Device Rooting Guides
From Guardian Project Wiki
The Guardian Project - Better Living through Mobile Privacy
Device Rooting Guides
While rooting your Android device isn't for everyone, it provides many benefits. It allows you to load modified firmware (e.g. Cyanogenmod) and grant superuser permissions to select applications (e.g. Orbot). Pick any Android device and you'll find any number of rooting guides spread across the Internet. Some of them are on message board threads, others are blogs, and most of them are unclear at best.
Given the importance of root access for empowering Orbot, we thought we'd include some helpful tips on how to root devices for those who are interested. We don't have every device under the sun at our fingertips, so we'll begin small by including guides for those devices that we have personally rooted at Guardian - most of which are actively supporting trials of the Guardian App Suite. We hope that you'll help contribute to the knowledge base here with your own experience!
Disclaimers & Warnings
Standard Root Disclaimer
We are not responsible for any issues you may encounter on your quest to root. Such consequences may include anything from data loss to a 'bricked' device. By chosing to follow any of the guides or instructions included herein, you are assuming all responsibility for your own device. You should read through the full instructions below and browse relevant forums or related guides (like XDA) before you attempt to flash or manually configure any device. Consider this your last warning!
Iptables Version 1.3.7 Issues
We've found that simply rooting the latest round of Android 2.2 devices that run iptables version 1.3.7 is not enough to enable transparent proxying for apps like Orbot (or DroidWall). Instead this requires both root + custom rom -- e.g. flashing a custom mod like Cyanogen that ensures that the iptables OWNER module is included in the kernel. If you have a rooted device that can't correctly pass the Tor check test at https://check.torproject.org - this is probably your underlying issue.
To put it simply - without a custom ROM flashed to your device, you will have the same capabilities / access to Tor as non-rooted users. In other words, you will be able to manually configure application proxies to the Tor network but will not be able to transparently proxy application data traffic via the Orbot 'per app Torification'.
We couldn't have put together these guides without the dedication and support of the very active Android community. Some sites that we'd especially like to recognize include:
Released in January 2010, the Nexus One is Google's reigning flagship Android device. We're big fans of this device at Guardian and a few of us use this device as our everyday phone. While we try to test Guardian applications across as many flavors of Android and hardware as we can, the Nexus One serves as our primary testing and debugging device.
[add to me!]
T-Mobile MyTouch 4G
The T-Mobile MyTouch 4G [also known as the HTC Glacier] is T-Mobile's second 4G device (the first being the G2). Launched in early November 2010 running Android 2.2 / Froyo, it features a 5MP rear-facing camera as well as a front-facing VGA camera for video chat along with the 1GHz Qualcomm MSM8255 Snapdragon processor. We've spent a few long afternoons with this device, and it is a very nice piece of hardware. Its 3.8in, 800x480px LCD display and metal rear battery give it a very sharp look and feel. It lacks the physical keyboard of the G2 - depending on your preference this could be a good or bad thing - but the result is a device thats a full 30g lighter (150g vs. 180g).
We found the XDA thread here to be a very good one, and most of the instructions below are unabashedly lifted directly from it! However there were a few details that we felt were glossed over that we've included here.
To repeat the root disclaimer above - without a custom ROM flashed to your device, you will have the same capabilities / access to Tor as non-rooted users - i.e. you will be able to manually configure application proxies to the Tor network but will *not* be able to transparently proxy application data traffic via the Orbot 'per app Torification'.
The files you'll need to achieve root are available here. This includes the core files as well as a handy script that the XDA Dev folks included - however this script has issues that we'll get into below. As with all downloads please check the md5sum to ensure integrity. md5sum: 46361b0cc8652d88688c0ab66d44950b
A few applications are critical for this procedure. Get them installed before you move forward with the rooting instructions.
- Terminal Emulator - downloadable from the Android Market if you don't already have it installed. Lets you access your device's built-in Linux command line shell. More info: http://github.com/jackpal/Android-Terminal-Emulator/wiki
- VISIONary - An application that lets your temporarily (or in some cases permanently) root your device with a single touch. It takes advantage of the 'rageagainstthecage' exploid in Android - and as such has been booted from the Android Market. Grab it from here.
- Make sure that you've de-selected the option to 'Fastboot' your device and enabled USB Debugging option (in Settings->Applications->Development)
- After decompressing the relevant files package (see above), transfer the files to your device's sdcard root directory.
- Run VISIONary app. Ensure that the option to 'set system r/w after root' is selected, then select the option to temporarily root your device. Wait a minute or so.
- We've noticed that some versions of VISIONary have been buggy with notifying the user of successful root access. However all of them have displayed unsucessful root attempts. So after waiting a minute and you're transitioned to a plain black screen, the chances are that the root attempt was successful.
- Test to see if you have temporary root. Open the Terminal Emulator and type 'su.' If successful you will see a superuser request for the Terminal Emulator application appear. Go ahead and grant the application this access.
- While still in the Terminal Emulator app, enter the command 'cd /sdcard' to change directories to your sdcard root directory
- Next enter the following command into the Terminal Emulator app: 'insmod /wpx.ko' and press enter. You should see a response that states 'Function not implemented' - this is expected.
