'm running version 13.3.0.2 and I'm a newbie with Kindle; what should I do?
benyo8990 said:
I'm running version 13.3.0.2 and I'm a newbie with Kindle; what should I do?
Welcome to the HDX forums. How to proceed depends on what you want to accomplish. Read through the various threads to see what is available and the effort required. If your goal is to root and/or install custom roms you MUST disconnect from WiFi as Amazon will attempt to upgrade your tablet to the latest Fire OS. Should that happen your options will be severely limited.
Two words of caution:
1) Kindles are not like other devices. Tough to tame and easy to brick. If you approach modding with a casual attitude you'll probably end up with a non-recoverable brick. READ, READ, READ before doing anything. Ask questions when you are ready.
2) There are no tidy fail-safe tutorials for the HDX. There is work and risk involved. You have to do your homework first. No one is going to hold your hand (sorry for the lecture - just trying to set expectations early).
More info please!
dpeddi said:
upHDX doesn't work on Debian 7
Given that it worked for me even in Cygwin on Windows 7, this sounds odd.
Nevertheless, I'd appreciate more info on how it fails (and which flavor of Debian 7
you are using, so that I have a chance to reproduce your issue).
UPDATE: Nevermind. I fired up a VM with Debian 7.8.0-amd64-standard,
and found out for myself. Apparently, 'df' in 'coreutils 8.13' used here
doesn't support the '--output' option; AND, python 2.7.3 is more strict
about the input types to 'unpack'. I fixed these and the script worked.
I'll post the new version in a second.
df --optional not supported; $m seems not to be set
Thank you for posting this awesome tool. I am running 13.4.5.2 with a twrp recovery and the most recent available (without breaking twrp) kernel.
My question is, if worst case scenario happens and I try to use cygwin to upHDX, it does not work, but I think it did, and I install a partially working update, am I bricked? Or, will it just write over my kernel and recovery with no hope of going back. As I type this, I am thinking the answer is, both are possible, but thought I would ask before breaking things.
Sent from my KFTHWI using Tapatalk
[Edit] If you know what you are doing, this script is very helpful. I especially enjoy how it explains everything it does as it does it. So, you can see the files it changes. I used cygwin and it worked perfectly. If you understand the Unix command tools, it is a piece of cake. I do not mean to belittle the risk involved, it is significant, however, if you read what is happening, and know this worked, and can be assured there is no issue with your recovery, you can still roll back if something goes wrong. Do not take this comment as minimal risk, the risk is substantial, and you need to wipe to go back. One of my devices did not take the update well (My fault), and, I had to go back. These devices do not handle wipes well. So, the moral of the story.
-This is an excellent and versatile tool,
-There is significant risk
-If you do your research, follow directions, and meet the requirements, you can get success. Have your cake and eat it too on your terms!!
-With this tool, I have the most recent update, root, and twrp (Amazon apps work too).
Thanks again for the tools.
[/Edit]
lekofraggle said:
My question is, if worst case scenario happens and I try to use cygwin to upHDX, it does not work, but I think it did, and I install a partially working update, am I bricked? Or, will it just write over my kernel and recovery with no hope of going back. As I type this, I am thinking the answer is, both are possible, but thought I would ask before breaking things.
I saw you managed fine, but just in case anybody else wonders,
the script will bail at the first sign of error and you'll know it.
Of course, this won't guarantee that things cannot go wrong,
but minimizes the chances that they go unnoticed.
NOTE, HOWEVER that:
This has only been tested on 4.5.2 and 4.5.3; and I would strongly recommend against blindly running it on newer releases (as the pattern matching that's being relied upon for what to throw away --including the anti-rollback fuse stuff-- might easily get broken with relatively minor changes).
A good sanity check is to unzip both the original update and the newly created "sanitized" version, and compare them (e.g. via a recursive diff) to double-check that the changes are sensible.
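The sanity check just described (and the earlier advice to double-check the updater-script of the repacked archive) as an added example; this is not part of upHDX. It takes two directories into which the original update and the repacked ZIP have already been extracted (hypothetical arguments), assumes a GNU or busybox userland and file names without whitespace, and treats anything other than a removal as unexpected.

```shell
#!/bin/sh
# Compare an extracted original Amazon update with the extracted upHDX output:
# a sanitizing repack should only REMOVE things. Added example, not part of upHDX.
# Usage: compare_update_trees /path/to/original /path/to/repacked
# Lists removed files and dropped updater-script lines for review, and returns
# the number of unexpected differences (added files, changed files, new lines).

compare_update_trees() {
    orig=$1
    new=$2
    script=META-INF/com/google/android/updater-script   # standard OTA location
    problems=0
    [ -d "$orig" ] && [ -d "$new" ] \
        || { echo "usage: compare_update_trees ORIG_DIR NEW_DIR" >&2; return 2; }
    tmp=$(mktemp -d)
    (cd "$orig" && find . -type f | LC_ALL=C sort) > "$tmp/orig.lst"
    (cd "$new"  && find . -type f | LC_ALL=C sort) > "$tmp/new.lst"

    # Files dropped by the repack (bootloader, anti-rollback pieces, ...):
    # expected, but listed so the operator can judge whether they are sensible.
    LC_ALL=C comm -23 "$tmp/orig.lst" "$tmp/new.lst" | sed 's/^/removed: /'

    # Files that exist only in the repack: a sanitizer must never add payload.
    LC_ALL=C comm -13 "$tmp/orig.lst" "$tmp/new.lst" > "$tmp/added.lst"
    if [ -s "$tmp/added.lst" ]; then
        sed 's/^/UNEXPECTED added: /' "$tmp/added.lst"
        problems=$((problems + 1))
    fi

    # Files kept in both trees must be byte-identical, except the updater-script.
    LC_ALL=C comm -12 "$tmp/orig.lst" "$tmp/new.lst" > "$tmp/common.lst"
    while read -r f; do
        [ "$f" = "./$script" ] && continue
        if ! cmp -s "$orig/$f" "$new/$f"; then
            echo "UNEXPECTED changed: $f"
            problems=$((problems + 1))
        fi
    done < "$tmp/common.lst"

    # The updater-script may lose commands but must not gain any: every line of
    # the repacked script has to occur verbatim in the original.
    if [ -f "$orig/$script" ] && [ -f "$new/$script" ]; then
        grep -vxF -f "$orig/$script" "$new/$script" > "$tmp/injected.lst" || true
        if [ -s "$tmp/injected.lst" ]; then
            sed 's/^/UNEXPECTED updater-script line: /' "$tmp/injected.lst"
            problems=$((problems + 1))
        fi
        grep -vxF -f "$new/$script" "$orig/$script" \
            | sed 's/^/dropped updater-script line: /' || true
    fi

    rm -rf "$tmp"
    return "$problems"
}
```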