In some devices "persist.service.adb.enable=1" already exists, but it becomes useless without "ro.secure=0" and "ro.debuggable=1".

There are two known ways to get ADB shell on some locked devices:

1. just dial the secret code *#*#33284#*#*, a bug icon should appear in the taskbar

In this guide I will show you how to use some simple ADB commands in detail to perform searches like secret codes, run scripts locally or explore the device without root permissions, where possible.

Where read-only can be accessed we can explore the device, particularly in the system partition, using the "ls" command. To know the basic commands available on the system, we can type the command:

adb shell ls /system/bin

all the files listed in /bin correspond to the commands available in the normal shell.

1. Now that you've downloaded the "webapps" folder, extract all the application.zip files contained in the sub-folders:

for f in $(find . -type d); do unzip $f/application.zip -d $f/app/; done

in this way all the content of the application.zip files will be extracted into several new folders named "app".

2. Run the search filter, here for example there are the various correspondences to the sequences between # and * and the numbers from 0 to 9:

grep -EIro '[*#]+[0-9]+#[*#]*' .

if you want you can configure this command using different terms, for example:

grep -EIro 'debug' .

this will list all the files containing the word "debug", but this is just an example.

3. Read inside the file of each path the functions of those codes extracted. Be careful not to type in the codes right away, you may have unwanted effects on your device.

Busybox is a very important binary file within Linux systems, as it allows you to perform all possible actions with root privileges, that's why many manufacturers remove it from their devices. It is usually found in /system/bin, but if it is removed you can take advantage of it from the busybox official website (you can also rename it to made it easier to use, for example "busybox-armv7l" become "busybox") from a more accessible path for a common user:

adb push busybox /data/local/tmp

adb shell

cd /data/local/tmp

chmod +x busybox

./busybox

The shell will respond by showing all commands available in busybox. You can repeat the same operation with any file or folder you wish to insert in "tmp". Note that to use any file from /data/local/tmp or in any other path, you must always add "./" if the shell starts from there (we used cd /data/local/tmp for convenience).

After placing "busybox" in /data/local/tmp and enabling local permissions, you can extract a copy of many system files to a .tar archive on the SD card with the command:

./busybox tar -cvf /sdcard/system.tar /system

now you can study many more things about the system.

Here are what the scripts were and how they worked:

• tnroot (video) uses busybox over telnet, then after the installation you need to perform the command busybox telnet localhost to get the root shell;

• adbroot is more direct, because you can use a root shell directly after adb shell.

Download one between tnroot or adbroot, in the following example replace the word "SCRIPT" with one between them:

1) perform the commands

adb push SCRIPT /data/local/tmp

adb shell

cd /data/local/tmp

chmod +x SCRIPT

./SCRIPT

2) open the following url in phone's browser: http://localhost:8080

3) click the button on the phone's browser to confirm (for adbroot this will close "adb shell");

4) perform the command:

• For adbroot you have to re-open adb shell;

• For tnroot, that doesn't close the shell, just perform busybox telnet localhost