Hello,
I managed to root my TF300 this week-end.
Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.
Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://xdaforums.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.
Here is the full guide, and the link to the binaries at the end.
Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs
Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.
Here is now the full guide:
Rooting the Asus Transformer TF300T
===================================
: first, use known method to get write access to the /system partition
FOR TRANSFORMER (TF101 TF201 TF300T TF700T) ONLY:
FOR PADFONE ONLY:
FOR SAMSUNG GALAXY SII ONLY:
FOR SAMSUNG GALAXY TAB 2 7" ONLY: (see http://xdaforums.com/showthread.php?t=1791193 thx to Nesquick95)
: some cleanup first
: and now, let's do the dirty work
: done, let's reboot and get root !
: cleanup remaining files
Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.
After installation, or if you previously installed, open it and check for an update, there should be one available. This will replace the non-securised su binary with the one provided by superuser. Reboot when asked to, and you're done.
And now here is the link for the binaries:
http://db.tt/FBUNeVmo
The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).
Please let me know how it goes for you.
Credits: wolf849 for the symlink exploit
EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it
Here is the URL:
EDIT1: Here are the devices successfully rooted so far:
ASUS TF300T .26 .29 .30
ASUS TF201 .21 .28
ASUS TF101 S/N B70* .24
ASUS PadFone IML74K.CHT_PadFone-9.18.8.41_CHT_9.1.15-0
ASUS TF700T
SAMSUNG Galaxy II ICS 4.0.3
SAMSUNG Galaxy Tab 2 7"
milo
I managed to root my TF300 this week-end.
Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.
Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://xdaforums.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.
Here is the full guide, and the link to the binaries at the end.
Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs
Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.
Here is now the full guide:
Rooting the Asus Transformer TF300T
===================================
: first, use known method to get write access to the /system partition
Code:
adb push debugfs /data/local/
adb push su /data/local/
adb shell
Code:
$ cd /data/local/
$ mv tmp tmp.back
Code:
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p1[/COLOR] tmp
$ exit
Code:
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p21[/COLOR] tmp
$ exit
Code:
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p9[/COLOR] tmp
$ exit
FOR SAMSUNG GALAXY TAB 2 7" ONLY: (see http://xdaforums.com/showthread.php?t=1791193 thx to Nesquick95)
Code:
$ ln -s /dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS tmp
$ exit
Code:
adb reboot
adb shell
: some cleanup first
Code:
$ cd /data/local
: and now, let's do the dirty work
Code:
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
[COLOR="green"]NOTE: if this is your first attempt, you should see an error message here, simply ignore it[/COLOR]
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp
$ exit
: done, let's reboot and get root !
Code:
adb reboot
adb shell
$ /system/xbin/su
# id
[COLOR="Blue"]id=0(root) gid=0(root) ....[/COLOR]
# exit
: cleanup remaining files
Code:
$ rm /data/local/su
$ rm /data/local/debugfs
$ exit
Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.
After installation, or if you previously installed, open it and check for an update, there should be one available. This will replace the non-securised su binary with the one provided by superuser. Reboot when asked to, and you're done.
And now here is the link for the binaries:
http://db.tt/FBUNeVmo
The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).
Please let me know how it goes for you.
Credits: wolf849 for the symlink exploit
EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it
Here is the URL:
I have created an automated tool using this root method and am looking for confirmation that it works on a Transformer 300.
http://xdaforums.com/showthread.php?t=1706588
EDIT1: Here are the devices successfully rooted so far:
ASUS TF300T .26 .29 .30
ASUS TF201 .21 .28
ASUS TF101 S/N B70* .24
ASUS PadFone IML74K.CHT_PadFone-9.18.8.41_CHT_9.1.15-0
ASUS TF700T
SAMSUNG Galaxy II ICS 4.0.3
SAMSUNG Galaxy Tab 2 7"
milo
Last edited: