Background steev's found out that init.rc runs a shell script called "install-recovery.sh" during boot with root privileges. The file is located in /etc which is also writable, so even with stock Android one should be able to copy files to this folder. More info in steev's initial post here. His solution requires that Python for Android to be installed, so I decided to create a "simpler" solution that only requires adb or terminal. This RootKit has su and Superuser.apk, both from signed package from adroidsu.com website. Should work with any MIDx024 (7024, 8024, 1024) tablet with Froyo installed. May work with other models if the requirements in the original thread by steev are met. PS: it seems that AllDro2 derived custom ROMs do not allow writing to /etc, so you cannot use this. Anyway, most custom ROMs already come with root activated so it's not a bid deal. PS2: I will check steev's suggestion for debuggered method and add an universal build if it works on both Froyo and Gingerbread. Installation 1. Using Terminal Emulator - download file, unzip contents to a folder (for instance, /sdcard/RootKit - it will hold 4 files: install-recovery.sh, patch2.sh, su and Superuser.apk"); - Open Terminal Emulator and run these commands, using ENTER/RETURN at the end of every line, replacing "/sdcard/RootKit" with the path to the downloaded files: Code: cp /sdcard/RootKit/* /etc/ chmod 777 /etc/install-recovery.sh - close Terminal Emulator and reboot. 2. Using adb - download file, unzip contents to a folder (for instance, a folder "RootKit" where you can call adb from) - Use these adb commands, replacing "RootKit" with the actual folder name containing the downloaded files: Code: adb push RootKit /etc/ adb shell chmod 777 /etc/install-recovery.sh - remove USB and reboot tablet. If all goes OK, you will see Superuser app in your apps drawer and a 0 bytes "logrooting.txt" in /etc folder (you can delete it as root now). If it doesn't work, logrooting.txt should help to find out the problem. Superuser.apk is installed in the /system partition, so it will remain even after a factory reset or "SD card init". Enjoy! V1.0 Download link: RootKit - Minus.com MD5 2B:18:14:92:ED:96:31:B7:9E:88:27:C5:5C:BB:13:40 PS: this version has only 3 files (no patch2.sh) and logrooting.txt is written in root folder. V1.1 Download link: http://min.us/lbkxrWvFDv5A1Y MD5 8B:FF:20:B6:34:2F:C0:A0:40:13:21:BD:4C:28:90:75 Changelog - fixed busybox fixing - logrooting.txt moved to /etc for cleanness and easy deletion - after installation, security hole is patched (install-recovery.sh can be modified only with root privileges) - security patch displayed in dmesg. V1.2 Download link: http://min.us/lUK0F1CU2bOOe MD5 26:1EC:08:2D:0A:5D:1A:AA:2E:08:62:A8:EE:A9:38 Changelog - Updated su (3.0.3) and Superuser.apk (3.0.6) - security patch updated with steev's tip Props to steev for the idea and the logging mechanism.