Rooting the TF300T *without* downgrading (from .29)

Search This thread
By:
Advanced…
miloj

miloj

Senior Member
Jun 9, 2012
58
174
Nice
Hello,

I managed to root my TF300 this week-end.

Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.

Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://xdaforums.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.

Here is the full guide, and the link to the binaries at the end.

Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs

Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.

Here is now the full guide:

Rooting the Asus Transformer TF300T
===================================

: first, use known method to get write access to the /system partition

Code: 
adb push debugfs /data/local/
adb push su /data/local/
adb shell

Code: 
$ cd /data/local/
$ mv tmp tmp.back
FOR TRANSFORMER (TF101 TF201 TF300T TF700T) ONLY:
Code: 
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p1[/COLOR] tmp
$ exit
FOR PADFONE ONLY:
Code: 
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p21[/COLOR] tmp
$ exit
FOR SAMSUNG GALAXY SII ONLY:
Code: 
$ ln -s /dev/block/mmcblk0[COLOR="Red"]p9[/COLOR] tmp
$ exit

FOR SAMSUNG GALAXY TAB 2 7" ONLY: (see http://xdaforums.com/showthread.php?t=1791193 thx to Nesquick95)
Code: 
$ ln -s /dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS tmp
$ exit

Code: 
adb reboot

adb shell

: some cleanup first

Code: 
$ cd /data/local

: and now, let's do the dirty work

Code: 
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
[COLOR="green"]NOTE: if this is your first attempt, you should see an error message here, simply ignore it[/COLOR]
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp
$ exit

: done, let's reboot and get root !

Code: 
adb reboot
adb shell
$ /system/xbin/su
# id
[COLOR="Blue"]id=0(root) gid=0(root) ....[/COLOR]
# exit

: cleanup remaining files

Code: 
$ rm /data/local/su
$ rm /data/local/debugfs
$ exit

Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.


After installation, or if you previously installed, open it and check for an update, there should be one available. This will replace the non-securised su binary with the one provided by superuser. Reboot when asked to, and you're done.


And now here is the link for the binaries:

http://db.tt/FBUNeVmo

The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).

Please let me know how it goes for you.

Credits: wolf849 for the symlink exploit ;)

EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it :)
Here is the URL:
sparkym3 said:
I have created an automated tool using this root method and am looking for confirmation that it works on a Transformer 300.

http://xdaforums.com/showthread.php?t=1706588
Click to expand...
Click to collapse

EDIT1: Here are the devices successfully rooted so far:
ASUS TF300T .26 .29 .30
ASUS TF201 .21 .28
ASUS TF101 S/N B70* .24
ASUS PadFone IML74K.CHT_PadFone-9.18.8.41_CHT_9.1.15-0
ASUS TF700T
SAMSUNG Galaxy II ICS 4.0.3
SAMSUNG Galaxy Tab 2 7"

milo
 
Last edited:
  • Like
Reactions: alexrodrigues43, ffbeltran, Mich3lin and 133 others
P05TMAN

P05TMAN

Senior Member
Aug 15, 2011
399
101
Boulder, CO
miloj said:
Hello,

I managed to root my TF300 this week-end.

Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.

Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://xdaforums.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.

Here is the full guide, and the link to the binaries at the end.

Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs

Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.

Here is now the full guide:

Rooting the Asus Transformer TF300T
===================================

: first, use known method to get write access to the /system partition

adb push debugfs /data/local/
adb push su /data/local/
adb shell
$ cd /data/local/
$ mv tmp tmp.back
$ ln -s /dev/block/mmcblk0p1 tmp
$ exit
adb reboot

adb shell

: some cleanup first

$ cd /data/local
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp

: and now, let's do the dirty work

$ chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /dev/block/mmcblk0p1
debugfs: cd xbin
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0104755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit

: done, let's reboot and get root !

adb reboot
adb shell
$ /system/xbin/su
# id
id=0(root) gid=0(root) ....
# exit

: cleanup remaining files

$ rm /data/local/su
$ rm /data/local/debugfs

Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.

And now here is the link for the binaries:

http://db.tt/FBUNeVmo

The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).

Please let me know how it goes for you.

Credits: wolf849 for the symlink exploit ;)

milo
Click to expand...
Click to collapse

If this proves to be successful across multiple users, I may try this out; I'm excited to see how this information pans out.
 
G

gasingvar

Senior Member
Apr 2, 2008
54
18
Yep. That was me.
In essence I had a locked (can get OTA), not rooted device with .26 WW firmware.
Now I've got a locked (can still get OTA unless Asus changes something), rooted device with .29 WW firmware.
This is the holy grail for tf300t users at the moment.

I'm so happy!
 
