[DEV] Current Progress and Guides: CRACKED UBOOT!!! Roms and Kernels Comming Soon

Loglud · 05:00 PM

[DEV] Current Progress and Guides: CRACKED UBOOT!!! Roms and Kernels Comming Soon

This thread is designed for representation of the current progress on the Nook Tablet rooting and exploits, the second post will contain how to guides so you can learn to work on it for you self. REMEMBER I DO THIS FOR FUN, please respect the thread as well as others opinions

OLD UPDATES AT THE END OF THIS POST.

First off if you haven’t read the wiki yet to know what is currently in the device you should look here.
Also you should look at the http://www.nooktabletdev.orgfor information on the Nook Tablet Development process. - Thanks to dj_segfault

Rooting Scripts

Windows: Root, OTA block, De-bloat, Gapps Thanks to Indirect
Mac/Linux: Rooting script Thanks to t-r-i-c-k
Mac/Linux: Root,OTA Block, Gapps

CURRENT PROGRESS

adb connection: COMPLETE
adb root: COMPLETE
busybox:COMPLETE
permanent root: COMPLETE BY INDIRECT
GApps and Market: COMPLETE BY INDIRECT & Anlog
recovery mode: COMPLETE BY nemith

THANKS TO NEMITH

bootloader: Locked and Signed Irrelevant

uboot: CRACKED BY BAUWKS

THANKS TO BAUWKS

Quote:

Originally Posted by Loglud

bauwks method uses the flashing_boot.img to his advantage, and since it is not checked by security, effectively he has made an insecure uboot. While this is not an unlocked bootloader, it is a way to get around the security, and enable custom recovery and higher level processes to be run.

I have been looking at this line of code for a long time, and as im sure hkvc and bauwks saw it is a large (but 100% necessary) flaw:

distro/u-boot/board/omap4430sdp/mmc.c: 559 : setenv ("bootcmd", "setenv setbootargs setenv bootargs ${sdbootargs}; run setbootargs; mmcinit 0; fatload mmc 0:1 0x81000000 flashing_boot.img; booti 0x81000000");

Without this line of code, it would be impossible for any one but the factory whom could JTAG flash (but since it is secured, most likely they also have to make a flashing_boot.img).

12/9/11:

UBUNTU is here, thanks to ADAMOUTLER

http://www.youtube.com/watch?v=PwUg17pVWBs&hd=1
Keep in mind this is only an overlay verson but it is prof that one day we might be able to push roms and kernels over existing ones, then hijack then (next work) and then use them.

Please PM me or post if you know anything else, and or want to add anything.

Loglud · 06:02 PM

Usefull threads

Usefull threads:

ROOTING:
Full root for Nook Tablet. [11/20/11] [Yes this is a permanent root!] Thanks to indirect
Noot Tablet - Easy root & Market on MAC (1 download, 1 script to run) Thanks to t-r-i-c-k
[Windows/Linux] Unroot and uninstall gApps for the nook tablet [Scripts] Thanks to indirect

MODS to Default Rom:
[Full Mod + Root + OTA block] Snowball-mod: Full Modification Root [1/6/2012] Thanks to cfoesch
[DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! Thanks to [DEV][WIP] Enable init.d scripts and build.prop mods for Nook Tablet! 1 Attachment(s) (Multi-page thread 1 2 3 ... Last Page)
Originally Posted By: diamond_lover

Kernels:

Coming Soon

ROMS:

Coming Soon

APPS:
[Tutorial][WIP] Installing alternative Keyboards on the NT. Thanks to robertely
[DEV] - HomeCatcher Redirect n Button to any Launcher Thanks to gojimi
Hidden Settings App Updated 12/30/11 Thanks to brianf21
Replacement SystemUI.apk v2: Permanent back and menu buttons, n as Home button Thanks to revcompgeek

DEVELOPMENT:
[Dev]Files of interest in the system Thanks to indirect
[REF] Nook Tablet Source Code Thanks to diamond_lover
BHT Installer (Basic Hacking Tools) Thanks to AdamOutler
[Stock Firmware]Restore Barnes & Nobel Nook 1.4.0 from SDCard Thanks to AdamOutler

Loglud · 06:04 PM

Guides

Table of Contents

Enableing adb Connection (eab1)
Rooting using zergRush (rug2)
Installing busyboxy (ibb3)
Permanent root (pr4) THANKS TO INDIRECT
Installing GApps (aga5) THANKS TO ANLOG
Full system restore/wipe (fsr6) THANKS TO INDIRECT

Enableing adb Connection (eab1)

Install the andriod SDK that is required for your Operating system.

NOTE: This will requries the SDK, and JDK both of which can be downloaded by clicking the links, downloading and installing it.
Run the andriod SDK Manager and Install "Andriod SDK Platform-tools"

Modify your adb_usb.ini file to read such as the following:
Code:
```
# ANDROID 3RD PARTY USB VENDOR ID LIST -- DO NOT EDIT.
# USE 'android update adb' TO GENERATE.
# 1 USB VENDOR ID PER LINE.
0x2080
```
This will be in your /home/{username}/.andriod/ folder for mac and linux
This will be in your C:/Users/{username}/.andriod folder for Windows.

ADB is now enabled for your device, however it is not ON your device. YOU MUST DO THIS EVERY TIME YOU WISH TO ADB INTO YOUR DEVICE.

To do this you will need to download any app, and attempt to install it.
You can use this app if you need.

Click on the Package Installer, and then a prompt will pop up asking if you want change the settings to allow 3rd party apps.

*DO NOT ENABLE IF YOU WISH TO ACCESS ADB*
I am working on a way to have it enabled by default.

In the settings page you should see *2* USB Debuggin modes.

Press them both and accept the prompt.

PLUG IN YOUR DEVICE.
Note* You should see the Android Development icon on the bottom of the screen.

ADB will now be able to see your device. How ever you will need to restart the server before it sees it.

Rooting using zergRush (rug2)
This is for the poeople whom have access to adb. You will also need this file. Unzip the file.

Type in the following command (while in the folder with the zergRush Binary):
Code:
```
adb push ./zergRush /data/local
```

Once thats installed run this:
Code:
```
adb shell chmod 777 /data/local/tmp
```

And lastly:
Code:
```
adb shell /data/local/zergRush
```

You are now rooted (only for this reboot)

Installing busyboxy (ibb3)
You will need root and the following busybox file.

Type in the following command while in the location where busy box was downloaded to:
Code:
```
adb push ./busybox /data/local
```

Busybox works by calling binaries from a file outside of /system/bin/. We must make this file by issuing the following command:
Code:
```
adb shell mkdir /data/busybox
```

Lets make sure we can install busybox without permission probles:
Code:
```
adb shell chmod  777 /data/local/busybox
```

Next install busybox in the folder:
Code:
```
adb shell /data/local/busybox --install
```

We now need to take the /system/folder, and mount it as a writeable folder:

Code:

adb shell mount -rw -o remount /dev/block/platform/mmci-omap-hs.1/by-name/system /system

Link it into bin:

Code:

adb shell ln -s /data/local/busybox /system/bin/busybox

You now have busybox installed

Permanent root (pr4)
THANKS TO INDIRECT for Files and Scripts

We will need SU and Superuser.apk

First we need to install the Superuser.apk:

Code:

adb wait-for-device install Superuser.apk
adb remount

Next lets go ahead and push the su application up to the /data/local/ folder
Code:
```
adb push su /data/local/
```

Next we will need to change the permissions and cp su from the /data/local/ folder to the /system/bin/

Code:

adb shell chmod 4755 /data/local/su;mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system;busybox cp /data/local/su /system/bin

Installing GApps (eab1)
THANKS TO ANALOG and INDIRECT for Scripts

First things first we need to download the GAPPS. The most reacent one is this one or get the most recent one here.

Unzip and navigate to the most root folder of that package in your shell.

We need to verify that adb is booting into root. To do this we can issue the command:
Code:
```
adb shell id
```
If id doesn't return root then you will need to re-zergRush your device

Now it is time for us to export the apps to the directories.

