[DEV] Current Progress and Guides: CRACKED UBOOT!!! Roms and Kernels Comming Soon

Loglud · Nov 19, 2011

This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self. REMEMBER I DO THIS FOR FUN, please respect the thread as well as others opinions

OLD UPDATES AT THE END OF THIS POST.

First off if you haven’t read the wiki yet to know what is currently in the device you should look here.
Also you should look at the http://www.nooktabletdev.orgfor information on the Nook Tablet Development process. - Thanks to dj_segfault

Rooting Scripts

Windows: Root, OTA block, De-bloat, Gapps Thanks to Indirect
Mac/Linux: Rooting script Thanks to t-r-i-c-k
Mac/Linux: Root,OTA Block, Gapps

CURRENT PROGRESS

adb connection: COMPLETE
adb root: COMPLETE
busybox:COMPLETE
permanent root: COMPLETE BY INDIRECT
GApps and Market: COMPLETE BY INDIRECT & Anlog
recovery mode: COMPLETE BY nemith

THANKS TO NEMITH

bootloader: Locked and Signed Irrelevant

uboot: CRACKED BY BAUWKS

THANKS TO BAUWKS

Loglud said:
bauwks method uses the flashing_boot.img to his advantage, and since it is not checked by security, effectively he has made an insecure uboot. While this is not an unlocked bootloader, it is a way to get around the security, and enable custom recovery and higher level processes to be run.

I have been looking at this line of code for a long time, and as im sure hkvc and bauwks saw it is a large (but 100% necessary) flaw:

distro/u-boot/board/omap4430sdp/mmc.c: 559 : setenv ("bootcmd", "setenv setbootargs setenv bootargs ${sdbootargs}; run setbootargs; mmcinit 0; fatload mmc 0:1 0x81000000 flashing_boot.img; booti 0x81000000");

Without this line of code, it would be impossible for any one but the factory whom could JTAG flash (but since it is secured, most likely they also have to make a flashing_boot.img).

12/9/11:

UBUNTU is here, thanks to ADAMOUTLER

http://www.youtube.com/watch?v=PwUg17pVWBs&hd=1
Keep in mind this is only an overlay verson but it is prof that one day we might be able to push roms and kernels over existing ones, then hijack then (next work) and then use them.

Please PM me or post if you know anything else, and or want to add anything.

Loglud · Nov 19, 2011

Usefull threads

Usefull threads:

ROOTING:
Full root for Nook Tablet. [11/20/11] [Yes this is a permanent root!] Thanks to indirect
Noot Tablet - Easy root & Market on MAC (1 download, 1 script to run) Thanks to t-r-i-c-k
[Windows/Linux] Unroot and uninstall gApps for the nook tablet [Scripts] Thanks to indirect

MODS to Default Rom:
[Full Mod + Root + OTA block] Snowball-mod: Full Modification Root [1/6/2012] Thanks to cfoesch
[DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! Thanks to [DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! 1 Attachment(s) (Multi-page thread 1 2 3 ... Last Page)
Originally Posted By: diamond_lover

Kernels:

Coming Soon

ROMS:

Coming Soon

APPS:
[Tutorial][WIP] Installing alternative Keyboards on the NT. Thanks to robertely
[DEV] - HomeCatcher Redirect n Button to any Launcher Thanks to gojimi
Hidden Settings App Updated 12/30/11 Thanks to brianf21
Replacement SystemUI.apk v2: Permanent back and menu buttons, n as Home button Thanks to revcompgeek

DEVELOPMENT:
[Dev]Files of interest in the system Thanks to indirect
[REF] Nook Tablet Source Code Thanks to diamond_lover
BHT Installer (Basic Hacking Tools) Thanks to AdamOutler
[Stock Firmware]Restore Barnes & Nobel Nook 1.4.0 from SDCard Thanks to AdamOutler

Loglud · Nov 19, 2011

Guides

Table of Contents

Enableing adb Connection (eab1)
Rooting using zergRush (rug2)
Installing busyboxy (ibb3)
Permanent root (pr4) THANKS TO INDIRECT
Installing GApps (aga5) THANKS TO ANLOG
Full system restore/wipe (fsr6) THANKS TO INDIRECT

Enableing adb Connection (eab1)

Install the andriod SDK that is required for your Operating system.

NOTE: This will requries the SDK, and JDK both of which can be downloaded by clicking the links, downloading and installing it.
Run the andriod SDK Manager and Install "Andriod SDK Platform-tools"

[*]Modify your adb_usb.ini file to read such as the following:
Code:
```
# ANDROID 3RD PARTY USB VENDOR ID LIST -- DO NOT EDIT.
# USE 'android update adb' TO GENERATE.
# 1 USB VENDOR ID PER LINE.
0x2080
```
This will be in your /home/{username}/.andriod/ folder for mac and linux
This will be in your C:/Users/{username}/.andriod folder for Windows.

ADB is now enabled for your device, however it is not ON your device. YOU MUST DO THIS EVERY TIME YOU WISH TO ADB INTO YOUR DEVICE.

[*]To do this you will need to download any app, and attempt to install it.
You can use this app if you need.

[*]Click on the Package Installer, and then a prompt will pop up asking if you want change the settings to allow 3rd party apps.

*DO NOT ENABLE IF YOU WISH TO ACCESS ADB*
I am working on a way to have it enabled by default.

[*]In the settings page you should see *2* USB Debuggin modes.

[*]Press them both and accept the prompt.

[*]PLUG IN YOUR DEVICE.
Note* You should see the Android Development icon on the bottom of the screen.

ADB will now be able to see your device. How ever you will need to restart the server before it sees it.

Rooting using zergRush (rug2)
This is for the poeople whom have access to adb. You will also need this file. Unzip the file.

Type in the following command (while in the folder with the zergRush Binary):
Code:
```
adb push ./zergRush /data/local
```
[*]Once thats installed run this:
Code:
```
adb shell chmod 777 /data/local/tmp
```
[*]And lastly:
Code:
```
adb shell /data/local/zergRush
```
[*]You are now rooted (only for this reboot)

Installing busyboxy (ibb3)
You will need root and the following busybox file.

Type in the following command while in the location where busy box was downloaded to:
Code:
```
adb push ./busybox /data/local
```
[*]Busybox works by calling binaries from a file outside of /system/bin/. We must make this file by issuing the following command:
Code:
```
adb shell mkdir /data/busybox
```
[*]Lets make sure we can install busybox without permission probles:
Code:
```
adb shell chmod  777 /data/local/busybox
```
[*]Next install busybox in the folder:
Code:
```
adb shell /data/local/busybox --install
```
[*]We now need to take the /system/folder, and mount it as a writeable folder:
Code:
```
adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
```
[*]Link it into bin:
Code:
```
adb shell ln -s /data/local/busybox /system/bin/busybox
```
You now have busybox installed

Permanent root (pr4)
THANKS TO INDIRECT for Files and Scripts

We will need SU and Superuser.apk

First we need to install the Superuser.apk:
Code:
```
adb wait-for-device install Superuser.apk
adb remount
```
[*]Next lets go ahead and push the su application up to the /data/local/ folder
Code:
```
adb push su /data/local/
```
[*]Next we will need to change the permissions and cp su from the /data/local/ folder to the /system/bin/
Code:
```
adb shell chmod 4755 /data/local/su;mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system;busybox cp /data/local/su /system/bin
```

Installing GApps (eab1)
THANKS TO ANALOG and INDIRECT for Scripts

First things first we need to download the GAPPS. The most reacent one is this one or get the most recent one here.
[*] Unzip and navigate to the most root folder of that package in your shell.

[*]We need to verify that adb is booting into root. To do this we can issue the command:

Code:

adb shell id

If id doesn't return root then you will need to re-zergRush your device
[*]Now it is time for us to export the apps to the directories.

