Database Develop

Rooting the Tattoo(its done!) - what we have got so far

Finally the race is over and some brave devs managed to get root on the tattoo and some were able to reproduce it on their own devices already. But notice: We are in an early stage of development. There is no one-klick-get-root app at the moment and there is still much work to be done until we get custom roms.
I will try to keep track of the ongoing development and update this post periodically. I've you find a mistake or get something new, let us know but we can't give support to every linux-nob at this point of development!
At the moment beeing root on the tattoo does NOT enable you to use the usual applications like Wifi Tethering that need root out of the box. You are also unable to write to /system by default. Now there is a new hack to make /system writable (look at the bottom of this post)
[size=+2]Status[/size]
Last update: 26.02.2010 - 12:55 MEZ
[size=+1]Rooting[/size]
The tattoo was successfully rooted the first time on 19.02.2010 ( http://forum.xda-developers.com/showpost.php?p=5672597&postcount=93 ). It was reproduced by some other users already, there is some work to be done make the exploit work more easily.
Because it has been asked many times: If there will ever be an OFFICIAL update with android 2.1 by HTC for the Tattoo (nobody knows definitively), this root-exploit will NOT work! You will lose root then!
It was done by porting this exploit http://www.milw0rm.com/exploits/8678 to the arm plattform and the tattoo. It uses a security hole in kernel 2.6.29 that wasn't patched in tattoos kernel. All began here on 10.2.2010 (the first post doesn't has to do anything with this): http://forum.xda-developers.com/showthread.php?t=631540
Kudos to zanfur, bftb0, mainfram3, HT123 and others (sorry if I forgot an important one).
The exploit was tweaked to deliver root more reliable.
[size=+1]Flashing custom roms[/size]
To develop custom roms won't be the problem, but the tattoo has got some extra security mechanisms that don't make it trivial to flash a new rom even now we have root. There is work going on to solve this.
[size=+1]Howto get root-privileges[/size]
I think it is save to follow but this is done at your own risk. Don't blame me if you Tattoo explodes, eats your hamster or make your girlfriend leave you.
Remember: We're in an early state of development, this is no Klick-an-Run-app, linux knowledge is needed.
Newbis on Windows should follow this howto made by Coburn64, its much easier than this one: http://forum.xda-developers.com/showthread.php?t=637927
Download this to your PC and unzip: View attachment 285070
(the older release was called m6 and can be found here: View attachment r00t.zip)
m7 is the binary. Push m7 to your Tattoo using adb:
Code:
adb push m7 /data/local/bin/m7
adb chmod 755 /data/local/bin/m7
Start a shell:
Code:
adb shell
Start the exploit in the shell:
Code:
cd /data/local/bin
while `true` ; do /data/local/bin/m7; done
The new m7 is an improved version of the old m6, it now should bring you root much more reliable.
With the old m6 while it is running, bring up and close random apps via task manager on the tattoo. This might not be necessary with m7. After a while the exploit should report success and come up with a root-shell. The promt should change from
Code:
$
to
Code:
#
Sometime the exploit stopps but no shell ('#') comes up. Just terminate it with ^C and try again.
You did it, you should be root now!
Let's set some variables:
Code:
export LD_LIBRARY_PATH=/system/lib
export PATH=/system/bin
When you got your shell, check if you are really root:
Code:
id
You should get something like this:
Code:
# id
uid=0(root) gid=1000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
uid=0(root) is important.
To get a root-shell more easily next time, we have to make su work.
Take this su binary and push it in your tatto: http://www.fileuploadx.de/45656
Code:
adb push su /data/local/bin/su
Remount /data without the nosuid-option
Code:
# mount -o rw,remount /dev/block/mtdblock3 /data
Change the owner to root and set the suid-bit
Code:
# chown root.root /data/local/bin/su
# chmod 4755 /data/local/bin/su
Now you don't have to run the exploit again, just open a normal shell and run
Code:
$ /data/local/bin/su
Now you should be root!
Attention: If you reboot your phone, you have to run the exploit and the mount command again because /data will be mounted nosuid again!
Thats it!
Some suggestions for going on. When you run mount, you will see that some partitions are mounted read-only and/or with the nosuid-option. You can change this by running:
Code:
mount -o rw,remount /dev/block/mtdblockYOUWANT /DIRtoREMOUNT
[size=+2]Other developer stuff[/size]
Here I will list all other thinks, more dangerous and not with all steps described in detail because you should know how to do this if you want to
New: Make /system writeable
This is a dangerous part, it might break you system forever unless you don't know what you are doing! Don't try it unless you are a dev! That is the reason why the steps you have to do are not described in a more detailed way. If you don't know what to type in, you shouldn't try this hack!
Download View attachment 286072
1. Copy tattoo-hack.ko from the zip to /data/local/bin
2. # insmod /data/local/bin/tattoo-hack.ko
3. Remount system partition to be writeable
Now you can do everything with /system until you reboot. /system is the only partition that is mounted without nosuid after reboot, so copy su over to /system/bin/ to keep root permanently. To be able to use programs like setcpu you have to replace /system/bin/su with this su:
View attachment 286154
Flashing a custom recovery image
This is in alpha-state but we are able to flash custom recovery images what is the determining step to flashing custom roms. Don't ask how to flash android 2.x (we didn't do it right now) or when it will be ready. It will bes sometimes...
http://forum.xda-developers.com/showthread.php?t=639486
Have a lot of fun!
-bm-

BTW.. In order for /data/local/bin to exist it's probably best you do the busybox install to there first.. also the busybox commands are very handy.

