[XZ2/XZ2c/XZ2p/XZ3] temp root exploit via CVE-2020-0041 including magisk setup - Sony Xperia XZ2 ROMs, Kernels, Recoveries, & Other

temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
including temporary magisk setup from the exploit
The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
I have adapted the Pixel 3 specific exploit for kernel 4.9 that is used with sony TAMA platform phones running Android 10 with February 2020 security patch level.
SUPPORTED TARGETS
H8116-52.1.A.0.618 - xperia XZ2 Premium
H8166-52.1.A.0.618 - xperia XZ2 Premium dual
H8216-52.1.A.0.618 - xperia XZ2
H8266-52.1.A.0.618 - xperia XZ2 dual
H8296-52.1.A.0.618 - xperia XZ2 dual
H8314-52.1.A.0.618 - xperia XZ2 Compact
H8324-52.1.A.0.618 - xperia XZ2 Compact dual
H8416-52.1.A.0.618 - xperia XZ3
H9436-52.1.A.0.618 - xperia XZ3 dual
H9493-52.1.A.0.532 - xperia XZ3 dual
This has been tested only with xperia XZ2 H8216-52.1.A.0.618 target, but support for other targets has been implemented based on analysis of each kernel image from target firmware.
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.
USAGE HOWTO INCLUDING MAGISK SETUP
be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
enable developer mode options and in there adb debugging (eventually install adb drivers)
download the tama-mroot.zip with the exploit attached in this post
download Magisk-v20.4.zip from magisk releases page on github here
use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
unzip and prepare magisk setup with following commands in 'adb shell'
Code:
cd /data/local/tmp
unzip tama-mroot.zip
chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
./magisk-setup.sh
get temp root and start magisk up with following commands in 'adb shell':
Code:
cd /data/local/tmp
./tama-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3
If it worked, you should see something like this:
Code:
H8216:/ $ cd /data/local/tmp
H8216:/data/local/tmp $ ./tama-mroot
[+] Detected H8216-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd07822fa00
[+] file epitem at ffffffd102da6d00
[+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
[+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9dee01ebf8
[+] kernel base: ffffff9dece80000
[+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
[+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
[+] init_cred: ffffff9def02fcd0
[+] memstart_addr: 0xfffffff040000000
[+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
[+] Second level entry: ae419003 -> next table at ffffffd06e419000
[+] sysctl_table_root = ffffff9def05c710
[+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
[+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd07822fa20
[+] epitem.prev = ffffffd07822fad8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ false
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14148
+ '[' -z 14148 ']'
+ >/sbin/.magisk/escalate
+ echo 14148
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
+ FRESH=false
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC=''
+ timeout=10
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14165
+ '[' -n 14165 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
The magisk setup from the exploit, including working permission asking, has been fully developed by me; it uses some novel techniques to overcome the limitations caused by magisk being run from a temp root instead of being integrated in the boot process as a service.
Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or the kernel boot image, can result in a phone that no longer boots.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow making permanent changes in crucial partitions - you would need to unlock the bootloader for that.
Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.
Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there. Backup of TA partition now works with tama-mroot avoiding 'Required key not available' you could experience with previously released tama-root.
There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup.
For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.
SOURCES
Exploit sources for all releases are available at my github here.
CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.
Thank you very much to all who donate.
DOWNLOAD

CHANGELOG
2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip

So you did it again! You are insane mate!!
Respect.

Relative noob here, I have a few questions with temporary root,
1- can I remove preinstalled apps e.g. I want to remove the preinstalled FB app, would it reappear after a reboot?
2- would this wipe our phones?
3- would it affect the camera etc
Thanks in advance.

@teostar, you may also check this thread for the answers.
Particularly post#5 may be applicable for tama too (did not check/test though).

So who's gonna go first? I'm interested to know if an ad block app like adaway can be installed now that modifies the hosts files. Or can I use titanium backup to backup/restore an app+data? There was an app I used to use via Xposed that let YouTube play in background as well, perhaps I can backup that app from old phone and restore it on my xz2c?
Edit: tried it, it works on my XZ2C H8314 on Verizon. Not sure what to do with it though. Seems that it just gives me a shell with root, dunno how that helps me get an app installed that needs root like adaway unless somehow I figure out what adaway app does behind the scenes and do it manually through the root shell?

Well that didn't work, I guess the hosts file is in /system/etc/ so if we can't modify anything in /system then I guess even just modifying the hosts file could break something?

@Mike7143, to provide root access to apps, root manager like magisk is needed.
It can be started from an exploit (possibly with a bit limited functionality) as shown in this thread. Unfortunately that old magisk does not work with android 10.
I tried to start up latest magisk from the exploit, but it ended with magisk manager detected magisk root alright, but I could not make sending notifications from apps to ask magisk for root permission somehow.
So currently only the shell is available, allowing for example to backup still locked TA partition.
You can do small changes in /system, but if you would not get red triangle on boot, it would possibly revert the change.
You can modify stuff in /system on runtime "system less-ly" exactly like magisk does it though, using bind mounts.

Is this method compatible with the latest firmware? (.672)
Is it safe to relock the bootloader with my backup? Nothing breaks?
Btw, amazing job! Now I think the AOSP project will get more users. Hope the XZ3 gets more popular in the custom scene.

j4nn said:
Some partitions might still be possible to modify - for example in case of Sony Xperia XZ1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.
Thanks for mentioning the VoLTE modem config on still locked XZ1 devices! Somehow I didn't read that in the XZ1 thread. Good to know! Maybe I won't unlock the bootloader of my backup XZ1, because adding VoLTE for my German telco provider Congstar to the stock firmware is enough for my use case.
j4nn said:
Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there.
There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup. For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.
Too bad there is no possibility to restore the TA partition on the XZ2c yet. On the XZ1 this opened the door to real freedom!

j4nn said:
...Good news is that I've managed to adapt the first stage and eventually have been able to backup TA partition still in locked state. But then it went south, phone complained about corruption or something, refusing to boot and just powered off with no way of recovery - except bootloader unlock, that allowed me to eventually fix it.
So... if I'm reading this right, even just backing up the TA partition on the XZ2C caused something to break, forcing you to unlock? I was thinking maybe I should figure out how to backup my TA partition as well just in case in the future there's a fix, but if it's going to break it by just backing it up, that's an issue as well.
j4nn said:
... I tried to start up latest magisk from the exploit, but it ended with magisk manager detected magisk root alright, but I could not make sending notifications from apps to ask magisk for root permission somehow.
So currently only the shell is available, allowing for example to backup still locked TA partition.
You can do small changes in /system, but if you would not get red triangle on boot, it would possibly revert the change.
You can modify stuff in /system on runtime "system less-ly" exactly like magisk does it though, using bind mounts.
So, basically all we have is temp root via adb shell. Doesn't seem that magisk works. I guess I'm not sure what you mean by "small" changes in /system, what is "small"? Coming from a 2013 Moto X developer edition that I could do anything with I'm really missing adaway and youtube adaway on my new XZ2C H8314. Not sure if modifying my hosts file would be considered small or not, and that doesn't take care of youtube adaway of which I'm not even sure how that works. DNS666 seems to be an alternative to adaway but it's not taking care of youtube.
Regarding modifying /system "system-lessly", I'll admit I'm a rookie when it comes to this stuff, I either have a lot to learn/read up on or wait for an easier to use app/workaround.
It seems like in your XZ1C post you and others were working on getting the XZ2C sorted out but since decided to go back and focus on the XZ1C?

@brunos0, the exploit cannot work with .672 firmware, the kernel in it already contains the vulnerability fix.
There is the list of supported targets / fw versions in the OP...
I am not aware of any method that would allow you to re-lock unlocked xz2* phone.
@SGH-i200, yes, I believe it should be possible to temp root oreo running xz1, from it flash your pie's oem partition, modify it according to your needs and upgrade with newflasher to latest pie skipping flash of oem partition, getting you latest stock pie with modified oem...
Concerning TA restore on XZ2c (or any other tama platform phone): it actually _is_ possible to easily restore TA partition from locked state backup, returning your device key (aka drm keys) back.
But it somehow seems the firmware does not use it anyway for some reason. Unfortunately even kernel hiding bootloader unlock does not help like it did with xz1* phones.
So it might happen that someone discovers a way to make drm features work if you have the keys restored from locked TA backup...
@Mike7143, no, that is a misunderstanding... That linked post, where I describe my initial exploiting of xz2 - that has been completely different exploit. That exploit has been originally designed for xz1c, ported partially for xz2 and in the process of trying/testing/implementing it, something broke... It has nothing to do with just released CVE-2020-0041 based exploit for xz2* phones.
So this new exploit is perfectly safe, only doing changes in RAM of linux kernel to escalate to root user with selinux changed to permissive.
After a reboot all is gone, no root or anything left from the exploit...
So you can safely backup locked TA to preserve the device key (drm keys) for future use.
Concerning changes - simply forget changing /system or /vendor or kernel boot partition.
It is however possible to use bind mounts to make "changes" on runtime, but that requires some knowledge obviously.
Maybe I can fix setup of magisk from the temproot exploit, but no promises, spent already huge amount of time on that and getting out of ideas unfortunately.

Thanks @j4nn for the reply. So you're saying that simply backing up the TA partition now while on this version and have temp root access shouldn't cause the phone to break? If so, I suppose it's worthwhile to get it backed up in case there's ever a future solution to restore it and have the system recognize it. Is the below quote from your OP regarding temp root on XZ1C how I'd backup my TA partition on my XZ2C?
j4nn said:
When renoroot is successful, you may use following commands in the root shell to backup the trim area partition:
Code:
cd /data/local/tmp
dd if=/dev/block/bootdevice/by-name/TA of=TA-locked.img
chown shell:shell TA-locked.img
sync
sync
And then try to read it out from the phone to your PC - use another command prompt window, do not exit the root one:
Code:
adb pull /data/local/tmp/TA-locked.img
If so, seems pretty straight forward to backup the TA partition with my DRM keys!
Regarding systemless changes with bind mounts, I'll have to look into that. I found one post here that seems like it's just making a link to another location that perhaps might work, but perhaps even just swapping out a file for a link might not be safe. I'm probably better off just waiting for someone to make more user-friendly tools and then make donations vs. trying to learn on my own and risk breaking my device!
If I can find a cheap/broken screen H8314 I might be able to buy it if it'd help with development of getting the XZ2C to be unlocked/rooted and retaining all the Sony features. I plan on using this phone for a while just like I just traded my 2013 Moto X for the XZ2C in 2020!

@Mike7143, yes, that's the way to back up TA even in case of XZ2* phones.
Here is an example to use bind mount to change hosts temporarily on runtime from a root shell:
Code:
akari:/ # cd /data/local/tmp
akari:/data/local/tmp # cp /system/etc/hosts .
akari:/data/local/tmp # mount -o bind hosts /system/etc/hosts
akari:/data/local/tmp # echo "127.0.0.1 some.url.com" >> /system/etc/hosts
akari:/data/local/tmp # cat /system/etc/hosts
127.0.0.1 localhost
::1 ip6-localhost
127.0.0.1 some.url.com
akari:/data/local/tmp #
as it is only a mount, the change is done in /data/local/tmp/hosts in fact, that can be seen like this:
Code:
akari:/data/local/tmp # umount /system/etc/hosts
akari:/data/local/tmp # cat /system/etc/hosts
127.0.0.1 localhost
::1 ip6-localhost
akari:/data/local/tmp # cat /data/local/tmp/hosts
127.0.0.1 localhost
::1 ip6-localhost
127.0.0.1 some.url.com
akari:/data/local/tmp #
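As an added example (not code from the post above or from the tama-mroot release), the bind-mount trick j4nn shows can be wrapped so that entries are de-duplicated and the override is verified against /proc/self/mountinfo before being trusted. The paths /data/local/tmp and /system/etc/hosts are taken from the thread; the mount and umount steps assume the temp root shell, while the text helpers run anywhere.

```shell
#!/bin/sh
# Added example: runtime-only ("systemless") hosts override via bind mount,
# with de-duplicated entries and a mountinfo check that the override took.
# The stock /system/etc/hosts is never written; only the copy under
# /data/local/tmp (placeholder working dir from the thread) is edited.

# hosts_has FILE NAME : true if a non-comment line in FILE already maps NAME
hosts_has() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                   END { exit !f }' "$1"
}

# build_hosts_overlay ORIG OUT NAME... : copy ORIG to OUT and append a
# "127.0.0.1 NAME" line for every NAME not yet present; prints the number
# of entries appended, so repeated names or names already in ORIG add nothing.
build_hosts_overlay() {
    orig=$1; out=$2; shift 2
    cp "$orig" "$out" || return 1
    added=0
    for name in "$@"; do
        if ! hosts_has "$out" "$name"; then
            printf '127.0.0.1 %s\n' "$name" >> "$out"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# is_bind_mounted MOUNTINFO TARGET : true if MOUNTINFO (normally
# /proc/self/mountinfo) lists TARGET as a mount point (field 5 of each line).
is_bind_mounted() {
    awk -v t="$2" '$5 == t { f = 1 } END { exit !f }' "$1"
}

# apply_hosts_overlay OVERLAY TARGET : bind-mount OVERLAY over TARGET
# (root shell only) and confirm through mountinfo that the mount exists.
apply_hosts_overlay() {
    mount -o bind "$1" "$2" || return 1
    is_bind_mounted /proc/self/mountinfo "$2"
}

# revert_hosts_overlay TARGET : drop the override; the untouched stock file
# becomes visible again (a reboot has the same effect).
revert_hosts_overlay() {
    umount "$1"
}

main() {
    work=/data/local/tmp
    n=$(build_hosts_overlay /system/etc/hosts "$work/hosts" some.url.com) || exit 1
    echo "appended $n entries to $work/hosts"
    if apply_hosts_overlay "$work/hosts" /system/etc/hosts; then
        echo "override active and verified in mountinfo"
        echo "run 'revert_hosts_overlay /system/etc/hosts' to undo"
    else
        echo "override NOT active" >&2
        exit 1
    fi
}

# The mount step only runs when explicitly requested, so the helpers can be
# sourced or checked without touching any mount.
if [ "${RUN_HOSTS_OVERLAY:-0}" = 1 ]; then
    main
fi
```

Run it from the temp root shell as `RUN_HOSTS_OVERLAY=1 sh hosts-overlay.sh`; sourcing the file without that variable only defines the functions.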

As it seems .618 fw versions get missing from xperifirm, please let me know if you need some - I still have following:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
so I may upload it on request.

j4nn said:
As it seems .618 fw versions get missing from xperifirm, please let me know if you need some.
I would be happy, if you mirror "H8324_*_52.1.A.0.618_R2C" for me! I forgot to check Xperifirm right after I read about your new temp root success. Shame on me.

j4nn said:
@Mike7143, yes, that's the way to back up TA even in case of XZ2* phones.
I tried to backup TA partition on XZ2C H8314 on 52.1.A.0.618 using temp root but when I run the line
Code:
dd if=/dev/block/bootdevice/by-name/TA of=TA-locked.img
I get
Code:
dd: TA-locked.img: Required key not available
Any ideas?

@SGH-i200, you can download it here:
https://androidfilehost.com/?w=files&flid=312525
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C.zip
@Mike7143, you are right, it seems there is some limitation with the root permissions. I will check it. Probably would need some extension in the exploit.

j4nn said:
@Mike7143, you are right, it seems there is some limitation with the root permissions. I will check it. Probably would need some extension in the exploit.
Thanks for verifying that it wasn't something I'm not doing correctly! Just out of curiosity, I'm assuming that your XZ2C was on Android 10 and you had to unlock the BL to get it working again? Would you be able to provide a list of things that are now broken due to the unlock and loss of DRM keys so that folks like myself might be able to weigh whether or not we want to unlock? I'd really like to know exactly what I'm giving up, at least today on Android 10 for an unlocked BL so I can weigh the pros and cons. I'm not sure if you're familiar enough with the XZ2C and know what all features it had before and what's gone missing/broken after.
I can read lots about what's been broken and not on past versions of Android, but I'm not finding a lot of info yet on what's changed in Android 10, if anything. I have read that BL unlock on Android 10 doesn't break the camera anymore but it's unclear to me if reports are that the camera is no longer completely broken (green screen) but any Sony processing perks are gone, or if the camera and all the Sony stuff related to the camera and image processing are no longer affected.
Thanks!

@Mike7143, my xz2 unlock has been done on 52.0.A.8.131, that is a pie firmware. That time (2019-10-03) android Q had not been available for xz2 yet.
So I cannot help you with those questions, sorry.

Related

[SOLVED] How can I perform a factory wipe on Desire via ADB/Clockwork Recovery?

Having dropped my desire and cracked the screen I would like to perform a factory wipe via ADB before I take it in for repair (I've backed it up).
I have the clockwork recovery which doesn't have the su/format commands and I am unable to find information on the other functions.
Any tips?
Many thanks!
Clockwork recovery offers all wipe and factory reset functions. 2.5.0.7, unless I'm missing something
He has no screen man, so gui is Wortes
Anyway, try this
Code:
adb shell
#wipe data
Just a question, can you go from a rooted Desire with custom ROM to stock by just wiping everything in clockwork recovery?
I thought you needed to run a RUU update to put everything back to stock?
swimon said:
I thought you needed to run a RUU update to put everything back to stock?
That's right. But even if wipe all is not back to stock, it's better than leaving a rooted rom if you want to give it for repair i think.
try;
adb shell
wipe all
you need to add ./ to the start of adb if using a mac or linux
./adb shell
wipe all
Thanks for all the help guys!
I tried the *wipe* command, but I didn't have superuser mode set up.
To get into superuser, which was denied repeatedly I read that a popup usually shows on the phone requesting access. I think I managed to click that by tapping the screen on the left where "yes/accept" usually shows.
When I tried with superuser:
Code:
adb shell
su
wipe system
I got an long list of files that it was unable to delete.
At this point, I needed to leave and thought maybe the phone needed charging or something.
Coming back to it now, the phone is not recognised by ADB.
I've done a lot of searching and I think I must have unchecked the "usb debugging" from the notifications menu somehow.
So I have a new problem...
q) Is it possible to enable usb debugging with a cracked screen or otherwise get into the phone?
I connect the phone and just get android disk device/usb disk drive in windows manager.
I can reboot the phone into bootloader (with volume down held) and when I connect the phone I get bootloader interface appearing instead of disk drive but I just don't know where to go from there.
All I want is to clean the phone before I send it in for repair!
If anyone is able to help, I greatly appreciate it, if not thanks for your time.
In recovery you have full adb access and can do all!
I would say, you try to make a nandroid backup and then flash the RUU.
You take out your sd card and then send the device to them.
They won't do a forensic data analysis, and most of the personal stuff is on the sd ;-)
Ps.: as far as I know you can flash RUUs over fastboot (needs s-off)
And when you get your phone back, you root it and restore the last backup!
Pps.: if you haven't done a backup in the recent past you can sync with HTC Sync with your PC! So you have at least your contacts
Edit: when everything fails just keep the sd :-( they should be professional enough to keep your privacy! And I don't think your emails, sms and contacts are that different from all others :-D
Ah thanks, I thought I might be able to do that as I was mulling it over this morning. When I get home I'll give it a try and see if I succeed. I'll let you know how it goes!
Thanks for the tips and the advice on the nandroid backup - I do have a backup already - I did it when I cracked the screen as a pre-emptive, because at first I could see everything and I assumed it was just a crack but overnight the screen blacked out totally.
Ok, it's in recovery mode but doesn't seem to recognise wipe command. I added a directory listing of /sbin
Code:
C:\Program Files\Android\android-sdk\platform-tools>adb devices
List of devices attached
HT0XWPLXXXXX recovery
C:\Program Files\Android\android-sdk\platform-tools>adb shell
~ # wipe data
wipe data
/sbin/sh: wipe: not found
~ # wipe all
wipe all
/sbin/sh: wipe: not found
~ # wipe
wipe
/sbin/sh: wipe: not found
~ # ls
ls
cache etc res sdcard
data init root sys
default.prop init.rc sbin system
dev proc sd-ext tmp
~ # cd sbin
cd sbin
/sbin # ls
ls
[ erase_image mkswap sort
[[ expr mktemp split
adbd false mkyaffs2image stat
amend fdisk modprobe strings
ash fgrep more stty
awk find mount swapoff
basename flash_image mountpoint swapon
bbconfig fold mv sync
bunzip2 free nandroid sysctl
busybox freeramdisk nandroid-md5.sh tac
bzcat fuser nice tail
bzip2 getopt nohup tar
cal grep od tee
cat gunzip patch test
catv gzip pgrep time
chgrp head pidof top
chmod hexdump pkill touch
chown id printenv tr
chroot insmod printf true
cksum install ps tty
clear kill pwd tune2fs
cmp killall rdev umount
cp killall5 readlink uname
cpio killrecovery.sh realpath uniq
cut length reboot unix2dos
date less recovery unlzop
dc ln renice unyaffs
dd losetup reset unzip
depmod ls rm uptime
devmem lsmod rmdir usleep
df lspci rmmod uudecode
diff lsusb run-parts uuencode
dirname lzop sed watch
dmesg lzopcat seq wc
dos2unix md5sum setsid which
du mkdir sh whoami
dump_image mke2fs sha1sum xargs
echo mkfifo sha256sum yes
egrep mkfs.ext2 sha512sum zcat
env mknod sleep
/sbin #
su rm -rf *
Does that work? :/
Yep, that's done the trick. Thanks.
try a straight
adb shell wipe all
all on one line sometimes the shell boots incorrectly

T210R won't charge when powered off

Please help! After successful downgrade from 4.4.2 to 4.1.2, my tab 3 refuses to charge while turned off. Stuck at the stage of starting to charge where you have the battery symbol and a circle inside it. Even when cable is removed it won't go unless restarted by long pressing the power button.
It charges well when powered on but not otherwise! Every other thing is working normal.
Could it be that the downgrade has tampered with the charging software.
What can I do please?
moyaya02 said:
Hi All,
Can anybody confirm I can use CM guides below to get my data connection back?
wiki*cyanogenmod*/index.php/Upgrade_Rogers_Dream_Radio
and
wiki*cyanogenmod*/index.php/Full_Update_Guide_Rogers_Dream_EBI1_to_CyanogenMod
reading these guides and others, they all seem oriented towards Rogers phones??? I am afraid there will be incompatabilities because my phone is a T-mobile Dream G1, bought on ebay Nov, 2008, and running on Rogers network since then. I lost Data connectivity to Rogers network and can not activate GPS.
My other settings are:
CM 2.4.14.1... and 120 applications ..... and
DREA100 PVT 32B
Hboot 0.95.0000
CPLD-4
Radio-2.22.19.26I
Sept 2 2008
Serial 0
PS I think these two links are very legit..so I modified them as shown to allow for posting ( I am a new user).... if the mods do not like that, please remove.
You are using the kitkat bootloader with a jellybean kernel. That's why charging isn't working as usual. A customized kernel "may" be a possible fix, but there isn't one for that.
gr8nole said:
You are using the kitkat bootloader with a jellybean kernel. That's why charging isn't working as usual. A customized kernel "may" be a possible fix, but there isn't one for that.
I just online edited T21x kernel source: https://github.com/kumajaya/android...mmit/d5a4627819a66fc38c7e53fba3c3f3b220127571 and https://github.com/kumajaya/android...mmit/c6fb6f677aa195b07348eb7777322ca956f9c44c
ketut.kumajaya said:
I just online edited T21x kernel source: https://github.com/kumajaya/android...mmit/d5a4627819a66fc38c7e53fba3c3f3b220127571 and https://github.com/kumajaya/android...mmit/c6fb6f677aa195b07348eb7777322ca956f9c44c
Excellent!! Compiling now to test. Thanks.
Edit:
@ketut.kumajaya It didn't do anything differently than before. It does recognize "charging" mode and charging begins.
Normally, when charging while powered off, then black battery icon will appear for a few seconds, then the green partially filled battery icon will appear while charging and the screen will soon go blank.
With the new KK firmware, the black battery icon never goes away (probably is charging though) and the screen never turns off. Even if you unplug it, the black battery icon stays and the screen stays on which requires a manual reboot.
@gr8nole With 4.1.2 ROM?
Yes. I tried using the init binary from kk kernel and it worked better for charging offline, but screen was black on normal bootup.
Maybe the init binary tries to find the lpcharge string in the kernel command line. I'll try to find a way to manipulate the kernel command line on boot.
@gr8nole I have upgraded my bootloader to KitKat and started experiencing your issue :laugh: I managed to fix it, booting stock KitKat in low power mode by changing init.42 to init.44 https://github.com/kumajaya/android...npack-boot.img/boot.img-ramdisk/sbin/init#L15 . I'll find the source of the problem sooner or later; I believe my "Read LPM state from KitKat bootloader" is still needed.
@gr8nole Please check http://review.cyanogenmod.org/#/c/74120 I'm not sure it's applicable for stock ROM.
Great. You guys are working on it. Sorry, I'm a bit new to Android and don't know much about this stuff. Gotta wait till a solution comes. Thanks to you all for putting effort into finding the solution.
Does it mean the downgrade didn't downgrade the boot loader also? Is it possible to get the JB boot loader and flash it alone?
@gr8nole
Make sure you merge my last 2 commits https://github.com/kumajaya/android_kernel_samsung_lt02/commits/master and then change lpm.rc to:
Code:
on early-init
    start ueventd
    write /sys/class/power_supply/battery/batt_lp_charging 1

on init
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    export LD_LIBRARY_PATH /vendor/lib:/system/lib
    export ANDROID_ROOT /system
    export ANDROID_DATA /data
    export EXTERNAL_STORAGE /sdcard
    symlink /system/etc /etc
    mkdir /sdcard
    mkdir /preload
    mkdir /system
    mkdir /data
    mkdir /cache
    mkdir /efs
    mkdir /tmp
    mkdir /dbdata
    mkdir /mnt 0775 root root
    mount ext4 /dev/block/mmcblk0p14 /system ro wait noatime
    mkdir /data/log 0777
    chmod 0666 /dev/log/radio
    chmod 0666 /dev/log/main
    chmod 0666 /dev/log/event
    class_start default

service debuggerd /system/bin/debuggerd

service ueventd /sbin/ueventd
    critical

#service console /bin/sh
service console /system/bin/sh
    console

service playlpm /system/bin/playlpm
    user root

service immvibed /system/bin/immvibed
    oneshot

service lpmkey /system/bin/lpmkey
    user root

# adbd is controlled by the persist.service.adb.enable system property
service adbd /sbin/adbd
    disabled

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

on property:persist.service.adb.enable=1
    start adbd

on property:persist.service.adb.enable=0
    stop adbd
I confirm the above solution works on the Tab 3 8.0 with stock 4.2.2 and the CM 11 ROM, KitKat bootloader.
Technical explanation, from http://review.cyanogenmod.org/#/c/74120/ :
"The new KitKat bootloader populates "androidboot.mode=charger" in the kernel command line in LPM; init will then ignore the "early-fs" and "boot" actions and try to trigger the "charger" action: https://github.com/CyanogenMod/android_system_core/blob/cm-11.0/init/init.c#L1212-L1242 Without this patch, the lpm service will never be executed".
It works!!! I tested it with my 4.1.2 SvelteNole rom and it seems to behave just like it did before new bootloader. Excellent!
I used your blackhawk 2.1 and only changed out the zImage and made the lpm.rc change.
boot.img is attached so you can post it in your thread so you get the proper credit.
Thanks @gr8nole We fixed it faster than expected
Wow! Good work! So it can work on mine now? How do I flash it? With TWRP custom recovery?
http://forum.xda-developers.com/galaxy-tab-3/development-7/kernel-4-1-2-kernel-kitkat-bootloader-t2897313
doesn't charge offline
Friends, I flashed the kernel three times but for me it doesn't work... my tablet still doesn't charge offline... Please, can someone help me???

[GUIDE] Run Sickbeard/Transmission/sabnzbd/SSH/Samba/More on Shield

I've seen lots of people saying it's not possible to make the Shield an all-in-one solution for downloading, but after hours of tinkering I've got a semi-easy way of running the above services (and tons more) from the Shield. This does require a bit of command-line-fu, but I think I've got most of the hard work done. When it's all said and done, we'll have a working Entware-ng installation (https://github.com/Entware-ng/Entware-ng).
--This guide is a work in progress; there are a few other items I'll add that will improve the user experience, but as it stands now it should work as intended. I also haven't gotten a Samba config to work yet, so if anyone can figure it out, let me know and I'll update a section on it.
I've adapted this guide from a few GitHub projects, which likely means some commands/steps are actually useless on the Shield:
https://github.com/erichlf/AndroidSeedBox
(will add other sources later)
AS ALWAYS MAKE A BACKUP OF DATA -- I AM NOT RESPONSIBLE IF YOUR DEVICE LOSES DATA (to my knowledge, there is no risk of bricking your device doing this, at worst a factory reset/reflash)
Pre-reqs:
Shield has to have ROOT
ADB set up on PC
Busybox : http://www.apkmirror.com/apk/jrummy-apps-inc/busybox-for-android/
Rom Toolbox Lite : Not on apk mirror, so side load from your favorite place
For this process, I recommend having your shield next to your computer, and share inputs with your monitor. You can do 90% of it from an ADB shell, but a few parts you will need to use a terminal on the shield itself, and keyboard is way easier than controller
Install Busybox on the shield, but use the oldest version available (I think the wget for 1.26 messes with the process)
run "adb shell" and run these commands on the Shield (you can copy/paste multiple lines into the cmd window):
Code:
su
mount -o rw,remount /
# Everything lives under /data/entware-ng; the paths Entware expects (/opt, /bin, /lib, /tmp) are symlinks into it
mkdir -p /data/entware-ng
ln -s /data/entware-ng /opt
mkdir -p /data/entware-ng/rootbin
ln -s /data/entware-ng/rootbin /bin
mkdir -p /data/entware-ng/rootlib
ln -s /data/entware-ng/rootlib /lib
mkdir -p /data/entware-ng/tmp
ln -s /data/entware-ng/tmp /tmp
# Home directories for root and for the adb shell user
mkdir -p /data/entware-ng/home/root /data/entware-ng/home/user
chmod 0755 /data/entware-ng/home/root
chown root:root /data/entware-ng/home/root
chmod 0755 /data/entware-ng/home/user
We've set up our staging area, and created a new home directory.
Now let's install Entware. Note that the installer is fetched over plain HTTP and executed as root, so read it before you run it.
Code:
mkdir -p /data/entware-ng/bin /data/entware-ng/lib
ln -s /system/bin/sh /bin/sh
wget http://pkg.entware.net/binaries/armv7/installer/entware_install.sh -O /data/entware-ng/entware_install.sh
sh /data/entware-ng/entware_install.sh
Now let's install a newer BusyBox and wget from Entware and expose the applets the scripts below rely on under /bin
Code:
/opt/bin/opkg install busybox wget
# /bin/sh already exists from the previous step, so that one ln fails harmlessly and /bin/sh stays /system/bin/sh
for applet in sh echo rm rmdir sed mkdir head sort dirname ln mv cat chown chmod pgrep; do
    ln -s /data/entware-ng/bin/busybox /bin/$applet
done
This next step may be optional. It sets up resolv.conf (which may already exist) and /etc/mtab, the list of currently mounted filesystems that some tools read; pointing it at /proc/mounts, which the kernel maintains, is the usual arrangement.
Code:
echo nameserver 8.8.8.8 >/data/entware-ng/etc/resolv.conf
mkdir -p /etc
mount -o rw,remount /system
rm -f /etc/resolv.conf
ln -s /data/entware-ng/etc/resolv.conf /etc/resolv.conf
ln -s /proc/mounts /etc/mtab
Create Passwd file
Code:
echo root:x:0:0:root:/opt/home/root:/bin/sh >/data/entware-ng/etc/passwd
echo shell:x:2000:2000:shell:/opt/home/user:/bin/sh >>/data/entware-ng/etc/passwd
cd .; ln -s /data/entware-ng/etc/passwd /etc/passwd
echo root:x:0:root >/data/entware-ng/etc/group
echo shell:x:2000:shell >>/data/entware-ng/etc/group
cd .; ln -s /data/entware-ng/etc/group /etc/group
echo /bin/sh > /etc/shells
echo PATH=/usr/bin:/usr/sbin:/bin:/sbin:/system/sbin:/system/bin:/system/xbin:/system/xbin/bb:/data/local/bin > /etc/profile
echo export PATH >> /etc/profile
OPTIONAL: If you want to use OpenSSH with a password instead of keys you can set one for root with the following step. I have done this and haven't noticed any issues, but it weakens root: with PasswordAuthentication on, anyone who can reach port 22 can guess that password, so prefer an authorized_keys file and leave password logins off unless you really need them.
Code:
/data/entware-ng/bin/busybox passwd root
Now let's create a script that will initialize Entware-ng after reboot
Code:
cat > /data/entware-ng/entware-init.sh <<'EOF'
#!/system/bin/sh
# / is an initramfs, so the symlinks into /data/entware-ng vanish on every reboot; recreate them
mount -o rw,remount rootfs /
ln -s /data/entware-ng /opt
ln -s /data/entware-ng/rootlib /lib
ln -s /data/entware-ng/rootbin /bin
ln -s /data/entware-ng/tmp /tmp
ln -s /system/bin/sh /bin/sh
mount -o ro,remount rootfs /
EOF
chmod 755 /data/entware-ng/entware-init.sh
Now let's create a start script that calls the initialize script we just made, but also returns a shell in the new environment (the quoted heredoc keeps the shell from expanding anything while the file is written)
Code:
cat > /data/entware-ng/start.sh <<'EOF'
#!/system/bin/sh
# After a reboot /opt is gone: run the init script as root to restore the links
ls /opt >/dev/null 2>&1 || su -c /data/entware-ng/entware-init.sh
export PATH=/opt/sbin:/opt/bin:/opt/rootbin:/opt/local/bin:/system/bin
if busybox test "$(busybox id -u)" = 0; then HOME=/opt/home/root; else HOME=/opt/home/user; fi
export HOME
# Start every Entware service in /opt/etc/init.d, then drop into a shell
/opt/etc/init.d/rc.unslung start
/bin/sh
EOF
chmod 755 /data/entware-ng/start.sh
Now, lets install different services. These are optional, and there are tons more, but this will get transmission/sickbeard/ssh going
Code:
PATH=/data/entware-ng/bin:/bin /data/entware-ng/bin/opkg install vim
PATH=/data/entware-ng/bin:/bin /data/entware-ng/bin/opkg install samba36-server
PATH=/data/entware-ng/bin:/bin /data/entware-ng/bin/opkg install transmission-web transmission-daemon-openssl
PATH=/data/entware-ng/bin:/bin /data/entware-ng/bin/opkg install python
PATH=/data/entware-ng/bin:/bin /data/entware-ng/bin/opkg install python-setuptools
PATH=/data/entware-ng/bin:/bin /data/entware-ng/bin/opkg install python-pip
PATH=/data/entware-ng/bin:/bin /data/entware-ng/bin/opkg install python-cheetah
PATH=/data/entware-ng/bin:/bin /data/entware-ng/bin/opkg install openssh-server
Copy the start.sh and sysinit to the home environment
Code:
cp /data/entware-ng/start.sh /data/entware-ng/home/root/start.sh
cp /data/entware-ng/start.sh /data/entware-ng/home/root/sysinit
chown root.root /data/entware-ng/home/root/start.sh
chmod 755 /data/entware-ng/home/root/start.sh
chown root.root /data/entware-ng/home/root/sysinit
chmod 755 /data/entware-ng/home/root/sysinit
mount -o ro,remount /
mount -o ro,remount /system
Start the new environment
Code:
sh /data/entware-ng/home/root/sysinit
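A check worth running at this point, and again after the first reboot: the whole environment hangs on five symlinks, and one typo in entware-init.sh (or the initramfs being re-extracted at boot) silently removes one of them. The script below is an added example, not part of the original guide or of Entware-ng. It verifies each link against the layout the steps above create; the prefix argument lets it run against a scratch tree on a PC (as the demo at the bottom does), and on the Shield you call `check_entware_layout ''` from a root shell to check the live filesystem.

```sh
#!/bin/sh
# Added example, not part of the original guide: verify the Entware-ng symlink layout.
# Prefix "" means the live filesystem; a non-empty prefix checks a scratch tree.

# Physical link path and the target it must point at, as created by the setup steps.
ENTWARE_LINKS='/opt /data/entware-ng
/bin /data/entware-ng/rootbin
/lib /data/entware-ng/rootlib
/tmp /data/entware-ng/tmp
/data/entware-ng/rootbin/sh /system/bin/sh'

check_link() {
    # $1: prefix, $2: link path, $3: expected target.
    # 0 only if the link exists, points exactly at $3, and $3 exists under the prefix.
    link="$1$2"
    [ -L "$link" ] || { echo "MISSING  $2 (not a symlink)"; return 1; }
    actual=$(readlink "$link")
    [ "$actual" = "$3" ] || { echo "WRONG    $2 -> $actual (expected $3)"; return 1; }
    [ -e "$1$3" ] || { echo "DANGLING $2 -> $3 (target does not exist)"; return 1; }
    return 0
}

check_entware_layout() {
    # $1: prefix. Prints one line per problem; returns the number of broken links (0 = intact).
    bad=0
    while read -r lnk tgt; do
        check_link "$1" "$lnk" "$tgt" || bad=$((bad + 1))
    done <<EOF
$ENTWARE_LINKS
EOF
    return $bad
}

make_scratch_layout() {
    # Build a correct copy of the layout under prefix $1 (constructed, for trying this on a PC).
    mkdir -p "$1/data/entware-ng/rootbin" "$1/data/entware-ng/rootlib" \
             "$1/data/entware-ng/tmp" "$1/system/bin"
    : > "$1/system/bin/sh"
    printf '%s\n' "$ENTWARE_LINKS" | while read -r lnk tgt; do ln -s "$tgt" "$1$lnk"; done
}

# Demo: a correct tree, then the same tree with a "rootlinb" typo in /lib's target.
scratch=$(mktemp -d)
make_scratch_layout "$scratch"
check_entware_layout "$scratch" && echo "layout intact"
rm "$scratch/lib"; ln -s /data/entware-ng/rootlinb "$scratch/lib"
check_entware_layout "$scratch" || echo "-> $? broken link(s)"
rm -rf "$scratch"
```

The exit status is the number of broken links, so `check_entware_layout '' || su -c /data/entware-ng/entware-init.sh` is a reasonable first line for a boot script: it only re-runs the init script when something is actually missing.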
SICKBEARD CONFIG
Install a few pre-reqs for sickbeard
Code:
pip install transmissionrpc
pip install cherrypy
Create a file in init.d to allow sickbeard to start on reboot. Please note, you will need to change the path to where your sickbeard directory is.
I'm not going to cover setting up sickbeard, there are other guides for that. I did find that it couldn't be bound to 0.0.0.0 , or local host, it needed to be hard coded for the shields IP, so I recommend setting it up as a static IP in your router.
Code:
cat > /opt/etc/init.d/S96sickbeard <<'EOF'
#!/bin/sh
PATH=/opt/bin:/opt/sbin:$PATH
/opt/bin/python <YOUR PATH TO>/SickBeard.py -d --port 8081
EOF
chmod 755 /opt/etc/init.d/S96sickbeard
OPENSSH CONFIG
OPTIONAL - If you want to use SSH we need to generate host keys. OpenSSH has disabled the ssh-dss host key algorithm by default since 7.0, so the DSA key only helps very old clients; the ed25519 HostKey line that is commented out in the config below is the modern choice if you generate such a key.
Code:
ssh-keygen -f /opt/etc/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f /opt/etc/ssh/ssh_host_dsa_key -N '' -t dsa
ssh-keygen -f /opt/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521
Now you'll have to get on the Shield and use a terminal emulator to edit your sshd_config file. Here's a copy of mine, but I do not promise how secure it is: as shown it permits root login with a password, allows empty passwords, and turns off StrictModes and privilege separation. At minimum set PermitEmptyPasswords no, and prefer key-based root login before anything outside your LAN can reach port 22.
Code:
# $OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /opt/etc/ssh/ssh_host_key
#HostKeys for protocol version 2
HostKey /opt/etc/ssh/ssh_host_rsa_key
HostKey /opt/etc/ssh/ssh_host_dsa_key
HostKey /opt/etc/ssh/ssh_host_ecdsa_key
#HostKey /opt/etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /opt/etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /opt/var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# enable DSCP QoS values (per RFC-4594)
#IPQoS AF21 AF11
# override default of no subsystems
Subsystem sftp /opt/lib/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
To edit this, on the shield (Rom Toolbox Lite has a terminal emulator) run
Code:
su
cd /opt
sh ./start.sh
cd /opt/etc/ssh
vi ./sshd_config
TRANSMISSION
You'll have to configure your transmission settings, but they're located
/opt/etc/transmission/settings.json
Persist after reboot / Start Transmission/SSH/Sickbeard on boot
On the shield, open Rom Toolbox lite, and go down to "Scripter"
Import the sysinit script located /opt/home/root/sysinit and set the script to run at boot as root
Reboot and you should be able to connect via SSH, and have
Why do we need the passwd and group file ? Won't we use android's UID/GID ?
Can this method somehow be used to create custom group where we could put android's UID ?
I don't know why that step is needed, I got it from the guide I listed, and it worked without any apparent issues, so I left it in. My guess is openssh wants it to be there, but I'm not sure
So after you run all that is there a Interface for Sickbeard etc?
It would be running on <shield IP>:8081 which you could access from the shield, or any other device on your network. Transmission would be :9091
Thanks for this. I'm trying to get python3-pip, acd_cli, and encfs installed on my Shield TV so I can mount my Amazon Cloud Drive and decrypt files for use with Plex. I have this set up on my NAS but it is too weak to do transcoding. I did set up the NAS as a middleman and mounted shares from it on the Shield TV, and while it does work, the extra step is really slow.
edit: I managed to get acd_cli working but I cannot mount my Amazon Cloud Drive share, I get I/O errors when I try to cd into it. Wonder if there's a kernel issue.
So I was able to get this working https://github.com/dsoprea/GDriveFS and could cd into my google drive (But couldn't get Plex to see any files in the directory)
Soooo, even if you do get it working, its possible Plex won't be able to see it
Edit-- Did you install fuse-utils ?
Not specifically. I would think it would have been listed as a dependency and automatically installed, libfuse was though. I ended up factory restoring my Shield after I botched something, so now I'm just at 5.1 stock using the built-in Samba for now.
which version of busybox works? I am having trouble with wget and I tried v1.21.0
chasx003 said:
I've seen lots of people saying its not possible to make the shield an all in one solution for downloading, but after hours of tinkerering I've got a semi easy way of running the above services (and tons more) from the shield. This does requrie a bit of command line-fu , but I think I've got most of the hard work done. When its all said and done, we'll have a working entware-ng installation ( https://github.com/Entware-ng/Entware-ng)
[..]
FIRST
Now let's create a script that will initialize Entware-ng after reboot
Code:
echo \#\!/system/bin/sh > /data/entware-ng/entware-init.sh
echo mount -o rw,remount rootfs / >> /data/entware-ng/entware-init.sh
echo ln -s /data/entware-ng /opt >> /data/entware-ng/entware-init.sh
echo ln -s /data/entware-ng/rootlinb /lib >> /data/entware-ng/entware-init.sh
echo ln -s /data/entware-ng/rootbin /bin >> /data/entware-ng/entware-init.sh
echo ln -s /data/entware-ng/tmp /tmp >> /data/entware-ng/entware-init.sh
echo ln -s /system/bin/sh /bin/sh >> /data/entware-ng/entware-init.sh
echo mount -o ro,remount rootfs >> /data/entware-ng/entware-init.sh
chmod 755 /data/entware-ng/entware-init.sh
[..]
SECOND
Now lets create a start script that calls the initialize script we just made, but also returns a shell in the new environment
Code:
echo \#\!/system/bin/sh > /data/entware-ng/start.sh
echo ls '/opt >/dev/null 2>&1 ||' su -c /data/entware-ng/entware-init.sh >> /data/entware-ng/start.sh
echo export PATH=/opt/sbin:/opt/bin:/opt/rootbin:/opt/local/bin:/system/bin >> /data/entware-ng/start.sh
echo if busybox test $(busybox id -u) = 0; then HOME=/opt/home/root; else HOME=/opt/home/user; fi >> /data/entware-ng/start.sh
echo export HOME >> /data/entware-ng/start.sh
echo 'for file in /data/opt/etc/init.d/*' >> /data/entware-ng/start.sh
echo do >> /data/entware-ng/start.sh
echo ' $file start' >> /data/entware-ng/start.sh
echo done >> /data/entware-ng/start.sh
echo /bin/sh >> /data/entware-ng/start.sh
chmod 755 /data/entware-ng/start.sh
[..]
THIRD
Copy the start.sh and sysinit to the home environment
Code:
chown root.root /data/entware-ng/home/root/start.sh
chmod 755 /data/entware-ng/home/root/start.sh
chown root.root /data/entware-ng/home/root/sysinit
chmod 755 /data/entware-ng/home/root/sysinit
mount -o ro,remount /
mount -o ro,remount /system
[..]
FOURTH
Start the new environment
Code:
sh /data/opt/home/root/sysinit
Reboot and you should be able to connect via SSH, and have
In my quote there has to be something missing between the "first" and "second" steps and the "third" one.. are the two files we've just made the missing files in the home/root directory? Or were they supposed to come from somewhere else?
Also, in the "fourth" step, there is no /data/opt directory in my installation.
Ah! Sorry for not replying until now, life has been busy.
You are correct, there are some typos / things out of order! I'm going to go through this and fix it and will update the OP
I've taken this guide and installed rTorrent (due to superior web client and RSS capability). If anyone needs help on that, I can chime in.
Great tutorial!
Working fine on an Nvidia Shield TV 2017 with the latest update (without reboot).
But after a reboot I lost /opt and /bin in the root :-O
mkdir /opt works fine after mount -o rw,remount /
but if I reboot it disappears.
Any idea?
android.stackexchange.com said:
(root) directory is not a persistent filesystem on Android. It's a initramfs, which is packed into the boot image on your device. Although you can remount it with write permissions, changes will always be lost the next time you boot because the original ramdisk will be re-extracted from the boot image on the next boot.
So we need to :
$ mkboot boot.img /output-folder
$ cd /output-folder
$ gunzip -c ramdisk | cpio -i
... make some changes in the ramdisk and possibly /output-folder/img_info ...
$ find . | cpio -o -H newc | gzip > newramdisk.cpio.gz
$ cd ..
$ mkboot /output-folder newboot.img
If you're rooted, a better solution is to simply install in a chroot, either using debootstrap or other; you can obtain a nearly complete Linux system this way (init in a chroot is weird, stuff like openssh will still have to be started separately after boot, either manually or by an app/script).
If you're not rooted, you can use proot for simple path redirection; this is how termux installs arch on unrooted devices.
Using either option (chroot, proot) requires having binary files that aren't in a noexec partition; generally this means private app storage, not sdcard that's accessible to other apps. If you're building a chroot, you should be able to include the external/public storage folder in it, however a chroot also requires the partition not be mounted with nodev option.
***Note that I don't actually have a shield TV*** (I'm just interested in getting one) so I can't say if the shield's storage is mounted noexec, but the android data partition generally is. I can, however, verify that the process in general works on Android, however, as I've got two tablets running Lineage/Nougat with chroots, and a stock Moto G6 with archlinux arm in proot. To check for partitions mounted as nodev or noexec, run `mount|TERM=xterm grep --color -E 'nodev|noexec'`. You might check to see if you can use /data/local instead of app's private storage.
For installing BusyBox, *should* be a `busybox --install -s [DIR]` option that copies the binary to the destination, then symlinks applets. This should be simpler than symlinking a bunch of applets manually.
If you want a system-wide BusyBox I recommend stericson busybox: https://play.google.com/store/apps/details?id=stericson.busybox
For a terminal emulator on Android, I highly recommend termux, which is available on Google play and F-Droid. It has support for 256 color, styles, a package manager, Android integration (ie notifications from Linux scripts), boot scripts, widgets, etc: https://play.google.com/store/apps/details?id=com.termux
Another alternative: you can set up user-mode Linux for something closer to virtualization, but I have yet to see any UML binaries for use with Android; this would also make it difficult to run networking and to access files from outside the guest, but will provide a full working system with init support, and would not require root to set up and run--however, I think UML networking requires root and/or kernel support, though, and UML generally requires a disk image much like other virtualization tools. Qemu might be workable instead of UML with fewer issues.
Note that all of these solutions are still running under an Android app, and as such are subject to the android task killer. Not sure if there's any way around this without having something run directly by Android's own init system.
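As an added example (mine, not Efreak2004's or the guide author's) of the mount check suggested above: rather than eyeballing `mount | grep`, this resolves which mount actually holds a given directory and reports the noexec/nodev/nosuid flags on it, which is the question that decides whether binaries, and a chroot, can live there. The mount table it runs against is constructed to look like an Android /proc/mounts (device names and options are illustrative, not a real Shield); on the device, drop the second argument and the functions read /proc/mounts.

```sh
#!/bin/sh
# Added example, not from the post above: which mount holds a directory, and does that
# mount carry noexec/nodev/nosuid? Reads /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> 0 0

# Constructed sample in /proc/mounts format (illustrative, not a real Shield).
SAMPLE_MOUNTS='rootfs / rootfs ro,seclabel 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/data/media /storage/emulated sdcardfs rw,nosuid,nodev,noexec,noatime 0 0'

mount_info() {
    # $1: absolute path, $2: mounts file. Prints "<mountpoint> <options>" of the most
    # specific mount containing $1: the longest mount point that is a path-component
    # prefix of $1 (so /data does not claim /datafoo).
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) > length(best)) { best = mp; opts = $4 } }
        END { print best, opts }' "$2"
}

mount_has_flag() {
    # $1: comma-separated mount options, $2: flag. True if $2 is present as a whole option.
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

install_dir_flags() {
    # $1: directory you want to put binaries in, $2: mounts file (default /proc/mounts).
    # Prints the subset of "noexec nodev nosuid" set on the mount holding $1 (empty = none).
    info=$(mount_info "$1" "${2:-/proc/mounts}")
    opts=${info#* }
    out=''
    for flag in noexec nodev nosuid; do
        mount_has_flag "$opts" "$flag" && out="$out${out:+ }$flag"
    done
    printf '%s\n' "$out"
}

verdict() {
    # $1: directory, $2: mounts file. What the flags mean for an Entware or chroot install there.
    flags=$(install_dir_flags "$1" "$2")
    mp=$(mount_info "$1" "$2"); mp=${mp%% *}
    case " $flags " in
        *" noexec "*) echo "$1 (on $mp): noexec, binaries placed here will not run" ;;
        *" nodev "*)  echo "$1 (on $mp): exec OK, but nodev blocks device nodes, so no chroot here" ;;
        *)            echo "$1 (on $mp): exec and device nodes OK" ;;
    esac
}

# Demo on the constructed table; on the device, drop the second argument.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
for d in /data/entware-ng/bin /storage/emulated/0/Download /system/xbin /proc/self; do
    verdict "$d" "$tmp"
done
rm -f "$tmp"
```

On the sample, /data/entware-ng/bin lands on /data, which is nodev but not noexec: Entware's binaries run there, which is what the guide relies on, but a chroot that needs /dev nodes inside it would not work from that mount without a bind mount of /dev.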
Using chroot isn't a good solution. Emulators are not effective either.
Stericson's busybox is paid, meefik's busybox is free and has more utils.
Termux is heavy, I use Terminal Emulator: https://f-droid.org/app/jackpal.androidterm
You are able to install a lot of lightweight linux utils by installing entware-ng. For example, the git pkg has 300 Mb size in termux and 15 Mb in entware.
Entware has a lot in common with optware and openwrt.
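The quoted post above checks for nodev/noexec mounts with `mount | grep`. As an added example (not code from the thread or from any of the projects it mentions), the function below finds the deepest mount point containing a given path in a /proc/mounts-style table and reports whether that mount carries noexec, which is what decides if a binary dropped there can be run at all. The mount table is constructed sample data, not captured from a real device.

```shell
# Constructed sample in /proc/mounts format (not from any real phone).
SAMPLE_MOUNTS='/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
/dev/block/sda12 /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
tmpfs /data/local/tmp/scratch tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/fuse /storage/emulated fuse rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts_for PATH TABLE
# Prints the mount options of the longest mount point that contains PATH.
# A mount point matches if it is "/", equals PATH, or is a directory prefix
# of PATH (so "/data" matches "/data/local/tmp" but not "/database").
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec PATH TABLE
# Returns 0 (true) when the mount containing PATH has the noexec option,
# 1 otherwise. Options are comma separated, so wrap in commas before matching.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: on a real device replace SAMPLE_MOUNTS with "$(cat /proc/mounts)".
for p in /data/local/tmp /data/local/tmp/scratch /storage/emulated/0/tmp; do
    if is_noexec "$p" "$SAMPLE_MOUNTS"; then
        echo "$p: noexec (binaries here cannot be executed)"
    else
        echo "$p: exec allowed"
    fi
done
```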
This is a wonderful guide. I'm surprised more people don't use it. Great job!

[XZ2c] temp root exploit via CVE-2020-0041 including magisk setup

temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
Get a root shell with still locked bootloader.
The main thread is located in xz2 forum section here.
j4nn said:
temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
Get a root shell with still locked bootloader.
The main thread is located in xz2 forum section here.
Great news! I just bought a used XZ2c without knowing your latest success. This is a very pleasant surprise!
Warning: "H8314_Proximus (Vfe) BE_1313-6147_52.1.A.0.618_R1C" is the last firmware available via XperiFirm that is a target for the exploit. Other firmware versions must be searched for elsewhere. I downloaded this one before it is too late.
@SGH-i200, I can upload also H8314_Customized FR_1313-2468_52.1.A.0.618_R4C if you like. Or any other mentioned in the main thread.
implemented magisk setup from temproot
finally got magisk from temp root working, including the permission asking feature - released as tama-mroot.zip - get it here
j4nn said:
finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here
Did it actually work? I am facing an issue while accessing the `/data/local/tmp` directory using adb
Code:
127|H8324:/data $ ls
ls
ls: .: Permission denied
1|H8324:/data $ ls -al
ahzam said:
Did it actually work? I am facing an issue while accessing the `/data/local/tmp` directory using adb
Code:
127|H8324:/data $ ls
ls
ls: .: Permission denied
1|H8324:/data $ ls -al
I was able to copy the zip files from within the adb shell after copying the files to the /sdcard/tmp location and then accessing /data/local/tmp
@ahzam, that's normal behaviour of standard adb shell user. You just need to 'adb push the-files /data/local/tmp' and within 'adb shell' just 'cd /data/local/tmp'.
j4nn said:
@ahzam, that's normal behaviour of standard adb shell user. You just need to 'adb push the-files /data/local/tmp' and within 'adb shell' just 'cd /data/local/tmp'.
Thanks, now the root is done, but it goes off with reboots. Any trick to keep this on after a reboot?
I was not able to install Xposed, and not able to run the rootcloak as well. This root is of little use I guess.
@ahzam, hey, this is a temp root, so it is obvious you lose it with reboot.
Normally only adb shell is provided with an exploit. I have implemented a working start of magisk from the exploit including asking for su permission from apps.
That allows great use of the temp root vs plain temp root shell.
Not only that, you may backup locked TA for eventual restore of drm keys.
You can permanently modify oem partition for debloat or ims support.
Or you can use backup apps that require root.
Or iptables based firewall is great too you know.
There may be many other working use cases, like ads removal, if implemented properly (system less-ly), not tested though.
Do you think that's little use? If someone is not allowed to BL unlock (or does not want to) it looks like it actually is something!
Is there any way I can get the customized de h8324 Image or knows how I could get it?
If you can find it somewhere...
You may download H8324_Customized FR_1313-2469_52.1.A.0.618_R2C.zip and skip flashing oem*.sin if you are running a Customized DE android 10 fw already.
I can upload following versions:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
Can I flash a oem from a newer android 10 version?
j4nn said:
@ahzam, hey, this is a temp root, so it is obvious you lose it with reboot.
Normally only adb shell is provided with an exploit. I have implemented a working start of magisk from the exploit including asking for su permission from apps.
That allows great use of the temp root vs plain temp root shell.
Not only that, you may backup locked TA for eventual restore of drm keys.
You can permanently modify oem partition for debloat or ims support.
Or you can use backup apps that require root.
Or iptables based firewall is great too you know.
There may be many other working use cases, like ads removal, if implemented properly (system less-ly), not tested though.
Do you think that's little use? If someone is not allowed to BL unlock (or does not want to) it looks like it actually is something!
Thank you @j4nn, looking for some more information: is there a way to run these scripts on the phone directly? I started using the firewall, but I had to connect to ADB to regain root.
I have been using some banking applications which do not work after detecting root, and that happens with this temp-root as well. Is there a way to hide the root from these apps? I tried to install rootcloak, but that didn't work. And the final question I have is how do I move an application (Android Firewall, for example) to a permanent app with root access, if there is a way to do so.
I appreciate your help!!
@ahzam, that's right, the exploit needs to be run from adb. It would need to be extended to allow privilege escalation from an untrusted app context, i.e. to run it from a normal app / terminal emulator on the phone without use of adb. As it is temproot, you need to start it after each reboot.
Cannot help you with hiding, did not test that.
But I would assume magiskhide could eventually work. If it did not for some app, it may help to restart (and erase the data of) such an app. Because magisk is started late from the exploit instead of during boot, some modules may get started too late and therefore look like they are not working - restarting the involved apps/services could help.
When an app asks for root, there is an option if it should be allowed once or permanently. Just select what you need. If you want to change that decision later, you can do that in magisk manager.
magiskpolicy is inaccessible or not found
Hi @j4nn! Thanks for giving me hope using my old H8324 XZ2c dual in a new way with temp root!
I followed your instructions and all worked so far. But now I'm stuck at the point where I want to activate temp root and start magisk.
The command "./tama-mroot" works as expected, but at the next step "./magisk-start.sh -1" I always get the error that magiskpolicy is inaccessible or not found.
Code:
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found
Maybe it's easy to solve or I am doing something wrong, but I'm a newbie at this and don't find a mistake.
Do you have an idea what's the problem?
Thanks in advance for your answer!
Also thanks @ferluna18 for the perfect guide to downgrade my XZ2c with locked bootloader to a FW that works with the temp root.
@Dom195, have you run the prepare step, with the unzip and magisk-setup.sh? That should make magiskpolicy available.
@j4nn Yes, I did it.
But when I typed "chmod 755 tama-mroot magisk-setup.sh magisk-start.sh" in the adb shell I got no reaction. Unfortunately my skills are far too low to understand what this command exactly is for. But in another comment I saw in the code that there also was no reaction. Therefore I didn't see a problem with that. I looked at it once again, compared it with my cmd, and on my phone it doesn't seem to unzip the magisk-v20.4.zip file.
I just did it again. Do you see any mistake here?
Code:
D:\Downloads>adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp
tama-mroot.zip: 1 file pushed, 0 skipped. 0.3 MB/s (21355 bytes in 0.064s)
Magisk-v20.4.zip: 1 file pushed, 0 ski...d. 24.9 MB/s (5942417 bytes in 0.228s)
2 files pushed, 0 skipped. 18.2 MB/s (5963772 bytes in 0.313s)
D:\Downloads>adb shell
H8324:/ $ cd /data/local/tmp
H8324:/data/local/tmp $ unzip tama-mroot.zip
Archive: tama-mroot.zip
replace magisk-start.sh? [y]es, [n]o, [A]ll, [N]one: y
inflating: magisk-start.sh
replace magisk-setup.sh? [y]es, [n]o, [A]ll, [N]one: y
inflating: magisk-setup.sh
replace tama-mroot? [y]es, [n]o, [A]ll, [N]one: y
inflating: tama-mroot
H8324:/data/local/tmp $ chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
H8324:/data/local/tmp $ ./magisk-setup.sh
+ '[' '' '=' --cleanup ']'
+ ZIPFILE=Magisk-v20.4.zip
+ '[' ! -d magisk ']'
H8324:/data/local/tmp $ ls
Magisk-v20.4.zip magisk-setup.sh magisk-v20.4.zip tama-mroot
magisk magisk-start.sh magiskpolicy tama-mroot.zip
H8324:/data/local/tmp $
Thanks in advance!
@Dom195, it looks ok, so continue with next steps...
@j4nn: I continued and again got the info that magiskpolicy is inaccessible or not found when using the command "./magisk-start.sh -1". See attached:
Code:
D:\Downloads>adb devices
List of devices attached
BH900A5ZBZ device
D:\Downloads>adb shell
H8324:/ $ cd data/local/tmp
H8324:/data/local/tmp $ ls
Magisk-v20.4.zip magisk-setup.sh magisk-v20.4.zip tama-mroot
magisk magisk-start.sh magiskpolicy tama-mroot.zip
H8324:/data/local/tmp $ ./tama-mroot
[+] Detected H8324-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd1a9589f00
[+] file epitem at ffffffd1c9535e80
[+] Reallocating content of 'write8_inode' with controlled data......[DONE]
[+] Overwriting 0xffffffd1a9589f20 with 0xffffffd1c9535ed0...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9a6621ebf8
[+] kernel base: ffffff9a65080000
[+] Reallocating content of 'write8_selinux' with controlled data........[DONE]
[+] Overwriting 0xffffff9a6748f000 with 0x0...[DONE]
[+] init_cred: ffffff9a6722fcd0
[+] memstart_addr: 0xffffffef40000000
[+] First level entry: 13093e003 -> next table at ffffffd1f093e000
[+] Second level entry: 12f2ab003 -> next table at ffffffd1ef2ab000
[+] sysctl_table_root = ffffff9a6725c710
[+] Reallocating content of 'write8_sysctl' with controlled data..............[DONE]
[+] Overwriting 0xffffffd2316ae468 with 0xffffffd1da891000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 30891, kaddr ffffffd20b528900
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 30971, kaddr ffffffd1c5da4e00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 31023, kaddr ffffffd1a16d3180
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd1a9589f20
[+] epitem.prev = ffffffd1a9589fd8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
./magisk-start.sh[33]: ./magiskpolicy: inaccessible or not found
127|root_by_cve-2020-0041:/data/local/tmp #
Do you see an error here which I don't see?
@Dom195, hmm, that's strange, looks good to me.
Could you please try it again, and when you get a root shell after running the exploit, try the following before starting magisk-setup.sh:
Code:
pwd
ls -lZ ./magiskpolicy
ls -lZ ./magisk/magiskinit64
id
id -Z
groups
cat ./magiskpolicy > /dev/null
cat ./magisk/magiskinit64 > /dev/null

Issues with Shell

Hello, I am trying to go into the shell and it says this:
/system/bin/sh: dir: inaccessible or not found
(Xiaomi Redmi note 8 pro)
and it makes the prompt start with 127|
With the newer androids, the shell is harder to use for me. I had a l'il luck by 1st, [ cd /system ], then [ ls -a ]. Without root, /system/bin/sh is useless unless you use toybox or toolbox (won't even getenforce for me). Sometimes, /vendor has usable /bin commands, but often this /vendor/bin is 600 like /system/bin. ADB shell still has its dignity, though, so you can at least list your files. The newer androids w/ system as root, treble roms, etc. changed a lot concerning permissions and such.
