Rooting the TF300T *without* downgrading (from .29)
I managed to root my TF300 this week-end.
Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.
Long story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://forum.xda-developers.com/show....php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.
Here is the full guide, and the link to the binaries at the end.
Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs
Of course, there is no guarantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.
Here is now the full guide:
Rooting the Asus Transformer TF300T
: first, use known method to get write access to the /system partition
adb push debugfs /data/local/
adb push su /data/local/
FOR TRANSFORMER (TF101 TF201 TF300T TF700T) ONLY:
$ cd /data/local/
$ mv tmp tmp.back
FOR PADFONE ONLY:
$ ln -s /dev/block/mmcblk0p1 tmp
FOR SAMSUNG GALAXY SII ONLY:
$ ln -s /dev/block/mmcblk0p21 tmp
FOR SAMSUNG GALAXY TAB 2 7" ONLY: (see http://forum.xda-developers.com/show....php?t=1791193 thx to Nesquick95)
$ ln -s /dev/block/mmcblk0p9 tmp
$ ln -s /dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS tmp
: some cleanup first
: and now, let's do the dirty work
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
NOTE: if this is your first attempt, you should see an error message here, simply ignore it
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp
: done, let's reboot and get root !
id=0(root) gid=0(root) ....
: cleanup remaining files
Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.
$ rm /data/local/su
$ rm /data/local/debugfs
After installation, or if you previously installed it, open it and check for an update; there should be one available. This will replace the non-secured su binary with the one provided by superuser. Reboot when asked to, and you're done.
And now here is the link for the binaries:
The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).
Please let me know how it goes for you.
Credits: wolf849 for the symlink exploit
EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it
Here is the URL:
EDIT1: Here are the devices successfully rooted so far:
ASUS TF300T .26 .29 .30
ASUS TF201 .21 .28
ASUS TF101 S/N B70* .24
ASUS PadFone IML74K.CHT_PadFone-18.104.22.168_CHT_9.1.15-0
SAMSUNG Galaxy II ICS 4.0.3
SAMSUNG Galaxy Tab 2 7"
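
What the `set_inode_field su mode 0106755` step leaves on the system partition, as an added example that is not part of the original post: Python code that decodes that mode value and flags root-owned setuid/setgid regular files in a file listing, which is how such a binary shows up in an audit. The sample entries, their paths and the allowlist are constructed for illustration.

```python
import os
import stat

def describe_mode(mode):
    """Decode an ext2/3/4 inode mode field such as the 0106755 used in the guide."""
    return {
        "text": stat.filemode(mode),               # ls-style string
        "regular": stat.S_ISREG(mode),             # 0100000 = regular file
        "setuid": bool(mode & stat.S_ISUID),       # 04000
        "setgid": bool(mode & stat.S_ISGID),       # 02000
        "perms": oct(stat.S_IMODE(mode) & 0o777),  # rwx bits only
    }

def flag_privileged(entries, allowlist=frozenset()):
    """Return (path, mode string) for regular files that run as uid 0 or gid 0."""
    hits = []
    for path, mode, uid, gid in entries:
        if not stat.S_ISREG(mode) or path in allowlist:
            continue
        suid_root = bool(mode & stat.S_ISUID) and uid == 0
        sgid_root = bool(mode & stat.S_ISGID) and gid == 0
        if suid_root or sgid_root:
            hits.append((path, stat.filemode(mode)))
    return hits

def scan(root):
    """Yield (path, mode, uid, gid) under root; lstat so symlinks are not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            yield full, st.st_mode, st.st_uid, st.st_gid

# Constructed sample listing (not taken from a real device).
SAMPLE = [
    ("/system/xbin/su", 0o106755, 0, 0),        # mode/uid/gid as set in the guide
    ("/system/bin/sh", 0o100755, 0, 2000),
    ("/system/bin/run-as", 0o104750, 0, 2000),  # assumed to be an expected setuid tool
    ("/system/xbin", 0o040755, 0, 2000),        # directory, ignored
]

if __name__ == "__main__":
    print(describe_mode(0o106755))
    for path, text in flag_privileged(SAMPLE, allowlist={"/system/bin/run-as"}):
        print("unexpected privileged file:", path, text)
```

To audit a mounted copy of a system image instead of the sample, pass `scan("/path/to/mount")` as the `entries` argument.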