TEMPORARY ROOT APPLICATIONS & WALLACE TOOLBOX
To gain root access on an embedded Linux device such as an Android phone, we are often forced to patch partitions, either to add "busybox" to /system/bin or to change permissions directly in the /boot partition.
On this page I will try to explain how the individual apps work, paying particular attention to the Wallace project, which contains a real library for implementing root privileges and more.
All the applications in our resources will be listed in chronological order, starting from the least powerful (Telnetd) to the most complete (Wallace Toolbox).
Read their characteristics carefully, so that you can choose the right application for your KaiOS device. In fact, it is very likely that some features or even the whole application may not work, for reasons ranging from software features to hardware.
NOTE: installing them is not risky for the device, but what you might accidentally do with them can be. It's your full responsibility to learn about these apps and how to use them, at your own risk!
The origins of root app development
In the past, to run a root shell on the Nokia 8110 4G we had to push scripts to /data/local/tmp and use a link from the internal browser app, thanks to a security bug in the firmware versions prior to 14 (never released in the West, perhaps for this reason) that was fixed with firmware updates 15 and 16 (learn more about navigator.kaiosExtension). Obviously these scripts are useless nowadays if you want to get root privileges on a newer phone, but you can learn about alternative uses for them in another guide on this website, dedicated to the "locked devices".
Telnetd, the first root app for KaiOS
from a PC, the command telnet 192.168.1.125 (for example; just use the IP shown on the display) will connect you to your phone;
from the adb shell you need the command busybox telnet localhost instead, and it is faster because it uses USB instead of WLAN.
NOTE: most of the guides on this website have been written on the assumption that you use this kind of connection. With a different root app you don't need to write "busybox" every time, or "busybox telnet localhost" after the adb shell command, and where needed you write "exit" only once.
ADBroot, an easier way to root Nokia 8110 4G
To enable root access until the next reboot, just press the ENABLE button. To disable root access, press DISABLE. Its power comes from shipping its own adbd binary file.
Like Telnetd, it was initially designed to work on the Nokia 8110 4G. Although these two applications seem similar, they act differently to perform the same function. The idea of bundling important binary files directly within the application inspired later versions that could work on KaiOS devices other than Nokia.
Wallace: a more extensible root app for KaiOS
Wallace has the potential to work on phones without busybox, since it carries its own unzip binary and uses its own resource loader function. So, besides rooting, this is also a testbed for sandbox escaping (at least for an app with "certified" permission):
Just press the central D-pad key and wait until the Niander Wallace silhouette fully comes up. Your ADB shell is then rooted until the next reboot.
There's also a "secret" privileged factory reset feature (with a confirmation prompt, of course) if you press # instead of the central key.
General flow is as follows:
1. First, a fitting master extension is selected depending on the platform (the choice is made among engmodeExtension, jrdExtension and kaiosExtension);
2. The resource loader method (see below) is called to fetch the "unzip" binary from the app resources into /data/local/tmp/unzip;
3. With the help of the selected master extension's startUniversalCommand method, a concatenated command is run to:
   - stop the adbd service;
   - move the unzip binary from /data/local/tmp/unzip to /sbin/unzip and adjust its permissions (since the /sbin structure is volatile until the next reboot);
   - run the unzip command against the local application package to extract the adbd binary to /sbin;
   - adjust the new /sbin/adbd permissions and start the adbd service again;
   - remove the leftover folder from primary storage if it's empty.
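The flow above leaves recognisable traits in the app package itself, which is useful when reviewing a package before sideloading it. The following is an added example, not code from the Wallace project: the rule names, the sample package and its file layout are assumptions, and the manifest fields follow the B2G manifest.webapp format.

```javascript
// Added example (not Wallace project code): static review of an unpacked KaiOS package.
// `files` maps package paths to text content; rule names are this example's own.
const MASTER_EXTENSIONS = ['engmodeExtension', 'jrdExtension', 'kaiosExtension'];
const WEB_ASSET = /\.(js|html?|css|json|webapp|png|jpe?g|gif|svg|properties|woff2?)$/i;

function auditPackage(files) {
  const findings = [];
  let manifest = {};
  try {
    manifest = JSON.parse(files['manifest.webapp'] || '{}') || {};
  } catch (e) {
    findings.push({ rule: 'manifest-unparseable', file: 'manifest.webapp' });
  }
  if (manifest.type === 'certified') findings.push({ rule: 'certified-app', file: 'manifest.webapp' });
  const perms = manifest.permissions;
  if (perms && typeof perms === 'object' && 'device-storage:sdcard' in perms) {
    findings.push({ rule: 'sdcard-storage-permission', file: 'manifest.webapp' });
  }
  for (const [path, text] of Object.entries(files)) {
    if (!WEB_ASSET.test(path)) {
      // Not a web asset: could be a bundled native binary; inspect it by hand.
      findings.push({ rule: 'non-web-resource', file: path });
      continue;
    }
    if (!/\.(js|html?)$/i.test(path)) continue;
    for (const name of MASTER_EXTENSIONS) {
      // Covers navigator.name as well as navigator['name'] / navigator["name"].
      const re = new RegExp(
        'navigator\\s*(?:\\.\\s*' + name + '\\b|\\[\\s*[\'"]' + name + '[\'"]\\s*\\])');
      if (re.test(text)) findings.push({ rule: 'master-extension:' + name, file: path });
    }
    if (/\bstartUniversalCommand\b/.test(text)) findings.push({ rule: 'shell-command-bridge', file: path });
  }
  return findings;
}

// Constructed sample package, not taken from any real app.
const samplePackage = {
  'manifest.webapp': JSON.stringify({
    name: 'sample', type: 'certified',
    permissions: { 'device-storage:sdcard': { access: 'readwrite' } }
  }),
  'js/app.js': "var ext = navigator.engmodeExtension || navigator['jrdExtension'];\n" +
               'ext.startUniversalCommand(cmd);',
  'rsrc/adbd.bin': '<binary placeholder>',
  'index.html': '<title>sample</title>'
};
console.log(auditPackage(samplePackage).map(f => f.rule + ' @ ' + f.file).join('\n'));
```

A package that is certified, references a master extension and startUniversalCommand, and ships non-web resources matches the pattern described here and deserves a manual look at what the bundled files are.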
The most interesting part of this app is the "Resource loader", which relies on the fact that main storage [used by the B2G API method navigator.getDeviceStorage("sdcard")] can always be referred to as /storage/self/primary/ in the actual FS tree. The only issue is that in some cases (for instance, on 8110 v16 without an SD card) the actual storage is mounted onto /storage/self/primary/0 but, due to some bug, the root of the B2G "sdcard" storage handle still refers to /storage/self/primary/ itself, so attempts to write to the root result in a DOM error. Hence, the logic of the loader method is as follows:
1. Shape the XHR with the "application/octet-stream" content type and the "blob" response type to fetch the necessary resource file. On success, go to the next step; otherwise return an operation error.
2. Retrieve the storage handle with navigator.getDeviceStorage("sdcard") and try writing the resulting blob to the 0/tmpbin.bin file (relative to the B2G storage root, not the physical location). On success, go to the next step; otherwise return an operation error.
3. With the help of the selected master extension's startUniversalCommand method, run the command to move the file (found with the find command within the /storage/self/primary/ tree, because its location might be either /storage/self/primary/tmpbin.bin or /storage/self/primary/0/tmpbin.bin) to the target location. Return operation success.
Consult the libraries of the Wallace project on the official GitHub repository for more information:
Wallace "full" and "lite" versions
This application was strongly inspired by ADBroot, with the aim of being more extensible. In fact there are several variants of Wallace, which differ according to the device they are intended for:
A fork for Spreadtrum-based KaiOS devices
Wallace Toolbox, the best app ever!
The first release of Wallace Toolbox was published by Luxferre on December 7, 2019. As you may have guessed, Wallace uses its internal libraries to temporarily root a device. However, it was only a first experiment to test something wider, which can enrich a device with various additional functions. Even the installation of third-party applications relies on extensions and libraries present on the system but, as has already happened with the Jio Phone, these extensions can be lost through updates aimed at ensuring the total dependence of a device on the exclusive services of OEMs.
Wallace Toolbox is the most complete app ever! Once the application has started, a screen will appear on which the various functions are listed, each connected to a phone button.
We can consider this application a sort of "secure patch" that adds some functions already present on GerdaOS, the first real custom ROM for the Nokia 8110 4G, but obviously security always depends on how you use this application on your devices.
How it works
Each screen option is associated with a different color, which depends on the danger of the operation to be performed and, often, on the type of KaiOS device on which Wallace Toolbox is running:
the WHITE options are the safest to use;
the RED ones involve changes that can erase data or stop updates;
those that appear GRAY will not be available for a specific device.
Below, in detail, what each key is used for in Wallace Toolbox:
1. ADB root (needs Busybox for the operation, you may use OmniBB to install it if missing)
2. Call recording on/auto/off (works on KaiOS 2.5.2 and higher, tested on Nokia 2720 Flip and Nokia 800 Tough)
3. Install application package (OmniSD/GerdaPkg compatible, works when developer menu is enabled, tested on Nokias only)
4. Override TTL when tethering until reboot (Qualcomm devices only)
5. Edit IMEI1 (Nokia and MediaTek devices only)
6. Edit IMEI2 (Nokia and MediaTek devices in DSDS configuration only)
7. Toggle browser proxy on/off
8. Set browser proxy host and port
9. Override user agent (dangerous: affects KaiStore accessibility, can't be reset until the factory reset or manual device preferences editing in WebIDE)
0. Toggle diagnostics port (Qualcomm devices only)
*. Run overclocking script (Qualcomm devices only)
#. Enable developer menu and privileged access (via cache injection method)
Call. Edit Wi-Fi MAC address (Nokia and MediaTek devices only, temporary for MediaTeks)
Left soft key. Edit Bluetooth MAC address (Nokia devices only)
Right soft key. Make all apps removable (needs Busybox).
NOTE: in many countries of the world it is illegal to modify the IMEI; in that case use this tool only to repair it! This guide is for educational purposes only! I take no responsibility in case of loss of updates or malfunctions of your device!
History and support for Mediatek and Spreadtrum
Version 0.0.2 was released on July 2, 2020, with the following changes:
the IMEI editor also works for MediaTek KaiOS handsets (autodetecting whether it's a Qualcomm Nokia or an MTK);
the Wi-Fi MAC address can be changed on Nokias.
Version 0.0.3 was released on July 3, and was just an important update to implement root access for all devices with Busybox, not just Nokias.
Version 0.0.4 was released on July 4, thanks to the contribution of Fabio Malagas (on Discord):
the TTL fixer is limited to Qualcomms only (didn't work on MTK anyway) for the time being;
the ADB root really works on Busybox-enabled Unisoc handsets just as well as on MTK and Qualcomms;
the rooting function will attempt to install and start adbd even without the previously running ADB service (no bug icon will appear in that case though).
Version 5 was released on July 9, with the following features:
getting to the privileged developer mode (# key function) no longer requires a factory reset - it uses direct cache injection with both /cache and /persist partitions where applicable, and just reboots after the operation;
added experimental Wi-Fi MAC editor for MediaTek platform (unlike Nokias, works only after re-toggling Wi-Fi manually and until reboot);
added experimental Bluetooth MAC editor for Qualcomm Nokias.
Version 6 was released on September 28, with an option to make all pre-installed apps removable (requires Busybox).
OmniBB: temporary Busybox installer
OmniBB was released on July 3, 2020, together with Wallace Toolbox v0.0.3. This utility installs Busybox into /sbin until the next reboot.
Besides everything else, it allows the rooting functions of Wallace Toolbox (0.0.3+) and the extractAppAsset method from libWallace to function correctly on devices that didn't have Busybox installed. Tested on MediaTeks; needs testing on Unisoc/Spreadtrum devices.
Terminal emulator on KaiOS
The terminal emulator for KaiOS was developed by Affe Null and published on May 28, 2020, on Google Groups. The app starts a telnet server (just like Telnetd) listening on 127.0.0.1 (localhost) and connects to it with the mozTCPSocket API. Use the call key as control key, '#' to toggle lowercase/uppercase, left soft key as tab. It lets you input special characters and also change the default foreground/background colors.
NOTE: it can be used together with OmniBB on devices that do not have Busybox.