Code:

adb shell mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system
adb push system/app/CarHomeGoogle.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/app/FOTAKill.apk /system/app/
adb shell chmod 644 /system/app/FOTAKill.apk
adb push system/app/GenieWidget.apk /system/app/
adb shell chmod 644 /system/app/GenieWidget.apk
adb push system/app/GoogleBackupTransport.apk /system/app/
adb shell chmod 644 /system/app/GoogleBackupTransport.apk
adb push system/app/GoogleCalendarSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleCalendarSyncAdapter.apk
adb push system/app/GoogleContactsSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleContactsSyncAdapter.apk
adb push system/app/GoogleFeedback.apk /system/app/
adb shell chmod 644 /system/app/GoogleFeedback.apk
adb push system/app/GooglePartnerSetup.apk /system/app/
adb shell chmod 644 /system/app/GooglePartnerSetup.apk
adb push system/app/GoogleQuickSearchBox.apk /system/app/
adb shell chmod 644 /system/app/GoogleQuickSearchBox.apk
adb push system/app/GoogleServicesFramework.apk /system/app/
adb shell chmod 644 /system/app/GoogleServicesFramework.apk
adb push system/app/LatinImeTutorial.apk /system/app/
adb shell chmod 644 /system/app/LatinImeTutorial.apk
adb push system/app/MarketUpdater.apk /system/app/
adb shell chmod 644 /system/app/MarketUpdater.apk
adb push system/app/MediaUploader.apk /system/app/
adb shell chmod 644 /system/app/MediaUploader.apk
adb push system/app/NetworkLocation.apk /system/app/
adb shell chmod 644 /system/app/NetworkLocation.apk
adb push system/app/OneTimeInitializer.apk /system/app/
adb shell chmod 644 /system/app/OneTimeInitializer.apk
adb push system/app/Talk.apk /system/app/
adb shell chmod 644 /system/app/Talk.apk
adb push system/app/Vending.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/etc/permissions/com.google.android.maps.xml /system/etc/permissions/
adb push system/etc/permissions/features.xml /system/etc/permissions/
adb push system/framework/com.google.android.maps.jar /system/framework/
adb push system/lib/libvoicesearch.so /system/lib/

Now you have GApps installed from Anlog's. All Credits go to him and Indirect

Full system restore/wipe (fsr6)
THANKS TO INDIRECT

WARNING THIS WILL WIPE YOUR ENTIRE FILESYSTEM!!!

Go into adb shell or terminal emulator.
Issue command:
Code:
```
echo -n '0000' > /bootloader/BootCnt
```
Next reboot your device by conventional methods or issue:
Code:
```
reboot
```
Your nook will now restart and tell you it is resetting.
You now have a clean slate!

Drewmungus · Nov 19, 2011

Got some links for howto's on the adb connection/root.

cgdash · Nov 19, 2011

Yeah - if someone has details on how to adb connect and root, it'd be helpful to include links. I've yet to see specifics for either.

MechaGen · Nov 19, 2011

Reserved

Sent from Tapatalk, NOOK Color CM7 Nightly's!

Loglud · Nov 19, 2011

I aplogize im still typing them up

Indirect · Nov 20, 2011

Damn loglud, I ended up beating you to the root lol. Sorry about that! D:

scsione889 · Nov 20, 2011

The Droid 2 and Droid X had locked bootloaders with the 'e-fuse' and Koush got around them and installed CWM with this...

http://www.koushikdutta.com/2010/08/droid-x-recovery.html

What do you guys think? I don't have a NT yet to try anything (probably won't get one until sometime around x-mas).

Loglud · Nov 20, 2011

l

Indirect said:
Damn loglud, I ended up beating you to the root lol. Sorry about that! D:

Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?

downsay · Nov 20, 2011

Loglud said:
l

Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?

Superoneclick...love!

Sent from my Nook Tablet using Tapatalk

Indirect · Nov 20, 2011

Loglud said:
l

Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?

Not at all so long as you give proper credits.

luigi90210 · Nov 21, 2011

Loglud said:
This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self.

First off if you haven’t read the wiki yet to know what is currently in the device you should look here.

CURRENT PROGRESS

adb connection: COMPLETE
adb root: COMPLETE
busybox: COMPLETE
permanent root: IN PROGRESS

bootloader: Locked and Signed

By the bootloader being locked and signed it is very difficult to design anything that will boot besides nook roms. In order to solve this some of the Devs have suggested the following:

kexec: RESEARCHING
2nd init: RESEARCHING

CWM: NOT STARTED

Please PM me or post if you know anything else, and or want to add anything.

hopefully it is cracked soon cause i dont want to buy this if i can't have a full custom rom, all of the verizon motorola phones run roms off of 2nd init and it just isnt the same to be honest. you can never run a full custom rom with second init(well you can but you have to build the rom to fit the kernel) and honestly i want my device to be mine

you should tweet cvpcs or someone who makes and maintains 2nd init roms to get more info on it though

kgingeri · Nov 21, 2011

Can't get busybox installed

I'm stuck... I get errors for #3 for busybox... errors like...

