Android OS Forum banner
1 - 20 of 313 Posts

·
Registered
Joined
·
22 Posts
This is for original Droid2 and Droid R2D2. If you have issues booting after root, check the end of this post.

I've been working on root for a few days after having to flash stock 621. I've tested this with my R2D2 running 621.

7/25/2012 - Thanks to beh for putting together an EzSBF cd for this! Just burn, boot from CD and follow the directions. It can flash to the stock 621 update for those that want the stock Gingerbread image, then gives you the option to root if you like. You can also create a bootable USB stick with the iso using http://unetbootin.sourceforge.net/

Droid 2 621 EzSBF with root option
[background=rgb(245, 245, 245)]The MD5 is[/background]
[background=rgb(245, 245, 245)]e50bc7914c4852ca32e9f08f7744c056[/background]

The instructions below work, but beh's EzSBF is far superior.

If you want to use CyanogenMod 7.2 after root with this method check this post.

Windows (Easy way)
Install Motorola drivers and RDS Lite if you don't already have them installed.
Get RootDroid2update.7z (md5 sum FCB9D5BC5225894CA66A9729E3FFD1C5), extract folder, run RootDroid2.bat and follow the instructions.
You'll have to flash the phone as part of the process.

Linux (Easy way)
You'll need adb and sbf_flash.
1) Download the RootDroid2update file (md5 sum FCB9D5BC5225894CA66A9729E3FFD1C5), extract it wherever you like.
2) Using adb enter "adb shell ln -s /data/local.prop /data/preinstall_md5/magic.md5"
3) Flash using sbf file in download, wait for full boot.
4) Reboot again.
5) "adb shell" should be root, you can now install the root utils from the zip

Linux (Long way)
What you need: Stock SBF (thanks to droid-developers.org), custom preinstall.img (md5 sum 02A7EB41DF2622974912E8D143295E9F), adb (from android sdk), and sbf_flash

1) Enable USB debugging on your phone and send this adb command:

adb shell ln -s /data/local.prop /data/preinstall_md5/magic.md5

2) Unpack the custom preinstall file, then reboot your phone into flash mode by holding the up arrow on the keypad. Then send the custom SBF file with sbf_flash:
sbf_flash -r --preinstall preinstall.img <stock sbf filename>

(For example, I used 1FF-p2a_droid2_cdma_droid2-user-2.3.4-4.5.1_57_DR4-51-120117-release-keys-signed-Verizon-US.sbf so the command is "sbf_flash -r --preinstall preinstall.img 1FF-p2a_droid2_cdma_droid2-user-2.3.4-4.5.1_57_DR4-51-120117-release-keys-signed-Verizon-US.sbf")

3) Wait for phone to boot after flashing, then reboot again one final time.
4) "adb shell" should give you a root prompt (# instead of $)

5)Send superuser utils from http://androidsu.com/superuser/

adb shell mount -o remount,rw /dev/block/system /system
adb push su /system/bin/su
adb shell chmod 4755 /system/bin/su

adb push Superuser.apk /system/app/Superuser.apk
adb shell chmod 644 /system/app/Superuser.apk
adb shell mount -o remount,ro /dev/block/system /system

Thanks to Dan Rosenberg (djrbliss) and those that helped him research http://vulnfactory.o...ng-the-droid-3/ for ideas :)

Important
If you are having issues booting, you may need to remove the exploit files and clear the cache, as reported by Morlok8k.

Literary almost every other reboot was failing...

so i went into terminal emulator (this could also be done in adb shell, i guess)

i did the following:

su
rm /data/preinstall_md5/magic.md5
rm /system/preinstall/md5/magic.md5
rm /system/preinstall/app/magic

then i went into clockworkmod recovery and cleared the cache. (not data and cache, just cache)

I have rebooted many times since doing the above (i did each one with some reboots in between, just to see which step fixed it), but clearing the cache after removing the hack has seemed to fix my issue.

I don't know how other devices are handling your hack but my Droid 2 Global needed the hack cleaned up to restore stability. It works though! very clever.
 

·
Registered
Joined
·
22 Posts
Well there's an exploit in loadpreinstall.sh. It compares md5 sum files of preinstalled apps and if they're different, copies the md5 to the local cache. The preinstall just has an empty file in app/ so it will parse the md5 for it. Instead of an md5 sum, it contains a local.prop that allows adb root shell. So the system thinks it's copying the md5sum to the cache when it bounces off the symlink and overwrites the /data/local.prop, giving adb root on next reboot. You can modify CG66 without the phone barfing on startup.
 

