Post Reply

[ROOT] TPSparkyRoot - ICS

OP sparkym3

11th January 2012, 08:24 AM   |  #1  
sparkym3's Avatar
OP Recognized Contributor
Thanks Meter: 795
 
428 posts
Join Date:Joined: Dec 2011
Donate to Me
More
I have your ICS root ready, how about we call it TPSparkyRoot. I based my research on code written by Dan Rosenberg (similar to what jchase did with NachoRoot in the fact that chown/chmod follows symlinks even when set during startup), here is a link to that research http://vulnfactory.org/blog/2011/08/...g-the-droid-3/

**UPDATE**
Android's source has been patched so that future OEMs can not leave this hole open by accident.
https://android-review.googlesource.com/#/c/36035/

**UPDATE**
This method has been shown to work on the HTC One X see forum
http://forum.xda-developers.com/show....php?t=1644167

Theoretically this should work on Honeycomb versions of the Prime as well, since the Honeycomb update is where I found the flaw that is being exploited. I have confirmed this works on my Prime.

**UPDATE**
This exploit does not currently work for the latest ICS update released (v9.4.2.11 on 1/18/2012). You can use OTA Rootkeeper to backup your root prior to updating using OTA, which I have confirmed to work on my device, (this may not work if you push the update manually).
https://market.android.com/details?i....otarootkeeper
For the devs out there, it does not to honor the ro.kernel.qemu=1 setting within the local.prop because it is already set to blank by that point by the build.prop


You must have your Prime set up to use adb and your adb location contained in your path variable (windows) or unzip the files from my zip into that directory before running.
**UPDATED**
If you are have issues getting adb working, make sure asus sync is not running, if it is then kill it.


adb shell mv /data/local/tmp /data/local/tmp.bak
adb shell ln -s /data /data/local/tmp
adb reboot
adb shell rm /data/local.prop > nul
adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
adb reboot
adb shell id
//IF ID IS 0/root THEN CONTINUE, ELSE START OVER>
adb remount
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
//UNDO EVERYTHING EXCEPT su
adb shell rm /data/local.prop
adb shell rm /data/local/tmp
adb shell mv /data/local/tmp.bak /data/local/tmp
adb reboot

**UPDATE** As jchase stated "If your device "bootloops" don't stress, just follow through with the commands as it "loops" ro.kernel.qemu can do funky stuff." I did notice this in my rooting but just assumed it was normal as this is my first use of adb.

**UPDATE2**
If you get a permissions error on the call
adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
then you may try
adb shell rm /data/local.prop
And then try the echo command again. This may be due to having rooted prior without cleaning up properly. Thanks to Franky_402 for this piece of info.
I have updated the batch file to include this step, it should still be fine for those who are not having the issue as well.

I have attached a zip file containing the su and a bat file for a more automated process (just pauses when during reboots, don’t hit go until it’s done rebooting). Or, you can run the commands manually and get the su file from the origin http://downloads.androidsu.com/super...ghi-signed.zip

Finally, install Superuser to make it all work https://market.android.com/details?i...fou.android.su

**UPDATE** UNROOT
There are multiple was to unroot now that you have root access already (all you need to do is remove the su file; so you could potential skip all the steps before the remount and just add the local.prop manually using a file manager and then reboot).

The one most similar way to how you rooted would be to follow all of the steps above, but replace these 3 lines
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su

with this line
adb shell rm /system/xbin/su

This will remove the actual root, but it would leave behind any apps that you have given root access to or any files that those apps changed themselves (i.e. RootKeeper backs up the su file and the backup would need to be removed). If you had anything like this you would need to clean up that first before unrooting because it is a dead giveaway that it was rooted.

Viperboy should be releasing his tool shortly that utilizes this method, if you would like a one click process that installs apps along with it (superuser, busybox). I’m guessing it installed them to the root apps directory so these also would need to be removed when unrooting as well (i.e. if you root using his new tool you should unroot using it as well).

**UPDATED** Remove PayPal link in favor of link over there <-
Attached Files
File Type: zip TPSparkyRoot.zip - [Click for QR Code] (6.8 KB, 15257 views)
Last edited by sparkym3; 10th May 2012 at 01:10 AM. Reason: Update for new phone and Android patch
The Following 90 Users Say Thank You to sparkym3 For This Useful Post: [ View ]
11th January 2012, 08:31 AM   |  #2  
sparkym3's Avatar
OP Recognized Contributor
Thanks Meter: 795
 
428 posts
Join Date:Joined: Dec 2011
Donate to Me
More
Yes, as it says, I went from the same base exploit that was shown by Dan and was the base for jchase as well.
11th January 2012, 08:31 AM   |  #3  
Senior Member
Flag Pittsburgh
Thanks Meter: 156
 
1,645 posts
Join Date:Joined: Jul 2011
Donate to Me
More
The commands more than likely are but the exploit must be different or Jcases rot would still be working... Thanks OP!!!

EDIT: He didn't "ask" for donations just gave a link since he doesn't have the donate button <<over there
Last edited by Mikey; 11th January 2012 at 10:53 PM.
11th January 2012, 08:33 AM   |  #4  
jcase's Avatar
Forum Moderator / Senior Recognized Developer - Taco Vendor
Flag Sequim WA
Thanks Meter: 8,064
 
3,858 posts
Join Date:Joined: Feb 2010
Donate to Me
More
Not mine at all, props to this guy! Send him some bones.
Last edited by Mikey; 11th January 2012 at 10:54 PM.
The Following 9 Users Say Thank You to jcase For This Useful Post: [ View ]
11th January 2012, 08:36 AM   |  #5  
sparkym3's Avatar
OP Recognized Contributor
Thanks Meter: 795
 
428 posts
Join Date:Joined: Dec 2011
Donate to Me
More
Yes, thanks, I did not realize that there was a donate button as I am still learning this forum.
The Following User Says Thank You to sparkym3 For This Useful Post: [ View ]
11th January 2012, 08:39 AM   |  #6  
jcase's Avatar
Forum Moderator / Senior Recognized Developer - Taco Vendor
Flag Sequim WA
Thanks Meter: 8,064
 
3,858 posts
Join Date:Joined: Feb 2010
Donate to Me
More
This root is confirmed!

If your device "bootloops" don't stress, just follow through with the commands as it "loops" ro.kernel.qemu can do funky stuff.

Good ****.
The Following 4 Users Say Thank You to jcase For This Useful Post: [ View ]
11th January 2012, 08:39 AM   |  #7  
Senior Member
Flag Pittsburgh
Thanks Meter: 156
 
1,645 posts
Join Date:Joined: Jul 2011
Donate to Me
More
Quote:
Originally Posted by sparkym3

Yes, thanks, I did not realize that there was a donate button as I am still learning this forum.

Yeah it's in the User Control Panel on the top of the forum
The Following User Says Thank You to Haro912 For This Useful Post: [ View ]
11th January 2012, 08:40 AM   |  #8  
Diamondback's Avatar
Developer Committee / Senior Moderator / Recognized Developer
Thanks Meter: 6,397
 
4,431 posts
Join Date:Joined: Jan 2010
More
"Reported" your thread to a mod, so he can move it to the dev section

And welcome to XDA Don't let the trolls take your love for android
11th January 2012, 08:41 AM   |  #9  
Diamondback's Avatar
Developer Committee / Senior Moderator / Recognized Developer
Thanks Meter: 6,397
 
4,431 posts
Join Date:Joined: Jan 2010
More
Quote:
Originally Posted by jcase

This root is confirmed!

If your device "bootloops" don't stress, just follow through with the commands as it "loops" ro.kernel.qemu can do funky stuff.

Good ****.

OP, maybe put that in the OP, so users don't panic :P
11th January 2012, 08:43 AM   |  #10  
Chainfire's Avatar
Senior Moderator / Senior Recognized Developer - Where is my shirt?
Thanks Meter: 51,517
 
9,238 posts
Join Date:Joined: Oct 2007
Donate to Me
More
Moved to development.

The Following User Says Thank You to Chainfire For This Useful Post: [ View ]
Post Reply Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes