I updated to 3.0.1 binary and lost root, HELP!

While I was away in Italy, I was spending as much time as I could trying to find a fix for the issues that people were having with Superuser 3.0.5. One of the fixes involved a new binary that sets it’s own UID to that of the Superuser app before opening the database to prevent the WAL files belonging to root. This fix worked great and I am indebted to HomerSP for finding it. When I got home I set about updating my normal build machine to compile a new binary for release. I updated my AOSP trees agains the new repo that was put online while I was gone, compiled 3.0.1, and put it out there. That’s when things went wrong. I started getting reports that after people updated to 3.0.1, they lost root. Terrible thing is that it works great on all of my devices, as usual. I think the problem is that at some point the generic gingerbread AOSP tree went from compiling for arm generic to compiling for ARMv7-a, and su 3.0.1 is now compiled for ARMv7-a. There are many devices out there that use the older ARMv6 (ARM11) architecture, and all of the issues that have been reported to me that include what device they’re on happen to be ARMv6…

I’m trying to get a couple testers to help me make sure that this is the problem, but if no one comes forward willing to help in the next couple hours, I’m just going to have to pull the trigger and release a new binary compiled against arm generic. If you have a device that has an ARMv6 (ARM11) chipset, please email me at superuser.android@gmail.com to help me find the solution. You will need to have ADB up and running, and adb needs to give you a root prompt (#) when you run ‘adb shell’.

Thank you for your patience.

Update: The issue has been fixed and new versions of the su binary have been uploaded to here and ROM Manager. I know ROM Manager won’t help those of you with broken root, just download the update.zip from here, put it on your sdcard, reboot into recovery and install it.

Update 2: Another update, another binary. The code in 3.0.3 is the same as the code in 3.0.2, and 3.0.1 in fact, just built a different way. This version has been tested and verified to work on both ARMv7 and ARMv6 devices. Both

Status Update

I know there are bugs in the latest version of Superuser (3.0.5), and I’ll do my best to explain what is happening to you. Before that I need to make sure that you all understand that I am the only developer of Superuser (no team, just me), I work full time in the Air Force (Superuser is simply a hobby for me), and I am currently out of the country working.

Now let me say that the current version of Superuser works flawlessly on every device that I have on my test bench, which consists of:

  • Nexus S – CM7.0.1
  • Nexus One – stock rooted Froyo
  • MyTouch 3G – old version of CM based on Donut
  • MDP8660 – stock rooted Gingerbread
  • Xoom – stock rooted 3.2
  • Nook color – CM7 nightly

I do extensive testing of each version on every device that I have before release. That being said, there are thousands of combinations of devices and ROM, which makes ensuring compatibility with every one of them impossible.

The issues that people are having are, for the most part, down to using an outdated binary. With the last couple versions, I tried to remove the requirement to have the latest binary, since there are so many people out there that either have some form of write protection on their system partition at runtime (S-ON), or have the su binary installed in /sbin. Both of these things make it impossible for me to update the binary.

S-ON is easy, since those users can simply download the latest version through ROM Manager, or from this site and flash via recovery mode. This will install the latest binary, and fix the problems.

People with the su binary located in /sbin have a much tougher time. I’ve found that these are mostly Samsung users (with the notable exception of the Nexus S). I don’t know why it’s done this way, and if anybody does know, please let me know, but for some reason kernel and ROM devs for these devices put su in /sbin. /sbin is part of the boot.img, and therefore any modifications to that directory will be erased on boot.

The issues that people are having are caused by a binary that leaves the permissions.sqlite database open while it sends the intent for the prompt. This used to be ok, but sometime in Gingerbread, android started using WAL for SQLite, which causes the app to not be able to open the database if the binary has it open. The 3.0 binary is very good about handling the database, and has no issues if the app has the database open at the same time it needs to read from it. the 2.x binary is not so good about it. The fix that I have worked out for this, and am in the process of trying to implement is to have a service that will update the permissions.sqlite database as necessary, and if it fails to open the database, it will schedule itself to start again until it can gain access to the database.

The other issue I’ve seen is that on some devices, the WAL bits of the database are having their owner changed to root (0), the main database still belongs to the Superuser app, but the parts that are used by WAL belong to root, which makes it impossible for it to be opened by the app. This issue is being a lot harder to track down, because it seems very intermittent and there are so many users that are incapable of helping to track it down for whatever reason, but I am trying to find it.

