
Thread: Toshiba Excite 10 SE (AT300SE) root [SOLVED]

  1. #231
    Thrive Lurker
    Member #
    28528
    Join Date
    Dec 2016
    Posts
    7
    Liked
    0 times
    Thanks pio_masaki. Just one last question, if you don't mind.
    Can I access the /system when it boots for recovery menu?
    ADB seems to not be able to find the device...

    I think I bricked it after I changed the name of the device model and manufacturer on build.prop and would try to undo it.

  3. #232
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1904 times
    Twitter
    piomasaki
    If you can get ADB to work then you can access /system IF you retained root.

    If you've never used ADB on it before it may be tricky, but adb comes up almost as soon as the sparkles do.

    Once you see it with ADB devices you can use a root shell to fix your build.prop. I won't get into the step how unless it's needed, and it would be tedious on phone keyboard lol.

    Of note, even the "unrootable" AT300 gives up a root shell, we just can't write to /system, so nothing permanent can be done. The AT300SE had a fluke update where the kernel module was left out that prevents it.

    That said, it can be done, I've done it quite a few times on the AT300. Even have a script set up for triggering the exploit for root shell, just never got past sealime.

    Sent from my A0001 using Tapatalk

    Edit: just realized you want to use recovery for ADB, no, you can't access /system from it, it's just the stock 3e recovery, only signed zips will flash from it, we can't manually change anything like cwm or TWRP. Bootloader SIG checks recovery, so we can't just put a custom one there.
    Last edited by pio_masaki; 12-19-2016 at 07:35 AM. Reason: Oops
    JB/ICS OC Kernels | My ROMs section | TWRP Recovery for Thrive
    CM10 General Thread | Jelly Bean Guide
    Donations, always appreciated!
    Need a rollback or reflash? Just send a PM!

  4. #233
    Thrive Lurker
    Member #
    28528
    Join Date
    Dec 2016
    Posts
    7
    Liked
    0 times
    Thanks A LOT pio_masaki. Yes, problem is I never see the 'sparkles', only the Toshiba logo. Guess I will have to bring it to Toshiba.

    PS: Computer still detects something's there, but ADB fails to work...

  5. #234
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1904 times
    Twitter
    piomasaki
    Quote Originally Posted by Quid View Post
    Thanks A LOT pio_masaki. Yes, problem is I never see the 'sparkles', only the Toshiba logo. Guess I will have to bring it to Toshiba.

    PS: Computer still detects something's there, but ADB fails to work...
    That's likely the APX mode, I know some, or all, tegra devices will fault to APX mode for repair if it can't do anything, but Toshiba chose to lock that as well, without the key we can't access APX mode either.

    Let me figure out some stuff for a minute and I'll post something to try.


  6. #235
    Thrive Lurker
    Member #
    28528
    Join Date
    Dec 2016
    Posts
    7
    Liked
    0 times
    Quote Originally Posted by pio_masaki View Post
    let me figure out some stuff for a minute and i'll post something to try.
    thanks!!!

  7. #236
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1904 times
    Twitter
    piomasaki
    Quote Originally Posted by Quid View Post
    thanks!!!
    OK, let's test. Since you rooted I take it you at one point had ADB set up and working, if so let me know. If you already know where I'm going with this then skip ahead.

    Open up a prompt, wherever you have ADB.exe unless it's system wide, then anywhere, if you don't know what that means then it probably isn't lol

    Turn off the excite, plug it in with a micro USB cable, in the terminal type adb logcat. If it takes it'll say waiting for device, then try to turn on the excite. If logcat jumps then you have at least a small window of ADB access, and we can maybe work something out.

    If ADB errors or something we'll address that. It's hard to tell but if the system was the same that rooted it ADB should work, drivers wise. If it has a driver issue it'll be hard to track down. If after a couple tries it doesn't kick logcat over, press ctrl and c to exit that command, then boot the excite into recovery (power and volume down iirc, maybe it's up) then tell me what options you have.

    I'm looking for ADB updating, in that mode it'll trigger ADB on the PC as well, but not logcat, but the PC will tell you if it's there in device manager.

    If this is all over your head just let me know and we can setup a Skype or duo or something call and I can walk you through it while I see what's going on your screens.


  8. #237
    Thrive Lurker
    Member #
    28528
    Join Date
    Dec 2016
    Posts
    7
    Liked
    0 times
    PC detects it as "MTP USB Device" called... "Nexus" (it's the name I gave it on build.prop, lol)


    adb logcat waits forever for device and nothing happens.


    In "Recovery mode" I have the usual, including update from adb and factory reset which, as you know, won't work in this case. (I've tried anyway)


    Using update from adb I get an "Unknown USB Device".
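
The ADB check walked through in posts #236 and #237, as an added example that is not part of the original thread: it reads what `adb devices` prints and says which of the situations discussed above the tablet is in. The serial number and sample outputs are constructed, and the function names are made up for this example; the state names are the ones adb itself reports.

```shell
#!/bin/sh
# Added example: interpret `adb devices` output during the checks described above.
# Sample outputs are constructed; the serial number is a placeholder.

# Print "serial state" for each attached device, skipping the header
# and any "* daemon ..." start-up lines.
adb_states() {
    awk '/^\*/ || /^List of devices/ || NF < 2 { next } { print $1, $2 }'
}

# Say what each transport state allows, following the thread.
explain_state() {
    case "$1" in
        device)       echo "system booted: adb shell and adb logcat should work" ;;
        recovery)     echo "recovery with adbd running" ;;
        sideload)     echo "update from adb: only adb sideload of a signed zip is accepted" ;;
        unauthorized) echo "device has not accepted this host's adb key" ;;
        offline)      echo "device seen but adbd is not responding" ;;
        *)            echo "unrecognised state '$1'" ;;
    esac
}

# Read `adb devices` output on stdin and report on every device.
# Returns 1 when nothing is listed (host driver problem, or no adb on the device).
classify() {
    states=$(adb_states)
    if [ -z "$states" ]; then
        echo "no adb device listed: check the host driver in Device Manager"
        return 1
    fi
    echo "$states" | while read -r serial state; do
        echo "$serial: $(explain_state "$state")"
    done
}

# Constructed samples of `adb devices` output.
sample_booted()   { printf '* daemon started successfully\nList of devices attached\nEXAMPLE0001\tdevice\n\n'; }
sample_sideload() { printf 'List of devices attached\nEXAMPLE0001\tsideload\n\n'; }
sample_empty()    { printf 'List of devices attached\n\n'; }

# Live use (requires adb on PATH):  adb devices | classify
```
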

  9. #238
    Thrive Lurker
    Member #
    28542
    Join Date
    Dec 2016
    Posts
    9
    Liked
    3 times
    Quote Originally Posted by pio_masaki View Post
    That said, it can be done, I've done it quite a few times on the AT300. Even have a script setup for triggering the exploit for root shell, just never got past sealime.
    Hi pio_masaki,

    how did you get the root shell? What exploit did you use?
    I've been playing around with dirtyC0W but it doesn't work at all on my AT300. ;(

    The SELINUX code used (sealime) seems to be totally different from what's used by current android versions, too...

    P.S.: I found your AT300 kernel repositories on github, but unfortunately it only contains the source for the old 4.0.3 AT300 firmware. Do you have the kernel source for the current Android 4.1.1 image, too? Or is it identical to the AT300se kernel? (As far as I know, both AT300 and AT300se are basically identical devices).

    Edit: Does the root shell at least allow you to read files only visible to root or system?

    P.S.: Great work getting the root shell at all!
    Last edited by UserName; 12-27-2016 at 12:21 PM.
    pio_masaki likes this.

  10. #239
    Developer

    Member #
    18359
    Join Date
    Sep 2012
    Location
    Surprise, Az (that's a real place)
    Posts
    3,783
    Liked
    1904 times
    Twitter
    piomasaki
    Motochopper is able to get root in shell, it's not 100% but it's about 75% success rate, if it doesn't work reboot then try it again, it's never taken me more than twice to get root shell with it.

    SEALime is a modified version of what was then SELinux, and is not very similar to SELinux found on android from 4.3 on, so attacks against SELinux won't work that I know of.

    The kernel source for 4.1 is under the JB branch, master is 4.0 or ICS. I don't recall if I got it for the SE model or not. The SE had a single update that didn't include SEALime, or at least it wasn't loaded, there was an update since that put it back on, that's why the SE could gain permanent root and /system write and the AT300 can't. They should be similar otherwise, but the hardware did differ slightly so I'm not sure it's a straight exchange for the two. We can't flash a custom kernel anyways, the bootloader would fail the sig check on the boot.img even on the SE.

    In shell with root you have every power root normally has EXCEPT write on certain partitions, like /system, and the ability to unload the SEALime module. Anything SEALime prohibits it will regardless of what level you run at.

    If you know how to poke at kernel memory then SEALime can be bypassed since we have shell root, however it's beyond me how to do that so I never got past it. The last idea I had was to use some utility to write or block reading from sealime.ko, or knock it out of memory completely. Unlike the AT100 4.0 version it's active, it doesn't just load and sit there, the kernel queries it and it reacts, so the little loophole we used to symlink it to another path no longer works.

    There was a PoC program that was called seakiller, the source is gone now, however its purpose was to get past SEALime on the AT300 device, used at a security conference. You can still find info if you google seakiller, the attacks outlined in the presentation seemed valid, but in practice I was unable to replicate it. I do have a built seakiller binary, though, I managed to build it before the sources were removed, but it doesn't work. It calls for a name that doesn't appear to work, and when I first read about it (before the information started to vanish) it was mentioned it was a 4.3 updated AT300, which stopped at 4.1, and some of the processes mentioned don't exist on the 4.1 AT300, such as app controlled SEALime. I had thought it was the next generation, the Pro or whatever, with the Tegra 4, but they specifically said AT300, which seemed odd to me. Something about the module returning null, if you get it to not, then the kernel proceeds as requested, I think.


  11. #240
    Thrive Lurker
    Member #
    28528
    Join Date
    Dec 2016
    Posts
    7
    Liked
    0 times
    Thanks pio_masaki for being so helpful to everyone. About my case, better take it to Toshiba, no?


 