[ROOT ICS] The hard way && Digging for roots


Icewyng

Senior Member
Dec 10, 2010
309
109
Québec
when you guys get the boot.img unpacked, you will separate the kernel from the ramdisk. after you get it opened up have a good look at init.vangogh.rc, default.prop, etc. when you get it broken down you can edit the information and recompile it with the correct settings to get fastboot and nvflash working, but i have yet to find a way to get it back on the tablet. has anyone been able to unpack [[[any]]] acer iconia rom, and then repack it, even [[without]] editing it, and get the signature correct to flash it back to the tablet? thanks

I have been editing all the .rc files before and tried to get them back but it did not work. I think the only way will be with NvFlash or Fastboot. Anyone talked to the A500 guys to know how they got their unlocker to work?

As for my tablet, unless I can get NvFlash to work, it is screwed for now. I can still do dev work but just not test it. :)
 

o0TheFLaSH0o

Member
Oct 10, 2011
9
0
Is there something I can edit in the build.prop to help the screen sensitivity? In YouTube and Netflix I can't scroll without unintentional selections.
 

oneovakindoldys2

Senior Member
Nov 27, 2011
70
13
They looked (in disassembler) at EUUs code that generates SBK from CPUID.
what they did on the a500 ics bootloader was really rather simple....they already had itsmagic and an [unlocked nvflash] in hc 3.0, which we don't have. their bootloader, as well as nvflash, were locked up tight in ics just as ours is, however they just patched the bootloader by using nvflash from hc. you can read this thread....post #52 will explain it pretty well if you don't want to read the whole thread....however the entire thread is very useful reading for us a100 owners. i'm trying a few different methods and i will let you guys know if i find anything new and i hope you will do the same. good luck
 

Icewyng

Senior Member
Dec 10, 2010
309
109
Québec
what they did on the a500 ics bootloader was really rather simple....they already had itsmagic and an [unlocked nvflash] in hc 3.0, which we don't have. their bootloader, as well as nvflash, were locked up tight in ics just as ours is, however they just patched the bootloader by using nvflash from hc. you can read this thread....post #52 will explain it pretty well if you don't want to read the whole thread....however the entire thread is very useful reading for us a100 owners. i'm trying a few different methods and i will let you guys know if i find anything new and i hope you will do the same. good luck

Makes sense. The problem I had was that Acer Recovery App is installing the recovery but it installs Itsmagic as well and this is why I am stuck at this moment. If it was one or the other, fine... but both at the same time killed it for me.

I am sure there would be a way to do the same for us as well. I will have to check it out and see what happens. They've checked the EUU with a disassembler?? Wow... lots of work for sure! Maybe we should do the same as well.
 

oneovakindoldys2

Senior Member
Nov 27, 2011
70
13
@icewyng....what are you able to access on your tab? can you get to adb at all? apx mode? if you can access apx mode, hook your tab to your pc...run the euus...instead of finishing it, let it sit for about two minutes....it should ask if you wish to wipe all data from your tab. it won't wipe a functional tab, but by chance it could possibly wipe a [disabled sos] tab. this probably won't work, but it is worth a try. good luck
 

smokku

Senior Member
Jan 15, 2009
416
67
Warsaw
abadcafe.pl
The problem I had was that Acer Recovery App is installing the recovery but it installs Itsmagic as well and this is why I am stuck at this moment. If it was one or the other, fine... but both at the same time killed it for me.

'itsmagic' wipes your APK (mmcblk0p7) partition, overwriting it with a magic value, which forces the bootloader to recalculate the boot (p1) and recovery (p2) signatures.
As we have a different magic value than the A500, this is what killed your tab - you lost your boot and recovery signatures, and the bootloader won't boot either of them.

You should be able to recover your dead device using EUUs - this is a service tool designed exactly for this purpose.
But I couldn't make it work at all. Maybe you would have better luck.
 

Icewyng

Senior Member
Dec 10, 2010
309
109
Québec
'itsmagic' wipes your APK (mmcblk0p7) partition, overwriting it with a magic value, which forces the bootloader to recalculate the boot (p1) and recovery (p2) signatures.
As we have a different magic value than the A500, this is what killed your tab - you lost your boot and recovery signatures, and the bootloader won't boot either of them.

You should be able to recover your dead device using EUUs - this is a service tool designed exactly for this purpose.
But I couldn't make it work at all. Maybe you would have better luck.

Yea... that is what you get for experimenting with stuff that you are not 100% sure of. :)

The thing is that I use Linux and not Windows... It might make it a bit more difficult to do. I do have APX and fastboot so I am not too worried about it. I just need to find a way to get it back.

@oneovaking... are you sure about that? if so, I guess it would be a good way to get out of it.
 

oneovakindoldys2

Senior Member
Nov 27, 2011
70
13
@smokku, yes, if we could get euus to function correctly with our cpuid our problems would very likely be solved, however at this point no one has been able to accomplish this as far as i am aware of. if you want, you can decompress the a100 euus and unpack it and you will find the [old] a100 image and all of the nvflash config files as well as the md5sums in a separate file, so someone has almost certainly had nvflash working on the old version, but i have not figured out how to get it on our tabs without a working euus, nvflash, or fastboot, but i am certainly not an experienced dev like several of the a500 developers are. you guys may be able to make some progress if you have time to thoroughly look it over.

@icewyng, yes, i am certain that it will wipe an a500, but i have yet to get it to wipe my a100, but as i said, mine has a working operating system. what happens is you will try to trick the euus into not seeing an operating system on your tab; after it does not see an operating system it will format and reinstall, in theory. it works fine with the a500, but as you know, we have a problem somewhere so it won't work for us. i believe that our problem could possibly be with the nvflash config files, etc. not being correct. good luck
 

madmalkav

Senior Member
Oct 19, 2007
51
6
Was able to extract the blob

Can you please explain how? I'm in a similar situation with another tegra based tablet and I think I'm missing something. Trying the blobtools version posted on another thread that has support for encrypted blobs, but it has the crypto key in the .h file and it is longer than the second field of the res/keys that I thought was the key for unsigning.
 

peporras

Senior Member
Jan 8, 2010
112
18
Albacete
It's no use.
 

Attachments: IMG_20120326_163658.jpg

madmalkav

Senior Member
Oct 19, 2007
51
6
Thanks but we got a recovery program and an OTA file from the producer of this tablet. I have been analyzing those for some hours and instead of using standard tegra security, they are obfuscating the files with modified file formats. Good news is the tablet is back to work, bad news is I will not be able to resort to already discovered tegra security flaws with this machine.
 

Top Liked Posts

  • 9
    Here's my attempt at a "double click" root for ics. I've included everything you might need including the usb drivers. It doesn't need anything special to run, just the usb driver installed and your tab with USB debugging enabled (go to settings -> developer options and check USB debugging.)

    Download:
    http://db.tt/77NSAPDs

    Extract and install the usb driver if needed. Plug your tab in to your pc & double click the .bat file. Check to see if your device id is listed; if it's not, close the window out and check that your device is connected and recognized by Windows (also check that you have the drivers for the tab installed and that USB debugging is enabled).

    If it is listed (should display a series of numbers) press any key to start the rooting scripts. It will load su and busybox to the loop mount for you. Once the script is done you may need to restart the tab and run the .bat file again to be able to write to the looped system (while the loop system is mounted you can modify the build.prop file and other files within /system by going to /data/local/rootme/loop/ but /system itself isn't r/w mounted.)

    This was a pain to get working and it still may not work right, if it does work for you though, you can re-run the .bat file each time you reboot your tab to be able to write to the looped system. Eventually I'll integrate the commands into the install-recovery.bat file along with some sdcard tweaks so you won't have to re-run the bat file after reboot.

    Thanks to eww245 for providing the commands initially (I used a variation of his and ones from the post on the toshiba forums to get this to work).

    Sent from my MB860 using XDA App
    4
    For anyone that doesn't want to root the hard way crossix has come up with a double click root for Windows xdaforums.com/showpost.php?p=23052186&postcount=105

    Update 2/26/12
    /system can now be mounted writable see the bottom of this post.

    So the old Honeycomb exploit has now been patched in ICS. But there was an exploit found in the newer ICS kernels, written by saurik, called mempodroid.

    There is an offset needed as an argument to the binary; for the a100 we'll use what has worked for the a200 as noted in saurik's github linked above.

    The issue with this is mounting /system as writable. I'm not sure if it's something in ICS, but it appears to be write protected. As noted here and here we will loop mount the system partition.

    The tools needed are:

    1. mempodroid under Usage Instructions, download pre-compiled
    2. busybox 1.20 snapshot 3-10-12
    3. su the latest from androidsu.com, extract from system/bin
    4. mount.txt script

    After downloading and extracting place them all in a folder called tools.
    This must be done with adb. Issue the following from cmd or a terminal:
    Code:
    $ adb shell mkdir /data/local/tools
    $ adb push tools /data/local/tools ; adb shell
    $ cd /data/local ; chmod 755 tools/*
    $ cd tools ; ./mempodroid 0xd9f0 0xaf47 sh
    If all went well you should be at a hash # prompt. This is temp root.

    mount /system rw the new way:
    Code:
    # PATH=$PWD:$PATH
    # sh mount.txt -o remount,rw /system

    Copy su and busybox to /system
    Code:
    # ./busybox cp busybox /system/xbin; ./busybox cp su /system/xbin/
    # chmod 6755 /system/xbin/su

    Install busybox
    Code:
    # cd /system/xbin
    # for i in $(busybox --list); do ln -s busybox $i; done; sync
    Copy the mount script
    If busybox is updated this step must be run again
    Code:
    # cp /data/local/tools/mount.txt /system/bin/mount
    # cp /data/local/tools/mount.txt /system/xbin/mount

    Done, your a100 should be rooted

    the old way:

    Now let's loop mount /system
    Code:
    This is no longer needed:
    # ./busybox losetup -o $((512 * 51200)) /dev/block/loop7 /dev/block/mmcblk0
    Code:
    # ./busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
    # mkdir loop ; mount -t ext4 /dev/block/loop7 loop

    Copy su and busybox to the new mount point.
    Code:
    # ./busybox cp su loop/xbin/ ; ./busybox cp busybox loop/xbin/
    # chmod 6755 loop/xbin/su ; sync
    If it worked your a100 is fully rooted. Make sure to install SuperUser from the Market.
    Either get busybox installer from the market, and install it to /data/local/tools/loop/xbin
    Or:
    Code:
    # cd loop/xbin
    # for i in $(busybox --list); do ln -s busybox $i; done; sync
    The mount point won't survive a reboot so in order to write to /system again run:
    Code:
    # busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
    # mount -t ext4 /dev/block/loop7 /data/local/tools/loop

    [update 2/26/12]
    To mount /system as writable do the following from adb. We'll just make a directory called /data/loop for easy access.
    Code:
    $ adb shell
    $ su
    # stop
    (your screen will go black)
    # mkdir /data/loop
    (skip this if the loop is already set up)
    # busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
    # mount -t ext4 /dev/block/loop7 /data/loop
    # mount -o bind /data/loop /system
    # start
    You can write to /system with any app but /system can't be remounted ro then back to rw.

    This can be added to /etc/install-recovery.sh to make it permanent
    Code:
    busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
    mount /dev/block/loop7 /data/loop
    mount -o bind /data/loop /system
    Thanks to crossix as the first to get temp root, and Icewyng for pointing out the exploit and helping with the magic number.
    3
    I got root using this method. http://xdaforums.com/showpost.php?p=22862959&postcount=306


    I used quick boot app and selected 'Bootloader'. May be useful?

    got this:
    2
    Not sure why the files aren't showing up. Maybe try busybox sync after copying them.

    [edit] I assume you can get root manually and it's just a problem with your script?
    Let me know, hopefully the instructions are all correct now. I updated them several times yesterday.
    Also, there might be an easier way than what I posted, if you find one post it here or shoot me a PM.

    Thanks, I'm having to use a slightly different method since I can't pass arguments through adb shell and mempodroid. It's copying all the files to the tab and executing shell scripts for each step in the process based off a combo of your root method and the one found for the toshiba tab. Hopefully I'll get it figured out soon..
    2
    Thought that might happen, have to get some more ideas.

    [edit] So maybe using 'stop' will help, from adb

    # stop
    # mount -o bind /data/local/tools/loop /system
    # start

    There probably won't be a bootanimation, but if it gets to the lockscreen it should be ok without FCs. If it bootloops just hold in the power button or use the pinhole reset.

    I should just suck it up and upgrade just don't think I'm ready.

    bumping this^ could someone try it.


    Looks like the a500 got rooted with the same method. xdaforums.com/showpost.php?p=22862959&postcount=306 There's one difference with the loop mount. So can someone try this and see if it mounts writable. Just trying to make things simpler, Thanks

    busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
    mount -t ext4 /dev/block/loop7 /data/local/tools/loop

    Also looks like they ran mempodroid on the tablet, so maybe I can refine it some more.
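The loop and bind mount steps in the posts above leave a tablet in a distinctive state: /system is served from /dev/block/loop7 and is mounted rw instead of ro from mmcblk0p3. The script below is an added example, not from any post in this thread, showing how to read that state back out of a /proc/mounts listing, which is how you would confirm the mount worked or, from the other side, spot a device that has been modified this way. The mount lines are constructed for the example rather than captured from a real tablet, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): report how /system is mounted from a
# /proc/mounts listing. Sample listings below are constructed for this example.

# State after the loop + bind mount from the thread: the last /system entry
# comes from the loop device and is rw.
SAMPLE_MOUNTS='/dev/block/mmcblk0p3 /system ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p8 /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/loop7 /data/loop ext4 rw,relatime 0 0
/dev/block/loop7 /system ext4 rw,relatime 0 0'

# Untouched state: /system read-only straight from the eMMC partition.
CLEAN_MOUNTS='/dev/block/mmcblk0p3 /system ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p8 /data ext4 rw,nosuid,nodev,noatime 0 0'

# system_mount_info <mounts-text>
# Prints "<device> <rw|ro> <loop|direct>" for /system, or "none" if absent.
# /proc/mounts lists mounts in order, so a later entry for the same mountpoint
# (the bind mount over /system) shadows the earlier one; we keep the last.
system_mount_info() {
    printf '%s\n' "$1" | awk '
        $2 == "/system" { dev = $1; opts = $4 }
        END {
            if (dev == "") { print "none"; exit }
            n = split(opts, o, ",")
            mode = "ro"
            for (i = 1; i <= n; i++) if (o[i] == "rw") mode = "rw"
            kind = (dev ~ /\/loop[0-9]+$/) ? "loop" : "direct"
            print dev, mode, kind
        }'
}

# system_is_modified <mounts-text>
# Succeeds (exit 0) when /system is writable or backed by a loop device,
# i.e. the state the thread's procedure produces.
system_is_modified() {
    set -- $(system_mount_info "$1")
    [ "$2" = "rw" ] || [ "$3" = "loop" ]
}

# Stand-alone run: on a real device replace the sample with "$(cat /proc/mounts)".
system_mount_info "$SAMPLE_MOUNTS"
system_mount_info "$CLEAN_MOUNTS"
```

On a device you would feed it `"$(cat /proc/mounts)"` from an adb shell; the first sample prints `/dev/block/loop7 rw loop`, the clean one `/dev/block/mmcblk0p3 ro direct`.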