[ROOT ICS] The hard way && Digging for roots

eww245

For anyone that doesn't want to root the hard way, crossix has come up with a double click root for Windows: forum.xda-developers.com/showpost.php?p=23052186&postcount=105

Update 2/26/12
/system can now be mounted writable, see the bottom of this post.

So the old Honeycomb exploit has now been patched in ICS. But there was an exploit found in the newer ICS kernels, written by saurik, called mempodroid.

There is an offset needed as an argument to the binary; for the a100 we'll use what has worked for the a200, as noted in saurik's GitHub linked above.

The issue with this is mounting /system as writable. I'm not sure if it's something in ICS, but it appears to be write protected. As noted here and here we will loop mount the system partition.

The tools needed are:

1. mempodroid under Usage Instructions, download pre-compiled
2. busybox 1.20 snapshot 3-10-12
3. su the latest from androidsu.com, extract from system/bin
4. mount.txt script

After downloading and extracting place them all in a folder called tools.
This must be done with adb. Issue the following from cmd or a terminal:
Code:
$ adb shell mkdir /data/local/tools
$ adb push tools /data/local/tools ; adb shell
$ cd /data/local ; chmod 755 tools/*
$ cd tools ; ./mempodroid 0xd9f0 0xaf47 sh
If all went well you should be at a hash # prompt. This is temp root.

mount /system rw the new way:
Code:
# PATH=$PWD:$PATH
# sh mount.txt -o remount,rw /system

Copy su and busybox to /system
Code:
# ./busybox cp busybox /system/xbin; ./busybox cp su /system/xbin/
# chmod 6755 /system/xbin/su

Install busybox
Code:
# cd /system/xbin
# for i in $(busybox --list); do ln -s busybox $i; done; sync
Copy the mount script
If busybox is updated this step must be run again
Code:
# cp /data/local/tools/mount.txt /system/bin/mount
# cp /data/local/tools/mount.txt /system/xbin/mount

Done, your a100 should be rooted.

the old way:

Now let's loop mount /system
This is no longer needed:
Code:
# ./busybox losetup -o $((512 * 51200)) /dev/block/loop7 /dev/block/mmcblk0
Code:
# ./busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
# mkdir loop ; mount -t ext4 /dev/block/loop7 loop

Copy su and busybox to the new mount point.
Code:
# ./busybox cp su loop/xbin/ ; ./busybox cp busybox loop/xbin/
# chmod 6755 loop/xbin/su ; sync
If it worked your a100 is fully rooted. Make sure to install SuperUser from the Market.
Either get busybox installer from the market, and install it to /data/local/tools/loop/xbin
Or:
Code:
# cd loop/xbin
# for i in $(busybox --list); do ln -s busybox $i; done; sync
The mount point won't survive a reboot so in order to write to /system again run:
Code:
# busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
# mount -t ext4 /dev/block/loop7 /data/local/tools/loop

[update 2/26/12]
To mount /system as writable do the following from adb. We'll just make a directory called /data/loop for easy access.
Code:
$ adb shell
$ su
# stop
(your screen will go black)
# mkdir /data/loop
(skip this if the loop is already set up)
# busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
# mount -t ext4 /dev/block/loop7 /data/loop
# mount -o bind /data/loop /system
# start
You can write to /system with any app but /system can't be remounted ro then back to rw.

This can be added to /etc/install-recovery.sh to make it permanent
Code:
busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
mount /dev/block/loop7 /data/loop
mount -o bind /data/loop /system
Thanks to crossix as the first to get temp root, and Icewyng for pointing out the exploit and helping with the magic number.
 

Attachments

  • mount.txt
    342 bytes · Views: 939
  • busybox-1.20.zip
    936.1 KB · Views: 558
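
The end state of the procedure in the post above (a loop device bind-mounted read-write over /system, set up again at boot from install-recovery.sh) can be audited from a mount table. The following is an added example, not part of the original post; the function names, the /data partition number and both sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads text in /proc/mounts format and
# reports whether /system has been replaced by a writable loop mount.

# Constructed sample: mount table after the bind-mount steps in the post.
SAMPLE_MOUNTS='rootfs / rootfs ro,relatime 0 0
/dev/block/mmcblk0p3 /system ext4 ro,relatime 0 0
/dev/block/mmcblk0p8 /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/loop7 /data/loop ext4 rw,relatime 0 0
/dev/block/loop7 /system ext4 rw,relatime 0 0'

# Constructed sample: unmodified mount table for comparison.
STOCK_MOUNTS='rootfs / rootfs ro,relatime 0 0
/dev/block/mmcblk0p3 /system ext4 ro,relatime 0 0
/dev/block/mmcblk0p8 /data ext4 rw,nosuid,nodev,noatime 0 0'

# Hypothetical helper: one finding per line on stdout, nothing if clean.
# Mounts stack, so the last /system entry is the one in effect.
audit_mounts() {
    awk '
        $2 == "/system" { dev = $1; opts = $4; seen++ }
        END {
            if (seen > 1) print "STACKED: /system mounted " seen " times"
            if (dev ~ /\/loop[0-9]+$/) print "LOOP: /system backed by " dev
            if (("," opts ",") ~ /,rw,/) print "RW: /system is writable"
        }'
}

# Hypothetical helper: list numbered lines of a boot script (stdin) that
# set up a loop device or bind-mount over /system.
audit_boot_script() {
    grep -nE 'losetup|mount .*-o +bind.* /system' || true
}

# On a device the live table would be fed in: audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

A bind mount shows up in /proc/mounts with the source filesystem's device, which is why the loop device appears directly against /system in the sample.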

danifunker

OK...

Testing this out and found there were a couple of bugs.
You didn't have a "loop" folder created so I made one in the "tools" folder.

and, when mounting, you need to specify -t ext4.

Here are the revised commands for # mount /dev/block/loop7 loop

mkdir loop;mount -t ext4 /dev/block/loop7 /data/local/tools/loop

I noticed that the files /data/local/tools/loop/xbin/su and /data/local/tools/loop/xbin/busybox don't exist on /system/xbin until after a restart.

Finally, the busybox we are using to install doesn't seem to make all of the links to all of the nice commands we are used to, so things like grep, cp, etc... they won't work. I'm trying to figure out how to re-run the GUI busybox installer and point it to the loop folder, but haven't had much success.
 

Icewyng

You beat me to the punch... was about to point it out.

Not sure what version of busybox this is but I will try with 1.19.2 and see how it goes.

Edit: Got root! It works great... for Busybox, use Busybox Installer to be able to get the latest version (1.19.4). I confirm that system is R/O for now.
 

eww245

I did have some typos, think it's right now. That is an old busybox, it was just a quick find and it includes losetup but it's not one to use full time. Maybe sync is needed at the end so files are written properly. I didn't have to use -t ext4 with HC, but I'll add it to the OP.

[edit] You have to use "busybox cp" or "busybox grep"; I didn't include a way to add all the symlinks. Wow, I have typos everywhere, it's the end of the day for me, working nights.
 

myprecious27

The tools folder gets pushed (the 3 files are copied) but then it says there is no such folder.
edit: never mind - I created the folder manually and pushed the files into the folder :)
edit2: rooted - thanks guys :)
 

toyface

Brilliant work, will try this later (need to get the sdk all set up again, I've been distro swapping). Got a pool match tonight too, so will try as soon as I can, will give whatever feedback I can later.
 

rando152

Wait, how is it rooted if it's r/o? I thought the point of root was to make the file system r/w... er, is root just allowing you to view all directories? Sorry for a noobish question, but you gotta start somewhere, right?
 

NoSudo

Well I think if we have su working we will be able to mount /system rw in some way if not directly. I can't imagine not being able to.

In any case though being able to write to /data as root is very useful. Example: Hulu flash fix.
 

danifunker

You can't view /data if you're not root. That's one thing. Also, other functions may require root, like advanced networking things, etc.

I agree, not being able to write to /system is a major inconvenience, but most of the root programs will still work, as long as you're not writing to /system.
 

ptesmoke

Better yet, is there a way we can do this solely on the tab? I'm away for work for another 4 weeks and only have my cell and a100 with me :-(

 

eww245

I get
Code:
255|[email protected]:/data/local/tools # mount -t ext4 /dev/block/loop7 /data/local
/tools/loop
lock/loop7 /data/local/tools/loop                                             <
mount: Invalid argument
:(


I noticed the same thing happen after you root it and restart... not sure what to do next. Are you at temp loop?

try:
Code:
# busybox losetup -d /dev/block/loop7

# busybox losetup -o $((512 * 51200)) /dev/block/loop7 /dev/block/mmcblk0
# mount -t ext4 /dev/block/loop7 /data/local/tools/loop
The first line may produce
losetup: /dev/block/loop7: No such device or address
If it's not looped
After you are rooted the above can be run without adb from a terminal as su.
The mount point can be anywhere ex. /sdcard/loop instead of /data/local/tools/loop
 

Top Liked Posts

  • 9
    Here's my attempt at a "double click" root for ics. I've included everything you might need including the usb drivers. It doesn't need anything special to run, just the usb driver installed and your tab with USB debugging enabled (go to settings -> developer options and check USB debugging.)

    Download:
    http://db.tt/77NSAPDs

    Extract and install the usb driver if needed. Plug your tab in to your pc & double click the .bat file. Check to see if your device id is listed; if it's not, close the window out and check that your device is connected and recognized by Windows (also check that you have the drivers for the tab installed and that USB debugging is enabled).

    If it is listed (should display a series of numbers) press any key to start the rooting scripts. It will load su and busybox to the loop mount for you. Once the script is done you may need to restart the tab and run the .bat file again to be able to write to the looped system (while the loop system is mounted you can modify the build.prop file and other files within /system by going to /data/local/rootme/loop/ but /system itself isn't r/w mounted.)

    This was a pain to get working and it still may not work right, if it does work for you though, you can re-run the .bat file each time you reboot your tab to be able to write to the looped system. Eventually I'll integrate the commands into the install-recovery.bat file along with some sdcard tweaks so you won't have to re-run the bat file after reboot.

    Thanks to eww245 for providing the commands initially (I used a variation of his and ones from the post on the toshiba forums to get this to work).

    3
    I got root using this method. http://forum.xda-developers.com/showpost.php?p=22862959&postcount=306


    I used quick boot app and selected 'Bootloader'. May be useful?

    got this:
    2
    Not sure why the files aren't showing up. Maybe try busybox sync after copying them.

    [edit] I assume you can get root manually and it's just a problem with your script?
    Let me know, hopefully the instructions are all correct now. I updated them several times yesterday.
    Also, there might be an easier way than what I posted, if you find one post it here or shoot me a PM.

    Thanks, I'm having to use a slightly different method since I can't pass arguments through adb shell and mempodroid. It's copying all the files to the tab and executing shell scripts for each step in the process based off a combo of your root method and the one found for the toshiba tab. Hopefully I'll get it figured out soon..
    2
    Thought that might happen, have to get some more ideas.

    [edit] So maybe using 'stop' will help, from adb

    # stop
    # mount -o bind /data/local/tools/loop /system
    # start

    There probably won't be a bootanimation, but if it gets to the lockscreen it should be ok without FCs. If it bootloops just hold in the power button or use the pinhole reset.

    I should just suck it up and upgrade just don't think I'm ready.

    bumping this^ could someone try it.


    Looks like the a500 got rooted with the same method. forum.xda-developers.com/showpost.php?p=22862959&postcount=306 There's one difference with the loop mount. So can someone try this and see if it mounts writable. Just trying to make things simpler, Thanks

    busybox losetup /dev/block/loop7 /dev/block/mmcblk0p3
    mount -t ext4 /dev/block/loop7 /data/local/tools/loop

    Also looks like they ran mempodroid on the tablet, so maybe I can refine it some more.