I managed to root my TF300 this week-end.
Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.
Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://forum.xda-developers.com/show....php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.
Here is the full guide, and the link to the binaries at the end.
Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs
Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.
Here is now the full guide:
Rooting the Asus Transformer TF300T
: first, use known method to get write access to the /system partition
adb push debugfs /data/local/ adb push su /data/local/ adb shell
$ cd /data/local/ $ mv tmp tmp.back
$ ln -s /dev/block/mmcblk0p1 tmp $ exit
$ ln -s /dev/block/mmcblk0p21 tmp $ exit
$ ln -s /dev/block/mmcblk0p9 tmp $ exit
$ ln -s /dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS tmp $ exit
adb reboot adb shell
$ cd /data/local
$ toolbox chmod 755 /data/local/debugfs $ /data/local/debugfs -w /data/local/tmp debugfs: cd xbin debugfs: rm su NOTE: if this is your first attempt, you should see an error message here, simply ignore it debugfs: write /data/local/su su debugfs: set_inode_field su mode 0106755 debugfs: set_inode_field su uid 0 debugfs: set_inode_field su gid 0 debugfs: quit $ rm /data/local/tmp $ mv /data/local/tmp.back /data/local/tmp $ exit
adb reboot adb shell $ /system/xbin/su # id id=0(root) gid=0(root) .... # exit
$ rm /data/local/su $ rm /data/local/debugfs $ exit
After installation, or if you previously installed, open it and check for an update, there should be one available. This will replace the non-securised su binary with the one provided by superuser. Reboot when asked to, and you're done.
And now here is the link for the binaries:
The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).
Please let me know how it goes for you.
Credits: wolf849 for the symlink exploit
EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it
Here is the URL:
I have created an automated tool using this root method and am looking for confirmation that it works on a Transformer 300.
ASUS TF300T .26 .29 .30
ASUS TF201 .21 .28
ASUS TF101 S/N B70* .24
ASUS PadFone IML74K.CHT_PadFone-220.127.116.11_CHT_9.1.15-0
SAMSUNG Galaxy II ICS 4.0.3
SAMSUNG Galaxy Tab 2 7"