Code:

adb shell mount -o remount,rw /dev/block/platform/mmci-omap-hs.1/by-name/system /system
adb push system/app/CarHomeGoogle.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/app/FOTAKill.apk /system/app/
adb shell chmod 644 /system/app/FOTAKill.apk
adb push system/app/GenieWidget.apk /system/app/
adb shell chmod 644 /system/app/GenieWidget.apk
adb push system/app/GoogleBackupTransport.apk /system/app/
adb shell chmod 644 /system/app/GoogleBackupTransport.apk
adb push system/app/GoogleCalendarSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleCalendarSyncAdapter.apk
adb push system/app/GoogleContactsSyncAdapter.apk /system/app/
adb shell chmod 644 /system/app/GoogleContactsSyncAdapter.apk
adb push system/app/GoogleFeedback.apk /system/app/
adb shell chmod 644 /system/app/GoogleFeedback.apk
adb push system/app/GooglePartnerSetup.apk /system/app/
adb shell chmod 644 /system/app/GooglePartnerSetup.apk
adb push system/app/GoogleQuickSearchBox.apk /system/app/
adb shell chmod 644 /system/app/GoogleQuickSearchBox.apk
adb push system/app/GoogleServicesFramework.apk /system/app/
adb shell chmod 644 /system/app/GoogleServicesFramework.apk
adb push system/app/LatinImeTutorial.apk /system/app/
adb shell chmod 644 /system/app/LatinImeTutorial.apk
adb push system/app/MarketUpdater.apk /system/app/
adb shell chmod 644 /system/app/MarketUpdater.apk
adb push system/app/MediaUploader.apk /system/app/
adb shell chmod 644 /system/app/MediaUploader.apk
adb push system/app/NetworkLocation.apk /system/app/
adb shell chmod 644 /system/app/NetworkLocation.apk
adb push system/app/OneTimeInitializer.apk /system/app/
adb shell chmod 644 /system/app/OneTimeInitializer.apk
adb push system/app/Talk.apk /system/app/
adb shell chmod 644 /system/app/Talk.apk
adb push system/app/Vending.apk /system/app/
adb shell chmod 644 /system/app/CarHomeGoogle.apk
adb push system/etc/permissions/com.google.android.maps.xml /system/etc/permissions/
adb push system/etc/permissions/features.xml /system/etc/permissions/
adb push system/framework/com.google.android.maps.jar /system/framework/
adb push system/lib/libvoicesearch.so /system/lib/

Now you have GApps installed from Anlog's. All Credits go to him and Indirect

Full system restore/wipe (fsr6)
THANKS TO INDIRECT

WARNING THIS WILL WIPE YOUR ENTIRE FILESYSTEM!!!

Go into adb shell or terminal emulator.
Issue command:
Code:
```
echo -n '0000' > /bootloader/BootCnt
```
Next reboot your device by conventional methods or issue:
Code:
```
reboot
```
Your nook will now restart and tell you it is resetting.
You now have a clean slate!

Drewmungus · 19th November 2011, 06:25 PM

Got some links for howto's on the adb connection/root.

cgdash · 07:48 PM

Yeah - if someone has details on how to adb connect and root, it'd be helpful to include links. I've yet to see specifics for either.

MechaGen · 19th November 2011, 09:30 PM

Reserved

Sent from Tapatalk, NOOK Color CM7 Nightly's!

Loglud · 19th November 2011, 09:43 PM

I aplogize im still typing them up

Indirect · 20th November 2011, 10:01 AM

Damn loglud, I ended up beating you to the root lol. Sorry about that! D:

scsione889 · 20th November 2011, 03:47 PM

The Droid 2 and Droid X had locked bootloaders with the 'e-fuse' and Koush got around them and installed CWM with this...

http://www.koushikdutta.com/2010/08/...-recovery.html

What do you guys think? I don't have a NT yet to try anything (probably won't get one until sometime around x-mas).

Loglud · 20th November 2011, 08:54 PM

l

Quote:

Originally Posted by Indirect

Damn loglud, I ended up beating you to the root lol. Sorry about that! D:

Its no problem at all. Hints why i posted these guides. I was hoping someone wouod figure it out. I found it last night too. It sucked cause im now back at my childhood home trying to get my macbook pro to boot fedora and windows. Im gonna repackage the root with Superoneclick. Thanks so much for your effort. Would you mind if i added that to the guides?