Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,783,072 Members 44,959 Now Online
XDA Developers Android and Mobile Development Forum

[DISCUSSION][SOLVED] ROOTING G2 Vision T-mobile

Tip us?
 
sino8r
Old
#141  
sino8r's Avatar
Senior Member
Thanks Meter 539
Posts: 3,306
Join Date: Sep 2006
Location: Birmingham, Alabama
Quote:
Originally Posted by lbcoder View Post
.... ??
How about some crazy thing like....
mkdir /craziness
mount -t ext3 /dev/block/mmcblk0p49 /craziness
copy files into /craziness, sync, and reboot before it blows up.
Hahaha! Cute... yeah I saw all those crzy partitions last night while looking for the disk size.

I didn't realize you were trying through ext3...

Why if heck are all those partitions in there to begin with? I've never seen that many...
evolution
HTC Wizard G3
HTC Excalibur
HTC Dream
HTC Sapphire
HTC Rhodium
HTC Espresso
HTC Glacier
HTC Vision
HTC Doubleshot
Samsung Note 2

My recent works:
2G/3G/4G/H+ icons for CM7.1 and Nightly

How to defeat data throttling

2.1 with JIT enabled on MTS

boot animation (Nexus "X"/HTC "quietly brilliant") for MTS
 
teferi
Old
#142  
Junior Member
Thanks Meter 6
Posts: 28
Join Date: Oct 2010
It looks like the busybox binary I grabbed will revert to your real uid (not effective uid), so you can't do anything useful with if if you've made a SUID shell and launched it from an unprivileged adb prompt. If you're in a similar situation, the following short program may be useful:

#include <sys/types.h>
#include <unistd.h>

int main() {
setreuid(0,0);
execl("/system/bin/sh","sh");
return 1;
}

Compile and statically link it with a compiler targeting Linux armel and run it from a setuid shell, it'll set your real uid to 0 and busybox will let you do things privileged (including running 'busybox ash', which has history and some minimal line editing!)

Not a step forward in getting root to stick, but it's sure easier to explore on a real keyboard via adb shell rather than the phone one.
 
teferi
Old
#143  
Junior Member
Thanks Meter 6
Posts: 28
Join Date: Oct 2010
...or you could just copy Superuser.apk and its su into the appropriate places and set their permissions properly, which will be a lot easier (while still also not yet persisting across reboots)
 
gariak
Old
(Last edited by gariak; 2nd October 2010 at 12:25 AM.) Reason: Added last line
#144  
Member
Thanks Meter 12
Posts: 45
Join Date: May 2009
To sum up so far:

At your command prompt on your computer:

adb push Superuser.apk /sdcard/Superuser.apk
adb push su /sdcard/su
adb push busybox /sdcard/busybox
adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage-arm5.bin

Open terminal program

$ cd data/local/tmp
$ chmod 0755 rageagainstthecage-arm5.bin
$ ./rageagainstthecage-arm5.bin

Let the process run until "Forked..." message
Hit enter

$ ./rageagainstthecage-arm5.bin

See unable to fork message
Hit Menu button and Reset Terminal
Re-open terminal program
You should have a # prompt instead of $

(I've created a script that does the following)

# /data/local/tmp/busybox killall rageagainstthecage-arm5.bin
# mount -o rw,remount -t ext3 /dev/block/mmcblk0p25 /system
# /data/local/tmp/busybox cp /sdcard/Superuser.apk /system/app/Superuser.apk
# /data/local/tmp/busybox cp /sdcard/su /system/bin/su
# /data/local/tmp/busybox cp /sdcard/busybox /system/bin/busybox
# chmod 4755 /system/bin/su
# chmod 4755 /system/bin/busybox
# mount -o ro,remount -t ext3 /dev/block/mmcblk0p25 /system

After this, I can run su in the adb shell and get root via adb.
NOTE: if you exit adb and rerun it, you lose root (via adb, not in the terminal) and I haven't figured out a way to get it back, short of starting from the beginning again.
 
ultma75
Old
#145  
ultma75's Avatar
Senior Member
Thanks Meter 75
Posts: 710
Join Date: Jun 2009
Location: Houston, Texas
Quote:
Originally Posted by gariak View Post
To sum up so far:

At your command prompt on your computer:

adb push Superuser.apk /sdcard/Superuser.apk
adb push su /sdcard/su
adb push busybox /sdcard/busybox
adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage-arm5.bin

Open terminal program

$ cd data/local/tmp
$ chmod 0755 rageagainstthecage-arm5.bin
$ ./rageagainstthecage-arm5.bin

Let the process run until "Forked..." message
Hit enter

$ ./rageagainstthecage-arm5.bin

See unable to fork message
Hit Menu button and Reset Terminal
Re-open terminal program
You should have a # prompt instead of $

(I've created a script that does the following)

# /data/local/tmp/busybox killall rageagainstthecage-arm5.bin
# mount -o rw,remount -t ext3 /dev/block/mmcblk0p25 /system
# /data/local/tmp/busybox cp /sdcard/Superuser.apk /system/app/Superuser.apk
# /data/local/tmp/busybox cp /sdcard/su /system/bin/su
# /data/local/tmp/busybox cp /sdcard/busybox /system/bin/busybox
# chmod 4755 /system/bin/su
# chmod 4755 /system/bin/busybox
# mount -o ro,remount -t ext3 /dev/block/mmcblk0p25 /system

After this, I can run su in the adb shell and get root via adb.
anyone try this? waiting on g2
Mine: G1>G2>G2x>LG Nexus 4!

