Can we try EVO's new root method for 1.49?

ericFuels999

Ran across this thread in the EVO section, seeing how we also have HTC's flash lite. It made me hopeful of attaining root. I've tried every card mentioned as being successful on three different systems :-(

http://forum.xda-developers.com/showthread.php?t=718889
Even though I didn't really think it would work, I gave it a shot anyway. Naturally, it was unsuccessful. The Eris takes FOREVER to load that website, and it never triggers the shell script to ask for a reload, therefore permission is denied for the second part when you reboot with adb shell.

Interesting exploit, though. I wonder if there is some way to modify it for the Eris. Maybe you could contact the devs.
 

sickbox

Yep that's what I expected. Yea there's gotta be someone here that can do the changes to the EVO files so they work with Eris, and upload the proper files to file sites and have us downloading in no time, so we can get root finally. Yes please anyone here up and willing
Toastcfh used to do some work for the Eris; someone may want to start there, since he provided what looks to be a pretty main part of the EVO root.
 

bftb0

Anyone with an Eris can help out - rooted or unrooted.

I looked at those scripts last night - what seems like the necessary conditions for the beginning of the exploit (part1) are:

(1) there is a directory read/write/traversal permission security flaw in the data area for flash-lite;
(2) apparently, when flash-lite is running it must have root privilege at a moment when it performs a file "chmod" operation.

So, an unprivileged user goes in, and makes a symlink (at the correct moment in time) in flash-lite's data area that points to a mtd partition - moments later, flash-lite "chmods" what it thinks is a file in its data area, but instead, it is chmod'ing the target of a symlink - the normally protected mtd partition.

This allows use of flash_image to write whatever is wanted to that partition - even as an unprivileged user.

It should be easy enough for someone with Linux/Unix command line scripting experience to test to see if these conditions prevail on the Eris. You don't even need to be root - make your symlink point to something in /data/local if you are worried about something bad happening to a mtd partition. Chmod it initially to 600, and see if it gets changed by flash-lite when (and if) you drop the symlink into place.


I would do it, but I've got to go buy all the parts for ( & build) a new computer (no dev station as of last night :( ).

bftb0
 

ericFuels999

Anyone with an Eris can help out - rooted or unrooted.

bftb0
Thank you for the detailed explanation. I'll have a look at the scripts, though it's more about learning new things for me, as this exceeds the current state of my unix knowledge. Hope others with more immediate knowledge of the subject will take a crack at it.
 

ericFuels999

The shell script points to sharedobjects within /data/data/com.android.browser/flashlite, but neither sharedobjects, nor any folder for that matter, exists within that directory on the Eris. Is there a different place this could point? Does the Eris have the same objects stored in a different location?
 

MyFixofAndroid

UPDATE: I'm searching my filesystem on my Eris right now to find it. I will report back later with results.

Also, if we find a sharedobjects folder (and the right one) then we can point the script in the proper direction and have root very soon. :D
 

jimbonj

Maybe the "sharedobjects" folder and other missing folders are really on the Eris, one of you should look for them. Use ASTRO or a different file manager and search most of the whole filesystem and see if you can find "sharedobjects" on your Erises.

In the meantime I'll try the same thing. Maybe there's a search engine for the file system of the Eris that you can get in the Android Market, that would do the trick. A file and/or folder search engine. :D

If we find a sharedobjects folder (and the right one) then we can point the script in the proper direction and have root very soon. :D
From what I see (and this may just be my eris), the directory probably does exist but we can't touch it:
ls -l
...
drwxrwx--x system system 2010-04-15 02:23 data
...

No read or write permissions to the directory using adb or Astro.

I do have permissions for /sdcard/data on my Eris:
d---rwxr-x system sdcard_rw 2010-06-26 13:26 data

but it doesn't contain the referenced folders and I don't think the browser downloads temporary files to the SD card.
 

sickbox

I checked on my other Eris which is rooted. It seems that these may be the directories that we are looking for. However I don't find anything in an app-cache directory.


# find / -name *flashlite
find / -name *flashlite
/data/data/com.android.browser/flashlite
find: /proc/851: No such file or directory
# find / -name com.android.browser
find / -name com.android.browser
/data/data/com.android.browser
 

MyFixofAndroid

Well this appears to be the deal breaker then. Because non-root users of Eris cannot access /data as non-root, they cannot see anything in app-cache, and therefore cannot root yet, at least with this particular method unless there's another way to do it.

We should think of a way to still exploit Flash Lite on Eris, but use a different folder/folders in the Part? scripts that they point to for the operations of the script. This may be possible to do, however, still unlikely to work, and it is still going to be hard at this point.

But does anyone want to give my modified EVO method but for Eris a try? One of you should, so that we can root this thing and get it over with.
 

jvward

From what I see (and this may just be my eris), the directory probably does exist but we can't touch it:
ls -l
...
drwxrwx--x system system 2010-04-15 02:23 data
...

No read or write permissions to the directory using adb or Astro.

I do have permissions for /sdcard/data on my Eris:
d---rwxr-x system sdcard_rw 2010-06-26 13:26 data

but it doesn't contain the referenced folders and I don't think the browser downloads temporary files to the SD card.

I don't think we would need read/write permissions to begin with to use this root; if we had them to start we would be rooted :)

Because he is using an exploit in flash lite to write to a restricted folder, he's not just found a folder where the permissions aren't set correctly.

If flash lite can invoke admin access and we can exploit it there should be a way to root this.

I am going to the bar to get some beers for my friend's birthday; when I get home I am going to see if I can modify this into an Eris root :)
 

MyFixofAndroid

Yeah JVWARD!

On your rooting effort, all the better, try modifying it for Eris and let all of us know if you succeed, hope you can, so we can get root too. Keep trying it with different changes until you get it to work.

Thanks.
 

sickbox

You are able to cd directly into /data/data/com.android.browser/ and then ls, so all hope may not be lost yet. The flashlite directory does not show up, I'm guessing because I haven't used my browser yet, so I need to try and get to a flash site and see if it is created. I'm having some problems with the touch screen on my leak Eris right now that I'm trying to fix, if anyone else wants to give it a shot.
 

MyFixofAndroid

You are able to cd directly into /data/data/com.android.browser/ and then ls, so all hope may not be lost yet. The flashlite directory does not show up, I'm guessing because I haven't used my browser yet, so I need to try and get to a flash site and see if it is created. I'm having some problems with the touch screen on my leak Eris right now that I'm trying to fix, if anyone else wants to give it a shot.
Yes sickbox, by all means, keep trying stuff, and finding that "flashlite" directory etc. till you get it to root. Hope your touchscreen returns to normal, and that you can create the directory that you mentioned in your previous post by using a flash site.
 

lostpilot28

Hey guys, I know this is a tall order, but I want to help. Any chance you could do a "step by step" set of instructions, or at least copy & paste the Evo instructions with the appropriate changes to try this on the Eris? I'm still not rooted, and the SD card Timing root method isn't working for me. I'd like to try something different.
 

jvward

Hey, can someone with a rooted Eris using an almost 100% stock ROM setup dump their file system and post it? Anyone using a highly customized ROM, don't bother.

 

ericFuels999

Hey guys, I know this is a tall order, but I want to help. Any chance you could do a "step by step" set of instructions, or at least copy & paste the Evo instructions with the appropriate changes to try this on the Eris? I'm still not rooted, and the SD card Timing root method isn't working for me. I'd like to try something different.
Link to the Evo instructions is in the OP. Currently working to see if it's possible on the Eris, so that's a no-go for now.

Stay tuned. :D