[DEV] ICS rooting for kernel 10 users


blambo

This should be very interesting. Thanks for continuing to stay with it.

Sent from my Sony Tablet S using xda premium
 

OCedHrt

I finally did it...

http://xdaforums.com/showthread.php?p=25157446#post25157446

Now let's wait for ICS and hope that Sony's one will be built on a "good" kernel.

But it seems we are unable to chmod without root. So this would require one of our rooted ICS friends to give us the offsets?

chmod not needed in recovery, but it doesn't get root:

/sdcard/n95-offsets

n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit

./mempodroid 0xd9ec 0xaf47 sh

1|@android:/system/bin $ /sdcard/mempodroid 0xd9ec 0xaf47 sh
/sdcard/mempodroid 0xd9ec 0xaf47 sh
1|@android:/system/bin $
 

Nesquick95

Too bad...

Well... That's the copy of a successful session, taken from my Galaxy Nexus (see image attached).
Too bad if the exploit doesn't root our ICS release.
Can you please post your run-as (/system/bin/run-as) binary? I'll try to get the offsets another way.
 

Attachments: n95-offsets.jpg

condi

Well... That's the copy of a successful session, taken from my Galaxy Nexus (see image attached).
Too bad if the exploit doesn't root our ICS release.
Can you please post your run-as (/system/bin/run-as) binary? I'll try to get the offsets another way.

I've managed to run your bin, got offsets, but still no root...:

Code:
n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit

./mempodroid 0xd9ec 0xaf47 sh


and then:

Code:
shell@android:/ $ /data/local/tmp/mempodroid 0xd9ec 0xaf47 sh
/data/local/tmp/mempodroid 0xd9ec 0xaf47 sh
1|shell@android:/ $
 

Nesquick95

Really too bad

Sony's ICS is built on kernel 2.6.39, normally rootable by this exploit... Maybe they have patched it...
Need a copy of /system/bin/run-as binary to try finding offsets another way, as a last chance. My tablet hasn't got the update (unrootable kernel 10 - French region)
:(
 

Nesquick95

The worst thing that could happen

I don't know if running in recovery can make mempodroid fail... It probably doesn't. But as you can see, Condi has run n95-offsets in "regular" /data/local/tmp without success.

I have verified the offsets in the run-as binary posted with IDA disassembler, the offsets returned by n95-offsets are the good ones.

I think Sony's 2.6.39 kernel is patched, the exploit won't work...

:( :( :( :( :( :( :( :( :( :( :( :( :( :( :( :( :(

(Maybe) we will find another one (some day)...
 

Nesquick95

A last ray of hope ?

There is something weird in the run-as posted by OCedHrt... Its ELF header shows an entry point at 0x8000 when the other run-as binaries that I've seen have their entry point at 0x80C0...
It sounds a little simple, but could someone test:

./mempodroid 0xd92c 0xae87 sh

Thx !
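
Reading the ELF entry point compared in the post above, as an added example that is not part of the thread and not code from any poster. The sample headers are constructed here (ELF32, little-endian, ARM, one PT_LOAD at 0x8000) and are not the real run-as binaries; `inspect_elf32`, `make_sample` and `compare_entries` are hypothetical names.

```python
import struct

EHDR = "HHIIIIIHHHHHH"   # ELF32 header fields that follow the 16-byte e_ident
PHDR = "IIIIIIII"        # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
PT_LOAD = 1

class ElfError(ValueError):
    """Raised when the input is not a well-formed ELF32 image."""

def inspect_elf32(data):
    """Return e_entry and the PT_LOAD segment that contains it."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ElfError("not an ELF file")
    if data[4] != 1:                               # EI_CLASS: 1 = ELFCLASS32
        raise ElfError("only ELF32 is handled")
    endian = {1: "<", 2: ">"}.get(data[5])         # EI_DATA
    if endian is None:
        raise ElfError("bad EI_DATA")
    if len(data) < 52:                             # sizeof(Elf32_Ehdr)
        raise ElfError("truncated header")
    (_, machine, _, entry, phoff, _, _, _, phentsize, phnum, _, _, _) = \
        struct.unpack_from(endian + EHDR, data, 16)
    load = None
    for i in range(phnum):
        off = phoff + i * phentsize
        if phentsize < 32 or off + 32 > len(data):
            raise ElfError("program header table out of bounds")
        p_type, _, vaddr, _, _, memsz, _, _ = struct.unpack_from(endian + PHDR, data, off)
        if p_type == PT_LOAD and vaddr <= entry < vaddr + memsz:
            load = vaddr
            break
    return {"machine": machine, "entry": entry, "load_vaddr": load,
            "entry_offset": None if load is None else entry - load}

def make_sample(entry, load_vaddr=0x8000):
    """Constructed ELF32/ARM image: header plus one PT_LOAD, no code."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<" + EHDR, 2, 40, 1, entry, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<" + PHDR, PT_LOAD, 0, load_vaddr, load_vaddr,
                       0x1000, 0x1000, 5, 0x1000)
    return ident + ehdr + phdr

def compare_entries(a, b):
    """Return (entry_a, entry_b, entry_b - entry_a) for two ELF32 images."""
    ia, ib = inspect_elf32(a), inspect_elf32(b)
    return ia["entry"], ib["entry"], ib["entry"] - ia["entry"]
```

On a real file, pass the bytes of the binary to `inspect_elf32`; `readelf -h` reports the same `e_entry` field.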
 

Maeur1

There is something weird in the run-as posted by OCedHrt... Its ELF header shows an entry point at 0x8000 when the other run-as binaries that I've seen have their entry point at 0x80C0...
It sounds a little simple, but could someone test:

./mempodroid 0xd92c 0xae87 sh

Thx !

Tried it, sadly did not work. I also got the latest version of mempodroid off the git, but still didn't work.

EDIT: FOUND a little thing, our offsets (from n95-offsets) are exactly the same as the transformer prime, maybe we can use the exploit they used to root ours?
 

OCedHrt

I don't know if running in recovery can make mempodroid fail... It probably doesn't. But as you can see, Condi has run n95-offsets in "regular" /data/local/tmp without success.

I have verified the offsets in the run-as binary posted with IDA disassembler, the offsets returned by n95-offsets are the good ones.

I think Sony's 2.6.39 kernel is patched, the exploit won't work...

:( :( :( :( :( :( :( :( :( :( :( :( :( :( :( :( :(

(Maybe) we will find another one (some day)...

I wonder how he got chmod to work. Well I assume he already had root. Chmod returns operation not permitted for me so I had to try it in recovery.

Sent from my Nexus S using XDA
 

Nesquick95

Tried it, sadly did not work. I also got the latest version of mempodroid off the git, but still didn't work.

EDIT: FOUND a little thing, our offsets (from n95-offsets) are exactly the same as the transformer prime, maybe we can use the exploit they used to root ours?

Transformer Prime is probably running the same kernel as our tablet but I guess it has been released earlier than Sony's ICS, when mempodroid was still young and proud (I mean not patched)!

It's hard to figure out, but we must keep on searching, try things like you suggest... I haven't decided yet if I will sell my Sony S or if I will lose some more time on it.
 

Top Liked Posts

    3
    Binary attached.

    Since we're unable to chmod under normal boot (operation not permitted), the only way is to run under recovery. Is it possible that mempodroid doesn't work under recovery?
    2
    looks very promising, great work Nesquick :)
    maybe in a week (or little more..) we could test it in practice!
    keep up the good work :)

    br
    condi