Root Root exploit = easier rooting without having to flash the whole firmware

[giantpune]

This thread is here to offer up a different method for rooting our phone. So far, this is verified working on VM696. I have read the kernel source, and the relevant portion there is dated 2009/2010, so it seems like it should be possible for a few other LG devices, but it is yet untested.

Here's a copy/paste of the readme.txt, which should work. There is no 1-click-bat installer for this one. In its current form, its pretty much read the readme and follow it step by step. Most of it is issuing commands into a command prompt. I will link relevant files at the end of this post. This little guide assumes you already have adb from the android sdk installed and working. If it isn't, go do that before continuing.




Before you start, get in the application settings in your phone and enable Debug mode, enable installation of non-market apps, and set your phone screen to timeout at like 30 minutes or something. Don't let your phones screen go off.

1. 
   
   • ) Remove the symlink file if it exists. If it doesn't exist, don't worry about it. Run the following 2 lines to start an adb shell and then delete the file from the phone.
     

     ./adb shell   
     $ rm /data/img/image.bmp

   • ) Create the symlink. Run the following 2 commands. They will create the link and then check that it was created correctly. The 3rd line is what we hope the phone will print back if everything worked correctly.
     

     $ ln -s /data/local.prop /data/img/image.bmp
     $ ls -l /data/img
     lrwxrwxrwx shell    shell             2012-07-20 16:37 image.bmp -> /data/local.prop

2. 
   
   • )Enable Diag mode. The following 4 lines will exit the adb shell, then install 2 packages and copy the su binary to your phone for later use. You can find these files in the links at the end of this post.
     

     $ exit
     ./adb install -r './apks/Ministro II.apk'
     ./adb install -r ./apks/LG_OE_DiagMode-debug-unaligned.apk
     ./adb push ./apks/su /data/local/tmp/su

   • )Now, run the packages with the command below. Something wil pop up on your phones screen. If it asks to download some libraries, let it. When it gets done, another thing will pop up that says "Push Me". Push it and then enable the Diag mode
     

     ./adb shell am start -n org.kde.necessitas.example.LG_OE_DiagMode/org.kde.necessitas.origo.QtActivity

3. )Run the lgoeExploit program. Under windows, this requires fiddling with some drivers. Linux users can skip to 3c.
   
   • )You need WinUSB drivers installed for 3 of the interfaces provided by the phone - numbers 0, 2, and 3. Install the newest version of Zadig.exe (libwdi - Browse /zadig at SourceForge.net). Click options->List all devices. It should populate the dropdown list. To install a driver, you need to select it in the dropdown, then click the big "reinstall driver" button. Do this 3 times; CDC Serial (Interface 0), LG Android USB Device (Interface 2), and LG Android USB Device (Interface 3).
     
     
     
     
     
   • )When you're done, you can verify it was done correctly by looking for these 3 Universal Serial Bus Devices at the bottom of the device manager.
     
     
     
     
     
   • )Run the program.
     
     
     
   
   
4. )Disable Diag mode. If the diag menu is still on the screen of your phone, just click disable on it. If that menu is not still on your screen, you can get it back by finding the 'LG_OE_DiagMode' app on your phone and running it. This app has a white icon with a green 'Q'.
   
   
5. )
   
   • )Go back to the the adb shell
     

     adb shell

     Run the following command to overwrite the file
     

     $ echo ro.kernel.qemu=1 > /data/local.prop

   • )Make sure it was written. Run this first line and make sure the phone spits the second line back at you
     

     $ cat ./data/local.prop
     ro.kernel.qemu=1

   • )Type the following to exit the adb shell and reboot the phone
     

     $ exit
     ./adb reboot

     
     NOTE: When the phone reboots, it will be stuck in a boot loop. Your computer may not be able to see it with ./abd.
     What worked for me, was I had to unplug the phone, take out the battery, and then reboot my PC, and then plug the phone
     back in. If your PC cannot see the device with ./adb after rebooting the phone, then reboot the PC. You must then
     Open up a terminal, go into the ./adb directory, and continue from there.
     To be clear - it is ok, and even expected if your phone is in a boot loop. What matters is that you can access it with adb. Continue on and the boot loop will be fixed later.
6. ) Run the following lines, one at a time. The '#' at the beginning of some of these lines is not meant to be type by you. It is put at the start of each line by the phone to remind you that you are ronning as root and you need to be careful.
   

   ./adb shell
   # mount -o remount,rw /dev/block/mmcblk0p12 /system
   # cat /data/local/tmp/su > /system/xbin/su
   # chown 0.0 /system/xbin/su
   # chmod 6755 /system/xbin/su
   # mount -o remount,ro /dev/block/mmcblk0p12 /system
   # rm /data/local/tmp/su
   # rm /data/img/image.bmp
   # rm /data/local.prop
   # exit
   ./adb reboot

7. )The phone should boot up correctly now, and it will be rooted.
   

LINKS!
lgoeExploit - 64bit linux Download lgoeExploit from Sendspace.com - send big files the easy way
md5 - 88d34a67e4e69e01ba4e7f73d7add5b8

lgoeExploit - 32bit linux Download lgoeExploit from Sendspace.com - send big files the easy way
md5 - 81c5c12999d2a0daccdd61b9285b27d0

lgoeExploit - windoze. Download lgoeExploit.exe from Sendspace.com - send big files the easy way
md5sum - 274ad4fb92ba3a2a8d8d180cebf840c9

lgoeExploit source code, su binary, Diag enabler apks - Download rootIt.tar.gz from Sendspace.com - send big files the easy way
md5 - 0f61c6f6ba905bea6318f76822481e55

 

[Hashtag]

To other people reading this, the "sudo apt-get install build-essential libusb-1.0.0-dev", is not for windows. It is for Debian variants of linux. If you're on windows you have to get that a different way. And also, if you're on windows, you can just type "adb" instead of "./adb" every time.

Sweet tut though! Much faster than flashing it

 

[giantpune]

Ok, I had some time today with windoze7 and managed to get this to work. It involves replacing(gasp) the official LG drivers. Anyways, here's a quick rundown of how I did it. If somebody can confirm that this is working for them, then I'll add it to the first post.

First, setup the drivers. You need WinUSB drivers installed for 3 of the interfaces provided by the phone - numbers 0, 2, and 3. Install the newest version of Zadig.exe (libwdi - Browse /zadig at SourceForge.net). Click options->List all devices. It should populate the dropdown list. To install a driver, you need to select it in the dropdown, then click the big "reinstall driver" button. Do this 3 times; CDC Serial (Interface 0), LG Android USB Device (Interface 2), and LG Android USB Device (Interface 3).

When you're done, you can verify it was done correctly by looking for these 3 Universal Serial Bus Devices at the bottom of the device manager.

Download the lgoeExploit program for windoze. Download lgoeExploit.exe from Sendspace.com - send big files the easy way
md5sum - 274ad4fb92ba3a2a8d8d180cebf840c9

Run the program.

 

[rob11223]

I tried this, using vista though, having used windows 7 its not much different from vista, but none of the drivers even shown in the picture even come up on zadig. so I tried without doing that, and got a line 404 error.

 

[giantpune]

Maybe you have to run it as the administrator?

 

[rob11223]

Maybe you have to run it as the administrator?

I tried that d= with just running the loeg file, but nothing happened... then I read more and assumed I had to do it from cmd, and that gave me the line 404 error. IDK how to run something through cmd as admin )= and zadig same as without admin. Maybe I just don't know enough though. Either way wtg on finding an easier root! I wonder if it works with the evo 4g , as the only root ive seen involves gettin the msl as well.

 

[giantpune]

Is your phone in diag mode? When you switch it to that mode, the pid changes. Line 404 is my copy is "WRN << "libusb_open_device_with_vid_pid()" << endl;" If your phone doesn't have the pid for the diag mode, then this line would fail.

And this method probably won't work for any non-LG phones. It is using one of their debugging commands that creates a screenshot.

 

[Hashtag]

Crap, I would totally help test this on win7 but im in Kansas city for a week with my grandparents. Sorry. Im sure you'll have it down by Saturday, but if not I'll try it out

 

[Spiify]

I am getting "device not found" when trying to use adb in DIAG mode. It reads the phone when DIAG mode is disabled though. This is on Windows 7 after installing the drivers.

 

[giantpune]

It looks like the windows adb is still able to see the phone with it in Diag mode and the WinUSB drivers installed, but it thinks the phone is offline, so it won't talk to it. You can verify this with "adb.exe devices".

Either way, as long as you are able to use the lgoeExploit, I think we can reorder the steps and make it work. As long as you are able to get back into the phone with adb once diag mode is turned off. Something like this -

Move step 1b (enabling diag mode) to right before we need it. So move it to Right before 3c. And then move the last step (disabling diag mode) up the list between 3C and step 4. All that last step is doing is running a program with adb. If you can't get adb to connect, then you can find the "LG_OE_Diag" app installed on your phone and click its pretty icon. It should be white and green with a 'Q' on it.

 

[Spiify]

It looks like the windows adb is still able to see the phone with it in Diag mode and the WinUSB drivers installed, but it thinks the phone is offline, so it won't talk to it. You can verify this with "adb.exe devices".

Either way, as long as you are able to use the lgoeExploit, I think we can reorder the steps and make it work. As long as you are able to get back into the phone with adb once diag mode is turned off. Something like this -

Move step 1b (enabling diag mode) to right before we need it. So move it to Right before 3c. And then move the last step (disabling diag mode) up the list between 3C and step 4. All that last step is doing is running a program with adb. If you can't get adb to connect, then you can find the "LG_OE_Diag" app installed on your phone and click its pretty icon. It should be white and green with a 'Q' on it.

No devices are showing up. Maybe 2a and 2b are were i am messing up. I do not really understand what to do here. When i get to ro.kernel.qeme=1 i get a permission denied.

 

[giantpune]

It's working here. But again, that shouldn't matter. You can disable the diag mode on your phone without using adb, and then adb should be able to see your phone again. You can also try "adb.exe kill-server" and see if it magically works.

 

[Spiify]

It's working here. But again, that shouldn't matter. You can disable the diag mode on your phone without using adb, and then adb should be able to see your phone again. You can also try "adb.exe kill-server" and see if it magically works.

Edited last post. Thank you for trying to help me. Hopefully we get it figured out.

 

[giantpune]

You aren't supposed to type "ro.kernel.qeme=1". That is something the phone will tell you if everything is going correctly.

in 4a, you typed

echo ro.kernel.qemu=1 > /data/local.prop

which is supposed to write the text "ro.kernel.qemu=1" into a file at "/data/local.prop".

Then in 4b, you are typing

cat /data/local.prop

and the phone is going to open up that "/data/local.prop" file and read it back to you. This line is making sure that it contains the text we want it to, and nothing more.

Lines starting with a '$' are something you are typing into the adb shell under normal circumstances. Lines starting with a '#' are what you are typing into the adb shell while running as root. That '#' is there to remind you to be careful because you can break the thing.

 

[Spiify]

You aren't supposed to type "ro.kernel.qeme=1". That is something the phone will tell you if everything is going correctly.

in 4a, you typed

echo ro.kernel.qemu=1 > /data/local.prop

which is supposed to write the text "ro.kernel.qemu=1" into a file at "/data/local.prop".

Then in 4b, you are typing

cat /data/local.prop

and the phone is going to open up that "/data/local.prop" file and read it back to you. This line is making sure that it contains the text we want it to, and nothing more.

Lines starting with a '$' are something you are typing into the adb shell under normal circumstances. Lines starting with a '#' are what you are typing into the adb shell while running as root. That '#' is there to remind you to be careful because you can break the thing.

Thank you for the help, my phone is now rooted!

 

[giantpune]

And thank you for your feedback. I rearranged the steps so they should work in the situation where adb didn't talk to the phone while in diag mode. And I went ahead and included the windows stuff in the first post and removed the steps for building the program, since we now have binaries that cover most people.

 

[amobley0]

Do you think this method will work for the Sprint version?

 

[giantpune]

I believe this should work on the sprint model. I can't see any reason why it would brick the phone. If anything, it just wont work.

 

[Hashtag]

giantpune, I'm gonna put in the guide that your method works on windows. Anything specific that needs to be pointed out?

 

[giantpune]

As far as I know, it should be fine as it is. If somebody tries to follow it and hits a snag, then maybe something will need changed.

 

[Deleted User]

Is there a original .tot file out there so I can put my phone back to non-root Stock phone? Wanted to test this procedure out.

 

[Hashtag]

Here you go- http://uploaded.to/file/a6klyplk

 

[l0uisl0uis]

Hey everyone I'm new here but been following these threads since i got my phone. Giantpune, im on windows vista and I've installed the zadiag program but i got a problem. I dont got none of these drivers installed.

CDC Serial (Interface 0),
LG Android USB Device (Interface 2),
and LG Android USB Device (Interface 3)

The ones i have are these..

LGE AndroidNet USB Modem (Interface 0)
LGE AndroidNet USB Serial Port (Interface 2)
LGE AndroidNet USB GPS NMEA Port (Interface 3)
LGE AndroidNet NDIS Ethernet Adapter (Interface 4)
USB Mass Storage Device (Interface 6)

Would i need to install the missing drivers above? If yes any idea were i could download and install them?

Thanks..

 

[giantpune]

Is this the Virgin Mobile version of the phone? If you are using the sprint version, they may have changed the endpoints and names around. Or it may just be that windows vista gives them different names. If your phone is the Virgin Mobile one, then I would guess that you can replace interfaces 0, 2, and 3, regardless of the names.

In any case, you are in uncharted waters. If you do decide to do anything, let us know what happens.

 

[l0uisl0uis]

Is this the Virgin Mobile version of the phone? If you are using the sprint version, they may have changed the endpoints and names around. Or it may just be that windows vista gives them different names. If your phone is the Virgin Mobile one, then I would guess that you can replace interfaces 0, 2, and 3, regardless of the names.

In any case, you are in uncharted waters. If you do decide to do anything, let us know what happens.

Yes, it's the virgin mobile version. Alright gonna give it a shot in a bit. Will post the results..