5,597,354 Members 31,174 Now Online
XDA Developers Android and Mobile Development Forum

Rooting the TF300T *without* downgrading (from .29)

Tip us?
 
miloj
Old
(Last edited by miloj; 24th July 2012 at 04:17 PM.) Reason: Added a note about rm error message
#1  
miloj's Avatar
Member - OP
Thanks Meter 174
Posts: 58
Join Date: Jun 2012
Location: Nice

 
DONATE TO ME
Default Rooting the TF300T *without* downgrading (from .29)

Hello,

I managed to root my TF300 this week-end.

Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.

Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://forum.xda-developers.com/show....php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.

Here is the full guide, and the link to the binaries at the end.

Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs

Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.

Here is now the full guide:

Rooting the Asus Transformer TF300T
===================================

: first, use known method to get write access to the /system partition

Code:
adb push debugfs /data/local/
adb push su /data/local/
adb shell
Code:
$ cd /data/local/
$ mv tmp tmp.back
FOR TRANSFORMER (TF101 TF201 TF300T TF700T) ONLY:
Code:
$ ln -s /dev/block/mmcblk0p1 tmp
$ exit
FOR PADFONE ONLY:
Code:
$ ln -s /dev/block/mmcblk0p21 tmp
$ exit
FOR SAMSUNG GALAXY SII ONLY:
Code:
$ ln -s /dev/block/mmcblk0p9 tmp
$ exit
FOR SAMSUNG GALAXY TAB 2 7" ONLY: (see http://forum.xda-developers.com/show....php?t=1791193 thx to Nesquick95)
Code:
$ ln -s /dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS tmp
$ exit
Code:
adb reboot

adb shell
: some cleanup first

Code:
$ cd /data/local
: and now, let's do the dirty work

Code:
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
NOTE: if this is your first attempt, you should see an error message here, simply ignore it
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp
$ exit
: done, let's reboot and get root !

Code:
adb reboot
adb shell
$ /system/xbin/su
# id
id=0(root) gid=0(root) ....
# exit
: cleanup remaining files

Code:
$ rm /data/local/su
$ rm /data/local/debugfs
$ exit
Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.


After installation, or if you previously installed, open it and check for an update, there should be one available. This will replace the non-securised su binary with the one provided by superuser. Reboot when asked to, and you're done.


And now here is the link for the binaries:

http://db.tt/FBUNeVmo

The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).

Please let me know how it goes for you.

Credits: wolf849 for the symlink exploit

EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it
Here is the URL:
Quote:
Originally Posted by sparkym3 View Post
I have created an automated tool using this root method and am looking for confirmation that it works on a Transformer 300.

http://forum.xda-developers.com/show....php?t=1706588
EDIT1: Here are the devices successfully rooted so far:
ASUS TF300T .26 .29 .30
ASUS TF201 .21 .28
ASUS TF101 S/N B70* .24
ASUS PadFone IML74K.CHT_PadFone-9.18.8.41_CHT_9.1.15-0
ASUS TF700T
SAMSUNG Galaxy II ICS 4.0.3
SAMSUNG Galaxy Tab 2 7"

milo
The Following 136 Users Say Thank You to miloj For This Useful Post: [ Click to Expand ]
 
P05TMAN
Old
#2  
P05TMAN's Avatar
Senior Member
Thanks Meter 73
Posts: 251
Join Date: Aug 2011
Location: Boulder, CO
Quote:
Originally Posted by miloj View Post
Hello,

I managed to root my TF300 this week-end.

Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.

Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://forum.xda-developers.com/show....php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.

Here is the full guide, and the link to the binaries at the end.

Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs

Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.

Here is now the full guide:

Rooting the Asus Transformer TF300T
===================================

: first, use known method to get write access to the /system partition

adb push debugfs /data/local/
adb push su /data/local/
adb shell
$ cd /data/local/
$ mv tmp tmp.back
$ ln -s /dev/block/mmcblk0p1 tmp
$ exit
adb reboot

adb shell

: some cleanup first

$ cd /data/local
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp

: and now, let's do the dirty work

$ chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /dev/block/mmcblk0p1
debugfs: cd xbin
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0104755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit

: done, let's reboot and get root !

adb reboot
adb shell
$ /system/xbin/su
# id
id=0(root) gid=0(root) ....
# exit

: cleanup remaining files

$ rm /data/local/su
$ rm /data/local/debugfs

Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.

And now here is the link for the binaries:

http://db.tt/FBUNeVmo

The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).

Please let me know how it goes for you.

