EVO Shift Temp Root for 2.3.3 and HBoot Downgrade

Stuke00

Senior Member
Oct 6, 2010
711
96
0
Collinsville, IL
To downgrade your HBOOT to go back to 2.2 visit this link http://forum.xda-developers.com/showthread.php?t=1255474
This will allow you to flash 2.2 to perm root the phone

If you wish to help with perm root status for Android 2.3.3, please visit this thread http://forum.xda-developers.com/showthread.php?t=1218580

Thanks to everyone in this post who has helped get this far. You will need to have the Android SDK installed and working knowledge of ADB and basic file system structure.

Major help from minneyar

TEMP ROOT Instructions:
  • Download http://tinyw.in/1lI
  • Unzip if required and put in your ADB folder
  • Launch command prompt and navigate to your ADB folder
  • adb push fre3vo /data/local/tmp/
  • adb shell
  • chmod 777 /data/local/tmp/fre3vo
  • /data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF (if this doesn't work, try rebooting phone)
  • Download these 2 files here and put them in your ADB directory: http://forum.xda-developers.com/showthread.php?p=14927732#post14927732
  • exit back to command prompt if you aren't there already
  • adb push Superuser3-beta1.apk /data/app/
  • adb push su-3.0-alpha7 /data/local/tmp
  • adb shell (should now see # instead of $)
  • cd /data/local/tmp
  • chmod 777 su-3.0-alpha7
  • ./su-3.0-alpha7
  • cd /
  • mount -o remount,rw -t rootfs rootfs /
  • rm vendor
  • mkdir vendor
  • mkdir vendor/bin
  • cat /data/local/tmp/su-3.0-alpha7 > /vendor/bin/su
  • chmod 4755 /vendor/bin/su

You now have temp root. Disregard any notification about outdated SU binary. Root will go away if you reboot. If you reboot your phone you can obtain root again by just running the following

  • adb shell
  • chmod 777 /data/local/tmp/fre3vo
  • /data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF
  • adb shell (should now see # instead of $)
  • cd /data/local/tmp
  • chmod 777 su-3.0-alpha7
  • ./su-3.0-alpha7
  • cd /
  • mount -o remount,rw -t rootfs rootfs /
  • rm vendor
  • mkdir vendor
  • mkdir vendor/bin
  • cat /data/local/tmp/su-3.0-alpha7 > /vendor/bin/su
  • chmod 4755 /vendor/bin/su

I haven't found a way to re-root after rebooting without connecting to a PC
 

Attachments

Last edited:

tokuzumi

Senior Member
Nov 25, 2008
1,117
173
0
You are saying you cannot install the superuser app? From reading in the Evo3D forums, you could install Superuser, even without being rooted, but it obviously won't allow root access, until you run a root exploit.

Try rebooting the phone, installing superuser, run fre3vo, and then try the adb shell, and su method.

This is getting interesting. Hopefully you are on to something.
 
  • Like
Reactions: jimmy2823

Stuke00

Senior Member
Oct 6, 2010
711
96
0
Collinsville, IL
You are saying you cannot install the superuser app? From reading in the Evo3D forums, you could install Superuser, even without being rooted, but it obviously won't allow root access, until you run a root exploit.

Try rebooting the phone, installing superuser, run fre3vo, and then try the adb shell, and su method.

This is getting interesting. Hopefully you are on to something.
Okay let me clarify

I can install SU but it wouldn't install the binaries. I did all of the above. Says su: not found.

I then tried something else.
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
# cat /system/bin/sh > /system/bin/su
# chmod 4755 /system/bin/su

I was then able to get the SU binaries to install but Titanium Backup says:
"Busybox works but the "su" command does not elevate to root: "whoami" reports "app_135" instead of root/uid 0.

then su from the command prompt was saying "link_image[1935]: 3160 missing essential tablesCANNOT LINK EXECUTABLE" and now back to su: not found again....
 
  • Like
Reactions: blamous and Derfus

crump84

Senior Member
Feb 19, 2011
1,308
445
0
The Gump
Well here's a tweet he put out a couple of hours ago.

@agrabren: For those with the SHIFT, it's a known bug in my code that we missed the address. One too many zeroes in the list. I'll try to fix it soon.


Sent from my PG06100 using XDA App
 

Stuke00

Senior Member
Oct 6, 2010
711
96
0
Collinsville, IL
Well here's a tweet he put out a couple of hours ago.

@agrabren: For those with the SHIFT, it's a known bug in my code that we missed the address. One too many zeroes in the list. I'll try to fix it soon.


Sent from my PG06100 using XDA App
Yeah he posted that right after I gave him the memory address for the exploit. Just means that I did it the manual way through debugging. At least I think so... hopefully soon!
 
  • Like
Reactions: Mr_myke

minneyar

Member
Mar 31, 2008
14
7
0
San Antonio
Good news, everybody! I have successfully acquired temp root on my Shift!