Great - bm - thank you very much

-bm- said:
-bm-
Click to expand...
Click to collapse
This is a great day, it's really amazing how people could work together searching the good way to root this awesome little phone. Just to say I've really appreciated your work... I followed all you guys day by day... Thank you everyone, sorry for the OT.
Anyway... risks of bricks?

elvisior said:
BTW.. In order for /data/local/bin to exist it's probably best you do the busybox install to there first.. also the busybox commands are very handy.
Click to expand...
Click to collapse
Youre right, busybox makes further development more handy. But I think it isn't needed for /data/local/bin to exist, because for me it was there and I've got no busybox on my tattoo

chdir /data/local/bin
Click to expand...
Click to collapse
instead of
chdir to /data/local/bin
Click to expand...
Click to collapse

Thanks Man.
Nice team work.

stupid noobie question how Push m6 to your Tattoo using adb! can anyone possible make a noobie tutorial?!

@zoko : Use your favorite linux distribution.

please can you help me?when I do .m6 in shell i get
Code:
[ Overwritten 0xb0000100
but no #, any help for me?

ApotheoZ said:
@zoko : Use your favorite linux distribution.
Click to expand...
Click to collapse
You don't need Linux. Windows or even Mac OS will do just fine.
Zoko, grab adb.exe from the Android SDK. To install m6, just run:
Code:
adb push m6 /data/local/bin/m6

chusen said:
please can you help me?when I do .m6 in shell i get
Code:
[ Overwritten 0xb0000100
but no #, any help for me?
Click to expand...
Click to collapse
As I try to say in my howto (okay, my english is not the best ;-) ): That happens quite often. Just stop it with ^C ([control]+C) and start the exploit again until you have luck!

zoko said:
stupid noobie question how Push m6 to your Tattoo using adb! can anyone possible make a noobie tutorial?!
Click to expand...
Click to collapse
Hi zoko!
Please use google to find a tutorial for pushing files using adb, there are many out there and using adb is not tattoo-specific!
We don't have time to provide more service at the moment ;-)
By the way: I'm happy about everybody testing, but I wonder what you want to do with a root-shell I you even didn't use adb before. But learning and trying is always a good thing but please consider learning by googling also ;-)
Have a lot of fun!
-bm-

thanks but i try and try and try... and same result, more ideas or only try it?

Is there any way to mount /data r/w on boot?
I doubt it because the exploit should be run first... hmm
So now we need a custom rom with root privileges

...first a recovery.. i think

after i run the exploit once I have to reboot the phone to be able run it again or i get
HTML:
$ usage: reboot [-n] [-p] [rebootcommand]
.
any option to be able to run it more than once without rebooting the phone?

The Tattoo Root (kit)
Here's a small installation batch, to make it easier for everyone.
Download the supplied zip (TattooRoot).
Run 'install-tattoo-root'.
Code:
--------------------------------------------------
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
300 KB/s (5546 bytes in 0.018s)
1366 KB/s (356916 bytes in 0.255s)
9 KB/s (126 bytes in 0.013s)
--------------------------------------------------
M6 exploit (shoryuken derived with ARM shellcode from Zanfur)
installed to /data/local/bin
STEP 1:
Launch adb shell at the command prompt
Once in a shell type:
while `true` ; do /data/local/bin/m6; done
The exploit has succeded once you get a root prompt (indicated by #)
Retry the while loop above, until you get the root prompt
STEP 2:
Run /data/local/bin/create_su.sh to create a
suid shell in /data/local/bin/su
I think the comments are self-explanatory. If you can't get the m6 into your Tattoo, even with the help of this batch, I suggest you wait a little longer for a more foolproof way to free your Tattoo
Everytime you reboot your Tattoo you'll have to execute steps 1 and 2 again.

@mainfram3 i dont get same results
Code:
--------------------------------------------------
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
300 KB/s (5546 bytes in 0.018s)
1366 KB/s (356916 bytes in 0.255s)
9 KB/s (126 bytes in 0.013s)
--------------------------------------------------
M6 exploit (shoryuken derived with ARM shellcode from Zanfur)
installed to /data/local/bin
STEP 1:
Launch adb shell at the command prompt
Once in a shell type:
while `true` ; do /data/local/bin/m6; done
The exploit has succeded once you get a root prompt (indicated by #)
Retry the while loop above, until you get the root prompt
STEP 2:
Run /data/local/bin/create_su.sh to create a
suid shell in /data/local/bin/su
i get
Code:
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
34 KB/s (5546 bytes in 0.156s)
796 KB/s (356916 bytes in 0.437s)
7 KB/s (126 bytes in 0.015s)
--------------------------------------------------
where are my error?

chusen said:
i get
Code:
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
34 KB/s (5546 bytes in 0.156s)
796 KB/s (356916 bytes in 0.437s)
7 KB/s (126 bytes in 0.015s)
--------------------------------------------------
where are my error?
Click to expand...
Click to collapse
Chusen,
That is allright.
Now, launch a adb shell by typing
Code:
adb shell
and then try the exploit
Code:
$ while `true` ; do /data/local/bin/m6; done
until your greeted with:
Code:
[ Overwritten 0xb0000100
# <---- This # indicates you got root

