1. #!/bin/bash
  2. NXT=0
  3. echo "======================================================================"
  4. echo "= This script will root your Android phone with adb restore function ="
  5. echo "= Script by Bin4ry (thanks to Goroh_kun and tkymgr for the idea) ="
  6. echo "= Idea for Tablet S from Fi01_IS01 ="
  7. echo "= (18.12.2012) v17 ="
  8. echo "= ported to Linux by Kamistral (15.09.2012), ="
  9. echo "= updated by codeworkx (01.10.2012) ="
  10. echo "======================================================================"
  11. echo
  13. choice() {
  14. echo "Device type:"
  15. echo "1) Normal"
  16. echo "2) Special (for example: Sony Tablet S, Medion Lifetab)"
  17. echo "x) Unroot"
  18. echo "Make a choice: "
  19. read type
  20. case $type in
  21. 1*) echo "Normal mode enabled!"
  22. do_test
  23. ;;
  24. 2*) echo "Special mode enabled!"
  25. tabsmenu
  26. ;;
  27. x*) echo "Unroot mode"
  28. do_unroot
  29. ;;
  30. *) clear
  31. echo "Please enter a valid command (1, 2, x)"
  32. choice
  33. ;;
  34. esac
  35. }
  37. tabsmenu() {
  38. echo
  39. echo "Special mode:"
  40. echo "1) Root"
  41. echo "2) Rollback"
  42. echo "Make a choice:"
  43. read reply
  44. case $reply in
  45. 1*) do_root
  46. ;;
  47. 2*) tablets_rollback
  48. ;;
  49. *) clear
  50. echo "Please enter a valid number (1 or 2)"
  51. tabsmenu
  52. ;;
  53. esac
  54. }
  56. do_test() {
  57. RIC=0
  58. echo "Checking if i should run in Normal Mode or special Sony Mode"
  59. echo "Please connect device with ADB-Debugging enabled now ..."
  60. adb wait-for-device
  61. mkdir -p tmp
  62. adb pull /system/bin/ric tmp/ric
  63. if [ -e tmp/ric ]; then
  64. echo "Found RIC-Daemon"
  65. echo
  66. RIC=1
  67. rm tmp/ric
  68. do_root
  69. fi
  70. adb pull /system/app/Backup-Restore.apk tmp/Backup-Restore.apk
  71. if [ -e tmp/Backup-Restore.apk ]; then
  72. echo "Found Sony Backup-Restore.apk"
  73. echo "LT26,LT22 etc. mode enabled!"
  74. echo
  75. rm tmp/Backup-Restore.apk
  76. NXT=1
  77. do_root
  78. else
  79. echo "Normal Mode enabled!"
  80. do_root
  81. fi
  82. }
  84. do_root() {
  85. echo "Please connect device with ADB-Debugging enabled now ..."
  86. adb wait-for-device
  87. if [ "$type" == "2" ]; then
  88. tabtrick
  89. else
  90. echo "Pushing busybox ..."
  91. adb push stuff/busybox /data/local/tmp/.
  92. echo "Pushing su binary ..."
  93. adb push stuff/su /data/local/tmp/.
  94. echo "Pushing Superuser app"
  95. adb push stuff/Superuser.apk /data/local/tmp/.
  96. echo "Pushing ric"
  97. adb push stuff/ric /data/local/tmp/ric
  98. echo "Making busybox runable ..."
  99. adb shell chmod 755 /data/local/tmp/busybox
  100. if [ "$RIC" == "1" ]; then
  101. adb push stuff/ric /data/local/tmp/ric
  102. fi
  103. if [ "$NXT" == "1" ]; then
  104. xpstrick
  105. else
  106. adb restore stuff/fakebackup.ab
  107. echo "Please look at your device and click RESTORE!"
  108. echo "If all is successful i will tell you, if not this shell will run forever."
  109. echo "Running ..."
  110. adb shell "while ! ln -s /data/local.prop /data/data/com.android.settings/a/file99; do :; done" > /dev/null
  111. echo "Successful, going to reboot your device in 10 seconds!"
  112. ping -c 10 127.0.0.1 > /dev/null
  113. adb reboot
  114. echo "Waiting for device to show up again ..."
