EVO Shift Temp Root for 2.3.3 and HBoot Downgrade

Search This thread

Stuke00

Senior Member
Oct 6, 2010
711
96
Collinsville, IL
To downgrade your HBOOT to go back to 2.2 visit this link http://forum.xda-developers.com/showthread.php?t=1255474
This will allow you to flash 2.2 to perm root the phone

If you wish to help with perm root status for Android 2.3.3, please visit this thread http://forum.xda-developers.com/showthread.php?t=1218580

Thanks to everyone in this post who has helped get this far. You will need to have the Android SDK installed and working knowledge of ADB and basic file system structure.

Major help from minneyar

TEMP ROOT Instructions:
  • Download http://tinyw.in/1lI
  • Unzip if required and put in your ADB folder
  • Launch command prompt and navigate to your ADB folder
  • adb push fre3vo /data/local/tmp/
  • adb shell
  • chmod 777 /data/local/tmp/fre3vo
  • /data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF (if this doesn't work, try rebooting phone)
  • Download these 2 files here and put them in your ADB directory: http://forum.xda-developers.com/showthread.php?p=14927732#post14927732
  • exit back to command prompt if you aren't there already
  • adb push Superuser3-beta1.apk /data/app/
  • adb push su-3.0-alpha7 /data/local/tmp
  • adb shell (should now see # instead of $)
  • cd /data/local/tmp
  • chmod 777 su-3.0-alpha7
  • ./su-3.0-alpha7
  • cd /
  • mount -o remount,rw -t rootfs rootfs /
  • rm vendor
  • mkdir vendor
  • mkdir vendor/bin
  • cat /data/local/tmp/su-3.0-alpha7 > /vendor/bin/su
  • chmod 4755 /vendor/bin/su

You now have temp root. Disregard any notification about outdated SU binary. Root will go away if you reboot. If you reboot your phone you can obtain root again by just running the following

  • adb shell
  • chmod 777 /data/local/tmp/fre3vo
  • /data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF
  • adb shell (should now see # instead of $)
  • cd /data/local/tmp
  • chmod 777 su-3.0-alpha7
  • ./su-3.0-alpha7
  • cd /
  • mount -o remount,rw -t rootfs rootfs /
  • rm vendor
  • mkdir vendor
  • mkdir vendor/bin
  • cat /data/local/tmp/su-3.0-alpha7 > /vendor/bin/su
  • chmod 4755 /vendor/bin/su

I haven't found a way to re-root after rebooting without connecting to a PC
 

Attachments

  • temproot.jpg
    temproot.jpg
    42.6 KB · Views: 3,797
Last edited:

tokuzumi

Senior Member
Nov 25, 2008
1,117
173
You are saying you cannot install the superuser app? From reading in the Evo3D forums, you could install Superuser, even without being rooted, but it obviously won't allow root access, until you run a root exploit.

Try rebooting the phone, installing superuser, run fre3vo, and then try the adb shell, and su method.

This is getting interesting. Hopefully you are on to something.
 
  • Like
Reactions: jimmy2823

Stuke00

Senior Member
Oct 6, 2010
711
96
Collinsville, IL
You are saying you cannot install the superuser app? From reading in the Evo3D forums, you could install Superuser, even without being rooted, but it obviously won't allow root access, until you run a root exploit.

Try rebooting the phone, installing superuser, run fre3vo, and then try the adb shell, and su method.

This is getting interesting. Hopefully you are on to something.

Okay let me clarify

I can install SU but it wouldn't install the binaries. I did all of the above. Says su: not found.

I then tried something else.
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
# cat /system/bin/sh > /system/bin/su
# chmod 4755 /system/bin/su

I was then able to get the SU binaries to install but Titanium Backup says:
"Busybox works but the "su" command does not elevate to root: "whoami" reports "app_135" instead of root/uid 0.

then su from the command prompt was saying "link_image[1935]: 3160 missing essential tablesCANNOT LINK EXECUTABLE" and now back to su: not found again....
 
