I rooted this device successfully but then my bro tried installing a busybox and it broke the root, so I did a factory reset, then tried to root again, and all I got was this:
2510 KB/s (89968 bytes in 0.035s)
Changing permissions...
Executing Exploit (could take some minutes, be patient!)
Hit ENTER to continue
Drücken Sie eine beliebige Taste . . .
Device detected: KFSOWI (JDQ39)
Attempt acdb exploit...
KFSOWI (JDQ39) is not supported.
Attempt fj_hdcp exploit...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x80008000 form iomem
Attempt put_user exploit...
ioctl: Bad address
Attempt fb_mem exploit...
Detected kernel physical address at 0x80008000 form iomem
Attempt perf_swevent exploit...
Drücken Sie eine beliebige Taste . . .
I have tried the manual way and uninstalled the drivers, then reinstalled them. I downloaded the root and nothing seems to work... I need someone's help
Thanks
Performing a factory reset does not completely remove root access since the binaries are still left. That's most likely why you cannot gain root access. Try following the advice given in post 15 from this link.
http://forum.xda-developers.com/showthread.php?t=1923612&page=2
elua35 said:
Performing a factory reset does not completely remove root access since the binaries are still left. That's most likely why you cannot gain root access. Try following the advice given in post 15 from this link.
http://forum.xda-developers.com/showthread.php?t=1923612&page=2
I have tried unrooting and had no success. I just get permission denied at
mount -o remount,rw /system
so I get rm failed here
rm /system/xbin/su
because I don't have permission... I tried rooting again after this and still no luck, but thanks for the advice
EDIT: In the beginning when I type
adb shell
su
after I type su I get
su: must be suid to work properly
EDIT: I was looking throughout the files and found in /system/xbin a superuser file. I tried opening it and reading it but it was encrypted like it's expected to be, but then I tried deleting it but then again no root so no permissions
I think you and I are in the same boat. I had root, something went wrong, factory reset the device, now can't get root back, and no solutions I've found on here have worked.
Related
Finally the race is over and some brave devs managed to get root on the Tattoo and some were able to reproduce it on their own devices already. But notice: We are in an early stage of development. There is no one-click-get-root app at the moment and there is still much work to be done until we get custom roms.
I will try to keep track of the ongoing development and update this post periodically. If you find a mistake or get something new, let us know, but we can't give support to every linux-noob at this point of development!
At the moment being root on the Tattoo does NOT enable you to use the usual applications like Wifi Tethering that need root out of the box. You are also unable to write to /system by default. Now there is a new hack to make /system writable (look at the bottom of this post)
Status
Last update: 26.02.2010 - 12:55 CET
Rooting
The Tattoo was successfully rooted for the first time on 19.02.2010 ( http://forum.xda-developers.com/showpost.php?p=5672597&postcount=93 ). It has been reproduced by some other users already; there is some work to be done to make the exploit work more easily.
Because it has been asked many times: If there will ever be an OFFICIAL update with android 2.1 by HTC for the Tattoo (nobody knows definitively), this root-exploit will NOT work! You will lose root then!
It was done by porting this exploit http://www.milw0rm.com/exploits/8678 to the ARM platform and the Tattoo. It uses a security hole in kernel 2.6.29 that wasn't patched in the Tattoo's kernel. It all began here on 10.2.2010 (the first post doesn't have anything to do with this): http://forum.xda-developers.com/showthread.php?t=631540
Kudos to zanfur, bftb0, mainfram3, HT123 and others (sorry if I forgot an important one).
The exploit was tweaked to deliver root more reliably.
Flashing custom roms
Developing custom roms won't be the problem, but the Tattoo has got some extra security mechanisms that don't make it trivial to flash a new rom even now that we have root. There is work going on to solve this.
Howto get root-privileges
I think it is safe to follow but this is done at your own risk. Don't blame me if your Tattoo explodes, eats your hamster or makes your girlfriend leave you.
Remember: We're in an early state of development, this is no click-and-run app, linux knowledge is needed.
Newbies on Windows should follow this howto made by Coburn64, it's much easier than this one: http://forum.xda-developers.com/showthread.php?t=637927
Download this to your PC and unzip: View attachment 285070
(the older release was called m6 and can be found here: View attachment r00t.zip)
m7 is the binary. Push m7 to your Tattoo using adb:
Code:
adb push m7 /data/local/bin/m7
adb shell chmod 755 /data/local/bin/m7
Start a shell:
Code:
adb shell
Start the exploit in the shell:
Code:
cd /data/local/bin
while `true` ; do /data/local/bin/m7; done
The new m7 is an improved version of the old m6; it should now bring you root much more reliably.
With the old m6, while it is running, bring up and close random apps via task manager on the Tattoo. This might not be necessary with m7. After a while the exploit should report success and come up with a root-shell. The prompt should change from
Code:
$
to
Code:
#
Sometimes the exploit stops but no shell ('#') comes up. Just terminate it with ^C and try again.
You did it, you should be root now!
Let's set some variables:
Code:
export LD_LIBRARY_PATH=/system/lib
export PATH=/system/bin
When you got your shell, check if you are really root:
Code:
id
You should get something like this:
Code:
# id
uid=0(root) gid=1000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
uid=0(root) is important.
To get a root-shell more easily next time, we have to make su work.
Take this su binary and push it to your Tattoo: http://www.fileuploadx.de/45656
Code:
adb push su /data/local/bin/su
Remount /data without the nosuid-option
Code:
# mount -o rw,remount /dev/block/mtdblock3 /data
Change the owner to root and set the suid-bit
Code:
# chown root.root /data/local/bin/su
# chmod 4755 /data/local/bin/su
Now you don't have to run the exploit again, just open a normal shell and run
Code:
$ /data/local/bin/su
Now you should be root!
Attention: If you reboot your phone, you have to run the exploit and the mount command again because /data will be mounted nosuid again!
That's it!
Some suggestions for going on. When you run mount, you will see that some partitions are mounted read-only and/or with the nosuid-option. You can change this by running:
Code:
mount -o rw,remount /dev/block/mtdblockYOUWANT /DIRtoREMOUNT
Other developer stuff
Here I will list all other things, more dangerous and not with all steps described in detail because you should know how to do this if you want to.
New: Make /system writeable
This is a dangerous part, it might break your system forever unless you don't know what you are doing! Don't try it unless you are a dev! That is the reason why the steps you have to do are not described in a more detailed way. If you don't know what to type in, you shouldn't try this hack!
Download View attachment 286072
1. Copy tattoo-hack.ko from the zip to /data/local/bin
2. # insmod /data/local/bin/tattoo-hack.ko
3. Remount system partition to be writeable
Now you can do everything with /system until you reboot. /system is the only partition that is mounted without nosuid after reboot, so copy su over to /system/bin/ to keep root permanently. To be able to use programs like setcpu you have to replace /system/bin/su with this su:
View attachment 286154
Flashing a custom recovery image
This is in alpha-state but we are able to flash custom recovery images, which is the determining step to flashing custom roms. Don't ask how to flash android 2.x (we didn't do it right now) or when it will be ready. It will be sometime...
http://forum.xda-developers.com/showthread.php?t=639486
Have a lot of fun!
-bm-
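An added example (not part of the original post): the su steps above depend on two things, the setuid bit on a root-owned binary and whether its partition is mounted nosuid. This script audits both from a mount table and a file listing; the sample data, the /system device name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which setuid-root files a mount table would honor.
# All sample data below is constructed for illustration.

# /proc/mounts-style lines: device mountpoint fstype options dump pass
# (/dev/block/mtdblock1 for /system is an assumed placeholder device)
SAMPLE_MOUNTS='rootfs / rootfs ro 0 0
/dev/block/mtdblock1 /system yaffs2 ro 0 0
/dev/block/mtdblock3 /data yaffs2 rw,nosuid,nodev 0 0'

# One file per line: "octal-mode owner path"
SAMPLE_FILES='4755 root /data/local/bin/su
4755 root /system/bin/su
0755 root /system/xbin/su
4755 shell /data/local/bin/tool'

# Print the mount options of the filesystem that contains a path
# (longest mountpoint that is a whole-component prefix of the path).
# $1 = mount table text, $2 = absolute path
mount_opts_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : (mp "/")
            if ((p == mp || index(p, pre) == 1) && length(mp) > best) {
                best = length(mp)
                opts = $4
            }
        }
        END { print opts }'
}

# Succeed if option $2 appears in the comma-separated list $1.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify each listed file:
#   not-suid      setuid bit is not set (su reports it must be suid)
#   suid-nonroot  setuid, but not owned by root
#   inert-nosuid  setuid root, but the mount ignores the bit
#   effective     setuid root on a mount that honors it
# $1 = mount table text, $2 = file listing text
audit_suid() {
    printf '%s\n' "$2" | while read -r mode owner path; do
        [ -n "$path" ] || continue
        case "$mode" in
            [4567]???) ;;
            *) echo "not-suid $path"; continue ;;
        esac
        if [ "$owner" != "root" ]; then
            echo "suid-nonroot $path"
            continue
        fi
        opts=$(mount_opts_for "$1" "$path")
        if has_opt "$opts" nosuid; then
            echo "inert-nosuid $path"
        else
            echo "effective $path"
        fi
    done
}

audit_suid "$SAMPLE_MOUNTS" "$SAMPLE_FILES"
```

Lines reported as effective are the ones to review when checking a device for leftover root binaries, since a factory reset wipes /data but not /system.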
BTW.. In order for /data/local/bin to exist it's probably best you do the busybox install to there first.. also the busybox commands are very handy.
Great - bm - thank you very much
-bm- said:
-bm-
This is a great day, it's really amazing how people could work together searching the good way to root this awesome little phone. Just to say I've really appreciated your work... I followed all you guys day by day... Thank you everyone, sorry for the OT.
Anyway... risks of bricks?
elvisior said:
BTW.. In order for /data/local/bin to exist it's probably best you do the busybox install to there first.. also the busybox commands are very handy.
You're right, busybox makes further development more handy. But I think it isn't needed for /data/local/bin to exist, because for me it was there and I've got no busybox on my Tattoo
chdir /data/local/bin
instead of
chdir to /data/local/bin
Thanks Man.
Nice team work.
Stupid noobie question: how to push m6 to your Tattoo using adb? Can anyone possibly make a noobie tutorial?!
@zoko : Use your favorite linux distribution.
Please can you help me? When I do .m6 in shell I get
Code:
[ Overwritten 0xb0000100
but no #, any help for me?
ApotheoZ said:
@zoko : Use your favorite linux distribution.
You don't need Linux. Windows or even Mac OS will do just fine.
Zoko, grab adb.exe from the Android SDK. To install m6, just run:
Code:
adb push m6 /data/local/bin/m6
chusen said:
Please can you help me? When I do .m6 in shell I get
Code:
[ Overwritten 0xb0000100
but no #, any help for me?
As I try to say in my howto (okay, my english is not the best ;-) ): That happens quite often. Just stop it with ^C ([control]+C) and start the exploit again until you have luck!
zoko said:
Stupid noobie question: how to push m6 to your Tattoo using adb? Can anyone possibly make a noobie tutorial?!
Hi zoko!
Please use google to find a tutorial for pushing files using adb, there are many out there and using adb is not tattoo-specific!
We don't have time to provide more service at the moment ;-)
By the way: I'm happy about everybody testing, but I wonder what you want to do with a root-shell if you didn't even use adb before. But learning and trying is always a good thing but please consider learning by googling also ;-)
Have a lot of fun!
-bm-
thanks but i try and try and try... and same result, more ideas or only try it?
Is there any way to mount /data r/w on boot?
I doubt it because the exploit should be run first... hmm
So now we need a custom rom with root privileges
...first a recovery.. i think
after i run the exploit once I have to reboot the phone to be able run it again or i get
HTML:
$ usage: reboot [-n] [-p] [rebootcommand]
.
any option to be able to run it more than once without rebooting the phone?
The Tattoo Root (kit)
Here's a small installation batch, to make it easier for everyone.
Download the supplied zip (TattooRoot).
Run 'install-tattoo-root'.
Code:
--------------------------------------------------
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
300 KB/s (5546 bytes in 0.018s)
1366 KB/s (356916 bytes in 0.255s)
9 KB/s (126 bytes in 0.013s)
--------------------------------------------------
M6 exploit (shoryuken derived with ARM shellcode from Zanfur)
installed to /data/local/bin
STEP 1:
Launch adb shell at the command prompt
Once in a shell type:
while `true` ; do /data/local/bin/m6; done
The exploit has succeded once you get a root prompt (indicated by #)
Retry the while loop above, until you get the root prompt
STEP 2:
Run /data/local/bin/create_su.sh to create a
suid shell in /data/local/bin/su
I think the comments are self-explanatory. If you can't get the m6 into your Tattoo, even with the help of this batch, I suggest you wait a little longer for a more foolproof way to free your Tattoo.
Every time you reboot your Tattoo you'll have to execute steps 1 and 2 again.
@mainfram3 I don't get the same results
Code:
--------------------------------------------------
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
300 KB/s (5546 bytes in 0.018s)
1366 KB/s (356916 bytes in 0.255s)
9 KB/s (126 bytes in 0.013s)
--------------------------------------------------
M6 exploit (shoryuken derived with ARM shellcode from Zanfur)
installed to /data/local/bin
STEP 1:
Launch adb shell at the command prompt
Once in a shell type:
while `true` ; do /data/local/bin/m6; done
The exploit has succeded once you get a root prompt (indicated by #)
Retry the while loop above, until you get the root prompt
STEP 2:
Run /data/local/bin/create_su.sh to create a
suid shell in /data/local/bin/su
i get
Code:
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
34 KB/s (5546 bytes in 0.156s)
796 KB/s (356916 bytes in 0.437s)
7 KB/s (126 bytes in 0.015s)
--------------------------------------------------
Where is my error?
chusen said:
i get
Code:
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
34 KB/s (5546 bytes in 0.156s)
796 KB/s (356916 bytes in 0.437s)
7 KB/s (126 bytes in 0.015s)
--------------------------------------------------
Where is my error?
Chusen,
That is all right.
Now, launch an adb shell by typing
Code:
adb shell
and then try the exploit
Code:
$ while `true` ; do /data/local/bin/m6; done
until you're greeted with:
Code:
[ Overwritten 0xb0000100
# <---- This # indicates you got root
I was on v8 non-rooted.
I followed the instructions here to the letter:
http://forum.xda-developers.com/showthread.php?t=1566729&page=4
didn't have any issues at all, no errors.
I'm confirmed on V8 and do have root but can't access CWM. Attempting to run the new AIO again gives the following:
Root and Recovery for ZV8
Press any key to continue . . .
* daemon not running. starting it now *
* daemon started successfully *
Device found
Mounting Device
remount failed: Operation not permitted
Pushing Root Permissions
Unable to chmod /system/bin/su: Read-only file system
7781 KB/s (5345280 bytes in 0.670s)
Unable to chmod /system/xbin/busybox: Read-only file system
Installing CWM Recovery
/dev/block/mmcblk0p14: cannot open for write: Permission denied
Remove Trash
rm failed for /system/etc/install-recovery.sh, Read-only file system
rm failed for /system/recovery-from-boot.p, Read-only file system
rm failed for /data/local.prop, No such file or directory
CWM Recovery!!!
Press any key to continue . . .
Any ideas how to get to CWM?
Looks like you need to root again after your upgrade. Run MT's Root&RecoveryAIO.bat again and select the "Root ZV8" option.
[EDIT]
My bad. That's what you are trying to do! I've been up all night and am tired. Did you get any errors when you ran the "Prepare for Update" option before you upgraded? That option actually pushes the superuser files back to your phone and the "Root ZV8" option just goes back and sets the permissions. You can try manually running these commands with adb first.
Files\adb push Files\zergrush /data/local/tmp/zergrush
Files\adb shell "chmod 755 /data/local/tmp/zergrush"
I'm a bit of a noob here but I think I'm following the instructions correctly.
I've just rooted my device. I opened cmd to check for root acces and this is what it says:
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
[email protected]:/ #
I'm presuming that means it's rooted. However when I launch ES Explorer or File Explorer and try to enable root access it says failed:
Root Explorer cannot be enabled
or
Sorry test failed
Any ideas what I'm doing wrong?
I don't know if it's a problem with super user, because when it says there should be su request pop up in ES Explorer it doesn't happen.
When I try to reinstall superuser.apk in cmd I get the following:
C:\Users\AJ\Desktop\Android>adb install Superuser.apk
3585 KB/s (1468798 bytes in 0.400s)
pkg: /data/local/tmp/Superuser.apk
Failure [INSTALL_FAILED_ALREADY_EXISTS]
C:\Users\AJ\Desktop\Android>
ajnicho said:
I don't know if it's a problem with super user, because when it says there should be su request pop up in ES Explorer it doesn't happen.
When I try to reinstall superuser.apk in cmd I get the following:
C:\Users\AJ\Desktop\Android>adb install Superuser.apk
3585 KB/s (1468798 bytes in 0.400s)
pkg: /data/local/tmp/Superuser.apk
Failure [INSTALL_FAILED_ALREADY_EXISTS]
C:\Users\AJ\Desktop\Android>
Try ES Explorer and do it again; the first time it said sorry test failed but when I repeated it, it gave me access. If you have superuser you pretty much are rooted, and if not follow the qemu root process.
Hello everyone,
I have a weird problem with my HTC One (Japanese version HTL22). The Hboot is 1.57, android version 4.4.2. I basically tried every method, even the one specific for this HTL22, but I encounter a weird issue:
On adb, I am able to push the revone into the temp dir; chmod 755 but when I want to prepare the S-OFF with revone-P I always got the same error message:
Gaining root access (thanks to Dan's motochopper)...[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
...
I also tried with the run_root_shell made for htl22, to use before revone but error came out:
Device detected: ()
Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x80608000 form iomem
Attempt fb_mem exploit...
Detected kernel physical address at 0x80608000 form iomem
Failed to open /dev/graphics/fb0 due to Permission denied
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
() is not supported.
Failed to setup variables.
The first line is odd to me, it's like it doesn't find my phone: Device detected: (). I tried to type adb devices and it finds my phone, but if I enter the shell, then type adb shell, the list is empty. I don't know if it is normal or not.
And yes the debug option is on!
Any advice for my case? Thank you very much in advance!
erannou said:
Hello everyone,
I have a weird problem with my HTC One (Japanese version HTL22). The Hboot is 1.57, android version 4.4.2. I basically tried every method, even the one specific for this HTL22, but I encounter a weird issue:
On adb, I am able to push the revone into the temp dir; chmod 755 but when I want to prepare the S-OFF with revone-P I always got the same error message:
Revone? As far as I'm concerned it doesn't work with HBOOT 1.57
erannou said:
Hello everyone,
I have a weird problem with my HTC One (Japanese version HTL22). The Hboot is 1.57, android version 4.4.2. I basically tried every method, even the one specific for this HTL22, but I encounter a weird issue:
On adb, I am able to push the revone into the temp dir; chmod 755 but when I want to prepare the S-OFF with revone-P I always got the same error message:
Gaining root access (thanks to Dan's motochopper)...[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
[-] Failed to open framebuffer device.
...
I also tried with the run_root_shell made for htl22, to use before revone but error came out:
Device detected: ()
Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x80608000 form iomem
Attempt fb_mem exploit...
Detected kernel physical address at 0x80608000 form iomem
Failed to open /dev/graphics/fb0 due to Permission denied
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
() is not supported.
Failed to setup variables.
The first line is odd to me, it's like it doesn't find my phone: Device detected: (). I tried to type adb devices and it finds my phone, but if I enter the shell, then type adb shell, the list is empty. I don't know if it is normal or not.
And yes the debug option is on!
Any advice for my case? Thank you very much in advance!
Are you using windows or linux? Try this ADB and fastboot I attached to the post. Also have you unlocked the bootloader yet through HTCdev?
johnwayne007 said:
Are you using windows or linux? Try this ADB and fastboot I attached to the post. Also have you unlocked the bootloader yet through HTCdev?
Thank you for your answer.
I am using Windows 7, I tried on 8 and it is the same result.
HTCdev doesn't work for me as my carrier is not allowing it...
I tried your files but the result is the same.
Is there any method for hboot 1.57? I will maybe try sunshine but as it is not free, I am afraid it won't work with my phone, as my final goal is to get rid of the sim lock!
erannou said:
Thank you for your answer.
I am using Windows 7, I tried on 8 and it is the same result.
HTCdev doesn't work for me as my carrier is not allowing it...
I tried your files but the result is the same.
Is there any method for hboot 1.57? I will maybe try sunshine but as it is not free, I am afraid it won't work with my phone, as my final goal is to get rid of the sim lock!
Only Sunshine method to s-off hboot 1.57
MaratabHashmi said:
Only Sunshine method to s-off hboot 1.57
Thank you for your answer. I guess I have no choice then.
With sunshine I should be able to unable the sim lock right? Or the hboot 1.57 will prevent me to do it?
Thank you in advance!
erannou said:
Thank you for your answer. I guess I have no choice then.
With sunshine I should be able to unable the sim lock right? Or the hboot 1.57 will prevent me to do it?
Thank you in advance!
Sim unlock is not achieved with s-off, it's 2 different things. You need to purchase a sim unlock code.
I just updated and rooted stock android 5.1.1 on my xperia Z1 and ro works for everything but ES file explorer. Before the update it was working (on android 5.0.1) but no matter how many times I switch the option on it just does this:
asks for root permission, I grant, it switches on for 3 seconds then slides back off saying sorry test failed this feature can't run on your device.
xdarkmario said:
I just updated and rooted stock android 5.1.1 on my xperia Z1 and ro works for everything but ES file explorer. Before the update it was working (on android 5.0.1) but no matter how many times I switch the option on it just does this:
asks for root permission, I grant, it switches on for 3 seconds then slides back off saying sorry test failed this feature can't run on your device.
Did you disable Sony RIC?
xasbo said:
Did you disable Sony RIC?
I have never heard of Sony RIC, what's that?
I downloaded some sony RIC killer v2 and used it, this is the output
Code:
=============================================
Getting device variables
=============================================
Device model is C6902
Firmware is 14.6.A.0.368
Checking if device is rooted...
Device rooted.
=============================================
Sending files
=============================================
1870 KB/s (657704 bytes in 0.343s)
52 KB/s (849 bytes in 0.015s)
Copying kernel module...
1077 KB/s (34473 bytes in 0.031s)
51 KB/s (823 bytes in 0.015s)
424 KB/s (13592 bytes in 0.031s)
Kernel version is 3.4.0-perf-g4fd66c3
Version does not match 3.4.0-perf-ge4322cd, needs patching...
dd: conv option disabled
Kernel module patched.
error: only position independent executables (PIE) are supported.
=============================================
Checking for Sony RIC
=============================================
Sony RIC Service found.
Installing RIC kill script installmount.sh...
insmod: init_module '/data/local/tmp/wp_mod.ko' failed (Exec format error)
mount: Operation not permitted
Stock mount does not exist. Creating dir and link
mkdir failed for /system/bin/stock, Read-only file system
Unable to open /system/bin/stock: No such file or directory
ln: /system/bin/stock/mount: No such file or directory
rm: /system/bin/mount: Read-only file system
cp: /system/bin/mount: Read-only file system
Unable to chmod /system/bin/mount: Read-only file system
Installing of mount.sh finished
Done. You can now unplug your device.
Enjoy SONY RIC KILLER
=============================================
What to do next?
- Modify platform.xml to access SD card without issues.
Press any key to continue . . .
Do I need a custom kernel? I don't really feel the need to install a custom kernel if I don't have to.
EDIT: SGP621-RICDefeat.zip seems to work, root is working as far as I can see for now
xdarkmario said:
I have never heard of Sony RIC, what's that?
The RIC is what prevents you from (normally) making /system read/writeable on the stock kernel. Normally, this is defeated by flashing root and a RIC killer at the same time (e.g., SuperSU + XZDR).
Looks like you've got it sorted.
I have a rooted xperia zr on 5.1.1 with superSU and dual recovery installed but can't get ES explorer to let me use root explorer after providing super user access to the app. Can't get sony ric killer to work, either. I'm flat out of ideas.
I've had this issue when I flashed the latest 5.1.1 zip. The solution that worked for me was to flash the kernel with XZDR again. After that the root explorer option in ES file explorer sticks.
Bro, you have to disable Sony RIC