BLOCKED DEVICES

This is a dynamic page, dedicated to those who have at least ADB access on their device. Any change will be solely and exclusively due to you and your feedback.

In fact this will not be a complete guide without your help. We have a problem to solve and we can all do it together.

The problem to be solved is getting root access on devices that have at least ADB access but without debugging.

If you don't know what ADB and Fastboot are, read the dedicated guides.

How to start

Get ADB access on your device

Alcatel Go Flip 3 / SMARTFLIP (USA)
Alcatel MyFlip by Tracfone (USA)
BLU Zoey Smart (Venezuela)
  1. On Alcatel MyFlip by Tracfone (USA), BLU Zoey Smart (Venezuela) and Alcatel Go Flip 3 (USA) just dial the secret code *#*#33284#*#*; a bug icon should appear in the taskbar*;
  2. On Doro press "VolumeDown + Power"; the phone will start in FFBM and from there you can run the command adb shell start b2g.


* If you have another device and the secret code is not enough to enable adb, try dialing the additional code *#*#0574#*#*

The /data/local/debugger-socket required for debugging seems to be missing. Without it we can't connect to WebIDE or execute the command

adb forward tcp:6000 localfilesystem:/data/local/debugger-socket

or debugging in general. All we can do is use basic commands to start a more in-depth search.

Explore the directory structure with "ls"

Where read-only access is available we can explore the device, particularly the system partition, using the ls command. To see the basic commands available on the system, we can type the command:

adb shell ls /system/bin

All the files listed there correspond to the commands available in the shell.

Download folders and files with "pull"

Often the pull command works to extract single files or even a complete folder (unless it contains some files with special permissions). The files will be downloaded in alphabetical order. To get the folder containing all the pre-installed applications:

adb pull /system/b2g/webapps

Now you can start a thorough search to find all possible information, such as secret codes.

Find secret codes using "grep"

The "grep" command is used to search for terms and combinations of symbols (which can be replaced with numbers and letters).

If your device has ADB access, with or without debugging, all you need to do is extract the folder containing the pre-installed apps and search through it.

1. Now that you've downloaded the "webapps" folder, extract all the application.zip files contained in the sub-folders:

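find . -type f -name application.zip -execdir unzip {} -d app/ \;

This way the content of each application.zip file is extracted into a new folder named "app" next to it. Unlike a loop over every directory, this only runs unzip where an application.zip exists and also works with folder names that contain spaces.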

2. Run the search filter. This example matches sequences of # and * around digits from 0 to 9:

grep -EIro '[*#]+[0-9]+#[*#]*' .

If you want, you can adapt this command to search for different terms, for example:

grep -EIro 'debug' .

This will list every occurrence of the word "debug" together with the file that contains it, but this is just an example.

3. Open the file at each listed path and read what the extracted codes do. Be careful not to dial the codes right away; they may have unwanted effects on your device.
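An added example, not part of the original guide: a small shell helper that turns the grep search above into an inventory (which code appears in which file and line) and prints the source lines that mention a code, so its function can be read before it is dialed. The sample tree and the handler names in it are constructed for illustration; only the two codes *#*#33284#*#* and *#*#0574#*#* come from this page.

```shell
#!/bin/sh
# Added example (not from the original page): inventory the dial codes found
# in extracted webapps so each can be read in context before it is dialed.

CODE_RE='[*#]+[0-9]+#[*#]*'   # same pattern as the grep command on this page

# list_codes DIR: one "CODE<TAB>FILE:LINE" row per hit, sorted, de-duplicated.
# Fields are taken from the right so a ':' in a file path does not break it.
list_codes() {
    grep -EIrno -e "$CODE_RE" "$1" | awk -F: '{
        file = $1
        for (i = 2; i < NF - 1; i++) file = file ":" $i
        print $NF "\t" file ":" $(NF - 1)
    }' | sort -u
}

# count_codes DIR: "HITS<TAB>CODE" per distinct code, sorted by code.
count_codes() {
    list_codes "$1" | awk -F'\t' '{ n[$1]++ } END { for (c in n) print n[c] "\t" c }' | sort -k2
}

# show_context CODE DIR: the full source lines that mention CODE (fixed-string
# match, so "*" and "#" are literal), which is where its handler is named.
show_context() {
    grep -rInF -e "$1" "$2"
}

# make_sample: build a tiny CONSTRUCTED webapps tree; handler names are made up.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/dialer/app/js" "$d/settings/app/js"
    cat > "$d/dialer/app/js/codes.js" <<'EOF'
var CODES = {
  '*#06#': showImeiExample,
  '*#*#33284#*#*': toggleDebuggerExample
};
EOF
    cat > "$d/settings/app/js/hidden.js" <<'EOF'
if (input === '*#*#0574#*#*') { openLoggerExample(); }
if (input === '*#*#33284#*#*') { toggleDebuggerExample(); }
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
count_codes "$sample"
show_context '*#*#33284#*#*' "$sample"
rm -rf "$sample"
```

On a real extraction, run count_codes and show_context against the pulled webapps folder instead of the sample tree.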

You can "push" things on /data/local/tmp

This is the most interesting part. What we have seen so far is the study of the moves available to us by default; the push command lets us interact with the device, and more precisely with the /data/local/tmp folder. For example, you can push busybox if it has been removed from /system/bin:

adb push busybox /data/local/tmp

To use it (using the cd command to enter the temporary folder):

adb shell
cd /data/local/tmp
chmod +x busybox
./busybox

The shell will respond by showing all the commands available in busybox. You can repeat the same operation with any file or folder you want to put in "tmp". For example, you can push a script that collects a whole series of commands to test.

And that's where the problems come from (and that's where I got stuck). Unfortunately, I was unable to obtain the necessary permissions to start certain actions. Personally, working on the Doro 7060 I often receive "Permission denied" messages. I obtained the most consistent results after stopping b2g and working on a black screen, using the command:

adb shell stop b2g

It's not much, but I got different answers, for example when trying to start a randomly modified b2g.sh file. I didn't get a consistent result, but at least I got a different response from the shell and the device.

I had to start the server again to get back to normal mode, and the boot has not removed the files from the temporary folder (because after a reboot you have to "re-push" everything again to tmp). After several months I can say that this is a start! Now it's up to you to complete this research with me.

Thanks for your cooperation.

Learn about root scripts (if they still work)

In the past, to run a root shell on the Nokia 8110 4G we needed to put scripts in /data/local/tmp and execute them using a link from the browser. This was possible thanks to a security hole present in all the firmware versions prior to 14 (never released in the West, perhaps for this reason). This discovery may have alerted the developers of KaiOS, who a few months later released firmware updates 15 and 16 (KaiOS 2.5.1). In fact the new update disables access to navigator.kaiosExtension, an extension for Gecko used in HMD and TCL firmwares to control some system functionality.

  • tnroot (video) uses busybox over telnet, then after the installation you need to perform the command busybox telnet localhost to get the root shell;
  • adbroot is more direct, because you can use a root shell directly after adb shell.

Download either tnroot or adbroot; in the following example replace the word "SCRIPT" with the one you chose:

1) perform the commands

adb push SCRIPT /data/local/tmp
adb shell
cd /data/local/tmp
chmod +x SCRIPT
./SCRIPT

2) open the following url in phone's browser: http://localhost:8080

3) click the button on the phone's browser to confirm (for adbroot this will close "adb shell");

4) perform the command:

  • For adbroot you have to re-open adb shell;
  • For tnroot, that doesn't close the shell, just perform busybox telnet localhost

These scripts are currently useless if you still want to rely on certain extensions, especially if these have been disabled by new updates. But read the scripts and modify them based on the use you make of them and the device you use them on; you could be successful in some way. Happy Hacking!