XDA Developers Android and Mobile Development Forum

Rooting the HTC DESIRE Z, VISION, G2 with Super Tool under Linux

fkereki
#1
Junior Member - OP
Rooting the HTC DESIRE Z, VISION, G2 with Super Tool under Linux

I'm posting this in order to show how to use Super Tool under Linux (for Windows & Mac users, changes should be minimal) and also to show some weird results when rooting HTC Desire Z (aka Vision or G2) phones, which may lead to enhancements in the tool.

Also, the Super Tool thread is already over 90 pages long, and has to do with several phones; I thought that a separate thread about these HTC phones would be useful; I hope this won't be against the forum rules, but please accept my apologies in advance if I'm wrong about this!

A summary:

To sum everything up in advance, results are sort of weird... you can get root using the ZergRush exploit, then install "su", "SuperUser", and "BusyBox", but after a while they just disappear. This makes me suspect that there is some kind of "behind the lines" software running, which sets things back to normal, but I don't know the solution yet.

Some experiments

I set up an Android development environment. I'm working in its platform-tools directory, where the "adb" command resides. I extracted the Super Tool files in the root of the Android directory, two levels up, so they are found at the ../../htcsupertoolv2 directory.

I set my phone for USB Debugging, and then, working from the Linux shell:
Code:
$ ./adb kill-server
$ ./adb start-server
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ ./adb devices
List of devices attached
HT0B9RT01278    device

OK, my device is attached and ready. Let's see if we already had root:
Code:
$ ./adb shell
$ su
su: permission denied
$ exit

The device is in its basic state, and we haven't got root. Let's install the ZergRush code.
Code:
$ ./adb shell "rm /data/local/tmp/*"
$ ./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
451 KB/s (23056 bytes in 0.049s)
$ ./adb shell "chmod 777 /data/local/tmp/zergRush"
$ ./adb shell "./data/local/tmp/zergRush"

[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219d4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd194d3 0xafd395bf
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...

[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
$ ./adb shell
# exit

Nice, it managed to get root, at least for the time being! Now, let's set the system R/W.
Code:
$ ./adb remount
remount succeeded
$ ./adb shell
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/block/mmcblk0p25 /system ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p26 /data ext3 rw,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p27 /cache ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
/dev/block/mmcblk0p28 /devlog ext3 rw,nosuid,nodev,relatime,errors=continue,barrier=0,data=ordered 0 0
[...many lines snipped out...]
# exit

So, /system is now r/w. Let's push "su".
Code:
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
411 KB/s (22228 bytes in 0.052s)
$ ./adb shell "chown root.shell /system/bin/su"
$ ./adb shell "chmod 06755 /system/bin/su"
$ ./adb shell "rm /system/xbin/su"
rm failed for /system/xbin/su, No such file or directory
$ ./adb shell "ln -s /system/bin/su /system/xbin/su"
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2861 KB/s (785801 bytes in 0.268s)
$ ./adb push ../../htcsupertoolv2/root/su /system/bin/su
516 KB/s (22228 bytes in 0.041s)
$ ./adb shell
# cd /system/bin
# ls -l s*
-rwxr-xr-x root     shell        5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root     shell             2010-10-26 09:02 stop -> toolbox
-rw-rw-rw- root     root        22228 2011-11-10 12:53 su
-rwxr-xr-x root     shell        5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root     shell         192 2010-09-23 06:51 svc
lrwxrwxrwx root     shell             2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root     shell        5480 2011-08-02 01:09 system_server
# chmod 755 su
# chown root.shell su
# ls -l su
-rwxr-xr-x root     shell       22228 2011-11-10 12:53 su

As we see, "su" is installed, with the same owner/group/permissions as the other commands. Let's add a symlink in /system/xbin to "su".
Code:
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root     shell        5536 2011-08-02 01:11 crasher
-rwxr-xr-x root     shell       60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root     shell       22256 2011-08-02 01:11 wireless_modem
# ln -s /system/bin/su /system/xbin/su
# cd /system/xbin/
# ls -l *
-rwxr-xr-x root     shell        5536 2011-08-02 01:11 crasher
-rwxr-xr-x root     shell       60276 2008-08-01 09:00 dexdump
lrwxrwxrwx root     root              2011-12-30 16:48 su -> /system/bin/su
-rwxr-xr-x root     shell       22256 2011-08-02 01:11 wireless_modem
# exit

There's the symlink, all right. Now, let's push "Superuser.apk".
Code:
$ ./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
2689 KB/s (785801 bytes in 0.285s)
$ ./adb shell
# cd /system/app
# ls -l S*
-rw-r--r-- root     root      7221765 2011-08-02 01:08 Settings.apk
[...many lines snipped out...]
-rw-r--r-- root     root       296419 2011-08-02 01:09 Street.apk
-rw-rw-rw- root     root       785801 2011-11-10 12:54 Superuser.apk
-rw-r--r-- root     root       551020 2008-08-01 09:00 SystemUI.apk
-rw-r--r-- root     root       255720 2008-08-01 09:00 SystemUI.odex
# chmod 644 Superuser.apk
# ls -l Super*
-rw-r--r-- root     root       785801 2011-11-10 12:54 Superuser.apk
# exit

So, there is Superuser.apk, with appropriate user/group/permissions. It's time for a reboot!
Code:
$ ./adb remount
remount succeeded
$ ./adb reboot

A short while afterwards...
Code:
$ ./adb shell
$ su
su: permission denied
$ cd /system/bin/
$ ls -l s*
-rwxr-xr-x root     shell        5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root     shell             2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root     shell        5456 2011-08-02 01:09 surfaceflinger
-rwxr-xr-x root     shell         192 2010-09-23 06:51 svc
lrwxrwxrwx root     shell             2010-10-26 09:02 sync -> toolbox
-rwxr-xr-x root     shell        5480 2011-08-02 01:09 system_server
$ cd /system/xbin/
$ ls -l *
-rwxr-xr-x root     shell        5536 2011-08-02 01:11 crasher
-rwxr-xr-x root     shell       60276 2008-08-01 09:00 dexdump
-rwxr-xr-x root     shell       22256 2011-08-02 01:11 wireless_modem

So, "su" is gone?! The exploit managed a temp root, but after the reboot, something set things back to standard, removing "su" and "Superuser.apk".

Doing this with scripts

I set up a pair of scripts to automate the previous work (and included BusyBox installation, by the way) but the results are the same.

The first script, htc1.sh, is:
Code:
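#!/bin/sh
# Clear out leftovers from earlier attempts
./adb shell "rm /data/local/tmp/*"
# Copy the zergRush binary to the phone and make it executable
./adb push ../../htcsupertoolv2/root/zergRush /data/local/tmp/.
./adb shell "chmod 777 /data/local/tmp/zergRush"
# Run it; on success adbd restarts as root
./adb shell "./data/local/tmp/zergRush"

The second script, htc2.sh, to be run afterwards, when (temp) root has been achieved, is: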
Code:
#!/bin/sh
# Remount /system read-write (needs adbd running as root)
./adb remount
# Install BusyBox into /system/xbin and create its applet symlinks
./adb push ../../htcsupertoolv2/root/busybox /data/local/tmp/.
./adb shell "chmod 755 /data/local/tmp/busybox"
./adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
./adb shell "cd /system/xbin; chown root.shell busybox; chmod 04755 busybox"
./adb shell "/system/xbin/busybox --install -s /system/xbin"
./adb shell "rm -r /data/local/tmp/busybox"
# Install su (setuid/setgid, owner root) and symlink it from /system/xbin
./adb push ../../htcsupertoolv2/root/su /system/bin/su
./adb shell "cd /system/bin; chown root.shell su; chmod 06755 su"
./adb shell "rm /system/xbin/su; ln -s /system/bin/su /system/xbin/su"
# Install the Superuser app
./adb push ../../htcsupertoolv2/root/Superuser.apk /system/app/.
./adb shell "cd /system/app; chmod 644 Superuser.apk"

If you run ./htc1.sh and then ./htc2.sh, results will be the same; the added commands will be gone, and you won't be able to "su" any more.

The attached scripts should help Linux users to root other phones (which are known to work) but the Desire Z question still remains; there seems to be something missing, at least for the time being.
Attached Files
File Type: rar htc1.and.htc2.rar (552 Bytes, 99 views)
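
Added example, not part of the original post or of Super Tool: the before/after-reboot comparison the post does by eye, written as a script that diffs two saved `ls -l` listings and also flags setuid/setgid entries. The function names and the sample listings are constructed for illustration; the sample is modelled on the /system/bin output above, with su shown in the mode that the chmod 06755 in htc2.sh would give.

```sh
#!/bin/sh
# Added example: compare toolbox `ls -l` listings saved before/after a reboot.

# vanished BEFORE AFTER: print "mode name" for entries missing from AFTER.
vanished() {
    awk '
        function name(   i) {   # symlink lines end in "name -> target"
            if ($1 ~ /^l/) for (i = 2; i <= NF; i++) if ($i == "->") return $(i-1)
            return $NF
        }
        NF < 6 || $1 !~ /^[-dlcbps]/ { next }   # skip blanks and "[...snipped...]"
        FILENAME == ARGV[2] { after[name()]; next }
        { before[name()] = $1 }
        END { for (n in before) if (!(n in after)) print before[n], n }
    ' "$1" "$2" | sort -k2
}

# setid_entries FILE: names whose mode string carries a setuid or setgid bit.
setid_entries() {
    awk '$1 ~ /^-..[sS]/ || $1 ~ /^-.....[sS]/ { print $NF }' "$1"
}

# write_samples DIR: constructed listings modelled on the /system/bin output
# in the post; the su line assumes the mode set by htc2.sh (06755).
write_samples() {
    cat > "$1/before.txt" <<'EOF'
-rwxr-xr-x root     shell        5392 2011-08-02 01:09 schedtest
[...many lines snipped out...]
lrwxrwxrwx root     shell             2010-10-26 09:02 stop -> toolbox
-rwsr-sr-x root     shell       22228 2011-11-10 12:53 su
-rwxr-xr-x root     shell        5456 2011-08-02 01:09 surfaceflinger
EOF
    cat > "$1/after.txt" <<'EOF'
-rwxr-xr-x root     shell        5392 2011-08-02 01:09 schedtest
lrwxrwxrwx root     shell             2010-10-26 09:02 stop -> toolbox
-rwxr-xr-x root     shell        5456 2011-08-02 01:09 surfaceflinger
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "Missing after reboot:"; vanished "$dir/before.txt" "$dir/after.txt"
echo "setuid/setgid before reboot:"; setid_entries "$dir/before.txt"
rm -r "$dir"
```

To use it on a real device, save the output of `./adb shell ls -l /system/bin` to a file before and after the reboot and pass both files to vanished.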
 
tmog2ginger
#2
Junior Member
G2 Temp Root

Hi, I got a tmo G2 2.3.4.

I used the superhtctoolv2 on Win7, and htcdrivers linked in the original thread.
I performed options 1 and 2, and was able to gain temp root, but just like everyone else it goes away with a reboot, or even after a prolonged period of inactivity; it works as long as I keep messing with Titanium Backup or other root apps.

Any way to combine this temp root with older options to gain a perm root?
 
frigid
#3
Senior Member
Cool man! Thanks!
 
fkereki
#4
Junior Member - OP
HTC security measure?

Looking around, I found this page about a security method by HTC... to quote:

Quote:
The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as rooting, but a side effect of HTC's security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored.

This sure looks like the problem we are having with the HTC DESIRE Z/G2/VISION...
 
fkereki
(Last edited by fkereki; 1st January 2012 at 05:22 AM.) Reason: Better format
#5
Junior Member - OP
Cannot get S-OFF

I tried adapting the third script (get S-OFF) for Linux but it didn't work out.

I first tried everything by hand. I ran htc1.sh first (to get root) and then went on to:

Code:
$ ./adb push ../../htcsupertoolv2/root/gfree /data/local
2127 KB/s (134401 bytes in 0.061s)

followed by
Code:
$ ./adb shell
# chmod 777 /data/local/gfree
# ./data/local/gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
 - Section[16]: .modinfo
 -- offset: 0x00000a14 (2580)
 -- size: 0x000000cc (204)
Kernel release: 2.6.35.10-g7b95729
New .modinfo section size: 204
Attempting to power cycle eMMC... Failed.
Module failed to load: No such file or directory

So I'm guessing the DESIRE Z/G2/VISION cannot be perm rooted with Super Tool, at least "as is" --- I'll possibly be trying backdating the firmware next.
 
Lui5
#6
Junior Member
well that sucks!