Sign in or 
Share this
Rooting
Gaining superuser (root) access on the Toshiba AC100.
Rooting an Android device usually means to gain the ability to run applications that require superuser (root) access.
There are now 3 documented ways and a fourth that can be perused by fiddling with the backups and then restoring them back to the device.
In any way you will need the Androis Debug Bridge (ABD) from the sdk (get it from here). In order to use ADB you will need to enable the "USB Debugging" feature on the ac100 from the settings menu.
You should now choose which method you wish to use to root your ac100.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The newest and the easiest way to root a AC100:
Use on youre own risk!
Works also on android 2.2
1: Instal z4root.
- Link to z4root page.
- Download the APK file and instal it on youre AC100.
2: The usb debugging mode must be turn on.
- Settings> applications > development > click usb debugging on.
3: No SD card insert!
-unmount the Sd card
4: Root whit z4root.
-Start the app z4root.
-Click on permament root.
-The app is loading and is trying to root youre AC100.
-When it is done. You're AC100 should be turned of automatically.
-Turn on your AC100.
-There should be a app called Superuser.
-When yes, congratulations. When no, try again.
That was easy he!
Thanks to the maker of z4root.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Extract the contents of the update.zip to a directory, and copy the files Superuser.apk and su from their respective subdirectories into whatever location you downloaded rageagainstthecage-arm.bin.
The next step is to push the rageagainstthecage-arm.bin file to your device.
Note in the following, [HOST], [AC100 $ prompt], [AC100 # prompt] indicates the sort of shell/prompt you should be at when typing the command.
From your host command prompt:
This should copy rageagainstthecage-arm5.bin to /data/local/tmp on the AC100.
Now to run the binary on the device, enter from the command prompt:
You should connect to the AC100 and get a $ prompt:
Your ADB connection will drop. After a few seconds, your AC100 should chirp to indicated that USB debugging has been connected again. If you run "adb shell" again, you should now get a # prompt indicating you have superuser access. If you do not, follow these instructions again from your $ prompt until you do:
IMPORTANT: This exploit does not survive a device reboot!
Assuming you at a # prompt, the next step is to remount /system as r/w, with the following command:
You should now exit the ADB shell, and enter the following commands from your host command prompt:
From now on, you can gain su access via adb by entering su at the device shell prompt.
Now, we need to install ChainsDDs excellent Superuser application for Android:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Ok you need the rageagainstthecage source code. I got it form here but link may get broken so you might haveto google a little to find it. You might also like to google to learn how the exploit works.
You need the android SDK to do testing and Android Debug Bridge stuff. You can download it from here.
To build the binary you will need a cross compiler for android-7 api. I downloaded the NDK that has such cross compiler for all android api from here. There are known issues with the android NDK but for compiling these 2 simple programs it's OK. If you prefer you can get a cross compiler from codesourcery here. You will need to setup a different runsdk script for using the codesourcery cross compiler though but if you want to compile busybox or other more complex projects I strongly advise the use of codesourcery's cross compiler or some other third party cross compiler .
I did not want to go trough all the crap for using it with eclips I just wanted to use it from command line (like I used to do for Zaurus) so I made a runsdk script to set the environment variables for using it.
You obviously also need a linux based pc to run the NDK ;-)
I extracted the NDK to /root/ac100/devel/android-ndk-r6 ... modify to suit your needs:
#User configureble
ARCHITECTURE=arm
API_LEVEL=7
NDK=/root/ac100/devel/android-ndk-r6
#END User configureble
TOOLCHAIN_SYSROOT=$NDK/platforms/android-${API_LEVEL}/arch-$ARCHITECTURE
TOOLCHAIN_PREFIX=${ARCHITECTURE}-linux-androideabi
CC="$TOOLCHAIN_PREFIX-gcc --sysroot=$TOOLCHAIN_SYSROOT"
PATH=$NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin:${PATH}
export NDK ARCHITECTURE API_LEVEL TOOLCHAIN_SYSROOT TOOLCHAIN_PREFIX CC PATH
echo -n "Press ENTER to start using the NDK end/or type 'exit' to quit NDK"
read
bash
Place such a script in the NDK root directory.
No extract the rageagainstthecage source tarball wherever you like. You will see other code if you got it from the same place where I got it all you are interested in is just the rageagainstthecage.c code.
Now before you proceed in building the binary you might want to examine the code to see if it looks safe then proceed in compiling first by setting up the cross compiler environment with the runsdk scrip above
then proceed to compile the bin by typing something like:
$CC -o rageagainstthecage-android-7.bin rageagainstthecage.c
This should produce a binary called rageagainstthecage-android-7.bin that should run on your AC100. You can first test it out on an android virtual device using the android-sdk and once you're satisfied you then use adb to push it to your AC100 like this:
adb push rageagainstthecage-android-7.bin /data/local/tmp/rageagainstthecage-android-7.bin
Make sure you writhe the bin in a place that will allow unprivileged user to execute it. If you change destination you may run into trouble when you try executing the bin.
After you pushed it to your AC100 you need to enter a shell prompt on the AC100 using the adb again like this:
adb shell
Once you get the shell prompt give execute permissions to and execute it. Things should work exactly like stated in "The Easy Way":
Your ADB connection will drop. After a few seconds, your AC100 should chirp to indicated that USB debugging has been connected again. If you run "adb shell" again, you should now get a # prompt indicating you have superuser access. If you do not, go and execute again rageagainstthecage-android-7.bin until you do. It may take several more then one attempt to drop into a root shell but generally it works first go whils the downloaded bin generally takes more then one go (indicating that it may be doing other things while making it look like attempting the exploit).
Once you drop into a temporary root shell you will need to do something in order to make it easy to get a root shell again in the future. You could compile yourself busybox and what more but the easiest way is to make a very simple c program that gets you root and drops you in a shell. The binary needs to be setuid or it will not work anyway. Jus incase yo've no idea how to to that here is a small and very basic code fragment that does this (make sure the path to your system's sh is correct the code below is the one I used on my spartphone):
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{ int current_uid = getuid();
printf("My UID is: %d. My GID is: %d\n", current_uid, getgid());
system("/usr/bin/id");
if (setuid(0))
{ perror("setuid");
return 1;
}
//I am now root!
printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
system("/system/bin/sh");
return 0;
}
Compile this just like you did for the rageagainstthecage source and push this on your device, drop in to the adb root shell again and make sure root owns it and give it setuid like this:
chmod 6555
You will need to put it in a place where it's allways executable (like /system.bin) which will require you to remount with read write permissions a filesystem (see "The Easy Way" for remounting).
Have fun.
Rooting an Android device usually means to gain the ability to run applications that require superuser (root) access.
VERY IMPORTANT NOTICE!
It seems that the Toshiba factory reset option does not truly reflash back to the original ROM on the device. In this tutorial, we will be making the /system partition writeable, and the factory reset does not amend this partition. Therefore, any changes you make to /system will persist even after a factory reset. If you do something silly in /system you could potentially get your device into a state where it no longer boots.
If you intent to follow this tutorial, I take no responsibility for any damage you may do to your device and its configuration, so if you are in any doubt whatsoever about what you are doing, my advice would be to stop now and progress no further!
Be also warned that precompiled bins can contain Trojan so if you can it's a good choice to compile the stuff you are going to use from source.
Be also warned that precompiled bins can contain Trojan so if you can it's a good choice to compile the stuff you are going to use from source.
There are now 3 documented ways and a fourth that can be perused by fiddling with the backups and then restoring them back to the device.
In any way you will need the Androis Debug Bridge (ABD) from the sdk (get it from here). In order to use ADB you will need to enable the "USB Debugging" feature on the ac100 from the settings menu.
You should now choose which method you wish to use to root your ac100.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The newest and the easiest way to root a AC100:
Use on youre own risk!
Works also on android 2.2
1: Instal z4root.
- Link to z4root page.
- Download the APK file and instal it on youre AC100.
2: The usb debugging mode must be turn on.
- Settings> applications > development > click usb debugging on.
3: No SD card insert!
-unmount the Sd card
4: Root whit z4root.
-Start the app z4root.
-Click on permament root.
-The app is loading and is trying to root youre AC100.
-When it is done. You're AC100 should be turned of automatically.
-Turn on your AC100.
-There should be a app called Superuser.
-When yes, congratulations. When no, try again.
That was easy he!
Thanks to the maker of z4root.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The Easy Way
You now need to download two items:- rageagainstthecage-arm.bin (from Joey Krim's website here - note that you only need the rageagainstthecage-arm.bin binary, none of the others are required or source can be retreived from here)
- Superuser.apk (from ChainsDD's XDA post here - you need the Eclair/Froyo update.zip or alternatively you can use a suid copy of the original sh in tour device to get you rooted after tou have your first root prompt)
Extract the contents of the update.zip to a directory, and copy the files Superuser.apk and su from their respective subdirectories into whatever location you downloaded rageagainstthecage-arm.bin.
The next step is to push the rageagainstthecage-arm.bin file to your device.
Note in the following, [HOST], [AC100 $ prompt], [AC100 # prompt] indicates the sort of shell/prompt you should be at when typing the command.
From your host command prompt:
[HOST] adb push rageagainstthecage-arm5.bin /data/local/tmp/rageagainstthecage-arm5.bin
This should copy rageagainstthecage-arm5.bin to /data/local/tmp on the AC100.
