Jump to content

  1. 0
  2. 0
  3. 0/5

Rate this Topic

* * * * *
4 votes

New root method for stock 2.3.4 (621/622) found (Droid2, R2D2)

  • Please log in to reply

OP phifc

phifc

Member

  • 22 posts

Posted 14 July 2012 - 11:18 AM #1

This is for original Droid2 and Droid R2D2. If you have issues booting after root, check the end of this post.

I've been working on root for a few days after having to flash stock 621. I've tested this with my R2D2 running 621.

7/25/2012 - Thanks to beh for putting together an EzSBF cd for this! Just burn, boot from CD and follow the directions. It can flash to the stock 621 update for those that want the stock Gingerbread image, then gives you the option to root if you like. You can also create a bootable USB stick with the iso using http://unetbootin.sourceforge.net/

Droid 2 621 EzSBF with root option
The MD5 is
e50bc7914c4852ca32e9f08f7744c056

The instructions below work, but beh's EzSBF is far superior.

If you want to use CyanogenMod 7.2 after root with this method check this post.

Windows (Easy way)
Install Motorola drivers and RDS Lite if you don't already have them installed.
Get RootDroid2update.7z (md5 sum FCB9D5BC5225894CA66A9729E3FFD1C5), extract folder, run RootDroid2.bat and follow the instructions.
You'll have to flash the phone as part of the process.

Linux (Easy way)
You'll need adb and sbf_flash.
1) Download the RootDroid2update file (md5 sum FCB9D5BC5225894CA66A9729E3FFD1C5), extract it wherever you like.
2) Using adb enter "adb shell ln -s /data/local.prop /data/preinstall_md5/magic.md5"
3) Flash using sbf file in download, wait for full boot.
4) Reboot again.
5) "adb shell" should be root, you can now install the root utils from the zip



Linux (Long way)
What you need: Stock SBF (thanks to droid-developers.org), custom preinstall.img (md5 sum 02A7EB41DF2622974912E8D143295E9F), adb (from android sdk), and sbf_flash

1) Enable USB debugging on your phone and send this adb command:

adb shell ln -s /data/local.prop /data/preinstall_md5/magic.md5

2) Unpack the custom preinstall file, then reboot your phone into flash mode by holding the up arrow on the keypad. Then send the custom SBF file with sbf_flash:
sbf_flash -r --preinstall preinstall.img <stock sbf filename>

(For example, I used 1FF-p2a_droid2_cdma_droid2-user-2.3.4-4.5.1_57_DR4-51-120117-release-keys-signed-Verizon-US.sbf so the command is "sbf_flash -r --preinstall preinstall.img 1FF-p2a_droid2_cdma_droid2-user-2.3.4-4.5.1_57_DR4-51-120117-release-keys-signed-Verizon-US.sbf")

3) Wait for phone to boot after flashing, then reboot again one final time.
4) "adb shell" should give you a root prompt (# instead of $)

5)Send superuser utils from http://androidsu.com/superuser/

adb shell mount -o remount,rw /dev/block/system /system
adb push su /system/bin/su
adb shell chmod 4755 /system/bin/su

adb push Superuser.apk /system/app/Superuser.apk
adb shell chmod 644 /system/app/Superuser.apk
adb shell mount -o remount,ro /dev/block/system /system

Thanks to Dan Rosenberg (djrbliss) and those that helped him research http://vulnfactory.o...ng-the-droid-3/ for ideas :)

Important
If you are having issues booting, you may need to remove the exploit files and clear the cache, as reported by Morlok8k.

Literary almost every other reboot was failing...

so i went into terminal emulator (this could also be done in adb shell, i guess)

i did the following:

su
rm /data/preinstall_md5/magic.md5
rm /system/preinstall/md5/magic.md5
rm /system/preinstall/app/magic


then i went into clockworkmod recovery and cleared the cache. (not data and cache, just cache)

I have rebooted many times since doing the above (i did each one with some reboots in between, just to see which step fixed it), but clearing the cache after removing the hack has seemed to fix my issue.


I don't know how other devices are handling your hack but my Droid 2 Global needed the hack cleaned up to restore stability. It works though! very clever.


Edited by phifc, 02 August 2012 - 04:52 PM.

