[GUIDE] Permanent root on Desire Z 'the clean way', using rage

Search This thread

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,333
616
UK
Hey guys, I just had a quick question about this method of rooting, when I try to execute this command on my HTC Desire Z (Bell):

adb push rage /data/local/tmp/rage

I get an error:
cannot stat 'rage': No such file or directory

I did a google search, and even reinstalled adb... any help much appreciated, thanks!

You need to be running that "adb" command from your PC, not your phone.
 

composites

Member
Nov 12, 2010
25
0
when i run

Code:
# /data/local/tmp/busybox md5sum /data/local/*

i get the same "CVE-2010-EASY Android local root exploit (c) 2010 by 743C...
Forked #### childs." message that appeared after running 'rage' instead of seeing the actual file checksums. is this normal?

at this point my mobile sometimes reboots. one time the touchscreen and cap buttons were reversed (home was search and search was home, etc) and had to pull the battery to fix this.

can anyone advise?
 

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,333
616
UK
when i run

Code:
# /data/local/tmp/busybox md5sum /data/local/*

i get the same "CVE-2010-EASY Android local root exploit (c) 2010 by 743C...
Forked #### childs." message that appeared after running 'rage' instead of seeing the actual file checksums. is this normal?

at this point my mobile sometimes reboots. one time the touchscreen and cap buttons were reversed (home was search and search was home, etc) and had to pull the battery to fix this.

Your mobile is rebooting because you are running rage for a second time. For some reason you have pushed rage over to your phone as busybox. i.e. when you run "busybox" you're actually running the rage program.
 

jonoball88

Senior Member
Apr 20, 2009
75
1
i pushed everything onto my phone but when i start the first step on the terminal putting in /data/local/tmp/rage it tells me " permission denied"

anything i can do??
 

jonoball88

Senior Member
Apr 20, 2009
75
1
ok so heres what happened... i got my phone rooted and s-off and got ahead of myself and tried flashing a world PC10IMG.zip... apparently that could have bricked my phone... lucky it didnt flash the rom properly and froze as soon as it tried to access the bootloader.
I booted up the phone and still had the original bell rom working fine. I then noticed that since I tried flashing the world rom it then turned my "s-on" and screwed up the superuser app. So then I found the stock bell ruu and flashed that onto my phone.
I went through all the steps to re-root my phone and turn s-off. Everything worked fine untill I got to the last step to lock in the root (/data/local/tmp/root) and it said " mkdir failed for /system/xbin, File exists"
So Is my phone still rooted and not active?
Busybox tells me the phone is unrooted. The visionary way has also never worked for me as it always got stuck on the " rooting your phone" stage and never did anything.
ill even pay someone to help me!!
 

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,333
616
UK
I went through all the steps to re-root my phone and turn s-off. Everything worked fine untill I got to the last step to lock in the root (/data/local/tmp/root) and it said " mkdir failed for /system/xbin, File exists"
So Is my phone still rooted and not active?

Ignore that error message, it usually does that. Did you have a # prompt at that stage ?


Busybox tells me the phone is unrooted. The visionary way has also never worked for me as it always got stuck on the " rooting your phone" stage and never did anything.
il

Do you get a # prompt if you type "su" ?
 

jonoball88

Senior Member
Apr 20, 2009
75
1
yes i had a # at that stage, as for the second question whenever i type in "su" in the terminal it says su: permission denied
 
Last edited:

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,333
616
UK
yes i had a # at that stage, as for the second question whenever i type in "su" in the terminal it says su:permission denied

When you type in "su" then the Superuser app on the phone should pop up and ask for permission. But if you don't click on it quickly then you'll get "permission denied".
 

jonoball88

Senior Member
Apr 20, 2009
75
1
When you type in "su" then the Superuser app on the phone should pop up and ask for permission. But if you don't click on it quickly then you'll get "permission denied".

but when i type in "su" the superuser app dosnt pop up. As soon as i type it in the terminal it says permission denied immediately
 

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,333
616
UK
but when i type in "su" the superuser app dosnt pop up. As soon as i type it in the terminal it says permission denied immediately

Do you have the Superuser app installed ?

It sounds like you don't have permanent root applied properly. When you ran that root script, did you have a # prompt ? And what error message did you get from running the "insmod" command, if the error isn't "Function not implemented" but something else, it won't work.
 

jonoball88

Senior Member
Apr 20, 2009
75
1
Do you have the Superuser app installed ?

It sounds like you don't have permanent root applied properly. When you ran that root script, did you have a # prompt ? And what error message did you get from running the "insmod" command, if the error isn't "Function not implemented" but something else, it won't work.

yep i have su installed... the thing is this is the second time im trying to run this root and s-off process. The first time i did it i had full root access, busybox confirmed i had root and su was working fine. i even ran titanium backup to confirm root worked.. The problem was I tried flashing the wrong world rom and when you do that it locks up the phone apparently. So then I flashed the stock bell rom back on and when i installed su and busybox it said i no longer had root. So i figured if i would do this process all over again it would work but no such luck.

thanks for all your help fyi. if you have paypal ill give you 40 bucks if you can help me out!
 

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,333
616
UK
yep i have su installed... the thing is this is the second time im trying to run this root and s-off process. The first time i did it i had full root access, busybox confirmed i had root and su was working fine. i even ran titanium backup to confirm root worked.. The problem was I tried flashing the wrong world rom and when you do that it locks up the phone apparently. So then I flashed the stock bell rom back on and when i installed su and busybox it said i no longer had root. So i figured if i would do this process all over again it would work but no such luck.

thanks for all your help fyi. if you have paypal ill give you 40 bucks if you can help me out!

I'm happy to try and help but thanks, I don't need any money for it. Rage is very straightforward but you do need to be careful you are doing exactly the right steps in exactly the right order. If you get any unexpected error messages then it won't work, you need to identify which step is going wrong.

Please go back and try the whole rage process again, starting with the temp root bit. When you get to the perm root bit, do not do the "dd" bit to copy the engineering bootloader (that's been superseded by gfree, and this guide really needs updating to reflect that), just skip over that one step but do all the rest.

Tell us where it goes wrong. Make sure you have all the expected prompts and no unexpected error messages. Something is going wrong for you at some stage, it's probably just been overlooked.
 

jonoball88

Senior Member
Apr 20, 2009
75
1
thanks, i really appreciate it! So i tried the whole process all over again and i think i found something now... when im on this step to turn security off for permanent flashing - insmod /data/local/wpthis-Z.ko
init_module 'wpthis-Z.ko' failed (Function not implemented)

i type it in and i get a different error message... it says `init_module 'wpthis-Z.ko' failed ( Exec format error)

could that be whats going wrong
 

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,333
616
UK
thanks, i really appreciate it! So i tried the whole process all over again and i think i found something now... when im on this step to turn security off for permanent flashing - insmod /data/local/wpthis-Z.ko
init_module 'wpthis-Z.ko' failed (Function not implemented)

i type it in and i get a different error message... it says `init_module 'wpthis-Z.ko' failed ( Exec format error)

could that be whats going wrong

Yep, that's exactly what's going wrong. That command is inserting a kernel module to defeat the write-protection. So when it works, it comes up with that "Function not implemented" error message - that means it worked correctly !

But as you say, you get a different error message, so that means it failed, and nothing was written to internal memory, only cache. So when you reboot you lose root - i.e. it's only a temp root.

What ROM/kernel combination are you running ? That kernel module seems to be incompatible with your kernel, i.e. it's not the standard European Desire Z kernel.
 

jonoball88

Senior Member
Apr 20, 2009
75
1
kernal:
2.6.32.21-gdfdd99d
htc-kernal@and18-2 #1
mon out 18 19:47:51 cst 2010

software number:
1.34.666.1
 

jonoball88

Senior Member
Apr 20, 2009
75
1
kernal:
2.6.32.21-gdfdd99d
htc-kernal@and18-2 #1
mon out 18 19:47:51 cst 2010

software number:
1.34.666.1

i think i found my problem... i flashed to a older rom... the original bell rom was 1.35.666.5.

ill try find a way to flash back to that newer ( original bell shipped) rom then maybe it will fix the root process.
 

steviewevie

Retired Forum Moderator
Oct 28, 2009
5,333
616
UK
i think i found my problem... i flashed to a older rom... the original bell rom was 1.35.666.5.

ill try find a way to flash back to that newer ( original bell shipped) rom then maybe it will fix the root process.

