HTC Vision // Desire Z Temporary Rooting
1. Download this package: MegaUpload
2. Copy the content of the package in a folder called "temproot" in your SDCard root.
3. Execute this script:
Code:
#!/system/bin/sh
cp -R /mnt/sdcard/temproot/* /data/local/tmp/
cd /data/local/tmp/
chmod 755 *
./rageagainstthecage-arm5.bin
ps
4. Restart Terminal Emulator
5. Execute this script:
Code:
#!/system/bin/sh
/data/local/tmp/busybox killall rageagainstthecage-arm5.bin
mount -o rw,remount -t ext3 /dev/block/mmcblk0p25 /system
/data/local/tmp/busybox cp /sdcard/temproot/Superuser.apk /system/app/Superuser.apk
/data/local/tmp/busybox cp /sdcard/temproot/su /system/bin/su
/data/local/tmp/busybox cp /sdcard/temproot/busybox /system/bin/busybox
chmod 4755 /system/bin/su
chmod 4755 /system/bin/busybox
mount -o ro,remount -t ext3 /dev/block/mmcblk0p25 /system
Now your phone is temporairily rooted and you can even get root on adb.
Thanks to:
*- C-Skills for the exploit
*- Guys in G2 section for testing it.
Sweet
but what do we do to get full root access?
There is no full root yet for either this device or g2. You will see that later
M9x3mos said:
There is no full root yet for either this device or g2. You will see that later
Click to expand...
Click to collapse
excited
wonder if the "z" and G2 can use the same Recovery image and Roms..or wil it be like htc magic and My touch ?
G2 and Z are the same device.... HTC Vision.
Radio ROMs and BootLoaders should be compatible, we only need someone that can verify, but AFAIK a G2 owner flashed a full Desire Z ROM and worked without problems.
kholk said:
G2 and Z are the same device.... HTC Vision.
Radio ROMs and BootLoaders should be compatible, we only need someone that can verify, but AFAIK a G2 owner flashed a full Desire Z ROM and worked without problems.
Click to expand...
Click to collapse
any idea if the G2 is a test unit or retail unit? i want senseui (sad i know, but im a sucker for nice graphic)
Correction. The Desire Z rom currently be flashed to G2 but the PC10IMG.zip original G2 rom does work on the Desire Z
I try using this but My G2 didn't work, I got stock here at this step:
"#!/system/bin/sh
cp -R /mnt/sdcard/temproot/* /data/local/tmp/"
Anyone try overclocking it yet?
waiting89 said:
I try using this but My G2 didn't work, I got stock here at this step:
"#!/system/bin/sh
cp -R /mnt/sdcard/temproot/* /data/local/tmp/"
Click to expand...
Click to collapse
Are there any errors?
Please provide more details, it's only a file copy...
kholk said:
Are there any errors?
Please provide more details, it's only a file copy...
Click to expand...
Click to collapse
Link is down kind sir. I found this one Droid2Root.rar from another forum.
waiting89 said:
I try using this but My G2 didn't work, I got stock here at this step:
"#!/system/bin/sh
cp -R /mnt/sdcard/temproot/* /data/local/tmp/"
Click to expand...
Click to collapse
It gives you an axxs denied when you try that. says "cp: permission denied." I can't ls inside of /data either.
do changes persist?
If I do this temp root and install busybox or tether, will the changes be wiped out on restart?
"cp: permission denied." Yes this is the error code I get.
"export PATH=/data/local/bin:$PATH
$ $ #! /system/bin/sh
$ cp -R /mnt/sdcard/temproot/* /data/local/tmp/
cp: permission denied
$"
That's exactly what it appears on the terminal.
I read this on androidspin :
If you root your new G2 phone, HTC has embedded a chip that will detect this and return the phone back to its original factory settings. So much for open source!
They can do this?
The file is no longer available. Can someone repost it?
Thanks
Hmm, yep same problem, cp gives me a permission denied, and the folder /data is a system file seems like we don't have any access to it. on the example, seems like there's # instead of $ which means it has admin access, how did you get to that state? sorry android noob here :-\
stian230 said:
I read this on androidspin :
If you root your new G2 phone, HTC has embedded a chip that will detect this and return the phone back to its original factory settings. So much for open source!
They can do this?
Click to expand...
Click to collapse
Actually no, and its covered in many threads, and I'm sure the op doesn't want the discussion started again.
There isn't any chip that will magically transform your HTC Vision in an airplane / automobile / house / cigarette industry.
script?
Could somebody help with packaging this as a script so we could re-root simply?
Related
first time posting to these forums and would like to contribute my findings i was able to gain root on the uscc htc desire in adb using some other guides for the evo 4g unlock. but now i need some help on how to get the modified su in the right place to make this work for the apps. these are the steps i used to gain temporary root.
1) installed android sdk to get adb
2) set up the phone in debug mode
3) downloaded the rageagainstthecage-arm5.bin file(attached)
4) ran this from the sdk folder containing adb.exe
Code:
adb.exe push C:/PATH/TO/FILE/rageagainstthecage-arm5.bin /data/local/tmp
adb.exe shell
cd /data/local/tmp
chown 0755 rageagainstthecage-arm5.bin
./rageagainstthecage-arm5.bin
5) adb shell will exit retype adb.exe shell and now you have root
this is as far as i have got so far now i need to know where to put su which i could not find in /system/xbin
also i am new to the android scene so sorry if this is a bad question, but if i were to flash a recovery image of the gsm desire to my cdma would this work to enter adb in recovery mode or would this brick my phone, i didnt know if the recovery affected that or if that was the rom.
I think you need to put su and Superuser.apk on you sdcard (adb push file /sdcard/)
Then
in your su shell prompt
mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system
cat /sdcard/Superuser.apk > /system/app/Superuser.apk
cat /sdcard/su > /system/bin/su
chmod 06755 /system/bin/su
Please let us know if this works.
I hope this works out!
Sent from my USCC HTC Desire using XDA App
i found out that this command doesnt actually make the system directory writeable
Code:
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
and running it a second time causes the device to reboot.
any sugetions to make it writable, im willing to work on this, but like i said i have no experience with android although i am very familiar linux.
You are aware that while booted into Android the /system is not writeable?
You have to boot into recovery mode to do this.
i am now, i tried the method for the incredible but it seems to not run adb on bootup at least after about 15 tries it didn't work, any suggestions? is there a way to flash the recovery without effecting the radio or rom because there isn't any roms for this phone as of yet, or could you point me in the right direction to start my research on how to write a rom? would it be the same as rolling your own linux distro?
also though this to be worth mentioning there seems to be no su file currently on the phone.
i got some time this morning to dig around in the payload-update.zip files for the incredible and was wondering if i could use this to install su because it looks like it doesn't flash anything (atleast looking at the script it looks like it doesn't, i cant say that for the binary file what does that do?) just wondering if there would be any adverse affects by applying this in recovery.
It might be worth talking to AmonRA, or Koush (I believe he works on Clockwork Mod) for a custom recovery. As for installing superuser, you could try the unrevoked team. (unrevoked.com) I wish I knew more in terms of development to help but I hope this leads you in the right direction.
blitz2190 - Here is a link to Superuser.apk and su. Link
I think you need to put su and Superuser.apk on you sdcard (adb push file /sdcard/)
Then
in your su shell prompt
mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system
cat /sdcard/Superuser.apk > /system/app/Superuser.apk
cat /sdcard/su > /system/bin/su
chmod 06755 /system/bin/su
I am very interested to know how this works out. If you need anyone else to help test things let me know. I am not a linux buff, but i can follow commands...
CreepingDeath said:
I am very interested to know how this works out. If you need anyone else to help test things let me know. I am not a linux buff, but i can follow commands...
Click to expand...
Click to collapse
Do you have a USCC Desire?
northmendo said:
Do you have a USCC Desire?
Click to expand...
Click to collapse
Yes I do, and I am willing to help out where I can.
CreepingDeath said:
Yes I do, and I am willing to help out where I can.
Click to expand...
Click to collapse
A couple q's fof you.
Do you have a Mac or PC?
Do you have adb installed?
I will help if I can. I have the phone and a Mac and don't have adb installed.
Sent from my USCC HTC Desire using the XDA App
dhh93 said:
I will help if I can. I have the phone and a Mac and don't have that apply.
Sent from my USCC HTC Desire using the XDA App
Click to expand...
Click to collapse
Cool first install adb. Follow these instructions to install it on Mac.
HERE
Ok doing that right now.
dhh93 said:
Ok doing that right now.
Click to expand...
Click to collapse
Great. I would start by trying the the method from the first post give me about 5 mins and I will post them in a mac friendly format.
Ok will wait on that
I have tried the latest version of Visionary "R14" but it doesn't work, I have also tried Visionary "R3" "R11" "R12" and "13" and they all don't work on my OTA updated T-mobile G2.... either for temp-root or permanent root..I have tried the ADB/Rage/gfree method of rooting and I getting an ERROR on the last part instructions.... ""## mkdir failed for /system/xbin, File exists"
My main question is if anyone could check to see if their version of the Visionary app is the version 7 or r7...if so could you please used titanium backup to send me a copy of the file....
thank you so so much...
Not sure why a specific older version of Visionary would work if the newer (or older) versions would not.
Regarding your error message, is that when you run the command:
/data/local/tmp/root
Click to expand...
Click to collapse
If so you will note that the instructions on the wiki state immediately below that: You may see an error message along the lines of "mkdir: /system/xbin already exists", but if so you can ignore that, the rest of the script should still run ok.
If you boot into the bootloader (press volume down while powering on device) do you have S-OFF? If so you know that the GFREE part at least did work.
sammd301 said:
I have tried the latest version of Visionary "R14" but it doesn't work, I have also tried Visionary "R3" "R11" "R12" and "13" and they all don't work on my OTA updated T-mobile G2.... either for temp-root or permanent root..I have tried the ADB/Rage/gfree method of rooting and I getting an ERROR on the last part instructions.... ""## mkdir failed for /system/xbin, File exists"
My main question is if anyone could check to see if their version of the Visionary app is the version 7 or r7...if so could you please used titanium backup to send me a copy of the file....
thank you so so much...
Click to expand...
Click to collapse
As has been explained in the Development section, be VERY CAREFUL with Visionary as it is known to brick phones.
When I first got my DZ I was eager to Root and uses V14 to obtain root but remember that this is not a 'Real' S-OFF. GFREE is the best and safest method to use. I was a lucky newbie who didn't end up with a brick!
raitchison said:
Not sure why a specific older version of Visionary would work if the newer (or older) versions would not.
Regarding your error message, is that when you run the command:
If so you will note that the instructions on the wiki state immediately below that: You may see an error message along the lines of "mkdir: /system/xbin already exists", but if so you can ignore that, the rest of the script should still run ok.
