2nd-init POC for kyocera Rise

2nd-init

Replace file with
https://github.com/Hashcode/android_device_safestrap-common/blob/master/sbin/2nd-init

busybox

Replace file with any busybox binary which supports unzip

hijack.killall

#!/sbin/busybox sh
# from https://github.com/Hashcode/android_device_safestrap-common/blob/master/sbin/hijack.killall
PATH=/sbin
SKIP_SERVICE=${1}
## BEGIN KILL ALL ##
busybox sleep 1s

# kill all services
for i in $(getprop | busybox grep init.svc | busybox sed -r 's/^\[init\.svc\.(.+)\]:.*$/\1/'); do
  if busybox [[ ! "${i}" = "$SKIP_SERVICE" ]]; then
		echo "stopping ${i}"
		stop ${i}
		busybox sleep 1
	fi
done

# unmount /tmp
echo "umount /tmp"
for i in $(busybox seq 1 10); do
	TMP=$(busybox mount | busybox grep /tmp)
	if busybox [[ -z "$TMP" ]] ; then
		break
	fi
	busybox umount -l /tmp
	busybox sleep 1
done

# unmount all yaffs2 partitions
for i in $(busybox seq 1 10); do
	TMP=$(busybox mount | busybox grep yaffs2 | busybox awk '{print $3}')
	if busybox [[ -z "$TMP" ]] ; then
		break;
	fi
	for j in $(busybox mount | busybox grep yaffs2 | busybox awk '{print $3}'); do
		echo "umount -l $j"
		busybox umount -l "$j"
	done
	busybox sleep 1
done

# unmount all ext3 partitions
for i in $(busybox seq 1 10); do
	TMP=$(busybox mount | busybox grep ext3 | busybox awk '{print $3}')
	if busybox [[ -z "$TMP" ]] ; then
		break;
	fi
	for j in $(busybox mount | busybox grep ext3 | busybox awk '{print $3}'); do
		busybox umount -l "$j"
	done
	busybox sleep 1
done

# unmount all ext4 partitions
for i in $(busybox seq 1 10); do
	TMP=$(busybox mount | busybox grep ext4 | busybox awk '{print $3}')
	if busybox [[ -z "$TMP" ]] ; then
		break;
	fi
	for j in $(busybox mount | busybox grep ext4 | busybox awk '{print $3}'); do
		busybox umount -l "$j"
	done
	busybox sleep 1
done

# kill any existing adbd processes
busybox kill $(busybox ps | busybox grep adbd)
#busybox echo "msc_adb" > /dev/usb_device_mode
busybox kill -s KILL `busybox ps | busybox grep ueventd | busybox head -n 1 | busybox sed 's_ root       [0-9]* [A-Z]    /sbin/ueventd__'`

# try to remove our sockets!
busybox rm -f /dev/socket/*

run.bat

@echo off
cls
color 0E
TITLE ║2nd-init Prof of Concept for Kyocera Rise by dtalley11║
echo ███████████████████████████████████████████████████████████████████████████████
echo ▌     ▄                                                                       ▐
echo ▌     █      After this script is done, your phone will boot into TWRP.       ▐
echo ▌     ▀                 Make sure your phone is ready for adb                 ▐
echo ▌     ▀                                                                       ▐
echo ███████████████████████████████████████████████████████████████████████████████
pause
cls
color 0A
echo ███████████████████████████████████████████████████████████████████████████████
echo ▌                                                                             ▐
echo ▌                     Setting up Files for Temp. Recovery                     ▐
echo ▌                                                                             ▐
echo ███████████████████████████████████████████████████████████████████████████████
adb shell su -c "echo 'started 2nd-init batch file' > /dev/kmsg"
echo pushing TWRP zip
adb push TWRP.zip /sdcard/
rem echo pushing killall script
rem adb push hijack.killall /sdcard/
echo pushing busybox
adb push busybox /sdcard/
echo pushing stage2 script
adb push stage2.sh /sdcard/
echo pushing 2nd-init
adb push 2nd-init /sdcard/
echo mounting root as writable
adb shell su -c "echo 'mounting root as writable' > /dev/kmsg"
adb shell su -c "mount -wo remount rootfs /"
echo unlinking /etc
adb shell su -c "echo 'unlinking /etc' > /dev/kmsg"
adb shell su -c "rm /etc && mkdir /etc"
echo copying busybox to sbin
adb shell su -c "cat /sdcard/busybox > /sbin/busybox"
echo copying 2nd-init to sbin
adb shell su -c "cat /sdcard/2nd-init > /sbin/2nd-init"
echo copying stage 2 script to sbin
adb shell su -c "cat /sdcard/stage2.sh > /sbin/stage2.sh"
rem echo copying killall script to sbin
rem adb shell su -c "cat /sdcard/hijack.killall > /sbin/hijack.killall"
echo making busybox executable 
adb shell su -c "chmod 777 /sbin/busybox"
echo making 2nd-init executable 
adb shell su -c "chmod 777 /sbin/2nd-init"
echo making killall exicutable
adb shell su -c "chmod 777 hijack.killall"
echo extracting TWRP to rootfs
adb shell su -c "ln -s /sbin/busybox /sbin/unzip"
adb shell su -c "echo 'extracting TWRP' > /dev/kmsg"
adb shell su -c "unzip -q -o /sdcard/twrp.zip -d /"
rem echo starting stage2 script
rem adb shell su -c "echo 'passing off to stage 2' > /dev/kmsg"
rem adb shell su -c "sh /sbin/stage2.sh"
echo starting 2nd-init
adb shell su -c "/sbin/2nd-init"
echo .
echo All Done! The magic should be happining now!
pause

stage2.sh

#!/sbin/busybox sh
echo "starting killall script"
echo "starting killall script" > /dev/kmsg
busybox sh /sbin/hijack.killall
echo "starting 2nd-init"
echo "starting 2nd-init" > /dev/kmsg
/sbin/2nd-init

twrp.zip

grab the files out of http://downloads.codefi.re/dtalley11/ramdisk-recovery.img and put them in a zip file (7-zip does it just fine)