# .629 Root Exploit Development



## jellybellys

Just curious if zergRush works on .629. Can anyone get it to work?

Edit:
It doesn't. Scroll down and read the thread. I'm working on developing my own root exploit.


----------



## Vypor

jellybellys said:


> Just curious if zergRush works on .629. Can anyone get it to work?


I've not tried it but I preserved my root before OTA so I can't really try. I've even installed other new root apps post OTA and they work. Used voodoo root keeper. Not everyone else has the same experience though. Guess I'm lucky.

Sent from my Transformer Prime TF201 using RootzWiki


----------



## jellybellys

Vypor said:


> I've not tried it but I preserved my root before OTA so I can't really try. I've even installed other new root apps post OTA and they work. Used voodoo root keeper. Not everyone else has the same experience though. Guess I'm lucky.
> 
> Sent from my Transformer Prime TF201 using RootzWiki


Guess that means that .629 does not remove the su binary, so if zergRush did work then that would be a working root method.


----------



## sjwoodard

zergRush gives the following output.



Code:

```
$ chmod 755 /data/local/zergRush
$ /data/local/zergRush
[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.
[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.
[+] Found a GingerBread ! 0x00000118
[*] Scooting ...
[*] Sending 149 zerglings ...
[*] Sending 189 zerglings ...
[-] Hellions with BLUE flames !
```

Here's where it's breaking down.



Code:

```c
uint32_t buffsz = 0;
uint32_t allbuffsz[] = {16, 24, 0};

/* Try each candidate buffer size in turn; the list is zero-terminated,
 * so buffsz is left at 0 if checkcrash() never succeeds. */
while (buffsz = allbuffsz[tries]) {
    if (checkcrash()) {
        printf("[+] Zerglings found a way to enter ! 0x%02x\n", buffsz);
        break;
    }
    tries++;
}

/* No size produced the expected crash: this is the "BLUE flames" exit. */
if (!buffsz) {
    printf("[-] Hellions with BLUE flames !\n");
    exit(-1);
}
```

I'm not familiar with crashlog which seems to be where zergRush outputs, but it gives the following.



Code:

```
31179 31181 D dalvikvm: GC_CONCURRENT freed 689K, 57% free 3067K/7111K, external 2357K/2773K, paused 6ms+2ms
```

I'll work more on going over the source tomorrow night.


----------



## jellybellys

What kernel version is .629... just thinking of linux kernel exploits. Maybe we could knock out our own exploit.


----------



## jellybellys

jellybellys said:


> What kernel version is .629... just thinking of linux kernel exploits. Maybe we could knock out our own exploit.


Ok... I think if it's above or equal to 2.6.34 we could use this exploit with a little modification maybe...
http://www.exploit-db.com/exploits/15916/


----------



## jellybellys

Ok I'm thinking this exploit will work... but does anyone know if:
1. The kernel version is 2.6.34 or higher?
2. It includes phonet?
Thanks and hopefully we will have a working root exploit.


----------



## Gasai Yuno

jellybellys said:


> Ok... I think if it's above or equal to 2.6.34 we could use this exploit with a little modification maybe...
> http://www.exploit-d...exploits/15916/


Quoting:


Code:

```
* This exploit is NOT stable:

* * It only works on 32-bit x86 machines
```

Did you magically turn your ARM-powered D2G into an Intel x86-compatible device?


----------



## jellybellys

Gasai Yuno said:


> Quoting:
> 
> 
> Code:
>
> ```
> * This exploit is NOT stable:
>
> * * It only works on 32-bit x86 machines
> ```
> 
> Did you magically turn your ARM-powered D2G into an Intel x86-compatible device?


Oops need to read the comments sometimes 
More googling!
Do you happen to know what kernel version the .629 update is?


----------



## sjwoodard

Gasai Yuno said:


> Quoting:
> 
> 
> Code:
>
> ```
> * This exploit is NOT stable:
>
> * * It only works on 32-bit x86 machines
> ```
> 
> Did you magically turn your ARM-powered D2G into an Intel x86-compatible device?


Such little faith, haha... I actually think a cap_sys_admin exploit might still work with some modification. I'm working on it using another version of the exploit that jelly posted (http://www.exploit-db.com/exploits/15944/), but I don't have much spare time these days. I'll post here if I find anything useful.

Also, the kernel is 2.6.32.9. This may be the stumbling block for using those two root exploits.


----------



## sjwoodard

Well, I'm not sure what I did, but I tried a few exploits and nothing would get su. Then I ran motofail (http://shortfuse.org/?cat=3) and when it first rebooted, my phone went into Clockwork Recovery which I had installed from a previous root. My guess is that a dormant CW can be reactivated with the hijack/logwrapper from a previous bootstrap recovery. I actually didn't change anything related to this though, so I'm a little confused. The downside is that there still seems to be no su. I can't call an adb shell (I don't know if CW even works with adb) and 'fix permissions' doesn't seem to do anything. Sorry, I'm actually not very familiar with CW...

I'm treading very lightly because of the SBF situation, so there's no way I'm going to try flashing anything. But, could somebody else confirm that CW recovery can be launched without re-rooting?


----------



## sjwoodard

Follow up... You wouldn't be able to reactivate a dormant CW recovery without root (stupid me). I honestly can't figure out how it got activated unless I just haven't rebooted my phone since Feb 23 when I last ran bootstrap recovery (that's the timestamp on hijack/logwrapper). I'm not familiar with CW recovery, so I posted a video of what it's doing.


----------



## Vypor

jellybellys said:


> Oops need to read the comments sometimes
> More googling!
> Do you happen to know what kernel version the .629 update is?


Sent from my DROID2 GLOBAL using RootzWiki


----------



## jellybellys

sjwoodard said:


> Such little faith, haha... I actually think a cap_sys_admin exploit might still work with some modification. I'm working on it using another version of the exploit that jelly posted (http://www.exploit-d...exploits/15944/), but I don't have much spare time these days. I'll post here if I find anything useful.
> 
> Also, the kernel is 2.6.32.9. This may be the stumbling block for using those two root exploits.


Can't seem to figure out how to port this exploit to arm eabi. agcc is shooting me errors.


----------



## mystro

http://droidmodderx.com/one-click-root-for-any-motorola-device-running-gb/

Now I know this doesn't work to root our phone, but can someone explain to me why, or whether we could modify it so it could?


----------



## sjwoodard

mystro said:


> http://droidmodderx....ice-running-gb/
> 
> now i know this doesn't work to root our phone, but can someone explain to me why or if we could modify it so it could?


It was just an exploit that Verizon/Motorola knew about and wanted to patch for security reasons. As for modifying it, once an exploit is patched you'd basically have to find a new exploit and write new code. I've been looking at all the known exploits to see if one can be found that hasn't been patched yet, but so far no luck. It's likely up to the hardcore security guys to find the next one.


----------



## sjwoodard

Jellybelly, which version of the arm compiler are you using with agcc? I'm using the ndk-r7b, but it's giving me errors on everything. Should I be using an older version?


----------



## jellybellys

sjwoodard said:


> Jellybelly, which version of the arm compiler are you using with agcc? I'm using the ndk-r7b, but it's giving me errors on everything. Should I be using an older version?


Keep getting this:


Code:

```
/home/jellybellys/googlesource/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/../lib/gcc/arm-eabi/4.4.3/../../../../arm-eabi/bin/ld: cannot find -lc
collect2: ld returned 1 exit status
```

Never used agcc before... maybe I set something up wrong.


----------



## sjwoodard

It's not you, the old agcc doesn't work with the new ndk... I guess they move all the files around every time Android releases an update. Anyways, I found a bash script that works with the newest ndk (r7b)... http://inportb.com/2012/01/08/agcc-bash-make-native-android-c-programs-using-the-ndk/

Stuff like zergRush might still give missing header errors, but I just searched around for what was missing and put it where gcc was looking for it. It's kinda a pain though. I want to go back to the older versions that I'm used to, but I'm thinking if we're looking for new exploits that we should be using the newest tools.


----------



## jellybellys

sjwoodard said:


> It's not you, the old agcc doesn't work with the new ndk... I guess they move all the files around every time Android releases an update. Anyways, I found a bash script that works with the newest ndk (r7b)... http://inportb.com/2...-using-the-ndk/
> 
> Stuff like zergRush might still give missing header errors, but I just searched around for what was missing and put it where gcc was looking for it. It's kinda a pain though. I want to go back to the older versions that I'm used to, but I'm thinking if we're looking for new exploits that we should be using the newest tools.


Darn. Giving me different errors now...


Code:

```
/home/jellybellys/android-ndk/platforms/android-8/arch-arm/usr/lib/crtbegin_dynamic.o: In function `_start':
(.text+0x14): undefined reference to `main'
collect2: ld returned 1 exit status
```


----------



## jellybellys

jellybellys said:


> Darn. Giving me different errors now...
> 
> 
> Code:
>
> ```
> /home/jellybellys/android-ndk/platforms/android-8/arch-arm/usr/lib/crtbegin_dynamic.o: In function `_start':
> (.text+0x14): undefined reference to `main'
> collect2: ld returned 1 exit status
> ```


Nevermind. Got it to work. Anyone want to try this and give me a log output of the errors... I don't actually have a d2g to try it on.
http://jellybeangamer.com/dev/jellyroot


----------



## RShea

jellybellys said:


> Nevermind. Got it to work. Anyone want to try this and give me a log output of the errors... I don't actually have a d2g to try it on.
> http://jellybeangame...m/dev/jellyroot


I have a Droid 2 Global that lost SU and rooting with the last update to .629. I'd like a solution to redo the rooting and am following this discussion. I downloaded this jellyroot on my PC, but more instructions or information is needed. I'd like to help if possible, but obviously do not want to end up bricking the device (like flashing it after the update will now, from all I've read). I'm fairly technical with a computer background, and the first issue with the file is that it has no extension and asks what software you want to use to open it on a PC. If this is designed to be loaded on the phone directly, that is fine, but again I'd like some instructions on how to work with this jellyroot.


----------



## MrB206

Has anyone considered the method Dan used to root the Spectrum? He tricked ADB into running as an emulator, then installed SU. Not sure if that would work here.


----------



## jellybellys

MrB206 said:


> I have a Droid 2 Global that lost SU and rooting with the last update to .629. I'd like a solution to redo the rooting and am following this discussion. I downloaded this jellyroot on my PC, but more instructions or information is needed. I'd like to help if possible, but obviously do not want to end up bricking the device (like flashing it after the update will now, from all I've read). I'm fairly technical with a computer background, and the first issue with the file is that it has no extension and asks what software you want to use to open it on a PC. If this is designed to be loaded on the phone directly, that is fine, but again I'd like some instructions on how to work with this jellyroot.


Theoretically, you could run it just as you would run zergRush.


----------



## sjwoodard

MrB206 said:


> Has anyone considered the method Dan used to root the Spectrum? He tricked ADB into running as an emulator, then installed SU. Not sure if that would work here.


That sounds simple too! I'll check it out tonight.

Also, Jelly, can you post the source? Or, is it a mod of zergRush... If that's the case I'll take your word. I'm just a little nervous without the SBF, so I want to double-check this isn't going to brick anything.


----------



## sjwoodard

RShea said:


> I have a Droid 2 Global that lost SU and rooting with the last update to .629. I'd like a solution to redo the rooting and am following this discussion. I downloaded this jellyroot on my PC, but more instructions or information is needed. I'd like to help if possible, but obviously do not want to end up bricking the device (like flashing it after the update will now, from all I've read). I'm fairly technical with a computer background, and the first issue with the file is that it has no extension and asks what software you want to use to open it on a PC. If this is designed to be loaded on the phone directly, that is fine, but again I'd like some instructions on how to work with this jellyroot.


You have to run the file from inside the Android debug application, called adb. Search Google for "ADB in Windows" to get started (sorry, I don't use Windows that often). Then you can copy the jellyroot to your sdcard. When you're ready to connect to adb, make sure to turn USB debugging on in your D2G's settings and set your phone to "PC Mode". Then when you get adb connected to your phone it should show a dollar sign ($). That means you're now sending commands to your phone. The commands below (hopefully) will move the file from the sdcard to your data folders and set permissions on the file to allow you to run the code (last line).



Code:

```
$ mv /sdcard/jellyroot /data/local/tmp/
$ cd /data/local/tmp
$ chmod 755 jellyroot
$ chmod +x jellyroot
$ ./jellyroot
```

Hope this helps!


----------



## jellybellys

sjwoodard said:


> That sounds simple too! I'll check it out tonight.
> 
> Also, Jelly, can you post the source? Or, is it a mod of zergRush... If that's the case I'll take your word. I'm just a little nervous without the SBF, so I want to double-check this isn't going to brick anything.


The source is actually just a slight mod of this: http://www.vfocus.net/art/20101027/8133.html


----------



## sjwoodard

Jelly, I tried it on an emulator, and it doesn't give any output. Just for good measure zergRush actually works on the emulator (maybe because it already has root). I'm a little nervous to try out a straight Linux exploit. I'm more comfortable working with something that's already worked on Android like the Dan R. LG root. Also, I found this one too which might be interesting: http://jon.oberheide.org/files/levitator.c

RShea, ignore the chmod +x command I wrote earlier, it's not needed on Android. And, be careful going forward... This can brick your phone and there's no telling when or if we'll see an SBF. I'm going to keep testing on emulators first to see if it's stable then start pushing it to the D2G.


----------



## MrB206

I would think the exploit might work on all versions unless adb is patched to not be able to be tricked. In any event, I can give you specifics on the exploit Dan used if you want... he sent it to me when I started deving the Spectrum and wanted to know more about the phone.

Sent from my VS920 4G using Tapatalk


----------



## sjwoodard

MrB206 said:


> I would think the exploit might work on all versions unless adb is patched to not be able to be tricked. In any event, I can give you specifics on the exploit Dan used if you want... he sent it to me when I started deving the Spectrum and wanted to know more about the phone.
> 
> Sent from my VS920 4G using Tapatalk


Yea, that would be great! You can send it however you want and I can pass it along to Jellybellys. So it's an exploit in adb, as in we'd need to recompile adb from source? Or, is it something to compile and run on the phone? I guess I'll wait and see.


----------



## MrB206

I don't think compiling is required. He devised a script that ran the process. I'll send ya the info.

Sent from my VS920 4G using Tapatalk 2 Beta-3


----------



## RShea

sjwoodard said:


> Jelly, I tried it on an emulator, and it doesn't give any output. Just for good measure zergRush actually works on the emulator (maybe because it already has root). I'm a little nervous to try out a straight Linux exploit. I'm more comfortable working with something that's already worked on Android like the Dan R. LG root. Also, I found this one too which might be interesting: http://jon.oberheide...les/levitator.c
> 
> RShea, ignore the chmod +x command I wrote earlier, it's not needed on Android. And, be careful going forward... This can brick your phone and there's no telling when or if we'll see an SBF. I'm going to keep testing on emulators first to see if it's stable then start pushing it to the D2G.


I'm going to hold off then and not be one of the first to try it. As much as I'd like root back on the phone (so Titanium Backup can run again, Droidwall, etc., and mostly because since I lost root my battery usage has gone way up), I can't afford to brick my phone at this point. If this gets tested and is working, or it's known that there's a way to load another ROM that will allow root, then I may again try to get back to being rooted.


----------



## jellybellys

sjwoodard said:


> Yea, that would be great! You can send it however you want and I can pass it along to Jellybellys. So it's an exploit in adb, as in we'd need to recompile adb from source? Or, is it something to compile and run on the phone? I guess I'll wait and see.


http://vulnfactory.org/public/spectrum_root_linux_osx.zip
It's just a shell script... you could try and give it a go.


----------



## sjwoodard

jellybellys said:


> http://vulnfactory.o...t_linux_osx.zip
> It's just a shell script... you could try and give it a go.


It fails on the first line. It's trying to symlink a GPS file that isn't on the D2G. I'm guessing this is how he was able to get r/w permissions in /data/... Also, can somebody explain what the "2>/dev/null" does? I've never seen 2> before.



Code:

```
$adb shell "rm /data/gpscfg/gps_env.conf 2>/dev/null"
$adb shell "ln -s /data /data/gpscfg/gps_env.conf"
```

Then, the phone reboots and gets r/w permission in /system/ by writing this line in.



Code:

```
$adb shell "echo 'ro.kernel.qemu=1' > /data/local.prop"
```

This is an interesting method, but it would've been really easy to patch. It's possible the gpscfg folder is still there, but I can't see it. Maybe we can find somebody that still has root to use root explorer and search for the gps_env.conf? But even if it was there, we wouldn't be any closer to accessing it on unrooted phones, I guess.
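An added defender-side check, not part of sjwoodard's post or of the Spectrum script it quotes: the audit below looks for the artifacts the method above leaves behind on a device (a `/data/local.prop` that sets `ro.kernel.qemu=1`, a symlink at `/data/gpscfg/gps_env.conf`, and an `su` binary). It takes a root prefix so it can run as `sh audit.sh /` through `adb shell` or against a copied-out tree; the function names and the `/system/bin`, `/system/xbin` locations are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Spectrum script): audit a tree laid
# out like an Android filesystem for the artifacts of the local.prop root method
# discussed above. ROOT is a prefix: "/" on a live device, or the path of a
# copied-out tree, so the same functions can be exercised against a fixture.
# Assumes a POSIX sh with test, grep and ls (busybox provides them on-device).

# check_local_prop ROOT
# Returns 1 if ROOT/data/local.prop forces ro.kernel.qemu=1, which makes init
# treat the device as an emulator and leaves adbd running as root on next boot.
check_local_prop() {
    prop="$1/data/local.prop"
    if [ ! -f "$prop" ]; then
        echo "ok: $prop not present"
        return 0
    fi
    # Anchor the key at line start so a commented-out copy does not count.
    if grep -q '^ro\.kernel\.qemu=1' "$prop"; then
        echo "FINDING: $prop sets ro.kernel.qemu=1 (adbd would run as root after reboot)"
        return 1
    fi
    echo "warn: $prop exists but does not set ro.kernel.qemu (review its contents)"
    return 0
}

# check_symlink ROOT PATH
# Returns 1 if ROOT/PATH is a symlink. The quoted Spectrum commands replace a
# GPS config file with a link pointing at /data, so a link here is suspicious.
check_symlink() {
    target="$1$2"
    if [ -L "$target" ]; then
        echo "FINDING: $target is a symlink: $(ls -ld "$target")"
        return 1
    fi
    echo "ok: $target is not a symlink"
    return 0
}

# check_su ROOT
# Returns 1 if an su binary is present in the usual system bin directories
# (these paths are an assumption; adjust for the build being inspected).
check_su() {
    for dir in /system/bin /system/xbin; do
        if [ -e "$1$dir/su" ]; then
            echo "FINDING: su binary present at $1$dir/su"
            return 1
        fi
    done
    echo "ok: no su binary in /system/bin or /system/xbin"
    return 0
}

# audit ROOT
# Runs every check and returns the number of findings (0 means clean).
audit() {
    root="${1:-}"
    findings=0
    check_local_prop "$root" || findings=$((findings + 1))
    check_symlink "$root" /data/gpscfg/gps_env.conf || findings=$((findings + 1))
    check_su "$root" || findings=$((findings + 1))
    echo "audit of '${root:-/}': $findings finding(s)"
    return "$findings"
}

# Run the audit only when a root prefix is given, e.g. `sh audit.sh /` on the
# device (via adb shell) or `sh audit.sh ./pulled-tree` on a workstation.
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

The exit status equals the number of findings, so the script can be chained into a larger device-check pipeline.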


----------



## Gasai Yuno

sjwoodard said:


> Also, can somebody explain what the "2>/dev/null" does? I've never seen 2> before.


If you took your time to learn input/output and standard streams, you would probably know that by default, any process that starts on the console has three file handles associated with it: stdin (file handle 0), stdout (1), stderr (2). In redirection, "<" is "0<", ">" is "1>".

This is, by the way, the very basics of input/output programming.


----------



## jellybellys

If anyone wants to give levitator a go... I made a binary right here: http://jellybeangamer.com/dev/levitator


----------



## jellybellys

Also... yet another way to try and symlink to /data/local.prop and change it to an emulator... you could always try this one:
https://github.com/CunningLogic/TacoRoot


----------



## MrB206

Gasai Yuno said:


> If you took your time to learn input/output and standard streams, you would probably know that by default, any process that starts on the console has three file handles associated with it: stdin (file handle 0), stdout (1), stderr (2). In redirection, "<" is "0<", ">" is "1>".
> 
> This is, by the way, the very basics of input/output programming.


Ya know, people would be far more receptive to your comments if they weren't always so condescending. Not everyone here is a programmer, but your comments push people away from wanting to learn.

Sent from my VS920 4G using Tapatalk 2 Beta-3


----------



## sjwoodard

Gasai Yuno said:


> If you took your time to learn input/output and standard streams, you would probably know that by default, any process that starts on the console has three file handles associated with it: stdin (file handle 0), stdout (1), stderr (2). In redirection, "<" is "0<", ">" is "1>".
> 
> This is, by the way, the very basics of input/output programming.


Sorry about that. I'm just a beginner in over my head... Thanks for the answer though.


----------



## Gasai Yuno

MrB206 said:


> Ya know, people would be far more receptive to your comments if they weren't always so condescending. Not everyone here is a programmer, but your comments push people away from wanting to learn.


Trying to hack up an exploit and not knowing the very _basics_? Looks to me as an exact opposite of wanting to learn, thus, my comment above.


----------



## bikedude880

Gasai Yuno said:


> If you took your time to learn input/output and standard streams, you would probably know that by default, any process that starts on the console has three file handles associated with it: stdin (file handle 0), stdout (1), stderr (2). In redirection, "<" is "0<", ">" is "1>".
> 
> This is, by the way, the very basics of input/output programming.


Quite informative and something I was unaware of. A little snarky, but freaking whatever


----------



## MrB206

Gasai Yuno said:


> Trying to hack up an exploit and not knowing the very _basics_? Looks to me as an exact opposite of wanting to learn, thus, my comment above.


Don't act like that's the first person you've been snarky with. Yea, if someone is a noob, they probably shouldn't post links for apps/progs to run exploits if they're not familiar with programming, but that's no reason to be condescending or disrespectful, when they're clearly going through the steps TO LEARN. I'd like to think most people that post here have a good idea of 'do this at your own risk', though I realize that's not always the case. Point being, there are more polite ways to convey helpful information, which many of us lesser-experienced in the ways of linux/programming will gladly take if not talked to like we're dullards.


----------



## mentalchaos

I wish all working on this good luck.


----------



## sjwoodard

I found a pretty recent telnetd exploit that might be useful. I started a telnet listener on the D2G, and this script is trying to brute force a connection to get root. This looks like it could be used as a remote exploit, so I'm guessing this would've been a top priority to patch, if it even ever existed.

http://www.exploit-db.com/exploits/18280/


----------



## bikedude880

sjwoodard said:


> I found a pretty recent telnetd exploit that might be useful. I started a telnet listener on the D2G, and this script is trying to brute force a connection to get root. This looks like it could be used as a remote exploit, so I'm guessing this would've been a top priority to patch, if it even ever existed.
> 
> http://www.exploit-db.com/exploits/18280/


That would be cool if our devices actually started telnetd... and if it were the real version and not part of busybox.

Good find, but highly unlikely for our device.


----------



## sjwoodard

bikedude880 said:


> That would be cool if our devices actually started telnetd... and if it were the real version and not part of busybox.
> 
> Good find, but highly unlikely for our device.


Ah... I just found telnetd in the bin folder and fired it up. It looked like it was listening, but yea, I could never telnet in.


----------



## jellybellys

Has anyone tried levitator or tacoroot yet?


----------



## sjwoodard

jellybellys said:


> Has anyone tried levitator or tacoroot yet?


Yea, I tried both with no luck.


----------



## Gasai Yuno

To listen on port 23 (default) telnetd must be started as root. To successfully exploit its vulnerabilities, it definitely has to be started as root.


----------



## sjwoodard

Gasai Yuno said:


> To listen on port 23 (default) telnetd must be started as root. To successfully exploit its vulnerabilities, it definitely has to be started as root.


Ah, thanks for the info. It just ran with no output, so I couldn't actually tell. Well, hopefully Jelly will figure something out.

Jelly, I've tried my best to adjust the following exploits to compile under agcc and point to the proper targets for the D2G, but none have worked. In hindsight, some of these were stupid to try...

motofail http://vulnfactory.org/blog/2012/02/11/rooting-the-droid-4-a-failed-bounty-experiment/
psneuter http://wiki.cyanogenmod.com/wiki/Templatesneuter_downgrade
telnetd-encrypt_keyid http://www.exploit-db.com/exploits/18280/
KillingMeSoftly https://github.com/Shabbypenguin/Killing-me-softly/blob/master/KillingMeSoftly.c
tacoroot https://github.com/CunningLogic/TacoRoot/blob/master/tacoroot.sh
half-nelson http://jon.oberheide.org/files/half-nelson.c
mips-execve http://www.exploit-db.com/exploits/18162/
netcat http://www.exploit-db.com/exploits/17194/
dec-alpha http://www.exploit-db.com/exploits/17391/
levitator http://jon.oberheide.org/files/levitator.c
mempodipper http://git.zx2c4.com/CVE-2012-0056/tree/mempodipper.


----------



## somkun

Gasai Yuno said:


> To listen on port 23 (default) telnetd must be started as root. To successfully exploit its vulnerabilities, it definitely has to be started as root.


Is there any way to force it to listen on a different port (like 80) that doesn't require root? Probably a dumb question, but it's always worth a shot... also, if there's somebody willing to point me in the right direction, I'm a 3rd year CS major and want to assist.


----------



## bikedude880

bikedude880 said:


> Is there any way to force it to listen on a different port (like 80) that doesn't require root? Probably a dumb question, but it's always worth a shot... also, if there's somebody willing to point me in the right direction, I'm a 3rd year CS major and want to assist.


Enough said. Our version is NOT the telnet that exploit targets. Fuck, it's most likely not even the same codebase. A third year CS major ought to know this over a CS dropout.


----------



## somkun

my bad, I missed that comment... so I guess there's no way to start it at boot without root... so... would you mind explaining in detail the concept of rooting, so I can know what to be looking for? Are we attempting to get a root password, or do we have to access root commands without a root login? I've played with *nix a bit but I've never hacked before.


----------



## Gasai Yuno

dec-alpha is an architecture. The DEC Alpha CPUs are completely different from the ARM ones used in most Android devices.

MIPS is also a completely different architecture, used for example in Silicon Graphics workstations.

That's just from the names.


----------



## sjwoodard

Gasai Yuno said:


> dec-alpha is an architecture. The DEC Alpha CPUs are completely different from the ARM ones used in most Android devices.
> 
> MIPS is also a completely different architecture, used for example in Silicon Graphics workstations.
> 
> That's just from the names.


I've either earned your trust or you just feel even more sorry for me now, haha. Yea, I realized it was stupid to attempt some of these, but I had all weekend free. I was really trying to comb through to see how all these different exploits work. Again, I'm really new to this side of scripting. All of my other experience is mostly ASP, PHP, etc... Stuff that's really far away from the processor (and much easier to understand). This is really interesting though. It makes me wish I would've studied computer science, and it's helping me at work too with the other programming languages.

Somkun, root access is the ability to run anything we want on any part of the system. There's some ways of going inside a process that already has root access and then pulling out that process's ability to get root and then making that permanent. At least, that's the approach I'm taking. So far, I've just been trying out things other people have already written, but all of the holes they're using have been patched on our device. Now, I'm just trying to use their ideas to start writing my own script, but the fear of bricking my only phone is slowing me down because I've gotta learn line-by-line what all these codes do. I'm mostly depending on people here to tell me what I'm doing wrong!


----------



## bikedude880

I can't risk locking out my production/dev phones for 629 root development. Has anyone tried exploiting the jpeg library? Or find a bug within the browser or motoblur? Buffer exploits are targetable via side-loading an app or finding a "weak" moto app.

Someone correct my mistakes in that statement, if any 

Edit: do you have "USB Debugging" enabled under Settings? Iirc, some exploits target adb and editing build.prop... one click motoroot is an example used on Windows.


----------



## somkun

So, I saw that Droid X got rerooted by making the phone "update" to a Milestone ROM. Would that be at all possible using a D2 ROM? The ROM would only need to boot, iiuc (if I understand correctly), for us to be able to get root, then load a CFW or SBF back. Correct me if I'm wrong.


----------



## sjwoodard

somkun said:


> So, I saw that Droid X got rerooted by making the phone "update" to a Milestone rom, would that be at all possible using a D2 rom? The rom would only need to boot iiuc (if i understand correctly) for us to be able to get root, then load a CFW or SBF back. Correct me if I'm wrong.


I think they used an SBF (not a rom) to reset the phone. That's out of the question now since it's guaranteed to brick your device.


----------



## Gasai Yuno

In the case of the DROID X, the European Milestone X's SBF had compatible keys. It's quite possible that the European Milestone X has had these newer keys since forever.


----------



## jellybellys

Getting a d2g from jonman so I can keep working on this... I even came up with an idea to possibly steal an unlocked bootloader from moto's servers using this method: http://rootzwiki.com/topic/4145-unlock-droid-bionic-bootloader-project/


----------



## Keifla96

jellybellys said:


> Getting a d2g from jonman so I can keep working on this... I even came up with an idea to possibly steal an unlocked bootloader from moto's servers using this method: http://rootzwiki.com...loader-project/


I'm interested in that unlocked boot loader, let me know when you get it. Until then I'll be sitting back watching the pigs fly with their new wings.


----------



## x13thangelx

jellybellys said:


> Getting a d2g from jonman so I can keep working on this... I even came up with an idea to possibly steal an unlocked bootloader from moto's servers using this method: http://rootzwiki.com...loader-project/


Because that's never been tried at all, right?


----------



## jellybellys

x13thangelx said:


> Because thats never been tried at all right?


Haha yeah... I think that the xoom will be the only motorola device ever to have an unlocked bootloader.


----------



## Gasai Yuno

jellybellys said:


> Haha yeah... I think that the xoom will be the only motorola device ever to have an unlocked bootloader.


I thought the DROID had an unlocked bootloader. But I guess you know better.


----------



## mystro

Gasai Yuno said:


> I thought the DROID had an unlocked bootloader. But I guess you know better.


Ssssooo much sass, lol, and ya, I'm fairly confident it has an unlocked bootloader.


----------



## ExodusC

Gasai Yuno said:


> I thought the DROID had an unlocked bootloader. But I guess you know better.


Let's be nice...

I never understood why the Milestone had a locked boot loader, since the trend seems to have reversed and now international phones seem less locked down than US carrier-specific devices, on the average.

Sent from my HP TouchPad via Tapatalk.


----------



## MrB206

mystro said:


> Ssssooo much sass, lol, and ya, I'm fairly confident it has an unlocked bootloader.


It did. I never understood why Moto went from unlocked with the OG Droid to a locked one.

Sent from my VS920 4G


----------



## jellybellys

I never understood Motorola... that's why, if you read my signature, it doesn't say Motorola in there...


----------



## x13thangelx

jellybellys said:


> I never understood Motorola... that's why, if you read my signature, it doesn't say Motorola in there...


One word: quality. My dad's already on his third DINC in half the time I've had my D2G, and I'm harder on my phones than he is.

edit: that does not apply to the replacement ones.... those are just bad.


----------



## Gasai Yuno

I can agree with x13thangelx on this. Got my D2G from eBay in June 2011, no issues whatsoever.


----------



## jellybellys

Gasai Yuno said:


> I can agree with x13thangelx on this. Got my D2G from eBay in June 2011, no issues whatsoever.


Got my Dinc2 in August 2011... no issues whatsoever.
My dad got his d2g in May 2011; it cooked itself within 1 week of operation.


----------



## Chaos2092

Let's cut the company/hardware pissing contest short, really now.


----------



## sjwoodard

Sorry, I haven't done too much work on the D2G .629 root issue. I just got a new ASUS tablet and I'm setting up an XBMC HTPC, which is using my Linux box at the moment. But the phone seemed incredibly slow these past few days, which made me miss root. So, I'm going to pick up exploit testing where I left off (and learning along the way).

Jelly, any luck with your D2G, did you receive it?


----------



## jellybellys

sjwoodard said:


> Sorry, I haven't done too much work on the D2G .629 root issue. I just got a new ASUS tablet and I'm setting up an XBMC HTPC, which is using my Linux box at the moment. But the phone seemed incredibly slow these past few days, which made me miss root. So, I'm going to pick up exploit testing where I left off (and learning along the way).
> 
> Jelly, any luck with your D2G, did you receive it?


Haven't gotten one yet. Jonman is going to lend me his when he's finished up doing some CM9 stuff on it. PMed jungletek, no response yet.


----------



## silver6054

sjwoodard said:


> Sorry, I haven't done too much work on the D2G .629 root issue. I just got a new ASUS tablet and I'm setting up an XBMC HTPC, which is using my Linux box at the moment. But the phone seemed incredibly slow these past few days, which made me miss root. So, I'm going to pick up exploit testing where I left off (and learning along the way).
> 
> Jelly, any luck with your D2G, did you receive it?


Which other models have this issue? Droid X (although there's a fix for that), Droid Pro, Droid X2 and D2G; are there others? I would hope that it is getting close enough to a critical mass for more exploit writers to get interested.


----------



## zyy757

From the DROIDX latest update being rooted, I got this idea and made this sbf file; it's the .608 boot and devtree.

I tested it on a not-for-sale device (with an unlocked bootloader). After I flashed this file, I tried to root the device using the "droid3 root script", and I SUCCEEDED!! (and I think it will root successfully using any root that works on .608)

So now I need someone to help me test it on a normal d2g. Can anyone help? Thanks a lot!
Now I'm working on flashing the .629 boot and devtree back.

Sorry for my bad English

http://db.tt/i0Nr7zUY
Unzip it, you'll get the sbf file

WARNING: DON'T TRY THIS IF YOU ARE NOT SURE WHAT YOU ARE DOING! ! !


----------



## Naesen20

zyy757 said:


> From the DROIDX latest update being rooted, I got this idea and made this sbf file; it's the .608 boot and devtree.
> 
> I tested it on a not-for-sale device (with an unlocked bootloader). After I flashed this file, I tried to root the device using the "droid3 root script", and I SUCCEEDED!! (and I think it will root successfully using any root that works on .608)
> 
> So now I need someone to help me test it on a normal d2g. Can anyone help? Thanks a lot!
> Now I'm working on flashing the .629 boot and devtree back.
> 
> Sorry for my bad English
> 
> http://db.tt/i0Nr7zUY
> Unzip it, you'll get the sbf file
> 
> WARNING: DON'T TRY THIS IF YOU ARE NOT SURE WHAT YOU ARE DOING! ! !


Woah there, slow down: Unlocked bootloader? D2G? How did you pull that one off? I'm pretty sure that's more valuable than the root at this moment.

If I'm understanding you, you are saying that you generated your own sbf, you have unlocked your bootloader, and you have rooted the .629 update.
These three things haven't been seen anywhere to my knowledge before (I thought the sbf was Motorola proprietary software, the bootloader is also locked down tight, and thus you can't flash anything under .629).

I think I'm able to help if you can be a little more clear as to what you're trying to have us do.


----------



## zyy757

Naesen20 said:


> Woah there, slow down: Unlocked bootloader? D2G? How did you pull that one off? I'm pretty sure that's more valuable than the root at this moment.
> 
> If I'm understanding you, you are saying that you generated your own sbf, you have unlocked your bootloader, and you have rooted the .629 update.
> These three things haven't been seen anywhere to my knowledge before (I thought the sbf was Motorola proprietary software, the bootloader is also locked down tight, and thus you can't flash anything under .629).
> 
> I think I'm able to help if you can be a little more clear as to what you're trying to have us do.


I deleted everything except boot and devtree in the .608 sbf.
My device is a not-for-sale device. When I got it, the bootloader wasn't locked, but I didn't know until I flashed the full .608 sbf on .629 and the device wasn't bricked.
Now I want to know whether this way to root works only on my device or on all d2g.

This way is unstable, because I'm still thinking of a way to get and flash the .629 boot and devtree.


----------



## x13thangelx

Naesen20 said:


> Woah there, slow down: Unlocked bootloader? D2G? How did you pull that one off? I'm pretty sure that's more valuable than the root at this moment.
> 
> If I'm understanding you, you are saying that you generated your own sbf, you have unlocked your bootloader, and you have rooted the .629 update.
> These three things haven't been seen anywhere to my knowledge before (I thought the sbf was Motorola proprietary software, the bootloader is also locked down tight, and thus you can't flash anything under .629).
> 
> I think I'm able to help if you can be a little more clear as to what you're trying to have us do.


Droid X, not D2G. There are several "dev" versions floating around with unlocked bootloaders. I've never done it and don't know how, but from what I've heard it's not very hard to make the sbf files.

The reason you can't flash anything below .629 is because the keys on /boot were changed (from my understanding). If that isn't changed, then it should flash no problem. Obviously do it at your own risk though.


----------



## zyy757

x13thangelx said:


> Droid X, not D2G. There are several "dev" versions floating around with unlocked bootloaders. I've never done it and don't know how, but from what I've heard it's not very hard to make the sbf files.
> 
> The reason you can't flash anything below .629 is because the keys on /boot were changed (from my understanding). If that isn't changed, then it should flash no problem. Obviously do it at your own risk though.


Remember many d2g bricked after downgrade? I think that's saying the keys in the old sbf still work.


----------



## masterchung7

Stupid idea, but technically, if you can edit the sbf file, would it be possible to edit the files so that you sbf directly to ICS?

Sent from my DROIDX using RootzWiki


----------



## x13thangelx

zyy757 said:


> Remember many d2g bricked after downgrade? I think that's saying the keys in the old sbf still work.


It's along the lines of: if you're not overwriting the boot stuff with an older version, then you shouldn't brick.


----------



## zyy757

x13thangelx said:


> It's along the lines of: if you're not overwriting the boot stuff with an older version, then you shouldn't brick.


But when I flashed the .608 boot and devtree, my device was still working fine; I used it for 1 day.


----------



## sjwoodard

zyy757 said:


> But when I flashed the .608 boot and devtree, my device was still working fine; I used it for 1 day.


It would be hard to predict the normal outcome since you have an unlocked bootloader.


----------



## eddly

Hello, has anyone found a way to fix a bricked d2g from a failed downgrade from .628 to .608?


----------



## possnfiffer

bump*


----------



## zyy757

sjwoodard said:


> It would be hard to predict the normal outcome since you have an unlocked bootloader.


Oh... That's sad news.


----------



## trter10

Can someone pull the init, /system and /data?


----------



## silver6054

Interestingly, it looks like the update to the Droid Pro, while blocking root exploits, didn't prevent SBFing to the earlier versions,

e.g. post 62 on http://www.droidforums.net/forum/motorola-droid-pro/202625-stock-update-7.html

Doesn't help us of course, but strange that the other phone marketed for business didn't get "fixed".


----------



## themib

Maybe a hardware issue that they couldn't fix, whatever they are trying to do.

Sent from my DROID X2 using RootzWiki


----------



## zyy757

trter10 said:


> Can someone pull the init, /system and /data?


I got /system, cdt, boot, recovery
http://db.tt/URcDwNYE

from a rooted non-secure device with some script mods, but I forget where I modded... build.prop & pppril.conf I guess


----------



## Huskerwebhead

Anything new on this effort? I finally got my wife talked in to rooting her phone, unfortunately, it's the D2 Global running .629.


----------



## Gasai Yuno

Not needed due to http://rootzwiki.com/topic/23207-how-to-sbf-unbricking-root-d2g-629/


----------



## Seb559

Ok, if it's not too much, can someone make a one-click program? And how come I can root a Droid Bionic and not my Droid 2??? Aren't they the same version and all that? Plz reply.


----------



## Gasai Yuno

It's near impossible to “make one click program” in this case.


----------



## Seb559

Gasai Yuno said:


> It's near impossible to "make one click program" in this case.


Ok, but like I said, why can the Droid Bionic be rooted but not the Droid 2?


----------



## jellybellys

These are two completely different cell phones. The same exploits that may work on the bionic may not work on the d2g.

Sent from my Galaxy Nexus using RootzWiki


----------



## nomad5133

Seb559 said:


> Ok, but like I said, why can the Droid Bionic be rooted but not the Droid 2?


And the Droid 2 got an update (.621) that I have yet to see rooted.

Follow this thread if you want to stay up to date with the process of rooting the .621 update:

http://rootzwiki.com/topic/24396-creating-a-droid-2-unbricking-method/


----------

