Root i'll help find a root method if...

From a long time ago:



Is this still the su you use? I notice Impactor specifies it as "# drop SuperSU su to /system/xbin/su"; so I wonder if a Superuser su works as well.

No, I currently use this su file I have seen used on some other Qualcomm-based phones...

Neither my modified method, nor the original one posted by unknownone use the version that Cydia Impactor uses because we are choosing to use our own. I am not even sure what version of su Cydia drops, because I have never had it run successfully on this phone. We do not use that part of Impactor. We just use the telnet exploits to gain access and remount /system as r/w.

Now... SuperSU and Superuser are just the programs that manage what apps can use su... You can uninstall one and install the other without changing the actual su binary file that is installed in /system/xbin... Though you will still need to "Allow" whatever programs you want to have su access, they will both run fine using the same su file. Just do not keep both installed at the same time.

Likewise, you can have either of these programs installed, but if you do not have the su binary in place you will not have root access...

Any of that make sense? or is it clear as mud...
 
Makes sense.

Cool...

Also, time will tell if my method will be more or less stable than unknownone's.

The only testing I have done on my method is that of repeatability... In other words, can I reliably reproduce the root after several fresh boots...

Some apps may like my method better and some his... or they may both be the same... In theory they should be the same... but we will see.
 
I can't get it to work.

Here is what I saw when I tried it (this says attempts 1-3 but there were probably some intervening attempts that I didn't record):

First attempt:

Code:
~ # su
FIX ME! implement ttyname_r() bionic/libc/bionic/stubs.c:466
root@android:/ # exit
~ # mount -o rw,remount /system
~ # mount|grep system
/dev/block/mmcblk0p19 on /system type ext4 (rw,relatime,data=ordered)
~ # cp /sdcard/su /system/xbin/su
cp: can't create '/system/xbin/su': I/O error
~ # touch /system/xbin/foo
touch: /system/xbin/foo: Read-only file system
~ # mount|grep system
/dev/block/mmcblk0p19 on /system type ext4 (ro,relatime,data=ordered)
~ # mount -o rw,remount /system && cp /sdcard/su /system/xbin/su
cp: can't create '/system/xbin/su': Read-only file system
~ # mount|grep system
/dev/block/mmcblk0p19 on /system type ext4 (ro,relatime,data=ordered)
~ # Connection closed by foreign host.

Second attempt:

Code:
~ # su
FIX ME! implement ttyname_r() bionic/libc/bionic/stubs.c:466
root@android:/ # exit
~ # mount -o rw,remount /system && cp /sdcard/su /system/xbin/su && cd /system/xbin && chmod 06755 su && ln -s /system/xbin/su /system/bin/su
cp: can't create '/system/xbin/su': I/O error
~ # mount |grep system
/dev/block/mmcblk0p19 on /system type ext4 (ro,relatime,data=ordered)
~ # mount -o rw,remote /system && mount |grep system
mount: can't read '/etc/fstab': No such file or directory
~ # ls /etc
AudioFilter.csv                      init.qcom.post_boot.sh
BCM4330B1_002.001.032.0518.0520.hcd  init.qcom.post_fs.sh
NOTICE.html.gz                       init.qcom.sdio.sh
OperatorPolicy.xml                   init.qcom.thermald_conf.sh
UserPolicy.xml                       init.qcom.wifi.sh
apns-conf.xml                        init.target.8x25.sh
audio_effects.conf                   init.wlanprop.sh
audio_policy.conf                    loc_parameter.ini
bluetooth                            media_codecs.xml
custom_config                        media_profiles.xml
dbus.conf                            mkshrc
dhcpcd                               pcsuite.iso
event-log-tags                       permissions
fallback_fonts-ja.xml                ppp
fallback_fonts.xml                   qosmgr_rules.xml
firmware                             security
gps.conf                             system_fonts.xml
hosts                                thermal-8x25-evb.conf
init.ath3k.bt.sh                     thermal-8x25-sku7.conf
init.goldfish.sh                     updatecmds
init.qcom.bt.sh                      verify.zip
init.qcom.coex.sh                    voicemail-conf.xml
init.qcom.composition_type.sh        vold.fstab
init.qcom.efs.sync.sh                wifi
init.qcom.fm.sh                      wiperconfig.xml
~ # ls /etc/fstab
ls: /etc/fstab: No such file or directory
~ # mount|grep system
/dev/block/mmcblk0p19 on /system type ext4 (ro,relatime,data=ordered)
~ # mount -o rw,remote /dev/block/mmcblk0p19 /system && mount |grep system
mount: mounting /dev/block/mmcblk0p19 on /system failed: Device or resource busy

Third and subsequent attempts:
Code:
~ # su
FIX ME! implement ttyname_r() bionic/libc/bionic/stubs.c:466
root@android:/ # exit
~ # mount -o rw,remount /system && cp /sdcard/su /system/xbin/su && chmod 06755 /system/xbin/su && ln -s /system/xbin/su /system/bin/su
cp: can't create '/system/xbin/su': Read-only file system

Judging from the
Code:
/dev/block/mmcblk0p19 on /system type ext4 (rw,relatime,data=ordered)
in the output of mount in the first attempt, it does mount as rw for a short time. But it seems like it always remounts as ro shortly thereafter, and I have to reboot the phone to remount rw again. Also, I'm not sure what the I/O error was when attempting to copy su over.
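
Added example, not part of any post in this thread: a shell audit for the two facts the posts above keep checking by hand, whether a setuid su binary is in place under /system (the binary that SuperSU or Superuser only manage) and whether /system is currently mounted rw or ro. It reads both `mount` output formats that appear in the transcripts; the function names and the idea of pointing it at a copied file tree are assumptions, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# ROOT is assumed to be a directory holding a copy of the device's file tree;
# pass "" to inspect the live filesystem from a shell on the device.

# mount_state MOUNTPOINT < mount-output
# Prints rw, ro or unknown. Understands both formats seen in the thread:
#   /dev/block/mmcblk0p19 on /system type ext4 (rw,relatime,data=ordered)
#   /dev/block/mmcblk0p19 /system ext4 rw,relatime,data=ordered 0 0
# If the mount point appears more than once, the last entry wins.
mount_state() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp { opts = $6; gsub(/[()]/, "", opts) }
        $2 == mp               { opts = $4 }
        END {
            state = "unknown"
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "rw" || o[i] == "ro") state = o[i]
            print state
        }'
}

# su_findings ROOT
# Prints "<path> <kind>" for each su path that exists under ROOT:
#   setuid   regular file with the set-user-ID bit (what chmod 06755 produces)
#   inert    regular file without that bit, so it cannot grant root
#   symlink  symbolic link such as /system/bin/su -> /system/xbin/su
su_findings() {
    root=${1%/}
    for p in /system/xbin/su /system/bin/su; do
        f="$root$p"
        if [ -L "$f" ]; then
            echo "$p symlink"
        elif [ -f "$f" ]; then
            if [ -u "$f" ]; then echo "$p setuid"; else echo "$p inert"; fi
        fi
    done
}

# audit ROOT MOUNT_OUTPUT_FILE
# One-line summary: the /system mount state and whether a working su exists.
audit() {
    state=$(mount_state /system < "$2")
    if su_findings "$1" | grep -q ' setuid$'; then
        verdict=setuid
    else
        verdict=none
    fi
    echo "system=$state su=$verdict"
}

# Demo on a constructed tree; the mount lines are copied from the transcripts.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/system/xbin" "$tmp/system/bin"
    : > "$tmp/system/xbin/su"                  # empty stand-in, not a real su
    chmod 6755 "$tmp/system/xbin/su"
    ln -s /system/xbin/su "$tmp/system/bin/su"
    printf '%s\n' \
        'rootfs / rootfs ro,relatime 0 0' \
        '/dev/block/mmcblk0p19 /system ext4 rw,relatime,data=ordered 0 0' \
        > "$tmp/mounts"
    su_findings "$tmp"
    audit "$tmp" "$tmp/mounts"
    rm -rf "$tmp"
}
demo
```

A manager app with no `setuid` line in this output matches the case described earlier in the thread: the app is installed but there is no root access.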
 
Also, I'm not sure what the I/O error was when attempting to copy su over.

I don't know why, but if I run the "mount|grep system" command after remounting, I also get the I/O error. However, if I run down through my steps one at a time, without adding extra commands... or combining commands... it works... at least for me.

However, I have noticed that it does revert to being unrooted after a bit. I am still experimenting...

I am thinking I will try to chown root:shell /system/bin/su, and see if the new owner makes it more or less stable...
 
Hmm. Still no good for me.

Code:
~ # su
FIX ME! implement ttyname_r() bionic/libc/bionic/stubs.c:466
root@android:/ # exit
~ # mount -o rw,remount /system
~ # cp /sdcard/su /system/xbin/su
cp: can't create '/system/xbin/su': Read-only file system
~ # cd system/xbin
/system/xbin # chmod 06755 su
chmod: su: No such file or directory
/system/xbin # ln -s /system/xbin/su /system/bin/su
ln: /system/bin/su: Read-only file system
/system/xbin #
 
Hmm. Still no good for me.

One... Is that after a fresh phone reboot?

Two, what is your current setup? I am currently on Windows 8.1 using the built in telnet... which I had to enable...

Finally, have you tried the original method by unknownone on page 4? If so, what were the results?
 
One... Is that after a fresh phone reboot?

Yes.

Two, what is your current setup? I am currently on Windows 8.1 using the built in telnet... which I had to enable...

Mac OS X 10.9, using built-in telnet.

Finally, have you tried the original method by unknownone on page 4? If so, what were the results?

No, I haven't. I couldn't understand a few of the steps he laid out, so I was waiting for something less ambiguous to come along.
 
OK, I've just tried Unkn0wn's exploit (in a few versions, starting with his exact instructions). I think I have a better understanding of it now. However, it didn't work either.

The first time I ran it, I first logged in to the system telnet (2222) and ran ls and su just to see what would happen; and then logged out and logged into the root telnet (22). I didn't record the results from the system telnet session, but the root session looked like this:

Code:
~ # su
FIX ME! implement ttyname_r() bionic/libc/bionic/stubs.c:466
root@android:/ # cp
sh: cp: not found
127|root@android:/ # mount -o rw,remount /system
root@android:/ # mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p19 /system ext4 rw,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.3/by-num/p22 /data ext4 rw,nosuid,nodev,relatime,noauto_da_alloc,data=ordered 0 0
/dev/block/mmcblk0p10 /persist ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/mmcblk0p21 /cache ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/vold/179:33 /storage/sdcard0 vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:33 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /storage/sdcard0/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
/dev/block/dm-0 /mnt/asec/com.eamobile.tetris_full_azn-1 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
/dev/block/dm-1 /mnt/asec/com.atari.mobile.amazon.greatesthitspro-1 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
/dev/block/dm-2 /mnt/asec/com.mantano.reader.android.lite-1 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
root@android:/ # busybox cp /sdcard/su /system/xbin/su
cp: can't create '/system/xbin/su': Input/output error
1|root@android:/ # cd /system/xbin
root@android:/system/xbin # busybox chmod 06755 su
chmod: su: No such file or directory
1|root@android:/system/xbin # ln -s /system/xbin/su /system/bin/su
link failed Read-only file system

As you can see, /system apparently remounted rw but I later had an input/output error (after running mount to verify the rw).

Subsequent times (after a reboot each time), I also ran the 2222 telnet followed by 22; but I was visibly unable to remount /system at all!

Code:
~ # su
FIX ME! implement ttyname_r() bionic/libc/bionic/stubs.c:466
root@android:/ # mount -o rw,remount /system
mount: Read-only file system

After this point nothing seems to run successfully, since /system is still ro. I tried remounting again, passing the -n option (which bypasses writing to /etc/mtab so you can mount things when even /etc is on a read-only filesystem), but the mount binary doesn't understand -n.

I also notice that Unkn0wn's method specifies that you run mount while still inside the su in the root telnet, but yours says to exit su first. I've tried that both ways as well, in Unkn0wn's exploit.
 
The first time I ran it, I first logged in to the system telnet (2222) and ran ls and su just to see what would happen; and then logged out and logged into the root telnet (22). I didn't record the results from the system telnet session, but the root session looked like this:

Okay, there are 2 things that are very important with his method... And yes, the process runs differently...

1. Do not touch any buttons on the phone until you are 100% done with his steps...

2. This part of his steps must be followed to a T before moving on...

-Run the telnet exploit on system using cydia impactor.
-Log into the system telnet
-Run some commands
-Now run: su (This will produce an interesting error message, saying that we need to be suid even though the binary is not installed)
-Type exit

Note: I found "run some commands" a bit vague...

One thing is certain... If you do not run any commands... it will fail to remount /system as rw later... Do not ask me why, I do not know.

So here is what I do... see steps 3 to 6 for what I do for "commands"

1. Run telnet exploit as system on cydia impactor...
2. Telnet into my phone IP (Telnet 192.168.1.129 2222)
3. Type "ls", then enter.
4. Type "cd system", then enter.
5. Type "cd xbin", then enter.
6. Type "ls", then enter.
7. Type "su", then enter.
8. Type "exit", then enter.

Then move on to the rest of his directions...

1. Run telnet exploit as root cydia impactor...
2. Telnet into my phone IP (Telnet 192.168.1.129 22)
3. Type "su", then enter (get FIX ME error).
4. Type "cp", then enter (will error saying it cannot be found)
5. "mount -o rw,remount /system", then enter.
6. Type "mount", then enter. (make sure /system is rw)
7. Type "busybox cp /sdcard/su /system/xbin/su", then enter.
8. Type "cd /system/xbin", then enter.
9. Type "busybox chmod 06755 su", then enter.
10. Type "ln -s /system/xbin/su /system/bin/su"

That is it...

Install supersu or superuser on phone and make sure it sees binary
You can download root checker and run it; it should report root access.

Hopefully that will help clear up his directions... Not sure if it will help you or not. If you still have issues, it could be that you are on a Mac, and that the telnet client is different. You could try a third-party telnet program to see if your luck changes.

Good luck :)
 
It looks like echristopherson and I are having the same problem. Everything works up to the point of trying to copy su to /system/xbin and I get the same I/O error message. I've tried it a number of times and with two different telnet clients with the same result.

It occurred to me that maybe some settings or apps that are running could make the difference since both mainefungi and Unkn0wn0ne don't seem to be running into the problem. I just turned off all of the google location services and also the sync option (that allows gmail, etc to sync) but that didn't help. It still could be there are other differences in our settings or installed apps. It's difficult for me to think that either a mac or linux machine would make the difference.

Also, I can remount /data to get rid of the nosuid option and can remount / (rootfs) to rw. I've been able to create a new directory /opt under / and put su there. Then, changed the PATH to include /opt. Unfortunately, it wasn't recognized as a proper, rooted installation and disappeared following reboot. Given that a new directory and files can be written under /, it's strange that I can't write to /system.

I don't want to take much of your time on this mainefungi - you've been very helpful by more carefully outlining the steps you took to get root. Don't know if it will help, but if you don't mind checking what services you have running (under manage apps). My phone shows:

- Settings
- Google Services
- Google Services
- Wiper App
- Android keyboard (AOSP)

Any other differences people can think of? Right now, I feel that I'm just wallowing around not making any real progress on this. Thanks for any ideas.
 
I don't want to take much of your time on this mainefungi - you've been very helpful by more carefully outlining the steps you took to get root. Don't know if it will help, but if you don't mind checking what services you have running (under manage apps). My phone shows:

- Settings
- Google Services
- Google Services
- Wiper App
- Android keyboard (AOSP)

Any other differences people can think of? Right now, I feel that I'm just wallowing around not making any real progress on this. Thanks for any ideas.

Sure, I have the following...

Settings
Facebook
Y!Mail
Y!Mail
Google Services
Google Services
Wiper App
Android Keyboard

But, for giggles, I uninstalled Facebook and Yahoo Mail... and both methods still work for me...
 
Still can't copy to /system. Oh well.

It was mentioned before about automating the temp rooting. In doing a little searching, I haven't seen any sources available for cydia-impactor other than a gui interface. Possibly, "expect" could be used in linux to automate the procedure but this wouldn't be convenient. To provide a start in the automation, here's a script that runs telnet and installs su.

Preliminaries:

a. enable USB debugging.
b. place su under /sdcard.
c. push the script described below, installsu.sh, to /data/local/tmp.
d. get root using one of the previously described methods and change permissions of installsu.sh to execute:
~ # chmod 06755 /data/local/tmp/installsu.sh
~ # chown 0.0 /data/local/tmp/installsu.sh

Later, after the phone is rebooted and root is lost:

Method:

1. The first step is to run cydia-impactor to start the telnet daemon for root access (# start telnetd as root on port 22).

2. execute the script:
adb shell /data/local/tmp/installsu.sh

To improve the script, it would be nice to somehow be able to run cydia-impactor from the phone by including it in the script before running telnet. I messed around with somehow trying to "capture" the payload used by cydia-impactor so it can be run on a command line. Haven't spent much time on it and don't know if I can figure it out. The installsu.sh script could be executed directly from the phone but it is not worth much if it can't somehow be integrated with cydia-impactor. It's a kludge.

Here's the script, installsu.sh:

#!/system/bin/sh
# telnet in and install su

( \
echo 'stty -echo'; sleep 2; \
echo 'su'; sleep 2; \
echo 'exit'; sleep 2; \
echo 'mount -o rw,remount /system'; sleep 2; \
echo 'cp /sdcard/su /system/xbin/su'; sleep 2; \
echo 'chmod 06755 /system/xbin/su'; sleep 2; \
echo 'chown 0.0 /system/xbin/su'; sleep 2; \
echo 'exit'; sleep 2 ) \
| busybox telnet 127.0.0.1 22

if [ -f /system/xbin/su ]; then
    echo "\nsu successfully copied into /system/xbin"
else
    echo "\nfailed to copy su into /system/xbin"
fi

Here's a link to the script:

https://drive.google.com/file/d/0Bw7b4Sw9CtykQklvQTJlWFFjVUU/edit?usp=sharing

Of course, it fails for me when it tries to copy to /system/xbin but otherwise runs OK.
 
Still can't copy to /system. Oh well.

It was mentioned before about automating the temp rooting. In doing a little searching, I haven't seen any sources available for cydia-impactor other than a gui interface.

Cydia Impactor exploits bug #9950697 to start a telnetd session as either user id 'system' or 'root'. The author goes into it a little bit HERE.

I have not run your script yet, but if some skilled individual (more than I) can write a program to implement the bug, collect the phone's IP, and run the exploit via telnet... The entire process could (in theory) be built into a one-click style application.

EDIT: There is a script written for the Xperia that uses bug #9950697... It is discussed HERE... I have put the zip in my dropbox for easy access.

If someone can use the scripting in it to make an easier temp root for our Valet phones, have at it... It does not work in its current state because the program it is exploiting is not on our phones... But it is worth looking at anyway...

Also, the echoed progress statements are not in English, but all the code is... so some translation would be good... LOL
 
I have not run your script yet, but if some skilled individual (more than I) can write a program to implement the bug, collect the phone's IP, and run the exploit via telnet... The entire process could (in theory) be built into a one-click style application.

The script installsu.sh does not require the wifi IP although it would be fairly easy to add it. Instead, it comes in through localhost so I think that problem is solved. It simply implements the method you outlined above where you took out some of the extra steps listed by Unkn0wn0ne.

Here is the output I get after running the script:

mark@play:~$ adb shell /data/local/tmp/installsu.sh

Entering character mode
Escape character is '^]'.


stty -echo
~ # stty -echo
/ # FIX ME! implement ttyname_r() bionic/libc/bionic/stubs.c:466
root@android:/ # exit
/ # / # cp: can't create '/system/xbin/su': Read-only file system
/ # chmod: /system/xbin/su: No such file or directory
/ # chown: /system/xbin/su: No such file or directory
/ # Connection closed by foreign host

failed to copy su into /system/xbin
mark@play:~$


The blue font text above is the output from the script.

The advantage of the script, if it works, is that it standardizes the installation and removes the uncertainty caused by the user pushing buttons, etc. The "only" thing to do now, if possible, is to include the exploit above the 4th line of the script that would start telnetd (e.g., "busybox telnetd -p 22 -l /system/bin/sh"). Adding the exploit is beyond my current skills too but I can help with the shell script, if that is what is needed.

On a somewhat unrelated note, if anyone is looking to buy the ZTE Valet Z665, it is on sale now at Fred Meyer for $49.99. The sale goes on until next week, I believe. Still a little expensive for a brick.
 
If someone can use the scripting in it to make an easier temp root for our Valet phones, have at it... It does not work in its current state because the program it is exploiting is not on our phones... But it is worth looking at anyway...

Also, the echoed progress statements are not in English, but all the code is... so some translation would be good... LOL

https://dl.dropboxusercontent.com/u/67816104/%5BEASY%5DROOT%20FOR%20LOCKED%20bootloader%20rootkit%20Xperia_20131207.zip

Here is link for an updated version of your Xperia root process with English comments. Thanks again for your unrelenting pursuit of a solution!!!!!
 
Still can't copy to /system. Oh well.

It was mentioned before about automating the temp rooting. In doing a little searching, I haven't seen any sources available for cydia-impactor other than a gui interface. Possibly, "expect" could be used in linux to automate the procedure but this wouldn't be convenient. To provide a start in the automation, here's a script that runs telnet and installs su.

Preliminaries:

a. enable USB debugging.
b. place su under /sdcard.
c. push the script described below, installsu.sh, to /data/local/tmp.
d. get root using one of the previously described methods and change permissions of installsu.sh to execute:

Does this mean you've achieved (temporary) root? If so, which method worked?

(some of original message snipped)

Of course, it fails for me when it tries to copy to /system/xbin but otherwise runs OK.

So the script runs on the phone itself but telnets into the phone? Why would that be necessary?
 
mainefungi, I followed your version of Unkn0wn's instructions to the letter; but still got the I/O error.

Code:
$ telnet -l system 192.168.1.101 2222
Trying 192.168.1.101...
Connected to android-254e67b6c48bb123.localnet.
Escape character is '^]'.

~ $ ls
acct                     init.qcom.class_core.sh  persist
cache                    init.qcom.class_main.sh  proc
charger                  init.qcom.rc             res
config                   init.qcom.ril.path.sh    root
d                        init.qcom.sh             sbin
data                     init.qcom.usb.rc         sdcard
default.prop             init.qcom.usb.sh         storage
dev                      init.rc                  sys
etc                      init.target.rc           system
fstab.msm7627a           init.trace.rc            ueventd.goldfish.rc
init                     init.usb.rc              ueventd.qcom.rc
init.charger.rc          logo.bmp                 ueventd.rc
init.goldfish.rc         mnt                      vendor
~ $ cd system
/system $ cd xbin
/system/xbin $ ls
dexdump
/system/xbin $ su
su: must be suid to work properly
/system/xbin $ exit
Connection closed by foreign host.
$ telnet -l root 192.168.1.101 22
Trying 192.168.1.101...
Connected to android-254e67b6c48bb123.localnet.
Escape character is '^]'.

~ # su
FIX ME! implement ttyname_r() bionic/libc/bionic/stubs.c:466
root@android:/ # cp
sh: cp: not found
127|root@android:/ # mount -o rw,remount /system
root@android:/ # mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p19 /system ext4 rw,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.3/by-num/p22 /data ext4 rw,nosuid,nodev,relatime,noauto_da_alloc,data=ordered 0 0
/dev/block/mmcblk0p10 /persist ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/block/mmcblk0p21 /cache ext4 rw,nosuid,nodev,relatime,data=ordered 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/vold/179:33 /storage/sdcard0 vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:33 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /storage/sdcard0/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
/dev/block/dm-0 /mnt/asec/com.atari.mobile.amazon.greatesthitspro-1 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
/dev/block/dm-1 /mnt/asec/com.eamobile.tetris_full_azn-1 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
/dev/block/dm-2 /mnt/asec/com.mantano.reader.android.lite-1 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
root@android:/ # busybox cp /sdcard/su /system/xbin/su
cp: can't create '/system/xbin/su': Input/output error
 
echristopherson,

In response to your questions:

1) Does this mean you've achieved (temporary) root? If so, which method worked?

Yes and no. Yes, I have always gotten temporary root through telnet since first reported on the xda-developers site. No, like you, I'm still not able to write to /system. I just want to nail down the procedure more definitely since you and I are having problems with writing to /system/xbin and others are wondering if we are pressing the right keys. BTW, my prior post (#240) shows the output after a repeated attempt. If I run the script after a fresh reboot, it is able to remount /system but then the script gives me the I/O error when trying to copy su.

2) So the script runs on the phone itself but telnets into the phone? Why would that be necessary?

Yes, the script runs on the phone itself. Since cydia-impactor is successful in getting root access via telnet, it is still necessary to access the phone by telnet. Originally, I thought telnet had to be through the wifi to get root. After testing it out, I found that root can be achieved by telnet through localhost (127.0.0.1).
 
Okay, so I got the script to work on my end. I did make one small modification to symlink /system/xbin/su to /system/bin/su, just because I have heard some apps look for it there.

The updated script can be downloaded here...

Also, I have started using this su binary again.

The 90k version has been working for me in ADB shell, and showing up as root in Root Checker Basic as having root access. However, I realized it was never allowing me to allow/approve root access for any apps...

The 22k version I got from stayboogy would never give me privileges... It just never worked for me.

This version I am using again is from the latest Superuser-3.1.3-arm-signed.zip available from ChainsDD. It seems to be working well, and I get asked to 'Allow' apps as expected.

As for those that have not been able to get /system to properly remount with write access... Have you tried a different USB port? I have read on the forums that simply changing USB ports has made a difference for some exploits.

Here is a screenshot of this script running successfully on my setup...

35i55iu.jpg
 
https://dl.dropboxusercontent.com/u/67816104/%5BEASY%5DROOT%20FOR%20LOCKED%20bootloader%20rootkit%20Xperia_20131207.zip

Here is link for an updated version of your Xperia root process with English comments. Thanks again for your unrelenting pursuit of a solution!!!!!

Unfortunately, this one uses the CVE-2013-6282 vulnerability in the kernel, rather than the bug 9950697 exploit...

Maybe someone smarter than I will be able to modify the files to use either of these for the Valet...
 
As for those that have not been able to get /system to properly remount with write access... Have you tried a different USB port? I have read on the forums that simply changing USB ports has made a difference for some exploits.

Thanks for the suggestion. Tried another port - didn't work for me. Still have to see if it works on my wife's Win7 computer. My adb connection seems fine as it should. Given that the cp fails while just working on the phone, it's difficult to understand that it is my computer. Logically, I see two possibilities: 1) my phone started out being a little different, or 2) I did something to my phone like install different apps that prevent me from writing to /system. To address the first item, here's my "about phone" (see attachment below). Any different from yours?

I don't want to dwell on my problems here - better to work towards the goal. I'll study the files you linked to but my main strategy is to hope someone smart comes along and helps us.
 

Attachments

  • screenshot_valet.png

Mine (which I haven't been able to temproot either) has exactly the same "About" screen, FWIW.

And mine is exactly the same as well.

I first tried these methods (mine and unknownone's) after getting my replacement phone when I bricked my old one... Meaning it was a clean install, and I have not tried other methods since...

I know it is a pain in the butt, but maybe a wipe and restore to factory from recovery will help. This would at least get rid of any extras left on your phone from other failed methods...
 
And mine is exactly the same as well.

I first tried these methods (mine and unknownone's) after getting my replacement phone when I bricked my old one... Meaning it was a clean install, and I have not tried other methods since...

I know it is a pain in the butt, but maybe a wipe and restore to factory from recovery will help. This would at least get rid of any extras left on your phone from other failed methods...

Ok, good to know at least that hardware/rom differences aren't the problem. Is there any way to back up app data without root?
 