Credits: wolf849 for the symlink exploit

milo
If this proves to be successful across multiple users, I may try this out; I'm excited to see how this information pans out.
 
miloj
Old
(Last edited by miloj; 11th June 2012 at 12:58 PM.)
#3  
miloj's Avatar
Member - OP
Thanks Meter 174
Posts: 58
Join Date: Jun 2012
Location: Nice

 
DONATE TO ME
FYI, there was one success in this thread: http://forum.xda-developers.com/show....php?t=1688994 where I originally posted.

milo
The Following 2 Users Say Thank You to miloj For This Useful Post: [ Click to Expand ]
 
gasingvar
Old
#4  
Member
Thanks Meter 18
Posts: 54
Join Date: Apr 2008
Yep. That was me.
In essence I had a locked (can get OTA), not rooted device with .26 WW firmware.
Now I've got a locked (can still get OTA unless Asus changes something), rooted device with .29 WW firmware.
This is the holy grail for tf300t users at the moment.

I'm so happy!
The Following User Says Thank You to gasingvar For This Useful Post: [ Click to Expand ]
 
miloj
Old
#5  
miloj's Avatar
Member - OP
Thanks Meter 174
Posts: 58
Join Date: Jun 2012
Location: Nice

 
DONATE TO ME
For information, I just rooted a friend's TF201 with the same method


Sent from my ASUS Transformer Pad TF300T using XDA
ASUS TF300T Stock - SAMSUNG Galaxy SIII Stock - HTC Desire HD CM7 - Got root !
The Following User Says Thank You to miloj For This Useful Post: [ Click to Expand ]
 
Lyshalia
Old
#6  
Lyshalia's Avatar
Junior Member
Thanks Meter 2
Posts: 23
Join Date: Feb 2011
Thumbs up Confirmed

CONFIRMED!
I rooted my WW.29 this way. No need to downgrade to .17 first.
Thank you, thank you, thank you
The Following User Says Thank You to Lyshalia For This Useful Post: [ Click to Expand ]
 
MarcoHafkamp
Old
(Last edited by MarcoHafkamp; 11th June 2012 at 09:32 PM.)
#7  
MarcoHafkamp's Avatar
Senior Member
Thanks Meter 14
Posts: 117
Join Date: Feb 2011
It worked! Simpel and easy on ww29 locked!

Thanks!!!
 
mcho19
Old
#8  
mcho19's Avatar
Member
Thanks Meter 0
Posts: 65
Join Date: Mar 2009
Location: Bellingham
Confirmed working on US .29!

Edit: Does trying adb remount and failing have anything to do with the root or am I not understanding the adb command?

Asus EEE Pad Transformer T300T (Rooted)
CM 10

Samsung T989 Galaxy S2(Rooted)
CM 10

Asus EEE Pad Transformer TFT101(Rooted/Retired)
Prime 2.0.3

HTC Incredible (Rooted/Retired)
MIUI

G1 (Rooted/Retired)
CM 6
 
NJ_RAMS_FAN
Old
(Last edited by NJ_RAMS_FAN; 11th June 2012 at 07:04 PM.)
#9  
NJ_RAMS_FAN's Avatar
Senior Member
Thanks Meter 54
Posts: 467
Join Date: Sep 2011
Location: West New York, NJ
Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine.
Me: Nexus 5 Tablet: LG Pad 8.3
Wife: Samsung Galaxy S IV SGH-M919 Tablet: Tab 3 8.0


Retired: T-Mobile G2x (2 Sold), HTC Amaze 4g (sold), GSM Galaxy Nexus (Broke ), Galaxy S II T-989(Sold), Galaxy S III T-999(Sold) Tablets: Samsung 7.0 Plus (Sold), Samsung 2 7.0 (Sold), Asus TF300 (Sold)
 
miloj
Old
(Last edited by miloj; 11th June 2012 at 07:25 PM.)
#10  
miloj's Avatar
Member - OP
Thanks Meter 174
Posts: 58
Join Date: Jun 2012
Location: Nice

 
DONATE TO ME
Quote:
Originally Posted by NJ_RAMS_FAN View Post
Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine.
Because risk was too high in my opinion:

- risk to brick when injecting the blob into mmcblk0p4 (if the tablet reboot in the middle, I guess you get a 500 brick)
- risk to not receiving any ASUS OTA (many users have reported this, I didn't want to test it myself)

The procedure was also a bit too complex, between US, DE, DE to WW, and WW blobs.

Also the .17 WW blob is nowhere available.

With my method, there is one risk, it is if the tablet reboot in the middle of writing into the partition. But I guess than, like any other linux (or unix for that matter), the android boot would run fsck on the partition and get it repaired.

And my method is faster !!

Sent from my ASUS Transformer Pad TF300T using XDA
ASUS TF300T Stock - SAMSUNG Galaxy SIII Stock - HTC Desire HD CM7 - Got root !

The Following 4 Users Say Thank You to miloj For This Useful Post: [ Click to Expand ]
Tags
root, tf300, transformer
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes