rooting - How to Root SpreadTrum SC6830 Kernel 2.6.35.7

Model - Callbar A1
Android - 2.3.5
Kernel Version – 2.6.35.7
Software version – 2.3.001.P1.12065
Hardware version – P1
CPU – SC6820 (1 GHz.)
Screen – 3.5” HVGA

I tried several methods such as Doom Lord, Super One Click, Unlock Root, Z4Root to root the phone but none worked.

Tried ADB to manually root the phone through commands but almost every command returns – “Permission Denied” or “Read Only System”. However files su, SuperUsr.apk, Busy Box were easily pushed into /data/local/tmp. Further steps like making local.prop and onwards could not be executed and returned above stated errors.

Also tried modifications by putting update.zip on SD Card root and running Android Recovery System but this method also returned error “Signature Verification Failed”.

Tried Nautilus on Linux Mint with OpenSSH while running DroidSSH on the phone but could not mount device by any means.

Scanned my device with ‘X-Ray’ app which reported that device or firmware I am using had been patched and is not vulnerable to any of the exploit available at the moment.

I desperately need rooting to remove pre-installed bloatwares and applications to free internal memory which is very less. I am trying to root phone for the last several days but every method has failed. Can any one help ?

I am providing complete details of System Memory Map, MTD Tables, Symbolic Links, Directory Permissions and File Permissions of my android phone. I hope some one having knowledge of android system can help me by suggesting custom exploit after going through details given below.

## system memory map

00000000-00000000 : sprd-battery.0


00000061-00000061 : sprd-sdhci.0

00000064-00000064 : sprd-sdhci.1

00463000-0047ffff : System RAM

004e0000-004fefff : System RAM

01a00000-0fffffff : System RAM


0452c000-04a08fff : Kernel text

04a24000-04b65a67 : Kernel data

0eee0000-0eefffff : ram_console.0

84000000-840000ff : NK reserved I/O

8e002000-8e002fff : sprd_spi.0


8e003000-8e003fff : sprd_spi.1

9c004300-9c004400 : example.0

a0010000-a0010097 : Mali-300 GP

a0011000-a001102f : Mali-300 L2 cache

a0012000-a0012027 : Mali-300 PMU


a0013000-a0013023 : Mali-300 MMU for GP

a0014000-a0014023 : Mali-300 MMU for PP

a0018000-a00190ef : Mali-300 PP

e0002000-e0002fff : sc8800g_dcam.0

e0006000-e0006fff : sprd-sdhci.0


e0007000-e0007fff : sprd-sdhci.1

e0010000-e0017fff : sprd_nand

e0024000-e0024fff : serial_res0

e0025000-e0025fff : serial_res1

e0028000-e0028fff : sc8810-i2c.0


e0029000-e0029fff : sc8810-i2c.1

e002a000-e002afff : sc8810-i2c.2

e002b000-e002bfff : sc8810-i2c.3

e0036000-e0036fff : serial_res2

e0037280-e00372c4 : sprd-tp.0


e003c000-e013bfff : dwc_otg.0

## mtd table

NAND device: Manufacturer ID: 0x2c, Chip ID: 0xbc (Micron NAND 512MiB 1,8V 16-bit)

Good Block: 4034  Bad Block: 0  Reserved Block: 62

dev:        size       erasesize  name

mtd0: 00040000 00020000 "spl"


mtd1: 00080000 00020000 "2ndbl"

mtd2: 00040000 00020000 "params"

mtd3: 00080000 00020000 "vmjaluna"

mtd4: 00a00000 00020000 "modem"

mtd5: 003c0000 00020000 "fixnv"


mtd6: 003c0000 00020000 "backupfixnv"

mtd7: 00500000 00020000 "dsp"

mtd8: 003c0000 00020000 "runtimenv"

mtd9: 00a00000 00020000 "boot"

mtd10: 00a00000 00020000 "recovery"


mtd11: 10e00000 00020000 "system"

mtd12: 07800000 00020000 "userdata"

mtd13: 03c00000 00020000 "cache"

mtd14: 00040000 00020000 "misc"

mtd15: 00100000 00020000 "boot_logo"


mtd16: 00100000 00020000 "fastboot_logo"

mtd17: 003c0000 00020000 "productinfo"

mtd18: 00080000 00020000 "kpanic"

## symbolic links

symlink("/data/bin/bash","/system/xbin/bash");


symlink("/data/bin/oprofile/lop.dump","/system/xbin/lop.dump");

symlink("/data/bin/oprofile/lop.init","/system/xbin/lop.init");

symlink("/data/bin/oprofile/lop.reset","/system/xbin/lop.reset");

symlink("/data/bin/oprofile/lop.start.kernel","/system/xbin/lop.start.kernel");

symlink("/data/bin/oprofile/lop.start.user","/system/xbin/lop.start.user");


symlink("/data/bin/oprofile/lop.stop","/system/xbin/lop.stop");

symlink("/system/bin/alsa_aplay","/system/bin/alsa_arecord");

symlink("/system/sps/FT5206/firmware/ft5206_fw.bin","/system/etc/firmware/ft5206_fw.bin");

symlink("/system/sps/headset-soc/ko/headset.ko","/system/lib/modules/headset.ko");

symlink("/system/sps/mali/ko/mali.ko","/system/lib/modules/mali.ko");


symlink("/system/sps/mali/ko/ump.ko","/system/lib/modules/ump.ko");

symlink("/system/sps/msg2133/firmware/henghao_fw.bin","/system/etc/firmware/henghao_fw.bin");

symlink("/system/sps/msg2133/firmware/huangze_fw.bin","/system/etc/firmware/huangze_fw.bin");

symlink("/system/sps/msg2133/firmware/oufeiguang_fw.bin","/system/etc/firmware/oufeiguang_fw.bin");

symlink("/system/sps/rda5802/ko/rda5802.ko","/system/lib/modules/rda5802.ko");


symlink("/system/sps/rtl8723as/firmware/rlt8723a_chip_b_cut_bt40_fw","/system/etc/firmware/rtl8723as/rlt8723a_chip_b_cut_bt40_fw");

symlink("/system/sps/rtl8723as/firmware/rtk8723_bt_config","/system/etc/firmware/rtl8723as/rtk8723_bt_config");

symlink("/system/sps/rtl8723as/ko/8723as.ko","/system/lib/modules/8723as.ko");

symlink("/system/sps/snd_dummy_alsa_audio/ko/snd_dummy.ko","/system/lib/modules/snd_dummy.ko");

symlink("/system/sps/tools-binary/tools/boot_must_complete.sh","/system/xbin/boot_must_complete.sh");


symlink("/system/sps/tools-binary/tools/busybox","/system/bin/df");

symlink("/system/sps/tools-binary/tools/busybox","/system/bin/mkdir");

symlink("/system/sps/tools-binary/tools/busybox","/system/bin/rm");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/ash");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/busybox");


symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/bzip2");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/cp");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/du");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/env");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/find");


symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/grep");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/hexdump");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/killall");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/md5sum");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/reset");


symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/tar");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/uname");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/uptime");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/vi");

symlink("/system/sps/tools-binary/tools/busybox","/system/xbin/which");


symlink("/system/sps/tools-binary/tools/gcom.arm","/system/xbin/gcom.arm");

symlink("/system/sps/tools-binary/tools/gsnap.save_anr_tombstones.sh","/system/xbin/gsnap.save_anr_tombstones.sh");

symlink("/system/sps/tools-binary/tools/ll","/system/xbin/ll");

symlink("/system/sps/tools-binary/tools/localtime","/system/etc/localtime");

symlink("/system/sps/tools-binary/tools/logs4android.bt.service.sh","/system/xbin/logs4android.bt.service.sh");


symlink("/system/sps/tools-binary/tools/logs4android.bt.sh","/system/xbin/logs4android.bt.sh");

symlink("/system/sps/tools-binary/tools/logs4android.sdcard.umount.sh","/system/xbin/logs4android.sdcard.umount.sh");

symlink("/system/sps/tools-binary/tools/logs4android.sh","/system/xbin/logs4android.sh");

symlink("/system/sps/tools-binary/tools/logs4modem.sh","/system/xbin/logs4modem.sh");

symlink("/system/sps/tools-binary/tools/lrz","/system/xbin/lrz");


symlink("/system/sps/tools-binary/tools/lsof","/system/xbin/lsof");

symlink("/system/sps/tools-binary/tools/lsz","/system/xbin/lsz");

symlink("/system/sps/tools-binary/tools/mkcached.sh","/system/xbin/mkcached.sh");

symlink("/system/sps/tools-binary/tools/mkinternal.sh","/system/xbin/mkinternal.sh");

symlink("/system/sps/tools-binary/tools/mkswapd.sh","/system/xbin/mkswapd.sh");


symlink("/system/sps/tools-binary/tools/preloadapp.sh","/system/xbin/preloadapp.sh");

symlink("/system/sps/tools-binary/tools/strace","/system/xbin/strace");

symlink("/system/sps/tools-binary/tools/tree","/system/xbin/tree");

symlink("/system/sps/tools-binary/tools/uevent","/system/xbin/uevent");

symlink("/system/sps/tools-binary/tools/upnvpropd.sh","/system/xbin/upnvpropd.sh");


symlink("iwmulticall","/system/bin/iwconfig");

symlink("iwmulticall","/system/bin/iwevent");

symlink("iwmulticall","/system/bin/iwgetid");

symlink("iwmulticall","/system/bin/iwlist");

symlink("iwmulticall","/system/bin/iwpriv");


symlink("iwmulticall","/system/bin/iwspy");

symlink("toolbox","/system/bin/cat");

symlink("toolbox","/system/bin/chmod");

symlink("toolbox","/system/bin/chown");

symlink("toolbox","/system/bin/cmp");


symlink("toolbox","/system/bin/date");

symlink("toolbox","/system/bin/dd");

symlink("toolbox","/system/bin/dmesg");

symlink("toolbox","/system/bin/getevent");

symlink("toolbox","/system/bin/getprop");


symlink("toolbox","/system/bin/hd");

symlink("toolbox","/system/bin/id");

symlink("toolbox","/system/bin/ifconfig");

symlink("toolbox","/system/bin/iftop");

symlink("toolbox","/system/bin/insmod");


symlink("toolbox","/system/bin/ioctl");

symlink("toolbox","/system/bin/ionice");

symlink("toolbox","/system/bin/kill");

symlink("toolbox","/system/bin/ln");

symlink("toolbox","/system/bin/log");


symlink("toolbox","/system/bin/ls");

symlink("toolbox","/system/bin/lsmod");

symlink("toolbox","/system/bin/lsof");

symlink("toolbox","/system/bin/mount");

symlink("toolbox","/system/bin/mv");


symlink("toolbox","/system/bin/nandread");

symlink("toolbox","/system/bin/netstat");

symlink("toolbox","/system/bin/newfs_msdos");

symlink("toolbox","/system/bin/notify");

symlink("toolbox","/system/bin/printenv");


symlink("toolbox","/system/bin/ps");

symlink("toolbox","/system/bin/reboot");

symlink("toolbox","/system/bin/renice");

symlink("toolbox","/system/bin/rmdir");

symlink("toolbox","/system/bin/rmmod");


symlink("toolbox","/system/bin/route");

symlink("toolbox","/system/bin/schedtop");

symlink("toolbox","/system/bin/sendevent");

symlink("toolbox","/system/bin/setconsole");

symlink("toolbox","/system/bin/setprop");


symlink("toolbox","/system/bin/sleep");

symlink("toolbox","/system/bin/smd");

symlink("toolbox","/system/bin/start");

symlink("toolbox","/system/bin/stop");

symlink("toolbox","/system/bin/sync");


symlink("toolbox","/system/bin/top");

symlink("toolbox","/system/bin/umount");

symlink("toolbox","/system/bin/uptime");

symlink("toolbox","/system/bin/vmstat");

symlink("toolbox","/system/bin/watchprops");


symlink("toolbox","/system/bin/wipe");

## diretory permissions

set_perm_recursive(0,0,0755,0644,"/system");

set_perm_recursive(0,0,0700,0644,"/system/lost+found");

set_perm_recursive(0,2000,0755,0755,"/system/bin");

set_perm_recursive(0,2000,0755,0755,"/system/xbin");

## file permissions

set_perm(0,0,0555,"/system/etc/ppp/ip-up-vpn");

set_perm(0,2000,0550,"/system/etc/init.goldfish.sh");

set_perm(0,2000,06750,"/system/bin/run-as");

set_perm(0,2000,0755,"/system/etc/pvplayer.cfg");


set_perm(0,2000,0755,"/system/etc/rc.local");

set_perm(0,2000,0755,"/system/opl/etc/vt_substitute.jpg");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/boot_must_complete.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/busybox");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/gcom.arm");


set_perm(0,2000,0755,"/system/sps/tools-binary/tools/gsnap.save_anr_tombstones.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/ll");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/localtime");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/logs4android.bt.service.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/logs4android.bt.sh");


set_perm(0,2000,0755,"/system/sps/tools-binary/tools/logs4android.sdcard.umount.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/logs4android.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/logs4modem.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/lrz");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/lsof");


set_perm(0,2000,0755,"/system/sps/tools-binary/tools/lsz");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/mkcached.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/mkinternal.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/mkswapd.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/preloadapp.sh");


set_perm(0,2000,0755,"/system/sps/tools-binary/tools/strace");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/tree");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/uevent");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/upnvpropd.sh");

set_perm(0,2000,0755,"/system/sps/tools-binary/tools/xmlprecopy.sh");


set_perm(0,3003,02750,"/system/bin/netcfg");

set_perm(0,3004,02755,"/system/bin/ping");

set_perm(1000,1000,0640,"/system/etc/bluetooth/auto_pairing.conf");

set_perm(1002,1002,0440,"/system/etc/bluetooth/audio.conf");

set_perm(1002,1002,0440,"/system/etc/bluetooth/input.conf");


set_perm(1002,1002,0440,"/system/etc/bluetooth/main.conf");

set_perm(1002,1002,0440,"/system/etc/dbus.conf");

set_perm(1014,2000,0550,"/system/etc/dhcpcd/dhcpcd-run-hooks");

set_perm(3002,3002,0444,"/system/etc/bluetooth/blacklist.conf");