I ran all the required commands and noticed that the chmod did not do anything. So I decided to run the temp root command abd I get permission denied.
Sent from my T-Mobile G2 using XDA App
Please anyone? I run this command "adb shell chmod 755 /data/local/tmp/*" but it does not do anything, is there something I have to change on that line?
Been trying to root for 2 days now but unsuccessful.
you're not supposed to see any return on the command prompt. Just continue with the procedure.
Thanks for giving me a reply, waited many hours. THANK you though.
When I run the temp root command, I get this.
"C:\android-sdk-windows\platform-tools>adb shell /data/local/tmp/psneuter
mmap() failed. Operation not permitted
C:\android-sdk-windows\platform-tools>adb shell
"
C:\android-sdk-windows\platform-tools>adb shell
#
#
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox md5sum /dev/block/mmcblk0p18
./busybox md5sum /dev/block/mmcblk0p18
b532ca54a073f0c4043bd7be69ebce8d /dev/block/mmcblk0p18
# cd /data/local/tmp
cd /data/local/tmp
# ./gfree -f -b hboot-eng.img
./gfree -f -b hboot-eng.img
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
--hboot set. hboot image hboot-eng.img will be installed in partition 18
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x00015384 (86916)
Section index for section name string table: 41
String table offset: 0x000151cb (86475)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x000011cc (4556)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.17-g9ab3677
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c029c72c, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc029c000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc029c72c + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 18 and installing specified hboot image...
Backing up current partition 7 and patching it...
patching secu_flag: 0
Done.
# ./flash_image recovery recovery.img
./flash_image recovery recovery.img
# cd /data/local/tmp
cd /data/local/tmp
# ./flash_image recovery recovery.img
./flash_image recovery recovery.img
# ./root_psn
./root_psn
# sync
sync
#
Did these commands run right?
# cd /data/local/tmp
# ./gfree -f -b hboot-eng.img
# ./flash_image recovery recovery.img
# ./root_psn
# sync
All looks good to me.... When yoh restart the phone do you have s off?
Sent from my HTC Vision using XDA App
Ok ariel_ on the irc channel has managed to get the right LTE radio and I was able to dd it back on, but we still need to get the cdma radio.
@ariel_> I used this command to take one of them out. adb shell dd bs=256 count=49153 if=/dev/block/platform/omap/omap_hsmmc.0/by-name/radio of=/sdcard/radio.img and this was for the other one: adb shell dd if=/dev/block/mmcblk0p9 of=/data/media/radio1.img
Click to expand...
Click to collapse
I then took those images and pushed them onto my device through the recovery shell using as follows.
C:\Galaxy Nexus ToolKit>adb-toolkit.exe shell
~ # ls
ls
boot etc sd-ext
cache init sdcard
data init.rc sys
datadata proc system
default.prop res tmp
dev root ueventd.goldfish.rc
emmc sbin ueventd.rc
~ # cd sdcard
cd sdcard
/data/media # ls
ls
radio.img radio1.img
/data/media # dd if=/sdcard/radio.img of=/dev/block/platform/omap/omap_hsmmc.0/b
y-name/radio
dd if=/sdcard/radio.img of=/dev/block/platform/omap/omap_hsmmc.0/b
y-name/radio
24576+1 records in
24576+1 records out
12583168 bytes (12.0MB) copied, 3.677856 seconds, 3.3MB/s
/data/media # dd if=/sdcard/radio1.img of=/dev/block/mmcblk0p9
dd if=/sdcard/radio1.img of=/dev/block/mmcblk0p9
32768+0 records in
32768+0 records out
16777216 bytes (16.0MB) copied, 4.613159 seconds, 3.5MB/s
/data/media #
C:\Galaxy Nexus ToolKit>
Click to expand...
Click to collapse
My LTE baseband now reads correctly as L700.FC12 but my CDMA baseband isnt correct.
Please post questions in Q&A.
Development is for released products
Thanks
FNM
Background: Just purchased a Samsung Galaxy SIII i747 running 4.0.4, but alas I have only a mac and need to root + cwm without tripping the counter. I loved my original galaxy and hope this community continues to flourish.
This was inspired by Noxious Ninja at http://forum.xda-developers.com/showthread.php?t=1790104 and miloj at http://forum.xda-developers.com/showthread.php?t=1704209 so give them some props :good:.
Tools Required:
clockworkmod
Temporary su (found in attachment)
debugfs (also found in attachment)
adb (Found in Android SDK)
optional: if you're using windows then you'll need extra drivers
Note: The su and debugfs were not compiled by me however miloj does provide code for su in his post incase you're concerned they both deserve more props :good:.
