[advice needed] ADB ROOT - HTC 10 Questions & Answers

Let me start by first saying that "adb root" is not related to, or the same thing as, running adb shell and then su. adb root is a way to run adb directly in root mode, enabling you to push/pull files directly to /system or other write-protected directories. So please, let's not get into the whole "just copy to sdcard, mount system and cp the file with adb shell." This is not what I am trying to accomplish. Now that that's out of the way, here is my situation. HTC10 Viper 4.4.0 US unlocked firmware. Generally speaking, in the past you could modify the boot.img, edit default.prop to set ro.debuggable=1 and/or ro.secure=0, repack and flash. Problem solved. This does not seem to be the case now, with this device. I also tried compiling adbd from AOSP source, modified to ignore ro.secure etc., packed it in the boot.img and reflashed. I get the same results. I get a message on boot about slow charging, and debugging mode is not running on the phone. Tried stopping and starting it, same thing. Can anyone please help me figure out what is going on? I assume HTC has some built-in security check that disallows this modification, but I'm not sure. Thank you in advance.

Related

adb remount: operation not permitted

I've been trying to fix this problem for a long while, especially since I would like to install busybox on my Hero. I currently have root access (as can be seen through root explorer), and I have no trouble flashing to custom roms and things like that, but when on the base, rooted HTC Hero it seems the only command that doesn't work in the console is 'adb remount'.
The only time I have ever had it work was when I stumbled upon a guide on how to do it (I have since lost the link), but there was something in the update.zip file included with the guide that completely disabled wifi and left GPS perpetually on, which to me is not worth it just to have remount access.
I know mostly everyone on this forum has no trouble getting remount access, since every thread seems to use it, but how do I get access?
Thank you!
I'm having the same problem, albeit on a Sprint Hero. I'm definitely rooted. I flashed multiple ROMs before using a Nand backup to revert to stock... and since then I've used shell to uninstall some stock apps. But I get 'permission denied' any time I try the remount command. It's frustrating.
Did you modify your boot.img file so that ro.secure is now = 0?
On GSM Hero, you need to do that if you want to use ADB in root mode. I don't know exactly what would need to be done on your CDMA phone, but on the GSM, you need to extract the boot.img ramdisk, and then edit init.rc (see http://forum.xda-developers.com/showthread.php?t=443041&page=2)
Try running this command:
Code:
getprop ro.secure
and see if you get a 1 or a 0. If it's a 1, then ADB should not see the device as rooted, so find out about editing the boot.img file. If a 0, I don't know what's going on.

hosts file and /system related

So I decided to fumble around a bit with my Incredible. I read about the hosts file for blocking ads here and noticed that I would get permission denied errors; then, when I had the phone with the screen on and did adb shell from a command prompt, I got the Superuser permissions screen on my device.
Now I was able to run the mount commands successfully, and as far as testing goes I was able to do mv /etc/hosts /etc/oldmaid and it took. However, when I try to mv the other hosts file I get an error about a cross-linked device. So I try doing a cat /sdcard/hosts.for.mobile.txt > /etc/hosts and get an error about the device not having sufficient space.
Anyone have any input on this? I know a cooked rom will already have this hosts file in it, but i'm trying to see if i can't get it going now.
Thanks!
I do not have one yet but what commands are available? Can you "locate hosts" or "find / -name hosts"
nm try this file "/system/etc/hosts" <-- stated in xda forums 3772987&postcount=5 Hope this is what you were looking for.
You are getting that error due to the fact that nand protection is still enabled. We need to flash a boot image with ro.secure=0 to be able to write to everything in /system.
ihtfp69 said:
You are getting that error due to the fact that nand protection is still enabled. We need to flash a boot image with ro.secure=0 to be able to write to everything in /system.
Ah, that would explain it. Thanks for the info!

[MOD][HOW TO]Make your favorite kernel adbd insecure to run ADB as root on /system

Note: Found out there is one small problem with this mode - "adb logcat" is not working. As a workaround run "adb shell su -c logcat"
The Problem:
I am a heavy ADB user (QtADB) and was having problems getting it to mount /system rw and pushing/editing files in real time. Had no problems doing all this by mounting /system in recovery but rebooting the phone just to make some system files changes is kind of inconvenient. So I did some research and found this:
HEXcube said:
The real reason behind adb root or insecure adb is the adb daemon in the device running with root permissions. In pre-Android 4.1 versions, this is usually decided by some initialisation script (like init.rc) at boot time. The script checks for values in default.prop, local.prop and other environment variables.
If it finds a build.prop, default.prop or local.prop property file with ro.secure=0, adbd is allowed to run as root. You'll get adb root and hence will be able to run commands like adb remount and adb root, and adb shell's prompt will be # by default. The user may be displayed as [email protected] or [email protected]. adb GUIs like Android Commander and QtADB will get to work in Root mode.
But if it's ro.secure=1, the adb daemon is made to work in secure mode, and adb won't change to root mode on issuing the adb root command. However, if the su binary is present in $PATH, you can still call the su command from adb shell. But that's not enough for Android Commander to get Root Access. It is possible to attain adb root through any one of the following methods:
1. For CyanogenMod based ROMs there is an option in Settings->Developer Settings->Root access to control root access. Choose ADB only or Apps and ADB in the options to get adb root.
2. Else use the adbd Insecure app by Chainfire if you have a rooted device. This is useful, especially for Android 4.1+ devices.
3. Or, you may manually edit default.prop to set its value to 0, but the original default.prop will be restored from the boot partition every time you reboot (this is the reason why adbd Insecure cannot permanently do adb root, though there is an option to repeat the rooting procedure every time the device boots). This method is called temporary adb root. On pre-Android 4.0 ROMs the default.prop file was located in the / directory. I read that from Android 4.x this file is in the ramdisk and so more difficult to edit. But Android 4.0 has local.prop which is easier to modify than default.prop (see method 5).
4. For permanent adb root, you'll have to extract boot.img, change default.prop, repack and then flash it back to the device.
5. In Android 4.0 there's a local.prop file in the /data partition. Setting ro.secure=0 in this file will do adb root permanently. Else you can set another property, ro.kernel.qemu=1, in the same file. But this value makes the system think that it is running in an Android emulator. Many exploits and root methods set this property temporarily to gain root. But it may cause side effects if used permanently. Setting ro.secure=0 is recommended. Do this command in a terminal app or adb shell:
echo ro.secure=0 >/data/local.prop
or you can manually copy a local.prop file with ro.secure=0 as its content to /data.
6. Note that methods 3, 4 and 5 won't work from Android 4.0 Jelly Bean onwards. According to Dan Rosenberg (drjbliss on XDA), the researcher who discovered the adb root emulator exploit and many other exploits, Jelly Bean doesn't parse any property files to set the ownership of the adb daemon. The stock adbd will have to be replaced with an insecure one to gain adb root. But still, as adbd is located in /sbin, whose contents are reloaded every time on reboot from boot.img, it won't be permanent.
7. For permanent adb root, you may flash an insecure boot.img (one that contains an insecure adbd).
8. If you're really desperate and can't get adb root to work with any of the above methods, use an exploit. Most of the adb based rooting methods utilise some exploit to make the adb daemon run as root. By studying the exploit and implementing it you could gain adb root at least temporarily. I'm not recommending this method but as a last resort you could try them.
Acknowledgements: Thanks to Dan Rosenberg for explaining the reasons behind adb root, especially the one in Jelly Bean.
Original thread: Can't get ADB Root Access in certain ROMs?
So I decided to modify my favorite kernel img and give it a try. I used Imoseyon's leanKernel but it should work with any kernel.
How To:
1. Get Android Image Kitchen and extract it to your PC;
2. Open your_favorite_kernel.zip with 7zip and extract boot.img file to Android Image Kitchen folder;
3. Drag and Drop boot.img over unpackimg.bat. Kernel is unpacked and you will see 2 new folders - ramdisk and split_img;
4. Go to ramdisk folder and open default.prop file with text editor. This probably is not necessary but just in case change ro.secure and ro.adb.secure to 0 (zero):
Code:
ro.secure=0
ro.adb.secure=0
5. Get Chainfire's adbd Insecure v1.30, open it with 7zip, in assets folder you will see 3 .png files. Extract adbd.17.png to ramdisk\sbin folder;
6. Delete original kernel adbd file and rename adbd.17.png to adbd;
7. Go back to the Android Image Kitchen folder and run repackimg.bat by just clicking on it. This will repack the modified kernel to an image-new.img file ready for flashing;
8. Rename image-new.img to boot.img and replace the original one in your_favorite_kernel.zip by Drag and Drop in 7zip window;
9. Close 7zip, copy modified your_favorite_kernel.zip to /sdcard and flash it in recovery.
10. Enjoy ADB full root access for /system;
Warnings:
I can't guarantee 100% success with this mod. I did this only with leanKernel and it works great. I haven't tried any other kernels so I am not sure how all this will end up. IT CAN SOFT BRICK YOUR PHONE!!! Keep a copy of the original kernel on your /sdcard!!!
While trying to find the correct tools for a proper repack of the modified kernel, I sometimes ended up with the phone not booting to Android, going straight to download mode. Don't panic... Just remove the battery, place it back, and hold Volume Up + Home + Power buttons to boot to recovery. Flash the original kernel and you are back all good.
The usual stuff:
I AM NOT RESPONSIBLE FOR ANYTHING ... bla-bla-bla...
All the credit goes to the developers who created the great tools used for this mod.
If you think it's useful feel free to say thanks to THEM and me.
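As an added check that is not part of this thread (it is my own script, not nijel8's or HEXcube's, and it is the same check the Hero thread above suggests with getprop ro.secure), here is the property rule the quoted post describes written out as code: the decision stock adbd makes in Android 4.x (adb.c) from ro.kernel.qemu, ro.secure, ro.debuggable and service.adb.root, plus a wrapper that reads those properties off a connected device and compares the prediction with what `adb shell id` actually reports. The function names are mine and `adb` is assumed to be in PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. It models the property check that
# stock adbd performs when deciding whether to keep running as root (the
# should_drop_privileges logic in Android 4.x adb.c), and wraps it in a small
# device check so you can see *why* a build refuses "adb root". The function
# names are my own.

# adbd_keeps_root RO_SECURE RO_DEBUGGABLE SERVICE_ADB_ROOT RO_KERNEL_QEMU
# Mirrors the stock decision order:
#   1. ro.kernel.qemu=1 (emulator)                    -> root
#   2. ro.secure is anything other than "1"           -> root
#   3. ro.secure=1, but ro.debuggable=1 and
#      service.adb.root=1 (set by "adb root")         -> root
#   4. otherwise                                      -> drop to the shell uid
# Prints "root" or "shell".
adbd_keeps_root() {
    ro_secure="${1:-1}"          # stock default when the property is unset
    ro_debuggable="${2:-}"
    service_adb_root="${3:-}"
    ro_kernel_qemu="${4:-}"

    if [ "$ro_kernel_qemu" = "1" ]; then
        echo root
    elif [ "$ro_secure" != "1" ]; then
        echo root
    elif [ "$ro_debuggable" = "1" ] && [ "$service_adb_root" = "1" ]; then
        echo root
    else
        echo shell
    fi
}

# Read one property from the connected device, stripping the CR that adb
# shell adds on some hosts.
devprop() {
    adb shell getprop "$1" | tr -d '\r'
}

# Compare what the stock rule predicts with what the device's shell reports.
# Needs only a plain adb connection; no root is required to run it.
explain_device() {
    secure=$(devprop ro.secure)
    debuggable=$(devprop ro.debuggable)
    adbroot=$(devprop service.adb.root)
    qemu=$(devprop ro.kernel.qemu)

    echo "ro.secure=$secure ro.debuggable=$debuggable service.adb.root=$adbroot ro.kernel.qemu=$qemu"
    echo "stock rule predicts adbd runs as: $(adbd_keeps_root "$secure" "$debuggable" "$adbroot" "$qemu")"
    echo "device reports:                   $(adb shell id | tr -d '\r')"
}

# Only touch a device when asked: `sh adb_root_check.sh check`
if [ "${1:-}" = "check" ]; then
    explain_device
fi
```

When the prediction says root but `id` reports uid=2000(shell), the adbd that is actually running is not following the stock property rule, so editing ro.secure in default.prop is the wrong lever; that is the situation the adbd replacement in the steps above addresses. When both say shell, the properties themselves are the reason, and the getprop output tells you which one.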
@nijel8
Thanks for sharing this. I will test this out on my device. If successful I would like to share this over in the One SV forums.
I never even considered this idea smh lol.
Edit: confirmed working
Thanks so much for sharing this. I too use adb a lot and need an insecure kernel.
Success. Nexus 5 and I changed Franco kernel to insecure.
Franco kernels used to be insecure but none thus far have been on the N5. Any reason behind this?
Fuzzy13 said:
Thanks so much for sharing this. I too use adb a lot and need an insecure kernel.
Success. Nexus 5 and I changed Franco kernel to insecure.
Franco kernels used to be insecure but none thus far have been on the N5. Any reason behind this?
My guess is devs play it safe so the average Joe doesn't mess with /system... ha-ha
btw is "adb logcat" working for you?
Only problem with the adbd from Chainfire's ADB Insecure is that it breaks adb wireless, any solution?
Some time ago I've tried to do this for a Nexus 6, running Marshmallow.
Android has tightened up security, so I got bootloops.
Anyone has managed to do this?
Thank you!
Can this work with Note 3 N900 (Exynos kernel) sir? Or only for Snapdragon chipset kernels? Thanks sir!
does this work on locked bootloader devices?
a custom kernel exists for my device (G928A) with ADB Insecure, but it's got a few quirks that need to be worked out (that require fully rooting the device)
all I'm looking for is insecure ADB (which I have tried to get by setting ro.secure=0 and adb.secure=0, both with echo commands in shell) for temporary adb root on the device
how did ManIT make his custom kernel undetectable/passable by the bootloader but with modifications?
if this will work... then I will just edit an image pulled from the device's current boot.img and do the same adb insecure edit to the ramdisk, to update the root flash kernel... she's a bit dated... and there isn't a marshmallow specific one yet.
I was also reading about a filler file due to block sizing when repacking the image ... so I created a copy file and edited the contents till it zipped back to within 1kb of data... will this be detected and flagged at boot?
help please
Great tutorial.
I did it by following the steps in your post.
Thank you for clear and precise explanation.
Anybody have a pre-patched / adb root enabled adbd at hand (10.0.36 or higher - current is 10.0.41 I think)?

[Mod][Systemless Root][Pixel/Pixel XL] TetherMod - Bypass provisioning checks.

This guide presupposes that you have Supersu installed as systemless, and that you have access to adb.
This will bypass provisioning checks for the built-in tether app. The modded apk should work with future updates without touching /system at all.
Installation
Method 1 - Manual install
Download the attached CarrierEntitlement apk.
If you have su.img su:
Code:
adb push CarrierEntitlement.apk /sdcard/CarrierEntitlement.apk
adb shell
su
mkdir /su/CarrierEntitlement
cp /sdcard/CarrierEntitlement.apk /su/CarrierEntitlement/CarrierEntitlement.apk
chmod 644 /su/CarrierEntitlement/CarrierEntitlement.apk
echo "mount -o bind /su/CarrierEntitlement/CarrierEntitlement.apk /system/priv-app/CarrierEntitlement/CarrierEntitlement.apk" > /su/su.d/05TetherMod
chmod +x /su/su.d/05TetherMod
reboot
If you have sbin su (Android 8.0+):
Code:
adb push CarrierEntitlement.apk /sdcard/CarrierEntitlement.apk
adb shell
su
mkdir /sbin/supersu/CarrierEntitlement
cp /sdcard/CarrierEntitlement.apk /sbin/supersu/CarrierEntitlement/CarrierEntitlement.apk
chmod 644 /sbin/supersu/CarrierEntitlement/CarrierEntitlement.apk
echo "mount -o bind /sbin/supersu/CarrierEntitlement/CarrierEntitlement.apk /system/priv-app/CarrierEntitlement/CarrierEntitlement.apk" > /sbin/supersu/su.d/05TetherMod
chmod +x /sbin/supersu/su.d/05TetherMod
reboot
Method 2 - Flashable Zip (su.img only)
Code:
1. Download attached zip.
2. Flash in TWRP (Last tested in alpha 2)
Information
This mod is accomplished by replacing the following function:
Code:
.method public static getCarrierEntitlement(Landroid/content/Context;)Lcom/google/android/carrierentitlement/CarrierEntitlement;
.registers 2
.param p0, "context" # Landroid/content/Context;
.prologue
.line 56
const/4 v0, 0x0
return-object v0
.end method
NOTE: Post install
You may need to edit your APNs to get tethering working for your carrier.
On sprint, where editing APNs is disabled, the fix is here: Sprint Fix
Be sure to thank @Builtfordtough1 for all his help in diagnosing the issue at this post: The Solution!
Be sure to thank sb1893 for sbin su instructions.
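The su.d one-liner above does the whole job in one mount command, which is fine until the layout under /system/priv-app changes or the script runs twice. As an added example that is not the mod's own 05TetherMod (my code, with the su.img paths from the post; the log location and function names are my assumptions), here is the same bind mount with the checks a boot-time script wants: skip if already mounted, refuse if either file is missing, and verify afterwards that the target now reads as the replacement.

```shell
#!/system/bin/sh
# Added example, not the mod's own 05TetherMod. Same bind mount as the one-liner
# in the post, but the script checks its inputs first, refuses to act when the
# layout is not what it expects, and logs what it did so a failed boot-time mount
# is diagnosable. Paths are the su.img ones from the post; the log location and
# function names are my own assumptions.

SRC=/su/CarrierEntitlement/CarrierEntitlement.apk
DST=/system/priv-app/CarrierEntitlement/CarrierEntitlement.apk
LOG=/cache/tethermod.log   # assumed writable at su.d time; adjust per device

log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOG" 2>/dev/null; }

# is_mount_point MOUNTS_TEXT PATH
# Returns 0 when PATH appears as a mount point in MOUNTS_TEXT, which uses the
# /proc/mounts layout: "device mountpoint fstype options dump pass" per line.
# This is what makes the script idempotent: a second run must not stack mounts.
is_mount_point() {
    printf '%s\n' "$1" | {
        while read -r _dev mnt _rest; do
            [ "$mnt" = "$2" ] && exit 0
        done
        exit 1
    }
}

# same_content A B: 0 when both files hash identically. After a successful
# bind mount, DST must read exactly as SRC.
same_content() {
    a=$(sha1sum "$1" 2>/dev/null | cut -d' ' -f1)
    b=$(sha1sum "$2" 2>/dev/null | cut -d' ' -f1)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

apply_mod() {
    mounts=$(cat /proc/mounts)
    if is_mount_point "$mounts" "$DST"; then
        log "skip: $DST is already a mount point"
        return 0
    fi
    if [ ! -f "$SRC" ]; then
        log "abort: replacement apk $SRC is missing"
        return 1
    fi
    if [ ! -f "$DST" ]; then
        log "abort: $DST not found; priv-app layout differs from the post"
        return 1
    fi
    if ! mount -o bind "$SRC" "$DST"; then
        log "abort: bind mount failed"
        return 1
    fi
    if same_content "$SRC" "$DST"; then
        log "ok: $DST is now served from $SRC"
    else
        log "warn: mount reported success but $DST does not match $SRC"
        return 1
    fi
}

# Constructed /proc/mounts excerpt (not captured from a device) for an offline
# check of the mount-point parser: `sh 05TetherMod selftest`
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/block/dm-0 /system ext4 ro,seclabel,relatime 0 0
/su /su ext4 rw,seclabel,noatime 0 0'

selftest() {
    is_mount_point "$SAMPLE_MOUNTS" /su || return 1
    is_mount_point "$SAMPLE_MOUNTS" /system/priv-app && return 1
    return 0
}

case "$0" in
    */su.d/*) apply_mod ;;             # running as a SuperSU boot script
esac
if [ "${1:-}" = "selftest" ]; then
    selftest && echo "selftest ok"
fi
```

Because the script bails out when the stock CarrierEntitlement.apk is absent, a system update that moves or renames the package leaves /system untouched instead of producing a half-applied mod, and the log line tells you which branch ran. The self-test only exercises the parser; the real mount still needs the script installed under su.d with the chmod +x from the post.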
Worked Perfectly
This worked perfectly. Fantastic job!
So I am on stock with unlocked bootloader, twrp installed, and rooted with SuperSU. Because this is an apk file, do i just download onto the phone and install as I would with any other .apk file?
coolhandz said:
So I am on stock with unlocked bootloader, twrp installed, and rooted with SuperSU. Because this is an apk file, do i just download onto the phone and install as I would with any other .apk file?
The directions clearly state in adb speak that you need to create a directory for the file. Move to said directory, change permissions, etc etc. Nothing about installing via the apk.
pcriz said:
The directions clearly state in adb speak that you need to create a directory for the file. Move to said directory, change permissions, etc etc. Nothing about installing via the apk.
well, i can follow basic commands in minimal adb & fastboot. I think this may be above me unless there is an idiots' guide.
coolhandz said:
well, i can follow basic commands in minimal adb & fastboot. I think this may be above me unless there is an idiots' guide.
Do you have access to adb? They are pretty straight forward. May need to view them on the website but if you are using an app it may throw the word wrap off and make the commands seem confusing. The directions are pretty word for word.
pcriz said:
Do you have access to adb? They are pretty straight forward. May need to view them actually on the website but if you are using an app it may throw the word wrap off and make the commands seem confusing. The directs are pretty word for word.
If by adb you mean minimal adb & fastboot, then yes I have access and I could probably brave it.
coolhandz said:
If by adb you mean minimal adb & fastboot, then yes I have access and I could probably brave it.
I wouldn't suggest doing it how I did it but I downloaded the file to my phone. I created the directory using a root enabled file browser (see mkdir command {make directory}). I even used the file properties option in solid explorer to change the permissions (see chmod 644). Every other command I did on the phone from a terminal emulator. Just had to ignore the adb shell command because I am actually doing them on the device and not through a shell on my computer.
pcriz said:
I wouldn't suggest doing it how I did it but I downloaded the file to my phone. I created the directory using a root enabled file browser (see mkdir command {make directory}). I even used the file properties option in solid explorer to change the permissions (see chmod 644). Every other command I did on the phone from a terminal emulator. Just had to ignore the adb shell command because I am actually doing them on the device and not through a shell on my computer.
yeah, all that is definitely outside of my comfort zone, but thank you for the info.
Can you normally update your device with OTA updates like an unrooted device, without FlashFire or connecting to your computer?
Is there an advantage to doing this over adding "net.tethering.noprovisioning=true" to the build.prop file?
airmaxx23 said:
Is there an advantage to doing this over adding "net.tethering.noprovisioning=true" to the build.prop file?
This mod is systemless, and should survive OTAs. That mod changes the build.prop on the system partition, which could prevent taking OTAs.
njeri123 said:
Can you normally update your device with OTA-updates like a un-rooted device, without flashfire or connect to your computer?
Any modification to the boot image *should* prevent OTAs from working at all. However, you can flash back to stock boot images, and take OTAs as long as you have not modified /system, which this mod does not do.
Furthermore, as long as you don't wipe /data/ this mod will live in su.img and survive when you flash newer system software.
Fenny said:
This mod is systemless, and should survive OTAs. That mod changes the build.prop on the system partition, which could prevent taking OTAs.
Any modification to the boot image *should* prevent OTAs from working at all. However, you can flash back to stock boot images, and take OTAs as long as you have not modified /system, which this mod does not do.
Furthermore, as long as you don't wipe /data/ this mod will live in su.img and survive when you flash newer system software.
Thanks for the explanation, I removed the build.prop line and used this method and it's working fine. Thank you.
@Fenny
Thank you so much for putting this into a .zip file. It is greatly appreciated!
is there a non root method to bypass the checks? i dont plan on unlocking or rooting since i use android pay...
ddarvish said:
is there a non root method to bypass the checks? i dont plan on unlocking or rooting since i use android pay...
I also use Android pay, so I have two boot images ready to fastboot or flash. I have a boot image with root, and a boot image without root running a kernel that hides the bootloader unlocked flag.
So, the way I handle this, I flash the unrooted (bootloader flag hidden) image as my daily driver kernel, this passes safetynet, and allows me to use Android pay.
I make a backup of that boot image. Then, I install TWRP, my custom kernel, and SuperSU. I make a backup of that image as well.
So I have two backed up boot images:
rooted.img
HideBLUnlock.img
I flash HideBLUnlock.img to boot a, and boot b, safetynet passes.
Whenever I need to tether I have my computer with me, so I "fastboot boot rooted.img" which leaves me rooted until my next reboot.
Depending on your usage you might want to reverse that.
All my mods get stored in su.img, so switching out the boot images is all I need to have the best of both worlds.
Is it possible to fastboot boot twrp and flash the zip without being rooted or having twrp actually installed? O unlocked my bootloader but that's been it
Ocelot13 said:
Is it possible to fastboot boot twrp and flash the zip without being rooted or having twrp actually installed? O unlocked my bootloader but that's been it
You can use the fastboot twrp image to install this mod but you MUST have SuperSu. I have basic validation to check that in my update.zip. If you don't have a su.img in /cache or /data, this mod cannot be installed.
Flashed via TWRP and now i finally have a fully functioning hotspot!!
Fenny said:
I also use Android pay, so I have two boot images ready to fastboot or flash. I have a boot image with root, and a boot image without root running a kernel that hides the bootloader unlocked flag.
So, the way I handle this, I flash the unrooted (bootloader flag hidden) image as my daily driver kernel, this passes safetynet, and allows me to use Android pay.
I make a backup of that boot image. Then, I install TWRP, my custom kernel, and SuperSU. I make a backup of that image as well.
So I have two backed up boot images:
rooted.img
HideBLUnlock.img
I flash HideBLUnlock.img to boot a, and boot b, safetynet passes.
Whenever I need to tether I have my computer with me, so I "fastboot boot rooted.img" which leaves me rooted until my next reboot.
Depending on your usage you might want to reverse that.
All my mods get stored in su.img, so switching out the boot images is all I need to have the best of both worlds.
This is fascinating. Do you ever think we could use boot a and boot b in a multiboot-like fashion, so that when you turn on the device you can choose what to boot?

How to get control of Android 4.4.2

Hello,
I am trying to root my own Android. I was able to get the Dirty COW exploit running, which allows me to write to files that I should not be able to, including files in the /system directory. How can I take advantage of that?
I was able to take advantage of a binary with setuid: I overwrote it with my binary, which ran setprop to enable adb over Wifi (setprop service.adb.tcp.port 6565). Otherwise I don't have access to adb, it doesn't work over USB for some reason, but now I lost the binary file.
Apart from that I was able to modify /etc/hosts, which is helpful, but not that groundbreaking.
Version is 4.4.2, kernel 3.0.19. No adb.
What would you recommend to do?
Edit:
I managed to turn on wifi over adb by overriding "/system/bin/fsck_msdos" and plugging in USB. Now I can access adb over wifi. Also reading through this:
https://forum.xda-developers.com/general/security/dirty-cow-t3484879/page4
