Rooted my Nikon Coolpix S800c on Oct 15, 2012

The GingerBreak-v1.20.apk app from this xda-developers post did not work, but it mysteriously acted like it thought it had worked.

The GingerBreak executable from the GingerBreak.tgz tar file obtained from the initial gingerbreak exploit web site did, however, work when I ran it manually via adb. (Note that you may need to do some of the stuff I describe over here to get adb working on this thing.)

The mount command reveals a strange looking set of mountpoints. Most android devices I've seen have /system as a mount point, but on the camera, the only readonly mountpoint was /dev/root mounted on / readonly (ext4), no separate mountpoint for /system.

# mount
rootfs / rootfs rw 0 0
/dev/root / ext4 ro,relatime,barrier=1,data=ordered 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
/dev/block/mmcblk0p6 /data ext4 rw,nosuid,relatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p5 /cache ext4 rw,nosuid,relatime,barrier=1,data=ordered 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/vold/179:3 /mnt/sdcard mickxx_vfat rw,dirsync,nosuid,nodev,noexec,relatime 0 0
/dev/block/vold/179:3 /mnt/secure/asec mickxx_vfat rw,dirsync,nosuid,nodev,noexec,relatime 0 0
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
/dev/block/vold/252:1 /mnt/sdcard/external_sd mickxx_vfat rw,dirsync,nosuid,nodev,noexec,relatime 0 0

Having achieved root with the exploit, and not having any su binaries handy, I did this hack so I could easily get root access again:

mount -o remount,rw /dev/root /
cd /system/bin
cat sh > rootsh
chown root rootsh
chmod 4755 rootsh

Then I rebooted the camera to back out any strange side effects of gingerbreak and test my rootsh hack.

Getting back into adb after reboot, I typed rootsh and was rewarded with a # prompt. It works! Now I just need a real su...

After various futile attempts to dig something up, I finally found the .zip file download for flashing the SuperSu app: I unzipped it, found the su binary, pushed it to a writable location on the camera with adb, then did a similar trick to the one above to get the app installed with setuid access in /system/xbin.

One more reboot to get everything back to a normal state, and I can install SuperSu from Google Play. I run it, it tells me it needs to update the binary, and finally I have a proper working su!

I try to install busybox the via busybox installer and it keeps saying it failed to install busybox. Maybe the funny mountpoints confuse it? I manually run the remount again to make root rw, and then I am able to install busybox in /system/bin. Finally, real commands I can type!

Next, I install Titanium Backup and Gemini App Manager (they seem to get root access OK, as does FileExpert now that I have su).

Next up: Try the experiments I've seen on the net related to cell standby eating batteries on tablets with no cell radios:

mount -o remount,rw /dev/root /
cd /system/app
mv TelephonyProvider.apk TelephonyProvider.OLD
mv Phone.apk Phone.OLD
mount -o remount,ro /dev/root /

Then get all charged up to reset the battery statistics and see if cell standby is still eating the whole camera...

Nope, The dialg box saying “The application (process has stopped unexpectedly. Please try again.” keeps popping up incessantly. Someone really wants to run this thing bad :-).

Let's put the Phone.apk back and try the Block App feature in Gemini App Manager for the phone call app.

That didn't work, but I realized that I foolishly forgot to shutdown/power cycle the phone the first time I renamed the phone apk file. I did it again, and this time did the proper power cycling, and it is amazing, but the cell standby stat is finally gone!

Of course, I have no idea if the battery will actually last any longer, but at least it isn't talking about hardware that doesn't exist using the battery anymore :-) [and after using it for an evening after all these changes, the battery seems to be draining about as fast as always, so maybe all this accomplished was making the statistics more accurate].

Meanwhile, having rooted this thing, I can take a look at reverse engineering the camera to see if I can find any clues.

Page last modified Fri Oct 26 18:12:07 2012