Code:

$ adb shell /data/local/busybox --install
busybox: /data/busybox/[: No such file or directory
busybox: /data/busybox/[[: No such file or directory
busybox: /data/busybox/addgroup: No such file or directory
.....
busybox: /data/busybox/yes: No such file or directory
busybox: /data/busybox/zcat: No such file or directory
busybox: /data/busybox/zcip: No such file or directory

So I logged into root via adb shell, set busybox permissions to execute and tried that but same messages?!

Also, adb won't let me 'remount' - (I thought i'd try to copy it direct to /system/bin)?

(I'm running from OSX, if that matters)

EDIT: and of course I'm getting...

Code:

$ adb shell ln -s /data/local/busybox /system/bin/busybox
link failed Read-only file system

$ adb remount
remount failed: Operation not permitted

Loglud · Nov 21, 2011

kgingeri said:
I'm stuck... I get errors for #3 for busybox... errors like...

Code:

$ adb shell /data/local/busybox --install busybox: /data/busybox/[: No such file or directory busybox: /data/busybox/[[: No such file or directory busybox: /data/busybox/addgroup: No such file or directory ..... busybox: /data/busybox/yes: No such file or directory busybox: /data/busybox/zcat: No such file or directory busybox: /data/busybox/zcip: No such file or directory

So I logged into root via adb shell, set busybox permissions to execute and tried that but same messages?!

Also, adb won't let me 'remount' - (I thought i'd try to copy it direct to /system/bin)?

(I'm running from OSX, if that matters)

EDIT: and of course I'm getting...

Code:

$ adb shell ln -s /data/local/busybox /system/bin/busybox link failed Read-only file system $ adb remount remount failed: Operation not permitted

Sorry it took me so long to get back to you. I have updatd my guide to help you out. First of you will need to make the busybox directory, then change the permissions of the binary file, then run the install. You will then have to mount -rw

kgingeri · Nov 22, 2011

Still some glitches installing busybox...

Loglud said:
Sorry it took me so long to get back to you. I have updatd my guide to help you out. First of you will need to make the busybox directory, then change the permissions of the binary file, then run the install. You will then have to mount -rw

Thanks Loglud, but I still had trouble using adb. It's like I don't have root from adb? I get permission errors on mkdir and remounting etc?
Weird that the 'adb shell mkdir /data/busybox' gave me permission errors?! It did work fine with the interactive adb shell - weird!?

After the initial 'push' command, I could install via:

Code:

mac-osx$ adb shell
$ su root
# cd /data/local
# chmod 755 busybox
# ls -l 
-rwxr-xr-x shell    shell     1745016 2011-11-21 00:21 busybox
# mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
# mkdir ../busybox
# ./busybox --install

Also, is the line:

Code:

# ln -s /data/local/busybox /system/bin/busybox

not supposed to be

Code:

# ln -s /data/busybox /system/bin/busybox

Things went weird on me in the final step, but I did manage to get all the hard linked busybox files to show up in /system/bin eventually, so I'm a happy camper.

EDIT: PS my mount on data is as follows..

Code:

# mount|grep /data
/dev/block/platform/mmci-omap-hs.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,data=ordered 0 0

EDIT2:
Hmmm... seems like maybe my /data folder has weird permissions - if so not sure why?...

Code:

# cd /
# ls -l | grep '\<data\>'
drwxrwx--x system   system            2011-11-21 18:25 data
# chmod 777 data

Loglud · Nov 22, 2011

kgingeri said:
Thanks Loglud, but I still had trouble using adb. It's like I don't have root from adb? I get permission errors on mkdir and remounting etc?
Weird that the 'adb shell mkdir /data/busybox' gave me permission errors?! It did work fine with the interactive adb shell - weird!?

