shw-m110s root exploit and extras + BASIC guide to root ANYTHING.
Much of the info here is still educational and even useful at times... but I'm not supporting this anymore and the simple thing to do now is just use Tegrak kernels. They are rooted, lag fixed, and more. Look it up. It does void your warranty of course.
My safe journaling ext4 kernel page is here (now with root, busybox, Voodoo sound and improved mount option configuration). If you're willing to use Odin, it will do almost everything in this post in one flash.
Tegrak's kernel is also rooted. It uses a less standard version of busybox for some reason (1.13.something). I'm sure that's fine or he wouldn't use it.
Quick Guide
First, RyanZa has an app called z4root that does this without a USB cable and is one click (not presently working with the SL28 phone update, so keep reading). It works on this device in Froyo and probably also Eclair. It also installs busybox. It's a market app, so just search the market on your phone, download it and run it.
Use z4mod for a lag fix if you don't know what to use. RyanZa (author of OneClick Lag Fix) is co-dev on z4mod. There is an app available on xda (sometimes in the market too). It's easy to use. It does flash a new kernel, but it's all pretty automated. If it complains about space on /system, remove something from /system (like a big apk), but back it up; you can put it back when it's done installing.
The older One Click Lag Fix, OCLF V2.0+, is not ready yet for Froyo on this device (it breaks vibration). It might be fixed soon, especially if there's interest. V1+ (offered from the same app) also works very well.
Lag fix disclaimer:
1) I feel stock keeps getting faster and smoother, maybe even with 2.2.1, so give stock a try first before lag-fixing.
2) Evidence is piling up that un-journaled (faster) lag fixes (as this one is) may be less safe for data (app data, not SD card data) in an improper shutdown. (Note some people also strongly disagree, but this is my post.) Many feel the performance is worth the risk, especially since apps can be re-installed (from backups made from your corrupted data or from the market). I don't know of any confirmed problems outside of testing environments; I had filesystem corruption myself AFTER I wrote this, but I pulled the battery a few times; don't. Data corruption doesn't always produce easily confirmable or understandable problems. It's up to you. Voodoo is probably safer now, but the only Voodoo for this device has Korean instructions and may or may not use the latest safe versions of Voodoo. I am still using z4mod for now. If you don't know, just buy life insurance and don't do your corporate accounting with your cell phone.
I have recently constructed a z4mod kernel with ext4 modules from Tegrak on page 157. No repartition instructions exist yet, so you're on your own with that for right now. If you don't even understand what it has to do with the above paragraph, you certainly aren't ready to mess with it.
You still may want to read below about the manual root method (just to understand it), and about things like lag fix, busybox, Titanium Backup and un-rooting, to understand how it all works so you don't need to ask silly questions.
Long old (but still good) guide: root that doesn't need to be set up at boot, is simpler (than joeykrim's), and doesn't interfere with OCLF or superuser or probably anything else.
Preface
I didn't exactly develop any of this (ok, just a little). Mostly I just (re)discovered it and collected it. Amazingly, it's not really documented well.
Since I first wrote this I found a quiet but older CyanogenMod page describing this method for one of the cousins. Another more recent page here at xda describes this working on the Epic:
http://xdaforums.com/showthread.php?p=8406167#post8406167
and it should work for just about anything else running 2.1 or 2.2 (confirmed, thanks to koe1974 for testing/fixing for m110s Froyo) with some tweaks (see special cases below, including the joeykrim/leshak cases).
And finally SuperOneClick, which came out a little later, basically uses this approach (and may well work on the shw-m110s).
Thanks to joeykrim for the Epic root method that inspired this one and for proofing this one, and thanks to the anonymous (I think) guy who found the exploit in the first place. Thanks to koe1974 for catching the group/passwd file omission and for testing, and to allovel83 for info about his fresh phone. Thanks to Wapu for first tries at OCLF that inspired much of this.
What is root.. really? (skip to "Howto root it" if you don't care how it works.)
The ONLY thing needed to have root access on any device is a working "su" command. Working means:
1) it's in the default executable path (i.e. /system/bin or /system/xbin)
2) the file is owned by root
3) it is executable by everyone
4) it has the set-user-id bit set, which means it runs with root permissions when anyone runs it
5) /etc/passwd and /etc/group exist with definitions for the root user and group.
That's it. (I'm ignoring root kernels)
If this works, then root is permanent and requires no startup scripts, no playlogos1 trick.
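As an added example (not code from the original post or from any of the tools it names), here is a small POSIX shell script that checks a candidate su binary and a passwd line against the five conditions above. The sample "ls -l" lines are constructed in the two formats seen on Android (toolbox without a link-count column, busybox with one). It only reads metadata, never runs su and changes nothing, so it serves equally well to confirm that a device is NOT rooted.

```sh
#!/bin/sh
# Added example: audit the five conditions for a working "su" (not code from
# the original post). Everything here reads metadata only.

# Constructed sample lines, in the two formats seen on Android:
# toolbox `ls -l` (no link count column) and busybox `ls -l` (with one).
SAMPLE_SU_OK='-rwsr-xr-x root     root        26264 2010-11-20 12:00 su'
SAMPLE_SU_BUSYBOX='-rwsr-xr-x    1 root     root        26264 Nov 20 12:00 su'
SAMPLE_SU_NOSUID='-rwxr-xr-x root     root        26264 2010-11-20 12:00 su'
SAMPLE_SU_NOTROOT='-rwsr-xr-x shell    shell       26264 2010-11-20 12:00 su'
# The passwd line the guide writes, and a wrong one (uid 1000 is not root).
PASSWD_LINE_OK='root::0:0:root:/data/local:/system/bin/sh'
PASSWD_LINE_BAD='root::1000:1000:root:/data/local:/system/bin/sh'

# Condition 1: the path must be in the default executable path.
su_path_in_default_path() {
    case "$1" in
        /system/bin/*|/system/xbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Conditions 2-4 from one `ls -l` line: owned by root, set-user-id bit set
# ("s" in the owner-execute slot), and executable by everyone.
su_line_is_root_capable() {
    # shellcheck disable=SC2086
    set -- $1                       # split into: mode [links] owner group ...
    mode=$1
    case "$2" in                    # busybox inserts a numeric link count
        *[!0-9]*) owner=$2 ;;
        *)        owner=$3 ;;
    esac
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        -rws??????) ;;              # regular file, owner rwx + setuid
        *) return 1 ;;
    esac
    case "$mode" in
        *x|*t) return 0 ;;          # world execute bit is the last character
        *) return 1 ;;
    esac
}

# Condition 5: a passwd line that defines user "root" with uid 0.
passwd_line_defines_root() {
    name=${1%%:*}
    rest=${1#*:}                    # drop the name field
    rest=${rest#*:}                 # drop the password field
    uid=${rest%%:*}
    if [ "$name" = "root" ] && [ "$uid" = "0" ]; then
        return 0
    fi
    return 1
}

# Report on each constructed sample so the script is useful stand-alone.
for line in "$SAMPLE_SU_OK" "$SAMPLE_SU_BUSYBOX" "$SAMPLE_SU_NOSUID" "$SAMPLE_SU_NOTROOT"; do
    if su_line_is_root_capable "$line"; then
        echo "root-capable su:     $line"
    else
        echo "NOT root-capable su: $line"
    fi
done
for line in "$PASSWD_LINE_OK" "$PASSWD_LINE_BAD"; do
    if passwd_line_defines_root "$line"; then
        echo "defines root: $line"
    else
        echo "no root here: $line"
    fi
done
```

On a phone you would feed the functions real output from an adb shell, for example su_line_is_root_capable "$(ls -l /system/xbin/su)" and passwd_line_defines_root "$(grep '^root:' /etc/passwd)"; a "S" instead of "s" in the mode string (setuid set but owner-execute missing) is correctly rejected.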
su Installation options
There are 4 basic methods used to copy these files (but they all have this same end goal).
1) Flash a whole new custom ROM (wipes data) including su. (Very device specific, obviously.)
2) Use the phone's update ability to add files from an update.zip file in recovery mode. (Many one-clicks use this, not SuperOneClick, but I think it's impossible on Froyo stock bootloaders, which require signed update.zips.)
3) Flash a new kernel. Actually this is more about the initramfs image that the kernel uses and which has su and related files.
http://xdaforums.com/showthread.php?t=788108
That one probably doesn't work on our device but who knows..
(Both 1 and 3 can brick your phone if you do the flash incorrectly.)
4) Use an exploit to gain root access on a running system, and use that access to install the files. This is the most flexible method for working out root on new setups.
(It may not be impossible to fully brick this way, but it would take serious skill; really, not in a sarcastic way.)
I only talk about option 4 here. Option 2 does not work for this device as of the present 2.1 models. Option 1 does, but with no custom ROMs available it doesn't actually gain root.
Option 3 is unexplored and again has no particular advantages. I have successfully rooted a kernel and can make one available for flashing if needed. This is more attractive now that lag fixes are using kernel mods anyway.
the exploit
To install these files on a running system, one needs root permissions already! Darn. Some anonymous guy found an exploit (rageagainstthecage) in the adb daemon that could get root permissions in the adb shell until the next reboot. That's enough to get things installed. (Update: the idea that this only works through a USB connection is a myth, as proven by RyanZa's z4root.
FYI, that means any app can get complete control over your device with this trick if your phone is in debug mode! This is a real security threat, but we may as well use it until it's shut down.)
The implementation
Here, nothing to it. Run rageagainstthecage, copy the files in, set permissions, reboot. Period.
HOWTO root it
I think this has all been tested, essentially cut and paste now (by koe1974).
First get adb working for your device. Plenty of other FAQs explain this, including the "Big FAQ" in i9000 general.
Download jk-su (or any other su) and rageagainstthecage-arm5.bin from
http://forum.sdx-developers.com/epic-development/adb-root-exploit-test/
The link is broken, sorry; search and you'll find it. Not sure I'm allowed to post such things here?
Get temporary root from the exploit
rageagainstthecage goes in /data/local/tmp because we have write permission there, because we can't execute things from the sdcard, and because that's where one puts temporary things.
Code:
adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage-arm5.bin
adb shell
chmod 755 /data/local/tmp/rageagainstthecage-arm5.bin
cd /data/local/tmp
./rageagainstthecage-arm5.bin
exit
Re-establish adb (may require reconnecting the cable and/or adb kill-server, possibly more than once; especially helpful in Froyo according to koe1974). I find it depends on which USB port I use, and this is also reported elsewhere; my eSATA port on my laptop is by far best.
Look for the # prompt.
If not, try the temp root procedure again. It will work.
Then make it permanent:
Code:
adb push jk-su /sdcard
adb shell
mount -o remount,rw -t rfs /dev/block/stl9 /system
cat /sdcard/jk-su > /system/xbin/su
chmod 4755 /system/xbin/su
ln -s /system/xbin/su /system/bin/su
echo "root::0:0:root:/data/local:/system/bin/sh" > /etc/passwd
echo "root::0:" > /etc/group
(The link to /system/bin/su might not be needed.)
That's it. Some instructions use superuser.apk to install the passwd and group files.
I'd rather get normal su working first, reboot and test it.
Reboot, then check for root:
Code:
adb shell
su
# exit
The "#" should show up on its own. You don't type it. This "#" prompt is the indication that you have root. Well done.
NOTE for other devices:
Some devices may have /system on a block device other than /dev/block/stl9.
Amusingly, at the moment you can use "/dev/block/yomama" in the command and can also use any filesystem type, and it will work!
I think that's because it's a remount: the kernel ignores the device and filesystem type arguments on a remount and only applies the changed flags (this may not be guaranteed behaviour with future versions, though).
Anyway, this should not be taken as a step-by-step guide for any non-similar device, but it should basically show the right approach (it may work perfectly, but it may not). See "special cases" below for issues I'm aware of.
Highly Recommended
Install superuser.apk from market
Superuser.apk protects your root by popping up a prompt asking for permission whenever a new program wants to use root. To do this, it replaces the su file.
After installing this Titanium Backup may think you don't have root. More on this below.
Optionally: for Galaxy relative owners ONLY (as far as I know):
Install RyanZa's One Click Lag Fix 2.1 apk version (or any other, probably) with no modifications. This is the only lag fix with English instructions that I know of that's tested on the Korean device. I use the max image size with no problems. It works, makes the phone much faster, and its modifications are relatively un-invasive compared to other fixes (no kernel replacement or partition reformatting).
This copies the splash screen /system/bin/playlogos1 to /system/bin/playlogosnow and replaces it with a new playlogos1 which is just a script that calls /system/bin/userinit.sh to setup the lag fix, and then calls the original splash screen, playlogosnow.
Market Enabler can allow phones in restricted access areas to get games using the Android Market. Use its backup feature. Then set your network to something like T-Mobile USA. It's temporary, for one internet session I think, unless you buy the full version.
(Legal disclaimer: I don't know any details about Korean or other internet access control laws. That's your problem to worry about.)
Install busybox. Probably very optional, since most root tools provide their own (z4root installs it, but without all the symlinks). You can probably use the market installer if you do it ***BEFORE installing OCLF***. If you do it after, it may remove OCLF's own copy and break OCLF and your apps' installation (or anything else using its own copy of busybox).
If you installed OCLF (or something else with busybox in it, like TiB), you can link its busybox into your system this way.
Code:
adb shell
su
mount -o remount,rw -t rfs /dev/block/stl9 /system
ln -s /data/oclf/busybox /system/bin/busybox
busybox --install -s /system/bin
This version should be well tested and maintained for Samsung devices.
You can also install the market installer, run it but don't click install, and it will give you a new version you can link in the same way.
Or just try installing the market one BEFORE OCLF or anything else that might have its own.
Titanium Backup also can install a busybox, but it also does not become default and does NOT get its commands symlinked into /system/xbin. It is basically there for TB's use unless you fully install it instead of the OCLF or other version.
Funny story there (this seems no longer relevant with some versions of things): when I installed TB after superuser, it said I didn't have root (superuser never asked for permission as it should) and wouldn't work. When I clicked "problems" and "install busybox", it asked for root (tried to use su) and I said OK, and then it worked fine ever since. This has nothing to do with busybox probably, only with superuser acting flaky and/or TB checking for root in some funny or impatient way.
removing busybox
Isn't that simple as far as I can tell (until now)...
If you've installed all the symlinks then you might want to remove them all.
Code:
adb shell
su
mount -o remount,rw -t rfs /dev/block/stl9 /system
busybox ls -al /system/bin |busybox grep busybox | busybox awk -F" " '{print "/system/bin/"$9}'| busybox xargs busybox ls
This just finds them. It's not heavily tested, so I suggest you run it once as is. It should output many filenames in turquoise letters in /system/bin. It may also find busybox itself.
If you're happy, change the ls at the end of the long command to rm and run it again to remove them.
If your busybox is in /system/bin, this will remove it along with the links. If you used the instructions above for the OCLF busybox, it will remove the link, and OCLF will remove busybox when it is uninstalled. If your busybox is somewhere else or linked to somewhere else, you got it there; you can delete it.
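An added example (not the post's own command, and not part of OCLF, busybox or Titanium Backup): the same cleanup done with readlink instead of parsing ls output, so it only touches links whose target really is a busybox binary and leaves the binary itself (a regular file) alone. The directory it builds is a constructed stand-in for /system/bin; on the phone you would pass /system/bin after the remount and run the dry-run listing before removing anything.

```sh
#!/bin/sh
# Added example (not from the original post): list and remove symlinks that
# point at a busybox binary. Uses readlink, which both coreutils and busybox
# provide, instead of parsing `ls -al` columns.

# True if PATH is a symlink whose target's last path component is "busybox".
is_busybox_link() {
    [ -L "$1" ] || return 1
    target=$(readlink "$1")
    [ "${target##*/}" = "busybox" ]
}

# Dry run: print each busybox symlink directly inside DIR, one per line.
list_busybox_links() {
    for f in "$1"/*; do
        is_busybox_link "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Remove those links (the busybox binary is a regular file, so it survives).
# Prints the number of links removed.
remove_busybox_links() {
    n=0
    for f in "$1"/*; do
        is_busybox_link "$f" || continue
        rm -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed stand-in for a /system/bin with two busybox applet links and
# one unrelated link that must be left alone. Prints the directory path.
make_demo_bin_dir() {
    d=$(mktemp -d)
    : > "$d/busybox"; chmod 755 "$d/busybox"   # empty stand-in, not a real binary
    : > "$d/toolbox"; chmod 755 "$d/toolbox"
    ln -s "$d/busybox" "$d/ls"
    ln -s "$d/busybox" "$d/grep"
    ln -s "$d/toolbox" "$d/ps"                  # not ours; must survive
    echo "$d"
}

demo=$(make_demo_bin_dir)
echo "dry run, links that would be removed:"
list_busybox_links "$demo"
echo "removed: $(remove_busybox_links "$demo") link(s)"
echo "still present: $(ls "$demo" | tr '\n' ' ')"
rm -rf "$demo"
```

Because the match is on the link target rather than on the name, a busybox sitting in /system/bin or linked from /data/oclf/busybox is handled the same way, and the "ps" link to toolbox is never touched.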
unrooting
Once you're root and have used root apps, the only way to make sure there's no trace of modified files on your phone is to reflash the ROM or diff your entire /system against a ROM image. But if you just want to disable root access and remove what we've done above...
First undo other things that need root, of course.
Undo OCLF for example, but just use the standard methods for those, without modification.
Remove busybox; see instructions above.
Then it should just go like this:
Code:
adb shell
$ su
# mount -t rfs -o remount,rw /dev/block/stl9 /system
# rm /etc/passwd
# rm /etc/group
# rm /system/bin/su
# rm /system/xbin/su
# rm /sdcard/jk-su
# rm /data/local/tmp/rageagainstthecage-arm5.bin
# reboot
Amusingly OCLF should work after unrooting if you reverse the order.
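As an added example (not from the original post), a read-only check to run after the unroot steps above, confirming that none of the files the guide created are still there and that no set-user-id binaries remain under /system. It takes a prefix argument so it can be pointed at "/" on the device or at a pulled copy of the tree; the sample tree it builds is constructed here to show both the "still rooted" and the "clean" result.

```sh
#!/bin/sh
# Added example (not from the original post): verify that unrooting left
# nothing behind. Read-only; it only lists what it finds.

# The files the guide itself creates, relative to a prefix such as "/"
# on the device or a directory holding a pulled copy of the tree.
ROOT_ARTIFACTS="etc/passwd etc/group system/bin/su system/xbin/su \
sdcard/jk-su data/local/tmp/rageagainstthecage-arm5.bin"

# Print every regular file under DIR with the set-user-id bit set.
find_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print each artifact still present under PREFIX (files or dangling links).
# Returns 0 when the tree is clean, 1 when something is left.
leftover_artifacts() {
    prefix=${1%/}
    found=0
    for rel in $ROOT_ARTIFACTS; do
        if [ -e "$prefix/$rel" ] || [ -L "$prefix/$rel" ]; then
            printf '%s\n' "$prefix/$rel"
            found=1
        fi
    done
    return $found
}

# Constructed sample tree: a rooted layout as the guide produces it (su in
# /system/xbin with mode 4755, a link in /system/bin, passwd and group).
make_rooted_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/system/bin" "$t/system/xbin" "$t/etc"
    : > "$t/system/xbin/su"; chmod 4755 "$t/system/xbin/su"   # empty stand-in
    ln -s /system/xbin/su "$t/system/bin/su"                   # dangling in the copy
    : > "$t/system/bin/sh"; chmod 755 "$t/system/bin/sh"       # ordinary binary
    echo 'root::0:0:root:/data/local:/system/bin/sh' > "$t/etc/passwd"
    echo 'root::0:' > "$t/etc/group"
    echo "$t"
}

# Apply the guide's unroot removals to the sample tree.
unroot_tree() {
    for rel in $ROOT_ARTIFACTS; do
        rm -f "$1/$rel"
    done
}

tree=$(make_rooted_tree)
echo "before unroot:"
find_setuid_files "$tree/system"
leftover_artifacts "$tree" || echo "-> still rooted"
unroot_tree "$tree"
echo "after unroot:"
find_setuid_files "$tree/system"
leftover_artifacts "$tree" && echo "-> clean"
rm -rf "$tree"
```

On a real device, find_setuid_files /system after the unroot should print nothing; anything it does print is a set-user-id binary that a root app or lag fix left behind and that the guide's rm list does not cover.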
Special Cases(other devices)
Just to be thorough: the primary exploit, rageagainstthecage (ratc), works on ANY 2.1 or 2.2 device, but there are some little difficulties.
1) Once upon a time (and probably still) the Android system on the Moment would undo the set-user-id bit on files in /system on bootup. Root broke. joeykrim (actually leshak, I think) fixed this by copying su to a ramdisk during bootup, setting its permissions, and soft-linking back to /system/bin and /system/xbin.
Later it worked on the Epic and was adopted on all its cousins, maybe because nobody bothered to try the obvious simpler ways. It's since been found (by me and others) that although it worked, it's just not needed on these devices, at least not with present firmwares (maybe something changed). Furthermore the symlink interferes with superuser installation, and the startup scripts interfere with installation of OCLF and who knows what else (because it uses the same playlogos1 file to install its startup scripts).
A few devices still may suffer from this issue. If you have su working and it breaks after rebooting (test without superuser.apk first), then try the joeykrim/leshak method, but this problem seems very rare now.
http://forum.sdx-developers.com/epic-development/adb-root-exploit-test/
If you then install superuser, you'll want to copy its file in correctly; see the link in the post above. If you install OCLF you'll need to restore the playlogos file (an option in the apk), install it, and then make a new playlogos file that calls both the OCLF script and the root setup script. Wapu has one working instruction set for that in this thread. I've contended that it should be doable in a simpler way, but no cut-and-paste instructions exist for that.
2) A few devices are NAND locked, meaning you can't copy in su. For those, google around about NAND locks. There is a trick to un-NAND-lock first.