XDA Developers Android and Mobile Development Forum

[DEV] S-OFF, PERMROOT, eMMC write [INSTRUCTIONS]

adwinp (OP), #1
(Last edited by adwinp; 11th November 2010 at 04:05 PM.)

props to scotty & tmzt


BE CAREFUL WHAT PARTITION YOU'RE DD'ING INTO OTHERWISE YOU'LL END WITH A BRICK.

Instructions
1: Get VISIONary from the market and do a temp root.
2: Download http://rapidshare.com/files/429891451/dhd_root.zip and extract it.
Place these files in /sdcard/ on your DHD (you only need one of the .ko files, depending on your kernel version; check with uname -a in adb shell).


Go to adb shell, switch to root (su) and do the following:

insmod /sdcard/wp_(version).ko
for example: insmod /sdcard/wp_g5ed1769.ko
This will disable wp (it will be re-enabled on reboot though...)

dd if=/sdcard/hboot_eng.nb0 of=/dev/block/mmcblk0p18
This will install the engineering hboot.

BE CAREFUL - DOUBLE CHECK THE PARTITION
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p21

OR

Save recovery.img somewhere on your HDD, open a shell/cmd in that directory and run:
fastboot flash recovery recovery.img
Both ways will install an unsecured recovery (not ClockworkMod yet).

The module is for the release version of DHD (2.32.21-g5ed1769)
If you have another one, you can easily mod it:

Check your version via:
cat /proc/version

Download a hex editor, search for vermagic in the wp_g5ed1769.ko, and replace the patch version with:
g5ed1769
Save.
Reload to sdcard and follow the instructions from the top.

You can now PERMROOT (once you load the module, just push su and Superuser.apk to /sdcard/)
and
copy su to /system/bin/
and Superuser.apk to /system/app/

Don't forget to suid su:
su
chmod 4755 /system/bin/su



NOTE:
Once you load the module, you can confirm a successful load via:
dmesg | tail

Here's a sample output:

<3>[ 881.934631] mmc0: DMA channel flushed (0x80000004)
<3>[ 881.935241] Flush data: 00000000 00000000 00000103 c0088008 c7e38000 00000001
<6>[ 881.935913] mmc0: Controller has been reset
<6>[ 881.936279] mmc0: Worked around bug 1535304
<3>[ 881.941802] mmcblk0: error -110 sending status comand
<3>[ 881.942443] mmcblk0: error -110 sending read/write command, response 0x0, card status 0x0
<3>[ 881.943084] mmcblk0: error -5 transferring data, sector 327712, nr 8, card status 0x0
<6>[ 881.943695] mmc0: reinit card
<4>[ 881.944030] mmc0: Starting deferred resume
<6>[ 882.010437] mmc0: Deferred resume completed
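A pre-flight size check for the dd steps above, added here as an example and not part of the original post: it refuses to proceed when the image does not exist, when the target partition is not listed, or when the image is larger than the partition. The partition names mmcblk0p18 (hboot) and mmcblk0p21 (recovery) are taken from the post; the partition table and image sizes in demo() are constructed and are not a real Desire HD layout.

```shell
# Added example, not from the original post: a pre-flight check to run in the
# adb shell before the `dd if=... of=/dev/block/mmcblk0pNN` steps above.
# It reads the target partition's size from a /proc/partitions-style table
# (sizes in 1 KiB blocks) and refuses when the image does not exist, the
# partition is not listed, or the image is larger than the partition.
# The table and image sizes in demo() are constructed, not a real DHD layout.

# partition_size_bytes NAME [TABLE]: print size in bytes of partition NAME
# (e.g. mmcblk0p18) from TABLE (default /proc/partitions); return 1 if absent.
partition_size_bytes() {
    name=$1
    table=${2:-/proc/partitions}
    blocks=$(awk -v n="$name" '$4 == n { print $3; exit }' "$table")
    [ -n "$blocks" ] || return 1
    echo $((blocks * 1024))
}

# image_fits_partition IMAGE NAME [TABLE]: return 0 only when IMAGE exists and
# is no larger than partition NAME; explain the refusal on stderr otherwise.
image_fits_partition() {
    img=$1
    name=$2
    table=${3:-/proc/partitions}
    [ -f "$img" ] || { echo "REFUSE: no such image: $img" >&2; return 1; }
    psize=$(partition_size_bytes "$name" "$table") ||
        { echo "REFUSE: $name not listed in $table" >&2; return 1; }
    isize=$(wc -c < "$img")
    if [ "$isize" -gt "$psize" ]; then
        echo "REFUSE: $img is $isize bytes, $name is only $psize bytes" >&2
        return 1
    fi
    echo "OK: $img ($isize bytes) fits /dev/block/$name ($psize bytes)"
}

# Demo: constructed table where p18 is 1 MiB and p21 is 6 MiB, plus dummy
# images; the hboot image fits, the oversized recovery image is refused.
demo() {
    dir=$(mktemp -d)
    printf 'major minor  #blocks  name\n\n' > "$dir/partitions"
    printf ' 179 0 1929216 mmcblk0\n 179 18 1024 mmcblk0p18\n' >> "$dir/partitions"
    printf ' 179 21 6144 mmcblk0p21\n' >> "$dir/partitions"
    head -c 786432 /dev/zero > "$dir/hboot_eng.nb0"    # 768 KiB
    head -c 7340032 /dev/zero > "$dir/recovery.img"    # 7 MiB
    image_fits_partition "$dir/hboot_eng.nb0" mmcblk0p18 "$dir/partitions"
    image_fits_partition "$dir/recovery.img" mmcblk0p21 "$dir/partitions" || echo "dd of recovery.img blocked"
    rm -rf "$dir"
}
demo
```

On the device, call image_fits_partition with only the image and partition name so it reads the real /proc/partitions, and only run the dd line once it prints OK.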
 
adwinp (OP), #2
What about adb pushing su and Superuser.apk WHILE flashing a STOCK ROM via RUU? The eventual signature check is at the beginning only and thus irrelevant for this procedure.
During this lengthy process, the real SYSTEM: is unlocked, and we should be able to do anything we want during that time.
Basically, we just need to check until /system/bin/su is copied from the RUU, THEN push ours, in order to prevent overwriting by the stock one.

This SHOULD, at least in theory, allow us to have persistent root. Can anybody check that?
 
Apache14, #3
While flashing via RUU, every file that is pushed is sig checked... Besides, we can't push specific files in RUU anyway :-|

And before anyone says recovery: ADB is locked down in recovery, so you can't push anything that way :(

Tbh we have two hopes... Have a signed test recovery to flash; we need a shipping Desire HD to test this (first Desire root type)

And the G2 root ppl: the HD will have the same protection as the G2

:)


 
adwinp (OP), #4
I was just pushing ideas around, things I need to check anyway.
It's hard to do any real work without a device to work on (yet - should be shipped by next week).

It WOULD be great if anyone could come forward with a test/engineering device I could work with. Maybe a test/engineering partitions dump?
 
adwinp (OP), #5
Since I am *still* waiting for my device (thanks HT...) and can't field test any of my ideas, I've been filing a few of them in the G2 forum.
The latest one being http://forum.xda-developers.com/show...&postcount=184
 
mikecoffee, #6
Quote: Originally Posted by adwinp
Since I am *still* waiting for my device (thanks HT...) and can't field test any of my ideas, I've been filing a few of them in the G2 forum.
The latest one being http://forum.xda-developers.com/show...&postcount=184


Getting my HD on Friday; hopefully I will hand it over to team VillainROM and see what we can do, grrrr
 
adwinp (OP), #7
R.E. is a b*****.
If only we had access to an engineering device, we could dump pmem (since we know at what address HBoot is loaded anyway), compare that to a retail device, and try some binary patching of the HBoot via userland and/or a module....
 
K900, #8
I have just thought about it: can the lock be related to path, not to address or something? Maybe you could symlink /system somewhere in /data (somewhere that is writable normally) and write through this symlink? Kinda improbable but worth trying...

 
adwinp (OP), #9
Quote: Originally Posted by K900
I have just thought about it: can the lock be related to path, not to address or something? Maybe you could symlink /system somewhere in /data (somewhere that is writable normally) and write through this symlink? Kinda improbable but worth trying...

Unfortunately it doesn't work that way.
;]
A symlink inherits all properties of the parent.
It's like trying to change tires in a car with a broken down engine. You won't be able to drive it, no matter what the tires.
 
K900, #10
Quote: Originally Posted by adwinp
Unfortunately it doesn't work that way.
;]
A symlink inherits all properties of the parent.
It's like trying to change tires in a car with a broken down engine. You won't be able to drive it, no matter what the tires.
I think the lock is not in the FS; it's somewhere lower level, so it just might work.
