-
After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.
Root All Root Suggestions and tries here
- Thread starter bnb25
- Start date
-
- Tags
- lg spirit 4g
- Status
sammyz
LG Whiz Kid
Stock recovery and Fastboot exist, just no UI for recovery and Fastboot is only accessible when /system is wiped, which requires root. It has been this way since the Optimus M and beyond.
GameTheory
Android Expert
alfick3
Android Expert
The Optimus M only wiped user data and factory reset the phone when we did a reboot into recovery. Also, we weren't able to manually get into fastboot. I only got into it twice, and that was upon a failed recovery flash.
bnb25
Android Expert
bnb25
Android Expert
yeah, that's what i kept getting when i was trying that one root. I wasn't thinking about that, got it now.:thumbup:
isaacj87
Android Expert
Whoa, whoa wait, guys. I totally forgot about this thread and specifically this post: http://androidforums.com/5495890-post1.html
I was wrong before. We do have that Backup application, but Spdfreak34 is correct, we have a newer version. However, I posted the source code for the systembackuptest.apk that the Motion uses to gain root access. If I can decipher the logcat error output that Spdfreak34 posted, I can re-write the systembackuptest.apk and build a new apk that works for us. Hopefully, Spritemobile, the developers behind our backup app, haven't caught on to our naughty ways and patched the holes for good.
So, to clear things up. I'll try:
1) Figuring out why we can't run the Motion's root method (Backup app exploit)
2) Hopefully, re-write the source code to get around the error
3) Build a new apk and use that to gain root access
Judging by the error output, it doesn't seem like Spritemobile patched the vulnerability. It just seems to be a mismatching of UID and service calls. It's possible that this could work. I'll let you guys know if I can get something going once I re-setup my Android development environment.
Once again, here's the source code (in Java) for systembackuptest. If anyone notices something related to the error I linked above, please let me know: http://pastebin.com/Ugd7yfb5
I was wrong before. We do have that Backup application, but Spdfreak34 is correct, we have a newer version. However, I posted the source code for the systembackuptest.apk that the Motion uses to gain root access. If I can decipher the logcat error output that Spdfreak34 posted, I can re-write the systembackuptest.apk and build a new apk that works for us. Hopefully, Spritemobile, the developers behind our backup app, haven't caught on to our naughty ways and patched the holes for good.
So, to clear things up. I'll try:
1) Figuring out why we can't run the Motion's root method (Backup app exploit)
2) Hopefully, re-write the source code to get around the error
3) Build a new apk and use that to gain root access
Judging by the error output, it doesn't seem like Spritemobile patched the vulnerability. It just seems to be a mismatching of UID and service calls. It's possible that this could work. I'll let you guys know if I can get something going once I re-setup my Android development environment.
Once again, here's the source code (in Java) for systembackuptest. If anyone notices something related to the error I linked above, please let me know: http://pastebin.com/Ugd7yfb5
bnb25
Android Expert
if you need someone to use their phone as a guinea pig let me know. that's all I can do, I'm not really familiar with braking down apps and stuff.
bnb25
Android Expert
sammyz
LG Whiz Kid
So that's why he doesn't understand how the LG phones work
I'm just joking
Seriously though, I believe Isaac may be on to something
:thumbup:
isaacj87
Android Expert
No worries! Yeah, that was a loooonng time ago. The Ascend is what got me interested in Android in the beginning!
bnb25
Android Expert
I loved the Ascend
Shabbypenguin
Extreme Android User
@isaac, it's not odd that reboot recovery causes factory reset. Every phone uses that command even when not rooted.
incorrect, all it does is issue a reboot command.
because lg's logic is teh only time you need to be in recovery is when doing a reset. there is a flag set in the misc partition that tells teh phone what needs to be done, each flag having special meaning. a postrecoveryboot.sh is used to ensure that flag gets wiped out (so that on teh optimus m+ and connect/lucid people dont leave cwm getting formatted
youll have root access in none of those modes actually, if you could get fastboot all you could do is flash an img which then would also have to pass the whole bootloader is locked issue.
Like I said, I'm able to drop into the shell and look around the filesystem:
Code:
isaac@isaac-g4:~/Android/o4xr$ sudo ./adb-linux shell
shell@android:/ $unfortunately what most people dont realize is that getting "temp root" is the hard part. keeping root is as easy as copying 3 files over meanwhile finding a vulnerbility and using it to escalate to an exploit is worlds harder.
the problem is at that point it will be running as a user app and not system :/
not saying that will cause it to fial but i dont believe they have the same permissions allowed
sammyz
LG Whiz Kid
adb reboot recovery
???