- If you see the correct response from the step above, enter the following into Terminal Emulator and press enter: 'dd if=hboot_dhd.nb0 of=/dev/block/mmcblk0p18' <-- beware! make sure this command is entered properly or you can easily brick your device! If executed successfully, you'll see the application respond with a number of returned byte addresses.
- If successful, exit out of Terminal Emulator and open VISIONary. Select 'Get permanent root' - your device *should* reboot itself after performing this step - if not you should manually do so.
- Reboot your device into Recovery by holding down the Volume Down key while powering on the device. At the top of the screen you should see the line 'S-OFF' - which translates to 'Security Off' - and gives you write permission to the /system partition
- Reboot your phone normally and open the Terminal Emulator. Type 'su' to check to see if your permanent root attempt was successful. If you see a response like 'not permitted' - then re-open the VISIONary app, try to get Permanent root again and more-or-less repeat steps 9 and 10 above. This shouldn't take more than one or two attempts and you should be set!
Check the very nicely worded XDA thread for more information and instructions on reverting to S-ON should you want to revert to non-root.
Motorola MilestoneThe Euro GSM step-brother of the incredibly successful US Motorola Droid, the Milestone is a very capable and resilient Android handset, launched in winter 2009 and featuring Eclair 2.1-update1 firmware, a 5.0MP autofocus camera and capable of 720x480 video recording at 30fps. For those who prefer a physical keyboard, this is the Android device of choice - although it does make the device a bit heftier than other devices at 169g.
You'll need the files from the drop here to continue.
Flashing a 'Vulnerable' Recovery Image
The bootload process on the Milestone has unfortunately been locked down by Motorola. As a result, the process to root the Milestone is slightly more complicated as you need to flash a 'vulnerable' recovery image (SBF) to the device in order to make an 'unrootable' firmware into a rootable one. This can be done on either Windows or Linux (sorry Mac users, no dice). In either case, the goal is to flash the file vulnerable_recovery_only_RAMDLD90_78.sbf to your device in order to be able to apply further changes. Pick your poison below.
Make Your Milestone Vulnerable (Linux)
- Unpack the VulnerableRecovery.zip archive (from here) and copy the files sbf_flash and vulnerable_recovery_only_RAMDLD90_78.sbf to your computer's file system (NOT the Milestone's)
- Open a terminal and grant executable permissions to sbf_flash with the following command: 'chmod +x sbf_flash'
- Boot your Milestone into 'Bootloader Mode' by powering it on while Holding the 'Up' button of the D-pad. The 'Up' button is Up when holding the device in landscape (sideways) mode, and Right when holding the device in portrait (normal) mode. You should see the device boot into a black screen like the following:
- Connect your Milestone via USB cable and flash the vulnerable recovery file to your Milestone with the following command: 'sudo ./sbf_flash vulnerable_recovery_only_RAMDLD90_78.sbf'. The output should look something like this:
Make Your Milestone Vulnerable (Windows) -
- Download and Install Motorola Mobile Phone USB Drivers from motorola.com -- Windows 32-bit / Windows 64-bit
- Download and install RSD Lite with at least minimum version of 4.5.3 here
- Connect your Milestone via USB cable and flash the vulnerable recovery file to your Milestone by running RSD Lite. The device should be listed as 'Connected.' Select the vulnerable recovery SBF file and select 'Start'. The Milestone will reboot automatically to bootloader mode and start flashing the vulnerable recovery firmware. Once done, power off the phone.
Root It! (with a handy custom Recovery)
Now that your Milestone is vulnerable, we can flash whatever we want -- including custom ROMs, themes etc. But what we're interested in is gaining root access.
- Unpack the OpenRecovery.zip archive (again, from here) and transfer the contents (OpenRecovery folder and update.zip) to the root of your Milestone's SD card. Next power-off your Milestone.
- Boot your Milestone into 'Recovery Mode' by powering it on while holding the 'X' key of the keypad until you see a triangle icon appear on the screen. Once you see the Triangle, hold down the Volume Up and Camera buttons simultaneously to access Recovery Mode.<br>Note: If your device powers up normally (very possible), try again a few times. If you find it to be stubbornly refusing to cooperate, try the alternate strategy of holding down the 'Camera' button while powering on the device until you see a triangle appear on the screen.
- Choose the option to apple update.zip. After a moment you should see your menu replaced by a red one (see below). You are now in Open Recovery.
- Choose 'Root Phone' from the menu, then choose 'Reboot System' and you're rooted! You'll automatically be notified from here on out if applications or processes are requesting to access your phone as root.
AT&T LG P-506 (Thrive)
LG Thrive (P-506) link is a cheap and affordable cellphone sold by AT&T GoPhone. Despite its locked status (including CarrierIQ) at the beginning, it is possible to easyly unlock the phone, root it and load Cyanogen in order to remove unnecesary programs and run the guardianproject applications properly. A step-by-step tutorial using Debian Sid is available at XDA forums.