Asus transformer tf101

Samsung galaxy player 5.0

Wife: Stock T-Mobile S3 & Nexus 7

twitter.com/ultma75
 
teferi
Old
#146  
Junior Member
Thanks Meter 6
Posts: 28
Join Date: Oct 2010
Off topic: Looks like they didn't try very hard to disable tethering...iptables and the usb ethernet gadget driver are still in the kernel and the iptables and dnsmasq binaries are present. Shouldn't be too hard to bring that up.
 
logicsans
Old
#147  
Junior Member
Thanks Meter 0
Posts: 10
Join Date: Aug 2010
I'll try it on Monday, when I get the phone. But hopefully there should be enough confirmation by then.

Cheers!
 
gariak
Old
#148  
Member
Thanks Meter 12
Posts: 45
Join Date: May 2009
This explains some of the trouble with other methods...

http://android.git.kernel.org/?p=pla...6e0ca50702c9ab

So what needs to be done to get a custom recovery made/adapted?

Perhaps this will be useful? I'm learning as I go...

cat /proc/emmc
dev: size erasesize name
mmcblk0p17: 00040000 00000200 "misc"
mmcblk0p21: 0087f400 00000200 "recovery"
mmcblk0p22: 00400000 00000200 "boot"
mmcblk0p25: 19fbfa00 00000200 "system"
mmcblk0p27: 0cccce00 00000200 "cache"
mmcblk0p26: 53200200 00000200 "userdata"
mmcblk0p28: 01400000 00000200 "devlog"
 
sino8r
Old
#149  
sino8r's Avatar
Senior Member
Thanks Meter 539
Posts: 3,306
Join Date: Sep 2006
Location: Birmingham, Alabama
Quote:
Originally Posted by gariak View Post
This explains some of the trouble with other methods...

http://android.git.kernel.org/?p=pla...6e0ca50702c9ab

So what needs to be done to get a custom recovery made/adapted?

Perhaps this will be useful? I'm learning as I go...

cat /proc/emmc
dev: size erasesize name
mmcblk0p17: 00040000 00000200 "misc"
mmcblk0p21: 0087f400 00000200 "recovery"
mmcblk0p22: 00400000 00000200 "boot"
mmcblk0p25: 19fbfa00 00000200 "system"
mmcblk0p27: 0cccce00 00000200 "cache"
mmcblk0p26: 53200200 00000200 "userdata"
mmcblk0p28: 01400000 00000200 "devlog"
what about contacting koush or amon_ra to make a recovery or edit of theirs?
evolution
HTC Wizard G3
HTC Excalibur
HTC Dream
HTC Sapphire
HTC Rhodium
HTC Espresso
HTC Glacier
HTC Vision
HTC Doubleshot
Samsung Note 2

My recent works:
2G/3G/4G/H+ icons for CM7.1 and Nightly

How to defeat data throttling

2.1 with JIT enabled on MTS

boot animation (Nexus "X"/HTC "quietly brilliant") for MTS
 
biosehnsucht
Old
#150  
Junior Member
Thanks Meter 0
Posts: 25
Join Date: May 2009
If the NAND is being presented as mmc type device, perhaps the baseband ("radio") processor is performing mmc to nand conversion, and also acting as a gatekeeper? Don't the baseband processors often perform other interfacing functions in other devices?

This might also be relevant to the ~2.1GB mmc size weirdness - there are of course not going to be non-power-of-two NAND devices so all these ~2.1GB devices must have 4GB of space but may show up with an odd number of sectors due to gatekeeping by the baseband processor.

The baseband processor might simply discard any writes to certain sectors not being performed in an approved fashion (perhaps using special IPC calls or by first authenticating with it to enable write through). Perhaps it caches writes in the "rest" of the NAND space, until the next reboot?

Perhaps there is some kind of dual partition set up like a Tivo for the system partitions, so you write your OS update to the other partition set (through whatever nonstandard methods are used), write config someplace indicating to use the other partition set, reboot, bootloader tries booting and if things don't check out, revert to previous partition set.

THREAD CLOSED
Subscribe
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Just Get a Moto G 4G? This Toolkit Does all the Basics

Just yesterday, we talked about how the wallet-friendlyMoto G4G had just achieved a … more

Twik Keeps Your Accounts Secure with Randomly Generated Passwords

If youre one of thosewho find it just an impossible task to keep trackof … more

Moto G 4G Receives Official CyanogenMod 11 Love

When theMoto Gwas initially released to the world in November of last year,very few actually … more

Get Your Tasks Organized on Android Wear with Agenda Wear

Having a checklist of things you need to do is something we all can find useful at … more