First, fre3vo has to be pointed at the right address. After copying it over to my phone, I did "adb shell" and then ran it like so:

/data/local/tmp/fre3vo -debug -start fbb58a00 -end FFFFFFFF

That printed out a message that it found an exploit and kicked me out of the shell. After doing "adb shell" again, I got a command prompt. I tried installing the 2.3.6.3 version of Superuser, but it complained about being unable to install "su"; I tried to find a separate su binary and copy it over manually, but it didn't work due to a linker error.

After searching around, I found a beta version of Superuser 3:
http://forum.xda-developers.com/showthread.php?p=14927732#post14927732

First I uninstalled the old version of Superuser and then used adb to install the new one from that thread. I ran it and it said it was unable to install su, so I downloaded the version of su provided there and installed it manually. The process went something like:

Code:
adb push su-3.0-alpha7 /data/local/tmp
adb shell
# cd /data/local/tmp
# chmod 4755 su-3.0-alpha7
# ./su-3.0-alpha7
# mount -o remount,rw -t ext3 /dev/block/mmcblk0p26 /system
# cat su-3.0-alpha7 > /system/bin/su
# chmod 4755 /system/bin/su
I don't know if explicitly running "./su-3.0-alpha7" is necessary, it just seemed like a good idea at the time. I don't know if everybody's block device will be named "mmcblk0p26", I used "mount" to figure out what was mounted at /system.

Anyway, after all that was done, I ran Superuser again and it didn't complain. To test it out, I started up Wireless Tether. It asked me for superuser permissions, which I granted it, and it's working fine.

Root successful!
 
Last edited:

Kevets

Senior Member
Mar 20, 2010
505
109
0
I followed those steps exactly and got what I would call a partial root. Some of the 'you need root' errors are gone but "su" still results in 'not found' even though "mkdir su" results in 'file exists.'

mmcblk0p26 exists on this unit.

The weirdest part is that Adfree will accept the device as rooted and with superuser but says it can't find a partition to modify. And after a reboot root is definitely gone.

I think you're on to it but it isn't quite there yet.
 
  • Like
Reactions: minneyar

minneyar

Member
Mar 31, 2008
14
7
0
San Antonio
It seems to be fully temprooted to me; I have to redo it if I reboot, but otherwise it's working perfectly. After following the steps I listed above, running "ls -l /system/bin/su" should produce this output:

Code:
# ls -l /system/bin/su
ls -l /system/bin/su
-rwsr-xr-x root     root        22228 2011-07-25 19:14 su
If it says "No such file or directory" instead, then the su binary isn't in the right place.

Looking back over what I wrote, I think I left out a step -- if you were following what I listed exactly, it probably won't work, because I forgot to change to the /data/local/tmp directory. I'll update that...

Update: after playing around with it for a while, something is definitely not quite right. Everything works fine at first; I've tested Wireless Tether and Titanium Backup and they're both fine. After leaving my phone for a while and coming back, though, applications that try to get root access mysteriously fail. The dialog prompt doesn't even appear.

Going back into the adb shell, /system/bin/su is still there, but trying to run "su" causes this to happen:

Code:
# su
su
link_image[1935]:  3802 missing essential tablesCANNOT LINK EXECUTABLE
But if I use cat to overwrite su and then chmod it again, everything works. su must somehow be getting modified by something else and replaced with a bad version... but I'm not sure where to look.
 
Last edited:

Stuke00

Senior Member
Oct 6, 2010
711
96
0
Collinsville, IL
It seems to be fully temprooted to me; I have to redo it if I reboot, but otherwise it's working perfectly. After following the steps I listed above, running "ls -l /system/bin/su" should produce this output:

Code:
# ls -l /system/bin/su
ls -l /system/bin/su
-rwsr-xr-x root     root        22228 2011-07-25 19:14 su
If it says "No such file or directory" instead, then the su binary isn't in the right place.

Looking back over what I wrote, I think I left out a step -- if you were following what I listed exactly, it probably won't work, because I forgot to change to the /data/local/tmp directory. I'll update that...

Update: after playing around with it for a while, something is definitely not quite right. Everything works fine at first; I've tested Wireless Tether and Titanium Backup and they're both fine. After leaving my phone for a while and coming back, though, applications that try to get root access mysteriously fail. The dialog prompt doesn't even appear.

Going back into the adb shell, /system/bin/su is still there, but trying to run "su" causes this to happen:

Code:
# su
su
link_image[1935]:  3802 missing essential tablesCANNOT LINK EXECUTABLE
But if I use cat to overwrite su and then chmod it again, everything works. su must somehow be getting modified by something else and replaced with a bad version... but I'm not sure where to look.
YES! I have root! I was able to install a screenshot app and test it :) this is amazing progress! Thanks for that.

So now when I reboot, you have to do the entire thing again? SU and all?
 

Kevets

Senior Member
Mar 20, 2010
505
109
0
I think I had that issue too. I just couldn't believe the files just disappeared and thought I did something wrong somewhere.