I'd just like to see the Tab 2 get its own sub forum. I'd like to follow any development.
So far so good. I love this little thing. Coming from a Nexus S, I really thought TouchWiz was going to be annoying. Took me no time to adjust.
I found a universal root method that may be able to help us, but I am no developer. This appears to work on a number of phones and tablets.
Saurik's mempodroid exploit needs the offsets of the "exit" and "setresuid" function calls in order to work.
Here's a tool that may find these two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.
This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risk.
1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool
If the trick works, you will see the $ prompt change to a # one.
Hope it will help.
n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit
./mempodroid 0xd904 0xae5f sh
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb push su /system/bin
failed to copy 'su' to '/system/bin/su': Read-only file system
do this:
adb push <path to mempodroid> /data/local/tmp/
adb shell
$ chmod 755 /data/local/tmp/mempodroid
$ /data/local/tmp/mempodroid 0xd904 0xae5f sh
# id
What is the output of the id command after running those commands in adb shell?
If it says uid=0 then I'll be happy.
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb shell
shell@android:/ $ cd /data/local/tmp
cd /data/local/tmp
shell@android:/data/local/tmp $ ls
ls
boomsh
busybox
mempodroid
n95-offsets
output
psneuter
sh
zergRush
shell@android:/data/local/tmp $ chmod 777 mempodroid
chmod 777 mempodroid
shell@android:/data/local/tmp $ chmod 755 n95-offsets
shell@android:/data/local/tmp $ ./n95-offsets
n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit
./mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $ ./mempodroid 0xd904 0xae5f mount -o remount,rw '' /system
ae5f mount -o remount,rw '' /system <
1|shell@android:/data/local/tmp $ ./mempodroid 0xd904 0xae5f sh
./mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $
1|shell@android:/data/local/tmp $ /data/local/tmp/mempodroid 0xd904 0xae5f sh
/data/local/tmp/mempodroid 0xd904 0xae5f sh
1|shell@android:/data/local/tmp $
Either that or the offsets reported by n95-offsets are incorrect. I have no idea how reliable it is or how it works though. Wish I had my tablet with me to dig deeper.
/* Byte sequence the tool searches for to locate the "exit" call */
static const unsigned char exit_pattern[8] = { 0xB0, 0xFF, 0xFF, 0xFF, 0x04, 0x46, 0x00, 0x20 };
/* Byte sequence the tool searches for to locate the "setresuid" call */
static const unsigned char suid_pattern[8] = { 0xD0, 0x40, 0xE0, 0x3D, 0x68, 0x28, 0x46, 0x29 };