So, I was screwing around in best buy one day and found my self not being able to resist the sale price on a Galaxy Tab 2 7.0. I needed a little something for laying around the house browsing the web, checking twitter, reading emails, etc. So it fit the bill. After a few hours of exploring Google Play and downloading some apps, I wanted to see what else I could do with this thing. Fortunately there’s a wealth of information out there on playing with (or modding) these things. But first things, first I was really new to the Android platform and needed to get a little better acquainted.
My fist step was to dig into some of the developer forums and look at the Android SDK site. As it turns out the first thing I needed to do was get familiar with adb, the developers debugging environment when connected to a Linux/MAC/PC. It lets you view system logs, pull and push files, reboot into the various modes, and get ahell on the device to do a little playing and poking around. These are the 2 sites that I got the most valuable information regarding adb and getting up and running on my Ubuntu box:
- ADB Basics: http://www.pocketables.com/2011/06/adb-basics-for-htc-evo-users.html
- Ubuntu Install Guide: http://forum.xda-developers.com/showpost.php?p=19446284&postcount=62
This was pretty straightforward to set up and I did not deviate to far from the guide posted to xda-developers.com, with the exception of not needing to play with permissions in /etc/udev/rules.d. Once I got through it I just fired up ADB and it worked right out of the box, no need to mess around with drivers. The commands I found my self using the most were:
- adb push
- adb logcat
- adb reboot download (more on this later)
- adb reboot recovert (more on this later too)
- adb shell
“Shell” is were you can do most of the playing. The Android OS is a dumbed down Unix with most of the good stuff missing. It doesn’t even have grep. If you want to see the commands available, do an ls on “/system/bin/”. That’s pretty much all you got. You do have ipconfig, id, route, ls, ps, lsof, top, cat, and netcfg…it’s a start. So after playing with that for a bit I went back to the App store and found Nmap for Android (I heard about this some time ago), although it’s now called “Pamn Ip Scanner”. Gave it a wirl, and like any version of nmap OS detection needs root. So there’s my justification, let try not to brick it
I’m not a one-click-root kind of guy, so I wanted to learn a thing or two. After several hours of research, all the methods point to getting an su binary in the system directory for persistent root access, and to accomplish this you need elevated permissions. The 3 basic ways to do this are: Use a Privilege Escalation exploit and copy the files in, overwrite (flash) the recovery mode with a custom recovery and use it to install the files, or flash the OS itself with a custom ROM. I found 2 escalation exploits that did not involve flashing anything, unfortunately they were for holes that had been patched in the version my device was running (Android 4.1.1 JB).
Another few details that I learned from my bout with google is that this device has 2 reboot modes: recovery(power+up volume) and download(power+down volume). The “recovery” mode is the factory reset mode and recovery to fresh from the store. The “download” mode is the state the device needs to be in in order to have the firmware updated/flashed. SO, since the exploits failed, the next best method was to flash the factory recovery with a “custom” recovery image that allows for installing packages from a .zip file. Then use that recovery to install the latest version of the “SuperUser” app that can be found in Google Play, which seems to be the defacto standard for managing root access for applications. I settled on ClockWorkMod for the custom recovery and Heimdall(Linux compatible..I like my Ubuntu box) as the tool to do the flashing. A side note on CWM: This is an interesting application that has alot more functionality beside just installing zips, check it out. Below are the steps and the guides that I followed:
- Installed Heimdall:
- I grabbed the .deb from here https://github.com/Benjamin-Dobell/Heimdall/downloads and installed it. Just the basic package not the suite or the frontend
- Grabbed the appropriate version of ClockWorkMod from this thread http://forum.xda-developers.com/showthread.php?p=27812563
- Grabbed the most recent version of SuperUser from the developers site http://download.chainfire.eu/310/SuperSU/UPDATE-SuperSU-v1.04.zip and copied it to the external SD card in my device
- Referenced this guide (http://forum.xda-developers.com/showthread.php?t=1861838) to get an idea of how to get the recovery replaced with CWM. I did not use the root package they referenced there, no need to. Once CWM is installed, you can just install the regular Superuser app. No exploit needed. CWM bypasses the need for that.
Here’s what the process looked like after I extracted the recovery.img from the CWM tar:
Once done, and rebooted into recovery it looked like the screen shot below. You can do an “adb reboot recovery” or hold down the power and up volume buttons.
I then used the “Install zip from sdcard” option to install the Superuser app I copied to the SD card. Upon reboot I have root
…And I also installed Terminal EMulator and busybox. I used “BusyBox Free” by Stephen Erickson, it seemed to be the best option and allowed me to set the installation directory to system/xbin instead of system/bin. Then I installed a few apps…some for remote access, others for WiFi analysis:
- WiGGLE Wifi Wardriving
- Pamn IP Scanner