Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,812,421 Members 39,009 Now Online
XDA Developers Android and Mobile Development Forum

[ROOT] TPSparkyRoot - ICS

Tip us?
 
sparkym3
Old
(Last edited by sparkym3; 10th May 2012 at 01:10 AM.) Reason: Update for new phone and Android patch
#1  
sparkym3's Avatar
Recognized Contributor - OP
Thanks Meter 794
Posts: 428
Join Date: Dec 2011

 
DONATE TO ME
Default [ROOT] TPSparkyRoot - ICS

I have your ICS root ready, how about we call it TPSparkyRoot. I based my research on code written by Dan Rosenberg (similar to what jchase did with NachoRoot in the fact that chown/chmod follows symlinks even when set during startup), here is a link to that research http://vulnfactory.org/blog/2011/08/...g-the-droid-3/

**UPDATE**
Android's source has been patched so that future OEMs can not leave this hole open by accident.
https://android-review.googlesource.com/#/c/36035/

**UPDATE**
This method has been shown to work on the HTC One X see forum
http://forum.xda-developers.com/show....php?t=1644167

Theoretically this should work on Honeycomb versions of the Prime as well, since the Honeycomb update is where I found the flaw that is being exploited. I have confirmed this works on my Prime.

**UPDATE**
This exploit does not currently work for the latest ICS update released (v9.4.2.11 on 1/18/2012). You can use OTA Rootkeeper to backup your root prior to updating using OTA, which I have confirmed to work on my device, (this may not work if you push the update manually).
https://market.android.com/details?i....otarootkeeper
For the devs out there, it does not to honor the ro.kernel.qemu=1 setting within the local.prop because it is already set to blank by that point by the build.prop


You must have your Prime set up to use adb and your adb location contained in your path variable (windows) or unzip the files from my zip into that directory before running.
**UPDATED**
If you are have issues getting adb working, make sure asus sync is not running, if it is then kill it.


adb shell mv /data/local/tmp /data/local/tmp.bak
adb shell ln -s /data /data/local/tmp
adb reboot
adb shell rm /data/local.prop > nul
adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
adb reboot
adb shell id
//IF ID IS 0/root THEN CONTINUE, ELSE START OVER>
adb remount
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
//UNDO EVERYTHING EXCEPT su
adb shell rm /data/local.prop
adb shell rm /data/local/tmp
adb shell mv /data/local/tmp.bak /data/local/tmp
adb reboot

**UPDATE** As jchase stated "If your device "bootloops" don't stress, just follow through with the commands as it "loops" ro.kernel.qemu can do funky stuff." I did notice this in my rooting but just assumed it was normal as this is my first use of adb.

**UPDATE2**
If you get a permissions error on the call
adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
then you may try
adb shell rm /data/local.prop
And then try the echo command again. This may be due to having rooted prior without cleaning up properly. Thanks to Franky_402 for this piece of info.
I have updated the batch file to include this step, it should still be fine for those who are not having the issue as well.

I have attached a zip file containing the su and a bat file for a more automated process (just pauses when during reboots, don’t hit go until it’s done rebooting). Or, you can run the commands manually and get the su file from the origin http://downloads.androidsu.com/super...ghi-signed.zip

Finally, install Superuser to make it all work https://market.android.com/details?i...fou.android.su

**UPDATE** UNROOT
There are multiple was to unroot now that you have root access already (all you need to do is remove the su file; so you could potential skip all the steps before the remount and just add the local.prop manually using a file manager and then reboot).

The one most similar way to how you rooted would be to follow all of the steps above, but replace these 3 lines
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su

with this line
adb shell rm /system/xbin/su

This will remove the actual root, but it would leave behind any apps that you have given root access to or any files that those apps changed themselves (i.e. RootKeeper backs up the su file and the backup would need to be removed). If you had anything like this you would need to clean up that first before unrooting because it is a dead giveaway that it was rooted.

Viperboy should be releasing his tool shortly that utilizes this method, if you would like a one click process that installs apps along with it (superuser, busybox). I’m guessing it installed them to the root apps directory so these also would need to be removed when unrooting as well (i.e. if you root using his new tool you should unroot using it as well).

**UPDATED** Remove PayPal link in favor of link over there <-
Attached Files
File Type: zip TPSparkyRoot.zip - [Click for QR Code] (6.8 KB, 15076 views)
The Following 90 Users Say Thank You to sparkym3 For This Useful Post: [ Click to Expand ]
 
sparkym3
Old
#2  
sparkym3's Avatar
Recognized Contributor - OP
Thanks Meter 794
Posts: 428
Join Date: Dec 2011

 
DONATE TO ME
Yes, as it says, I went from the same base exploit that was shown by Dan and was the base for jchase as well.
 
Haro912
Old
(Last edited by Mikey; 11th January 2012 at 10:53 PM.)
#3  
Senior Member
Thanks Meter 155
Posts: 1,645
Join Date: Jul 2011
Location: Pittsburgh

 
DONATE TO ME
The commands more than likely are but the exploit must be different or Jcases rot would still be working... Thanks OP!!!

