Piratenpartei Zürich
PC 85-112704-0

Der Politnetz Auftritt von Marc Wäckerlin Im Politnetz unterstützen

Root Asus Transformer T101G ICS on Linux

To get root on Asus Transformer T101G ICS, there are some Windoze-batch files around, but running that file first only works on Windoze, not on Linux and second you don't know what happens.

Sources: The expolit is known as «miloj TF300 exploit» and I got my information by analyzation of, but a better explanation and simpler approach is at


Precondition: You must install the Android SDK for Linux to get the tool adb. Mine is in stalled in ~/android-sdks/platform-tools/adb, so on a shell in a terminal, I define an alias to be able to call adb without having to set the full path or to change the $PATH variable:

alias adb=/home/marc/android-sdks/platform-tools/adb

Now adb calls /home/marc/android-sdks/platform-tools/adb and passes the parameter, but in only this shell.

An your Andorid, in the settings, section developer you must enable debugging.

If you are successful, then the command adb devices lists your device.

Check Android Version

Android must be in Version ICS, otherwise forget it.

Check it, the following command must give a version number, that starts with 9:

adb shell getprop

I get WW_epad- which is perfectly fine.

The Hack

Call adb shell, then call:

mv /data/local/tmp /data/local/tmp.bak
ln -s /dev/block/mmcblk0p1 /data/local/tmp

That removes /data/local/tmp and fakes a new temprary dir, that points to /system (note device /dev/block/mmcblk0p1 is mounted to /system).

If everything was correct, ls -l in /data/local now shows:

shell@android:/data/local $ ls -l
lrwxrwxrwx shell    shell             2012-08-20 14:23 tmp -> /dev/block/mmcblk0p1
drwxrwx--x shell    shell             2009-01-01 02:31 tmp.bak

Now press ctrl-D or call exit to quit the adb shell and reboot the device:

adb reboot

Now wait for the device to reappear:

adb wait-for-device

Download the files su, debugfs and push them to your Android by typing: <source bash> adb push su /data/local; adb push debugfs /data/local; </source>

Start a shell on your android device calling adb shell, then enter:

cd /data/local
chmod 755 debugfs

This makes debugfs executable.

Now use debugfs and the faked link to copy su into /system/xbin/su:

/data/local/debugfs -w /data/local/tmp
debugfs: cd xbin

At this place, if you previously installed su, remove it first:

debugfs: rm su

If you call rm su but have not installed it, you get an error message here, simply ignore it.

debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit

Stay in adb shell and cleanup:

cd /data/local
rm tmp su debugfs
mv tmp.bak tmp

Leave adb shell by hitting ctrl-D or typing exit and reboot once more:

adb reboot
adb wait-for-device

Now you're the master of your device, call adb shell then test if you can get root:

adb shell
$ /system/xbin/su
# id
id=0(root) gid=0(root) ....
# exit
$ exit

Now immediately disable USB-debugging and install Superuser from the market.