Nexbook AMlogic root WORK!


    Originally posted by ozymandiaz
    HEY now! This: http://forum.xda-developers.com/show....php?t=1924657 suggests that Busybox can be used as an alternative to typical rooting. Basically using busybox to place su in the /xbin or perhaps /bin directory? We do have busybox installed in the stock rom, so this might be another avenue!
    Did you try loading the update?

    EDIT: I just tried it from internal SD memory - signature verification failed.
    Nextbook Premium 8 SE (Next8P12) - * ROOTED * (Sold on ****)
    AML8726-M3 Cortex A9 @ 1GHz

    Nextbook Premium 8 HD (N0008HD8G) - * ROOTED *

    Nextbook 8 (NX785QC8G) - STOCK (unfortunately)

    Comment


      Originally posted by eegorr
      Did you try loading the update?

      EDIT: I just tried it from internal SD memory - signature verification failed.
      Yes, but since we already have Busybox it might open up some commands / exploits to get a su binary onto this thing... I'm digging around but not finding anything conclusive yet.

      Comment


        Originally posted by ozymandiaz
        Yes, but since we already have Busybox it might open up some commands / exploits to get a su binary onto this thing... I'm digging around but not finding anything conclusive yet.
        I posted this a few days ago in the other thread: http://www.freaktab.com/showthread.p...ll=1#post40415

        The bottom half of the post shows the version of busybox that is installed and supported commands.

        EDIT: symlink is not a supported command in the busybox as installed on our tablets.

        Comment


          Originally posted by eegorr
          I posted this a few days ago in the other thread: http://www.freaktab.com/showthread.p...ll=1#post40415

          The bottom half of the post shows the version of busybox that is installed and supported commands.
          They're all listed out in the /xbin directory but the text list helps for running searches! Based on the XDA post we could possibly put the su binary somewhere on the sd card or internal storage and set up a link ("ln" command I believe) between it and the /system/bin folder. I don't know what the heck I'm doing with anything beyond the basic ADB / fastboot commands but I'm all for trying out whatever I find.

          Comment


            Originally posted by ozymandiaz
            They're all listed out in the /xbin directory but the text list helps for running searches! Based on the XDA post we could possibly put the su binary somewhere on the sd card or internal storage and set up a link ("ln" command I believe) between it and the /system/bin folder. I don't know what the heck I'm doing with anything beyond the basic ADB / fastboot commands but I'm all for trying out whatever I find.
            Hey, it's worth a try!

            Comment


              I'm also finding a few files in the /system subdirectories with an RW permission. One of them in the /etc folder (init-pppd) has a rw permission and references Busybox and lists some commands modifying the system directory... I'm wondering if this init file or one like it with a RW permission couldn't be modified to place the su binary where we need it...

              Comment


                I'm starting to go crosseyed so this will probably be my last hoorah for the night. Hopefully this is something usable. Contents of the /system/etc/init-pppd.sh file, which has a RW permission and is editable to run busybox and it looks like other commands on the system directories. Based on a quick check on XDA this file is used to run or control connectivity hardware. Probably grasping at straws, but here it is:


                #!/system/bin/sh
                # An unforunate wrapper script
                # so that the exit code of pppd may be retrieved




                # this is a workaround for issue #651747
                #trap "/system/bin/sleep 1;exit 0" TERM


                SCRIPT=`/system/bin/getprop ril.ppp.script`
                USER=`/system/bin/getprop ril.ppp.user`
                PWD=`/system/bin/getprop ril.ppp.pwd`
                APNNAME=`/system/bin/getprop ril.ppp.apn_name`


                CHATSCRIBE="/system/bin/chat ABORT '\nBUSY\r' ABORT '\nNO ANSWER\r' ABORT '\nRINGING\r' TIMEOUT 30 '' \rAT OK AT+CGDCONT=1,\"IP\",\"$APNNAME\" '' ATDT*99***1# CONNECT '' "


                /system/bin/log -t pppd "init-pppd.sh SCRIPT=$SCRIPT"
                /system/bin/log -t pppd "init-pppd.sh user=$USER"
                /system/bin/log -t pppd "init-pppd.sh pwd=$PWD"
                /system/bin/log -t pppd "init-pppd.sh apn_name=$APNNAME"


                if busybox [ "$SCRIPT" = "mcli-cdma" ] ; then
                CHATSCRIBE="/system/bin/chat -s -S TIMEOUT 25 ABORT 'BUSY' '' AT '' ATH0 '' ATDT#777 CONNECT"
                elif busybox [ "$SCRIPT" = "mcli-tdscdma" ] ; then
                CHATSCRIBE="/system/bin/chat TIMEOUT 25 '' AT+CGDCONT=1,\"IP\",\"$APNNAME\" '' ATDT*99***1# CONNECT "
                SCRIPT=mcli-gsm
                fi


                /system/bin/log -t pppd "Starting pppd $CHATSCRIBE"


                #/system/bin/pppd file /system/etc/ppp/peers/mcli
                /system/bin/pppd call $SCRIPT user $USER password $PWD connect "$CHATSCRIBE"




                /system/bin/log -t pppd "init-pppd.sh exited "




                exit $PPPD_EXIT

                Comment


                  Just wanted to say thanks to you guys for going the distance. I've been following everything you've been doing, and I would be helping with testing but I first need to pick up a spare microSD as the one I had I used to run CM9 on my Nook Color.

                  Thanks, guys

                  Comment


                    You cannot write a symlink to /bin or /xbin because system is mounted RW.

                    Try this command in a terminal and see if you can mount it RW. I doubt it will work because usually you have to have root to do this command. But hey... it's worth a try!

                    mount -o rw,remount /system

                    If not you are giving me new ideas. boot.img is pretty basic. I can edit a new boot.img and in init.rc make system RW. I can even make the symlink happen! BUT.... someone will need to risk it and flash boot.img using the tool. Does that flash tool you guys found have the ability to flash only parts of a ROM like boot.img?

                    Bob
                    "Pzebacz im, bo nie wiedzą, co czynią"
                    "Прости им, они не ведают, что творят"
                    "Perdona loro perché non sanno quello che fanno"
                    "Vergib ihnen, denn sie wissen nicht, was sie tun"
                    "Vergeef hen want ze weten niet wat ze doen"
                    "Pardonne-leur car ils ne savent pas ce qu'ils font"
                    "Perdónalos porque no saben que lo que hacen"
                    "Oprosti im, jer ne znaju što čine"
                    "Forgive them as they know not what they do"





                    Comment


                      Hmmmmm that script is interesting!

                      Are you sure you can edit it?

                      Please do this. Edit it and at the beginning add a comment line
                      # test I can write to this file

                      Now save the file. Open it. Did the edit stick?

                      If so we may have found a vulnerability!

                      Bob





                      Comment


                        Where did everyone go? I have some ideas if we can edit that script.

                        I see the script is in fact run from init.rc as root! At least it is in my init.rc file.
                        So we have an exploit I think. Please check your init.rc file and see if it is being called.

                        service pppd_gprs /system/etc/init-pppd.sh
                        user root
                        group radio net_admin cache inet misc
                        disabled
                        oneshot

                        If this script can be edited maybe we can add this to the beginning:
                        mount -o rw,remount /system
                        cp /sdcard/su /system/bin/
                        cp /sdcard/Superuser.apk /system/app
                        chmod 06755 /system/bin/su
                        chown root:root /system/bin/su

                        Of course, from my update.zip extract su and Superuser.apk and put them at the root of the internal sdcard.

                        Bob





                        Comment
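The condition discussed in the post above, a script that init starts as root while its file mode lets a non-root user modify it, is something a firmware review can check for directly. The following is an added example, not code from the thread or from any vendor tool: the function names, the second service, and the file modes in the throwaway tree are constructed for illustration, and it assumes "RW" means the mode grants write to group or others.

```python
import os
import tempfile

# Constructed sample: the stanza quoted in the thread plus a hypothetical service.
SAMPLE_INIT_RC = """\
service pppd_gprs /system/etc/init-pppd.sh
    user root
    group radio net_admin cache inet misc
    disabled
    oneshot
service example_daemon /system/bin/example_daemon
    user system
"""

def parse_services(text):
    """Map service name -> (executable path, user) from init.rc text."""
    services, current = {}, None
    # Blank lines are dropped; '#' comment lines match none of the keywords below.
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] in ("service", "on", "import"):  # each starts a new section
            current = tok[1] if tok[0] == "service" and len(tok) >= 3 else None
            if current:
                services[current] = (tok[2], "root")  # init's default user is root
        elif tok[0] == "user" and len(tok) >= 2 and current:
            services[current] = (services[current][0], tok[1])
    return services

def audit(text, image_root):
    """Return root-run services whose executable is group- or world-writable."""
    findings = []
    for name, (exe, user) in sorted(parse_services(text).items()):
        path = os.path.join(image_root, exe.lstrip("/"))
        if user == "root" and os.path.isfile(path):
            mode = os.stat(path).st_mode & 0o7777
            if mode & 0o022:  # write bit set for group or others
                findings.append((name, exe, oct(mode)))
    return findings

def demo():
    """Audit a throwaway tree whose file modes are constructed for the example."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in (("system/etc/init-pppd.sh", 0o666),
                          ("system/bin/example_daemon", 0o755)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit(SAMPLE_INIT_RC, root)

print(demo())
```

Pointed at an unpacked system image, `audit` only sees mode bits, so it is meaningful only if the unpacking step preserved them; any finding is fixed in the image by shipping the file root-owned with mode 0755 or stricter.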


                          OK, I am going to make a ROM for my Ramos that is not pre-rooted. That is, no su in /bin or /xbin.
                          This will simulate your tablet.
                          Then I will see how to find a way to root it via ADB.

                          Also guys, please give me a dump of your init.rc file and default.prop file!!!
                          This is important that I have this so I can replicate your setup.

                          Bob





                          Comment


                            I'll be out until around 8pm Pacific tonight but as soon as I get home I'll start getting the data and test the file. The permissions on the init-ppp.sh file are definitely showing rw, I was able to rename / copy it in astro file manager

                            Comment


                              Originally posted by Finless
                              Try this command in a terminal and see if you can mount it RW. I doubt it will work because usually you have to have root to do this command. But hey... it's worth a try!

                              mount -o rw,remount /system
                              Using terminal emulator on the tablet, I get the following results:

                              mount: operation not permitted

                              Comment


                                Originally posted by Finless
                                Hmmmmm that script is interesting!

                                Are you sure you can edit it?

                                Please do this. Edit it and at the beginning add a comment line
                                # test I can write to this file

                                Now save the file. Open it. Did the edit stick?

                                If so we may have found a vulnerability!

                                Bob
                                How do we go about editing this file? On the device via the terminal app using sed, or something else?

                                Comment