Yeah I can only presume that the kernel module simply won't work with your older ROM. You can always temporarily flash to a different ROM that does work with that kernel module and then flash back to what you have. Or you can try the other kernel modules e.g the G2 ones (pre- and post-OTA) - check the thread on the G2 forums. The worst that can happen is they'll simply not work and give you that same error message.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 5
    This thread is copied and modified from the G2 thread by trigeek for the Desire Z:
    http://xdaforums.com/showthread.php?t=834228


    Apart from the changed hboot and wpthis-Z kernel module for the Desire Z instead of the G2, I have also updated the su-binary and SuperUser.apk to the latest version by ChainsDD


    In no way I can be held responsible for any bricks to your phone. You are using this guide at your own risk!! I did test this guide on my own, and also on a friend's Desire Z.

    As there was no manual rooting guide for the Desire Z, I posted it myself in order to help others that do not like visionary and like to do it 'the clean way'.


    [GUIDE] Temp to permanent root on Desire Z, using rage instead of visionary
    =================================================
    There's already a guide here for obtaining permanent root using VISIONary, but some folks in #G2ROOT are having issues with the way that VISIONary modifies parititons. Using rage directly is a bit cleaner, since you know exactly what it's going to touch at each step of the way. I did NOT come up with any of this on my own, I'm building completely off of work that others have done. Speaking of which-

    None of this would be possible without the tireless work that scotty2 put in. He stayed with the project for well over a month, through lots of smashed hopes and dead ends, until the solution was finally found. Were it not for his work, as well as the help of a few other key folks- we wouldn't be here. He deserves our thanks and some donations! We're talking hundreds of hours of work here, a couple bucks is not too much for that. His paypal is:

    walker.scott@gmail.com
    Send him some love! I'm not asking for anything myself, because I spent a half hour putting this together, and that doesn't deserve any donations!


    DESIRE Z ROOT INSTRUCTIONS
    =================================================
    These are modified instructions based on the ones posted at http://bit.ly/g2root that use Visionary. A number of people have run into issues with the way that Visionary juggles around temporary partitions, and using the original root exploit is a much easier, and cleaner method for achieving permanent root. This tutorial will walk you through the rooting process by first achieving temporary root, and moving on to permanent root.

    REQUIREMENTS
    =================================================
    •Visionary disabled at boot or uninstalled completely
    •Android Terminal Emulator app
    •ADB
    •desirez-combined-root.zip (Attached to this post)

    In the commands to run below, $ or # represent the prompt and should NOT be entered as part of the commands.


    VERY IMPORTANT!
    Visionary has caused filesystem corruption for some users during the rooting process. Before attempting the instructions below, make sure that you have "auto run on boot" turned OFF, and reboot your system. Since you will not need visionary anyway after this, you might as well just uninstall visionary and reboot NOW before doing anything.

    TEMP ROOT
    =================================================
    ON YOUR PC:
    Unzip the z-temp-root files to a folder. From a cmd window or terminal, navigate to that folder and execute these commands:

    Code:
    $ adb push su /sdcard/su
    $ adb push Superuser.apk /sdcard/Superuser.apk
    $ adb push rage /data/local/tmp/rage
    $ adb push busybox /data/local/tmp/busybox
    $ adb push root /data/local/tmp/root
    $ adb shell chmod 0755 /data/local/tmp/*

    ON YOUR PHONE:

    1.Launch Terminal Emulator
    2.
    Code:
    /data/local/tmp/rage
    3.Wait for the message: "Forked #### childs."
    4.Menu > Reset Term - Terminal Emulator will exit.
    5.Launch Terminal Emulator, it Force Closes. Launch a second time, and you'll have a root shell
    6.**NOTE**: in the original directions from the XDA thread, you are instructed to run the /data/local/tmp/root script here. DON'T do this just yet. Leave the terminal window open.

    PERM ROOT
    =================================================
    ON YOUR PC:
    unzip z-perm-root and navigate to that folder. There will be four files. You will need to push two of these to your phone: hboot_7230_0.84.2000_100908.nb0 and wpthis-Z.ko. The other two files are optional for checksum verification.

    Code:
    $ adb push hboot_7230_0.84.2000_100908.nb0 /data/local
    $ adb push wpthis-Z.ko /data/local

    Optional but might came in handy:
    Code:
    $ adb push md5checksum /sdcard/md5checksum


    ON YOUR PHONE:
    You should still have terminal emulator up, at a root prompt. Now run:

    Optional but recommended:
    Code:
    # /data/local/tmp/busybox md5sum /data/local/*

    You should see:
    hboot_7230_0.84.2000_100908.nb0 2ce1bdd5e4c1119ccfcecb938710d742
    wpthis-Z.ko c73c5e77c91d306c418983c002b60b93

    In case your hboot or wpthis-Z.ko file do not have the same md5hash as shown above, DO NOT CONTINUE. This means your file is corrupt or you are using a different file, for example the one for the G2 instead of Desire Z.

    Now, let's turn off security for permanent flashing:

    Code:
    # insmod /data/local/wpthis-Z.ko
    init_module 'wpthis-Z.ko' failed (Function not implemented)

    That means it worked. This next step is CRUCIAL. You must make sure that you are writing to the proper partition here or you could brick your phone. To be absolutely clear- the partition is mmcblk(zero)p(one)(eight)

    # dd if=/data/local/hboot_7230_0.84.2000_100908.nb0 of=/dev/block/mmcblk0p18
    You should see some messages indicating that it was written.

    Code:
    # /data/local/tmp/root
    This will lock in root, and give you 'su' access in the future. Next, run:

    Code:
    # sync

    Now wait at least a minute, just to be safe. After waiting, reboot your phone using the power button. After it finishes starting up, launch the terminal emulator, and type 'su'. You should get the prompt asking you to grant permissions. If you got the prompt, congratulations! You have permanent root!
    1
    ok i hope i'm not screwed. When i typed in "$ /data/local/tmp/rage' suddenly my phone asked for a connection type, and I didn't get to see the 'forked XXX child' msg. but a bunch of text that included 'screwing kids' or something liek that. Can i proceeed? Or I need to type in "$ /data/local/tmp/rage" again? I did not key in the $ sign just the command after it.

    Terminal emulator exited and the phone became laggy. I launched it back and instead of a $ sign it was now a # sign.

    Help?

    I have now put the default connection to 'charge only', previously it was 'disk drive' but i selected 'charge only' for the purpose of rooting when prompted but did not check 'do not ask me again'. I guess it won't prompt me again now.

    Or is it easier for me to reboot the phone and resume the steps right after pushing the files?

    The connections are still intact as I'm posting.
    The phone is still functional though, not laggy anymore.

    Summary:
    Last command in command prompt = adb shell chmod 0755 /data/local/tmp/*
    Last command in Terminal emulator = $ /data/local/tmp/rage
    now it's showing (after reopening the app) = export PATH=/data/local/bin:$PATH# #
    Phone suddenly asked for connection type
    Terminal emulator exited
    Panic!

    That sounds ok, though I wonder if you didn't wait long enough for the "forked" message.

    What rage does is start up a couple of thousand processes on your phone, to exploit a bug that lets it become root. So your phone will go a bit slower while this is happening.

    If you've got the # prompt then that's good news, it means you've got root. At this stage it's only a temp root, but that's what it's supposed to do.

    Can you get the terminal emulator back up and open again with the # prompt ?
    1
    thing is my screen turned off and (screen timeout? lol) and connection prompt thingy before I get to see the 'forked ....' msg.

    Opened terminal emulator and it's showing me now:

    export PATH=/data/local/bin:$PATH#
    # #

    Proceed? Any way I can check if i'm in the right steps?

    ok, well it sounds like "rage" worked fine. So just proceed to the next step. Skip over the "dd" though.
    1
    ok i've proceeded with the perma root steps and the last return was

    mkdir failed for /system/xbin, File exists


    I've proceeded with the 'sync' command.

    Ok to reboot?

    Yes, go ahead. That "File exists" message is normal.
    1
    YES! Reboot was OK! Man it did take a life time to reboot (longer, I suppose?). How do i check if root access is persistent? Typing 'su' in terminal?

    Yes, do an "su" and check you can get the # prompt after a reboot.