Root TF300TG with JB 4.1.1 and bootloader locked

bads3ctor

Senior Member
Dec 23, 2011
My adventures in trying to root locked TF300 JB 4.1.1

I'm posting this information in the hope that it might be helpful in future attempts at rooting locked TF300 running Jelly Bean. My approach is to modify this: http://forum.xda-developers.com/showpost.php?p=31545627&postcount=1 and this: http://forum.xda-developers.com/showthread.php?t=1894717.

Briefly, this is my understanding of this exploit (please correct me if I am wrong):
By spamming this: ln -s /data/local.prop /data/data/com.android.settings/a/file99 while an adb restore is in progress, when file99 gets written it overwrites /data/local.prop with the contents of file99, which contains the magic ro.kernel.qemu=1, and on reboot adb shell has root.

Now the problem with the TF300 is that the backup fails to write the contents of fakebackup.ab to /data/data/com.android.settings/a/. Using this: http://forum.xda-developers.com/showthread.php?t=1730309 I am able to decompress fakebackup.ab and look into the resulting tar file.

Running the "exploit" on my TF300 results in only one file of zero length being written to /data/data/com.android.settings/a/: file44. By running tar -tvf fakebackup.tar on the decompressed backup, the first physical file in fakebackup.tar is file44.

What I believe is happening is that the TF300 backup locks up while trying to write the first file in fakebackup.ab. The result is this: /data/data/com.android.settings is erased in preparation for the restore, file44 is written but fails, the backup locks up and you are left with full write permissions to /data/data/com.android.settings/a/. I have confirmed full write permissions to /data/data/com.android.settings/a/ so this might be helpful in future exploits.

I have tried to modify fakebackup.ab to write any file to /data/data/com.android.settings/a/ or some other location in /data/data/com.android.settings to get /data/local.prop overwritten with no success so far. I have managed to overwrite /data/local.prop with file44 but all that gets me is a zero length /data/local.prop. :mad:

Edit: Another side effect of having write permissions to /data/data/com.android.settings/a is this: ln -s / /data/data/com.android.settings/a/somefilename and then doing an adb backup com.android.settings gets you a huge .ab file with interesting files in it.
__________________________________________________________________________________________________

Edit2: I have write access now to /data on locked TF300 Jelly Bean 4.1.1 and this: echo "ro.kernel.qemu=1" > /data/local.prop works. Problem is... upon reboot, no root shell. To get write access to /data and any other system directory or file on /data, do this:

In a terminal window: adb shell "while ! ln -s /data /data/data/com.android.settings/a/data50; do :; done"
in another terminal window: adb restore fakebackup.ab

Go to your TF300 and restore the backup. You should see the command in terminal window 1 complete. You now have write permissions to /data. To get write permissions to other files or directories in /data, just change the ln -s /data part of the spam command to point to that file or directory.
 

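The symlink race the post above relies on, as an added example written for this page rather than code from the thread or from the linked exploits: a local Python simulation of a restore that erases and recreates an app directory and then writes an entry into it, with the attacker's ln -s modelled as a callback fired inside the window. It shows why the restore's write lands on /data/local.prop (a temporary file stands in for it here) and the one-flag fix, O_NOFOLLOW, that turns the same race into a failed open. The directory and file names and the explicit window hook are assumptions made for the simulation; on the device the window is won by timing, which is why the thread loops ln -s until it succeeds.

```python
"""Symlink race during a file restore, simulated locally.

Added example, not code from the xda thread or from the fakebackup tooling
it links. The restore wipes and recreates the app directory, then opens
file99 inside it. A plain open() follows a symlink already sitting at that
name, so the restore's bytes land on the link target (a stand-in for
/data/local.prop). The `window` callback replaces the timing a real attacker
has to win. The hardened variant uses O_NOFOLLOW (POSIX only).
"""
import errno
import os
import shutil
import tempfile


def restore_entry(app_dir, name, payload, window=None, follow_symlinks=True):
    """Simulated restore of one backup entry into app_dir.

    Same sequence the post observed: directory erased in preparation for the
    restore, recreated, then the entry written. `window` runs between mkdir
    and open(): the attacker's turn. Returns the real path that got the bytes.
    """
    if os.path.lexists(app_dir):
        shutil.rmtree(app_dir)          # removes planted symlinks without following them
    os.mkdir(app_dir)
    if window is not None:
        window()
    path = os.path.join(app_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    if not follow_symlinks:
        flags |= os.O_NOFOLLOW          # refuse a symlink as the final path component
    fd = os.open(path, flags, 0o600)    # default: a symlink at `path` is silently followed
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return os.path.realpath(path)


def plant_symlink(app_dir, name, target):
    """What `ln -s target app_dir/name` does when it wins the race."""
    os.symlink(target, os.path.join(app_dir, name))


def run_demo():
    """Run the vulnerable and the hardened restore; report what happened to local.prop."""
    root = tempfile.mkdtemp(prefix="abrace-")
    try:
        app_dir = os.path.join(root, "settings_a")        # stand-in for /data/data/com.android.settings/a
        local_prop = os.path.join(root, "local.prop")     # stand-in for /data/local.prop
        payload = b"ro.kernel.qemu=1\n"
        attack = lambda: plant_symlink(app_dir, "file99", local_prop)

        # 1. Vulnerable restore: the symlink is followed, local.prop receives the payload.
        written = restore_entry(app_dir, "file99", payload, window=attack)
        with open(local_prop, "rb") as f:
            hijacked = written == os.path.realpath(local_prop) and f.read() == payload

        # 2. Hardened restore: same race, but O_NOFOLLOW fails with ELOOP and nothing is written.
        os.unlink(local_prop)
        blocked = False
        try:
            restore_entry(app_dir, "file99", payload, window=attack, follow_symlinks=False)
        except OSError as e:
            blocked = e.errno == errno.ELOOP
        return {"hijacked": hijacked, "blocked": blocked,
                "local_prop_created": os.path.exists(local_prop)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

On Linux, run_demo() returns {'hijacked': True, 'blocked': True, 'local_prop_created': False}: the unmodified open() follows the planted link and writes the payload into the stand-in local.prop, while the O_NOFOLLOW open fails before anything is written.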

ebildude123

Senior Member
Nov 25, 2012
Damn, nice job. Write a full guide on rooting with this please? :p

Sent from my ASUS Transformer Pad TF300T using Tapatalk 2
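bads3ctor's first post works with fakebackup.ab by unpacking it to a tar and reading the entry order with tar -tvf, and notes that the restore only ever touched the first physical entry. The following is an added example, not code from the thread, from the unpacker it links or from the fakebackup.ab it modifies: a small Python module for the .ab container format, which is a four-line text header followed by a tar stream that is zlib-deflated when the header says so. It assumes backup version 1 for the Jelly Bean era and the apps/<package>/a/<name> entry layout matching where the thread saw files land; it does not generate the apps/<package>/_manifest entry the restore side reads first, so it is for inspecting and reordering archives rather than producing a ready-to-restore one.

```python
"""Build and inspect Android `adb backup` (.ab) containers.

Added example; not code from the xda thread or the tools it links.
Container layout (assumed version 1, unencrypted):

    ANDROID BACKUP\n<version>\n<1 if compressed else 0>\nnone\n<tar, zlib-deflated if compressed>

Entry paths follow apps/<package>/<domain>/<name>. The restore walks the tar
in physical order, which is why the first entry matters in the thread.
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def build_ab(entries, package="com.android.settings", domain="a",
             version=1, compress=True):
    """entries: list of (name, bytes) in the order they should appear in the tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in entries:
            info = tarfile.TarInfo(f"apps/{package}/{domain}/{name}")
            info.size = len(data)
            info.mode = 0o600
            tar.addfile(info, io.BytesIO(data))
    payload = buf.getvalue()
    if compress:
        payload = zlib.compress(payload)   # zlib-wrapped deflate, what java.util.zip.Inflater reads
    header = MAGIC + f"{version}\n{1 if compress else 0}\nnone\n".encode()
    return header + payload


def parse_ab(blob):
    """Split an .ab into (header dict, raw tar bytes). Unencrypted archives only."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    parts = blob.split(b"\n", 4)           # magic, version, compressed, encryption, payload
    if len(parts) != 5:
        raise ValueError("truncated header")
    _, version, compressed, encryption, payload = parts
    hdr = {"version": int(version), "compressed": compressed == b"1",
           "encryption": encryption.decode("ascii")}
    if hdr["encryption"] != "none":
        raise ValueError("encrypted backup; password-based unwrapping is not handled here")
    tar_bytes = zlib.decompress(payload) if hdr["compressed"] else payload
    return hdr, tar_bytes


def list_entries(tar_bytes):
    """[(name, size)] in physical order: what `tar -tvf` on the unpacked file shows."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [(m.name, m.size) for m in tar.getmembers()]


def move_first(tar_bytes, name):
    """Rewrite the tar so the entry named `name` is physically first; others keep their order."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as src:
        members = [(m, src.extractfile(m).read() if m.isfile() else None)
                   for m in src.getmembers()]
    members.sort(key=lambda mb: 0 if mb[0].name.endswith("/" + name) else 1)  # stable sort
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.USTAR_FORMAT) as dst:
        for m, data in members:
            dst.addfile(m, io.BytesIO(data) if data is not None else None)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: a zero-length file44 first, then a file99 carrying the property line.
    blob = build_ab([("file44", b""), ("file99", b"ro.kernel.qemu=1\n")])
    hdr, tar_bytes = parse_ab(blob)
    print(hdr, list_entries(tar_bytes))
    print(list_entries(move_first(tar_bytes, "file99"))[0])
```

parse_ab rejects encrypted archives rather than guessing at the key derivation; on the archives in this thread the encryption line is "none", so the payload is plain zlib and the listing matches what tar -tvf reports after the linked unpacker has done the same decompression.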
 

bads3ctor

Senior Member
Dec 23, 2011
Try replacing /data with /system/bin?
Then pushing su over?
Idk lol :C
System partition is mounted read only so that won't work. I know why now... adbd is running as "shell" instead of "root":
shell 166 1 4460 0 ffffffff 00000000 S /sbin/adbd :(

Looks like Asus does not allow Android on the TF300 to run in emulator mode. That's my guess as to why echo "ro.kernel.qemu=1" > /data/local.prop does not work.
 

txdroid_user

Member
Jul 2, 2011
System partition is mounted read only so that won't work. I know why now... adbd is running as "shell" instead of "root":
shell 166 1 4460 0 ffffffff 00000000 S /sbin/adbd :(

Looks like Asus does not allow Android on the TF300 to run in emulator mode. That's my guess as to why echo "ro.kernel.qemu=1" > /data/local.prop does not work.
I'm a complete rookie when it comes to this, but is it possible to use the downloaded stock ROM, modify it and change those permissions?
 

ebildude123

Senior Member
Nov 25, 2012
System partition is mounted read only so that won't work. I know why now... adbd is running as "shell" instead of "root":
shell 166 1 4460 0 ffffffff 00000000 S /sbin/adbd :(

Looks like Asus does not allow Android on the TF300 to run in emulator mode. That's my guess as to why echo "ro.kernel.qemu=1" > /data/local.prop does not work.
Is /data/local.prop being created successfully?

Also, tried this? http://forum.xda-developers.com/showthread.php?t=1892002
 

bads3ctor

Senior Member
Dec 23, 2011
Is /data/local.prop being created successfully?

Also, tried this? http://forum.xda-developers.com/showthread.php?t=1892002
I have tried the qemu hack which is supposed to get Android to boot into emulator mode. /data/local.prop is being created properly but upon reboot, my TF300 is not in emulator mode and no root adb prompt.

I have also done the debugfs hack to get rights to /dev/block/mmcblk0p1 by modifying this:
http://forum.xda-developers.com/showthread.php?t=1704209

No love there either. Both must have been patched by Asus. Some devs have been saying that a locked TF300 can't be rooted, but my understanding is that the bootloader and kernel are signed, preventing a hack on those two areas, but /system should be able to be remounted rw and su copied to /system/xbin as long as we can find a way to root this pos.

Edit: Here is my post on the debugfs thread: http://forum.xda-developers.com/showpost.php?p=35395926&postcount=505
 

bads3ctor

Senior Member
Dec 23, 2011
Bump, any progress? :p :D
Well... confidentially... just between you and me... :silly: ... I returned my $279 + tax ($298) TF300T to BB (Black Friday deal) and bought a red TF300T from clearance.bestbuy.com for $250 + tax ($267) :cool: ... hoping that it comes with ICS instead of JB and I will be golden! I receive it in 2 days. If that happens... then I will root it, protect root the normal way, upgrade to JB... restore root and I'm done. Lazy a$$ way of rooting this tablet.

If it has JB on it... :(:mad: ... then it's back to the salt mines of trying more exploits or creating some of my own.

Edit: Too bad it's not a newer Samsung device with an Exynos 4 in it... WOW... what a thread that is: http://forum.xda-developers.com/showthread.php?t=2048511. I have never read anything like it. Some SERIOUS devs posting there!

Edit2: Sorry everyone... I received my new red TF300 and it has ICS on it! I can still try some exploits after I upgrade to Jelly Bean if anyone wants me to. I know that debugfs fails and so does the local.prop hack on locked Jelly Bean. I have searched for other /data hacks and have found no more... post a link here for any other hacks that leverage write access to /data to get root and I will try them.
 

ccb1208

Senior Member
Jan 23, 2011
Do we have any other talented developers working on this? :)
I was able to downgrade to root my tablet, only to realize I was no longer receiving OTA updates once that was complete. I read that some users had success by waiting for more than a week for updates to start coming again, but I would hardly call that success. Plus, I had downgraded to a firmware that my tablet hadn't even shipped with, so I figured that's why I was having trouble receiving the update. I decided to apply a minor upgrade manually (knowing it would break root) so I could see if I got updates on the new firmware and, once confirmed, I would downgrade again and root and wait patiently. (I was bored)
Problem is, I upgraded to a jelly bean (4.1) build not knowing that was the point of no return. :(

Current status:
-no way to downgrade
-still not receiving updates from asus
-no root :(

I am this close to returning this stupid device and getting a nexus 10. If anyone can provide me any assistance with this, it would be greatly appreciated.

P.S. Unlocking the bootloader is not an option for me
 

ch3mn3y

Senior Member
Sep 11, 2011
Seaside Voivodeships
www.xperiasite.pl
Re: Root TF300TG with JB 4.1.1 and bootloader locked

You can't root when you are on bootloader version 10+ (4.1 or 4.2) on a locked bootloader. And if you have not got an update, maybe there is no update for your version of the TF300? However, you can wait until there is a .blob file available to download on the ASUS TF300T download site. Then it will be possible to do a "force update" by putting it on /sdcard.

Sent using tf300t - stock 4.2.1
 

aerdely

Senior Member
May 8, 2010
You can't root when you are on bootloader version 10+ (4.1 or 4.2) on a locked bootloader. And if you have not got an update, maybe there is no update for your version of the TF300? However, you can wait until there is a .blob file available to download on the ASUS TF300T download site. Then it will be possible to do a "force update" by putting it on /sdcard.

Sent using tf300t - stock 4.2.1
It just became available.

http://support.asus.com/download.as...rmer+Pad+TF300T&os=&hashedid=8BmzkQ4yoz5WzBrW


Sent from my ASUS Transformer Pad TF300T using xda app-developers app