Now to run the binary on the device, enter from the command prompt:
[HOST] adb shell
You should connect to the AC100 and get a $ prompt:
You should get a message similar to this:
[AC100 $ prompt] chmod 755 /data/local/tmp/rageagainstthecage-arm5.bin
[AC100 $ prompt] cd /data/local/tmp
[AC100 $ prompt] ./rageagainstthecage-arm5.bin
[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C [*] checking NPROC limit ...
[+] RLIMIT_NPROC={3584, 3584}
[*] Searching for adb ...
[+] Found adb as PID 777
[*] Spawning children. Dont type anything and wait for reset!
[*]
[*] If you like what we are doing you can send us PayPal money to
[*] 7-4-3-C@web.de so we can compensate time, effort and HW costs.
[*] If you are a company and feel like you profit from our work,
[*] we also accept donations > 1000 USD!
[*]
[*] adb connection will be reset. restart adb server on desktop and re-login.
Your ADB connection will drop. After a few seconds, your AC100 should chirp to indicated that USB debugging has been connected again. If you run "adb shell" again, you should now get a # prompt indicating you have superuser access. If you do not, follow these instructions again from your $ prompt until you do:
[AC100 $ prompt] cd /data/local/tmp
[AC100 $ prompt] ./rageagainstthecage-arm5.bin
IMPORTANT: This exploit does not survive a device reboot!
Assuming you at a # prompt, the next step is to remount /system as r/w, with the following command:
[AC100 # prompt] mount -o rw,remount -t ext3 /dev/block/mmcblk0p1 /system
You should now exit the ADB shell, and enter the following commands from your host command prompt:
[HOST] adb push su /system/bin
[HOST] adb shell
[AC100 # prompt] chmod 6755 /system/bin/su
[AC100 # prompt] ln -s /system/bin/su /system/xbin/su
From now on, you can gain su access via adb by entering su at the device shell prompt.
Now, we need to install ChainsDDs excellent Superuser application for Android:
[HOST] adb push Superuser.apk /system/appOnce this is done, you should find the Superuser application in your application drawer, and whenever a new application requires root access, it should pop up to give you the option to allow or deny access.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The Hard Way
You chose the more impervious way because you're paranoid about Trojans and what more or because you just want to learn how to use a cross compiler or whatever pushed you to the hard way.Ok you need the rageagainstthecage source code. I got it form here but link may get broken so you might haveto google a little to find it. You might also like to google to learn how the exploit works.
You need the android SDK to do testing and Android Debug Bridge stuff. You can download it from here.
To build the binary you will need a cross compiler for android-7 api. I downloaded the NDK that has such cross compiler for all android api from here. There are known issues with the android NDK but for compiling these 2 simple programs it's OK. If you prefer you can get a cross compiler from codesourcery here. You will need to setup a different runsdk script for using the codesourcery cross compiler though but if you want to compile busybox or other more complex projects I strongly advise the use of codesourcery's cross compiler or some other third party cross compiler .
I did not want to go trough all the crap for using it with eclips I just wanted to use it from command line (like I used to do for Zaurus) so I made a runsdk script to set the environment variables for using it.
You obviously also need a linux based pc to run the NDK ;-)
I extracted the NDK to /root/ac100/devel/android-ndk-r6 ... modify to suit your needs:
#User configureble
ARCHITECTURE=arm
API_LEVEL=7
NDK=/root/ac100/devel/android-ndk-r6
#END User configureble
TOOLCHAIN_SYSROOT=$NDK/platforms/android-${API_LEVEL}/arch-$ARCHITECTURE
TOOLCHAIN_PREFIX=${ARCHITECTURE}-linux-androideabi
CC="$TOOLCHAIN_PREFIX-gcc --sysroot=$TOOLCHAIN_SYSROOT"
PATH=$NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin:${PATH}
export NDK ARCHITECTURE API_LEVEL TOOLCHAIN_SYSROOT TOOLCHAIN_PREFIX CC PATH
echo -n "Press ENTER to start using the NDK end/or type 'exit' to quit NDK"
read
bash
Place such a script in the NDK root directory.
No extract the rageagainstthecage source tarball wherever you like. You will see other code if you got it from the same place where I got it all you are interested in is just the rageagainstthecage.c code.
Now before you proceed in building the binary you might want to examine the code to see if it looks safe then proceed in compiling first by setting up the cross compiler environment with the runsdk scrip above
then proceed to compile the bin by typing something like:
$CC -o rageagainstthecage-android-7.bin rageagainstthecage.c
This should produce a binary called rageagainstthecage-android-7.bin that should run on your AC100. You can first test it out on an android virtual device using the android-sdk and once you're satisfied you then use adb to push it to your AC100 like this:
adb push rageagainstthecage-android-7.bin /data/local/tmp/rageagainstthecage-android-7.bin
Make sure you writhe the bin in a place that will allow unprivileged user to execute it. If you change destination you may run into trouble when you try executing the bin.
After you pushed it to your AC100 you need to enter a shell prompt on the AC100 using the adb again like this:
adb shell
Once you get the shell prompt give execute permissions to and execute it. Things should work exactly like stated in "The Easy Way":
Your ADB connection will drop. After a few seconds, your AC100 should chirp to indicated that USB debugging has been connected again. If you run "adb shell" again, you should now get a # prompt indicating you have superuser access. If you do not, go and execute again rageagainstthecage-android-7.bin until you do. It may take several more then one attempt to drop into a root shell but generally it works first go whils the downloaded bin generally takes more then one go (indicating that it may be doing other things while making it look like attempting the exploit).
Once you drop into a temporary root shell you will need to do something in order to make it easy to get a root shell again in the future. You could compile yourself busybox and what more but the easiest way is to make a very simple c program that gets you root and drops you in a shell. The binary needs to be setuid or it will not work anyway. Jus incase yo've no idea how to to that here is a small and very basic code fragment that does this (make sure the path to your system's sh is correct the code below is the one I used on my spartphone):
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{ int current_uid = getuid();
printf("My UID is: %d. My GID is: %d\n", current_uid, getgid());
system("/usr/bin/id");
if (setuid(0))
{ perror("setuid");
return 1;
}
//I am now root!
printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
system("/system/bin/sh");
return 0;
}
Compile this just like you did for the rageagainstthecage source and push this on your device, drop in to the adb root shell again and make sure root owns it and give it setuid like this:
chmod 6555
You will need to put it in a place where it's allways executable (like /system.bin) which will require you to remount with read write permissions a filesystem (see "The Easy Way" for remounting).
Have fun.
|
louigi600 |
Latest page update: made by louigi600
, Oct 6 2011, 2:57 AM EDT
(about this update
About This Update
rearrange the info and the common required bits on top
- louigi600
85 words added 173 words deleted view changes - complete history) |
|
Keyword tags:
AC100
Android
Dynabook AZ
root
rooting
More Info: links to this page
|
| Started By | Thread Subject | Replies | Last Post | ||
|---|---|---|---|---|---|
| louigi600 | setting up codesourcery's cross compiler | 0 | Aug 25 2011, 4:33 AM EDT by louigi600 | ||
|
Thread started: Aug 25 2011, 4:33 AM EDT
Watch
Supposing you extract the tarball to /root/ac100/devel/arm-2008q1 this is how the runsdk might look like:
#User configureble BASEDIR=/root/ac100/devel/arm-2008q1 PREFIX=arm-none-linux-gnueabi- #END User configureble CC="${PREFIX}gcc" PATH=$BASEDIR/bin:${PATH} export BASEDIR PREFIX CC PATH echo -n "Press ENTER to start using the cross compiler end/or type 'exit' to quit" read bash
Do you find this valuable?
Keyword tags:
AC100
Android
Dynabook AZ
root
rooting
|
|||||
| bantolph | Alternate rooting method with Linux and nvflash utility from NVIDIA | 4 | May 18 2011, 1:05 PM EDT by vondrach | ||
|
Thread started: Sep 22 2010, 5:34 AM EDT
Watch
A bit more complicated, but works nonetheless is to use the nvflash utility from the linux for tegra project. I test this and it works using Ubutntu 10.04. The general procedure is:
1. Install the Linux for Tegra package from NVIDIA on your host machine. 2. Put the AC100 in recovery mode. 3. Use the nvflash utility to download a copy of the AC100's system partition: LD_LIBRARY_PATH=. ./nvflash -w --bl fastboot.bin --read 8.part.img 4. Mount up the partition image as a loopback filesystem on the host computer and mount the file system up. 5. Have your way with the system partition. 6. Write the new partition back to the AC100: LD_LIBRARY_PATH=. ./nvflash -r --download 8 8.part.img
1
out of
2 found this valuable.
Do you?
Keyword tags:
AC100
Android
Dynabook AZ
root
rooting
|
||||
| legostein | Rooting Android 2.2 | 10 | May 5 2011, 6:32 PM EDT by Darkij | ||
|
Thread started: Mar 6 2011, 10:13 AM EST
Watch
Anyone done that yet? rageagainstthecage doesn't seem to work on my box. However, succeeded with another exploit, implemented in a tool called 'psneuter'. Worth an update?
2
out of
2 found this valuable.
Do you?
Keyword tags:
AC100
Android
Dynabook AZ
root
rooting
|
|||||
Showing 3 of 4 threads for this page
- view all