[ROOTING] The M7 Exploit + Newbie Guide

To be honest, I'm a nice guy, but when threads get filled with utter "OMG, How do I root?" posts, I get pissed off. I don't mean to backseat moderate or anything, I just really get fed up sometimes. Hence, I've broken out the hardcore side of myself, and I present:
Coburn's (mostly) failproof rootmeplz kthxbai tutorial, featuring the awesome m7 exploit.
YOU CANNOT USE THIS ROOT GUIDE TO INSTALL ANDROID 2.0.x/2.1/2.x AT THIS MOMENT IN TIME. PLEASE DO NOT ASK IF YOU CAN INSTALL ANDROID 2.x USING ROOT, AT THIS STAGE IT'S A BIG FAT NO! THANK YOU FOR YOUR ATTENTION!!
Alright.
Easy to understand, plain english guide
Download the ZIP file attached to this post. Extract the files to a safe location - perhaps C:\Tattoo ?
Now, you'll need adb for windows. You can get it from my website's server here: ADB for windows.
Make sure your device is in USB Debug Mode (Settings > Applications > Development). This is ESSENTIAL!
Extract all the files in the adb4win zip file to your C:\Tattoo folder.
Now, go to Command Prompt. In XP, it's under System Tools in Accessories. In Vista/7, it'll be under accessories.
Do the following at the command line:
C:\Users\Coburn> cd C:\Tattoo
This will change your working directory from C:\Users\Coburn (or silimar) to C:\Tattoo .
Now, at the command line, do this:
C:\Tattoo> adb-windows shell "mkdir /data/local/bin" (with the quotes!).
This makes a directory on the Tattoo under /data/local, called bin. If you get a error (like mkdir failed, file/folder exists), this is fine! Don't sweat it.
Now, run this command:
C:\Tattoo> adb-windows push m7 /data/local/bin/m7
...and wait until finish.
Run this:
C:\Tattoo> adb-windows shell "cd /data/local/bin && chmod 755 ./m7" (with the quotes!)
This allows you to run the sucker.
Now, the fun part. Run this:
C:\Tattoo> adb-windows shell
This will dump you at a "$" shell. do the following:
C:\Tattoo> adb-windows shell
$ cd /data/local/bin
$ while ./m7 ; do : ; done
...lotsa text will flow down your screen. This is normal. Sometimes the exploit causes adb to freeze up, I don't know. I think it may be due to the exploit. It worked on my mac fine though...
Soon, you'll be greeted with this:
#
This is the root prompt! If you get stuff like this:
# usage: reboot ...
usage: reboot ....
usage: reboot ...
Just keep your cool, press enter and the # will say "Boo" again. This is due the exploit spawning reboots to gain the shell.
Then, do these commands from this thread's first post:
-bm- and the hax0rs crew said:
You did it, you should be root now!
Let's set some variables:
Code:
export LD_LIBRARY_PATH=/system/lib
export PATH=/system/bin
[...] check if ur root:
Code:
id
You should get something like this:
Code:
# id
uid=0(root) gid=1000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
uid=0(root) is important.
Click to expand...
Click to collapse
When you get this:
C:\Tattoo> adb-windows shell
$ cd /data/local/bin
$ while ./m7 ; do : ; done
[... lotsa pasta ...]
#
You can do anything then! Look at /system, /data, etc etc. You're broken free, my friend, and you'll forever be free. Until you press that exit button. you didn't. You didn't press that exit button? lolwut u did? Grrrrrrr!!!
EDIT: Added Guide to remount partitions. It's below.
Now you need to install su. Exit your root shell (via CTRL+C) (NO, Coburn, are you serious? ME LOSE ROOT SHELL?! ) and download this su.zip and extract it to C:\Tattoo. DO NOT EXIT THE COMMAND PROMPT WINDOW.
Meanwhile, back at the ranch, in your command prompt window, do this:
C:\Tattoo> adb-windows push su /data/local/bin/su
Then break out a shell...
C:\Tattoo> adb-windows shell
at the $ prompt, enter:
$ chmod 755 /data/local/bin/su
$ cd /data/local/bin/
..run the exploit again via "while 'true' ; do ./m7 ; done" to get root again then enter ...
# chown root.root /data/local/bin/su
# chmod 4755 /data/local/bin/su
# mount -o rw,remount /dev/block/mtdblock5 /data
# mount -o rw,remount /dev/block/mtdblock3 /system (This line allows you to play around with files on the system partition!)
After that, you can exit out of the root shell, and try a normal shell and this:
$ /data/local/bin/su
...which should make you get a nice # prompt. (Sometimes it doesn't, for me it got su: permission denied, wtf?)
(End SU Part of guide)
Tested on Windows 7. Also works on a phone terminal emulator too!
Keep your cool peeps - I do this for fun, I'm not a fulltime android dev. I am an addict though.
Happy rootin my friends.
Cheers,
Tattoo Hacker Coburn.
Greets fly out to the geeks that hacked it originally - without you, I'd have got a nexus one.
Thanks for marsdroid for correcting an error. Kudos to you, bro!
"ANDROID - It's a virus. In a Good Way. Once it's in your system, you can't get rid of it."

You should also add the "su" part in order to get root easier after the first time. Otherwise you have to do the exploit every time you want #

You could also add an explanation on how to remount the partitions without nosuid, so that a suid su can work.

mainfram3 said:
You could also add an explanation on how to remount the partitions without nosuid, so that a suid su can work.
Click to expand...
Click to collapse
Noted. Will do.
LordGiotto said:
You should also add the "su" part in order to get root easier after the first time. Otherwise you have to do the exploit every time you want #
Click to expand...
Click to collapse
Heh, yeah. Might add that up too.

Coburn64.
Thanks Man.
Nice Thread.

Thank you Coburn

svprm said:
Coburn64.
Thanks Man.
Nice Thread.
Click to expand...
Click to collapse
Thanks bro for your thanks.

I'm very glad you did that work, I'm kind of busy but I will update my statusposting and link to your HowTo!
Thats great community work.
[ROOTING] The M7 Exploit + Newbie Guide
Easy to understand, plain english guide
Click to expand...
Click to collapse
I apologize for my english, it's not my native language and I tried my best. ;-)
Keep up your work!
-bm-

-bm- said:
I'm very glad you did that work, I'm kind of busy but I will update my statusposting and link to your HowTo!
Thats great community work.
I apologize for my english, it's not my native language and I tried my best. ;-)
Keep up your work!
-bm-
Click to expand...
Click to collapse
You're welcome. I actually wanted this thread to help your thread, I wanted to spawn a m7 exploit thread to keep the original thread (which is based on the classic m6 exploit) clean of "How do I root with m7" and such.
Keep up the good work too, bm!

Thanks Coburn, so m6 is useless..
adb shell rm /data/local/bin/m6?

thx for the work , and corrections ! deleted the ealyer post

?
When i get # , and type:
# chown root.root /data/local/bin/su
i get :
chown root.root /data/local/bin/su
chown: not found
#
What i'm doing wrong /??

liderzre said:
When i get # , and type:
# chown root.root /data/local/bin/su
i get :
chown root.root /data/local/bin/su
chown: not found
#
What i'm doing wrong /??
Click to expand...
Click to collapse
type
export LD_LIBRARY_PATH=/system/lib
export PATH=/system/bin

rooted
Ty. Guide is not 100% for noobs. (ME).

Problem copying files to system partition after successfull rooting
Hi
The device was rooted successfully (from the first time using m7)
But I have very strange problem.
I try to update some files in the /system (updating fonts in /system/fonts).
I successfully run following command to remount system with rw permissions
/system/bin/mount -o rw,remount /dev/block/mtdblock3 /system
But when I try to copy files to /system/fonts I get "not enough memory" error.
If I run "df" command it shows that /system has 14% free before write attempt
But if I run "df" command after the write attempt I see that there is no free space.
It looks like there is some protection mechanism that prevents copying files to /system partition.
Does any one has an idea how to solve it?
Thanks

ronyrad said:
Hi
The device was rooted successfully (from the first time using m7)
But I have very strange problem.
I try to update some files in the /system (updating fonts in /system/fonts).
I successfully run following command to remount system with rw permissions
/system/bin/mount -o rw,remount /dev/block/mtdblock3 /system
But when I try to copy files to /system/fonts I get "not enough memory" error.
If I run "df" command it shows that /system has 14% free before write attempt
But if I run "df" command after the write attempt I see that there is no free space.
It looks like there is some protection mechanism that prevents copying files to /system partition.
Does any one has an idea how to solve it?
Thanks
Click to expand...
Click to collapse
The problem is well known an jet we have got no explanation. It looks like an additional security system build in by HTC. That is what also prevents us from flashing Custom ROMS at the moment. Development goes on here: http://forum.xda-developers.com/showthread.php?t=631540&page=18 but there is no solution or explanation until now.
-bm-

Could it be that it seems to be that the driver (yaffs) is possibly trying to copy /system into memory, and then reflash the partition all at once (to prevent NAND/NOR tear and wear)?

this guide is in error and will for sure not work ...
you should post probberly ...specially now when things is working....
there is no reason do do a NONSENCE guide .....
thx for the work thoe
Click to expand...
Click to collapse
Excuse me, but it was tested working. I do not post false or misleading information, so please don't accuse me of posting something that won't work. It does work. If you have troubles, you're not following it correctly. Start again and work one step at a time.

Coburn64 said:
Excuse me, but it was tested working. I do not post false or misleading information, so please don't accuse me of posting something that won't work. It does work. If you have troubles, you're not following it correctly. Start again and work one step at a time.
Click to expand...
Click to collapse
don't worry for such baseless allegations coburn.... u r doing a great job. keep up this good work bro.... thanks a lot for this wonderful presentation...
waiting for ur custom ROM.....

Coburn64 u are missing a ; in the 2. while
and i dont expect the newbies to sit back and wait for the "BUUH"..
but im sure someone will....
thx again
EDIT Coburn64 fixed it

[MOD] v0.3.1 Working Full Ubuntu for 1.5.7 and 1.8.3 based on Sogarth's script

Sogarth's webtop2sd will be released soon, you really should wait and install that instead of this! Thanks -The Management
No longer breaks on 1.83, thanks to Romracer
Update: This script worked on my phone. Mind you I was installing it from a fresh SBF flash, but it should work on your phone too. Absolutely no guarantees as usual.
Update 11th April 2011, 06:59 PM: Won't be getting CWM package because it'd be huuuuuuuuuge.
Update 28th April 2011. 16:38 PM: Removing BETA tag since there have been no issues with the script for quite some time.
First off I would like to thank Sogarth for making this script in the first place as well as Romracer for fixing it for 1.83. Since he is busy doing more important work I decided to do this little hack for those of us that updated to 1.5.7 and dont feel like flashing back to earlier versions to get full Ubuntu working.
Again, this is only necessary if you're already running 1.5.7 or 1.8.3.
Secondly, I am still working on this script so it may not work for you. If you have a problem you may post in the thread or PM me showing exactly the error message, word for word, that you receive.
Updates will be included in the OP from time to time as I fix errors.
Instructions:
1) install.bat (from your computer)
2) adb shell (get a shell on your phone)
3) su (get root on your phone in that shell)
4) . /data/local/tmp/install.sh (run the install script *on your phone* don't forget the "." and the space after the dot, or you will have to chmod 755 the shell script manually)
5) ?????
6) profit\
Noob instructions, written by Viamonte (I take no credit or responsibility):
Thanks again for all your help. Now the noob instructions:
"1-Download "Terminal Emulator" from the market, on your phone (or any other terminal), and the file anexed in this thread to your computer.
2-Connect the Atrix to the computer via USB, configuring the connection mode to "None" and enabling USB Debugging mode (Settings>Applications>Development>USB debugging)
3-Unzip the file you downloaded on your pc, and run Install.bat. This will push the script to your phone.
4-Go back to your phone and open the emulator you downloaded. Then type "su" (without quotes) and press enter. Then type ". /data/local/tmp/install.sh" (without quotes) and press enter again.
The script should begin running now. It will stop in two moments where you'll be instructed to get a cup of coffee, and may take several minutes to continue form this point. When finished, the Atrix will reboot.
To check if this worked, use the Webtop either on your multimidia dock or your lapdock and verify if new itens appeared on your task bar and on the right upper side of the screen"
0.3.1 release
0.2 release
0.1 first release
Changelog
0.3.1 fix to gconf file's mdate so it does what its supposed to do =)
0.3 Small typo fixes and cpp package install fix by romracer, now works on 1.83 =)
0.2 Fixed some typos in uninstall.sh and make sure the %gconf file wound up in the right spot.
0.1 - first version. NOT CWM install but ready to be packaged for that more or less

Nice, I'll give this a shot later.

Ill give it a shot when I get home!
Sent from Motorola Atrix on TELUS.

My phone is working perfectly, so why not ruin it?
I'm giving this a try right now!
1.4.57 - Rooted and gingerblurred with HDMI Mirroring and Webtop hack.
I'll update as progress goes along:
Edit 1:
Initial try gave me this
Checking device state...
Obtaining temporary root access...pushing shell scripts
A filesystem file already exists. Reset it? [n] y
Mounting the filesystem...
07.sh
--------------------------------------------
EXECUTION FAILED
Unable to mount the filesystem file. ERR 07
--------------------------------------------
Press any key to continue . . .
Edit 2:
Ok, it doesnt work with resetting it. How about removing?
Checking device state...
Obtaining temporary root access...pushing shell scripts
A filesystem file already exists. Reset it? [n] n
A filesystem file already exists. Delete it? [n] y
Deleting the filesystem file...
--------------------------------------
EXECUTION FAILED
Unable to delete the filesystem file.
--------------------------------------
Press any key to continue . . .
Edit 3:
Ok, only one option left then.
Checking device state...
Obtaining temporary root access...pushing shell scripts
A filesystem file already exists. Reset it? [n] n
A filesystem file already exists. Delete it? [n] n
--------------------------------------------------------------------------
EXECUTION FAILED
The filesystem file already exists, but no operations have been selected.
--------------------------------------------------------------------------
Press any key to continue . . .
=====================================================================
Edit 4:
Since execution is failing I'm trying to find the problem. Using ADB Shell i tried to manually run the shell scripts and stumbled here:
(I tried chmod 777 @ 02.sh to see if that was the problem, no change is results)
# ls -l
...
...
-rwsr-sr-x shell shell 87 2011-04-06 12:13 03.sh
-rwxrwxrwx shell shell 82 2011-04-06 12:11 02.sh
-rwsr-sr-x shell shell 251 2011-04-06 12:04 01.sh
# pwd
pwd
/data/tmp/shell
# /data/tmp/shell/02.sh
/data/tmp/shell/02.sh
/data/tmp/shell/02.sh: not found

I had the same issue as flybob when I tried to run the script.
Sent from my MB860 using XDA Premium App

Good effort, but 1.57 changes how we have to run commands as root. On a normal linux box, I'm sure your methods would work fine, but we're not dealing with a normal su binary. You should look into doing this as CWM as opposed to .bat files. I had a hell of a time getting around the restrictions since the psneuter exploit was closed.

Ah, I did not think about that Ririal, thanks for the info. I am not familiar with CWM though.
Why is the /tmp directory in /data ? That would certainly cause every script to fail.
I'll look at this some more tonight.

Ririal said:
Good effort, but 1.57 changes how we have to run commands as root. On a normal linux box, I'm sure your methods would work fine, but we're not dealing with a normal su binary. You should look into doing this as CWM as opposed to .bat files. I had a hell of a time getting around the restrictions since the psneuter exploit was closed.
Click to expand...
Click to collapse
How about a shell script that we can run in terminal emulator ? and the output goes to screen and a log file for debug !

molotof said:
How about a shell script that we can run in terminal emulator ? and the output goes to screen and a log file for debug !
Click to expand...
Click to collapse
most of the script is now run by shell scripts, no reason you couldn't run them in the terminal emulator, just get the order right. There are also a few lines I didn't translate to shell so you'd have to enter them by hand.
In any case I'll keep working on this until Sogarth releases his version with union mounts =D

You might be interested to know this;
# cd /tmp
cd /tmp
# pwd
pwd
/data/tmp
# ls -l /tmp
lrwxrwxrwx root root 2011-04-09 14:47 tmp -> /data/tmp
I'll happily help with the script, i know tons of linux and got my Atrix ready to be bricked

flybob said:
You might be interested to know this;
# cd /tmp
cd /tmp
# pwd
pwd
/data/tmp
# ls -l /tmp
lrwxrwxrwx root root 2011-04-09 14:47 tmp -> /data/tmp
I'll happily help with the script, i know tons of linux and got my Atrix ready to be bricked
Click to expand...
Click to collapse
That's just a symlinked directory. I won't make a difference if you call either.

Yes, just replied to the previous question
Why is the /tmp directory in /data ? That would certainly cause every script to fail.
I'll look at this some more tonight.
Click to expand...
Click to collapse
However, why doesn't the scripts run as wanted...?
# cat /tmp/shell/02.sh
cat /tmp/shell/02.sh
#!/bin/sh
/system/bin/su
/bin/rm /data/ubuntu.disk > /dev/null 2>&1 && echo PASS#
# ls -l /tmp/shell/02.sh
ls -l /tmp/shell/02.sh
-rwxrwxrwx shell shell 82 2011-04-06 12:11 02.sh
# /tmp/shell/02.sh
/tmp/shell/02.sh
/tmp/shell/02.sh: not found

flybob said:
Yes, just replied to the previous question
However, why doesn't the scripts run as wanted...?
# cat /tmp/shell/02.sh
cat /tmp/shell/02.sh
#!/bin/sh
/system/bin/su
/bin/rm /data/ubuntu.disk > /dev/null 2>&1 && echo PASS#
# ls -l /tmp/shell/02.sh
ls -l /tmp/shell/02.sh
-rwxrwxrwx shell shell 82 2011-04-06 12:11 02.sh
# /tmp/shell/02.sh
/tmp/shell/02.sh
/tmp/shell/02.sh: not found
Click to expand...
Click to collapse
Ah ok my mistake, you didn't quote anything I didn't realize that's what you were responding too
Likely noexec flag causing that issue.
Also, you can't invoke su from inside a shell script. It just doesn't work with this su binary.

yeah, I guess not. I hadn't realized that it wasn't a real 'su' before making this... too bad.
If anyone figures out how to get around that we'll be in business Unfortunately that's way beyond my expertise.

Okay, after fiddling a little bit and talking to a friend I may have solved some of the problems, mainly with the scripts executing and su working.
I will have to rewrite a bunch of things but should report back tonight.

the2dcour said:
Okay, after fiddling a little bit and talking to a friend I may have solved some of the problems, mainly with the scripts executing and su working.
I will have to rewrite a bunch of things but should report back tonight.
Click to expand...
Click to collapse
su -c "command"
You'll have to allow superuser on the phone for every single command.

PM'd you my error. I tried manually editing the permissions, but that didn't work.

Running on GladAtrix2 v3
USB debugging on; USB set to none
Checking device state...
Obtaining temporary root access...pushing shell scripts
-------------------------
EXECUTION FAILED
Unable to chmod scripts.
-------------------------
Press any key to continue . . .
Changed /sdcard-ext to /sdcard in script. Got this error
Checking device state...
Obtaining temporary root access...pushing shell scripts
-------------------------
EXECUTION FAILED
Unable to chmod scripts.
-------------------------
* server not running *
Press any key to continue . . .
Running BETA_ubuntu-1.0.6.4.zip. File extracts to BETA_ubuntu-1.0.6.2 directory. Ran ubuntu-1.5.7.bat
Moved BETA_ubuntu-1.0.6.2 to C:\ Same error

The only easy workaround to that I can see at the moment is to
Code:
adb shell
su
chmod 777 /path-to-scripts/*
ls -l /path-to-scripts/*
make sure all the files are executable (should say rwxrwxrwx)
then remove the bit of code from 1.5.7.bat
Code:
set retval=
for /f "tokens=*" %%l in ('%~dps0adb.exe shell "/bin/chmod 6755 /mnt/sdcard-ext/shell/* > /dev/null 2>&1 && echo PASS"') do set retval=%%l
if "%retval%" neq "PASS" set message=Unable to chmod scripts. && goto abort
If anyone can help me fix this problem I should be able to automate the chmod process using ririal's suggestion of su -c. The problem is that there are too many nested quotation marks in this section of the batch file, and I can't for the life of me figure out how to escape quotes so they pass through to adb:
Code:
set retval=
for /f "tokens=*" %%l in ('%~dps0adb.exe shell "/system/bin/su -c [U]'/bin/chmod 6755 /mnt/sdcard-ext/shell/*'[/U] > /dev/null 2>&1 && echo PASS"') do set retval=%%l
if "%retval%" neq "PASS" set message=Unable to chmod scripts. && goto abort
The underlined bit is where I need to escape either single or double quotes.