Now that you've collected all of the necessary tools it's time to get to work. You should type in lines that are black. The color green should be your response. If something is red it's important.
STEP 1: push debug and su onto your device and locate relavent block devices create a symbolic link for our attack to /system
Make sure usb debugging is enabled. First unarchive the attachment and if your path is correct simply.
Code:
macbook-pro:debugfs_su entropy$ adb push debugfs /data/local/
[COLOR="Lime"]2708 KB/s (1862336 bytes in 0.671s)[/COLOR]
macbook-pro:debugfs_su entropy$ adb push su /data/local/
[COLOR="lime"]2795 KB/s (372006 bytes in 0.129s)[/COLOR]
macbook-pro:debugfs_su entropy$ adb shell
[email protected]:/ $ cd /data/local
[email protected]:/data/local $ mv tmp tmp.back
[email protected]:/data/local $ cd /dev/block/platform/msm_sdcc.1/by-name
[email protected]:/dev/block/platform/msm_sdcc.1/by-name $ ls -al
[COLOR="lime"]lrwxrwxrwx root root 1970-01-25 02:16 aboot -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 1970-01-25 02:16 backup -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 1970-01-25 02:16 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 1970-01-25 02:16 cache -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 1970-01-25 02:16 efs -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 1970-01-25 02:16 fota -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 1970-01-25 02:16 fsg -> /dev/block/mmcblk0p21
lrwxrwxrwx root root 1970-01-25 02:16 grow -> /dev/block/mmcblk0p23
lrwxrwxrwx root root 1970-01-25 02:16 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 1970-01-25 02:16 modemst1 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 1970-01-25 02:16 modemst2 -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 1970-01-25 02:16 pad -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 1970-01-25 02:16 param -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 1970-01-25 02:16 persist -> /dev/block/mmcblk0p16
[COLOR="Red"]lrwxrwxrwx root root 1970-01-25 02:16 recovery -> /dev/block/mmcblk0p18[/COLOR]
lrwxrwxrwx root root 1970-01-25 02:16 rpm -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 1970-01-25 02:16 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 1970-01-25 02:16 sbl2 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 1970-01-25 02:16 sbl3 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 1970-01-25 02:16 ssd -> /dev/block/mmcblk0p22
[COLOR="red"]lrwxrwxrwx root root 1970-01-25 02:16 system -> /dev/block/mmcblk0p14[/COLOR]
lrwxrwxrwx root root 1970-01-25 02:16 tz -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 1970-01-25 02:16 userdata -> /dev/block/mmcblk0p15[/COLOR]
[email protected]:/dev/block/platform/msm_sdcc.1/by-name $ cd /data/local
[email protected]:/data/local $ ln -s /dev/block/mmcblk0p14 tmp #this comes from one of the red highlights specifically the symbolic link to system
[email protected]:/data/local $ exit
macbook-pro:debugfs_su entropy$ adb reboot
STEP 2: perform the attack and clean up
Code:
macbook-pro:debugfs_su entropy$ adb shell
[email protected]:/ $ cd /data/local
[email protected]:/data/local $ toolbox chmod 755 /data/local/debugfs
[email protected]:/data/local $ /data/local/debugfs -w /data/local/tmp
[COLOR="Lime"]debugfs 1.42 (29-Nov-2011)[/COLOR]
debugfs: cd xbin
debugfs: rm su
[COLOR="Red"]rm: File not found by ext2_lookup while trying to resolve filename[/COLOR] #don't worry about this
debugfs: write /data/local/su su
[COLOR="Lime"]Allocated inode: 533[/COLOR]
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
[email protected]:/data/local $ rm tmp
[email protected]:/data/local $ mv tmp.back tmp
[email protected]:/data/local $ exit
macbook-pro:debugfs_su entropy$ adb reboot
STEP 3: Great success
Code:
macbook-pro:debugfs_su entropy$ adb shell
[email protected]:/ $ /system/xbin/su
[COLOR="lime"]Now we be 0:0 ![/COLOR]
[email protected]:/ # id
[COLOR="Lime"]uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)[/COLOR]
[email protected]:/ # exit
[email protected]:/ $ exit
STEP 4: Immediately install superuser and force an upgrade to replace the unsecured su
STEP 5: Install Clockwork
Code:
macbook-pro:Downloads entropy$ adb push recovery-clockwork-5.8.4.5-d2att.img /sdcard/
[COLOR="lime"]3660 KB/s (7170048 bytes in 1.912s) [/COLOR]
macbook-pro:Downloads entropy$ adb shell
[email protected]:/ $ su
[email protected]:/ # id
[COLOR="lime"]uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)[/COLOR]
[email protected]:/ # dd if=recovery-clockwork-5.8.4.5-d2att.img of=/dev/block/mmcblk0p18 #this device file comes from step 1 and is for the recovery partition
[COLOR="lime"]14004+0 records in
14004+0 records out
7170048 bytes transferred in 1.844 secs (3888312 bytes/sec)[/COLOR]
[email protected]:/ # reboot recovery
STEP 6: Celebrate and give yourself a pat on the back, because this will be fixed very quickly
First post! Also, maybe the mods could move this to the appropriate forum.
