[HOW-TO] Root FRGxx builds without unlocking bootloader


cmstlist

Senior Member
Jan 11, 2010
3,364
524
Toronto
Google Pixel 4a
EDIT: Great news! We have an on-device one-click root again!

Simply download VISIONary from (edit: used to be in the Market) Modaco. I tried it on FRG83 stock. It works. No ADB, no external computer required, no fuss. Thanks to the developers!

EDIT again: Sorry, the FRG83D build no longer works with VISIONary - BUT - the overall rageagainstthecage method still works via ADB. I also hear that SuperOneClick works but it requires a Windows machine.

----

Ok it's been established that Universal Androot / exploid / freenexus no longer works on FRG33/FRG83 etc. And it's been established that "rageagainstthecage" does still work. So far I'm not aware of a one-click method to implement the latter exploit.

So I'm starting this thread to centralize everyone's experiences. I don't personally need these instructions but other folks apparently do. I've quoted a rooting guide in post #2. If you think any refinements are necessary or you have a better way of writing it out, please feel free to add to this thread.
 

cmstlist

Thanks to efrant for pointing the way to this guide. Based on comments below, I'm quoting another revised version.

Hi OP,
You may want to edit your post #2. I have inserted the mounting commands in the thread I posted previously. This will help novice users get things right out of the box without figuring out why permission is denied.
I have just tried out the additional mounting steps; things are working fine.

Tidy up step by step rooting

1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz

2) Getting Superuser.apk, busybox, su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find them yourself; there are many floating around.

3) Rooting Process (Installing custom Recovery ROM section is deleted to simplify illustration)
Reference: http://forum.xda-developers.com/showpost.php?p=8120790&postcount=250

Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)

F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage

F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}
[*] Searching for adb ...
[+] Found adb as PID 64
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server

F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *

F:\ADB>adb shell
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system

Follow the following steps to install Superuser.apk, busybox, su

F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit

F:\ADB>adb shell
# su
su
# mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
# exit 
exit


And below are the previous contents of this post, prior to editing.
-------------


Many respondents on this thread have indicated that the instructions don't work the first time. If you get to the step where you are supposed to get a root shell (#) but you instead get a non-root shell ($), start from the top and try the exploit once or twice more. Apparently if you are persistent it will work.

I'm also told these instructions are missing adb remount before the steps where you push busybox, su and so forth.

Tidy up step by step rooting

1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/RageAgainstTheCage.tgz

2) Getting Superuser.apk, busybox, su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find them yourself; there are many floating around.

3) Rooting Process (Installing custom Recovery ROM section is deleted to simplify illustration)
Reference: http://forum.xda-developers.com/showpost.php?p=8120790&postcount=250
Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)

F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage

F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}
[*] Searching for adb ...
[+] Found adb as PID 64
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server

F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *

F:\ADB>adb shell
#

Follow the following steps to install Superuser.apk, busybox, su

F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit

F:\ADB>adb shell
# su
su
# exit 
exit
 
  • Like
Reactions: PaulCayard
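
As an added example (not code from this thread or from any tool it mentions): a small Python audit that looks for what the procedure above leaves on a device, namely setuid-root binaries such as su and busybox at mode 4755 and a /system partition left mounted read-write. The sample listing and mount lines are constructed, and the toolbox-style `ls -l` layout and the `vendor-helper` file name are assumptions.

```python
import re

# Constructed sample input (not captured from a real device): `ls -l` lines in
# an assumed toolbox layout "mode owner group size date time name", and
# /proc/mounts-style lines using the partition named in the thread.
SAMPLE_LS = """\
-rwsr-xr-x root     root        26264 2010-10-12 21:04 su
-rwsr-xr-x root     root      1926944 2010-10-12 21:03 busybox
-rwxr-xr-x root     shell       59392 2010-08-01 10:00 toolbox
-rwsr-x--- root     shell        5392 2010-08-01 10:00 vendor-helper
"""
SAMPLE_MOUNTS = """\
rootfs / rootfs ro 0 0
/dev/block/mtdblock3 /system yaffs2 rw 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
"""


def mode_to_octal(perm):
    """Convert an ls mode string such as '-rwsr-xr-x' to its numeric mode."""
    mode = 0
    for i, ch in enumerate(perm[1:10]):
        bit = 1 << (8 - i)
        if i % 3 == 2:  # execute slot, which may also carry a special bit
            if ch in "sStT":  # setuid, setgid or sticky, by triplet
                mode |= (0o4000, 0o2000, 0o1000)[i // 3]
            if ch in "xst":  # lowercase means execute is set as well
                mode |= bit
        elif ch != "-":
            mode |= bit
    return mode


def parse_ls(text):
    """Yield (name, owner, mode) for every regular-file line in a listing."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not re.fullmatch(r"-[rwxsStT-]{9}", f[0]):
            continue
        owner = f[2] if f[1].isdigit() else f[1]  # GNU ls adds a link count
        yield f[-1], owner, mode_to_octal(f[0])


def system_mount_options(mounts_text):
    """Return the option list of the /system entry, or [] if it is absent."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "/system":
            return f[3].split(",")
    return []


def audit(ls_text, mounts_text):
    """List setuid-root files and report a read-write /system mount."""
    findings = []
    for name, owner, mode in parse_ls(ls_text):
        if owner == "root" and mode & 0o4000:
            # The 'other' execute bit decides whether any app uid can run it.
            reach = "any uid" if mode & 0o001 else "owner/group only"
            findings.append(f"setuid-root {name} mode {mode:04o} ({reach})")
    if "rw" in system_mount_options(mounts_text):
        findings.append("/system is mounted read-write")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LS, SAMPLE_MOUNTS):
        print(finding)
```
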

cmstlist

There is detailed step-by-step info in many threads as to how to use the rageagainstthecage exploit to root your device, e.g.: http://forum.xda-developers.com/showpost.php?p=8300203&postcount=55

Why start a new thread?

Actually that's perfect, thanks.

I started a new thread because the step-by-step info is buried in other threads and many folks post questions asking about it because they can't find said guides. I figured if I could start a new thread with a proper title, it would be located more easily.
 

Jack_R1

Senior Member
Aug 9, 2009
4,365
962
All the info is located in Nexus One Wiki, under "Guides" / "Rooting". Direct link to the post with complete data. So I still don't see any need for the post, that will be buried in forum depths. My signature..

But since you posted it, and it's more detailed - I'll change the link to point to it.

[edit 2] The Wiki is damn slow after the forum crash...
[edit 3] It refuses to accept the submit, complaining about "session data loss". Time to complain to admins..
 

cmstlist

Heh well if the Wiki is crashy at the moment, all the more reason to have a redundant post here.

If you look back to the linked posts, I was the one who suggested which instructions for ali3nfr3ak to follow after a successful push of rageagainstthecage, and then ali3nfr3ak reported success on FRG33, and then hmanxx seems to have stripped out the irrelevant/unnecessary lines. So it's teamwork =)

One thing I'm not sure of - I see the original "exploid"/"freenexus" instructions included a cleanup by removing /system/bin/rootshell. Should something similar be done after rageagainstthecage to clean up?
 

ali3nfr3ak

Senior Member
Dec 1, 2008
598
151
Christchurch
@cmstlist This is a good idea, because when I did this I had like 3 different pages open as all the information was spread everywhere, hopefully this will make it easier for everyone to follow, good one :D
 

highvista

Senior Member
Jul 12, 2009
249
56
Oregon
LG V20
I used the steps posted here to restore root access to a Nexus One which had been previously rooted with 1-click. It was running stock FRF91. It was a fairly smooth process, especially since the update to FRG83 did not delete my Superuser.apk, su, or busybox files. The permissions had just been turned down, so with the RageAgainstTheCage exploit active, I was able to change the permissions as indicated and was off and running.

The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command

mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system

for the read/write mount and was then able to turn up the permissions. And, in the interests of completeness, to mount /system read-only again afterward:

mount -o remount,ro -t yaffs2 /dev/block/mtdblock4 /system

Thanks much for consolidating the procedure where it was easy to find.
 

Jack_R1

The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command

mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system

It's mtdblock3, not mtdblock4, though for some reason the mount worked for me even on 6. But in any case, much better and easier done using ADB command:

adb remount


Finally the Wiki is also back to work, the "Rooting FRG83" link is updated to point to this thread.
 

Atento

Senior Member
Jun 18, 2010
622
243
Curitiba
Here, the rageagainstthecage didn't work.
I followed these steps:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)

F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage

F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}
[*] Searching for adb ...
[+] Found adb as PID 64
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server

F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *

F:\ADB>adb shell
#
But, I didn't get root shell (#), when I typed "adb shell" I still got ($).
I'm in FRG83, Android 2.2.1.

Any ideas?
 

snovvman

Senior Member
Jun 6, 2008
1,530
511
Thanks to efrant for pointing the way to this guide.

Thank you for posting this. It was a big help. I lost my root after 2.2.1 and this worked great. I did have to execute the .bin file 3 times. The first time, I got $, and the second time as well. It was only on the 3rd execute that I got the # prompt. I read that others had the same problem, that it only worked after a few times.

I used the steps posted here to restore root access to a Nexus One which had been previously rooted with 1-click. It was running stock FRF91. It was a fairly smooth process, especially since the update to FRG83 did not delete my Superuser.apk, su, or busybox files. The permissions had just been turned down, so with the RageAgainstTheCage exploit active, I was able to change the permissions as indicated and was off and running.

The only gotcha I ran into was that I had to mount the /system partition read/write before I could set permissions on the files there. After the exploit was active and I had shelled back into the phone via ADB, I issued the command

mount -o remount,rw -t yaffs2 /dev/block/mtdblock4 /system

for the read/write mount and was then able to turn up the permissions. And, in the interests of completeness, to mount /system read-only again afterward:

mount -o remount,ro -t yaffs2 /dev/block/mtdblock4 /system

Thanks much for consolidating the procedure where it was easy to find.

Thank you for this. I was in the same situation and I was not able to set the permissions. Then I saw your post. I am not a Linux/Unix guy, so it was step-by-step for me. Curiously, why is it necessary to change the permission for su, busybox, etc.?

Thanks guys.
 

Xel'Naga

Member
Apr 14, 2010
22
3
Here, the rageagainstthecage didn't work.
I followed these steps:

But, I didn't get root shell (#), when I typed "adb shell" I still got ($).
I'm in FRG83, Android 2.2.1.

Any ideas?

I had this, too. Like the above poster said, I got # after several tries. However something went wrong midway through the other steps from efrant, and I went back and lost #, only had $.

Also looking for ideas.
 

snovvman

I had this, too. Like the above poster said, I got # after several tries. However something went wrong midway through the other steps from efrant, and I went back and lost #, only had $.

Also looking for ideas.

I would try the process over again from the beginning. Once you get the #, follow highvista's information to mount the file system as RW, and do the chmods. After you are done, re-mount as RO.
 

Xel'Naga

I would try the process over again from the beginning. Once you get the #, follow highvista's information to mount the file system as RW, and do the chmods. After you are done, re-mount as RO.

Yup, had to reboot the device and try again about four times and then it finally all stuck. Now rooted on 2.2.1.
 

Atento

Thank you for posting this. It was a big help. I lost my root after 2.2.1 and this worked great. I did have to execute the .bin file 3 times. The first time, I got $, and the second time as well. It was only on the 3rd execute that I got the # prompt. I read that others had the same problem, that it only worked after a few times.



Thank you for this. I was in the same situation and I was not able to set the permissions. Then I saw your post. I am not a Linux/Unix guy, so it was step-by-step for me. Curiously, why is it necessary to change the permission for su, busybox, etc.?

Thanks guys.
Thanks for your replies! I'm rooted now.

Thanks for all!!!
 

hmanxx

Senior Member
Nov 15, 2008
170
9
Hi OP,
You may want to edit your post #2. I have inserted the mounting commands in the thread I posted previously. This will help novice users get things right out of the box without figuring out why permission is denied.
I have just tried out the additional mounting steps; things are working fine.

Tidy up step by step rooting

1) Getting rageagainstthecage-arm5.bin
http://stealth.openwall.net/xSports/...nstTheCage.tgz

2) Getting Superuser.apk, busybox, su
http://forum.xda-developers.com/showthread.php?t=736271
Or
Find them yourself; there are many floating around.

3) Rooting Process (Installing custom Recovery ROM section is deleted to simplify illustration)
Reference: http://forum.xda-developers.com/show...&postcount=250

Code:
F:\ADB>adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage
263 KB/s (5392 bytes in 0.020s)

F:\ADB>adb shell chmod 700 /data/local/tmp/rageagainstthecage

F:\ADB>adb shell
$ cd /data/local/tmp
cd /data/local/tmp
$ ./rageagainstthecage
./rageagainstthecage
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C
[*] checking NPROC limit ...
[+] RLIMIT_NPROC={3084, 3084}
[*] Searching for adb ...
[+] Found adb as PID 64
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C[at]web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
$
F:\ADB>adb kill-server

F:\ADB>adb start-server
* daemon not running. starting it now *
* daemon started successfully *

F:\ADB>adb shell
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system

Follow the following steps to install Superuser.apk, busybox, su

F:\ADB>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox cp busybox /system/bin
./busybox cp busybox /system/bin
# chmod 4755 /system/bin/busybox
chmod 4755 /system/bin/busybox
# busybox cp Superuser.apk /system/app
busybox cp Superuser.apk /system/app
# busybox cp su /system/bin
busybox cp su /system/bin
# chmod 4755 /system/bin/su
chmod 4755 /system/bin/su
# exit
exit

F:\ADB>adb shell
# su
su
# mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
# exit 
exit
 

cmstlist

Thanks, I'll fix it up when I'm at a desktop computer again and less occupied by the Masters thesis I'm defending in just over 2 weeks :)

Sent from my Nexus One using XDA App
 

Fredro

Member
Feb 15, 2010
43
6
hehe oh noes. I gave the cage file a go 3 times, failed, so I got pissed and unlocked the bootloader, then now I read about the remounting of the file system.. didn't think about that.

well.. now I can't undo the unlocking :/
 