the2dcour said:
The only easy workaround to that I can see at the moment is to
Code:
adb shell
su
chmod 777 /path-to-scripts/*
ls -l /path-to-scripts/*
make sure all the files are executable (should say rwxrwxrwx)
then remove the bit of code from 1.5.7.bat
Code:
set retval=
for /f "tokens=*" %%l in ('%~dps0adb.exe shell "/bin/chmod 6755 /mnt/sdcard-ext/shell/* > /dev/null 2>&1 && echo PASS"') do set retval=%%l
if "%retval%" neq "PASS" set message=Unable to chmod scripts. && goto abort
If anyone can help me fix this problem I should be able to automate the chmod process using ririal's suggestion of su -c. The problem is that there are too many nested quotation marks in this section of the batch file, and I can't for the life of me figure out how to escape quotes so they pass through to adb:
Code:
set retval=
for /f "tokens=*" %%l in ('%~dps0adb.exe shell "/system/bin/su -c [U]'/bin/chmod 6755 /mnt/sdcard-ext/shell/*'[/U] > /dev/null 2>&1 && echo PASS"') do set retval=%%l
if "%retval%" neq "PASS" set message=Unable to chmod scripts. && goto abort
The underlined bit is where I need to escape either single or double quotes.
Click to expand...
Click to collapse
^ escapes batch, \ escapes shell. Hope this helps. If you zip up and send me the whole process in a single .sh file I can wrap it up in CWM for you.

[ROOT][HOW-TO]Working Root Method for ICS 4.0.4

** Update ****************
************************
Posted a .zip with scripts for both Windows and *nix users to automate the process.
Linux:
-----
Unzip the contents of the attached ICS404root.zip anywhere on your computer and run the script aptly named "runme_root_script.sh". It should take care of the rest. Make sure you have USB Debugging enabled and you put the phone in Camera mode, not mass storage device.
Windows:
---------
Unzip ICS404root.zip wherever you want and then run "rootscript.bat". Make sure you have USB Debugging enabled and you put the phone in Camera mode, not mass storage device.
*************************
*************************
Credit to miloj for finding this technique on the Transformer. (See the thread noted below and be sure to thank him!) I modified it to work on our devices.
http://forum.xda-developers.com/showthread.php?t=1704209
I'll put together a script to automate this process shortly, but if you're antsy like me, here's the lowdown:
1. Download the following files:
su: http://db.tt/ShPzea6I
debugfs: http://db.tt/bGFh43LZ
2. Save the two files downloaded above on /sdcard. (ie: mount your sdcard in windows and copy them over, or "adb push" them to /sdcard).
**Make sure you have your phone on Mount Camera mode, not as a mass storage device; otherwise, you won't be able to access your /sdcard directory via adb. **
3. In a linux terminal/Windows command prompt:
Code:
adb shell
[email protected]_maserati:/ $ cd /sdcard
[email protected]_maserati:/ $ cp su /data/local/12m/
[email protected]_maserati:/ $ cp debugfs /data/local/12m/
[email protected]_maserati:/ $ cd /data/local/12m
[email protected]_maserati:/ $ chmod 755 debugfs
[email protected]_maserati:/ $ chmod 755 su
[email protected]_maserati:/ $ mv batch batch.bak
[email protected]_maserati:/ $ ln -s /dev/block/mmcblk1p20 batch
[email protected]_maserati:/ $ exit
adb reboot
4. While you are waiting for the phone to reboot, type the following into your terminal/command window:
Code:
adb wait-for-device shell
5. Once you're back into the android shell:
Code:
[email protected]_maserati:/ $ cd /data/local/12m
[email protected]_maserati:/ $ rm batch
[email protected]_maserati:/ $ mv batch.bak batch
[email protected]_maserati:/ $ /data/local/12m/debugfs -w /dev/block/mmcblk1p20
(The following is entered at the "debugfs:" prompt)
debugfs: # cd xbin
debugfs: # write /data/local/12m/su su
debugfs: # set_inode_field su mode 0104755
debugfs: # set_inode_field su uid 0
debugfs: # set_inode_field su gid 0
debugfs: # quit
[email protected]_maserati:/ $ cd /data/local/12m
[email protected]_maserati:/ $ rm su
[email protected]_maserati:/ $ rm debugfs
[email protected]_maserati:/ $ exit
adb reboot
Done deal. Now you've got the "su" binary pushed to your /system partition and set with the proper permissions for execution. Download the Superuser app from the market and you're good to go. Make sure you update the su binary within the Superuser app as well to make sure you're up to date.

Awesome! Were you able to upgrade to the latest leak and not lose root? Btw, what carrier are you on? I figured out how to get tethering fully functional on rogers but the process requires root...
Sent from my XT894 running ICS

You bet. I had to fastboot the leaked .208 update over top of the .206 update yesterday because I messed up my /system partition; I had used the OTA Rootkeeper to keep root permissions when upgrading from .219 but had foolishly disabled it right before I bungled everything up.
So to sum it up, this method didn't require anything to be done before updating to the .208 leak; since it has nothing to do with the technical details of the kernel itself, I'm fairly certain it should work for the .200 or .206 leaks as well. Root permissions were obtained from a completely stock system.
I'm in Canada with Bell but it doesn't matter because I imported the phone from the US; Verizon is the only carrier that has this phone. At any rate, this method is pretty universal, it is preying on a vulnerability present in the stock init.rc file and I bet it would work on other phones such as the RAZR as well.

So we can confirm this is 100% working with Fastbooting back and moving to 208? If so I will probably jump on this immediately.

I am trying to do this method but I cant adb to detect my phone. Im on the .208 leak. Can anybody help?

Have you enabled USB Debugging in the Settings->Developer Options menu?

Rick#2 said:
Have you enabled USB Debugging in the Settings->Developer Options menu?
Click to expand...
Click to collapse
Yep.

