I have managed it to root the i9001. So far it is very complicated, and the detailed guide as well as the analysis of SMD archives is only in German available:
http://www.android-hilfe.de/samsung-...ml#post1911955
As always: You are responsible for your Phone! If someone bricks his device using this guide, I am not responsible for that! Bad Luck, I have warned you! Its a dangerous job! You really shouldn't do it.
In short:
- extract the PDA SMD File
- mount system.ext4
- copy su binary and Superuser.apk into the mounted image
- adjust the file permissions (especially the suid bit for su)
- umount system.ext4
- repack the PDA SMD.
I have created two Linux bash scripts for extracting and packing SMD Archives. Warning: I'm not very experienced in bash scripting. If someone is here who is capable of making a nice script of it,
feel free! The scripts are working, that's all so far. They won't win a price in a beauty contest.
First the extract.sh:
Code:
#!/bin/bash
base=0
length=1
while (( length > 0 ))
do
# calculate Length
let "skip = base + 18"
length=`hexdump -e '"%d"' -s ${skip} -n 2 ${1}`
let "length = length * 65536"
let "skip = base + 16"
length2=`hexdump -e '"%d"' -s ${skip} -n 2 ${1}`
let "length += length2"
let "length = length / 512" # Number of 512-Byte blocks
# calculate offset
let "skip = base + 22"
offset=`hexdump -e '"%d"' -s ${skip} -n 2 ${1}`
let "offset = offset * 65536"
let "skip = base + 20"
offset2=`hexdump -e '"%d"' -s ${skip} -n 2 ${1}`
let "offset += offset2"
let "offset = offset / 512" # Number of 512-Byte blocks
# save header in case of first loop
if (( base == 0 ))
then
dd if=${1} bs=512 of=header count=${offset}
fi
# extract filename
let "skip = base + 32"
filename=`dd if=${1} skip=${skip} count=16 bs=1 2>/dev/null`
# and finally: extract image
if (( length > 0 ))
then
echo "Length: ${length}"
echo "Offset: ${offset}"
echo "Filename: ${filename}"
dd if=${1} bs=512 of=${filename} skip=${offset} count=${length} 2>/dev/null
fi
# next header
let "base += 64"
done
Syntax:
./extract.sh Archive.smd
The script will extract the archive and create a lot of local files (system.ext, boot.img and so on). Well, the content of the Archive obviously.
Root the system.ext4:
I have used the newest su and Superuser.apk from here (3.0-beta4 at the moment. Newer ones should be ok):
http://goo-inside.me/superuser
The steps for rooting a system.ext4:
Code:
mkdir system
sudo mount -o loop system.ext4 system
sudo cp su system/xbin/
sudo chown 0.0 system/xbin/su
sudo chmod 4755 system/xbin/su
sudo cp Superuser.apk system/app/
sudo chown 0.0 system/app/Superuser.apk
sudo chmod 644 system/app/Superuser.apk
sudo umount system
And the pack.sh. Note: The pack.sh so far expects an existing "header" file created from an extract action and all files to be added into the archive. The resulting archive will have the same contents, as the starting archive (of course with a modified system.ext4). MD5 Checksums in the archive are calculated automatically.
Code:
#!/bin/bash
base=16
length=0
filename=dummy
# save the beginning
dd if=header of=newheader bs=1 count=16 2>/dev/null
# First create the MD5 checksums of all included (and maybe modified) files and generate the new header
while [ ! -z "${filename}" ]
do
# Length, offset, etc. is unchanged, just copy it.
let "skip = base"
dd if=header of=newheadertmp bs=1 skip=${skip} count=32 2>/dev/null
cat newheadertmp >> newheader
rm newheadertmp
# extract filename
let "skip = base + 16"
filename=`dd if=header skip=${skip} count=16 bs=1 2>/dev/null`
if [ ! -z "${filename}" ]
then
echo "creating MD5Sum of: ${filename}"
checksum=`md5sum ${filename} | tr '[a-z]' '[A-Z]'`
echo -n ${checksum:0:32} >> newheader
fi
# next header
let "base += 64"
done
# save the rest of the old header.
filesize=$(stat -c%s header)
let "base -= 32"
let "size = filesize - base"
dd if=header of=newheadertmp bs=1 skip=${base} count=${size} 2>/dev/null
cat newheadertmp >> newheader
rm newheadertmp
# the new header is the first content of the new archive.
cat newheader > ${1}
# now add all files to the archive.
filename=dummy
base=16
while [ ! -z "${filename}" ]
do
# extract filename
let "skip = base + 16"
filename=`dd if=header skip=${skip} count=16 bs=1 2>/dev/null`
if [ ! -z "${filename}" ]
then
echo "Adding: ${filename}"
cat ${filename} >> ${1}
fi
# next header
let "base += 64"
done
rm newheader
Syntax:
./pack.sh Archive.smd
Flash the resulting .smd files using Odin Multi Downloader an be happy about a rooted SGS Plus.
Note: The procedure has been tested with European KF6 and KP4 firmware. the scripts are capable of extracting and packing other SMD Archives as well, like Modem or CSC SMDs. But you don't need it for rooting (but maybe for debranding or customizing ROMs).
I'm thinking about an simpler root method like a modified kernel with a "magic" initramfs (like CF Root is working). This would make rooting of course much easier. But I have to investigate a lot of things handling boot.imgs.
Introducing XDA:DevCon – A Conference For Developers By Developers
