# Lets root this thing



## TekMason (Oct 14, 2011)

A big thanks to the mods at RootzWiki for creating this forum. I hope this will become the preferred home for all TPT rooting efforts.

There are a lot of TPT owners (most from thinkpadtabletforums.com) that are very eager to get root. Unfortunately the majority of them, myself included, are relatively new to advanced root exploit methods. However our resolve and commitment to accomplishing our goal should not be underestimated.

If any there are any uber-rooters out there can point us noobs in the right direction and/or lend us a hand please speak up. In the meantime I am going to try to get some advanced rooters who have shown and interest on-board and on this forum.

Thanks,
TekMason

PS As a token of my appreciation to RootWiki I will be ponying up a few bucks for a Supporting members subscription package. I would urge that all of you TPT owners that want to root your tab do the same.


----------



## xrs (Jul 12, 2011)

i <3 rootzwiki for making this forum since xda was being such haters. and any devs willing to point us in the right direction im willing to try to the best of my noob abilities. lets root!


----------



## XGP15A2 (Oct 16, 2011)

Yeah!


----------



## xrs (Jul 12, 2011)

has anyone tried http://forum.xda-developers.com/showthread.php?t=941445? im gonna give it a try i think when i get adb working, according to lenovo forums they get some way there but still cant access all. ill see what my n00b self can do!


----------



## TekMason (Oct 14, 2011)

I've got adb running to my TPT. based losely on the instructions at http://knowledge.lapasa.net/. I've been meaning to write a step by step how-to on getting adb running against the TPT but just haven't gotten around to it yet.


----------



## xrs (Jul 12, 2011)

ya ive already read how to do it just havent gotten around to installing sdk and adb yet. any news from jfuelner and that cyanogen dev about root progress? havent been on the chat channel in a few days. just an fyi theres a channel on freenode called #thinkpad-root for those looking to help.


----------



## TekMason (Oct 14, 2011)

I think you mean #thinkpad-android
There doesn't appear to be a channel called #thinkpad-root


----------



## opnsrcaddict (Oct 17, 2011)

XRS,

The process you linked to does not work on our tablets. We are unable to remount the filesystem to allow us to copy the files onto /system/.


----------



## TekMason (Oct 14, 2011)

This is the mesage:



> C:\>adb remount
> remount failed: Operation not permitted


----------



## XGP15A2 (Oct 16, 2011)

xrs said:


> has anyone tried http://forum.xda-developers.com/showthread.php?t=941445? im gonna give it a try i think when i get adb working, according to lenovo forums they get some way there but still cant access all. ill see what my n00b self can do!


I've tried it. Couldn't get the /system to get out of "read only".


----------



## xrs (Jul 12, 2011)

yes i did mean #thinkpad-android sorry for confusion i just titled mine as root so thats what i remembered. So that method didnt work... devs!!! we ned your guidance!


----------



## TekMason (Oct 14, 2011)

I have been doing some research into what might work on the TPT. I'll create a separate thread for each method. If you get a chance to try them out on the TPT please post to the specific thread your results.
-Z4Root
-SuperOneClick
-Gingerbreak
-Universal Androot

I know it's a long shot but some of us noobs might just learn something by trying them.


----------



## x3rr15 (Oct 10, 2011)

I've tried all of those methods, Tek.

-Z4Root
Crashes while trying to get access to the shell

-SuperOneClick
Doesn't have the right adb driver initially
I modified a driver from lenovo's website as per this post - http://forums.lenovo.com/t5/ThinkPa...ess-Signature-Verification/td-p/550427/page/3 and this post - http://knowledge.lapasa.net/?p=190 
This allows SuperOneClick to get to step 6 but it froze then
I then disabled USB Debugging and it got to step 7 
but it then failed and crashed when trying to mount /System/ for RW access

-GingerBreak
Doesn't appear to do anything useful, it just hangs.

-Universal AndRoot
Comes up with error "Failed! No ~~~Fu Goo ~~~"

Will Post detailed results and logs where possible in specific threads


----------



## TekMason (Oct 14, 2011)

Thanks x3rr15. That will save the rest of us from wasting out time on them.

Hopefully the detailed results and logs you post will give the uber-rooters some ideas. Maybe a few modifications to one of those methond will make it work on the TPT (as was done with Gingerbreak for the Iconia).