  • Like
Reactions: P05TMAN
miloj

miloj

Senior Member
Jun 9, 2012
58
174
Nice
For information, I just rooted a friend's TF201 with the same method :)


Sent from my ASUS Transformer Pad TF300T using XDA
 
  • Like
Reactions: P05TMAN
Lyshalia

Lyshalia

Senior Member
Feb 21, 2011
57
23
Confirmed

CONFIRMED!
I rooted my WW.29 this way. No need to downgrade to .17 first.
Thank you, thank you, thank you :)
 
  • Like
Reactions: P05TMAN
mcho19

mcho19

Senior Member
Mar 15, 2009
81
0
Oakland, CA
Confirmed working on US .29!

Edit: Does trying adb remount and failing have anything to do with the root or am I not understanding the adb command?
 
NJ_RAMS_FAN

NJ_RAMS_FAN

Senior Member
Sep 28, 2011
885
96
North Bergen, NJ
Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine. :confused:
 
Last edited:
miloj

miloj

Senior Member
Jun 9, 2012
58
174
Nice
NJ_RAMS_FAN said:
Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine. :confused:
Click to expand...
Click to collapse

Because risk was too high in my opinion:

- risk to brick when injecting the blob into mmcblk0p4 (if the tablet reboot in the middle, I guess you get a 500€ brick)
- risk to not receiving any ASUS OTA (many users have reported this, I didn't want to test it myself)

The procedure was also a bit too complex, between US, DE, DE to WW, and WW blobs.

Also the .17 WW blob is nowhere available.

With my method, there is one risk, it is if the tablet reboot in the middle of writing into the partition. But I guess than, like any other linux (or unix for that matter), the android boot would run fsck on the partition and get it repaired.

And my method is faster !! :)

Sent from my ASUS Transformer Pad TF300T using XDA
 
Last edited:
  • Like
Reactions: kowlown, fuol, madferret and 1 other person
G

gasingvar

Senior Member
Apr 2, 2008
54
18
mcho19 said:
Confirmed working on US .29!

Edit: Does trying adb remount and failing have anything to do with the root or am I not understanding the adb command?
Click to expand...
Click to collapse
I didn't try, but if I'm allowed to guess the debugfs tool doesn't check permissions as rigorously as mount commands (ie it's working on a lower level). But that's a guess. Another guess would be that dd'ing the su binary would have worked, but then you probably wouldn't have been able to set the correct permissions on the su binary.

NJ_RAMS_FAN said:
Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine. :confused:
Click to expand...
Click to collapse
The downgrade method doesn't work with OTAs on .WW firmware. This is the only way at the moment if you're > .17 WW or on .17 DE.

It may even work on __many___ more devices (but that's another guess).
 
P

phigafr

Senior Member
Jun 12, 2009
93
3
A great great thanks from an almost noob... My TF201 unlocked (!) .21 is now rooted!!


Pas remarqué que tu étais français aussi!
 
Last edited:
N

Niggy86

Member
Jun 5, 2009
8
2
A great thanks from me, too!

I have one question: After dooing all steps, my tablet is rooted. But the SuperUser App doesn't ask me to allow the apps. In the SU-App from the Market i don't see any App allowed, but every app which needs root, works in root mode without asking.
Did I do something wrong?

Thank's a lot,

Niggy
 
G

gasingvar

Senior Member
Apr 2, 2008
54
18
Niggy86 said:
A great thanks from me, too!

I have one question: After dooing all steps, my tablet is rooted. But the SuperUser App doesn't ask me to allow the apps. In the SU-App from the Market i don't see any App allowed, but every app which needs root, works in root mode without asking.
Did I do something wrong?

Thank's a lot,

Niggy
Click to expand...
Click to collapse
You need to install superuser from market and reinstall the su binary.
As soon as possible.
 
D

darkuni

Senior Member
Sep 12, 2010
378
75
At the risk of getting torched ... :)

Is there a Windows version of debugfs? I'm assuming this is to be done under Linux.

Any Windows equivalents?

Thanks :)
 
You must log in or register to reply here.

Similar threads

seanzscreams
[ROM]ASU-JellyBean-Hydro 8 (6/29/13)Liquid Butter..- Tf300 -Official 10.6.1.15.3 Base
Replies
3K
Views
368K
W
Weaponx525
sbdags
[ROM]★●[TF300T/G/L/201/301][CROMi-X 5.4][ROM2SD | ODEX/DEODEX 10.6.1.27.5][02/22]●★
Replies
2K
Views
437K
B
betanman
XpLoDWilD
[OFFICIAL][4.2.2][TF300T][NIGHTLIES] CyanogenMod 10.1 for TF300T
Replies
2K
Views
318K
Papapau
Papapau
sbdags
[ROM]★●[TF300T/G/201/301][CROMi-Xenogenesis 4.7.0][ODEX/DEODEX 10.6.1.15.3][Jul 20]●★
Replies
3K
Views
428K
sbdags
sbdags
Dees_Troy
[RECOVERY][TF300T] TWRP 3.1.1-0 touch recovery [2017-05-19]
Replies
1K
Views
333K
yongyek
yongyek

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 136
    miloj
    miloj
    Hello,

    I managed to root my TF300 this week-end.

    Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.

    Story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://xdaforums.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.

    Here is the full guide, and the link to the binaries at the end.

    Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs

    Of course, there is no garantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.

    Here is now the full guide:

    Rooting the Asus Transformer TF300T
    ===================================

    : first, use known method to get write access to the /system partition

    Code: 
    adb push debugfs /data/local/
adb push su /data/local/
adb shell

    Code: 
    $ cd /data/local/
$ mv tmp tmp.back
    FOR TRANSFORMER (TF101 TF201 TF300T TF700T) ONLY:
    Code: 
    $ ln -s /dev/block/mmcblk0[COLOR="Red"]p1[/COLOR] tmp
$ exit
    FOR PADFONE ONLY:
    Code: 
    $ ln -s /dev/block/mmcblk0[COLOR="Red"]p21[/COLOR] tmp
$ exit
    FOR SAMSUNG GALAXY SII ONLY:
    Code: 
    $ ln -s /dev/block/mmcblk0[COLOR="Red"]p9[/COLOR] tmp
$ exit

    FOR SAMSUNG GALAXY TAB 2 7" ONLY: (see http://xdaforums.com/showthread.php?t=1791193 thx to Nesquick95)
    Code: 
    $ ln -s /dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS tmp
$ exit

    Code: 
    adb reboot

adb shell

    : some cleanup first

    Code: 
    $ cd /data/local

    : and now, let's do the dirty work

    Code: 
    $ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
[COLOR="green"]NOTE: if this is your first attempt, you should see an error message here, simply ignore it[/COLOR]
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp
$ exit

    : done, let's reboot and get root !

    Code: 
    adb reboot
adb shell
$ /system/xbin/su
# id
[COLOR="Blue"]id=0(root) gid=0(root) ....[/COLOR]
# exit

    : cleanup remaining files

    Code: 
    $ rm /data/local/su
$ rm /data/local/debugfs
$ exit

    Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.


    After installation, or if you previously installed, open it and check for an update, there should be one available. This will replace the non-securised su binary with the one provided by superuser. Reboot when asked to, and you're done.


    And now here is the link for the binaries:

    http://db.tt/FBUNeVmo

    The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).

    Please let me know how it goes for you.

    Credits: wolf849 for the symlink exploit ;)

    EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it :)
    Here is the URL:
    sparkym3 said:
    I have created an automated tool using this root method and am looking for confirmation that it works on a Transformer 300.

    http://xdaforums.com/showthread.php?t=1706588
    Click to expand...
    Click to collapse

    EDIT1: Here are the devices successfully rooted so far:
    ASUS TF300T .26 .29 .30
    ASUS TF201 .21 .28
    ASUS TF101 S/N B70* .24
    ASUS PadFone IML74K.CHT_PadFone-9.18.8.41_CHT_9.1.15-0
    ASUS TF700T
    SAMSUNG Galaxy II ICS 4.0.3
    SAMSUNG Galaxy Tab 2 7"

    milo
    View
    4
    miloj
    miloj
    NJ_RAMS_FAN said:
    Question: Why weren't you satisfied with downgrading method? i asked because I did the downgrade method and the tf300 has been working fine. :confused:
    Click to expand...
    Click to collapse

    Because risk was too high in my opinion:

    - risk to brick when injecting the blob into mmcblk0p4 (if the tablet reboot in the middle, I guess you get a 500€ brick)
    - risk to not receiving any ASUS OTA (many users have reported this, I didn't want to test it myself)

    The procedure was also a bit too complex, between US, DE, DE to WW, and WW blobs.

    Also the .17 WW blob is nowhere available.

    With my method, there is one risk, it is if the tablet reboot in the middle of writing into the partition. But I guess than, like any other linux (or unix for that matter), the android boot would run fsck on the partition and get it repaired.

    And my method is faster !! :)

    Sent from my ASUS Transformer Pad TF300T using XDA
    View
    3
    miloj
    miloj
    Mr.Clark said:
    My question is how you find out the magic number:
    Click to expand...
    Click to collapse

    I found it with the mount command,that's the device name from which /system is mounted.

    You can send me the result of the mount command if you need help.

    EDIT: maybe root explorer only shows files on which you have read access. Try doing in a console (from adb, or ConnectBot, or Terminal IDE):

    $ ls -al /dev/block
    View
    2
    miloj
    miloj
    FYI, there was one success in this thread: http://xdaforums.com/showthread.php?t=1688994 where I originally posted.

    milo
    View
    2
    Sib64
    Sib64
    You should re-write your OP and use this tool on the message menu # (go advanced) and separate different parts of your script.
    And if you find a way for build an automatic script or tool, it will be excellent ;)

    like this :
    Code: 
    adb push debugfs /data/local/
adb push su /data/local/
adb shell
$ cd /data/local/
$ mv tmp tmp.back
$ ln -s /dev/block/mmcblk0p1 tmp
$ exit
adb reboot
    View

New posts