Hi all,

in case you missed it, X10 users have recently become very happy: the X10 has been rooted:

http://www.youtube.com/watch?v=Fb3v5X5-9oM

Originally from xda-developers:

I think that the root 'bounty' thread is getting us nowhere at the moment - many people are just continually asking for root, instead of doing something themselves.

I agree with biktor_gj, and have decided to set up a thread for any rooting and flashing exploits/ideas that can be used to our benefit. I'll try to add anything I can find to help people out, and maybe a solution can come from this.

P.S. Please don't treat this as an 'asking for root or custom ROM' thread. This should only be for helpful ideas/suggestions to develop a rooting and/or custom ROM flashing solution.

Helpful Stuff:

From Evostance -
Ok I've got a few things that might be of use

How to get your phone into Safe Mode
Turn the phone off
Power the phone back on
When it vibrates, press and hold the left menu button until it boots up and says SAFE MODE in the bottom left corner of the screen

How to get your phone into SE Flashing Mode:
Turn the phone off
Remove the battery for at least 5 seconds
Hold the right menu button (back) and insert the USB cable

Possible way of putting phone into bootloader with adb?

If you look on your SD card there is an autorun.ini file. If you open it up you can see various commands telling the phone to run various things. Is there any way we could tell the phone to reboot into bootloader from here?

Some Ideas already thought up:
- Look at boot.sin (http://www.speedyshare.com/files/21948468/boot.zip)
Post #103 on root bounty thread

From Zephyrix -
If we can crack the loader for this and modify the firmware files directly, then it's simply a matter of changing ro.secure=1 to ro.secure=0 in default.prop inside the bin, then flashing.

FILE_277196794_1264160195000_1264061951000_277196791_87559_INFILE_LONGTERM -> S1_QSD8250_eSheep_Loader_1226-2250_LIVE_AID0x0001.sin
FILE_277286594_1270622078000_1268290408000_277286592_16629674_INFILE_LONGTERM -> APP-SW_RACHAEL_GENERIC_1227-4612_S1-SW-LIVE-AC12-0001-S1-PARTITION.zip
FILE_277307282_1269857081000_1269855077000_277307278_114482261_INFILE_LONGTERM -> FSP_X10a_ROG-CA_NAM1_1233-6929_S1-SW-LIVE-AC12-0001-S1-PARTITION-WITH-SPARE.zip

it also looks like their .zip format is custom cooked... if we can figure out how to modify these then we win.

edit:
it is SO nice that sony decided to do everything in java. i LOVE it. going to decompile the libs and see if i can find any code for opening these zips.

edit 2:
is anyone willing to risk their phone and test for me after i get things sorted out?
i need to go to school in a bit but i think i have more than enough info to root the phone.

From OwLOwLOwL -

Has anyone looked for any buffer overflow exploits for ARM in kernel 2.6.29?

I know there exist several for the x86 platform.. and probably a couple of them might be adaptable to the ARM architecture.

And when we have local root access, we have a lot of more options investigating the device.

Is there any passwd/shadow-file with an encoded root-password?.. maybe we could try brute-forcing that password using some oldschool "jack-the-ripper"-type applications...

Just ideas.....

Regards // OwL

From lollylost100 -
Post # 348 of root bounty thread

From goroh_kun -
Here are jar files to rip raw, signed images by SEUS (Sonyericsson Update Service).
Overwrite the jar files in the plugin folder of the SEUS program, and re-flash your xperia.
Then you can get (number).bin and (number).cert, and zipfilesX.zip.

http://hotfile.com/dl/39946584/1edafc6/upload4.zip.html

To rip zipfiles0.zip, we have to create an empty file named dump0 on SEUS top folder,
and to rip zipfiles1.zip, we have to create a file named dump1.
When we dump zipfilesX.zip, it fails to flash the phone, so after dumping it, we have to remove the files dump0, dump1.

(1) create a file named "dump0" on SEUS top folder.
(2) perform SEUS and flash your xperia (it fails).
(3) you can get zipfiles0.zip on SEUS top folder.
this zipfile includes signed kernel, amss(dsp) images.
(4) remove dump0, and create a file named dump1.
(5) perform SEUS and flash your xperia (it fails).
(6) you can get zipfiles1.zip on SEUS top folder.
this zipfile includes signed system and data filesystem images.
(7) remove dump1 file.
(8) perform SEUS and flash your xperia (it succeeds).

From another post by goroh_kun
> Did you change the ro.secure=0 or did u add a bootloader with root access to it? I got the files now but the problem is that u used a Japanese version of the firmware... or is that really a problem?

Yes, I tried to flash patched image, ro.secure=0. but I couldn't flash it because of signature validation error.
I tried to dump files with UK version and HK version, it works well.

From goroh_kun -
Post #541 and #542 of root bounty thread (Also look at other posts ahead)

From balsat -

I'm messing around with a 2.6.29 exploit for the HTC tattoo, it might work on the X10 if they haven't closed the hole.
Root exploit
I uploaded the m7 file to /data/local/bin with "adb push m7 /data/local/bin/m7" opened a shell on the phone with "adb shell" changed the permissions with "adb chmod 755 /data/local/bin/m7" and started the exploit with "cd /data/local/bin" "while `true` ; do /data/local/bin/m7; done" after a while i got this output :

usage: reboot [-n] [-p] [rebootcommand]
exit!
reroc/8446/cmdline[ WIN! 8446
EIP: 70000484 Instruction executed: e01858cd
[ Overwritten 0x70000484

But I still got NO root, id tells me:
$ /system/bin/id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)

And it somehow fucks with the PATH :
$ ls
ls: not found
$ Cannot set process group (Operation not permitted) at 225

Maybe a hardcore coder can change the program so it will work!?

- Post #462 to #465 on root bounty thread

From Bin4ry -
So ...
working since yesterday has brought this:
http://rapidshare.com/files/382355748/tardis.tar.bz2

The problem is after compiling the program crashes with a segmentation fault.
Is someone here with good c-coding skills to correct the code please? I HOPE it should give us root after correcting my mistake oO

- Post #591 of root bounty thread

- Here's the X10 debranding thread at Esato:
http://www.esato.com/board/viewtopic.php?topic=195405

-Xperia X10 System Files
http://balsat.hopto.org/sex10/

These files are available in the /etc directory.

-rw-r--r-- root root 4217 2010-03-10 08:53 AudioFilter.csv
-rw-r--r-- root root 1971 2010-03-10 08:53 vold.conf
-rw-r--r-- root root 735 2010-03-10 08:53 gps.conf
-rw-r--r-- root root 177 2010-03-10 08:53 pvasflocal.cfg
-rw-r--r-- root root 7353 2010-03-10 08:53 event-log-tags
-rw-r--r-- root root 3365 2010-03-10 08:53 init.es209ra.bt.sh
-rw-r--r-- root root 458 2010-03-10 08:53 pvplayer.cfg
-rw-r--r-- root root 25 2010-03-10 08:53 hosts
-rw-r--r-- root root 1719 2010-03-10 08:53 loc_parameter.ini
-r--r----- bluetooth bluetooth 935 2010-03-10 08:53 dbus.conf
-rw-r--r-- root root 9390080 2010-03-10 08:53 dop.iso
-rw-r--r-- root root 96 2010-03-10 08:53 01_qc.cfg
-rw-r--r-- root root 197 2010-03-10 08:53 pvasfstreaming.cfg
-rw-r--r-- root root 2037 2010-03-10 08:53 bookmarks.xml
drwxr-xr-x root root 2010-03-10 08:53 semc
drwxr-xr-x root root 2010-03-10 08:53 firmware
drwxr-xr-x root root 2010-03-10 08:53 ppp
drwxr-xr-x root root 2010-03-10 08:53 permissions
drwxr-xr-x root root 2010-03-10 08:53 bluez
drwxr-xr-x root root 2010-03-10 08:53 dbus_bt
drwxr-xr-x root root 2010-03-10 08:53 security
drwxr-xr-x root root 2010-03-10 08:53 dhcpcd
drwxr-xr-x root root 2010-03-10 08:53 wifi
-rw-r--r-- root root 60179 2010-03-10 08:53 NOTICE.html.gz
-rw-r--r-- root root 275 2010-03-10 08:53 pvextensions.cfg
-rw-r--r-- root root 87 2010-03-10 08:53 mount_iso.sh
-r-xr-x--- root shell 1176 2010-03-10 08:53 init.goldfish.sh
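
Zephyrix's note above turns on the ro.secure value in default.prop, and the id output in balsat's post shows the uid=2000(shell) identity a locked-down build gives the adb shell. The following is an added example, not code from the thread or from Sony Ericsson's tooling: a small auditor that checks a default.prop for settings that deviate from a production configuration. The sample property text is constructed, and treating an absent ro.secure as a finding is a policy assumption of this example.

```python
# Added example: audit an Android default.prop for root-shell/debug settings.
# Both sample property files below are constructed, not taken from an X10 image.

# Value each property is expected to carry on a locked-down production build.
EXPECTED = {
    "ro.secure": "1",                   # adbd drops to the shell user when 1
    "ro.debuggable": "0",               # 1 marks the build as debuggable
    "persist.service.adb.enable": "0",  # 1 starts the adb daemon by default
}

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments.
    Every assignment is kept, so conflicting duplicates stay visible."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props.setdefault(key.strip(), []).append(value.strip())
    return props

def audit(text):
    """Return (key, found, expected) for every deviating assignment.
    Assumption of this example: an absent ro.secure is reported (found=None)."""
    props = parse_props(text)
    findings = []
    for key, want in EXPECTED.items():
        values = props.get(key)
        if values is None:
            if key == "ro.secure":
                findings.append((key, None, want))
            continue
        # Flag each bad value, even if a later duplicate line looks correct.
        findings.extend((key, got, want) for got in values if got != want)
    return findings

SAMPLE_STOCK = """# constructed sample: production-style settings
ro.secure=1
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=0
"""

SAMPLE_MODIFIED = """# constructed sample: tampered settings with a decoy line
ro.secure=0
ro.debuggable=1
persist.service.adb.enable=1
ro.secure=1
"""

if __name__ == "__main__":
    for name, text in (("stock", SAMPLE_STOCK), ("modified", SAMPLE_MODIFIED)):
        print(name, audit(text) or "ok")
```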