[HOW-TO] [GSM & CDMA] Root without Unlocking Bootloader via exploit (for 4.0.1/4.0.2)

OP efrant

5th March 2012, 05:00 PM   |  #1  
Edit: This does not work on anything newer than ICL53F (i.e., 4.0.2). It works fine on ITL41D (4.0.1), ITL41F (4.0.1) and ICL53F (4.0.2).

Once you have got root, you can now use segv11's BootUnlocker app to unlock your bootloader without wiping anything. Easy as pie!

Disclaimer: I take no credit for this exploit or the implementation of it (but I will take credit for the step-by-step). Thanks to kendong2 for pointing it out to me here.

So, it looks like zx2c4 has found a local privilege escalation exploit. See source here, and saurik has managed to package it together for Android. See here. Although this may be old news to some, I hadn't seen it before.

So what does this all mean:
  • If you are running a 2.6.39 kernel (or above), which all Galaxy Nexus' are, you can now root your device without having to unlock your bootloader (and without losing your data).
  • Moreover, you should now be able to root your device even if your hardware buttons are not working.
  • Additionally, this allows those who have not received an OTA update and want to apply it without having an unlocked bootloader or root to do so by copying the OTA update to /cache from /sdcard.

Notes:
1) This assumes that you have USB Debugging enable on your device (Settings > Developer Options > Enable USB Debugging) and the drivers for your device installed on your computer. For the drivers, I would recommend you remove all old drivers and install these. If you don't know how to install them, or are having issues, look here.
2) This needs to be done over ADB, as a terminal emulator on-device does not have the appropriate access. If you do not have ADB, I've attached it in the zip. Unzip all files.
3) Some users indicate that, once they finished the procedure, they needed to open the Superuser app.

Step-by-step:
1) Download the attached files to your computer and unzip them in the same directory as your adb.exe file;
2) Open a command prompt in the same directory;
3) Copy the files to your device:

adb push mempodroid /data/local/tmp/mempodroid
adb push su /data/local/tmp/su
adb push Superuser.apk /data/local/tmp/Superuser.apk


4) Open a shell: adb shell
5) Change permission on mempodroid to allow it to run: chmod 777 /data/local/tmp/mempodroid
6) Run the exploit: ./data/local/tmp/mempodroid 0xd7f4 0xad4b sh

Note: Once you do step 6, your prompt should change from $ to #. If not, it did not work.

7) Mount the system partition as rw: mount -o remount,rw -t ext4 /dev/block/mmcblk0p1 /system
8) Copy su to /system: cat /data/local/tmp/su > /system/bin/su
9) Change permissions on su: chmod 06755 /system/bin/su
10) Copy Superuser.apk: cat /data/local/tmp/Superuser.apk > /system/app/Superuser.apk
11) Change permissions on Superuser.apk: chmod 0644 /system/app/Superuser.apk
12) Mount the system partition as r/o: mount -o remount,ro -t ext4 /dev/block/mmcblk0p1 /system
13) Rescind root: exit
14) Exit the ADB shell: exit
15) Done. You now should have root without having to unlock your bootloader.
Attached Files: Root-locked-GN.zip (479.8 KB), platform-tools-v19.zip (661.9 KB)
Last edited by efrant; 15th July 2012 at 12:50 AM.
5th March 2012, 05:00 PM   |  #2  
efrant
Reserved
Last edited by KennyG123; 19th September 2012 at 05:11 PM.
5th March 2012, 05:00 PM   |  #3  
efrant
Reserved
Last edited by KennyG123; 19th September 2012 at 05:12 PM.
5th March 2012, 07:32 PM   |  #4  
times_infinity
This is the same as https://github.com/saurik/mempodroid

saurik ftw.
5th March 2012, 07:36 PM   |  #5  
efrant
Quote:
Originally Posted by times_infinity

This is the same as https://github.com/saurik/mempodroid

saurik ftw.

Not sure what you are getting at? I mentioned saurik in the first post, and the link you posted is in the first post. And I mentioned that this may be old news, but I haven't seen it anywhere before today in the GN forums.
5th March 2012, 08:03 PM   |  #6  
Sleuth255
Yikes! This exploit works on any kernel from 2.6.39 and >. This could become a common root method for many devices. Linus Torvalds himself posted the fix commit! Nice work by zx2c4!
5th March 2012, 09:56 PM   |  #7  
renaud
Quote:
Originally Posted by Sleuth255

Yikes! This exploit works on any kernel from 2.6.39 and >. This could become a common root method for many devices. Linus Torvalds himself posted the fix commit! Nice work by zx2c4!

You need ics to have a vulnerable kernel version, so given the number of devices which currently have ics officially, I doubt it will be common. I'd also expect Google and vendors to correct this in next release.

Also many custom kernels don't have this flaw as they are at or over 3.0.18 or have patched it. This prevents gaining unnoticed root.

Sent from my Galaxy Nexus
6th March 2012, 12:54 AM   |  #8  
Sleuth255
Hmmm I thought 2.6.39 was found in GB builds. This exploit is almost a root fix for the Moto DX 4.5.621 fiasco. Unfortunately the kernel for that build is 2.6.32.9.

Sent from my Galaxy Nexus using xda premium
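An added triage check (the editor's example, not code from any post in this thread) for the kernel-version window posts #6 through #8 argue over: it parses a uname -r style string and reports whether it falls inside the range the thread calls affected, taking 2.6.39 as the first affected version and 3.0.18 as the first fixed release, as renaud states. A version string alone cannot reveal a backported fix, so a positive result means "check the kernel's changelog", not "confirmed exposed".

```shell
#!/bin/sh
# Editor's triage helper, not from any post in this thread.
# Classifies a kernel version string against the window the thread describes:
# 2.6.39 and later affected, 3.0.18 and later carrying the fix (posts #6, #7).
# Vendor kernels backport fixes without bumping the version, so "inside" only
# means "verify against the changelog".

# Returns 0 when "$1" (e.g. 3.0.8-gb5e5e0a) is inside [2.6.39, 3.0.18),
# 1 when outside, 2 when the string has no leading dotted number to parse.
kernel_in_affected_range() {
    # Keep only the leading dotted number: 3.0.8-gb5e5e0a -> 3.0.8
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    [ -n "$ver" ] || return 2

    # Split on dots; missing minor/patch fields count as 0 (3.0 -> 3.0.0)
    oldifs=$IFS
    IFS=.
    set -- $ver
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}

    # Encode as one integer so 2.6.39 < 3.0.8 < 3.0.18 compares correctly
    n=$((maj * 1000000 + min * 1000 + pat))
    lo=$((2 * 1000000 + 6 * 1000 + 39))   # 2.6.39: first affected version named in the thread
    hi=$((3 * 1000000 + 0 * 1000 + 18))   # 3.0.18: first fixed release named in post #7
    [ "$n" -ge "$lo" ] && [ "$n" -lt "$hi" ]
}

# One-line verdict for a version string
describe_kernel() {
    if kernel_in_affected_range "$1"; then
        echo "$1: inside affected window, verify the fix was backported"
    else
        echo "$1: outside affected window"
    fi
}

# Check the running kernel, or a version string passed on the command line
describe_kernel "${1:-$(uname -r)}"
```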
6th March 2012, 01:21 AM   |  #9  
This was huge in the headlines a few weeks back. It's nice to see someone putting it to a good use!

Sent from my Galaxy Nexus using xda premium
6th March 2012, 01:48 AM   |  #10  
Hi, been lurking a while, registered to clear up some things.

I did some research while attempting to access the /data/local/ folder with terminal emulator and I found that it would be impossible to write to or to find it while being unrooted. Rooting a phone through unrooted access seems impossible.

Did I miss something or is there any other way to copy mempodroid to the data- folder? I sure would like to keep all my files.