  115. ping -c 10 127.0.0.1 > /dev/null
  116. adb wait-for-device
  117. do_copy
  118. fi
  119. fi
  120. }
  122. do_unroot() {
  123. echo "Really? (y/n)"
  124. read reply
  125. case $reply in
  126. y*)
  127. adb push stuff/busybox /data/local/tmp/busybox
  128. adb shell "chmod 755 /data/local/tmp/busybox"
  129. adb shell "su -c '/data/local/tmp/busybox mount -o remount,rw /system'"
  130. adb shell "su -c 'rm /system/xbin/su'"
  131. adb shell "su -c 'rm /system/app/Superuser.apk'"
  132. exit 0
  133. ;;
  134. n*)
  135. clear
  136. choice
  137. ;;
  138. *)
  139. clear
  140. do_unroot
  141. ;;
  142. esac
  143. }
  145. do_copy() {
  146. echo "Copying files to it's place ..."
  147. if [ "$RIC" == "1" ]; then
  148. adb shell "/data/local/tmp/busybox mount -o remount,rw /system && /data/local/tmp/busybox mv /data/local/tmp/su /system/xbin/su && /data/local/tmp/busybox mv /data/local/tmp/Superuser.apk /system/app/Superuser.apk && /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin/busybox && chown 0.0 /system/xbin/su && chmod 06755 /system/xbin/su && chmod 655 /system/app/Superuser.apk && chmod 755 /system/xbin/busybox && rm /data/local.prop && reboot"
  149. else
  150. adb shell "/data/local/tmp/busybox mount -o remount,rw /system && /data/local/tmp/busybox mv /data/local/tmp/ric /system/bin/ric && chmod 755 /system/bin/ric && /data/local/tmp/busybox mv /data/local/tmp/su /system/xbin/su && /data/local/tmp/busybox mv /data/local/tmp/Superuser.apk /system/app/Superuser.apk && /data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin/busybox && chown 0.0 /system/xbin/su && chmod 06755 /system/xbin/su && chmod 655 /system/app/Superuser.apk && chmod 755 /system/xbin/busybox && rm /data/local.prop && reboot"
  151. fi
  152. }
  154. tabtrick() {
  155. adb install -s stuff/Term.apk
  156. adb push stuff/busybox /data/local/tmp/.
  157. adb push stuff/su /data/local/tmp/.
  158. adb push stuff/Superuser.apk /data/local/tmp/.
  159. adb push stuff/rootkittablet.tar.gz /data/local/tmp/rootkittablet.tar.gz
  160. adb shell "chmod 755 /data/local/tmp/busybox"
  161. adb shell "/data/local/tmp/busybox tar -C /data/local/tmp -x -v -f /data/local/tmp/rootkittablet.tar.gz"
  162. adb shell "chmod 644 /data/local/tmp/VpnFaker.apk"
  163. adb shell "touch -t 1346025600 /data/local/tmp/VpnFaker.apk"
  164. adb shell "chmod 755 /data/local/tmp/_su"
  165. adb shell "chmod 755 /data/local/tmp/su"
  166. adb shell "chmod 755 /data/local/tmp/onload.sh"
  167. adb shell "chmod 755 /data/local/tmp/onload2.sh"
  168. adb shell "rm -r /data/data/com.android.settings/a/*"
  169. adb restore stuff/tabletS.ab
  170. echo "Please look at your device and click \"Restore my data\""
  171. echo
  172. adb shell "while [ ! -d /data/data/com.android.settings/a/file99 ] ; do echo 1; done" > /dev/null
  173. ping -c 3 127.0.0.1 > /dev/null
  174. echo "1st RESTORE OK"
  175. read -p "Press [Enter] key to continue ..."
  176. adb shell "rm -r /data/data/com.android.settings/a"
  177. adb restore stuff/tabletS.ab
  178. echo "Please look at your device and click \"Restore my data\""
  179. echo
  180. adb shell "while : ; do ln -s /data /data/data/com.android.settings/a/file99; [ -f /data/file99 ] && exit; done" > /dev/null
  181. adb shell "rm -r /data/file99"
  182. ping -c 3 127.0.0.1 > /dev/null
  183. echo "Achieved!"
  184. read -p "Press [Enter] key to continue ..."
  185. adb shell "/data/local/tmp/busybox cp -r /data/system /data/system2"
  186. adb shell "/data/local/tmp/busybox find /data/system2 -type f -exec chmod 666 {} \;"
  187. adb shell "/data/local/tmp/busybox find /data/system2 -type d -exec chmod 777 {} \;"
  188. adb shell "mv /data/system /data/system-"
  189. adb shell "mv /data/system2 /data/system"
  190. adb shell "mv /data/app /data/app-"
  191. adb shell "mkdir /data/app"
  192. adb shell "mv /data/local/tmp/VpnFaker.apk /data/app"
  193. adb shell "/data/local/tmp/busybox sed -f /data/local/tmp/packages.xml.sed /data/system-/packages.xml > /data/system/packages.xml"
  194. adb shell "sync; sync; sync"
  195. echo "Need to reboot now!"