As I said above, I do everything I can to make sure that things are working, but I can’t test on every device. So what I’ve decided to do is to create a Superuser tester program. I’ve created a form on Google Docs that you can sign up to receive test versions of Superuser before I publish them. There are three levels of testers; Alpha, Beta, and RC. Each will get test versions at different times and have different “responsibilities”. Hopefully I can get plenty of people to sign up and we can make the Superuser experience better for everybody. Please sign up here. Might take me a couple days to get things rolling with the program, but if you sign up, expect a test version soon.

I appreciate everybody’s patience as I get very little time lately to work on these things. Unfortunately I already offered my country 4 more years, so Superuser won’t be a full time job anytime soon. Just know that I am looking into your issues as I can. If you’re a better coder than me, with more time, please feel free to fork the project from my github and submit a pull request for any bugs you can fix.

Initial impressions of 3.0

Last night I released Superuser 3.0 final. After being in development for so long, you’d expect it to be bug free, but that’s never the case, is it? Nice thing about it is that here in the first few hours of the launch it seems that most of the problems aren’t anything I did. Here’s a rundown of what I’ve seen so far:

1) Signature error when updating from the Market – This is a common thing that’s been happening since I released Superuser to the market. All apps must be signed before being uploaded to the Market, so when I decided to put Superuser up on the Market, I generated a key, signed it, and uploaded the key to my github repository and the CyanogenMod repos. Once an app has been uploaded to the Market with a particular key, it can never be changed. So if the Market is telling you that the package is incorrectly signed, it’s because the Superuser that is included in your ROM is not signed with my keys (which are, again, publicly available). You can’t update an app if it’s signatures don’t match. Not the end of the world though, there are a couple ways to fix it. First thing you can do is try the Superuser Update Fixer from the Market. It doesn’t always work, but what it tries to do is fix the wrong signatures by replacing the Superuser.apk that’s installed on your system partition with one that’s signed with the proper keys. If that fails, you can try updating Superuser through ROM Manager. I’ll keep Superuser updated in both the Market and ROM Manager, so you’ll get the latest either way. The benefit of using ROM Manager is that it will also update the binary to the latest version without you needing to do anything.

2) Binary updater fails to update binary – This usually happens because for Superuser can’t write to the system partition where the binary is installed. This can happen for a couple reasons. First, and most common, is that your device has S-ON which prevents the system partition from being written to at runtime. Even if a remount succeeds, and the system thinks that the partition is mounted as rw, you can’t write to it. There are different solutions for different devices, but the easiest usually involves simply updating Superuser through ROM Manager. If you were able to flash a custom ROM, you’ll be able to update Superuser through ROM Manager. The other reason that updating the binary fails is that your ROM Dev did something silly like putting the su binary in /sbin. I have not found a reason why this would be done, but I’ve seen it many times. The problem with putting su in /sbin is that even though you may be able to modify it at runtime, the changes will not stick over a reboot. This is because /sbin is part of boot.img, which gets unpacked and loaded at boot. The other problem with having the su binary there is that it’s almost always the first entry in the PATH. If you’re unfamiliar with the PATH, it’s a list of places that the system will look for a program, once it finds one it stops looking. Superuser will not try to update su if it’s found to be in /sbin because the change will not persist. The fix for this is not quite so easy as before and you’ll likely have to change ROM, and let the developer of whatever you were using know that they’re doing it wrong.

3) No paid app support in your country – This one I can’t do much about currently. I do have plans to introduce other options for buying Elite, but it’s break time for me. In the future I intend to have PayPal and in-app billing suport, but that’s further down the road with no ETA. You may have the option of using an app like Market Enabler to trick the market into thinking that you’re somewhere else. I have no idea if that’ll work or not, but it doesn’t hurt to try.

4) Not in CM7 yet – This could take a little bit. The problem here is that since CM7 is built from source entirely, Superuser is also built on their computers against the AOSP tree. The Superuser source is one package for all all versions of Android from 1.6 all the way to 3.2, and it’s got references in it to Honeycomb specific things. This will break the build against a Gingerbread source tree since it won’t be able to find those Honeycomb specific references. I will get something put together to submit to the CyanogenMod team, but it’s gonna take me a couple days.

I hope that things will continue to run as smoothly as they have been, but that’s probably asking a whole lot. If you find issues not mentioned above, let me know. The best way is through email, at superuser.android@gmail.com, that way I can easily get back to you and sort it out. I’m gonna take a little bit of time off to relax, then I have another couple of projects that I’d like to explore. I will continue to work on Superuser and continue to implement new features as I come up with them, as well as implementing all of the other features that I have planned for Elite.

