Rooting the TF300T *without* downgrading (from .29)

miloj

Senior Member
Jun 9, 2012
58
174
Nice
Hello,

I managed to root my TF300 this week-end.

Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.

Long story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://forum.xda-developers.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.

Here is the full guide, and the link to the binaries at the end.

Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs

Of course, there is no guarantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.

Here is now the full guide:

Rooting the Asus Transformer TF300T
===================================

: first, use known method to get write access to the /system partition

Code:
adb push debugfs /data/local/
adb push su /data/local/
adb shell

Code:
$ cd /data/local/
$ mv tmp tmp.back
FOR TRANSFORMER (TF101 TF201 TF300T TF700T) ONLY:
Code:
$ ln -s /dev/block/mmcblk0p1 tmp
$ exit
FOR PADFONE ONLY:
Code:
$ ln -s /dev/block/mmcblk0p21 tmp
$ exit
FOR SAMSUNG GALAXY SII ONLY:
Code:
$ ln -s /dev/block/mmcblk0p9 tmp
$ exit

FOR SAMSUNG GALAXY TAB 2 7" ONLY: (see http://forum.xda-developers.com/showthread.php?t=1791193 thx to Nesquick95)
Code:
$ ln -s /dev/block/platform/omap/omap_hsmmc.1/by-name/FACTORYFS tmp
$ exit

Code:
adb reboot

adb shell

: some cleanup first

Code:
$ cd /data/local

: and now, let's do the dirty work

Code:
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
NOTE: if this is your first attempt, you should see an error message here, simply ignore it
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp
$ exit

: done, let's reboot and get root !

Code:
adb reboot
adb shell
$ /system/xbin/su
# id
id=0(root) gid=0(root) ....
# exit

: cleanup remaining files

Code:
$ rm /data/local/su
$ rm /data/local/debugfs
$ exit

Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.


After installation, or if you previously installed it, open it and check for an update, there should be one available. This will replace the unsecured su binary with the one provided by superuser. Reboot when asked to, and you're done.


And now here is the link for the binaries:

http://db.tt/FBUNeVmo

The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).

Please let me know how it goes for you.

Credits: wolf849 for the symlink exploit ;)

EDIT0: sparkym3 created a tool integrating this procedure. Although it seems to work only on Windows, a "few" users could make use of it :)
Here is the URL:
I have created an automated tool using this root method and am looking for confirmation that it works on a Transformer 300.

http://forum.xda-developers.com/showthread.php?t=1706588

EDIT1: Here are the devices successfully rooted so far:
ASUS TF300T .26 .29 .30
ASUS TF201 .21 .28
ASUS TF101 S/N B70* .24
ASUS PadFone IML74K.CHT_PadFone-9.18.8.41_CHT_9.1.15-0
ASUS TF700T
SAMSUNG Galaxy II ICS 4.0.3
SAMSUNG Galaxy Tab 2 7"

milo
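
An added example (not part of miloj's post or the linked binaries): the `set_inode_field su mode 0106755` step sets the setuid and setgid bits on a root-owned regular file, which is what a defender auditing `/system/xbin` would look for. The Python sketch below decodes such a raw mode and flags setuid/setgid entries in an `ls -l` style listing; the listing, its column layout, the allowlist and the function names are constructed for illustration.

```python
import stat

# Constructed sample in the column layout assumed here:
# perms owner group size date time name. Not captured from a real device.
SAMPLE_LISTING = """\
-rwxr-xr-x root     shell       59760 2012-05-30 10:12 dexdump
-rwsr-sr-x root     root        22364 2012-06-10 18:41 su
-rwxr-sr-x root     net_raw     26056 2012-05-30 10:12 ping
-rwSr-xr-x shell    shell        5392 2012-06-10 18:40 helper
drwxr-xr-x root     root              2012-05-30 10:12 extras
"""

def describe_mode(mode):
    """Split a raw inode mode (as given to set_inode_field) into its parts."""
    return {
        "perms": stat.filemode(mode),
        "regular_file": stat.S_ISREG(mode),
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
    }

def special_bits(perms):
    """Read setuid/setgid from an ls-style string; 's' and 'S' both count."""
    return perms[3] in "sS", perms[6] in "sS"

def audit(listing, allowlist=frozenset()):
    """Return (name, reason) for setuid/setgid regular files not allowlisted."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("-"):
            continue  # skip directories, symlinks and malformed lines
        perms, owner, group, name = fields[0], fields[1], fields[2], fields[-1]
        suid, sgid = special_bits(perms)
        reasons = []
        if suid:
            reasons.append("setuid " + owner)
        if sgid:
            reasons.append("setgid " + group)
        if reasons and name not in allowlist:
            findings.append((name, ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for raw in (0o106755, 0o104755):  # the two modes that appear in the thread
        print(oct(raw), describe_mode(raw))
    for name, reason in audit(SAMPLE_LISTING, allowlist={"ping"}):
        print("review:", name, "-", reason)
```

Any setuid-root entry under `/system` that is not part of the stock image is worth investigating, whatever its file name.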
 

P05TMAN

Senior Member
Aug 15, 2011
399
100
Boulder, CO
Hello,

I managed to root my TF300 this week-end.

Since the method of downgrading to .17, getting root, then waiting for Asus to update it again OTA to .29... was not really satisfying to me, I found a simpler (and hopefully safer) way to do it.

Long story short: instead of getting write access to mmcblk0p4 to write a blob (as in method #2 of http://forum.xda-developers.com/showthread.php?t=1622628), I'm getting write access to mmcblk0p1 to write a single file, with suid perms.

Here is the full guide, and the link to the binaries at the end.

Please be sure to read it until the end, and to understand every line of it. I thus encourage you to read the debugfs manpage here: http://linux.die.net/man/8/debugfs

Of course, there is no guarantee for this to work or to not brick your device, especially if you don't understand what you type, so RTFM twice.

Here is now the full guide:

Rooting the Asus Transformer TF300T
===================================

: first, use known method to get write access to the /system partition

adb push debugfs /data/local/
adb push su /data/local/
adb shell
$ cd /data/local/
$ mv tmp tmp.back
$ ln -s /dev/block/mmcblk0p1 tmp
$ exit
adb reboot

adb shell

: some cleanup first

$ cd /data/local
$ rm /data/local/tmp
$ mv /data/local/tmp.back /data/local/tmp

: and now, let's do the dirty work

$ chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /dev/block/mmcblk0p1
debugfs: cd xbin
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0104755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit

: done, let's reboot and get root !

adb reboot
adb shell
$ /system/xbin/su
# id
id=0(root) gid=0(root) ....
# exit

: cleanup remaining files

$ rm /data/local/su
$ rm /data/local/debugfs

Next step is to install ASAP the superuser app from the market, since my version of su is home-made, and was not designed with security in mind.

And now here is the link for the binaries:

http://db.tt/FBUNeVmo

The source code of su is given, and debugfs was compiled natively from a gentoo chroot inside my Transformer (the first version was cross-compiled but segfaulted now and then).

Please let me know how it goes for you.

Credits: wolf849 for the symlink exploit ;)

milo

If this proves to be successful across multiple users, I may try this out; I'm excited to see how this information pans out.
 

gasingvar

Senior Member
Apr 2, 2008
54
18
Yep. That was me.
In essence I had a locked (can get OTA), not rooted device with .26 WW firmware.
Now I've got a locked (can still get OTA unless Asus changes something), rooted device with .29 WW firmware.
This is the holy grail for tf300t users at the moment.

I'm so happy!
 

miloj

Senior Member
Jun 9, 2012
58
174
Nice
Question: Why weren't you satisfied with downgrading method? I asked because I did the downgrade method and the tf300 has been working fine. :confused:

Because risk was too high in my opinion:

- risk of a brick when injecting the blob into mmcblk0p4 (if the tablet reboots in the middle, I guess you get a 500€ brick)
- risk of not receiving any ASUS OTA (many users have reported this, I didn't want to test it myself)

The procedure was also a bit too complex, between US, DE, DE to WW, and WW blobs.

Also the .17 WW blob is nowhere available.

With my method, there is one risk: the tablet rebooting in the middle of writing into the partition. But I guess that, like any other Linux (or Unix for that matter), the Android boot would run fsck on the partition and get it repaired.

And my method is faster !! :)


gasingvar

Senior Member
Apr 2, 2008
54
18
Confirmed working on US .29!

Edit: Does trying adb remount and failing have anything to do with the root or am I not understanding the adb command?
I didn't try, but if I'm allowed to guess, the debugfs tool doesn't check permissions as rigorously as mount commands (i.e. it's working on a lower level). But that's a guess. Another guess would be that dd'ing the su binary would have worked, but then you probably wouldn't have been able to set the correct permissions on the su binary.

Question: Why weren't you satisfied with downgrading method? I asked because I did the downgrade method and the tf300 has been working fine. :confused:
The downgrade method doesn't work with OTAs on .WW firmware. This is the only way at the moment if you're > .17 WW or on .17 DE.

It may even work on *many* more devices (but that's another guess).
 

phigafr

Senior Member
Jun 12, 2009
93
3
A great great thanks from an almost noob... My TF201 unlocked (!) .21 is now rooted!!


Didn't notice you were French too!
 

Niggy86

Member
Jun 5, 2009
8
2
A great thanks from me, too!

I have one question: After doing all steps, my tablet is rooted. But the SuperUser App doesn't ask me to allow the apps. In the SU-App from the Market I don't see any App allowed, but every app which needs root works in root mode without asking.
Did I do something wrong?

Thanks a lot,

Niggy
 

gasingvar

Senior Member
Apr 2, 2008
54
18
A great thanks from me, too!

I have one question: After doing all steps, my tablet is rooted. But the SuperUser App doesn't ask me to allow the apps. In the SU-App from the Market I don't see any App allowed, but every app which needs root works in root mode without asking.
Did I do something wrong?

Thanks a lot,

Niggy
You need to install superuser from market and reinstall the su binary.
As soon as possible.
 

darkuni

Senior Member
Sep 12, 2010
378
75
At the risk of getting torched ... :)

Is there a Windows version of debugfs? I'm assuming this is to be done under Linux.

Any Windows equivalents?

Thanks :)
 

Top Liked Posts

    3
    My question is how you find out the magic number:

    I found it with the mount command, that's the device name from which /system is mounted.

    You can send me the result of the mount command if you need help.

    EDIT: maybe root explorer only shows files on which you have read access. Try doing in a console (from adb, or ConnectBot, or Terminal IDE):

    $ ls -al /dev/block
    2
    FYI, there was one success in this thread: http://forum.xda-developers.com/showthread.php?t=1688994 where I originally posted.

    milo
    2
    You should rewrite your OP and use this tool on the message menu # (go advanced) and separate different parts of your script.
    And if you find a way to build an automatic script or tool, it will be excellent ;)

    like this :
    Code:
    adb push debugfs /data/local/
    adb push su /data/local/
    adb shell
    $ cd /data/local/
    $ mv tmp tmp.back
    $ ln -s /dev/block/mmcblk0p1 tmp
    $ exit
    adb reboot