----------



## x3rr15 (Oct 10, 2011)

No worries!

Yeah, lets hope so! I haven't had very much experience with this stuff but I've trying everything I can think of!

I will be posting adb logcat results for each app shortly.

Just working on collecting that information now!


----------



## xrs (Jul 12, 2011)

our general problem here is accessing the system folder. i think thats where everything is failing, seems to be read only and locked down quite hard. im hoping lenovo gives us an option to get a stripped down ICS release and have root much more easily obtainable. wishful thinking i know, and even if so i dont see it happening for a good amount of time


----------



## TekMason (Oct 14, 2011)

Great work guys. Validation is always good.
I think I may try a few just to get some experience.

If you find any other programs/methods post a new thread on them for testing results.

TekMason


----------



## xrs (Jul 12, 2011)

busted tek lol


----------



## dsw1ft (Oct 19, 2011)

Have there been any other tablets that have been secured like the TPT. I've too have been unable to remount. I tired to flash into the recovery, but it needs to be signed.

Is there a way to fake a signature on the update.zip?


----------



## TekMason (Oct 14, 2011)

I doubt it would be possible to fake a signature/encryption key.

Not sure how it has been done on other devices but I'm thinking that we need a Shellcode type of exploit that will escalate privileges so that we can change the permissions on the system folde and install su.


----------



## xrs (Jul 12, 2011)

thats probably what we're gonna have to wait for, we're gonna need some developer help on this one. is there a proper thread we can post requesting developer help?


----------



## b16 (Jun 6, 2011)

Let me see fi I can reach out to anyone for this


----------



## xrs (Jul 12, 2011)

thank you b16


----------



## Silrocco (Oct 22, 2011)

I've tried everything that I know about rooting on my TPT. I've rooted for some time now...G1, myTouch, Galaxy S, Nook and current my Nexus S. With out a Fastboot Protocol I can't flash a boot.img. Unless some dev out there knows of a method to flash an img
with out fastboot.


----------



## TekMason (Oct 14, 2011)

b16 said:


> Let me see fi I can reach out to anyone for this


Are bounties or donations for a specific causes encouraged at RW?
I'm sure we could raise a few bucks to offset the costs of a TPT if it is allowed here.
TekMason


----------



## xrs (Jul 12, 2011)

something formal like a paypal fund would be cool


----------



## djmwj (Oct 21, 2011)

* Silrocco :*

if you can make a boot.img system.img and recover.img ... It can be readily flashed with NVFLASH.... and the SBK keys.... see my post entitled Bootloader please....

I can't figure out the what base to use for the boot.img (when using mkbootimg)


----------



## djmwj (Oct 21, 2011)

if we can build those files it will flash.

I have flashed several different system.img and boot.img now but i don't have the right setup ... please see bootloader post

Thanks


----------



## yggdrsil (Oct 22, 2011)

DJMWJ please stop spreading the rumors that your keys for nvflash work. they don't.
I have tried it, and they are not the same keys as for the ideapad.
If I am wrong please let me know but I sure don't think I am.
So for now we need a (imho) a straight up exploit to gain write access to the recovery partition and rewrite our new recovery image.
My power button broke and I had to send my tablet in so I wasn't following the threads.....


----------



## djmwj (Oct 21, 2011)

No they do not work. II have stated quite clearly it is for the ideapad not thinkpad. I am not spreading rumors that they do work. I have put the info up to show how the ideapad works, as it will likely be very similar as the thinkpad


----------



## yggdrsil (Oct 22, 2011)

my thinkpadmwas running soncrappy that when i got it back from the repair shop i performed a factory reset.
its running much better now, but one of the things i noticed is that after it boots the first time it runs an app installer process and installs some bloat. me and nipqer think this might be able to be hijacked aand used to install su ... it may run with root privs, i have a busy week so i wont be wiping mine for a whille but if anyone else wants to play with it i think it might be worth a shot.


----------



## chrisnk1 (Nov 15, 2011)

my k1 says" booting recovery kernel image", and never a thing more. all this from its first update. thanks lenovabrick. hehe
I have been following every web article that has anything to do with unbricking my brand new k1, and havent seen anyone "show" any proof they gained root or got the key from some chinese dev key leak.....
.
IS IT POSSIBLE TO PUSH THE STOCK OTA BACK ONTO THE TBT AND IF SO HOW? NVFLASH, sdk tools? adb?