Not able to reboot, trying manually...
Code:
debugfs: /data/local/12m/su: Permission denied
debugfs: su: File not found by ext2_lookup
debugfs: su: File not found by ext2_lookup
debugfs: su: File not found by ext2_lookup
Had to reboot manually twice. This is the only error message I received. Tried Superuser, but it stops.
I'm on .200 btw.

droidian1441 said:
Yep.
Click to expand...
Click to collapse
I'm having the same issue. I'm on the 208 leak. I start command prompt in windows then type "adb shell" and I get the "device not found" message. I enabled usb debugging and my phone is connected as mass storage.

Likewise, Reboot requires su access, manual only. When I go and run the write command in debugfs permission denied. Any ideas what would cause this? Based on the code shown in the first post, SU had been already acquired(# vs $), which makes me wonder here.

Die Bruine said:
Not able to reboot, trying manually...
Code:
debugfs: /data/local/12m/su: Permission denied
debugfs: su: File not found by ext2_lookup
debugfs: su: File not found by ext2_lookup
debugfs: su: File not found by ext2_lookup
Had to reboot manually twice. This is the only error message I received. Tried Superuser, but it stops.
I'm on .200 btw.
Click to expand...
Click to collapse
Looks like you're doing something wrong with the debugfs command; you don't want to enter /data/local/12m/su at that prompt.
Running su from any partition other than /system will lead to a permissions error, so you don't want to bother trying to execute it from the /data/local/12m location.
(The following is entered at the "debugfs:" prompt, ie: after executing /data/local/12m/debugfs -w /dev/block/mmcblk1p20; see step 5.)
Code:
debugfs: # cd xbin
debugfs: # write /data/local/12m/su su
debugfs: # set_inode_field su mode 0104755
debugfs: # set_inode_field su uid 0
debugfs: # set_inode_field su gid 0
debugfs: # quit

Grizzy3 said:
I'm having the same issue. I'm on the 208 leak. I start command prompt in windows then type "adb shell" and I get the "device not found" message. I enabled usb debugging and my phone is connected as mass storage.
Click to expand...
Click to collapse
Ive got the same situation over here. I can stick without root, just the fact that I would have it again would be just the single reason to do it. Lol.
Sent from my DROID4 using Tapatalk 2

Code:
debugfs 1.42 (29-Nov-2011)
debugfs: cd xbin
cd xbin
debugfs: write /data/local/12m/su su
write /data/local/12m/su su
/data/local/12m/su: Permission denied
Rick, that's what we're putting in. From the code you posted it shows that you had root access already. Do you have any other suggestions on this? Because that's the in and out I get.
---------- Post added at 04:57 AM ---------- Previous post was at 04:53 AM ----------
Problem resolved. Need to run the following code:
Code:
chmod 755 debugfs
chmod 755 su
Then continue with rooting.

gdeeble said:
From the code you posted it shows that you had root access already.
Click to expand...
Click to collapse
Not sure where you're making this assumption from. I just wrote the "#" symbol in there to signal where to start entering commands... though I suppose you're correct in pointing out that the "#" shows up on a root prompt. A smarter choice probably would have been "$".
Trust me, I'm not an idiot. I wouldn't have gone through the hassle of writing up the guide in the first post if it didn't work.

Didn't mean it that way, just looked like it already had root, which was what confused me. But thanks again for this. :-D

Tried it again. This time no errors and the phone rebooted. But now Superuser keeps on FC .
Reinstalled superuser, updated and busybox. Now rooted! Thnx.
BTW, you might wanna update the OP. Do not batch the commands under windows. I tried several times. I think there is something wrong with the timing. Manually entering all the commands in a shell works. But putting them in a batch will enter them too fast for ADB to handle (under Windows shell) I guess.

Die Bruine said:
BTW, you might wanna update the OP. Do not batch the commands under windows. I tried several times.
Click to expand...
Click to collapse
I don't know, it seemed to work fine for me with the script I made. Anyways, glad it worked out for you.
Now that we can re-root as well as (somewhat convolutedly) fastboot ourselves back on track, we're good to go.

droidian1441 said:
Ive got the same situation over here. I can stick without root, just the fact that I would have it again would be just the single reason to do it. Lol.
Sent from my DROID4 using Tapatalk 2
Click to expand...
Click to collapse
As stated in the guide, you need to be in camera mode not mass storage.
Sent from my DROID4 using XDA

I was trying to do it manually last night before the OP posted the batch file, and it was not working because I was in MTP instead of PTP. SO make sure you use PTP.
Put your phone in camera (PTP) mode for the USB connection and it should work fine. Also, after it completes, download Superuser from the market.
I ran Titanium Backup after everything and it told me it needed to fix my su binary permissions or something like that... I let it do its thing... Either way, IT WORKED!!!!!

I put it in camera mode and made sure usb debugging is enabled. Then I ran the script for windows. Still getting the device not found error throughout. Really don't know what's going on.

Bricked over mistake, please help.

i have a Japanese HTC One or HTL22. I tried to sim unlock it as shown in this URL.
Code:
adb push misc.img /
adb shell
# dd if=/misc.img of=/dev/block/mmcblk0p19
# reboot
Upon writing this codes in cmd, i made a mistake: instead of /mmcblk0p19 I input /mmcblk0p1.
There was a message saying
Code:
/dev/block/mmcblk0p1: write error: No space left on device
257+0 records in
257+0 records out
131072 bytes transferred in ...
So i think the misc.img is transferred into the device (though it said no space left). And now the device wont boot.
Please help. Thanks.

I cant delete this thread. Please go to and reply in any of the following pages:
for HTC One
for Android