  196. adb reboot
  197. ping -c 3 127.0.0.1 > /dev/null
  198. echo "Waiting for device to come up again ..."
  199. adb wait-for-device
  200. echo "Unlock your device, a Terminal will show now, type this 2 lines, after each line press ENTER"
  201. echo /data/local/tmp/onload.sh
  202. echo /data/local/tmp/onload2.sh
  203. echo "after this is done press a key here in this shell to continue!"
  204. echo "If the shell on your device does not show please re-start the process!"
  205. adb shell "am start -n com.android.vpndialogs/.Term"
  206. read -p "Press [Enter] key to continue ..."
  208. # tabtrick1
  209. adb push stuff/script1.sh /data/local/tmp/.
  210. adb shell "chmod 755 /data/local/tmp/script1.sh"
  211. adb shell "/data/local/tmp/script1.sh"
  212. echo "Almost complete! Reboot and cleanup."
  213. adb reboot
  214. ping -c 3 127.0.0.1 > /dev/null
  215. echo "Waiting for device to come up again ..."
  216. adb wait-for-device
  217. adb shell "su -c 'rm -r /data/app2'"
  218. adb shell "su -c 'rm -r /data/system2'"
  219. adb shell "su -c 'rm -r /data/local/tmp/*'"
  220. }
  222. tablets_rollback() {
  223. echo
  224. echo "Tablet S Rollback"
  225. echo
  226. echo "Please connect device with ADB-Debugging enabled now ..."
  227. adb wait-for-device
  228. adb shell "if [ -d /data/app- ]; then echo 1 ; else echo 0 ; fi" > reply
  229. if [ "$reply" == "1" ]; then
  230. adb shell "rm -r /data/data/com.android.settings/a/*"
  231. adb restore stuff/tabletS.ab
  232. echo Please look at your device and click "Restore my data"
  233. echo.
  234. adb shell "while [ ! -d /data/data/com.android.settings/a/file99 ] ; do echo 1; done" > /dev/null
  235. echo "1st RESTORE OK"
  236. read -p "Press [Enter] key to continue ..."
  237. adb shell "rm -r /data/data/com.android.settings/a"
  238. adb restore stuff/tabletS.ab
  239. echo Please look at your device and click "Restore my data"
  240. echo.
  241. adb shell "while : ; do ln -s /data /data/data/com.android.settings/a/file99; [ -f /data/file99 ] && exit; done" > /dev/null
  242. adb shell "rm -r /data/file99"
  243. echo "Achieved!"
  244. read -p "Press [Enter] key to continue ..."
  245. adb shell "mv /data/system /data/system3"
  246. adb shell "mv /data/system- /data/system"
  247. adb shell "mv /data/app /data/app3"
  248. adb shell "mv /data/app- /data/app"
  249. echo "Rollback compelted."
  250. else
  251. echo "Rollback failed."
  252. exit 1
  253. fi
  254. }
  256. xpstrick() {
  257. NXT=0
  258. echo "Pushing fake Backup"
  259. adb push stuff/RootMe.tar /data/local/tmp/RootMe.tar
  260. adb shell "mkdir /mnt/sdcard/.semc-fullbackup > /dev/null 2>&1"
  261. echo "Extracting fakebackup on device ..."
  262. adb shell "cd /mnt/sdcard/.semc-fullbackup/; /data/local/tmp/busybox tar xf /data/local/tmp/RootMe.tar"
  263. echo "Watch now your device. Select the backup named RootMe and restore it!"
  264. adb shell "am start com.sonyericsson.vendor.backuprestore/.ui.BackupActivity"
  265. echo "If all is successful i will tell you, if not this shell will run forever."
  266. echo "Running ..."
  267. adb shell "while ! ln -s /data/local.prop /data/data/com.android.settings/a/file99; do :; done" > /dev/null
  268. echo
  269. echo "Good, it worked! Now we are rebooting soon, please be patient!"
  270. ping -c 3 127.0.0.1 > /dev/null
  271. adb shell "rm -r /mnt/sdcard/.semc-fullbackup/RootMe"
  272. adb reboot
  273. ping -c 10 127.0.0.1 > /dev/null
  274. echo "Waiting for device to come up again ..."
  275. adb wait-for-device
  276. do_copy
  277. }
  279. # Main
  280. choice
  281. echo "You can close all open command-prompts now!"
  282. echo "After reboot all is done! Have fun!"
  283. echo "Bin4ry"
  284. read -p "Press key to exit ..."
  285. exit 0