Working towards a root exploit - Xperia Z3 Developer Discussion [Developers Only]

As there doesn't seem to be a place where developers can put their heads together working on a root exploit, I shall start one.
An exploit that gives system-level privileges (not root) was released earlier today http://seclists.org/fulldisclosure/2014/Nov/51 so I decided to look into how Sony's apps access the DRM on the Z3. I looked into the AndroidManifest.xml of ServiceMenu.apk and found this permission
<uses-permission android:name="com.sonymobile.permission.ACCESS_DRM"/>
I am pretty sure this is only allowed for system apps as: ServiceMenu is listed as
android:sharedUserId="android.uid.system"
and is located in /system/app/
I am interested in what this permission actually gives access to. If it gives access to the DRM keys themselves, backing them up would not be too much of a problem and they could most likely be restored fairly easily after unlocking. This permission could also simply give access to a check of whether the DRM keys are valid (much less useful for us). I would be interested in having someone with root debug the service menu and determine what actually gets called when checking the status.
I hope this belongs here and I hope some other developers who actually have access to a device right now (RMA) could help and work together. If this doesn't belong here let me know.

backup TA
What does this method do, please: download the correct firmware with PC Companion, decrypt it with Flashtool and then start a backup with these files.
Then I have a backup of my original ROM including the TA partition.
Is that correct?

konsolen said:
What does this method do, please: download the correct firmware with PC Companion, decrypt it with Flashtool and then start a backup with these files.
Then I have a backup of my original ROM including the TA partition.
Is that correct?
Not as I understood it: in order to back up the TA partition you need root, but the only way to gain root access currently is by unlocking the bootloader, which wipes the TA partition -> you need a backup done before unlocking the BL, so we need an exploit which grants us root access or access to install SuperSU without unlocking the BL first; then you can back up TA and all is fine.

Yes, I also thought so.
But then I tried to download a firmware for my plugged-in device with Sony's PC Companion.
Then after the decrypt I see there is a TA partition.
I wrote to Sony asking if every SGP621 can use these downloaded firmware blobs.
I got the answer that this is only for the tab which was plugged in at the beginning.
So my thought was that this is a complete backup of my device with the device-specific TA partition, because this can also unbrick a totally bricked device.
How can I tell if this TA partition is the correct one?
My produced TA backup has the following inside:
shinano r2 boit config data
author: akio yoshikawa,
Format: TA Partition <HEX8>
UnitID<hex32> UnitSize<hex32> data<hex32>
and then the codes.

^^ DRM keys aren't in the FTF, they are device specific, so to save you some time, there's not likely anything of interest to be found in any decryption of the FTF TA partition. (The TA partition is used for more than just DRM btw..)

iBuzman said:
^^ DRM keys aren't in the FTF, they are device specific, so to save you some time, there's not likely anything of interest to be found in any decryption of the FTF TA partition. (The TA partition is used for more than just DRM btw..)
Yes sir, I know. But that's no normal firmware file. That firmware is only for the device ID that started the repair process.
That's a copy of the firmware that's on this device. If you flash this on your device with a Phyton Box it will full brick.
I found in the ta backup tool:
set /p "=Searching for S1 Boot..." < nul
tools\adb.exe shell su -c "%BB% cat /dev/block/%1 | %BB% grep -s -m 1 -c -i 'S1_Boot'">tmpbak\backup_matchS1_Boot
set /p backup_matchS1_Boot=<tmpbak\backup_matchS1_Boot
if "!backup_matchS1_Boot!" == "1" (
echo +
) else (
echo -
)
set /p "=Searching for S1 Loader..." < nul
tools\adb.exe shell su -c "%BB% cat /dev/block/%1 | %BB% grep -s -m 1 -c -i 'S1_Loader'">tmpbak\backup_matchS1_Loader
set /p backup_matchS1_Loader=<tmpbak\backup_matchS1_Loader
if "!backup_matchS1_Loader!" == "1" (
echo +
) else (
echo -
)
Exactly that S1 Loader/Boot is what I get after the decrypt.

Maybe it could help in some way http://seclists.org/fulldisclosure/2014/Nov/81

Xani.e said:
Bounty thread
The link with the exploit seems very interesting.
I just put together a POC of the exploit. I was able to launch a few apps, including Root Explorer, from the Add Account dialog. Unfortunately, I couldn't get anything to modify any contents of /system. After looking at the permissions, /system is still under root ownership, so that makes sense. I'm not sure what elevated access file-wise the system user has, if any, beyond a normal user. Sending spoof SMS and doing factory reset isn't going to get us very far lol.

elkay said:
I just put together a POC of the exploit. I was able to launch a few apps, including Root Explorer, from the Add Account dialog. Unfortunately, I couldn't get anything to modify any contents of /system. After looking at the permissions, /system is still under root ownership, so that makes sense. I'm not sure what elevated access file-wise the system user has, if any, beyond a normal user. Sending spoof SMS and doing factory reset isn't going to get us very far lol.
Lol, thanks for your work with the POC. Now, I'm sure I'm just stating the obvious, but the way I understand it is that we don't really need to modify any files. As long as we can just read the TA partition to make a backup, that's good enough. Guessing that wasn't possible, though? Right?

elkay said:
I'm not sure what elevated access file-wise the system user has, if any, beyond a normal user. Sending spoof SMS and doing factory reset isn't going to get us very far lol.
It seems that system apps have the permission to use "com.sonymobile.permission.ACCESS_DRM":
minijaws said:
I looked into the AndroidManifest.xml of ServiceMenu.apk and found this permission
<uses-permission android:name="com.sonymobile.permission.ACCESS_DRM"/>
I am pretty sure this is only allowed for system apps as: ServiceMenu is listed as
android:sharedUserId="android.uid.system"
and is located in /system/app/.

Xani.e said:
It seems that system apps have the permission to use "com.sonymobile.permission.ACCESS_DRM":
I'll look into this later tonight or tomorrow. Have to head out for the day now.
EDIT - Nm, found the info I needed. Will continue this tonight.
---------- Post added at 01:55 PM ---------- Previous post was at 01:30 PM ----------
Xani.e said:
It seems that system apps have the permission to use "com.sonymobile.permission.ACCESS_DRM":
Got antsy and tried it real quick since I have it set up already to do so. From launching Better Terminal Emulator via the exploit, I tried issuing:
dd if=/dev/block/platform/msm_sdcc.1/by-name/TA of=TA.img
But I still got permission denied. I'll do some more debugging later to ensure that I'm actually getting BTE running as System user.

elkay said:
I'll look into this later tonight or tomorrow. Have to head out for the day now.
EDIT - Nm, found the info I needed. Will continue this tonight.
---------- Post added at 01:55 PM ---------- Previous post was at 01:30 PM ----------
Got antsy and tried it real quick since I have it set up already to do so. From launching Better Terminal Emulator via the exploit, I tried issuing:
dd if=/dev/block/platform/msm_sdcc.1/by-name/TA of=TA.img
But I still got permission denied. I'll do some more debugging later to ensure that I'm actually getting BTE running as System user.
Some more digging has shown that BTE is still running as the app user, not System, when issuing the 'id' command. Looks like native code will need to be executed from the intent rather than launching another app. I'm not sure how to go about executing the 'dd' command from busybox manually from an intent.

elkay said:
Some more digging has shown that BTE is still running as the app user, not System, when issuing the 'id' command. Looks like native code will need to be executed from the intent rather than launching another app. I'm not sure how to go about executing the 'dd' command from busybox manually from an intent.
Don't think it'll be useful since the TA partition has permission 600 and the owner is root

eskamhl said:
Don't think it'll be useful since the TA partition has permission 600 and the owner is root
Yeah I just noticed that, too. Don't think this exploit is going to do much of anything for us. Looks like System isn't much more privileged than a normal user, from a filesystem perspective.

Instead of trying to back up TA, wouldn't it be more useful to try and push the SuperSU binary and app? Once we get this we have access to TA anyway + root seems to be the bigger advantage

EricCartmanez said:
Instead of trying to back up TA, wouldn't it be more useful to try and push the SuperSU binary and app? Once we get this we have access to TA anyway + root seems to be the bigger advantage
That would be ideal, but System isn't enough to write anywhere that I'm aware of where we could push the binaries somewhere usable.

iBuzman said:
coz no delete option.....
I read your original post. What theme apks were you talking about? Wouldn't modifying the apk code require a resign anyway? I'm just curious which apks you meant because I wasn't aware of those.

Is it possible?
Anyone with root on the Z3 makes a backup from root with this app (play.google.com/store/apps/details?id=com.Supersu_Root_Copy_2) and all other users can restore the backup of this one person?
If the root or SuperSU binary needs specific hardware IDs to restore, can I rip these if I use GNU root (whezzyx) to read the specific ID and hardware tags of my original ROM? Or is it possible only with GNU root to back up the TA partition with help from ADB tools?

elkay said:
I read your original post. What theme apks were you talking about? Wouldn't modifying the apk code require a resign anyway? I'm just curious which apks you meant because I wasn't aware of those.
I was under the impression (probably incorrectly) that we actually get away with not resigning, and checking permissions for theme apps suggests system write access. I'll find my original notes on this (from a hangout I had with [NUT] on the topic). My idea was to use a modified theme apk to inject the su binary (and I have no idea how to do that).
edit (notes on themes copy/pasted from hangout)
just looking into com.android.systemui - and yes, looks like it is whitelisted for "MODE_ALLOWED" default access. Sony signatures seem to remain when making themes, so maybe something can be "snuck" into the app to allow root?

I think we got it in in unified xperia section.


Block future updates?

So, anyone come up with a way to block the NC from receiving its firmware updates from B&N? I can see Barnes releasing an update and it just installs itself and wipes out the root we have. I'm sure they can't be happy about all the stuff we are now doing on the Nook, but I'm sure they are especially not happy about us being able to install the Kindle app! In my mind, it's the best of both worlds, but I'm sure B&N wouldn't see it that way. They could (for all practical purposes) put out a 1.0.1 update that blocked that app and killed our root.
The "default way" of disabling OTA updates on Android might work (make sure your device is not currently updating or something):
Code:
mount -o remount,rw /dev/block/mmcblk0p5 /system
cd /etc/security
mv otacerts.zip otacerts.zip_DISABLED_OTA_UPDATES
Although the key contained in that ZIP file does not look like it's really used (its name is testkey.x509.pem).
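An added example, not from this thread: a small POSIX shell helper that does the same rename with the checks a careful user would want (is the file really there, is it really a zip, did the rename actually succeed on a read-only /system), plus a way to undo it. The root-directory argument is an assumption introduced here so the functions can be exercised against a scratch directory; on the device you would run them from adb shell after the remount shown above.

```shell
#!/bin/sh
# Added example, not from the thread: rename otacerts.zip (the certificate
# store the OTA updater checks update packages against) with sanity checks,
# and undo it again. The SYSROOT argument is constructed for this example so
# the functions can be run against a scratch directory instead of a real /system.

otacerts_path() {
    # $1 = root to work under ("" means the real filesystem)
    printf '%s/etc/security/otacerts.zip' "${1%/}"
}

# Report "enabled" if the zip is in place, "disabled" if it was renamed,
# "missing" if neither exists (firmware without the file, or wrong path).
ota_status() {
    certs=$(otacerts_path "$1")
    if [ -f "$certs" ]; then
        echo enabled
    elif [ -f "${certs}_DISABLED_OTA_UPDATES" ]; then
        echo disabled
    else
        echo missing
    fi
}

# Refuse to rename something that is not actually a zip (zip files start "PK").
looks_like_zip() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

disable_ota() {
    certs=$(otacerts_path "$1")
    case $(ota_status "$1") in
        disabled) echo "already disabled"; return 0 ;;
        missing)  echo "no otacerts.zip under ${1:-/}" >&2; return 1 ;;
    esac
    if ! looks_like_zip "$certs"; then
        echo "$certs does not look like a zip, not touching it" >&2
        return 1
    fi
    # a read-only /system makes mv fail; surface that instead of guessing
    if ! mv "$certs" "${certs}_DISABLED_OTA_UPDATES"; then
        echo "rename failed: is /system mounted read-write?" >&2
        return 1
    fi
    echo "disabled"
}

enable_ota() {
    certs=$(otacerts_path "$1")
    if [ ! -f "${certs}_DISABLED_OTA_UPDATES" ]; then
        echo "nothing to restore under ${1:-/}" >&2
        return 1
    fi
    mv "${certs}_DISABLED_OTA_UPDATES" "$certs" && echo "enabled"
}
```

Run `ota_status ""` first to see which state the device is in; `enable_ota ""` puts the file back when you do want the next update.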
Edit: Please disregard my mindless ramblings below (I feel like the noob I am, now). I took a closer look at the code once my mind had emerged from whatever haze had been blocking my deeper thought processes and realized what needed to be done to get it to work (I learned a little more about ADB, which helps). And what's more, I think I did it the right way. *grin* Now, if we knew for sure this would block updates, we'd be set. I suppose we'll find out soon enough.
Thanks for posting the code, Weichel.
weichel said:
The "default way" of disabling OTA updates on Android might work (make sure your device is not currently updating or something):
Code:
mount -o remount,rw /dev/block/mmcblk0p5 /system
cd /etc/security
mv otacerts.zip otacerts.zip_DISABLED_OTA_UPDATES
Although the key contained in that ZIP file does not look like it's really used (its name is testkey.x509.pem).
Just to make sure I'm on the right track (noob here), I'd want to do an "adb shell" then run the script above? Also, read-write access for the NC system partition is probably necessary, yes? I haven't enabled rw access yet, didn't want to take any chances of accidentally bricking my NC.
I tried the code above (without going through the procedure to enable read-write access to the system partition), but it didn't return any messages confirming success or failure.
just looked in that /etc folder and I see install-recovery.sh I wonder what that does.
xboxexpert said:
just looked in that /etc folder and I see install-recovery.sh I wonder what that does.
Overwrites corrupted/custom recovery with the stock one on boot. At least, that's what it did on the OG Droid.
disregard. wrong post
big.t_03 said:
Edit: Please disregard my mindless ramblings below (I feel like the noob I am, now). I took a closer look at the code once my mind had emerged from whatever haze had been blocking my deeper thought processes and realized what needed to be done to get it to work (I learned a little more about ADB, which helps). And what's more, I think I did it the right way. *grin* Now, if we knew for sure this would block updates, we'd be set. I suppose we'll find out soon enough.
Thanks for posting the code, Weichel.
Just to make sure I'm on the right track (noob here), I'd want to do an "adb shell" then run the script above? Also, read-write access for the NC system partition is probably necessary, yes? I haven't enabled rw access yet, didn't want to take any chances of accidentally bricking my NC.
I tried the code above (without going through the procedure to enable read-write access to the system partition), but it didn't return any messages confirming success or failure.
I don't understand the confusion here. You have a rooted Nook Color. Install Root Explorer and go to /system/etc and click the Mount R/W button and then long press the otacerts.zip file and rename it. It's that easy.

[SCRIPT] Root for 4.1.57 (Depreciated, use newer version)

The new update blocks the current ways of attaining root for the device. However, if you have root before you update, it is possible to retain this during the upgrade.
Script is online!
A newer version is available here:
http://forum.xda-developers.com/showthread.php?p=12540398#post12540398
Yeah... I'll just wait for you
Thanks for this! Been holding out on the update ever since I found out you lose root during the beta testing.
If this works I guess it's time to get my desktop back up and running so I can flash back and use this. Damn power supplies dying on me.
I'll wait for your auto script.
Will this be possible btw, anyone?
Flash the 1.5.7 sbf -> run the GingerBlur custom ROM -> run the root script
No, GingerBlur needs root to push its files. Also, if you need a host I can host.
Scripts are online!
Run beforeupdate.bat, update, then run afterupdate.bat.
Haven't tried it yet but wanted to say thanks and great work!
--EDIT -- BELIEVE THIS IS FIXED--
you didn't package the bin folder with psneuter.. :X
In reference to "adb.exe push movesu.sh /data/local/tmp > NUL 2>&1"
movesu.sh is now backup.sh, yes?
Also, busybox "mv /system/xbin/su /system/bin/frozenfish" clobbers the copy from /system/bin, if there is a difference; I thought it was generally a symlink to /system/bin.
Other than that, good idea in renaming the binary file, I probably won't use frozenfish in case Motorola targets that now..
Sounds sweet! If I already updated, can I flash back to the old version, then re-root, then run the script, then update?
Sent from my MB860 using XDA App
Update: Yes You Can ! just finished..
Whoops - I based it from adeo without making the proper changes. Corrected one should be live in a few minutes.
all good take your time..
so far the only corrections were the movesu.sh in beforeupdate.bat
and the missing /bin folder :X .. well technically you just need psneuter in there.. and just change the /bin/psneuter.. to /psneuter saves you time lol
The new version is up. It depends on su being installed on the system. You'll also need to OK a request by Superuser for root before it will run on beforeupdate.bat.
curious as the previous workaround used webtop to retain root through LXterminal... with root on here, will we be able to re-apply the Webtop mod?
by the way, good work
"movesu.sh" is called but doesn't exist.
shawnbuck said:
The new version is up. It depends on su being installed on the system. You'll also need to OK a request by Superuser for root before it will run on beforeupdate.bat.
Do you have the su that does not require Superuser.apk installed?
Let me boot into my windows partition and I'll give it a try. Let me make sure I have the steps right:
Run beforeupdate.bat
Get OTA from system update
Run afterupdate.bat
Anything I'm missing? I'm rooted using aRoot fyi.
I think
adb.exe push movesu.sh /data/local/tmp > NUL 2>&1
is a typo and it should say backupsu
dLo GSR said:
curious as the previous workaround used webtop to retain root through LXterminal... with root on here, will we be able to re-apply the Webtop mod?
by the way, good work
Root here is a normal root, anything you could do before you'll be able to continue doing.
eval- said:
I think
adb.exe push movesu.sh /data/local/tmp > NUL 2>&1
is a typo and it should say backupsu
That's right - I corrected that and added a new version.
OrangesOfCourse said:
Let me boot into my windows partition and I'll give it a try. Let me make sure I have the steps right:
Run beforeupdate.bat
Get OTA from system update
Run afterupdate.bat
Anything I'm missing? I'm rooted using aRoot fyi.
Exactly right. I'll clarify the directions in the OP.
lpsi2000 said:
Do you have the su that does not require Superuser.apk installed?
This doesn't come bundled with a copy of su, it uses the one already installed in the system.
will this work on flash sbf?

[HOW-TO/INFO] Bell FAQ [9-25-2011]

This is my attempt at a Bell FAQ, it is a work in progress.
Q. Why don't the instructions I found on how to do X work?
A. This is a development forum; sometimes things are written in shorthand, assuming you know things you don't. A lot of things are specific to one carrier's phone or another. Sometimes things change and are now obsolete, something new was found, a better way of doing things; if you were not following it all along you are likely to be lost. Read between the lines, you are a human being with reasoning abilities, figure it out.

Q. What should I do first?
A. Back up your phone. That means everything, especially your pds partition. Nandroid won't cut it, and you have already modified your phone beyond the ability to get back if you can run it.
Ex. dd if=/dev/block/mmcblk0p3 of=/sdcard/backup/mmcblk0p3
Save your backup on your computer, create a zip of all the files, burn it off on CD/DVD, put it in a safety deposit box at your bank. Be prepared for bricking your phone. A lot of things mentioned in threads here are developed and tested for ATT phones; they may not work 100% on your phone.

Q. What is ADB?
A. It stands for Android Debug Bridge or something like that. It is a program that runs on your computer that lets you talk to your phone using special commands. Your phone has to have adb enabled; it's a setting under Applications/Development.
Ex. adb shell
This opens a Linux shell connected to your phone. Linux is an operating system for computers; it is also used as the base for Android phones.
Ex. adb install file.apk
Ex. adb push file /tmp
Ex. adb pull /tmp/file .

Q. What is CWM recovery?
A. Android phones come with a special boot configuration that allows for changes to the Android system from a place outside the system. It is very corporate and does the job for official signed updates, but only Motorola and its OEMs can sign the updates. Not much fun for us. CWM recovery is a replacement for the official recovery system that doesn't require signed updates.
You install CWM recovery using fastboot or moto-fastboot.

Q. What is unlocking the bootloader all about?
A. It is the means of putting CWM recovery on your phone so you can install ROMs and other packages. It allows you to flash a partition with mods and have the phone not soft brick when you reboot. When the unlocked versions of the Atrix bootloader were found it started a new round of mods. A lot of the threads prior to that are now obsolete.

Q. How do I unlock the bootloader?
A. There is a huge thread already about this, see here.
WARNING: this is a permanent change to your phone.
Summary:
1. Download the archive.
2. Extract the sbf inside, whatever it's called, that is the one to use.
3. Use Linux sbf_flash or RSD Lite from Windows to install it.
4. fastboot oem unlock
5. Copy the code fastboot spits out.
6. fastboot oem unlock code
7. fastboot reboot
You will see "unlocked" while booting, and when you get into Android you will have ~300MB of RAM. This will need to be fixed. Also, you will lose all your data during the process, do a backup first.

Q. What is fastboot/moto-fastboot?
A. It's a program to access the phone and do stuff, write phone partition images mostly. The stock one can only handle tiny system images, pretty useless for the Atrix; xda member eval- compiled the Motorola version for us that can handle larger system images, do a search for moto-fastboot.
Ex. moto-fastboot flash recovery recovery.img

Q. How do I fix the RAM problem?
A. I did up a CWM recovery zip to update the boot and recovery partitions to contain a kernel command line with the missing bit "[email protected]" added. See here.
There are other means of doing this; some boot images come prepackaged with the command line already embedded. There are ATT compiled kernels with a patch inside the kernel itself to do the same thing. You can search for those when you are ready to try things like custom ATT kernels on your phone.

Q. How do I root the phone?
A. If you are unlocked and you have fastboot flashed a version of CWM recovery, it is trivial. By that I mean almost impossible for newbies to figure out.
It would go something like this:
1. Boot into CWM recovery.
2. Use adb shell.
3. adb push a su binary to the phone.
4. Mount system as read-write at /system.
5. Copy the su binary to /system/bin.
6. Make sure it has the right permissions: 06755 mode, user root, group root.
7. umount -l /system
8. When in Android, look on the market for Superuser.apk, install.
Every rooting method out there is all about putting su into /system/bin with 06755 permissions; most don't work anymore since Gingerbread. If you are looking for a simple, no-brain-involved solution, you are likely to get something working and also something else you didn't want, like a replaced preinstall partition or an installed busybox with different functionality for some important system commands. (Busybox may be more up to date even, but if it doesn't do what is expected of the older version, it's still not good.)
Another way would be to create a CWM zip that simply puts the Linux su binary in system with the correct permissions. Some info about creating your own can be found here. Doing this is more involved than just doing it manually, but it would be good practice for getting into creating CWM updates.
Here is a link to an exploit someone did up to root the phone when running GB. Haven't tested it, and with an unlocked phone it is totally redundant, but it's nice that someone found yet another security hole in the OS; it seems similar in result to psneuter, so be sure to reboot the phone to fix the exploited system.
Seriously, if you are going to be reading or posting in the development section of xda for an Android phone, take the 5 minutes to become familiar with adb and a few Linux shell commands; it will save you hours of confusion and aggravation. If you fly blind trying things on your phone without understanding what you are doing you are eventually going to get into a place you can't get out of and need a new phone, or REALLY have to struggle to understand things. You were warned.

Q. How do I get back to stock?
A. You can't, unless you have a backup of all your phone partitions and can update your radio and bootloader to be stock. Once you unlock your phone, it is recorded that you did so by blowing a physical fuse on the phone. This cannot be restored; you will need a new phone.
What does stock mean to you? When I bought my phone it had a certain radio, the bootloader couldn't be unlocked, the Android system files had certain versions, etc. Beyond the Android system there are 18 partitions that I know of on the phone; most phones do with 5-6. Every OTA update or sbf file takes the normal files and changes them to something else; non-Android partitions get modified or replaced.
I have some solutions for getting close to stock, do a search for Gobstopper. There is one for Bell 2.2.2 and Bell 2.3.4, use one or the other. These attempt a full back-to-stock operation; that means the radio and bootloader will be stock, recovery will be stock as well. (All the partitions that are on the phone are written over with the ones that were on my phone when I bought it, with the exception of partitions 3 (pds), 15 (cache), 16 (data), and 18 (userdata or internal memory); factory reset clears cache and data, you don't want pds touched or internal memory.) "Unlocked" will no longer be displayed when you boot and you will no longer have CWM recovery installed. You will need to install the unlocked bootloader again and fastboot flash recovery again if stock is not what you wanted. (Your pds partition is not involved in this operation, so if you made changes to it, either directly or indirectly via an sbf, this will not restore it; your pds partition contains individual phone information.)
More about the sbf format here.

Q. What does the pds partition taste like?
A. It's not really fit to eat. Now you know.
It is mmcblk0p3, a partition on your phone; it is mounted as /pds when Android boots and contains a bunch of folders and files that nobody really understands fully but Motorola. Having a look at some of the files you will see things like your network physical address, Bluetooth physical address. You will find threads where the display is all arsed up, CPU running at half speed, touch screen not working right, etc., all due to something going wrong with /pds. It is best to back it up and not mess with it. Restore it in an emergency. Maybe one day everything in there will be figured out, take a stab at it yourself.
See this thread by edgan for how to back up your pds partition.
See this thread by KeRmiT80 about attempting to fix your pds partition. Good motivation to see the previous link.

Q. I lost network data access after flashing X.
A. Check your APN list; if it's not a Bell firmware you are using, it probably doesn't have Bell's APN list. Scratch that, you don't know what that is or how to check it.
It stands for Access Point Name and a big list of them is stored on your phone in one big file (/system/etc/apns-conf.xml); each firmware has its own version of it. Your phone will get two numbers from your carrier's phone network to do a lookup in this list to figure out what configuration to use. So say it gets mcc 302, mnc 610; it will check the phone and look up 302, 610 in the file and read what it says there and use that config to try to connect. Now, another thing is that the phone knows what the home network is by these two numbers, embedded somewhere in the system. A foreign, non-Bell carrier won't have Bell's numbers in there so your phone will think it's roaming. If you have roaming disabled, guess what, no data connection. Your carrier should be smart enough not to charge you for roaming, never had a problem with that, but you never know.
Here are the APN settings you can enter manually for your phone, see Bell's support link.

Q. How do I get webtop over HDMI to work?
A. There are several threads on getting this to work on ATT phones and others; they are specific to the firmware being run on the phone. They involve copying two deodexed files to your system/app folder and replacing the ones already there. You will also need to clear your dalvik cache to get the new code recognized. They are DockService.apk and PortalApp.apk. If you are not deodexed then you also have to remove the .odex files for both.
Here is one thread for Gingerbread; in the zip there is one for ORFR that will get you to viewing the webtop on Bell GB, but applications don't load.
Here is another thread for Froyo that works, see the Bell specific bit in the OP. This does not work from Bell Gingerbread.
To be continued...
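An added example, not from the FAQ: the dd backup the FAQ recommends for pds, wrapped so the copy is checked before anyone relies on it. A raw dd gives no feedback if /sdcard fills up or a read fails part way, so the helper compares checksums of both sides and writes a .sha256 file you can re-check after copying the backup off the phone. Both arguments are plain paths (an assumption made here), so it runs against a scratch file as well as against /dev/block/mmcblk0p3.

```shell
#!/bin/sh
# Added example, not from the FAQ: copy a partition with dd the way the FAQ
# suggests for pds (mmcblk0p3), then prove the copy is good before relying on
# it. Both arguments are paths, so it works on a scratch file as well as on
# /dev/block/mmcblk0p3 (reading a block device needs root on the phone).
# dd, sha256sum, cut, basename and dirname come from busybox or coreutils.

sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# backup_partition SRC DEST: dd SRC to DEST, refuse to overwrite an existing
# backup, compare checksums of both sides and write DEST.sha256 for later
# checks. Prints the checksum on success.
backup_partition() {
    src="$1"; dest="$2"
    if [ ! -r "$src" ]; then
        echo "cannot read $src (need root for block devices)" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "$dest exists, refusing to overwrite an earlier backup" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")" || return 1
    # conv=noerror is deliberately NOT used: a read error must fail loudly,
    # a silently zero-filled backup of pds is worse than none at all
    dd if="$src" of="$dest" bs=4096 2>/dev/null || return 1
    src_sum=$(sha256_of "$src")
    dst_sum=$(sha256_of "$dest")
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "checksum mismatch, backup is incomplete (sdcard full?)" >&2
        return 1
    fi
    # same "<hash>  <file>" layout sha256sum -c expects
    printf '%s  %s\n' "$dst_sum" "$(basename "$dest")" > "$dest.sha256"
    echo "$dst_sum"
}

# verify_backup DEST: re-check a backup against its stored checksum, e.g. after
# copying it to the computer and before restoring it in an emergency.
verify_backup() {
    dest="$1"
    if [ ! -f "$dest.sha256" ]; then
        echo "no checksum file for $dest" >&2
        return 1
    fi
    [ "$(sha256_of "$dest")" = "$(cut -d' ' -f1 "$dest.sha256")" ]
}
```

On the phone: `backup_partition /dev/block/mmcblk0p3 /sdcard/backup/mmcblk0p3` from adb shell as root, then `verify_backup` on the copy after it has been pulled to the computer.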
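A second added example, not from the FAQ, for the APN lookup described above: given the mcc/mnc pair the network hands the phone, pull the matching entries out of an apns-conf.xml and apply the home-network rule. The sample file is constructed here with placeholder APN values (bell.example and similar), not Bell's real settings; on the phone the file to point it at is /system/etc/apns-conf.xml.

```shell
#!/bin/sh
# Added example, not from the FAQ: find the APN entries the phone would pick
# for a given mcc/mnc pair in an apns-conf.xml, and apply the FAQ's roaming
# rule. The sample file written by write_sample_apns is constructed for this
# example; the APN strings in it are placeholders, not real carrier settings.

# lookup_apn MCC MNC FILE: print one "carrier|apn|type" line per matching entry
lookup_apn() {
    mcc="$1"; mnc="$2"; file="$3"
    # the shipped file keeps one <apn .../> element per line, so a line-wise
    # grep is enough; attributes appear in the order carrier, mcc, mnc, apn, type
    grep '<apn ' "$file" | grep "mcc=\"$mcc\"" | grep "mnc=\"$mnc\"" |
    sed -n 's/.*carrier="\([^"]*\)".*apn="\([^"]*\)".*type="\([^"]*\)".*/\1|\2|\3/p'
}

# is_home_network MCC MNC HOME_MCC HOME_MNC: a mismatch means the phone treats
# the network as foreign (roaming), which with roaming disabled means no data
is_home_network() {
    [ "$1" = "$3" ] && [ "$2" = "$4" ]
}

# write_sample_apns FILE: constructed stand-in for /system/etc/apns-conf.xml
write_sample_apns() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<apns version="7">
  <apn carrier="Bell Internet" mcc="302" mnc="610" apn="bell.example" type="default,supl" />
  <apn carrier="Bell MMS" mcc="302" mnc="610" apn="bell.example" mmsc="http://mms.example/mms" type="mms" />
  <apn carrier="Other Carrier" mcc="302" mnc="720" apn="other.example" type="default" />
</apns>
EOF
}
```

`lookup_apn 302 610 /system/etc/apns-conf.xml` on the phone (from adb shell) shows at a glance whether the firmware you flashed carries Bell entries at all.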
Hoping the Mods sticky this
A link should be attached to the wiki as well. I will try to when I get home if it isn't done already.
shouldn't this be in general? or q&a?
Magnetox said:
shouldn't this be in general? or q&a?
Probably both. Most things referenced are in development.
Cheers!
Sent from my MB860 using xda premium
y2whisper said:
Hoping the Mods sticky this
A link should be attached to the wiki as well. I will try to when I get home if it isn't done already.
+1 this should be a sticky on either or both general or development...
cheers for this...this thread is going to help me with my youtube viewers BIG TIME!!
Very nice!
Keep it up NFHimself!
NFHimself said:
This is my attempt at a Bell FAQ, it is a work in progress.
Q. How do I root the phone?
A. If you are unlocked and you have fastboot flashed a version of CWM recovery, it is trivial. By that I mean almost impossible for newbies to figure out.
It would go something like this:
1. Boot into CWM recovery.
2. Use adb shell.
3. adb push a su binary to the phone.
4. Mount system as read-write at /system.
5. Copy the su binary to /system/bin.
6. Make sure it has the right permissions: 06755 mode, user root, group root.
7. umount -l /system
8. When in Android, look on the market for Superuser.apk, install.
Every rooting method out there is all about putting su into /system/bin with 06755 permissions; most don't work anymore since Gingerbread. If you are looking for a simple, no-brain-involved solution, you are likely to get something working and also something else you didn't want, like a replaced preinstall partition or an installed busybox with different functionality for some important system commands. (Busybox may be more up to date even, but if it doesn't do what is expected of the older version, it's still not good.)
To be continued...
I used this method to root the stock Bell Gingerbread ROM. Works on an Atrix too. It's a quick download and easy for those people who may not be comfortable with the adb command line.
http://www.psouza4.com/Bionic/
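Step 6 of the FAQ quoted above (mode 06755, owner root, group root) is the step that most often goes wrong by hand, and a wrong mode is also exactly what the later posts in this thread describe as the failure case. The following POSIX sh script is an added example, not part of NFHimself's FAQ or of the psouza4 package; the function names and the path argument are my own. Run it over adb shell against the installed binary, or against a copy of the binary on the PC, to confirm the bits before rebooting.

```shell
#!/bin/sh
# Added example: verify an su binary is installed the way the FAQ steps describe:
# mode 06755 (setuid + setgid, rwxr-xr-x) and ownership root:root (uid 0, gid 0).
# The file path is passed as an argument; nothing here is specific to one device.

expected_mode="6755"

# su_mode FILE -> prints the octal permission bits including setuid/setgid, e.g. 6755
su_mode() {
    stat -c '%a' "$1"
}

# su_owner FILE -> prints numeric "uid:gid" of the file
su_owner() {
    stat -c '%u:%g' "$1"
}

# check_su FILE -> returns 0 when mode and ownership match the FAQ's step 6,
# otherwise prints each mismatch and returns 1.
check_su() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    rc=0
    mode=$(su_mode "$f")
    if [ "$mode" != "$expected_mode" ]; then
        echo "wrong mode $mode on $f (want $expected_mode)"
        rc=1
    fi
    owner=$(su_owner "$f")
    if [ "$owner" != "0:0" ]; then
        echo "wrong owner $owner on $f (want 0:0, root:root)"
        rc=1
    fi
    return $rc
}

# Usage from the PC once the binary is in place:
#   adb push check_su.sh /sdcard/ && adb shell sh /sdcard/check_su.sh /system/bin/su
if [ $# -gt 0 ]; then
    check_su "$1"
fi
```

The ownership check uses numeric ids rather than names because `stat -c '%U'` depends on the passwd database, which is not present in the same form on Android.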
thx
useful for newbies
but can you put some more details about returning to stock and explain the pds partition in details plz?
papakilo10 said:
I used this method to root the stock Bell Gingerbread ROM. Works on an Atrix too. It's a quick download and easy for those people who may not be comfortable with the adb command line.
http://www.psouza4.com/Bionic/
Had a look at the script in that one, should be fine, doesn't install a busybox or anything like that. I don't care for Superuser.apk in /system/app myself, but it won't harm anything having it there.
Cheers!
ytwytw said:
thx
useful for newbies
but can you put some more details about returning to stock and explain the pds partition in details plz?
I added a few things, anything in particular you wanted?
I am trying to avoid step by step tutorials or spoon feeding everything, so people who are lazy/careless will have to attempt to think for themselves. It just leads to more questions, more laziness, and bricked phones, and I don't have the time these days.
Cheers!

S-off with Firewater

Another S-Off script that was sent to me by coremark. Successfully s-off my device and supercid.
http://firewater-soff.com/
Thanks to @coremark.
After gaining S-off on a fully stock device using Firewater + temproot, what is the easiest method for permanent rooting?
Since due to S-off full access is granted to all partitions, is it possible to install the su binary and superuser / superSu apk to the /system partition without flashing a custom recovery? For example by using "adb push" or a root file manager?
Where can I get a su binary? Should I extract it from superSu / superuser recovery ZIP package?
Could anyone walk me through the steps?
edorner said:
After gaining S-off on a fully stock device using Firewater + temproot, what is the easiest method for permanent rooting?
Since due to S-off full access is granted to all partitions, is it possible to install the su binary and superuser / superSu apk to the /system partition without flashing a custom recovery? For example by using "adb push" or a root file manager?
Where can I get a su binary? Should I extract it from superSu / superuser recovery ZIP package?
Could anyone walk me through the steps?
I'm afraid you'll need a custom recovery for this. The /system write protection is implemented in kernel (the kernel doesn't sync changes to the actual block device and keeps them in RAM) and S-OFF is completely orthogonal to this. To work around it, you'd need a custom kernel (which is not feasible at the moment since HTC haven't released the full source tree yet, unfortunately) or the wp-mod hack (which I would be afraid of using, to be honest).
Also, why avoid custom recovery when you're already S-OFF and you can flash the stock recovery anytime?
koniiiik said:
The /system write protection is implemented in kernel (the kernel doesn't sync changes to the actual block device and keeps them in RAM) and S-OFF is completely orthogonal to this.
You are right, that makes sense.
But then how is this possible (if it is at all)? -> http://forum.xda-developers.com/showthread.php?t=2339056
(Pls check out the 2nd post from member "Indirect".)
AFAIK the One has the exact same kind of /system write protection as the 901s. Doesn't it?
Just out of curiosity, why would you be afraid to use wp-mod? Unknown / unpublished source? Bad feedback from users?
edorner said:
You are right, that makes sense.
But then how is this possible (if it is at all)? -> http://forum.xda-developers.com/showthread.php?t=2339056
(Pls check out the 2nd post from member "Indirect".)
AFAIK the One has the exact same kind of /system write protection as the 901s. Doesn't it?
To be honest, no idea. All I do know is that on my phone the write protection works the way it does and I don't really see a feasible way around it. Also, I haven't tried these exact steps. It's possible that adb remount does some extra work or something. Moreover, I'm not sure about the adb shell chmod ... command – that would require root, wouldn't it? But since I haven't tried it, I can only guess.
If you don't mind trying it, I'd be interested in the results.
edorner said:
Just out of curiosity, why would you be afraid to use wp-mod? Unknown / unpublished source? Bad feedback from users?
The way I understand wp_mod works is that it monkey-patches the running kernel's filesystem driver to skip the check for the /system partition. In other words, it rewrites the code of the running kernel in-memory. This by itself is reason enough to be extremely careful around such code as it has potential for a major disaster. Missing the right memory location by any nonzero number of bytes can result in the kernel doing practically anything (most likely a crash).
Now, to make matters worse, there seem to be only a few binary versions of the kernel module and people seem to just take a binary compiled for one kernel, modify the version information within the file to make it match other kernels and load it on a completely different kernel. This, to me, is borderline insane, considering that the kernel binaries depend on the version of the kernel, the compiler used and even the compiler flags used when building.
Again, though, I haven't actually looked at the module's source code; can't say I'm suffering from a surplus of free time and I'm also not *that* interested in it. Most likely it's written in a robust enough way to have a high chance of success. (This seems to be backed up by anecdotal evidence – the thing appears to work for people, which is a small wonder for me.) All of the above is actually just my interpretation of stuff I read in some threads here on XDA-developers and I haven't even tried to confirm it myself.
Still, for me, using the recovery for any such changes is a sufficient and acceptable workaround, since I don't need to modify /system that often.
Wow! Thanks for the exhaustive explanation about WP-mod!
If you don't mind trying it, I'd be interested in the results.
Well I am also a bit skeptical about this solution. So I am not sure I will be brave enough to try it
But if I do decide to give it a try, I will post the results here, I promise.
edorner said:
Well I am also a bit skeptical about this solution. So I am not sure I will be brave enough to try it
But if I do decide to give it a try, I will post the results here, I promise.
As far as @Indirect's post goes, that should be risk-free – either it does work, or it doesn't do anything. I don't see how it could harm your phone. Worst case, you end up with a /system/xbin/su binary that doesn't work due to wrong privileges (or owner information), in which case you should be able to just remove it and start over.
koniiiik said:
As far as @Indirect's post goes, that should be risk-free – either it does work, or it doesn't do anything. I don't see how it could harm your phone. Worst case, you end up with a /system/xbin/su binary that doesn't work due to wrong privileges (or owner information), in which case you should be able to just remove it and start over.
Ah, I see. In that case I will definitely try it!
Truth is I am still an Android noob, I used ADB maybe on two occasions so far, and did not have the time yet to properly check out the documentation for these particular commands.
One more question:
If I understand correctly, Firewater (when used together with the temproot) will also unlock your bootloader. Do you think the apps in /data/preload will be deleted in this case too? (I.e. does it do a factory wipe like the unlock process via HTCDev?)
If so, how do I restore the apps? Do I simply copy the APKs back to /data/preload with a root file manager, and that's it?
IIRC Helium backup is not really perfect for the purpose, because it is unable to restore those apps to /data/preload, and puts them to the standard app path. Is this what you remember, too?
edorner said:
One more question:
If I understand correctly, Firewater (when used together with the temproot) will also unlock your bootloader. Do you think the apps in /data/preload will be deleted in this case too? (I.e. does it do a factory wipe like the unlock process via HTCDev?)
If so, how do I restore the apps? Do I simply copy the APKs back to /data/preload with a root file manager, and that's it?
IIRC Helium backup is not really perfect for the purpose, because it is unable to restore those apps to /data/preload, and puts them to the standard app path. Is this what you remember, too?
No idea, I haven't used firewater, but my guess would be that it won't wipe anything…
As for backing up /data/preload, you can for example use temproot to get access to the directory, copy it somewhere on your sdcard and adb pull it. In case it gets wiped, you can just push it back again and voilà. It's going to require some shell-fu, however.
Alternately, you can just download my ZIP of the latest stock ROM and extract it, it contains the latest /data/preload.
And yes, just copying the APK files into /data/preload should suffice – Dalvik and its package manager is intelligent enough to detect something has changed in there and perform any installation steps necessary. If it doesn't work right away, a reboot should fix things.
Edorner. It won't wipe. I tried it already.
Sent from my GT-I9305 using XDA Premium 4 mobile app
koniiiik said:
As far as @Indirect's post goes, that should be risk-free – either it does work, or it doesn't do anything. I don't see how it could harm your phone. Worst case, you end up with a /system/xbin/su binary that doesn't work due to wrong privileges (or owner information), in which case you should be able to just remove it and start over.
So, as promised, I tried the "adb remount" command on my device and it did not work.
Code:
adb remount
remount failed: Operation not permitted
However "mount -o remount,rw -t ext4 /dev/block/mmcblk0p38 /system" in a root shell (acquired by temproot) worked like a charm. And the modifications to /system performed afterwards turned out to be permanent. So in the end I was able to gain root without using a custom recovery.
Based on my experiences, I created a guide which summarizes all the steps necessary to S-OFF and root a completely stock device without using HTCDev unlock and custom recoveries.
I investigated a bit as to why "adb remount" would not work, and found two interesting topics on XDA about the issue:
[2013.05.24][ROOT] adbd Insecure v1.30
Can't get ADB Root Access in certain ROMs?
In short, "adb remount" is only available if the ADB daemon is run in "insecure" mode in a particular ROM. And unfortunately our stock ROMs seem to use secure ADB.
edorner said:
So, as promised, I tried the "adb remount" command on my device and it did not work.
Code:
adb remount
remount failed: Operation not permitted
However "mount -o remount,rw -t ext4 /dev/block/mmcblk0p38 /system" in a root shell (acquired by temproot) worked like a charm. And the modifications to /system performed afterwards turned out to be permanent. So in the end I was able to gain root without using a custom recovery.
Based on my experiences, I created a guide which summarizes all the steps necessary to S-OFF and root a completely stock device without using HTCDev unlock and custom recoveries.
I investigated a bit as to why "adb remount" would not work, and found two interesting topics on XDA about the issue:
[2013.05.24][ROOT] adbd Insecure v1.30
Can't get ADB Root Access in certain ROMs?
In short, "adb remount" is only available if the ADB daemon is run in "insecure" mode in a particular ROM. And unfortunately our stock ROMs seem to use secure ADB.
Fantastic guide, I just read it and wow.
Also, good to know that particular procedure disables the write protection. I'll have to investigate this sometime, because just now I tried and found out that on my device, the changes to /system are rolled back as soon as I remount /system read-only again. Maybe if I left it read-write all the time, they would persist as well...? I'll have a closer look at this later.
koniiiik said:
Fantastic guide, I just read it and wow.
Also, good to know that particular procedure disables the write protection. I'll have to investigate this sometime, because just now I tried and found out that on my device, the changes to /system are rolled back as soon as I remount /system read-only again. Maybe if I left it read-write all the time, they would persist as well...? I'll have a closer look at this later.
Thanks
Hm... Strange...
Instead of manually remounting /system as "ro", I simply rebooted the device. (What can I say, I am hopelessly lazy.) After the reboot I checked the permissions of /system by issuing the "mount" command without any parameters. It showed that it was remounted using the original settings:
Code:
/dev/block/mmcblk0p38 /system ext4 ro,noatime,data=ordered 0 0
So in theory, rebooting instead of manually remounting as "ro" should not make any difference. But who knows
After the reboot, I checked the changes I made to /system previously, and fortunately they did not disappear. (su was still there, I could successfully copy it, and execute it.)
Since then, I've performed a couple more reboots and at least one full shutdown-startup cycle as well. And I still have not lost any changes.
Please let me know if you find something out! I am very interested.

[WIP] 1 Click Partition Back-Up v0.1

YOU MUST HAVE ROOT ACCESS TO PROCEED
THIS WILL NOT WORK IF YOU DON'T HAVE ROOT
A MINIMUM TEMPORARY SPACE OF 400MB ON YOUR INTERNAL STORAGE IS REQUIRED FOR THIS BACKUP PROCEDURE
THIS PROGRAM IS FOR PARTITION BACKUP PURPOSES AND NOTHING ELSE
Hello everyone,
After trial and error, and lots more errors, I finally got this puppy working. It backs up 19 partitions from your device. I don't know if the A2017 (Chinese variant) has the same partition table, but as far as I know and have seen, the A2017U and A2017G do have the same partition table, which is awesome for any ROM developer or any dev to work on things.
Steps:
1- Download the zip file from here 1CLick_Partition_Backup_v0.1
2- Decompress anywhere you want (I prefer the root of drive C: )
3- Make sure you have enabled USB Debugging
4- Plug in your device
5- Double click 1click_PartitionBackup_by_DrakenFX.exe and watch the program run
6- When done, your partition backup will be in your C:/a2017u_partitions_backup folder
7- DONE
This is just the beginning; I may be adding more options like single backup or group backup.
NOTE 01 : I didn't add the system partition backup for the sole reason of it being a huge file (6 GB at least). I can add system in a future update as a separate option.
NOTE 02 : I'm not savvy when it comes to dev, but if I can do something that helps others do things a little easier, I'll be around.
Reserve 01
Reserve 02
Do we have any way to restore these backups after?
XblackdemonX said:
Do we have any way to restore these backups after?
There is a way using a flashable zip via TWRP, but I'll look into something else... I'm new to all this so still learning. Fastboot is another way, but I'll look into it.
I had to disable windows defender in order to download this. It kept flagging it as malware. Just a heads up.
CandyFoxJ said:
I had to disable windows defender in order to download this. It kept flagging it as malware. Just a heads up.
Really? I assure you there's no malware or anything malicious in this file.... I have downloaded it and my Windows doesn't detect anything. (Win10 Latest Update)
I've seen it throw false positives before, I'm not worried about it. Probably the packer used in your app. This is what it picked up.
Since this is XDA after all, you should probably either post your source and/or release it as a script/command list. It's not really security friendly to release a .exe that runs root commands. It could probably be run all as a batch command.
CandyFoxJ said:
I've seen it throw false positives before, I'm not worried about it. Probably the packer used in your app. This is what it picked up.
Could be because of the commands it runs?
the zip file contains the following...
-adb.exe
-adbWinApi.dll
-adbWinUsbApi.dll
-1click_PartitionBackup_by_DrakenFX.exe
The adb files are needed just in case the user doesn't have adb installed; these 3 files will do the job. Why it sees it as malware I really don't know, but for the commands, it has to pull the partitions out of the device.
DrakenFX said:
YOU MUST HAVE ROOT ACCESS TO PROCEED
THIS WILL NOT WORK IF YOU DON'T HAVE ROOT
A MINIMUM TEMPORARY SPACE OF 400MB ON YOUR INTERNAL STORAGE IS REQUIRED FOR THIS BACKUP PROCEDURE
THIS PROGRAM IS FOR PARTITION BACKUP PURPOSES AND NOTHING ELSE
Hello everyone,
After trial and error, and lots more errors, I finally got this puppy working. It backs up 19 partitions from your device. I don't know if the A2017 (Chinese variant) has the same partition table, but as far as I know and have seen, the A2017U and A2017G do have the same partition table, which is awesome for any ROM developer or any dev to work on things.
Steps:
1- Download the zip file from here 1CLick_Partition_Backup_v0.1
2- Decompress anywhere you want (I prefer the root of drive C: )
3- Make sure you have enabled USB Debugging
4- Plug in your device
5- Double click 1click_PartitionBackup_by_DrakenFX.exe and watch the program run
6- When done, your partition backup will be in your C:/a2017u_partitions_backup folder
7- DONE
This is just the beginning; I may be adding more options like single backup or group backup.
NOTE 01 : I didn't add the system partition backup for the sole reason of it being a huge file (6 GB at least). I can add system in a future update as a separate option.
NOTE 02 : I'm not savvy when it comes to dev, but if I can do something that helps others do things a little easier, I'll be around.
OMG!
This is nice!
But I'm running linux!
Could you make the script universal, please?
Or I could write one myself...
manu7irl said:
OMG!
This is nice!
But I'm running linux!
Could you make the script universal, please?
Or I could write one myself...
If I only knew how to do this in Java (universal) I'd do it in a flash, but I have no clue.... I'm creating a new file and maybe I'll do it as a .bat (you can look it up if I release it this way) with some choices, probably adding more partitions if I have missed any, plus a separate choice for the system dump (it is way too big of a file).
P.S. if you know java PM
DrakenFX said:
If I only knew how to do this in Java (universal) I'd do it in a flash, but I have no clue.... I'm creating a new file and maybe I'll do it as a .bat (you can look it up if I release it this way) with some choices, probably adding more partitions if I have missed any, plus a separate choice for the system dump (it is way too big of a file).
P.S. if you know java PM
Bat file is good for me...
You can check the partition list under
Code:
ls -al /dev/block/....
manu7irl said:
Bat file is good for me...
You can check the partition list under
Code:
ls -al /dev/block/....
Yeah, I have the partition table by-name, I just don't see the need to add every single one, only the necessary ones (modem, Bluetooth, aboot, a few more), and I'll add system in the next release.....
DrakenFX said:
There is a way using flashable zip via TWRP, but I'll look into for something else... I'm new to all this so still learning , fastboot is another way but I'll look into it
You could fire up TWRP or any terminal app.
In TWRP mode:
Just connect your device to your PC with adb installed.
Push the partition image you want to flash to the /sdcard/ folder.
Code:
adb push [IMAGE.IMG] /sdcard/
then do:
From your PC, run first:
Code:
adb shell
Then do,
Code:
su
dd if=/sdcard/[IMAGE.IMG] of=/dev/block/bootdevice/by-name/[NAME OF IMAGE]
Example:
Code:
dd if=/sdcard/modem.bin of=/dev/block/bootdevice/by-name/modem
This will overwrite the chosen partition as dd works at a very low command level.
Do not try to flash recovery, boot or aboot through this if you are on a locked bootloader. This will brick your device.
Do not try this at home if you don't know what you are doing, you may kill your neighbor's dog or worse the cat.
I made a script to back up any partition on our A7:
YOU HAVE TO BE ROOT TO USE IT.
To run it, simply push it to the sdcard and fire up adb shell to launch the script.
From the computer, while connected to the A7 with USB debugging turned on:
Code:
adb push PATH_to_the_script/full-backup.sh /sdcard
and
Code:
adb shell
su
cd /sdcard/
sh full-backup.sh
you will see a menu to choose which partition to backup.
As in the attachment.
enjoy, and please hit the thanks button.
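The two posts above describe the same dd-based backup and restore flow but leave out the step that protects you from the brick scenario warned about earlier: checking that the image you are about to write back is actually the one you dumped. The script below is an added example, not manu7irl's full-backup.sh nor DrakenFX's tool; the function names, the BLOCK_DIR and OUT_DIR variables and the SHA256SUMS manifest are my own choices. It assumes a root shell on the device (for the real block nodes under /dev/block/bootdevice/by-name, as used in the posts) and the dd, sha256sum and sync commands that toybox provides. Each dump is recorded with its SHA-256, a restore refuses an image that no longer matches, and boot, recovery and aboot are only written when you explicitly pass "unlocked", mirroring the locked-bootloader warning above.

```shell
#!/bin/sh
# Added example: partition backup with a checksum manifest and a guarded restore.
# BLOCK_DIR / OUT_DIR are assumptions; override them in the environment if needed.
BLOCK_DIR="${BLOCK_DIR:-/dev/block/bootdevice/by-name}"
OUT_DIR="${OUT_DIR:-/sdcard/partition_backup}"
MANIFEST_NAME="SHA256SUMS"
# Partitions the thread warns never to flash on a locked bootloader.
PROTECTED="boot recovery aboot"

# sha256_of FILE -> prints the hex digest only
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# backup_partition NAME -> dd BLOCK_DIR/NAME to OUT_DIR/NAME.img and record
# "<sha256>  NAME.img" in the manifest (replacing an older entry). 0 on success.
backup_partition() {
    name="$1"; src="$BLOCK_DIR/$name"; img="$OUT_DIR/$name.img"
    manifest="$OUT_DIR/$MANIFEST_NAME"
    if [ ! -e "$src" ]; then
        echo "no such partition: $name" >&2
        return 1
    fi
    mkdir -p "$OUT_DIR"
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 1
    sync
    sum=$(sha256_of "$img")
    if [ -f "$manifest" ]; then
        grep -v "  $name.img\$" "$manifest" > "$manifest.tmp" || true
        mv "$manifest.tmp" "$manifest"
    fi
    echo "$sum  $name.img" >> "$manifest"
}

# verify_image NAME -> 0 only if OUT_DIR/NAME.img matches its manifest entry
verify_image() {
    name="$1"; img="$OUT_DIR/$name.img"; manifest="$OUT_DIR/$MANIFEST_NAME"
    want=$(grep "  $name.img\$" "$manifest" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$want" ] || [ ! -f "$img" ]; then
        echo "no manifest entry or image for $name" >&2
        return 1
    fi
    [ "$(sha256_of "$img")" = "$want" ]
}

# restore_partition NAME [unlocked] -> write the verified image back with dd.
# Refuses the protected partitions unless the second argument is "unlocked".
restore_partition() {
    name="$1"; img="$OUT_DIR/$name.img"; dst="$BLOCK_DIR/$name"
    case " $PROTECTED " in
        *" $name "*)
            if [ "$2" != "unlocked" ]; then
                echo "refusing to flash $name: bootloader not confirmed unlocked" >&2
                return 2
            fi ;;
    esac
    if ! verify_image "$name"; then
        echo "image for $name fails checksum; not flashing" >&2
        return 1
    fi
    [ -e "$dst" ] || return 1
    dd if="$img" of="$dst" bs=1048576 2>/dev/null && sync
}

# Usage on the device (root shell):  sh partbak.sh backup modem
#                                    sh partbak.sh restore modem
case "$1" in
    backup)  backup_partition "$2" ;;
    restore) restore_partition "$2" "$3" ;;
esac
```

After `adb pull`-ing the backup folder, the same manifest lets you check the copy on the PC with `sha256sum -c SHA256SUMS` from inside that folder, so a truncated pull is caught before you ever need the images.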