EDIT: He didn't "ask" for donations just gave a link since he doesn't have the donate button <<over there
Devices: LG G3, Transformer Prime
------------------
Asus Transformer Prime
ROM: AOKP by Jermaine151
Kernel: Motley by _Motley
------------------
LG G3:
ROM: Stock
Kernel: Stock
 
jcase
Old
(Last edited by Mikey; 11th January 2012 at 10:54 PM.)
#4  
jcase's Avatar
Forum Moderator / Senior Recognized Developer - Taco Vendor
Thanks Meter 7,649
Posts: 3,757
Join Date: Feb 2010
Location: Sequim WA

 
DONATE TO ME
Not mine at all, props to this guy! Send him some bones.
I'm taking a break of an undetermined length. Please don't contact me about exploits

Something important? jcase@cunninglogic.com
Like Android security topics? Join our G+ community -> https://plus.google.com/communities/...07618051049043
The Following 9 Users Say Thank You to jcase For This Useful Post: [ Click to Expand ]
 
sparkym3
Old
#5  
sparkym3's Avatar
Recognized Contributor - OP
Thanks Meter 794
Posts: 428
Join Date: Dec 2011

 
DONATE TO ME
Yes, thanks, I did not realize that there was a donate button as I am still learning this forum.
The Following User Says Thank You to sparkym3 For This Useful Post: [ Click to Expand ]
 
jcase
Old
#6  
jcase's Avatar
Forum Moderator / Senior Recognized Developer - Taco Vendor
Thanks Meter 7,649
Posts: 3,757
Join Date: Feb 2010
Location: Sequim WA

 
DONATE TO ME
This root is confirmed!

If your device "bootloops" don't stress, just follow through with the commands as it "loops" ro.kernel.qemu can do funky stuff.

Good ****.
I'm taking a break of an undetermined length. Please don't contact me about exploits

Something important? jcase@cunninglogic.com
Like Android security topics? Join our G+ community -> https://plus.google.com/communities/...07618051049043
The Following 4 Users Say Thank You to jcase For This Useful Post: [ Click to Expand ]
 
Haro912
Old
#7  
Senior Member
Thanks Meter 155
Posts: 1,645
Join Date: Jul 2011
Location: Pittsburgh

 
DONATE TO ME
Quote:
Originally Posted by sparkym3 View Post
Yes, thanks, I did not realize that there was a donate button as I am still learning this forum.
Yeah it's in the User Control Panel on the top of the forum
Devices: LG G3, Transformer Prime
------------------
Asus Transformer Prime
ROM: AOKP by Jermaine151
Kernel: Motley by _Motley
------------------
LG G3:
ROM: Stock
Kernel: Stock
The Following User Says Thank You to Haro912 For This Useful Post: [ Click to Expand ]
 
Diamondback
Old
#8  
Diamondback's Avatar
Developer Committee / Senior Moderator / Recognized Developer
Thanks Meter 6,341
Posts: 4,384
Join Date: Jan 2010
"Reported" your thread to a mod, so he can move it to the dev section

And welcome to XDA Don't let the trolls take your love for android

Contact the Developer Committee with any questions or concerns regarding
the Recognized Developer program.
Mention my name with @Diamondback in any post to easily get my attention.
Please use BB Codes to format your posts.
 
Diamondback
Old
#9  
Diamondback's Avatar
Developer Committee / Senior Moderator / Recognized Developer
Thanks Meter 6,341
Posts: 4,384
Join Date: Jan 2010
Quote:
Originally Posted by jcase View Post
This root is confirmed!

If your device "bootloops" don't stress, just follow through with the commands as it "loops" ro.kernel.qemu can do funky stuff.

Good ****.
OP, maybe put that in the OP, so users don't panic :P

Contact the Developer Committee with any questions or concerns regarding
the Recognized Developer program.
Mention my name with @Diamondback in any post to easily get my attention.
Please use BB Codes to format your posts.
 
Chainfire
Old
#10  
Chainfire's Avatar
Senior Moderator / Senior Recognized Developer - Where is my shirt?
Thanks Meter 49,977
Posts: 9,089
Join Date: Oct 2007

 
DONATE TO ME
Moved to development.
BLOG - G+(Chainfire) - G+(Personal) - TWITTER - IRC - PAYPAL - BTC 1JeoxivKEXbbiegsv1BrUC7fD7GgSPcqkG

A proper quote includes only the relevant paragraphs, and a proper post never ends with the word "why"

 

Android
HTC G1, Hero, One
LG G Pad 8.3, G Watch, G3
Moto E
Samsung i5800, i9000*2, P1000*2, P7100, i9100*2, N7000, P6800, i9300, N7100, i9505, N9005, G900F
Sony T LT30p, Z C6603
Nexus Galaxy*2, N7*2, N10, N7-2013, N7-2013-3G, N5

SuperSU, Mobile ODIN, TriangleAway, DSLR Controller, CF-Root, 500 Firepaper, OpenDelta, USB Host Diagnostics, ExynosAbuseAPK, Live dmesg+logcat, NoMoarPowah!, CF-Bench, Chainfire3D, CF.lumen, SGS2 SIM Unlocker, GingerBreakAPK, SuperPower, and more!

Windows Mobile 5/6
E-Mobile EM-ONE
HTC Wizard*2, Kaiser, Touch, Diamond, Pro, HD*2, Diamond 2, Pro 2*2, HD2*2
Samsung i780, i900*2, i8000*2, b7300, b7320, b7330, b7620*2, b6520

WMWifiRouter, KaiserTweak, FPUEnabler, WMLongLife, WMRegOptimizer, CFC+GUI, TF3D+v2 ports, Kaiser+Omnia2+Snapdragon 3D drivers, GfxBoost, and more!

Windows Phone 7
LG GW910

iOS
Apple iPad 3, iPad Mini 2


NOTICE: I do not respond to tech support questions through PM.

The Following User Says Thank You to Chainfire For This Useful Post: [ Click to Expand ]
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes