XDA Developers Android and Mobile Development Forum

[ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit

djrbliss (Recognized Developer, OP), post #1
(Last edited by djrbliss; 24th October 2012 at 11:37 AM.)

I have successfully rooted the AT&T HTC One X running build 2.20.

In the previous build (1.85), S-ON was only partially enforced, so it was possible to modify the /system partition without having unlocked the bootloader, in order to install su and Superuser.apk. This was changed in build 2.20: full S-ON is now in effect. As a result, it is no longer possible to write to /system even after remounting it as writable, since the S-ON feature has NAND-locked the storage.

In other words, it's impossible to have a "permanent root" on 2.20 in the traditional sense without unlocking the bootloader.

I have prepared an exploit that gains temporary root access by leveraging two vulnerabilities and uses these newly gained root privileges to overwrite the CID ("superCID"), so that it's possible to unlock the bootloader via HTC's website. I'm sorry if you'd prefer to not unlock your bootloader this way, but there are no other options for root access available.

===========
DISCLAIMER
===========

This exploit modifies the CID of your device. Doing so likely voids your warranty, and may be in violation of your contract with AT&T (I am not a lawyer). Additionally, while this exploit has been tested and has not been observed to cause any negative side effects in practice, I am in no way responsible if it turns your device into an expensive paperweight.

=============
INSTRUCTIONS
=============

1. Download the exploit from:
http://vulnfactory.org/public/X_Factor_Windows.zip

Edit: Linux/Mac version available here. Thanks to Jesse Osiecki (@jesseosiecki) for suggesting I support this and providing me with a working version (that I ended up re-writing):
http://vulnfactory.org/public/X_Factor_Linux_OSX.zip


2. Extract the entire zip file.

3. Connect your device via USB, ensure you have the latest HTC USB drivers installed (only on Windows), and ensure USB debugging mode is enabled.

4. Double-click "run.bat", or if running Linux or OSX, open a terminal, change directories to the extracted exploit, and run "./run.sh".

5. Follow the instructions printed by the exploit. You will need to authorize two backup restorations during the exploit's execution.

6. If the exploit is successful, it will print "[+] Set CID!". If it does not print this, the exploit has failed, so please do not continue.

7. The exploit will automatically reboot into bootloader mode. Press enter after bootloader mode is finished booting, and the exploit will print your CID. If the exploit was successful, it should return "11111111" as your CID.

8. If your CID was successfully set, press enter to generate an unlock token.

9. Visit htcdev.com, navigate to the "Bootloader unlock" section, choose "All other supported models" from the drop-down menu, and provide the unlock token when asked.

10. After unlocking the bootloader, you can flash a custom recovery partition via fastboot, boot into recovery mode, and use a recovery ADB shell or install from an update.zip to install Superuser and su (I do not provide support for custom recoveries, but this is a straightforward process that other people can help with).

======
NOTES
======

I am not affiliated with any Android forum or group, including XDA - this is just where I've chosen to publish this exploit.

Portions of this exploit are similar in concept to the ADB backup/restore exploit published by Bin4ry, but the vulnerability used in this exploit is entirely distinct from Bin4ry's.

========
CREDITS
========

Thanks to Michael Coppola for pointing me at the vulnerable driver I leverage for the second phase of the exploit, and props for independently discovering the same vulnerability I used. Thanks to jcase and P3Droid for their continuing support - I owe you guys beers.

======
Paypal
======
http://goo.gl/zBGb0
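An added example, not part of djrbliss's X-Factor package or of the instructions above: POSIX shell helpers that script the two checks in steps 7 and 8, i.e. "does the bootloader now report CID 11111111?" and "pull the HTCdev identifier token out of fastboot's output". Both parse text in the format fastboot prints for OEM command responses (each response line prefixed with "(bootloader) "); the exact wording of `fastboot oem readcid` output, the AT&T CID value CWS__001 and the token hex lines are assumptions, and all sample outputs below are constructed, not captured from a device, so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of djrbliss's X-Factor package: helpers that
# script the checks in steps 7 and 8 of the instructions above. They parse
# the "(bootloader) ..." lines fastboot prints for OEM commands; the
# samples below are constructed, not captured from a real device.

# Constructed sample of `fastboot oem readcid` after a successful run.
SAMPLE_READCID_OK='...
(bootloader) cid: 11111111
OKAY [  0.012s]
finished. total time: 0.012s'

# Constructed sample for a device still carrying a carrier CID
# (CWS__001 is assumed here to be the AT&T CID; any non-SuperCID value
# would do for the check).
SAMPLE_READCID_STOCK='...
(bootloader) cid: CWS__001
OKAY [  0.011s]
finished. total time: 0.011s'

# Constructed sample of `fastboot oem get_identifier_token`. The Start/End
# markers are the ones the HTCdev form expects; the hex lines are fake.
SAMPLE_TOKEN='...
(bootloader) < Please cut following message >
(bootloader) <<<< Identifier Token Start >>>>
(bootloader) 00000000000000000000000000000000
(bootloader) 11111111111111111111111111111111
(bootloader) 22222222222222222222222222222222
(bootloader) <<<<< Identifier Token End >>>>>
OKAY [  0.020s]
finished. total time: 0.020s'

# parse_cid OUTPUT: print the CID reported in readcid output (empty if none).
parse_cid() {
    printf '%s\n' "$1" |
        sed -n 's/^(bootloader) cid: *\([A-Za-z0-9_]*\).*$/\1/p' |
        head -n 1
}

# is_supercid OUTPUT: succeed only when the CID is exactly 11111111.
# Anything else means the exploit did not set the CID; stop there, as
# step 6 says, instead of going on to generate an unlock token.
is_supercid() {
    [ "$(parse_cid "$1")" = "11111111" ]
}

# extract_token OUTPUT: print the token block (Start marker through End
# marker) with the "(bootloader) " prefix stripped, ready to paste into
# the HTCdev form. Prints nothing if the Start marker is missing.
extract_token() {
    printf '%s\n' "$1" |
        sed -n '/<<<< Identifier Token Start >>>>/,/<<<<< Identifier Token End >>>>>/p' |
        sed 's/^(bootloader) //'
}

# token_is_complete OUTPUT: succeed only if both markers are present, so a
# truncated or failed get_identifier_token is not submitted by mistake.
token_is_complete() {
    tok=$(extract_token "$1")
    case "$tok" in
        *"<<<< Identifier Token Start >>>>"*"<<<<< Identifier Token End >>>>>") return 0 ;;
        *) return 1 ;;
    esac
}

# Against a real device in bootloader mode (commented out so the script
# runs offline; fastboot writes OEM responses to stderr, hence 2>&1):
#   if is_supercid "$(fastboot oem readcid 2>&1)"; then
#       extract_token "$(fastboot oem get_identifier_token 2>&1)" > token.txt
#   fi
if is_supercid "$SAMPLE_READCID_OK"; then
    extract_token "$SAMPLE_TOKEN"
fi
```

The CID gate mirrors step 6: nothing after it runs unless the bootloader itself reports 11111111, which is a stronger check than trusting the "[+] Set CID!" line, since the exploit's own message is printed before the reboot. `token_is_complete` guards the other failure mode, a token block cut off before the End marker, which HTCdev would reject anyway but is cheaper to catch locally.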
 
qwertyaas (Senior Member), post #2

Awesome job!
 
kancherlapraneeth (Senior Member, Hyderabad, India), post #3

Thanks for this djrbliss .. root.. yeah!!
 
rohan32 (Forum Moderator / Recognized Developer, New Jersey), post #4

Great work man! Congrats.

And welcome to all the new ROM flashers
 
Mister J (Senior Member), post #5

Well, seems like here's the proof.

I take back my doubts, very nice job!
 
speednir123 (Member), post #6

The One XL is my first Android device, so I've got some questions.
By temp root, do you mean when you shut off the phone we need to do it again?
And I guess there will be a perm root soon because of this exploit, am I right?

Also, ty very much djrbliss
for achieving this :].
 
rohan32 (Forum Moderator / Recognized Developer, New Jersey), post #7

It utilizes a temp root to change the CID and therefore unlock
The unlock is permanent, the root is temporary

Though after you unlock, just flash a SuperUser zip and you will get permanent root
 
GuyIncognito721 (Senior Member, Oswego), post #8

Temp root is being used to spoof the CID and unlock the bootloader in order to flash a custom recovery, and thus custom ROMs that are then rooted. This is a permanent root solution.
 
qwertyaas (Senior Member), post #9

Quote:
Originally Posted by speednir123
the one xl is my first android device so i got some questions
by temp root you mean when you shut off the phone we need to do it again?
and i guess there will be a perm root soon because of this exploit am i right?

also ty very much djrbliss
for achieving this :].
This will fully root your phone. Just follow instructions to root, Super CID, unlock BL then flash recovery.

The root itself is a different manner than 1.85 but the whole process after should be the same. This is a method to get you to unlock the BL.
 
h1m (Member), post #10

Stupid question. Will this method work on Mac?

