Disclaimer #1: KingoRoot, dr.fone, and most other one-click rooting tools are characterized as malware. Should you use these tools? That decision is yours and yours alone. I do not own any of the tools that follow. All the links are to files that are publicly available.
Disclaimer #2: This is a risky undertaking. If you encounter issues or, worse, end up with a brick, I (or the others here) will try to help you, but the risk is all yours.
Disclaimer #3: This approach is not for everyone. If you lack a half-decent linear combination of (1) troubleshooting skills, (2) patience, (3) reading-comprehension skills, and (4) some love of risk, please stop here.
Disclaimer #4: I have only tried this on the 2017 HD 10. If you try this on another device type and it works, please post in the appropriate forum. If you try this on another device type and it does not work, don't be shocked.
NAQ (Never-Asked Questions):
a. What is "offline" rooting?
-- Rooting your device without needing access to the Internet (i.e., the rooting process requires no Internet connection; not on the phone/tablet, not on the computer).
b. Aren't there a gazillion rooting threads for the 2017 HD 10, each claiming to be easier than its predecessors? Why even bother with this fancy "offline" stuff?
-- All of those rooting threads use tools that require Internet access on the PC. What if those tools stop working because of server issues on their end?
-- More importantly, it's well known that these one-click rooting tools extract and transmit a ton of device-identifying information (e.g., IMEI, Serial Number, ...) that is not central to the rooting process. Why give that up?
For a few weeks now, I have been trying to come up with a rooting process that does not require any Internet access on the computer (we know KingoRoot and dr.fone need Internet access on the computer). I have finally figured out how. As a result, we should be able to root the 2017 HD 10 even if these rooting options cease to exist (assuming Amz updates are blocked at 184.108.40.206).
While Kingo does a good job of hiding its root exploits (i.e., the scripts it fetches from the cloud), the good doctor is a bit more generous (its files are downloaded onto a folder on the disk). I copied everything from that folder after a successful root attempt on my test tablet and examined each file. I was able to tinker with the scripts and binaries after moving them to /data/local/tmp on my tablet, but wasn't able to achieve anything meaningful ... until tonight. Noting the presence of some weirdly-named files in that folder, I did a simple Google search and came up with this hit. Of particular interest is method 2 (ELF). Based on that reading and armed with the files from the folder on the disk, I was able to achieve root without Internet access on my computer. I have done so multiple times, w/ and w/o a fresh sideload of the 220.127.116.11 update .bin. The process succeeds more often than it fails (when it does fail, a reboot and retry usually works), not unlike failures with Kingo or the doctor. It's the same exploit after all.
I am guessing Kingo uses a similar process, but does enough to make its scripts difficult to obtain offline. Access to the doctor's scripts and some clarity on the rooting procedure should help others on this forum make even greater progress.
Update: See my post #10 in this thread for Kingo-related instructions. To do this with Kingo, you would complete steps 4 and 5 in this OP and then move to the steps in post #10.
You will need to download a few files (for which you will, of course, need Internet on your computer):
1. Download the exploits here (it's clear that the exploit that's working for the 2017 HD 10 is Dirty COW: CVE-2016-5195): 20165195.zip and SuperSU_18+.zip and extract to their respective folders.
2. Copy all the files from the SuperSU_18+ folder into the 20165195 folder (overwriting wsroot.sh). Rename 20165195 to something simpler, say c. Inside the c folder, you should have the following binaries and scripts: ddexe, debuggerd, fileWork, install-recovery.sh, Matrix, pidof, start_wssud.sh, su, su_arm64, Superuser.apk, supolicy, toolbox, and wsroot.sh. You can delete Superuser.apk (we will be downloading SuperSU next).
3. Download the SuperSU 2.82 SR5 apk from here (or search for another source). Move it to the c folder.
4. Install the Fire's drivers and ADB+fastboot from here (if you haven't already done so).
You will not need Internet access from this point forward.
You should now have the c folder with 12 files and the SuperSU apk handy. If you lose root for whatever reason (or if you just want to test this out), you do not need KingoRoot or dr.fone. Follow these steps:
5. Do the basics:
-- Fire up your Fire.
-- On your first boot, start the process by clicking on Continue, then click on any of the WiFi choices, click Cancel, choose Not Now, and then Skip. Once the Fire gets to the home screen, pull down the notification bar and enable airplane mode.
-- Become a developer by tapping Serial Number (in Device Options) 7 times, go to Developer Options, and Enable ADB.
-- Go to Security in Settings and enable Apps from Unknown Sources.
-- Connect your Fire to the computer, Allow USB debugging on the tablet, check the popup box to Always allow from this computer (if this does not happen here, it will when you start adb next).
-- Type adb shell in an administrative command prompt. You should enter the tablet as a user.
6. On your computer, copy all the files from the c folder to the Fire's internal storage (/sdcard). Next, go to the command prompt with adb shell and copy the files to /data/local/tmp:
cp /sdcard/c/* /data/local/tmp
cd /data/local/tmp
ls -l
chmod 755 *
./Matrix /data/local/tmp 2
[*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
This is a sample of the entire output that should be generated:
[email protected]:/data/local/tmp $ ./Matrix /data/local/tmp 2
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><InitResource>0</InitResource></WSRoot>
Decrypt Success: /data/local/tmp/fileWork
Output File Name: /data/local/tmp/fileWork.
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/Bridge_wsroot.sh
extracting: /data/local/tmp/krdirtyCow32
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/libsupol.so
extracting: /data/local/tmp/my.sh
extracting: /data/local/tmp/mysupolicy
extracting: /data/local/tmp/patch_script.sh
extracting: /data/local/tmp/root3
<WSRoot><Decompression>0</Decompression></WSRoot>
execute string: /data/local/tmp/root3 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/root3: unused DT entry: type 0x6fffffff arg 0x1
ro.build.version.sdk :22
ro.product.cpu.abi :arm64-v8a
is x64
execute string: /data/local/tmp/krdirtyCow64 /data/local/tmp/ 2
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6ffffffe arg 0xd30
WARNING: linker: /data/local/tmp/krdirtyCow64: unused DT entry: type 0x6fffffff arg 0x1
path : /data/local/tmp/
path : /data/local/tmp[*] path_script:/data/local/tmp/patch_script.sh /data/local/tmp
rm: /data/local/tmp/sepolicy: No such file or directory
rm: /data/local/tmp/load: No such file or directory
supolicy v2.76 (ndk:armeabi) - Copyright (C) 2014-2016 - Chainfire
Patching policy [/data/local/tmp/sepolicy] --> [/data/local/tmp/load] ...
-permissive:zygote=ok
-permissive:kernel=ok
-permissive:init=ok
-permissive:su=ok
-permissive:init_shell=ok
-permissive:shell=ok
-permissive:servicemanager=ok
- Success
find_opcode offset:2d0 opcode:aaffbbee
find ok star:7f8325c008 end:7f8325c2d8 size:2d0
sh : /data/local/tmp/my.sh /data/local/tmp 2
fwrite is count 210148 /data/local/tmp/load1
fwrite is count 54204 /data/local/tmp/load2
find_opcode offset:2b4 opcode:eaeaeaea
find_opcode offset:2b8 opcode:ebebebeb
find_opcode offset:22d opcode:abababab
load = 408a0 load1 = 334e4 load2 = d3bc
find_opcode offset:2b0 opcode:efefefef
find_opcode offset:24d opcode:cdcdcdcd
find_opcode offset:2bc opcode:acacacac
init_shellcode loadsize:264352 loadpath:/data/local/tmp/load shpath:/data/local/tmp/my.sh /data/local/tmp 2 shpath:2bc
open /proc PID:208
find logd pid : d0
_inject_start_s:0x7f8325c008
Copying /sepolicy to /data/local/tmp/cp_sepolicy
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
size: 210148
[*] mmap 0x7f83055000;[*] exploit (patch)[*] currently 0x7f83055000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f83055000 210148
checking the patch ...
exploit
sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done[*] exploited 0x7f83055000=f97cff8c
[main]p_vdso_addr:0x7f8325a000 p_vdso_buffer:0x400000[*]set_ret_jmp[*]set_ret_jmp 400410[*]set_ret_jmp 400420
[main] write 1
Parent is over..status == 0
socket: No such file or directory
socket = 7
ret = ffffffff
connect : No such file or directory
ret = ffffffff
find coe f
[main] write 2
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load2
warning: new file size (54204) and file old size (210148) differ
size: 54204
[*] mmap 0x7f83236000;[*] exploit (patch)[*] currently 0x7f83236000=8f97cff8c
sched_setaffinity: Function not implemented[*] madvise = 0x7f83236000 54204
checking the patch ...
exploit
sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s
check done
sched_setaffinity: Function not implementedmadviseThread() done
procselfmemThread() done[*] exploited 0x7f83236000=8600a5
find coe 36
Parent is over..status == 0
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/cp_sepolicy
size: 210148
[*] mmap 0x7f83021000;[*] exploit (patch)[*] currently 0x7f83021000=10007008600a5
checking the patch ...
exploit
sleep 1s
sched_setaffinity: Function not implementedsched_setaffinity: Function not implemented[*] madvise = 0x7f83021000 210148
sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s sleep 1s
check done
madviseThread() done
procselfmemThread() done[*] exploited 0x7f83021000=f97cff8c
end!!!!!!!
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
9. Confirm by getting to a root shell:
11. Open SuperSU and update binary as Normal (should be successful).
12. Click to reboot.
13. Set SuperSU to Grant as default access.
14. Delete the two wondershare directories in /data/data-lib/:
cd /data/data-lib
rm -r com.wondershare.DashRoot
rm -r wondershare
su
mount -w -o remount /system
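
For anyone who needs to audit what a run like this changed on a device, the status tags and messages in the output above can be summarized mechanically. This is an added example, not part of the original post or of the tool: `triage` and its report fields are hypothetical names, the sample log is constructed, and reading a status of 0 as success is an assumption based on the successful output shown.

```python
import re

# Constructed sample in the format of the tool output quoted in the post
# (shortened; not a real capture).
SAMPLE_LOG = """\
<WSRoot><Command>0</Command></WSRoot>
<WSRoot><Decrypt>0</Decrypt></WSRoot>
extracting: /data/local/tmp/krdirtyCow64
extracting: /data/local/tmp/patch_script.sh
-permissive:zygote=ok
-permissive:shell=ok
cow_exploit_mv_file_init: Overriding /sepolicy from /data/local/tmp/load1
<WSRoot><Exploit>0</Exploit></WSRoot>
<WSRoot><Done>0</Done></WSRoot>
"""

# Patterns match anywhere in the text, so a capture whose newlines were lost
# in a paste parses the same as one with a record per line.
STAGE = re.compile(r"<WSRoot><(\w+)>(-?\d+)</\1></WSRoot>")
DROPPED = re.compile(r"extracting:\s+(\S+)")
PERMISSIVE = re.compile(r"-permissive:(\w+)=(\w+)")
OVERRIDE = re.compile(r"Overriding (\S+) from (\S+)")


def triage(log: str) -> dict:
    """Summarize one captured run for a device-integrity report."""
    stages = {m.group(1): int(m.group(2)) for m in STAGE.finditer(log)}
    permissive = [dom for dom, res in PERMISSIVE.findall(log) if res == "ok"]
    overwritten = sorted({target for target, _ in OVERRIDE.findall(log)})
    return {
        "stages": stages,
        # Assumption: a status of 0 means the stage succeeded.
        "failed_stages": [name for name, code in stages.items() if code != 0],
        "dropped_files": DROPPED.findall(log),
        "permissive_domains": permissive,
        "overwritten_targets": overwritten,
        # The live SELinux policy was replaced with a weakened one.
        "selinux_tampered": bool(permissive) and "/sepolicy" in overwritten,
        "run_completed": stages.get("Exploit") == 0 and stages.get("Done") == 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A report with `selinux_tampered` set means the device's SELinux policy can no longer be trusted until the system image is restored.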