Thanks for posting this so folks in this forum can see it. The link that you give at the top of your post for Noxious Ninja's thread goes directly to his instructions and, though those are in the Verizon forum, the method works for all US GS3 variants. Nice and easy way to root without having to flash anything in Odin, and it doesn't trip the flash counter.
Noxious Ninja has also put a Windows batch script based tool together that automates this process (it would be easy enough to write a bash script for Linux to do the same thing). I just used the Windows based tool to root stock UCALG1, and it worked great.
Here is the link to Noxious Ninja's automated tool.:
http://forum.xda-developers.com/showthread.php?t=1792342
jscott30 said:
Thanks for posting this so folks in this forum can see it. The link that you give at the top of your post for Noxious Ninja's thread goes directly to his instructions and, though those are in the Verizon forum, the method works for all US GS3 variants. Nice and easy way to root without having to flash anything in Odin, and it doesn't trip the flash counter.
Noxious Ninja has also put a Windows batch script based tool together that automates this process (it would be easy enough to write a bash script for Linux to do the same thing). I just used the Windows based tool to root stock UCALG1, and it worked great.
Here is the link to Noxious Ninja's automated tool.:
http://forum.xda-developers.com/showthread.php?t=1792342
Click to expand...
Click to collapse
Yea, they did most of the work. My carrier is AT&T so I was just happy I could make some progress today with everything coming together despite so much segregation between carriers (I understand why). However, I am a little discouraged by the mysterious IMEI disappearances. I was about to flash cm9 and kt747, but am having second thoughts. I miss my captivate I only flashed it once.
arcadia3go said:
Yea, they did most of the work. My carrier is AT&T so I was just happy I could make some progress today with everything coming together despite so much segregation between carriers (I understand why). However, I am a little discouraged by the mysterious IMEI disappearances. I was about to flash cm9 and kt747, but am having second thoughts. I miss my captivate I only flashed it once.
Click to expand...
Click to collapse
IMEI problems have been solved. There are two threads with two slightly different backup methods and restoration methods. I recommend reading them both and backing up both ways. I know I did.
jscott30 said:
Thanks for posting this so folks in this forum can see it. The link that you give at the top of your post for Noxious Ninja's thread goes directly to his instructions and, though those are in the Verizon forum, the method works for all US GS3 variants. Nice and easy way to root without having to flash anything in Odin, and it doesn't trip the flash counter.
Noxious Ninja has also put a Windows batch script based tool together that automates this process (it would be easy enough to write a bash script for Linux to do the same thing). I just used the Windows based tool to root stock UCALG1, and it worked great.
Here is the link to Noxious Ninja's automated tool.:
http://forum.xda-developers.com/showthread.php?t=1792342
Click to expand...
Click to collapse
off topic but great to see you in the GS3 forums.Loved your roms for the Infuse4g
Woah! Odin seems much simpler lol
Not sure using debugfs on the file system is that great an idea. I posted on this exploit on the Full Disclosure mailing list, and here is what Dan Rosenberg had to say in reply to me. Note in particular his sentence: "Using debugfs to modify the filesystem is completely unnecessary and potentially destructive."
just want to point out that in my case i had to specify full path when installing CWM in step 5
from:
dd if=recovery-clockwork-5.8.4.5-d2att.img of=/dev/block/mmcblk0p18 #this device file comes from step 1 and is for the recovery partition
14004+0 records in
to:
dd if=/sdcard/recovery-clockwork-5.8.4.5-d2att.img of=/dev/block/mmcblk0p18 #this device file comes from step 1 and is for the recovery partition
14004+0 records in
have some problems with CMW after root
CMW worked after the immediate reboot, but somehow lost and the 3e Recovery as back.
I initiated a post here:
http://forum.xda-developers.com/showthread.php?p=30708262#post30708262
Now if only someone can figure out and on device root method.
OP, I think I love you!