Always factory resetted any LG phone I've messed with...
Shabbypenguin
Extreme Android User
rigth and as i explained to issac why it does this. that command on any normal android device doesnt. its simply lg's way of screwing with crap because they can
sammyz
LG Whiz Kid
What does it do on normal androids? Just reboot??
isaacj87
Android Expert
Well, that's "non-standardized" behavior. On all phones I've developed on or modified (Motorola Triumph, Huawei Ascend, LG Optimus V, Nexus S), issuing the reboot command with the recovery flag should drop you into recovery (whether it be stock, CWM, etc.)
Kind of makes me wonder how LG expects to update this phone if all the recovery wants to do is wipe all of our data.
sammyz
LG Whiz Kid
Well, that's "non-standardized" behavior. On all phones I've developed on or modified (Motorola Triumph, Huawei Ascend, LG Optimus V, Nexus S), issuing the reboot command with the recovery flag should drop you into recovery (whether it be stock, CWM, etc.)
Kind of makes me wonder how LG expects to update this phone if all the recovery wants to do is wipe all of our data.
Oh trust me, when you get an OTA, it still works. Not Optimus m though, it never did OTAs...
isaacj87
Android Expert
That's not always the case. Drop into shell when in recovery. You'll see you have root access. I only wanted to use fastboot as a means to flash a new (CWM) recovery in order to be able to flash a zip package containing the root stuff.
Temp root is only a means to an end. On the Optimus V, we used SuperOneClick to obtain temp root. This allowed us to flash a new recovery (using flash_image) and then subsequently install the root files via a flashable package. This is what I was hoping to do with the Spirit. That way I can kill 2 birds with 1 stone. Get CWM flashed on the phone and gain root access.
The dummy backuptest apk is installed as a user app. That's the whole point. It doesn't need to be a system app because it's exploiting LG's backup app to be able to add this one line:
Code:
ro.kernel.qemu=1Like I said, I'm sure lots of things changed since I was knee-deep in developing. Admittedly, I never had the (dis)pleasure of dealing with a locked bootloader. The only device I had that had a locked bootloader (Nexus S), Google allowed users to easily unlock it. CM7 (http://androidforums.com/triumph-al...ersion-cm7-triumph-09182011-discontinued.html) and MIUI (http://androidforums.com/triumph-al...-1-11-25-triumph-113011-2-gb-2-3-7-based.html) were the last things I ever worked on, so it's safe to say I have a lot of catching up to do.
isaacj87
Android Expert
But it doesn't mean LG still didn't make things a PITA!
Shabbypenguin
Extreme Android User
i dont have this phone, but if ANY OEM is making you get rooted shell in recovery that would be a huge security concern. if it were possible on lg devices then they would be under a lot of fire from the press (you want proof of this google search "shabbypenguin ZTE backdoor")
the problem is on this device you have signature checking on boot for both kernels. you arent flashing anything to them but the exact stock ones. even then btw superoneclick is just a wrapper, the exploits used vary, its one of teh biggest issues with superoneclick is everyone thinks it does all the rooting yet dont realize all the hard work is done by people they have never heard of.
yes having that line inside local.prop will allow you to have a rooted shell (it makes your phone think its the emulator, which runs as root). is there any way to edit the backups made? and my point is even if you compile it teh program is already installed to system its not like you can remove/replace it.
isaacj87
Android Expert
My understanding is the backuptest app is simply a dummy app that hijacks LG's Backup (made my SpriteMobile) app. It's not looking to replace anything. We're not trying to touch anything in /system, yet. You run the dummy app, it uses LG's backup app to facilitate temp root access, then run a script that simply adb pushes everything into place. Somehow, the dummy app piggybacks the LG backup app to let it open and write into the prop file:
Code:
public void onServiceConnected(ComponentName name, IBinder service) {
svc = ISystemService.Stub.asInterface(service);
try {
ParcelFileDescriptor pfd = svc.setFile("/data/local.prop");
FileDescriptor fd = pfd.getFileDescriptor();
FileOutputStream fos = new FileOutputStream(fd);
fos.write(new String("ro.kernel.qemu=1").getBytes());
fos.close();
} catch (RemoteException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}This bootloader is locked. You'll brick flashing a recovery. We use a bootstrap, 2nd init recovery on the motion.
Key combo boots stock recovery , an app is required to boot into recovery....so if you ever get in a bootloop, stock recovery won't help you much
Thanks for the heads up. I didn't know this...
Looks like there goes our only hope of running overclocked kernels. Why do manufacturers do this...- Status