  • 18 Likes

supercutetom

supercutetom

That guy who's not sexy but thinks he is.

  • 120 posts

Posted 14 July 2012 - 11:41 AM #2

Yo, I just got hard so it doesn't matter if this works or not. If it does I shall achieve climax.

However Linux acts quirky on my laptop due to its integrated graphics card. So I'll have to hold out for a windows fix. Humbug.
  • 1 Likes

OP phifc

phifc

Member

  • 22 posts

Posted 14 July 2012 - 03:37 PM #3

Added Windows files. Any feedback is appreciated!
  • 1 Likes

bikedude880

bikedude880

You can haz Developer Status

Posted 14 July 2012 - 04:24 PM #4

My only question is: what makes that preinstall image special?

Grats!
  • 0 Likes
Click 'Like' or Donate if you've enjoyed my work and snarky sense of humor.

Droid2 Global: Running Android the way it was meant to, free from the bonds of Motorola software.

Got a problem with my responses? Read this: http://www.catb.org/...ions.html#intro

OP phifc

phifc

Member

  • 22 posts

Posted 14 July 2012 - 04:35 PM #5

Well there's an exploit in loadpreinstall.sh. It compares md5 sum files of preinstalled apps and if they're different, copies the md5 to the local cache. The preinstall just has an empty file in app/ so it will parse the md5 for it. Instead of an md5 sum, it contains a local.prop that allows adb root shell. So the system thinks it's copying the md5sum to the cache when it bounces off the symlink and overwrites the /data/local.prop, giving adb root on next reboot. You can modify CG66 without the phone barfing on startup.

Edited by phifc, 14 July 2012 - 04:39 PM.

  • 3 Likes

supercutetom

supercutetom

That guy who's not sexy but thinks he is.

  • 120 posts

Posted 14 July 2012 - 04:43 PM #6

Ok so fuck it I'll give this a whirl. I'm just letting my battery charge up.

Quick question... Flashing .621 over my .622 will work right? Assuming, yes, since Droid 2 SBF's always worked on the R2D2.
  • 0 Likes

bikedude880

bikedude880

You can haz Developer Status

Posted 14 July 2012 - 04:51 PM #7

Well there's an exploit in loadpreinstall.sh. It compares md5 sum files of preinstalled apps and if they're different, copies the md5 to the local cache. The preinstall just has an empty file in app/ so it will parse the md5 for it. Instead of an md5 sum, it contains a local.prop that allows adb root shell. So the system thinks it's copying the md5sum to the cache when it bounces off the symlink and overwrites the /data/local.prop, giving adb root on next reboot. You can modify CG66 without the phone barfing on startup.

What an interesting method... not unlike other root tools, except in how it's delivered. :D
  • 0 Likes
Click 'Like' or Donate if you've enjoyed my work and snarky sense of humor.

Droid2 Global: Running Android the way it was meant to, free from the bonds of Motorola software.

Got a problem with my responses? Read this: http://www.catb.org/...ions.html#intro

OP phifc

phifc

Member

  • 22 posts

Posted 14 July 2012 - 05:35 PM #8

Ok so fuck it I'll give this a whirl. I'm just letting my battery charge up.

Quick question... Flashing .621 over my .622 will work right? Assuming, yes, since Droid 2 SBF's always worked on the R2D2.


I just tried and it worked, other than an error message saying it couldn't load the Best of R2D2. I also use a Droid R2D2 =)
  • 0 Likes

supercutetom

supercutetom

That guy who's not sexy but thinks he is.

  • 120 posts

Posted 14 July 2012 - 05:44 PM #9

Cool cool, I'm almost about to give it a go. Battery is almost done.

Few more questions...
-We can flash ROM's back over this, right? I'm rooting it regardless just to give Moto the finger.
-Should I use the Full Droid 2 SBF first since I have an R2D2 or is using the one mentioned in your little tutorial good?
(I just don't wanna hose my phone)

Edited by supercutetom, 14 July 2012 - 05:55 PM.

  • 0 Likes

slogar25

slogar25

Member

  • 50 posts

Posted 14 July 2012 - 06:03 PM #10

This is awsome!!!!

Sent from my DROID2 using Tapatalk 2
  • 1 Likes