After the initial 'push' command, I could install via:

Code:

mac-osx$ adb shell $ su root # cd /data/local # chmod 755 busybox # ls -l -rwxr-xr-x shell shell 1745016 2011-11-21 00:21 busybox # mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system # mkdir ../busybox # ./busybox --install

Also, is the line:

Code:

# ln -s /data/local/busybox /system/bin/busybox

not supposed to be

Code:

# ln -s /data/busybox /system/bin/busybox

Things went weird on me in the final step, but I did manage to get all the hard linked busybox files to show up in /system/bin eventually, so I'm a happy camper.

EDIT: PS my mount on data is as follows..

Code:

# mount|grep /data /dev/block/platform/mmci-omap-hs.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,data=ordered 0 0

EDIT2:
Hmmm... seems like maybe my /data folder has weird permissions - if so not sure why?...

Code:

# cd / # ls -l | grep '\<data\>' drwxrwx--x system system 2011-11-21 18:25 data # chmod 777 data

ok so whats happening? i modified the guides and i was hopping that would help you. The command is

Code:

# ln -s /data/local/busybox /system/bin/busybox

and as for your permissions it seems as though your root since your in the # shell but, you have to change the permissions on your /system folder not the /data folder the permsisions on the data file should be fine since i think shell is a member of system, so you can put all your data in there.

kgingeri · Nov 22, 2011

Loglud said:
ok so whats happening? i modified the guides and i was hopping that would help you. The command is

Code:

# ln -s /data/local/busybox /system/bin/busybox

and as for your permissions it seems as though your root since your in the # shell but, you have to change the permissions on your /system folder not the /data folder the permsisions on the data file should be fine since i think shell is a member of system, so you can put all your data in there.

Yeah, I'm root in the 'adb shell' because I 'su root' but adb commands fail from the Mac shell. I'll reboot my NT and give you the script. My /data permissions get reset when I reboot...

Here you are as it happens

MBAir$ ls busybox
busybox

MBAir$ adb push ./busybox /data/local
2881 KB/s (1745016 bytes in 0.591s)

MBAir$ adb shell mkdir /data/busybox
mkdir failed for /data/busybox, Permission denied

Of course there is no point continuing until I do the following...

MBAir$ adb shell
$ su root
# chmod 777 /data
# exit
$ exit

MBAir$ adb shell mkdir /data/busybox

MBAir$ adb shell chmod 777 /data/local/busybox

MBAir$ adb shell /data/local/busybox --install

MBAir$ adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
mount: Operation not permitted

To get around the last error, I had to do another 'adb shell', 'su root' and do 'ln' commands manually.
(I actually ran a shell 'for loop' on the tablet, using all files found in /data/busybox as a list and issued ln commands for each against a copy of busybox in /system/bin)

Loglud · Nov 22, 2011

kgingeri said:
Yeah, I'm root in the 'adb shell' because I 'su root' but adb commands fail from the Mac shell. I'll reboot my NT and give you the script. My /data permissions get reset when I reboot...

Here you are as it happens

MBAir$ ls busybox
busybox

MBAir$ adb push ./busybox /data/local
2881 KB/s (1745016 bytes in 0.591s)

MBAir$ adb shell mkdir /data/busybox
mkdir failed for /data/busybox, Permission denied

Of course there is no point continuing until I do the following...

MBAir$ adb shell
$ su root
# chmod 777 /data
# exit
$ exit

MBAir$ adb shell mkdir /data/busybox

MBAir$ adb shell chmod 777 /data/local/busybox

MBAir$ adb shell /data/local/busybox --install

MBAir$ adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system
mount: Operation not permitted

To get around the last error, I had to do another 'adb shell', 'su root' and do 'ln' commands manually.
(I actually ran a shell 'for loop' on the tablet, using all files found in /data/busybox as a list and issued ln commands for each against a copy of busybox in /system/bin)

re run zergRush exploit. your adb shell is defaulting to the shell username. by rerunning the zergy you will allow for yourself to use the adb shell as root. make sure you dont run it as the root user though. you are also more then welcome to hop in irc and ask questions.

Loglud · Nov 24, 2011

Any one having difficulty rooting or see anything that needs to be updated?

[DEV] Current Progress and Guides: CRACKED UBOOT!!! Roms and Kernels Comming Soon

Senior Member

Senior Member

Senior Member

Senior Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Senior Member

Member

Senior Member

Member

Senior Member

Senior Member

Similar threads

Top Liked Posts