  • Like
Reactions: blamous and Derfus

crump84

Senior Member
Feb 19, 2011
1,308
445
The Gump
Well here's a tweet he put out a couple of hours ago.

@agrabren: For those with the SHIFT, it's a known bug in my code that we missed the address. One too many zeroes in the list. I'll try to fix it soon.


Sent from my PG06100 using XDA App
 

Stuke00

Senior Member
Oct 6, 2010
711
96
Collinsville, IL
Well here's a tweet he put out a couple of hours ago.

@agrabren: For those with the SHIFT, it's a known bug in my code that we missed the address. One too many zeroes in the list. I'll try to fix it soon.


Sent from my PG06100 using XDA App

Yeah he posted that right after I gave him the memory address for the exploit. Just means that I did it the manual way through debugging. At least I think so... hopefully soon!
 
  • Like
Reactions: Mr_myke

minneyar

Member
Mar 31, 2008
14
7
San Antonio
Good news, everybody! I have successfully acquired temp root on my Shift!

First, fre3vo has to be pointed at the right address. After copying it over to my phone, I did "adb shell" and then ran it like so:

/data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF

That printed out a message that it found an exploit and kicked me out of the shell. After doing "adb shell" again, I got a command prompt. I tried installing the 2.3.6.3 version of Superuser, but it complained about being unable to install "su"; I tried to find a separate su binary and copy it over manually, but it didn't work due to a linker error.

After searching around, I found a beta version of Superuser 3:
http://forum.xda-developers.com/showthread.php?p=14927732#post14927732

First I uninstalled the old version of Superuser and then used adb to install the new one from that thread. I ran it and it said it was unable to install su, so I downloaded the version of su provided there and installed it manually. The process went something like:

Code:
adb push su-3.0-alpha7 /data/local/tmp
adb shell
# cd /data/local/tmp
# chmod 4755 su-3.0-alpha7
# ./su-3.0-alpha7
# mount -o remount,rw -t ext3 /dev/block/mmcblk0p26 /system
# cat su-3.0-alpha7 > /system/bin/su
# chmod 4755 /system/bin/su

I don't know if explicitly running "./su-3.0-alpha7" is necessary, it just seemed like a good idea at the time. I don't know if everybody's block device will be named "mmcblk0p26", I used "mount" to figure out what was mounted at /system.

Anyway, after all that was done, I ran Superuser again and it didn't complain. To test it out, I started up Wireless Tether. It asked me for superuser permissions, which I granted it, and it's working fine.

Root successful!
 
Last edited:

Kevets

Senior Member
Mar 20, 2010
505
109
I followed those steps exactly and got what I would call a partial root. Some of the 'you need root' errors are gone but "su" still results in 'not found' even though "mkdir su" results in 'file exists.'

mmcblk0p26 exists on this unit.

The weirdest part is that Adfree will accept the device as rooted and with superuser but says it can't find a partition to modify. And after a reboot root is definitely gone.

I think you're on to it but it isn't quite there yet.
 
  • Like
Reactions: minneyar

minneyar

Member
Mar 31, 2008
14
7
San Antonio
It seems to be fully temprooted to me; I have to redo it if I reboot, but otherwise it's working perfectly. After following the steps I listed above, running "ls -l /system/bin/su" should produce this output:

Code:
# ls -l /system/bin/su
ls -l /system/bin/su
-rwsr-xr-x root     root        22228 2011-07-25 19:14 su

If it says "No such file or directory" instead, then the su binary isn't in the right place.

Looking back over what I wrote, I think I left out a step -- if you were following what I listed exactly, it probably won't work, because I forgot to change to the /data/local/tmp directory. I'll update that...

Update: after playing around with it for a while, something is definitely not quite right. Everything works fine at first; I've tested Wireless Tether and Titanium Backup and they're both fine. After leaving my phone for a while and coming back, though, applications that try to get root access mysteriously fail. The dialog prompt doesn't even appear.