Thanks so much for this!
I want to execute this command...
tune2fs -m 1 /dev/block/mmcblk0p10
but my terminal return this:
---------------
[email protected]:/ $ su
[email protected]:/ # tune2fs -m 1 /dev/block/mmcblk0p10
unknown option -- mBusyBox v1.24.2-jrummy (2016-04-14 07:07:39 PDT) multi-call binary.
Usage: tune2fs [-c MAX_MOUNT_COUNT] [-i DAYS] [-C MOUNT_COUNT] [-L LABEL] BLOCKDEV
Adjust filesystem options on ext[23] filesystems
1|[email protected]:/ #
---------------
How I can achieve my goal?
(android 4.1.2 at gt-i9100)
(the result is important for me, not the tools)
hi had to restore everything and going through stages have installed busybox and unblocked bootloader but cant get rbox boot menu to install i follow all the stages but on last stage i get cannot open for read: No such file or directory any ideas? here is full commands and response:
is is possible to ubgrade without boot menu or install twrp instead or must i go through the stages
adb push c:\users\paul\desktop\bootmenu.img /sdcard
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
cannot stat 'c:userspauldesktopbootmenu.img': No such file or directory
1|[email protected]:/ # adb shell
adb shell
[email protected]:/ # su
su
[email protected]:/ # su
su
[email protected]:/ # /system/xbin/busybox md5sum /sdcard/bootmenu.img
/system/xbin/busybox md5sum /sdcard/bootmenu.img
a8a3c28baafe43f354d92e6cc8b392d3 /sdcard/bootmenu.img
[email protected]:/ # rm -f /sdcard/bootmenu.img
rm -f /sdcard/bootmenu.img
[email protected]:/ # exit
exit
[email protected]:/ # exit
exit
[email protected]:/ # mount -o remount,rw /system
mount -o remount,rw /system
[email protected]:/ # mkdir /system/boot
mkdir /system/boot
[email protected]:/ # dd if=/dev/block/platform/msm_sdcc.1/by-name/boot of=/system/boot/boot.img
dcc.1/by-name/boot of=/system/boot/boot.img <
20480+0 records in
20480+0 records out
10485760 bytes transferred in 0.422 secs (24847772 bytes/sec)
[email protected]:/ # mount -o remount,ro /system
mount -o remount,ro /system
[email protected]:/ # dd if=/sdcard/bootmenu.img of=/dev/block/platform/msm_sdcc.1/by-name/boot
dev/block/platform/msm_sdcc.1/by-name/boot <
/sdcard/bootmenu.img: cannot open for read: No such file or directory
paulsavo said:
hi had to restore everything and going through stages have installed busybox and unblocked bootloader but cant get rbox boot menu to install i follow all the stages but on last stage i get cannot open for read: No such file or directory any ideas? here is full commands and response:
is is possible to ubgrade without boot menu or install twrp instead or must i go through the stages
adb push c:\users\paul\desktop\bootmenu.img /sdcard
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
cannot stat 'c:userspauldesktopbootmenu.img': No such file or directory
1|[email protected]:/ # adb shell
adb shell
[email protected]:/ # su
su
[email protected]:/ # su
su
[email protected]:/ # /system/xbin/busybox md5sum /sdcard/bootmenu.img
/system/xbin/busybox md5sum /sdcard/bootmenu.img
a8a3c28baafe43f354d92e6cc8b392d3 /sdcard/bootmenu.img
[email protected]:/ # rm -f /sdcard/bootmenu.img
rm -f /sdcard/bootmenu.img
[email protected]:/ # exit
exit
[email protected]:/ # exit
exit
[email protected]:/ # mount -o remount,rw /system
mount -o remount,rw /system
[email protected]:/ # mkdir /system/boot
mkdir /system/boot
[email protected]:/ # dd if=/dev/block/platform/msm_sdcc.1/by-name/boot of=/system/boot/boot.img
dcc.1/by-name/boot of=/system/boot/boot.img <
20480+0 records in
20480+0 records out
10485760 bytes transferred in 0.422 secs (24847772 bytes/sec)
[email protected]:/ # mount -o remount,ro /system
mount -o remount,ro /system
[email protected]:/ # dd if=/sdcard/bootmenu.img of=/dev/block/platform/msm_sdcc.1/by-name/boot
dev/block/platform/msm_sdcc.1/by-name/boot <
/sdcard/bootmenu.img: cannot open for read: No such file or directory
Click to expand...
Click to collapse
You deleted the file you're trying to dd. might want to double check the instructions.
Lol seen that cheers