·
That guy who&#39;s not sexy but thinks he is.
Joined
·
120 Posts
Ok so fuck it I'll give this a whirl. I'm just letting my battery charge up.

Quick question... Flashing .621 over my .622 will work right? Assuming, yes, since Droid 2 SBF's always worked on the R2D2.
 

·
You can haz Developer Status
Joined
·
1,090 Posts
Well there's an exploit in loadpreinstall.sh. It compares md5 sum files of preinstalled apps and if they're different, copies the md5 to the local cache. The preinstall just has an empty file in app/ so it will parse the md5 for it. Instead of an md5 sum, it contains a local.prop that allows adb root shell. So the system thinks it's copying the md5sum to the cache when it bounces off the symlink and overwrites the /data/local.prop, giving adb root on next reboot. You can modify CG66 without the phone barfing on startup.
What an interesting method... not unlike other root tools, except in how it's delivered. :D
 

·
Registered
Joined
·
22 Posts
Discussion Starter · #8 ·
Ok so fuck it I'll give this a whirl. I'm just letting my battery charge up.

Quick question... Flashing .621 over my .622 will work right? Assuming, yes, since Droid 2 SBF's always worked on the R2D2.
I just tried and it worked, other than an error message saying it couldn't load the Best of R2D2. I also use a Droid R2D2 =)
 

·
That guy who&#39;s not sexy but thinks he is.
Joined
·
120 Posts
Cool cool, I'm almost about to give it a go. Battery is almost done.

Few more questions...
-We can flash ROM's back over this, right? I'm rooting it regardless just to give Moto the finger.
-Should I use the Full Droid 2 SBF first since I have an R2D2 or is using the one mentioned in your little tutorial good?
(I just don't wanna hose my phone)
 

·
Registered
Joined
·
22 Posts
Discussion Starter · #11 ·
Sure can, the only reason a SBF flash is needed is to add two files to part of the file system that is not normally writable. Flashing the whole phone for 2 files (1 empty, the other 10 lines of text) is a bit silly, but a limitation of RDS Lite.
 

·
Registered
Joined
·
1 Posts
Did this last night and worked perfectly!

Thank you so much for providing me the means get rid of that atrocious Motorola Gingerbread ROM. This really does deserve some extra praise since so many had tried and failed to get a consistant root method.

So thanks again!!
 

·
Android Apprentice
Joined
·
149 Posts
Wait, so a rooting method so we can flash custom recovery and get off of this stock ROM?

Oh goodness, PLEASE, I hope that this method tweaked a bit will work for the Global because I haven't had the balls to try and brick and unbrick my phone in order to finally try and get off of stock again...
 

·
You can haz Developer Status
Joined
·
1,090 Posts
Wait, so a rooting method so we can flash custom recovery and get off of this stock ROM?

Oh goodness, PLEASE, I hope that this method tweaked a bit will work for the Global because I haven't had the balls to try and brick and unbrick my phone in order to finally try and get off of stock again...
You can't brick a Moto phone... It's near impossible. And according to how it works, you /should/ be trying it as it's non-destructive.
 

·
Registered
Joined
·
22 Posts
Wait, so a rooting method so we can flash custom recovery and get off of this stock ROM?

Oh goodness, PLEASE, I hope that this method tweaked a bit will work for the Global because I haven't had the balls to try and brick and unbrick my phone in order to finally try and get off of stock again...
In theory this should work on the D2 Global. The 629 sbf seems to have the same vulnerability, but I don't have a D2G to test it on. You'd need linux and have to use the long method. I just don't know if the exploit would run or if the preinstall code group is verified on boot (it probably isn't, which is good for us.)
 

·
Androidian
Joined
·
301 Posts
So, help an idiot grasp what all this means. Does this simply allow folks to run kicking & screaming as fast as possible away from .621/622, or does this also allow folks to keep the new features of .621/622 like the "Wireless Alerting System" & still flash custom ROMs? I'm guessing the second point is possible, but only if devs purposely merge the new features into custom ROMs like Cyanogen or MIUI?
 

·
ヤンデレ
Joined
·
836 Posts
The “new features” are included in the stock ROM and installing a custom ROM will of course kill these. It's not about merging, it's about developing these from scratch if they aren't in AOSP and are proprietary Blur enhancements.
 
1 - 20 of 313 Posts
Top