Going back into the adb shell, /system/bin/su is still there, but trying to run "su" causes this to happen:

Code:
# su
su
link_image[1935]:  3802 missing essential tablesCANNOT LINK EXECUTABLE

But if I use cat to overwrite su and then chmod it again, everything works. su must somehow be getting modified by something else and replaced with a bad version... but I'm not sure where to look.
 
Last edited:

Stuke00

Senior Member
Oct 6, 2010
711
96
Collinsville, IL
It seems to be fully temprooted to me; I have to redo it if I reboot, but otherwise it's working perfectly. After following the steps I listed above, running "ls -l /system/bin/su" should produce this output:

Code:
# ls -l /system/bin/su
ls -l /system/bin/su
-rwsr-xr-x root     root        22228 2011-07-25 19:14 su

If it says "No such file or directory" instead, then the su binary isn't in the right place.

Looking back over what I wrote, I think I left out a step -- if you were following what I listed exactly, it probably won't work, because I forgot to change to the /data/local/tmp directory. I'll update that...

Update: after playing around with it for a while, something is definitely not quite right. Everything works fine at first; I've tested Wireless Tether and Titanium Backup and they're both fine. After leaving my phone for a while and coming back, though, applications that try to get root access mysteriously fail. The dialog prompt doesn't even appear.

Going back into the adb shell, /system/bin/su is still there, but trying to run "su" causes this to happen:

Code:
# su
su
link_image[1935]:  3802 missing essential tablesCANNOT LINK EXECUTABLE

But if I use cat to overwrite su and then chmod it again, everything works. su must somehow be getting modified by something else and replaced with a bad version... but I'm not sure where to look.

YES! I have root! I was able to install a screenshot app and test it :) this is amazing progress! Thanks for that.

So now when I reboot, you have to do the entire thing again? SU and all?
 

Kevets

Senior Member
Mar 20, 2010
505
109
I think I had that issue too. I just couldn't believe the files just disappeared and thought I did something wrong somewhere.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 32
    To downgrade your HBOOT to go back to 2.2 visit this link http://forum.xda-developers.com/showthread.php?t=1255474
    This will allow you to flash 2.2 to perm root the phone

    If you wish to help with perm root status for Android 2.3.3, please visit this thread http://forum.xda-developers.com/showthread.php?t=1218580

    Thanks to everyone in this post who has helped get this far. You will need to have the Android SDK installed and working knowledge of ADB and basic file system structure.

    Major help from minneyar

    TEMP ROOT Instructions:
    • Download http://tinyw.in/1lI
    • Unzip if required and put in your ADB folder
    • Launch command prompt and navigate to your ADB folder
    • adb push fre3vo /data/local/tmp/
    • adb shell
    • chmod 777 /data/local/tmp/fre3vo
    • /data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF (if this doesn't work, try rebooting phone)
    • Download these 2 files here and put them in your ADB directory: http://forum.xda-developers.com/showthread.php?p=14927732#post14927732
    • exit back to command prompt if you aren't there already
    • adb push Superuser3-beta1.apk /data/app/
    • adb push su-3.0-alpha7 /data/local/tmp
    • adb shell (should now see # instead of $)
    • cd /data/local/tmp
    • chmod 777 su-3.0-alpha7
    • ./su-3.0-alpha7
    • cd /
    • mount -o remount,rw -t rootfs rootfs /
    • rm vendor
    • mkdir vendor
    • mkdir vendor/bin
    • cat /data/local/tmp/su-3.0-alpha7 > /vendor/bin/su
    • chmod 4755 /vendor/bin/su

    You now have temp root. Disregard any notification about outdated SU binary. Root will go away if you reboot. If you reboot your phone you can obtain root again by just running the following

    • adb shell
    • chmod 777 /data/local/tmp/fre3vo
    • /data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF
    • adb shell (should now see # instead of $)
    • cd /data/local/tmp
    • chmod 777 su-3.0-alpha7
    • ./su-3.0-alpha7
    • cd /
    • mount -o remount,rw -t rootfs rootfs /
    • rm vendor
    • mkdir vendor
    • mkdir vendor/bin
    • cat /data/local/tmp/su-3.0-alpha7 > /vendor/bin/su
    • chmod 4755 /vendor/bin/su

    I haven't found a way to re-root after rebooting without connecting to a PC
    6
    Temp Root fully Automated [Windows]

    This zip has ADB, the exploit, the latest su and Superuser.apk [8/18/11], and the latest busybox for android.

