• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Rooting the Tattoo(its done!) - what we have got so far

Search This thread

-bm-

Senior Member
Jun 12, 2005
75
0
Finally the race is over and some brave devs managed to get root on the tattoo and some were able to reproduce it on their own devices already. But notice: We are in an early stage of development. There is no one-klick-get-root app at the moment and there is still much work to be done until we get custom roms.
I will try to keep track of the ongoing development and update this post periodically. I've you find a mistake or get something new, let us know but we can't give support to every linux-nob at this point of development!
At the moment beeing root on the tattoo does NOT enable you to use the usual applications like Wifi Tethering that need root out of the box. You are also unable to write to /system by default. Now there is a new hack to make /system writable (look at the bottom of this post)

[size=+2]Status[/size]
Last update: 26.02.2010 - 12:55 MEZ


[size=+1]Rooting[/size]
The tattoo was successfully rooted the first time on 19.02.2010 ( http://forum.xda-developers.com/showpost.php?p=5672597&postcount=93 ). It was reproduced by some other users already, there is some work to be done make the exploit work more easily.
Because it has been asked many times: If there will ever be an OFFICIAL update with android 2.1 by HTC for the Tattoo (nobody knows definitively), this root-exploit will NOT work! You will lose root then!

It was done by porting this exploit http://www.milw0rm.com/exploits/8678 to the arm plattform and the tattoo. It uses a security hole in kernel 2.6.29 that wasn't patched in tattoos kernel. All began here on 10.2.2010 (the first post doesn't has to do anything with this): http://forum.xda-developers.com/showthread.php?t=631540
Kudos to zanfur, bftb0, mainfram3, HT123 and others (sorry if I forgot an important one).
The exploit was tweaked to deliver root more reliable.


[size=+1]Flashing custom roms[/size]
To develop custom roms won't be the problem, but the tattoo has got some extra security mechanisms that don't make it trivial to flash a new rom even now we have root. There is work going on to solve this.


[size=+1]Howto get root-privileges[/size]
I think it is save to follow but this is done at your own risk. Don't blame me if you Tattoo explodes, eats your hamster or make your girlfriend leave you.
Remember: We're in an early state of development, this is no Klick-an-Run-app, linux knowledge is needed.
Newbis on Windows should follow this howto made by Coburn64, its much easier than this one: http://forum.xda-developers.com/showthread.php?t=637927

Download this to your PC and unzip: View attachment 285070
(the older release was called m6 and can be found here: View attachment r00t.zip)
m7 is the binary. Push m7 to your Tattoo using adb:
Code:
adb push m7 /data/local/bin/m7
adb chmod 755 /data/local/bin/m7

Start a shell:
Code:
adb shell

Start the exploit in the shell:
Code:
cd /data/local/bin
while `true` ; do /data/local/bin/m7; done

The new m7 is an improved version of the old m6, it now should bring you root much more reliable.
With the old m6 while it is running, bring up and close random apps via task manager on the tattoo. This might not be necessary with m7. After a while the exploit should report success and come up with a root-shell. The promt should change from
Code:
$
to
Code:
#

Sometime the exploit stopps but no shell ('#') comes up. Just terminate it with ^C and try again.

You did it, you should be root now!
Let's set some variables:
Code:
export LD_LIBRARY_PATH=/system/lib
export PATH=/system/bin

When you got your shell, check if you are really root:
Code:
id

You should get something like this:
Code:
# id
uid=0(root) gid=1000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
uid=0(root) is important.

To get a root-shell more easily next time, we have to make su work.

Take this su binary and push it in your tatto: http://www.fileuploadx.de/45656
Code:
adb push su /data/local/bin/su

Remount /data without the nosuid-option
Code:
# mount -o rw,remount /dev/block/mtdblock3 /data

Change the owner to root and set the suid-bit
Code:
# chown root.root /data/local/bin/su
# chmod 4755 /data/local/bin/su


Now you don't have to run the exploit again, just open a normal shell and run
Code:
$ /data/local/bin/su
Now you should be root!
Attention: If you reboot your phone, you have to run the exploit and the mount command again because /data will be mounted nosuid again!

Thats it!

Some suggestions for going on. When you run mount, you will see that some partitions are mounted read-only and/or with the nosuid-option. You can change this by running:
Code:
mount -o rw,remount /dev/block/mtdblockYOUWANT /DIRtoREMOUNT

[size=+2]Other developer stuff[/size]
Here I will list all other thinks, more dangerous and not with all steps described in detail because you should know how to do this if you want to :)

New: Make /system writeable
This is a dangerous part, it might break you system forever unless you don't know what you are doing! Don't try it unless you are a dev! That is the reason why the steps you have to do are not described in a more detailed way. If you don't know what to type in, you shouldn't try this hack!

