
Rooting the HTC DESIRE Z, VISION, G2 with Super Tool under Linux

OP fkereki

30th December 2011, 09:35 PM   |  #1  
I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.

Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!

A summary:

To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.

Some experiments

I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.

I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278    device
OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit
The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"

[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...

[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit
Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
$ ./adb remount
remount succeeded
$ ./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[...many lines snipped out...]
# exit
So, /system is now r/w. Let's push "su".
Code:
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
$ ./adb shell "chown root.shell /system/bin/su"
$ ./adb shell "chmod 06755 /system/bin/su"
$ ./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
$ ./adb shell "ln -s /system/bin/su /system/xbin/su"
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root     shell        5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root     shell             2010-10-26 09:02 stop -> toolbox
-rw-rw-rw- root     root        22228 2011-11-10 12:53 su
-rwxr-xr-x root     shell        5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root     shell         192 2010-09-23 06:51 svc
lrwxrwxrwx root     shell             2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root     shell        5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root     shell       22228 2011-11-10 12:53 su
As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root     shell        5536 2011-08-02 01:11 crasher
-rwxr-xr-x root     shell       60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root     shell       22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root     shell        5536 2011-08-02 01:11 crasher
-rwxr-xr-x root     shell       60276 2008-08-01 09:00 dexdump
lrwxrwxrwx root     root              2011-12-30 16:48 su -> /system/bin/su
-rwxr-xr-x root     shell       22256 2011-08-02 01:11 wireless_modem
# exit
There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root     root      7221765 2011-08-02 01:08 Settings.apk
[...many lines snipped out...]
-rw-r--r-- root     root       296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root     root       785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root     root       551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root     root       255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
-rw-r--r-- root     root       785801 2011-11-10 12:54 Superuser.apk
# exit
So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot
A short while afterwards...
Code:
$ ./adb shell
$ su
su: permission denied
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root     shell        5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root     shell             2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root     shell        5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root     shell         192 2010-09-23 06:51 svc
lrwxrwxrwx root     shell             2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root     shell        5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root     shell        5536 2011-08-02 01:11 crasher
-rwxr-xr-x root     shell       60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root     shell       22256 2011-08-02 01:11 wireless_modem
So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".

Doing this with scripts

I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.

The first script, htc1.sh, is:
Code:
#!/bin/sh
./adb shell "rm /data/local/tmp/*"
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
./adb shell "./data/local/tmp/zergRush"
The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is:
Code:
#!/bin/sh
./adb remount
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"
If you run ./htc1.sh and then ./htc2.sh, results will be the same; the added commands will be gone, and you won't be able to "su" any more.

The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.
Attached Files
htc1.and.htc2.rar (552 Bytes, 108 views)
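
The before/after comparison from post #1 as a repeatable check (an added example, not part of the thread or of Super Tool): it parses listings in the toolbox `ls -l` format shown above, flags setuid/setgid binaries, and reports entries that did not survive the reboot. The sample listings are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; the listings are constructed in the toolbox "ls -l" format
# seen in the thread (no link count, no size column for symlinks).

# Constructed sample: /system/bin before the reboot (su pushed, chmod 06755).
BEFORE='-rwxr-xr-x root     shell        5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root     shell             2010-10-26 09:02 stop -> toolbox
-rwsr-sr-x root     shell       22228 2011-11-10 12:53 su
-rwxr-xr-x root     shell        5456 2011-08-02 01:09 surfaceflinger'

# Constructed sample: the same directory after the reboot.
AFTER='-rwxr-xr-x root     shell        5392 2011-08-02 01:09 schedtest
lrwxrwxrwx root     shell             2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root     shell        5456 2011-08-02 01:09 surfaceflinger'

# Emit "mode name" per entry. The name is the field after HH:MM, which works
# for both regular files and symlinks (assumes names without spaces).
parse_listing() {
    awk '/^[-ldcbps]/ {
        for (i = 2; i < NF; i++)
            if ($i ~ /^[0-9][0-9]:[0-9][0-9]$/) { print $1, $(i + 1); break }
    }'
}

listing_names() { parse_listing | awk '{ print $2 }' | sort; }

# Regular files carrying the setuid or setgid bit (s/S in the mode string).
setuid_names() { parse_listing | awk '$1 ~ /^-(..[sS]|.....[sS])/ { print $2 }'; }

# Names in listing $1 that no longer appear in listing $2.
missing_after_reboot() {
    after_names=$(printf '%s\n' "$2" | listing_names)
    printf '%s\n' "$1" | listing_names | grep -Fxv -e "$after_names" || true
}

echo "setuid/setgid before reboot: $(printf '%s\n' "$BEFORE" | setuid_names)"
echo "missing after reboot:        $(missing_after_reboot "$BEFORE" "$AFTER")"
```

On a real device the two listings would come from `adb shell ls -l /system/bin` captured before and after the reboot.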
30th December 2011, 11:55 PM   |  #2  
G2 Temp Root
Hi, I got a TMO G2 2.3.4.

I used the superhtctoolv2 on Win7, and the HTC drivers linked in the original thread.
I performed options 1 and 2, and was able to gain temp root, but just like everyone else it goes away with a reboot, or even after a prolonged period of inactivity; it works as long as I keep messing with Titanium Backup or other root apps.

Any way to combine this temp root with older options to gain a perm root?
31st December 2011, 02:29 AM   |  #3  
frigid
Cool man! Thanks!
31st December 2011, 11:56 PM   |  #4  
OP fkereki
HTC security measure?
Looking around, I found this page about a security method by HTC... to quote:

Quote:

The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTC's security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.

This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...
1st January 2012, 06:21 AM   |  #5  
OP fkereki
Cannot get S-OFF
I tried adapting the third script (get S-OFF) for Linux but it didn't work out.

I first tried everything by hand. I ran htc1.sh first (to get root) and then went on to:

Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
 - Section[16]: .modinfo
 -- offset: 0x00000a14 (2580)
 -- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... Failed.
Module failed to load: No such file or directory
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
Last edited by fkereki; 1st January 2012 at 06:22 AM. Reason: Better format
5th January 2012, 02:11 AM   |  #6  
Quote:
Originally Posted by fkereki

I tried adapting the third script (get S-OFF) for Linux but it didn't work out.

I first tried everything by hand. I ran htc1.sh first (to get root) and then went on to:

Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)
followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
 - Section[16]: .modinfo
 -- offset: 0x00000a14 (2580)
 -- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... Failed.
Module failed to load: No such file or directory
So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.

Well, that sucks!