Ok we have ROOT!
As above, load into Test Mode and use ADB Shell
then run the following
cd /system/bin
cat btld_testmode > ../btld_testmode (this backs up the file)
cat sh >> btld_testmode (we append it first, don't know why, but we can't just overwrite it at first)
cat sh > btld_testmode (overwrite it)
Now, it lost its setuid, but that is fine; the factorytest.rc will restore it. So reboot the phone, reloading test mode.
cd /system/bin
./btld_testmode
Now you are in a root shell, you know what to do
cat sh > su
chmod 4755 su
exit
./su
Now we will put btld_testmode back.
cat ../btld_testmode > btld_testmode
chmod 6777 btld_testmode
Currently the su loses its setuid on reboot, so it is not permanent.
Still working on that.
Edit: it seems all permissions get reset, then are set up by the init script.
Sadly, we can't overwrite the init script because changes in / do not persist.
All we can use this root access for is flashing, unless we find another way to persist our setuid...
But hey, at least we have a root shell! It is a start
EDIT: here is a cheap hack that will restore root when the splash logo is played:
Done! I made a wrapper around the playlogo script, which plays the carrier logo:
First, while still root in test mode:
cd /system/bin
mv playlogo playlogo_real
Then create this file locally, and name it playlogo:
Code:
#!/system/bin/sh
# remount /system read-write so the permission change sticks
/system/bin/mount -o remount,rw,codepage=utf8,vfat,fcache\(blks\)=128,xattr,check=no /dev/stl5 /system
# restore the setuid bit on su and make sure the real playlogo is executable
/system/bin/chmod 4755 /system/bin/su
/system/bin/chmod 0755 /system/bin/playlogo_real
# put /system back to read-only
/system/bin/mount -o remount,ro,codepage=utf8,vfat,fcache\(blks\)=128,xattr,check=no /dev/stl5 /system
# then play the carrier logo as usual
/system/bin/playlogo_real
Push it to /system.
Back in the shell:
chmod 755 /system/playlogo
mv /system/playlogo /system/bin/playlogo
reboot
Now it will restore your su root access when the boot logo plays.
Cheap hack for now.
More here, including a trick to guarantee test mode will activate:
http://midnightchannel.net/blog/255-...ng-moment.html
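As an added example (not from the post or from the phone's firmware), here is a small defender-side audit script for the persistence trick described above: it lists every setuid/setgid file under a directory and flags any whose name is not on an allowlist, which is the check an admin would run against a mounted /system tree to notice a persisted su or a btld_testmode left at 6777. The directory layout, file names and allowlist it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's code): audit a tree for setuid/setgid files.
# Assumes GNU/busybox find and stat; all sample paths below are constructed.

# find_setuid DIR -> prints "mode path" for each setuid/setgid regular file
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} \; 2>/dev/null | sort
}

# audit_setuid DIR ALLOWFILE -> prints files whose basename is not listed in
# ALLOWFILE (one name per line); returns 1 if any were found, 0 if clean
audit_setuid() {
    unexpected=$(find_setuid "$1" | while read -r mode path; do
        name=$(basename "$path")
        grep -qx "$name" "$2" || echo "UNEXPECTED setuid/setgid: $mode $path"
    done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# make_demo_tree -> builds a constructed /system/bin lookalike in a temp dir
# (ping is the only setuid binary we expect; su and btld_testmode are not)
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/system/bin"
    for f in sh ping su btld_testmode playlogo; do
        : > "$d/system/bin/$f"
    done
    chmod 0755 "$d/system/bin/sh" "$d/system/bin/playlogo"
    chmod 4755 "$d/system/bin/ping" "$d/system/bin/su"
    chmod 6777 "$d/system/bin/btld_testmode"
    printf 'ping\n' > "$d/allow.txt"      # constructed allowlist
    echo "$d"
}

# Run with --demo to see the audit flag su and btld_testmode.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    audit_setuid "$demo/system" "$demo/allow.txt"
    echo "audit exit status: $?"
    rm -rf "$demo"
fi
```

Against a real device, point audit_setuid at a mounted copy of /system and an allowlist built from a known-good image of the same firmware.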