I started college for an IT degree just to learn how to root my EVO. Im enjoying learning everything insofar except this k1 has me very frustrated. Ands its my 5 year old sons bday gift...happy birthday son! heres a cool paperweight. with keyboard dock. enjoy


----------



## chrisnk1 (Nov 15, 2011)

yggdrsil said:


> my thinkpadmwas running soncrappy that when i got it back from the repair shop i performed a factory reset.
> its running much better now, but one of the things i noticed is that after it boots the first time it runs an app installer process and installs some bloat. me and nipqer think this might be able to be hijacked aand used to install su ... it may run with root privs, i have a busy week so i wont be wiping mine for a whille but if anyone else wants to play with it i think it might be worth a shot.


Mine is available for "PLAY" just get at me and well figure it out. Ill load ice cream sandwich if you like...is that possible? didnt i just see the source code released by google for it?

sorry if this post is misplaced but It pertains to me and to you. You fix/mod them. I want to be your student. I want to develope android soon. and i am learning from all of you and for that I thank you!

esspecially if your 17 and a dev. You kids have a bright future. you just need to make it untill your 25. then you have succeeded.lol


----------



## Blanco954 (Jun 23, 2011)

chrisnk1 said:


> Mine is available for "PLAY" just get at me and well figure it out. Ill load ice cream sandwich if you like...is that possible? didnt i just see the source code released by google for it?
> 
> sorry if this post is misplaced but It pertains to me and to you. You fix/mod them. I want to be your student. I want to develope android soon. and i am learning from all of you and for that I thank you!
> 
> esspecially if your 17 and a dev. You kids have a bright future. you just need to make it untill your 25. then you have succeeded.lol


LoL are you serious! How r u going to load ICS?? This tablet is locked down, the users here are exploring a way to root. If you want to donate you TPT to the cause that's very commendable. But I have to say your post is way out there bud. Looks like you didn't bother to read or your having problems following this thread.


----------



## MadKat (Nov 3, 2011)

yggdrsil said:


> my thinkpadmwas running soncrappy that when i got it back from the repair shop i performed a factory reset.
> its running much better now, but one of the things i noticed is that after it boots the first time it runs an app installer process and installs some bloat. me and nipqer think this might be able to be hijacked aand used to install su ... it may run with root privs, i have a busy week so i wont be wiping mine for a whille but if anyone else wants to play with it i think it might be worth a shot.


I factory reset mine a couple times last week for strange issues with the stock background image (the one with the hand holding the stylus) constantly reappearing as my background for no reason and was wondering similar things, at the very least it would be nice to be able to kill that process somehow so we can at least end up with a hopefully vanilla rom at that point. I also had questions about the built in lenovo mobility manager suite which i believe also has root access to the device but i havent been able to get ahold of the PC side of the mobility manager software because it will only run on a server with windows 2003 or 2008 installed but as this is lenovo's corporate option for remote administrating the tablets i am very interested to know what type of functionality is included and if there may be some way to exploit that software to help us gain root.

Also for anyone interested i have the 32gb wifi only model and both the dock and keyboard folio and am more than willing to try random stuff with them to help get it rooted or whatever. I have also cracked mine open a few times to try a few older 3g cards with no luck so far.


----------



## photonmedia (Nov 8, 2011)

yggdrsil said:


> my thinkpadmwas running soncrappy that when i got it back from the repair shop i performed a factory reset.
> its running much better now, but one of the things i noticed is that after it boots the first time it runs an app installer process and installs some bloat. me and nipqer think this might be able to be hijacked aand used to install su ... it may run with root privs, i have a busy week so i wont be wiping mine for a whille but if anyone else wants to play with it i think it might be worth a shot.


Looking in /system/app, I wonder if it's either the PreInstall.apk or OneTimeInitializer.apk. Neither of those are familiar to me from my other Android devices but then again, this is the only one I have that is honeycomb...


----------



## f47h3r (Nov 17, 2011)

photonmedia said:


> Looking in /system/app, I wonder if it's either the PreInstall.apk or OneTimeInitializer.apk. Neither of those are familiar tox me from my other Android devices but then again, this is the only one I have that is honeycomb...


few things ive noticed... there are 3 programs in the /system/bin folder that run as suid root ... netcfg, ping, and run-as

i might spend some time doing code analysis on them.


