Root Asus Transformer T101G ICS on Linux
To get root on Asus Transformer T101G ICS, there are some Windoze-batch files around, but running that file first only works on Windoze, not on Linux and second you don't know what happens.
Sources: The expolit is known as «miloj TF300 exploit» and I got my information by analyzation of http://forum.xda-developers.com/showthread.php?t=1689193, but a better explanation and simpler approach is at http://forum.xda-developers.com/showthread.php?t=1704209.
Preparations
Precondition: You must install the Android SDK for Linux to get the tool adb
. Mine is in stalled in ~/android-sdks/platform-tools/adb
, so on a shell in a terminal, I define an alias to be able to call adb
without having to set the full path or to change the $PATH
variable:
alias adb=/home/marc/android-sdks/platform-tools/adb
Now adb
calls /home/marc/android-sdks/platform-tools/adb
and passes the parameter, but in only this shell.
An your Andorid, in the settings, section developer
you must enable debugging
.
If you are successful, then the command adb devices
lists your device.
Check Android Version
Android must be in Version ICS 4.0.xxx, otherwise forget it.
Check it, the following command must give a version number, that starts with 9
:
adb shell getprop ro.build.version.incremental
I get WW_epad-9.2.2.6-20120525
which is perfectly fine.
The Hack
Call adb shell
, then call:
mv /data/local/tmp /data/local/tmp.bak ln -s /dev/block/mmcblk0p1 /data/local/tmp
That removes /data/local/tmp
and fakes a new temprary dir, that points to /system
(note device /dev/block/mmcblk0p1
is mounted to /system
).
If everything was correct, ls -l
in /data/local
now shows:
shell@android:/data/local $ ls -l lrwxrwxrwx shell shell 2012-08-20 14:23 tmp -> /dev/block/mmcblk0p1 drwxrwx--x shell shell 2009-01-01 02:31 tmp.bak
Now press ctrl-D
or call exit
to quit the adb shell
and reboot the device:
adb reboot
Now wait for the device to reappear:
adb wait-for-device
Download the files su, debugfs and push them to your Android by typing: <source bash> adb push su /data/local; adb push debugfs /data/local; </source>
Start a shell on your android device calling adb shell
, then enter:
cd /data/local chmod 755 debugfs
This makes debugfs
executable.
Now use debugfs
and the faked link to copy su
into /system/xbin/su
:
/data/local/debugfs -w /data/local/tmp debugfs: cd xbin
At this place, if you previously installed su
, remove it first:
debugfs: rm su
If you call rm su
but have not installed it, you get an error message here, simply ignore it.
debugfs: write /data/local/su su debugfs: set_inode_field su mode 0106755 debugfs: set_inode_field su uid 0 debugfs: set_inode_field su gid 0 debugfs: quit
Stay in adb shell
and cleanup:
cd /data/local rm tmp su debugfs mv tmp.bak tmp
Leave adb shell
by hitting ctrl-D
or typing exit
and reboot once more:
adb reboot adb wait-for-device
Now you're the master of your device, call adb shell
then test if you can get root:
adb shell $ /system/xbin/su # id id=0(root) gid=0(root) .... # exit $ exit
Now immediately disable USB-debugging and install Superuser
from the market.
Diskussion