Thanks for all of your feedback, and enjoy!

Top 9 Root Apps

I asked on twitter what your favorite root apps are, and here are the results, with their market links.

9. ShootMe (free) – Shake or shout to take a screen shot of your phone. It can use the light sensor on your phone if it’s there, and even record video screencasts on some high-end phones.

8. Screenshot ER 2 ($1.49) – Shake, delay or notification icon capture. Also works on Honeycomb.

7. drocap2 (free) – Shake, delay or notification capture, like ER, only this one is free.

6. Terminal Emulator (free) – Terminal for your phone. Full access to the linux command line, if you know how to use it.

5. AdFree Android (free) – Block adds in the browser and apps with an updated hosts file. Please buy apps to support devs if you’re gonna use this.

4. SetCPU ($1.99) – Control the minimum and maximum frequencies of your phones CPU, as well as which governor controls them.

3. ROM Manager (free) A must have app for anyone who likes to change ROMs regularly. Easily download and flash a new ROM, or backup your current ROM. Buy the Premium version ($5.86) for even more ROMs and features.

2. Root Explorer (~$3.88) – A great file explorer for full access to the entire filesystem on your phone.

1. Titanium Backup (free) – The ultimate backup utility for your phone. Can backup data from any app, plus loads more. The Pro version (~$6.00) adds more great features and supports a great dev.

So there you have it. Top 9 root apps voted for by you. Try ‘em all out. Enjoy!

A Word About Superuser and Security

It has recently come to my attention that there are people out there that believe that Superuser in the wrong hands can be a dangerous thing. A quote from my @DroidSecurity on twitter (edit: @AVGFree agreed with this tweet shortly after DroidSecurity posted it):

@TeamAndIRC @ChainsDD @AVGFree : SuperUser is not considered bad , but rather can be dangerous in a non-techie hands , The Antivirus team

Now I may be arguing semantics here, but I have to disagree with this. The discussion came up because I asked AVG to reconsider their app flagging Superuser as a risk. While I can’t argue that a rooted phone can be a risk, Superuser itself is not. In fact, once a phone is rooted, Superuser is one of the few things that provides any sort of protection. Without it, any app would be able to use root at will and unchecked. Superuser gives the user a notification when an app is using the root user, and gives them a way to look back at what has used it and when. Similar to UAC on windows computers, it forces the user to consider what they are doing before they alter their system.

Regarding AVG, there are two situations in which their app would detect Superuser being installed. The first is that the user has rooted his phone. In this situation, Superuser.apk is installed in /system/app. In this case, there isn’t really anything that AVG can do about it. In order for it to remove the risk, it would have to remount the system partition (and it would have to use Superuser to achieve that), and manually remove the apk. Instead it displays the system’s uninstall window, which naturally fails to uninstall the app, and goes back to scanning, once again finding the “infected” Superuser thus starting the process all over again. Infinite loop?

The second situation is that the user does not have a rooted phone and they download Superuser from the market. In this case, Superuser is completely useless to them, as Superuser has no way of allowing other apps to use the root user without already having the su binary installed in a directory in the PATH. and since none of these directories are writeable at runtime, there is no way to do that. Superuser does not use any of the exploits that are widely available (Gingerbreak, Rageagainstthecage). Superuser will not root your phone by itself, it needs outside methods for it to do anything at all. This becomes a false positive for AVG, as Superuser cannot do any harm to the user or his phone.

This brings into question the method that AVG uses to find “infected” apps. This post did not start off to be a post slamming AVG, but I got really frustrated when, while researching for this post (installing AVG and trying it out), I found that AVG also flags Superuser Elite as “infected.” This made me realize AVG may be using some kind of sophisticated scanning, but more likely they are simply using a list of package names that they have deemed to be “infected.” I had planned to baksmali their app and dig around to see just how their “scanner” worked, but it seemed much easier to do it this way:

  1. Fire up Eclipse and make a new android app with the package name “com.noshufou.android.su.helloworld”.
  2. Do not change anything in the app.
  3. Install the app on my phone that is running AVG.

Result? Popup window on the phone telling me that this “Hello, World!” app is infected. Seems as though Google has some serious problems if a basic “Hello, World!” is a virus. More likely is that AVG is looking at nothing more than the package name and determining that the app is a threat simply because it has “com.noshufou.android.su” in the package name. I would have attempted making an app that has one of the exploits in it, but with a different package name to see if it gets caught, but that’s not something I have time for. I do encourage my readers to try this though. It would be interesting to see if AVG, or any of the Android “antivirus” apps, can detect a true threat.

At the end of the day, I hope this article encourages companies like AVG to implement true threat scanning, if they haven’t already, or stop posing as antivirus. A blacklist based on package name is not antivirus and provides the user with a dangerous sense of false security. I also welcome AVG or any other maker of an antivirus program for Android to come forward with a response to this telling the users how their app actually protects their phone.


Playing catch up, again

Ok, so I know, I totally suck at keeping you guys up to date about what all is going on. So every once in awhile, I’ve got to give multiple updates all at once. It’s that time again, so here it goes.

The UK #tweetup was a success. We had about 10 people show up, which wasn’t too bad as far as we were concerned. Things weren’t quite as spectacular as we had originally planned because I came down with pneumonia the day before the #tweetup. However, from the feedback that we have received, it seems like I still managed to pull it off. We had a few people who had to cancel at the last minute due to work issues, but otherwise, all went well. Those that were able to make it were treated to some home cooking, although it was no where near my usual level of awesomeness. We gave out #tweetup t-shirts that got lots of laughs. Even our kids stole a couple to add to their closets. Thanks to Flibblesan, we had a freeplay.com voucher to give out. We also has a $25 Visa gift card that was given away. ChainsDD and I also made sure that everyone here went home with a prize. We gave out nano bluetooth adapters and memory sticks/sd readers. They were pretty cool, at least, they were in my non-technical opinion. The real treat of the day was that those who attended were given the very first copies of Superuser 3 alpha and 1/2. ChainsDD isn’t quite ready to call it a beta. =) We had guests that stayed on into the evening and even one who stayed over for the night and was treated to a good old fashioned American breakfast of biscuits and gravy, cheesy scrambled eggs, bacon and fried potatoes. I think he was pretty happy with the morning spread. =D We would definitely like to thank R1lover (Rhett Buck) for making the awesome shirts. You can always get your Superuser swag (which now has bacon) at http://bit.ly/suswags

In other news, ChainsDD thinks he should be able to release Superuser 3.0 sometime during the couple of weeks that he is taking off for my surgeries. I’ll be down and out, the kids will be at school, so he is going to take full advantage of the opportunity to work on Superuser 3.0 and Elite. It’s coming guys. We are sorry about the wait, but appreciate all of the patience you’ve shown.

We are definitely excited about everything happening with Superuser this summer. We would love to get together with some more of you, but unfortunately, we won’t be able to do another free event on the level of the last one. Those shirts and freebies that we gave out added up for us pretty quickly. But if you’re cool with just hanging out and enjoying the company of other Android lovers, then you’ll definitely want to be at the next #tweetup.

Oh, just an FYI, Superuser customer service is going to be out of commission from June 7th-June 15th at a minimum. Your favorite representative is getting cut open and sliced and diced by the docs, and won’t really feel like dealing with complaints, bitching, whining, or stupid questions. So instead of making some poor lass cry, I’m just going to stay away from all Superuser emails for a bit.

Hugs to you all. Hope life is treating you like you want it too. Remember to take some time away from the computer this summer. The sunshine won’t kill you. It might sting a little though.

UK Tweet Up

So big news guys. On May 14th we are having an Android tweet up at our place. For those of you that don’t know what a tweet up is, well, it’s a casual get together. We’ve got some cool stuff planned for that day, so come on out. It’s going to be an all day event. It’s not going to be anywhere near the size of the Android BBQ, but consider this an appetizer to hold us over until someone gets the UK Android BBQ planned. If you’re interested in coming, get with me on twitter, MrsChains. We’re really excited about this and hope to see a few more people planning to attend.

SU Swag and International shipping

Well, we finally have the shirts, stickers and panties up for sale. Seems like there has been some concern over the cost of international shipping though. So what we are willing to offer is this. R1lover has agreed to send your international orders to me along with my shipments. It cost him the same if he sends me 1 or 10 shirts. From there, I will mail them out to you. Since I’m in the UK, it drastically cuts down shipping costs. Shipping from here seems to be extremely cheap. As long as it will cost me under 5quid to send it out to you, then we are willing to eat that cost to get you some swag. If it’s going to be over 5quid, which I think you’d have to live pretty far away for that to happen, then I only ask that you use ChainsDD’s donate button to make up the difference. If you are within driving distance to us, (We are in Thetford) then you are more than welcome to pick your order up at my house.

So here’s how to get your free or extremely discounted shipping.

Place your order here. When you get to the shipping choices, choose “in store pickup”. Then in the comments section, type “Ship to MrsChains”.

From there, simply send me the order confirmation to mrschains@gmail.com This way, once it gets to me, I have all of the information needed to send it out to you. Don’t worry, I don’t see anything dealing with your financials.

It does take just a little bit longer this way. But it cuts the cost to you drastically.

So go ahead and get your orders in soon. I have R1lover sending me a package next week. Get yours in before he ships! Otherwise, depending on the demand for this, I will be having him send me shipments once or twice monthly.

If the demand picks up and it’s worth it, I might start stocking things here at my place, so that once you give me your confirmation details, I could get it out to you that day. Unfortunately, this isn’t available just yet, because we haven’t had enough international interest. Hopefully soon though!

I know it’s a few extra steps, but the savings are well worth it.

I look forward to seeing the orders coming in. This stuff is really good quality and very nicely done.

Whirlwind of activity

So it’s been awhile since I’ve gotten on here and really updated you guys. I know you’re getting little snippets here and there, but I wanted to take the time to actually tell you what’s been going on.

We were recently contacted by a great group of guys from RootzWiki.com It started out as a simple request for them to use the Superuser icon on their shirts, that they were making to promote their own site. Well, Steven is a great businessman and we were happy to give our approval. Rhett has made some incredible designs that we are quite pleased with and there’s much more to come.

But now, it’s gone beyond just sharing swag. RootzWiki.com is an incredible site that has so much information there regarding rooting. They are updating more and more every day and we are excited to be working with them. For many of you, your questions will be redirected to them. The site is informative and well written. They have included the community in this and it’s definitely run by a wonderful part of the Android family.

Thanks to RootzWiki.com doing so much on the rooting side, ChainsDD has been able to work more on the Superuser side of things. He’s currently working on two projects, both of which sort of tie in together. At the moment, he’s working hard on Superuser 3.0. He’s trying to clean the app up and is also doing his best to get a good tablet version out. His progress was slowed while he waited on his Xoom to get here, but it’s picking up pace again. He wants to give you guys a version that he can be proud of. Since Elite will need 3.0 in order to properly function, he has to get that up and running first. So yes, he is working on Elite. He just has to get 3.0 out there first.

There has been some beta testing done and unfortunately, ChainsDD realized that it’s not quite ready for release yet. He’s finicky. Everyone always says how great Superuser is, but to let you in on a little secret, he’s never been completely happy with it. So he’s taking his time and doing this one right. (His version of right). Expect great things, because they are coming, just show some patience. Please

Now, many of you know that developing is not his full time job. In fact, he doesn’t make enough off of it to pay any of the bills. It pretty much takes care of him ordering the tools that he needs to be a better developer for the community. Most of you are understanding of that. However, there are some that think that he needs to work on developing and only developing. He can’t. It’s not possible. He is in the military and his hours get crazy at times. He also has a wife (me) who would like to see him on occasion and 2 sons that literally do not see their father 5 days a week because of their schooling and his work hours. So please try to keep that in mind before you contact me yelling and screaming that you paid a dollar for an app that hasn’t been released yet.

I love the Android community and am looking forward to working with a lot of you more in the future. Remember, most of your devs have other responsibilities, so while I’m sure they would love to do this full time, reality doesn’t always allow for that to happen.

So while you’re waiting, go to the rootzwiki store and get yourself some swag. They’ve got rootzwiki, clockworkmod, and of course superuser swag there. And I know that I forgot to mention many of the awesome guys working on that site, but trust me, I think you’ll like it. Amazing amazing guys to work with. They have definitely made life easier for us and a lot more fun. Go get your swag on!!

Hugs and hot asses to you all! Will update soon.

Superuser swag now available

Our new friends, rootzwiki.com have decided to offer more than just rootz wiki gear. They have now started offering Superuser swag. Get your t-shirts, hoodies, thongs and more there. You can also get your rootz wiki and clockworkmod gear there too. The quality is exceptional and these guys make every item as it’s ordered.

Here’s the link for your awesome new swag! https://www.exactservers.com/store/index.php?main_page=index&amp;cPath=25

Hope you enjoy it as much as we have. MrsChains will be rocking her superuser hoodie and her boy shorts soon. We’ve already been rocking out our Got Root shirts. This is the only place that has authorized Superuser Swag, so if you are seeing it for sale elsewhere, it’s not approved by us.