
·
Registered
Joined
·
22 Posts
This is for original Droid2 and Droid R2D2. If you have issues booting after root, check the end of this post.

I've been working on root for a few days after having to flash stock 621. I've tested this with my R2D2 running 621.

7/25/2012 - Thanks to beh for putting together an EzSBF cd for this! Just burn, boot from CD and follow the directions. It can flash to the stock 621 update for those that want the stock Gingerbread image, then gives you the option to root if you like. You can also create a bootable USB stick with the iso using http://unetbootin.sourceforge.net/

Droid 2 621 EzSBF with root option
The MD5 is e50bc7914c4852ca32e9f08f7744c056

The instructions below work, but beh's EzSBF is far superior.

If you want to use CyanogenMod 7.2 after root with this method check this post.

Windows (Easy way)
Install Motorola drivers and RSD Lite if you don't already have them installed.
Get RootDroid2update.7z (md5 sum FCB9D5BC5225894CA66A9729E3FFD1C5), extract folder, run RootDroid2.bat and follow the instructions.
You'll have to flash the phone as part of the process.

Linux (Easy way)
You'll need adb and sbf_flash.
1) Download the RootDroid2update file (md5 sum FCB9D5BC5225894CA66A9729E3FFD1C5), extract it wherever you like.
2) Using adb enter "adb shell ln -s /data/local.prop /data/preinstall_md5/magic.md5"
3) Flash using sbf file in download, wait for full boot.
4) Reboot again.
5) "adb shell" should be root, you can now install the root utils from the zip

Linux (Long way)
What you need: Stock SBF (thanks to droid-developers.org), custom preinstall.img (md5 sum 02A7EB41DF2622974912E8D143295E9F), adb (from android sdk), and sbf_flash

1) Enable USB debugging on your phone and send this adb command:

adb shell ln -s /data/local.prop /data/preinstall_md5/magic.md5

2) Unpack the custom preinstall file, then reboot your phone into flash mode by holding the up arrow on the keypad. Then send the custom SBF file with sbf_flash:
sbf_flash -r --preinstall preinstall.img <stock sbf filename>

(For example, I used 1FF-p2a_droid2_cdma_droid2-user-2.3.4-4.5.1_57_DR4-51-120117-release-keys-signed-Verizon-US.sbf so the command is "sbf_flash -r --preinstall preinstall.img 1FF-p2a_droid2_cdma_droid2-user-2.3.4-4.5.1_57_DR4-51-120117-release-keys-signed-Verizon-US.sbf")

3) Wait for phone to boot after flashing, then reboot again one final time.
4) "adb shell" should give you a root prompt (# instead of $)

5) Send superuser utils from http://androidsu.com/superuser/

adb shell mount -o remount,rw /dev/block/system /system
adb push su /system/bin/su
adb shell chmod 4755 /system/bin/su

adb push Superuser.apk /system/app/Superuser.apk
adb shell chmod 644 /system/app/Superuser.apk
adb shell mount -o remount,ro /dev/block/system /system

Thanks to Dan Rosenberg (djrbliss) and those that helped him research http://vulnfactory.o...ng-the-droid-3/ for ideas :)

Important
If you are having issues booting, you may need to remove the exploit files and clear the cache, as reported by Morlok8k.

Literally almost every other reboot was failing...

so i went into terminal emulator (this could also be done in adb shell, i guess)

i did the following:

su
rm /data/preinstall_md5/magic.md5
rm /system/preinstall/md5/magic.md5
rm /system/preinstall/app/magic

then i went into clockworkmod recovery and cleared the cache. (not data and cache, just cache)

I have rebooted many times since doing the above (i did each one with some reboots in between, just to see which step fixed it), but clearing the cache after removing the hack has seemed to fix my issue.

I don't know how other devices are handling your hack but my Droid 2 Global needed the hack cleaned up to restore stability. It works though! very clever.
 

·
Registered
Joined
·
22 Posts
Well there's an exploit in loadpreinstall.sh. It compares md5 sum files of preinstalled apps and if they're different, copies the md5 to the local cache. The preinstall just has an empty file in app/ so it will parse the md5 for it. Instead of an md5 sum, it contains a local.prop that allows adb root shell. So the system thinks it's copying the md5sum to the cache when it bounces off the symlink and overwrites the /data/local.prop, giving adb root on next reboot. You can modify CG66 without the phone barfing on startup.
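
Added example, not part of the original post and not the contents of loadpreinstall.sh: a sandboxed sketch of the link-following weakness described above, with a copy routine that does not write through a planted symlink. The function names and the temp-dir layout are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sandbox: directory names echo the thread's paths but everything
# lives under a temp dir. This is not the real loadpreinstall.sh.

# Pattern the post describes: copy the md5 file onto the cache path.
# cp opens the destination by name, so a symlink planted there is followed.
copy_following_links() {
    cp "$1" "$2"
}

# Hardened copy: never open the destination path itself. Write a temp file in
# the same directory and rename it over the destination; rename replaces a
# symlink instead of writing through it.
copy_replacing_links() {
    src=$1; dst=$2
    # -d follows links, so this also rejects a link that points at a directory
    [ -d "$dst" ] && return 1
    tmp=$(mktemp "$(dirname "$dst")/.md5.XXXXXX") || return 1
    if cat "$src" > "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Build the sandbox, run the chosen copy function ($1), print local.prop.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/data/preinstall_md5" "$root/preinstall/md5"
    echo "ro.sys.atvc_allow_all_adb=0" > "$root/data/local.prop"
    # stands in for the "md5" file that really holds property text
    echo "ro.sys.atvc_allow_all_adb=1" > "$root/preinstall/md5/magic.md5"
    ln -s "$root/data/local.prop" "$root/data/preinstall_md5/magic.md5"
    "$1" "$root/preinstall/md5/magic.md5" "$root/data/preinstall_md5/magic.md5"
    cat "$root/data/local.prop"
    rm -rf "$root"
}

echo "cp through link: $(demo copy_following_links)"
echo "temp + rename:   $(demo copy_replacing_links)"
```

The rename only stops the write from landing on the link target; a cache directory that an unprivileged shell user can create entries in, as the `adb shell ln -s` step shows, should also be locked down.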
 

·
Registered
Joined
·
22 Posts
Discussion Starter · #8 ·
Ok so fuck it I'll give this a whirl. I'm just letting my battery charge up.

Quick question... Flashing .621 over my .622 will work right? Assuming, yes, since Droid 2 SBF's always worked on the R2D2.
I just tried and it worked, other than an error message saying it couldn't load the Best of R2D2. I also use a Droid R2D2 =)
 

·
Registered
Joined
·
22 Posts
Discussion Starter · #11 ·
Sure can, the only reason a SBF flash is needed is to add two files to part of the file system that is not normally writable. Flashing the whole phone for 2 files (1 empty, the other 10 lines of text) is a bit silly, but a limitation of RSD Lite.
 

·
Registered
Joined
·
22 Posts
Wait, so a rooting method so we can flash custom recovery and get off of this stock ROM?

Oh goodness, PLEASE, I hope that this method tweaked a bit will work for the Global because I haven't had the balls to try and brick and unbrick my phone in order to finally try and get off of stock again...
In theory this should work on the D2 Global. The 629 sbf seems to have the same vulnerability, but I don't have a D2G to test it on. You'd need linux and have to use the long method. I just don't know if the exploit would run or if the preinstall code group is verified on boot (it probably isn't, which is good for us.)
 

·
Registered
Joined
·
22 Posts
slogar25, check if linux is recognizing your phone by typing "lsusb" to list usb devices. There should be Motorola PCS or something similar listed. If it's there, you might need to su to root or put "sudo" in front of sbf_flash to run as root.
 

·
Registered
Joined
·
22 Posts
Discussion Starter · #30 ·
It might not work on that phone then
"adb shell ln -s /data/local.prop /data/preinstall_md5/magic.md5" without quotes. I sent you a PM, it might be easier to go back and forth through that or AIM and not clutter up this thread.

Phantom, did you root a D2 or D2 global?
 

·
Registered
Joined
·
22 Posts
Discussion Starter · #32 ·
After flashing the fixed sbf and the phone automatically reboots, you have to reboot 1 more time, but yes :)
 

·
Registered
Joined
·
22 Posts
Hm. First do "adb shell cat /data/local.prop" if it has "ro.sys.atvc_allow_all_adb=1", reboot and "adb shell" should give you a root prompt #. Otherwise flash the fixed sbf, then reboot again after phone automatically boots from the flash process. It's important that the phone comes up fully after you flash the sbf before rebooting again. What model phone?

You might just need to remove the link and recreate it just in case it points to the wrong place
"adb shell rm /data/preinstall_md5/magic.md5"
"adb shell ln -s /data/local.prop /data/preinstall_md5/magic.md5"
Then flash if you haven't, but reboot again
 

·
Registered
Joined
·
22 Posts
Discussion Starter · #40 ·
Even with the big FAIL "Error verifying Code Group 66 checksums" the phone will boot fine. Code group 66 is modified with files that make the exploit work. If you rebooted the phone after getting the error you likely have root :)
 

·
Registered
Joined
·
22 Posts
That's new to me.. The md5 sums for the downloaded files should be
F9E9B920B83EC1837F3E520812A84D76 RootDroid2.7z
308734B3863A36937401FDC3AB661904 A955.2.3.4.fixed.sbf

Sorry to ask but are you sure it's not a Droid 2 Global? Take out your battery and look for Model: It should be A955 or A957 for this method. If you can get a shell via "adb shell" at a command prompt and list the output of "cat /data/local.prop", "ls /data/preinstall_md5/", "ls /preinstall/app/", and "ls /preinstall/md5/" it would be helpful. The only other idea I have without getting further info is try a factory reset from the recovery menu and flash again.

Sorry your root is going so craptastic.
 

·
Registered
Joined
·
22 Posts
http://img4.imagesha...rootproblem.jpg

Any thoughts? This method appears to have something to do with preinstall_md5/magic.md5, but there appears to be a problem on my phone. It flashed until I got the CodeGroup 66 error, but the phone did not restart. The instructions say to wait until "phone has fully rebooted", but when rebooting my phone it states "Code Corrupt".

Thoughts?
It sounds like something other than code group 66 didn't flash correctly. The "rm failed" is ok, I just put it there in case a file is there instead of the link. As long as the "Creating link." step doesn't error, it's ok. As for "code corrupt" it sounds like something didn't flash correctly. Make sure the md5 sums match what is listed above to make sure the downloaded files aren't corrupted.
 

·
Registered
Joined
·
22 Posts
RSD Lite doesn't verify the checksum until after it's flashed to the phone, so that shouldn't be a problem. I fixed the checksum error since it will make the process a bit smoother (not yet ready). The exact same thing happened to me while testing the new checksum fixed sbf. RSD Lite was stuck at 99%, phone stuck on "SW Update in progress.." and I had to remove the battery. Then got "Code Corrupt" bootloader screen once I put the battery back. I flashed with RSD Lite again from that screen and the phone rebooted at the end of flashing, but RSD still said failed, but 100% executed. I hate flashing with RSD Lite because it can be somewhat flaky.
 

·
Registered
Joined
·
22 Posts
Updated files to smooth things out a bit.

So does anyone know if this will work on a droid x or not?
Do not flash with the windows/easy packages, it will likely soft-brick your droid x. If you're comfortable enough flashing using linux, the long method should work, just be sure to include the DroidX SBF instead of the Droid2.
 

·
Registered
Joined
·
22 Posts
I feel like I know just enough to be dangerous to myself.

I followed the easy linux instructions (but using a mac), flashed the fixed sbf and rebooted twice with no problem. However, I still don't seem to have root as none of my root-only programs are able to gain root access. What am I missing?

This is on a Droid2.

Thanks.
The root utils probably need to be installed. Cd to wherever you unpacked the zip and enter:

adb shell mount -o remount,rw /dev/block/system /system
adb push su /system/bin/su
adb shell chown root.root /system/bin/su
adb shell chmod 4755 /system/bin/su
adb push Superuser.apk /system/app/Superuser.apk
adb shell chown root.root /system/app/Superuser.apk
adb shell chmod 644 /system/app/Superuser.apk
adb shell mount -o remount,ro /dev/block/system /system
 

·
Registered
Joined
·
22 Posts
Discussion Starter · #75 ·
Thanks for testing and the writeup Morlok8k! I suspect this works for a lot of Motorola phones at the moment, though most have already rooted. :)

Sorry I didn't respond sooner, but yes I did mean the D2 preinstall file. Stock, the preinstall area only contains Flash player and Need For Speed. It doesn't seem to have any critical system files. While testing, I flashed a preinstall image with exploit data only (shrunk to 10MB) and the phone worked fine.
 

·
Registered
Joined
·
22 Posts
Thanks Morlok8k. I put the information in the main post, just in case it pops up for others. I'll also update the 1-click to clean up after itself. It crossed my mind, but I didn't think it would be too much of a problem. Whoops.
 

·
Registered
Joined
·
22 Posts
I think it would work fine on the droid X2 also. The file size doesn't seem to matter. When I was testing on the D2, I wiped the cruft and shrunk the preinstall.img to 10MB uncompressed. It flashes a whole lot faster than 250MB
The only issue is if /preinstall contained crucial system data. On the D2 it only had flash player and need for speed.

Also, you can't write the preinstall while the phone is running, it's mounted read only. Part of the reason the exploit works is that the phone doesn't dump you to bootloader on startup with a modified CG66 (preinstall), which is why flashing with RSDLite or sbf_flash is necessary. To make an image, just mount preinstall (CG66.img), make an empty file in app/, adb pull /data/local.prop and change ro.sys.atvc_allow_all_adb=0 to ro.sys.atvc_allow_all_adb=1 and copy it to md5/file.md5, where "file" is the name of the file you created earlier. Unmount and flash :)

Making an SBF for RSDLite is a bit more involved. With an already rooted phone and the preinstall data flashed in place, dd if=/dev/block/preinstall of=/mnt/sdcard/CG66.smg then repack the SBF with the wonderful SBFcodec replacing stock CG66 with the one you just made.
 