----------



## obscure.detour (Nov 2, 2011)

I like the way this thread is going. I'll also reach out and ask about those processes running on cold boot. If there is anything I can try that will help any of you, just let me know.

Cheers.


----------



## der_markus (Nov 19, 2011)

f47h3r said:


> few things ive noticed... there are 3 programs in the /system/bin folder that run as suid root ... netcfg, ping, and run-as


But we don't have write acccess to modify these files, do we?

Cheers.


----------



## MadKat (Nov 3, 2011)

Ok so i did a bit of screwing around with mine, the 1st run installer is preinstall.apk, and installs a the apps in the following list in order. I believe most if not all of these apps are removable from the tablet so i dont think the installer has root but if you dont care for these apps or would rather install them yourself just hit the reset button the moment the installer starts and then ive been booting into the recovery and clearing the cache just to make sure, done it like 3-4 times now and havent noticed any issues and the installer has never re-launched. Gonna start looking into setting up a server to test the lenovo mobility manager software next.

Preinstall.apk app list (sorry for any spelling errors)

oovoo
netflix
acrsoft music server
music
mcafee security
printshare
drm player
mspot movies
hw spades
hw solitaire
slacker
gallery
hw hearts
hw euchre
ebuddy
ereader
hw backgammon
mspot music
amazon mp3
zs provider
zinio
video player
media byte service
poketalk
kindle
faceservice
citrix receiver
arcsync
angry birds hd
accuweather
absolute


----------



## ZebCrs (Oct 24, 2011)

Is there any info in the new Razorclaw hack that can be useful ?
https://github.com/androidroot/razorclaw


----------



## f47h3r (Nov 17, 2011)

ZebCrs said:


> Is there any info in the new Razorclaw hack that can be useful ?
> https://github.com/a...droot/razorclaw


Glancing though the code this is interesting, but the exploit itself is utilizes Asus's asus-backup program. It does raise the interest of using lenovo software such as mobility manager to install a root program.


----------



## yggdrsil (Oct 22, 2011)

Gona try to mod out the zergrush...
if it works ill post, if not im going back to being drunk.


----------



## ker2gsr (Jul 26, 2011)

yggdrsil said:


> Gona try to mod out the zergrush...
> if it works ill post, if not im going back to being drunk.


Good luck on both

Sent from my DROIDX using Tapatalk


----------



## ZebCrs (Oct 24, 2011)

If we can't do this by "pure" software we have to look at the CPU boot options. The Tegra 2 chipset has more than one way to boot up. It can be internal flash but there is also an option to boot from external SD-card- (U-boot)
We also have Jtag options but I am not sure how that works when the bootloader is password protected. If anyone here has a RIFF BOX account. I might get me one if my christmas bonus is good 
Schematics for this unit would also be good.
I am pulling some friends to get the Tegra 2 datasheets.
Does anyone know the CPU version on this device ( so I do not need to open mine  ) Scans of the MB would help good as well.


----------



## Koshu (Nov 27, 2011)

Some Pics of the TPT insides are here -> http://forums.lenovo...IDE/td-p/545681
They are not in high quality and i can't see an IC big enough to be the tegra, but maybe it helps.


----------



## obscure.detour (Nov 2, 2011)

ZebCrs said:


> If we can't do this by "pure" software we have to look at the CPU boot options. The Tegra 2 chipset has more than one way to boot up. It can be internal flash but there is also an option to boot from external SD-card- (U-boot)
> We also have Jtag options but I am not sure how that works when the bootloader is password protected. If anyone here has a RIFF BOX account. I might get me one if my christmas bonus is good
> Schematics for this unit would also be good.
> I am pulling some friends to get the Tegra 2 datasheets.
> Does anyone know the CPU version on this device ( so I do not need to open mine  ) Scans of the MB would help good as well.


I dunno if this will help but I found this on the Lenovo Forums.

Hardware Manual

I haven't looked through it extensively but it might have what you're looking for.

Skimmed and doesn't look like it offers much, other than how to take apart the device and replacing various components.


----------



## ahkit (Nov 28, 2011)

im not sure if this help.. there is a pictures of the tegra 2 chip on one of the forum. But its from Lenovo Ideapad K1.
Hope they are the same chip version being used

http://www.techrepublic.com/photos/cracking-open-the-lenovo-ideapad-k1/6286020?seq=51

hope it helps


----------



## comet270 (Dec 1, 2011)

I'm poised to buy a TPT. My only reservation is the lack of root. Is there any chance that this thing cannot be rooted? Is there precedent for an Android device maintaining its chastity despite the onslaught? Is there a likely timeframe for this process? (Or am I better off lowering my standards and going with a Toshiba Thrive?)


----------



## JerseyDubbin (Oct 19, 2011)

The non-root for this is holding me back as well. I would want to put CM7 or possible CM9 on it but without root this would be impossible







.


----------



## Blanco954 (Jun 23, 2011)

I hope root happens soon. If root, this tablet will perform tasks better and get updates that have taken other similar hardware to the next level. I enjoy my TPT. Does all I need in my daily meetings at work. What stands out for me is the digitizing pen. Everyone that I show what I can do on my TPT are impressed. Looks like the folks at XDA have jumped on the bandwagon so this combined force and knowledgeable developers will crack this nut and claim the bounty.


----------



## yirsung (Oct 20, 2011)

TekMason said:


> This is the mesage:


Did you try this???

http://forum.xda-developers.com/showthread.php?t=685146


----------



## commando_jim (Jan 11, 2012)

Has anyone tried the Nachoroot utility on the TPT? ( http://www.androidpolice.com/2012/01/04/exclusive-nachoroot-brings-root-access-to-the-transformer-prime-even-with-the-newest-firmware/ )

Apparently this works for all versions of the ASUS transformer which have similar hardware, but probably a different HW encryption key. I don't have ADB setup or a windows machine to easily try it on, but if no one can give this a try I may be able to wrangle something.

Cheers


----------



## commando_jim (Jan 11, 2012)

Another exploit from the transformer Dev's: http://forum.xda-developers.com/showthread.php?t=1439429
this one is supposed to be good for the ICS on the transformer. Again, I'm kind of a noob at this, so I have no idea if these are exploiting ASUS specific holes or if they will work on the TPT


----------



## yirsung (Oct 20, 2011)

commando_jim said:


> Has anyone tried the Nachoroot utility on the TPT? ( http://www.androidpo...ewest-firmware/ )
> 
> Apparently this works for all versions of the ASUS transformer which have similar hardware, but probably a different HW encryption key. I don't have ADB setup or a windows machine to easily try it on, but if no one can give this a try I may be able to wrangle something.
> 
> Cheers


No luck
Said "No such AMI304_CONFIG.INI"


----------



## yirsung (Oct 20, 2011)

commando_jim said:


> Another exploit from the transformer Dev's: http://forum.xda-dev...d.php?t=1439429
> this one is supposed to be good for the ICS on the transformer. Again, I'm kind of a noob at this, so I have no idea if these are exploiting ASUS specific holes or if they will work on the TPT


No luck

Permission denied....


----------



## ker2gsr (Jul 26, 2011)

yirsung said:


> No luck
> 
> Permission denied....


root has been achieved just waiting on verification before its released ....get ya donations ready









Sent from my Galaxy Nexus using Tapatalk


----------



## veryevil (Oct 23, 2011)

Can confirm the root exploit as I am currently running one of the first rooted tablets. Bliss will package it up and release it in a few hours.


----------



## mlin (Jan 21, 2012)

Yay! We have root! Can't wait to get a pure AOSP HC (or possibly ICS) build running on this thing!


----------



## xrs (Jul 12, 2011)

cant believe how easy it was to root this thing.. ^ also cant wait to have a vanilla version of android running on this baby now, would LOVE ics as i have been running it on my phone for a few months and sadly it has made me pretty much stop using my tablet, but that all just changed.. i was seriously debating selling my tablet because i thought root would never be achieved. thanks to all involved


----------



## Blanco954 (Jun 23, 2011)

This is awesome! I almost gave up on this tab getting root. Let the custom ROM's head are way.

Freaking awesome!!!!

Sent from my DROID BIONIC using RootzWiki


----------



## nfjord (May 16, 2012)

Hi everyone,

I also have to root my TPT. According to the discussion in this topic, it seems that it has been achieved. However, I do not find where the steps to do so are explained. Where can I find it please?


----------