Download View attachment 286072
1. Copy tattoo-hack.ko from the zip to /data/local/bin
2. # insmod /data/local/bin/tattoo-hack.ko
3. Remount system partition to be writeable

Now you can do everything with /system until you reboot. /system is the only partition that is mounted without nosuid after reboot, so copy su over to /system/bin/ to keep root permanently. To be able to use programs like setcpu you have to replace /system/bin/su with this su:
View attachment 286154


Flashing a custom recovery image
This is in alpha-state but we are able to flash custom recovery images what is the determining step to flashing custom roms. Don't ask how to flash android 2.x (we didn't do it right now) or when it will be ready. It will bes sometimes...
http://forum.xda-developers.com/showthread.php?t=639486


Have a lot of fun!
-bm-
 
Last edited:

elvisior

Member
Feb 19, 2010
12
0
BTW.. In order for /data/local/bin to exist it's probably best you do the busybox install to there first.. also the busybox commands are very handy.
 

-bm-

Senior Member
Jun 12, 2005
75
0
BTW.. In order for /data/local/bin to exist it's probably best you do the busybox install to there first.. also the busybox commands are very handy.

Youre right, busybox makes further development more handy. But I think it isn't needed for /data/local/bin to exist, because for me it was there and I've got no busybox on my tattoo :)
 

-bm-

Senior Member
Jun 12, 2005
75
0
stupid noobie question how Push m6 to your Tattoo using adb! can anyone possible make a noobie tutorial?!

Hi zoko!
Please use google to find a tutorial for pushing files using adb, there are many out there and using adb is not tattoo-specific!
We don't have time to provide more service at the moment ;-)

By the way: I'm happy about everybody testing, but I wonder what you want to do with a root-shell I you even didn't use adb before. But learning and trying is always a good thing but please consider learning by googling also ;-)

Have a lot of fun!
-bm-
 

shtefand

Member
Feb 12, 2010
10
0
after i run the exploit once I have to reboot the phone to be able run it again or i get
HTML:
$ usage: reboot [-n] [-p] [rebootcommand]
.

any option to be able to run it more than once without rebooting the phone?
 

mainfram3

Senior Member
Mar 5, 2006
184
3
The Tattoo Root (kit)

Here's a small installation batch, to make it easier for everyone.

Download the supplied zip (TattooRoot).
Run 'install-tattoo-root'.

Code:
--------------------------------------------------
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
300 KB/s (5546 bytes in 0.018s)
1366 KB/s (356916 bytes in 0.255s)
9 KB/s (126 bytes in 0.013s)
--------------------------------------------------
M6 exploit (shoryuken derived with ARM shellcode from Zanfur)
installed to /data/local/bin


STEP 1:
Launch adb shell at the command prompt
Once in a shell type:
while `true` ; do /data/local/bin/m6; done

The exploit has succeded once you get a root prompt (indicated by #)
Retry the while loop above, until you get the root prompt


STEP 2:
Run /data/local/bin/create_su.sh to create a
suid shell in /data/local/bin/su

I think the comments are self-explanatory. If you can't get the m6 into your Tattoo, even with the help of this batch, I suggest you wait a little longer for a more foolproof way to free your Tattoo :)

Everytime you reboot your Tattoo you'll have to execute steps 1 and 2 again.
 

Attachments

  • TatooRoot.zip
    938.7 KB · Views: 871

chusen

Senior Member
Dec 20, 2009
76
0
@mainfram3 i dont get same results

Code:
--------------------------------------------------
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
300 KB/s (5546 bytes in 0.018s)
1366 KB/s (356916 bytes in 0.255s)
9 KB/s (126 bytes in 0.013s)
--------------------------------------------------
M6 exploit (shoryuken derived with ARM shellcode from Zanfur)
installed to /data/local/bin


STEP 1:
Launch adb shell at the command prompt
Once in a shell type:
while `true` ; do /data/local/bin/m6; done

The exploit has succeded once you get a root prompt (indicated by #)
Retry the while loop above, until you get the root prompt


STEP 2:
Run /data/local/bin/create_su.sh to create a
suid shell in /data/local/bin/su
i get
Code:
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
34 KB/s (5546 bytes in 0.156s)
796 KB/s (356916 bytes in 0.437s)
7 KB/s (126 bytes in 0.015s)
--------------------------------------------------

where are my error?
 

mainfram3

Senior Member
Mar 5, 2006
184
3
i get
Code:
Creating /data/local/bin (it's ok to get an error)
mkdir failed for /data/local/bin, File exists
34 KB/s (5546 bytes in 0.156s)
796 KB/s (356916 bytes in 0.437s)
7 KB/s (126 bytes in 0.015s)
--------------------------------------------------

where are my error?

Chusen,

That is allright.

Now, launch a adb shell by typing
Code:
adb shell
and then try the exploit
Code:
$ while `true` ; do /data/local/bin/m6; done

until your greeted with:
Code:
[ Overwritten 0xb0000100
#                                  <---- This # indicates you got root