    The script is a combination of Windows PowerShell and a sh script. You Must have PowerShell installed (Google it or search Microsoft downloads), preferably version 2. (windows 7 you enable it as a feature, but i think it is on by default)

    Unzip into a folder, preferably near the root of your hard drive. Like C:\TempRootEvoShift
    there is a readme.txt ... it is mostly this information

    Run Powershell (generally Start -> All Programs -> Accessories -> Windows Powershell -> Windows Powershell) [or Start -> Run -> Powershell, or many have an icon in the quick launch bar ... small blue greater than symbol]

    IF you have never run a Powershell script you will need to enable PS1 files by typing set-executionpolicy remotesigned

    CD into the folder you unzipped and run the script by typing

    .\TempRootEvoShift.ps1

    i have tested it on 2 computers, but i digitally signed the script and i do not know what your computers will do with that. If they do not like it, open the script in Notepad, Copy all of it down to, but not including the signature block, and paste it into Powershell (AFTER YOU Change directories into where you unzipped)
    3
    Semi-automated Semi-n00bz proof temp root

    I have come up with a semi-automated root process, check the youtube video here with the description, sorry for it running very fast, my screen recorder was acting weird.

    http://www.youtube.com/watch?v=YPjqeeDKCDw

    and here is the description, no matter what I did YouTube would not let me add the description I wanted, what the heck, so I'll post it here. My should be YouTube description:

    "the commands for the first .bat file are

    Code:
    cd /data/local/tmp
    
    ./su-3.0-alpha7
    
    cd /
    
    mount -o remount,rw -t rootfs rootfs /

    and these are for the second one

    Code:
    cat /data/local/tmp/su-3.0-alpha7 > /vendor/bin/su
    
    chmod 4755 /vendor/bin/su

    And no, this does not let you flash custom recoveries, custom roms, s-off, or any of the like. This only lets you have root access on the stock rom, and semi-automates the process."

    Make sure to use the readme first.txt for help

    Enjoy
    3
    Ok, I should have something alpha by mid week... Got a lot of other stuff going on.
    3
    Good news, everybody! I have successfully acquired temp root on my Shift!

    First, fre3vo has to be pointed at the right address. After copying it over to my phone, I did "adb shell" and then ran it like so:

    /data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF

    That printed out a message that it found an exploit and kicked me out of the shell. After doing "adb shell" again, I got a command prompt. I tried installing the 2.3.6.3 version of Superuser, but it complained about being unable to install "su"; I tried to find a separate su binary and copy it over manually, but it didn't work due to a linker error.

    After searching around, I found a beta version of Superuser 3:
    http://forum.xda-developers.com/showthread.php?p=14927732#post14927732

    First I uninstalled the old version of Superuser and then used adb to install the new one from that thread. I ran it and it said it was unable to install su, so I downloaded the version of su provided there and installed it manually. The process went something like:

    Code:
    adb push su-3.0-alpha7 /data/local/tmp
    adb shell
    # cd /data/local/tmp
    # chmod 4755 su-3.0-alpha7
    # ./su-3.0-alpha7
    # mount -o remount,rw -t ext3 /dev/block/mmcblk0p26 /system
    # cat su-3.0-alpha7 > /system/bin/su
    # chmod 4755 /system/bin/su

    I don't know if explicitly running "./su-3.0-alpha7" is necessary, it just seemed like a good idea at the time. I don't know if everybody's block device will be named "mmcblk0p26", I used "mount" to figure out what was mounted at /system.

    Anyway, after all that was done, I ran Superuser again and it didn't complain. To test it out, I started up Wireless Tether. It asked me for superuser permissions, which I granted it, and it's working fine.

    Root successful!
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone