When I got my N9 I of course wanted root but by this time there wasnt really any other devs to work with this time around. They all moved on to to other "unlockable" devices or dissappeared entirely.
This didn't stop me though as at this point finding ways to break Sammy was now my favorite past time!
Of course previous exploits were now patched and couldnt mix/match firmware. Combo was still possible so I spent most of my time on factory firmware searching for exploits.
During my research I noticed there was a init script in /vendor/etc/init/hw that was executed on boot that had reference to another script at /persist/coresight/qdss.agent.sh. Of course we couldnt at this stage mount or touch the script on vendor partition so I started trying to access the qdss script which was executed by init on start up while on combo.
Eventually, surprising enough, I found you could pull persist.img from combo firmware/tar and mount it and edit the qdss script and then flash it in ODIN. Samsung for some reason at this stage didnt check persist for integrity while flashing in ODIN.
So edit persist where I would push my root files then my su install script would be in qdss script then flash in odin and upon reboot device was rooted!
Only problem with this was that we couldnt mount odm, vendor or system since it would insta crash due to security in place. So root had to be installed in daemon mode to /sbin on each boot by the qdss/init script.
Before moving further, at some ppint sammy fixed the bug so could no longer flash modified persist in ODIN. Bummer.
I began to dig further and eventually Persist Root v2.0 was born. Again looking into the init scripts I found one that seemed to set full r/w permissions to a script (i forget exactly where it was) I believe was at /data/lab/run_lab_app.sh which we could modify and then ultimately execute by setting a prop that was something like "setprop sec_lab_abc_start 1".
The lab script however was executed with system privs, not root. However, persist partition was also set for system user. So basically at this point could first modify the lab script to change permissions on persist then execute it by setting the prop value. Then we could again access persist to push our root files and modify qdss to install the root in daemon mode on each reboot!
Now we are back to where we were before. Root in daemon mode installed to /sbin on each reboot.
I then upgraded to S10 and sold my N9 but eventually after a while came across another N9 and figured I'd give it another go.
We needed to find a way to be able to mount system and other partitions without write protection kicking in and killing the device.
It took a while to figure it out but ultimately again using an old patched exploit that shouldnt have worked we made it happen!
Basically found that renaming boot to recovery and recovery to boot (i call it boot_swap lol) then rebooting while holding the recovery buttons that the device will think its booting into recovery (but its not) and therefore loads the OS with write protection disabled! Now we could mount system and install proper root and thus SamPWND v2.0 was born!