If you boot into the bootloader (press volume down while powering on device) do you have S-OFF? If so you know that the GFREE part at least did work.
Click to expand...
Click to collapse
yes you are exactly right...when I input in this command " /data/local/tmp/root" then I got back this error "mkdir failed for /system/xbin, File exists" you see the difference, instead of "already exits" I did ignore the error message but when I tried to used a root required app like root explorer...It states the phone needs to rooted before the app can work....Lastly when I enter into the boot loader "I indeed notice that S-OFF" the problem is that the phone is not rooted not even temporary...as far as visionary r7 goes I recall after the OTA, it did work on my phone for temporary rooting...it is when I attempted to used visionary r14 to obtain permanent root that visionary r7 was overwritten by r14...which doesn't work even for temp rooting thanks for your input
gbarayah said:
As has been explained in the Development section, be VERY CAREFUL with Visionary as it is known to brick phones.
When I first got my DZ I was eager to Root and uses V14 to obtain root but remember that this is not a 'Real' S-OFF. GFREE is the best and safest method to use. I was a lucky newbie who didn't end up with a brick!
Click to expand...
Click to collapse
right now...neither method works not the "visionary r14 or ADB/RAGE/GFREE" I wouldn't mind using either method, the problem is that ADB/Rage/GFREE METHOD keep giving this error message "mkdir failed for /system/xbin, File exists" which I have done a ton of research and still can find a fixed,
sammd301 said:
yes you are exactly right...when I input in this command " /data/local/tmp/root" then I got back this error "mkdir failed for /system/xbin, File exists" you see the difference, instead of "already exits" I did ignore the error message but when I tried to used a root required app like root explorer...It states the phone needs to rooted before the app can work....Lastly when I enter into the boot loader "I indeed notice that S-OFF" the problem is that the phone is not rooted not even temporary...as far as visionary r7 goes I recall after the OTA, it did work on my phone for temporary rooting...it is when I attempted to used visionary r14 to obtain permanent root that visionary r7 was overwritten by r14...which doesn't work even for temp rooting thanks for your input
Click to expand...
Click to collapse
Crap I typed up this response but I guess I didn't submit it because it's gone...
OK what you are saying is actually good news, it means you had temp root at one point or gfree would not have worked (you would not have S-OFF now)
If you can get temp root to work even one more time you can flash ClockWorkMod recovery and then load a custom/pre-rooted ROM.
I do suspect that you have messed up your system with your various attempts at rooting (especially the fact that you used visionary and other deprecated root methods) and you need to wipe your system and start over with either a custom ROM or a pre-rooted stock ROM.
I would start by running this section of the root process:
ON YOUR PHONE:
1. Launch Terminal Emulator
2. Execute /data/local/tmp/rage
3. Wait for the message: "Forked #### childs."
4. Menu > Reset Term - Terminal Emulator will exit.
5. Launch Terminal Emulator, it Force Closes. Launch a second time, and you'll have a root shell
Click to expand...
Click to collapse
If you have a # prompt that means you have temp root, from there I would use flash_image to flash ClockWorkMod 3.0.5 to the phone (see guide)
Get ClockWorkMod here
Once you have CWM installed you can basically ignore your current OS and flash whatever you want, you can go with a custom ROM or if you don't want to do that you can go with a pre-rooted stock ROM (see this thread). In any case I would definitely wipe first (from within CWM)
Yeah, flashing a pre-rooted custom ROM is probably your cleanest solution at this point. If you want to try and fix what you have though, you can try the following steps:
1. Follow the instructions to get temp root with rage again.
2. In Terminal, try these commands and look for an error at any point (this is what the root script is actually doing, with the addition of the deletion of the xbin file/directory since that seems to be what is messing up):
Code:
# /data/local/tmp/busybox killall rage
# mount -o rw,remount -t ext3 /dev/block/mmcblk0p25 /system
# rm -rf /system/xbin
# mkdir /system/xbin
# /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin/busybox
# chmod 4755 /system/xbin/busybox
# /system/xbin/busybox --install -s /system/bin
# cp /sdcard/Superuser.apk /system/app/Superuser.apk
# cp /sdcard/su /system/bin/su
# chmod 4755 /system/bin/su
Flashing a custom ROM is probably easier though.
ianmcquinn said:
Yeah, flashing a pre-rooted custom ROM is probably your cleanest solution at this point. If you want to try and fix what you have though, you can try the following steps:
1. Follow the instructions to get temp root with rage again.
2. In Terminal, try these commands and look for an error at any point (this is what the root script is actually doing, with the addition of the deletion of the xbin file/directory since that seems to be what is messing up):
Code:
# /data/local/tmp/busybox killall rage
# mount -o rw,remount -t ext3 /dev/block/mmcblk0p25 /system
# rm -rf /system/xbin
# mkdir /system/xbin
# /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin/busybox
# chmod 4755 /system/xbin/busybox
# /system/xbin/busybox --install -s /system/bin
# cp /sdcard/Superuser.apk /system/app/Superuser.apk
# cp /sdcard/su /system/bin/su
# chmod 4755 /system/bin/su
Flashing a custom ROM is probably easier though.
Click to expand...
Click to collapse
Right now I going to try to use this command to fix the error and if it doesn't work, I will then try to flash a custom and see how that goes...Update will be posted as I go along....thanks for the kind help....
raitchison said:
Crap I typed up this response but I guess I didn't submit it because it's gone...
OK what you are saying is actually good news, it means you had temp root at one point or gfree would not have worked (you would not have S-OFF now)
If you can get temp root to work even one more time you can flash ClockWorkMod recovery and then load a custom/pre-rooted ROM.
I do suspect that you have messed up your system with your various attempts at rooting (especially the fact that you used visionary and other deprecated root methods) and you need to wipe your system and start over with either a custom ROM or a pre-rooted stock ROM.
I would start by running this section of the root process:
If you have a # prompt that means you have temp root, from there I would use flash_image to flash ClockWorkMod 3.0.5 to the phone (see guide)
Get ClockWorkMod here
Once you have CWM installed you can basically ignore your current OS and flash whatever you want, you can go with a custom ROM or if you don't want to do that you can go with a pre-rooted stock ROM (see this thread). In any case I would definitely wipe first (from within CWM)
Click to expand...
Click to collapse
I will attempt to flash ClockWorkmod, once I try out "ianmcquinn" suggesting in trying to fix the rooting error...thanks for the help
ianmcquinn said:
Yeah, flashing a pre-rooted custom ROM is probably your cleanest solution at this point. If you want to try and fix what you have though, you can try the following steps:
1. Follow the instructions to get temp root with rage again.
2. In Terminal, try these commands and look for an error at any point (this is what the root script is actually doing, with the addition of the deletion of the xbin file/directory since that seems to be what is messing up):
Code:
# /data/local/tmp/busybox killall rage
# mount -o rw,remount -t ext3 /dev/block/mmcblk0p25 /system
# rm -rf /system/xbin
# mkdir /system/xbin
# /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin/busybox
# chmod 4755 /system/xbin/busybox
# /system/xbin/busybox --install -s /system/bin
# cp /sdcard/Superuser.apk /system/app/Superuser.apk
# cp /sdcard/su /system/bin/su
# chmod 4755 /system/bin/su
Flashing a custom ROM is probably easier though.
Click to expand...
Click to collapse
Yes I used the wiki instruction to gain temporary root on the phone and proceeded to tryout the above command...I got mostly error with the command below is what I en-counted as I enter the command....
# /data/local/tmp/busybox killall rage
No error here just # prompt
# mount -o rw,remount -t ext3 /dev/block/mmcblk0p25 /system
No error again just # prompt
# rm -rf /system/xbin
Error "rm failed for -rf, Read-only file system"
# mkdir /system/xbin
Error "mkdir failed for /system/xbin, File exists"
# /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin/busybox
Error "cp: can't stat '/system/xbin/busybox': Not a directory"
# chmod 4755 /system/xbin/busybox
Error "Unable to chmod /system/xbin/busybox: Not a directory"
# /system/xbin/busybox --install -s /system/bin
Error "/system/xbin/busybox: not found"
# cp /sdcard/Superuser.apk /system/app/Superuser.apk
Error "cp: not found"
# cp /sdcard/su /system/bin/su
Error "cp: not found"
# chmod 4755 /system/bin/su
Error "Unable to chmod /system/bin/su: No such file or directory
I am now going to attempt the Clockwork custom rom flash..
Folks victory is mine....No, VICTORY IS OURS, I sincerely like to thank all of you all, who replied with helpful suggesting...especially the following members "raitchison" from West Hill, CA and "ianmcquinn" a true senior member of xda-developer.
This is what I did to finally get the phone rooted....
I took "Raitchison" advice by trying to use flash_image to flash ClockWorkMod recovery... but during the process I could not get pass copying file to the phone root system folder usind android terminal emulator ...so I input this command "chmod 777/system" to gain write access to the folder...after doing that I manually moved busybox file to system folder and attempted a rooting the phone using the rooting instruction from the HTC G2/DESIRE Z wiki site...at...
http://forum.xda-developers.com/wik...cess_.28Permanent_Root_.2F_.22Permaroot.22.29
And this time around, everything went as normal after rooting the phone I open root required app and Wa La...no error message...
Guys I once again wants thank you all for the support....I also looked forward to help out others facing the same issue...so if anyone has encounter the same or similar issue please feel free to post here and I will response....
Can any one help me I am trying to close this thread...How do I go about doing it....thanks
There is no need to close the thread, if anyone has a similar problem and finds it via search they can come in here and bring the discussion back up, otherwise if there is no activity it will naturally fall to the bottom of the thread list.
It works for me I just did it yday using visionary and gfree all on my phone weird that it doesn't work for you?
Sent from my Liquid Metal using XDA Premium App
Hello,
I've had a few requests for help unrooting the Bell Desire Z for warranty purposes.
If you've noticed, there isn't a specific guide for us Bell users, while T-Mobile customers have like a dozen guides scattered around. I figured this out and I should share it.
The really tricky part was figuring out how to get rid of superuser.apk and also get s-on and Bell's CID in the right order, but it turns out it's simple haha. Unfortunately there was not guide for me, so I had to figure this out trial and error and piecing it together from other random posts. I'm not a dev/hacker (well, maybe now I am a novice hacker), so it was a big deal for me (lol) and I can relate to the frustration that comes from not having a good resource.
The exact build my phone shipped with was 1.34.666.5 and other phones may have shipped with other builds, but I've determined that the way Bell operates is that they send their phones to a 3rd party repair facility, and they don't check this (or don't care). However, they may still check whether or not the phone is rooted. So let's unroot it.
DISCLAIMER: Do your own research. I am not responsible for anything bad that happens to your phone after this point (but I will take credit for your success!! ). I used this method successfully and everything worked great. But proceed with caution. If you are unsure, do some looking around. CHECK YOUR MD5 SUMS! Easy MD5 is in the market, and is great.
0. If you have flashed a new radio, flash the old radio back. This one:
http://www.mediafire.com/?9cb8a7jwxob8o6r
NOTE: I'm leaving specific details out of this because if you don't know how to do this, that means you haven't done it before, and you don't need to do this step, and should probably avoid flashing new radios anyway.
1. Download this file:
https://rcpt.yousendit.com/1317004046/ea1de40db3968b867573327c903231bf
-unzip it, and place the folders in /sdcard/clockworkmod/backup/
(recovery will check the md5 sums for you)
2. Reboot into recovery (assuming you have the clockworkmod recovery).
-Do a factory reset (yes, you will lose all your apps etc if you didn't back up)
-Choose Backup/Restore, Advanced Restore, Stock DZ System, System.img
-Choose Backup/Restore, Advanced Restore, Stock DZ Boot, Boot.img
-Reboot
3. Download
http://dl.dropbox.com/u/15272013/Flash Recovery Files.zip
Unzip those files to the root of your sdcard.
PLEASE CHECK THE MD5 of recovery.img AFTER you have unzipped it and placed it on your sdcard!! Sometimes if you check an md5 on your pc and then copy it over, you could still have an error, and then you'll be in a bit of trouble!
md5 of recovery.img: id5d280af717f9afd7ce1c3285c129bc
4. Download the following file:
http://cmw.22aaf3.com/common/gfree_07.zip
md5 (of entire folder): 6916cf05b0805aeac9effdc1725aaa12
unzip and place the file gfree on the root of your sdcard
3. Install Terminal Emulator from the Market. This all needs to be done in the same Terminal Session. Type
$su
#mount -o remount, rw /system
#cp /sdcard/flash_image /system/bin/
#chmod 777 /system/bin/flash_image
#/system/bin/flash_image recovery /sdcard/recovery.img
#cp /sdcard/gfree /data/local/tmp/
#chmod 777 /data/local/tmp/gfree
#rm /system/app/superuser.apk
#/data/local/tmp/gfree -s on -c BM___001
Now when you reboot your phone, you will have an unrooted phone, stock. For clarity, you have:
-Stock, Unrooted Bell ROM 1.34.666.5
-Stock, Matching Radio
-S-Off HBoot
-Proper Bell CID
-Superuser.apk nowhere to be found
The only loose ends are that flash_image will still be in your /system/bin and if you flashed the eng hboot, your hboot number may not match. I'm 99.9% certain nobody at the repair facility will look or care about it. Also, I'd prefer you avoid flashing your hboot, since that is singly the most risky thing you can do with your phone.
If anybody knows whether the flash_image binary works in /data/local/tmp, let me know and I'll edit the post.
Note: when you get your phone back, it will have the latest GB RUU on it. This will give you a bit of trouble re-rooting it. There is no way around having them flash the latest firmware on it, since it's the very first thing they do before they diagnose your phone.
Thanks to Football for information on shipped builds and mxpxboi for his rooted 1.34.666.5 nandroid files.
Cheers!
JT
jontornblom said:
3. Install Terminal Emulator from the Market. This all needs to be done in the same Terminal Session. Type
$su
#mount -o remount, rw /system
#cp /sdcard/flash_image /system/bin/
#chmod 777 /system/bin/flash_image
#/system/bin/flash_image recovery /sdcard/recovery.img
#cp /sdcard/gfree /data/local/tmp/
#chmod777 /system/bin/gfree
#rm /system/app/superuser.apk
#/data/local/tmp/gfree -s on -c BM___001
Click to expand...
Click to collapse
Thanks for the help jontornblom. Quick question:
I am receiving the error message saying /system/bin/gfree no such directory.
Any Tips?
Merzennary said:
Thanks for the help jontornblom. Quick question:
I am receiving the error message saying /system/bin/gfree no such directory.
Any Tips?
Click to expand...
Click to collapse
Did you accidentally type a "/" after gfree?
Sent from my Nexus 6 like tears in rain.
good job - thx for this guide
jontornblom said:
$su
#mount -o remount, rw /system
#cp /sdcard/flash_image /system/bin/
#chmod 777 /system/bin/flash_image
#/system/bin/flash_image recovery /sdcard/recovery.img
#cp /sdcard/gfree /data/local/tmp/
#chmod777 /system/bin/gfree
#rm /system/app/superuser.apk
#/data/local/tmp/gfree -s on -c BM___001
Click to expand...
Click to collapse
There are a couple of small typos in this code. In the second chmod there should be a space between "chmod" and "777". More importantly though, that second chmod should be on "/data/local/tmp/gfree" since that's where it's been copied
Sent from my Desire Z running CM7.
steviewevie said:
There are a couple of small typos in this code. In the second chmod there should be a space between "chmod" and "777". More importantly though, that second chmod should be on "/data/local/tmp/gfree" since that's where it's been copied
Sent from my Desire Z running CM7.
Click to expand...
Click to collapse
Thanks! Sorry about that =( I will edit the OP
Edit: okay, typos fixed. My apologies to anyone who ran into trouble because of this.
Sent from my Nexus 6 like tears in rain.
jontornblom said:
Hello,
1. Download this file:
...yousendit.com/1317004046/....3968b867573327c903231bf
-unzip it, and place the folders in /sdcard/clockworkmod/backup/
(recovery will check the md5 sums for you)
Click to expand...
Click to collapse
Could someone re-upload file from step 1?
Hi,
I too could use the file from Step 1. And there is a little urgency as I need to get my DZ back to stock as soon as possible.
Your help is appreciated...greatly!
Thanks.
I rooted my A100 a few weeks ago, but have now decided to sell it and upgrade to newer tablet. I used Zeronull's batch file/method, and DID NOT install any sort of custom recovery. I've searched and searched, and the best advice I could find was to reflash a stock firmware using the Power/VolumeUp recovery method. I tried using "Acer_AV041_A100_0.002.00_WW_GEN1.zip" (renamed to "update.zip" on my microSD) but only quickly get the dead Android with the red triangle (w/exclamation point). I tried 2 different microSD cards (and 2 different downloads) just to make sure that wasn't the issue.
Is there a way (thru ADB or manual steps using root explorer) to "unwind" what Zeronull's batch file does? Worst case, I can do a Factory Reset and just sell it as "rooted", but I'd really prefer to have the thing back to true "stock" for the potential buyer. However, the LAST thing I want to do at this point is to take any unnecessary risks and brick the thing!
FWIW, this recertified A100 shipped with ICS 4.0.3. -- the Build number in my "Settings" screen shows "Acer_AV041_A100_1.015.00_PA_CUS1" and the Image version shows "Acer_AV041_A100_RV02RC01_PA_CUS1".
Thanks in advance!
delroot.sh -- is that my answer?
After looking at the shell scripts in zeronull's package, I see that there is a "delroot.sh" script that gets copied to /data/local/tmp. Do I just need to run this (via ADB or terminal emulator)? Could it be that easy (i.e. to run this, and then do a Factory Reset)?
Here's the script:
toolbox mount -o remount, rw /system/
rm /system/bin/mount
ln -s /system/bin/toolbox /system/bin/mount
/data/local/tmp/busybox cp /system/xbin/dexdump /data/local/tmp/dexdump
/data/local/tmp/busybox cp /system/xbin/tcpdump /data/local/tmp/tcpdump
rm /system/xbin/*
/data/local/tmp/busybox cp /data/local/tmp/dexdump /system/xbin/dexdump
/data/local/tmp/busybox cp /data/local/tmp/tcpdump /system/xbin/tcpdump
rm /data/local/tmp/tcpdump /data/local/tmp/dexdump
rm -r /system/sbin/
rm /system/bin/su
Sure looks like this would work (I'd also get rid of /data/local/tmp, since it was created in the initial runit-win.bat process)! Again, thanks for any advice...
kltalley said:
After looking at the shell scripts in zeronull's package, I see that there is a "delroot.sh" script that gets copied to /data/local/tmp. Do I just need to run this (via ADB or terminal emulator)? Could it be that easy (i.e. to run this, and then do a Factory Reset)?
Here's the script:
toolbox mount -o remount, rw /system/
rm /system/bin/mount
ln -s /system/bin/toolbox /system/bin/mount
/data/local/tmp/busybox cp /system/xbin/dexdump /data/local/tmp/dexdump
/data/local/tmp/busybox cp /system/xbin/tcpdump /data/local/tmp/tcpdump
rm /system/xbin/*
/data/local/tmp/busybox cp /data/local/tmp/dexdump /system/xbin/dexdump
/data/local/tmp/busybox cp /data/local/tmp/tcpdump /system/xbin/tcpdump
rm /data/local/tmp/tcpdump /data/local/tmp/dexdump
rm -r /system/sbin/
rm /system/bin/su
Sure looks like this would work (I'd also get rid of /data/local/tmp, since it was created in the initial runit-win.bat process)! Again, thanks for any advice...
Click to expand...
Click to collapse
Thatll do it for sure though deleting that dir by hand after losing root will likely fail. Perhaps add the in to the script right after dexdump deletion. It won't really matter though.
Sent from my Galaxy Nexus using Tapatalk 2
pio_masaki said:
Thatll do it for sure though deleting that dir by hand after losing root will likely fail. Perhaps add the in to the script right after dexdump deletion. It won't really matter though.
Sent from my Galaxy Nexus using Tapatalk 2
Click to expand...
Click to collapse
Thanks, pio_masaki!
This guide was tested on my samsung galaxy [email protected] gt-B5330 and it worked.
WARNING: this can brick your phone, used on your own risk (both eyes wide open).
The idea behing can be ported on any phone that allows you to upload custom firmware (most samsungs with odin).
The idea is that you escalate to superuser by setting suid on /system/bin/toolbox executable.
By duing that you can run most of the unix commands on android as a superuser.
I is enought for you to copy su utility somewhere where there is not a nosuid option on mountpoint. and make it a suided executable then execute su and get the #.
It's all down hill from here.
I cannot verify for every ics rom out there, but it seems that now ics uses ext4 filesystem for the system partition.
I have made a script that inspects a stock rom firmware isolate the permissions for the toolbox executable and add to them SUID,SUIG.
After that it pachs the firmware back and you can flash it to your device and have a easylly rootable device. (I will post the stept to take to get a standard rooted device).
What you need:
a linux/gnu (it will not work with cygwin because we have to mount the ext4 partition).
simg2img utility (you can get it from xda site it is in ext4_utility packet).
su, busybox and superuser.apk binaries for android (you can take them from a rooting package).
heimdal (for linux) xor odin (for windows and if you cannot flash the firmware on your phone form linux).
I've put all untilities that are not standard into the tar.
just unpack and you have the universal-patch.sh to run over an .tar.md5 firware stock rom.
And post-firmwareUpdate.sh to run after you flash in order to make the root a standard android root.
This was not tested on any other phone (was tested only on GT-B5330) and do it on your own risk.
This rooting does not exploit any weakness (or flaw) in kernel or any thing, it just modifies the stock firmware to make it more flexible so it should be forward compatible with any version of android after ics.
I assume this would exclude HTC's since you meed to be s-off to flash a firmware. I would probably verify that and edit the title if necessary. Other than that, this looks like it could be helpful.
Help to understand the procedure
Hi ETTT,
first of all thanks for your job and effort in finding a solution to this issue.. it has been driving me crazy till now.. but thanx to you i see the light :good: I see it but i cannot really understand the procedure.. Could you please write a step by step explanation of what i need to do. (I am not what we could call a genius with linux).
Thanks in advance.
The First said:
Hi ETTT,
first of all thanks for your job and effort in finding a solution to this issue.. it has been driving me crazy till now.. but thanx to you i see the light :good: I see it but i cannot really understand the procedure.. Could you please write a step by step explanation of what i need to do. (I am not what we could call a genius with linux).
Thanks in advance.
Click to expand...
Click to collapse
If you are refering to the procedure that the script is doing here is the version of step by step (with-out the script):
http://forum.xda-developers.com/showthread.php?t=1956653
If you want to know the step by step with the script, here (I will not respond to more basic than this, like how to boot ubuntu and stuff.):
mkdir -p /tmp/foo
sudo mkdir /mnt
cd /tmp/foo
tar -xzf universal-patch.tar.gz
export PATH=./:$PATH
{get the firmware here and unzip it, it should have a file with .tar.md5 suffix}
./universal-patch.sh {the name of the firmware including the .tar.md5 suffix}
wait a while. you should have by the way about 10 times the size of the zip as free space.
if all goes well you will have a myfrm.tar.md5 rady for flashing.
flash the firmware, and after boot enable usb debuging, hook the phone to pc
sudo adb devices
./post-firmwareUpdate.sh
you should have a rooted phone.
you cannot go any more basic than that.
Have fun.
Thanks for your effort, I'm already have my XWALH3 patched, btw you should to check the patch on line 19, you've misstype something there
Sent from my GT-B5330 using xda app-developers app
The file after qa
phyxar said:
Thanks for your effort, I'm already have my XWALH3 patched, btw you should to check the patch on line 19, you've misstype something there
Sent from my GT-B5330 using xda app-developers app
Click to expand...
Click to collapse
Thanks for testing and input.
phyxar said:
Thanks for your effort, I'm already have my XWALH3 patched, btw you should to check the patch on line 19, you've misstype something there
Sent from my GT-B5330 using xda app-developers app
Click to expand...
Click to collapse
XWALH3 i've produce from your universal-patch cannot being flashed to my phone, odin crash each time open those files
phyxar said:
XWALH3 i've produce from your universal-patch cannot being flashed to my phone, odin crash each time open those files
Click to expand...
Click to collapse
I'm puting the xdelta to the XWALH3
here are the md5s for the original and patched firmware.
cfe3ca545c4a2c8d453e02cd549655a1 B5330XWALH3_B5330OJVALH1_B5330XXLH4_HOME.tar.md5
624f63943bff54941e4042a39d7928f2 myfrm.tar.md5
Now I have some question in order to debug:
does the patching you have done yeild the same file as I have here?
have you use the same imput? (that's why I've give you the md5 of my imput).
Hey you have rooted you b5330 then do you notice any performance upgrade
Sent from my GT-B5330 using xda premium
Can I patch the firmware using windows??
Because I'm on win
I don't really understand using linux
Or can you make single click batch file that I can use it to patch my firmware???
I really appreciate it if someone provide it
Thanks
Sent from my GT-B5330 using xda app-developers app
byboyz said:
Can I patch the firmware using windows??
Because I'm on win
I don't really understand using linux
Or can you make single click batch file that I can use it to patch my firmware???
I really appreciate it if someone provide it
Thanks
Sent from my GT-B5330 using xda app-developers app
Click to expand...
Click to collapse
I don't know windows that much to make a batch clone of the script. so you need linux.
But you can use a live cd (maybe from ubuntu) to run the script.
ETTT said:
I don't know windows that much to make a batch clone of the script. so you need linux.
But you can use a live cd (maybe from ubuntu) to run the script.
Click to expand...
Click to collapse
Thx for ur reply
How can I open XWALH3.patch that u give earlier??
Bcause I don't know anything about linux
Sent from my GT-B5330 using xda app-developers app
byboyz said:
Thx for ur reply
How can I open XWALH3.patch that u give earlier??
Bcause I don't know anything about linux
Sent from my GT-B5330 using xda app-developers app
Click to expand...
Click to collapse
that patch is an xdelta patch.
There is an xdelta application on windows, don't know if it works, but it should work.
ETTT said:
If you are refering to the procedure that the script is doing here is the version of step by step (with-out the script):
http://forum.xda-developers.com/showthread.php?t=1956653
If you want to know the step by step with the script, here (I will not respond to more basic than this, like how to boot ubuntu and stuff.):
mkdir -p /tmp/foo
sudo mkdir /mnt
cd /tmp/foo
tar -xzf universal-patch.tar.gz
export PATH=./:$PATH
{get the firmware here and unzip it, it should have a file with .tar.md5 suffix}
./universal-patch.sh {the name of the firmware including the .tar.md5 suffix}
wait a while. you should have by the way about 10 times the size of the zip as free space.
if all goes well you will have a myfrm.tar.md5 rady for flashing.
flash the firmware, and after boot enable usb debuging, hook the phone to pc
sudo adb devices
./post-firmwareUpdate.sh
you should have a rooted phone.
you cannot go any more basic than that.
Have fun.
Click to expand...
Click to collapse
hi there, I'm stuck at last point/step: ./post-firmwareUpdate.sh
my terminal respond many error about busybox
the code like this:
2684 KB/s (91980 bytes in 0.033s)
4016 KB/s (996704 bytes in 0.242s)
4491 KB/s (1085140 bytes in 0.235s)
.//busybox: 1: .//busybox: Syntax error: word unexpected (expecting ")")
.//busybox: 1: .//busybox: Syntax error: word unexpected (expecting ")")
dd if=/data/local/tmp/su of=/mnt/obb/su # copy the su binary to a place that can be sudoed
chown 0.0 /mnt/obb/su # modify the owner
chmod 6755 /mnt/obb/su # set SUID flag.
/mnt/obb/su # becomes root !!
mount -o remount,rw /system # remount the system partition as readwrite.
dd if=/data/local/tmp/su of=/system/xbin/su #copy su in path
chown 0.0 /system/xbin/su
chmod 6755 /system/xbin/su
chmod 755 /system/bin/toolbox # close the security hole (toolbox is nolonger with SUID)
dd if=/data/local/tmp/Superuser.apk of=/system/app/Superuser.apk # copy the superuser application
chown 0.0 /system/app/Superuser.apk
chmod 666 /system/app/Superuser.apk
#now this is done for busybox
dd if=/data/local/tmp/busybox of=/system/xbin/busybox
chown 0.0 /system/xbin/busybox
chmod 755 /system/xbin/busybox
cd /system/xbin
for k in
nt/obb/su # copy the su binary to a place that can be sudoed <
/mnt/obb/su: cannot open for write: Permission denied
1|[email protected]:/ $ chown 0.0 /mnt/obb/su # modify the owner
Unable to chmod /mnt/obb/su: No such file or directory
10|[email protected]:/ $ chmod 6755 /mnt/obb/su # set SUID flag.
Unable to chmod /mnt/obb/su: No such file or directory
10|[email protected]:/ $ /mnt/obb/su # becomes root !!
/system/bin/sh: /mnt/obb/su: not found
# remount the system partition as readwrite. <
mount: Operation not permitted
/system/xbin/su #copy su in path <
/system/xbin/su: cannot open for write: Read-only file system
1|[email protected]:/ $ chown 0.0 /system/xbin/su
Unable to chmod /system/xbin/su: No such file or directory
10|[email protected]:/ $ chmod 6755 /system/xbin/su
Unable to chmod /system/xbin/su: No such file or directory
# close the security hole (toolbox is nolonger with SUID) <
Unable to chmod /system/bin/toolbox: Read-only file system
er.apk of=/system/app/Superuser.apk # copy the superuser application <
/system/app/Superuser.apk: cannot open for write: Read-only file system
1|[email protected]:/ $ chown 0.0 /system/app/Superuser.apk
Unable to chmod /system/app/Superuser.apk: No such file or directory
10|[email protected]:/ $ chmod 666 /system/app/Superuser.apk
Unable to chmod /system/app/Superuser.apk: No such file or directory
10|[email protected]:/ $ #now this is done for busybox
10|[email protected]:/ $ dd if=/data/local/tmp/busybox of=/system/xbin/busybox
/system/xbin/busybox: cannot open for write: Read-only file system
1|[email protected]:/ $ chown 0.0 /system/xbin/busybox
Unable to chmod /system/xbin/busybox: No such file or directory
10|[email protected]:/ $ chmod 755 /system/xbin/busybox
Unable to chmod /system/xbin/busybox: No such file or directory
10|[email protected]:/ $ cd /system/xbin
[email protected]:/system/xbin $ for k in
Click to expand...
Click to collapse
smhybrid said:
hi there, I'm stuck at last point/step: ./post-firmwareUpdate.sh
my terminal respond many error about busybox
the code like this:
Click to expand...
Click to collapse
Ok it seams busybox has a thing against ")" in comments.
Here is the script without comments, so try this.
ETTT said:
Ok it seams busybox has a thing against ")" in comments.
Here is the script without comments, so try this.
Click to expand...
Click to collapse
no good, it's still have same error...
maybe the problem is in busybox?
and i don't know why I'm unable to do chmod
smhybrid said:
no good, it's still have same error...
maybe the problem is in busybox?
and i don't know why I'm unable to do chmod
Click to expand...
Click to collapse
give this command:
adb shell ls -l /system/bin/toolbox
and let's see if the toolbox has suid.
ETTT said:
give this command:
adb shell ls -l /system/bin/toolbox
and let's see if the toolbox has suid.
Click to expand...
Click to collapse
what i get is
-rwxr-xr-x root shell 99068 2012-08-09 11:59 toolbox
how to get suid?
smhybrid said:
what i get is
-rwxr-xr-x root shell 99068 2012-08-09 11:59 toolbox
how to get suid?
Click to expand...
Click to collapse
have you flash the patched firmware?
ETTT said:
have you flash the patched firmware?
Click to expand...
Click to collapse
well, I've just do all of Your step, except this:
flash the firmware, and after boot enable usb debuging, hook the phone to pc
Click to expand...
Click to collapse
because I don't know the meaning of flash the firmware. How to do that?
So I skip that and hook the phone to pc with usb debugging enabled
i'm new at linux, but I want to try this method for my galaxy chat