
Unlock bootloader on GT-I9250 without wipe and without root

OP nichtverstehen

27th November 2012, 03:33 PM   |  #1  
Hi! After latest OTA update I was left with an unbootable Galaxy Nexus (zygote couldn't start) and I lost root (su needed activitymanager up). So I needed to unlock to revive the phone, but I really didn't want to lose my data. After some exploration I could come up with a way to unlock bootloader without wipe and without root. I have seen several questions about this here and this was deemed impossible, so I decided to share my findings and expect they might help someone. Should work with GSM tuna phones.

Components for success:
— unlocking without wipe via putting a byte in param partition (needs root):
[1] http://forum.xda-developers.com/show...650830&page=15
— OMAPFlash, a low-level utility for manipulating and flashing chipset (usually used to unbrick phones)
[2] http://forum.gsmhosting.com/vbb/f634...i9300-1465412/

Take the two of them and you have a solution. I could successfully flash unlock byte to param partition using OMAPFlash.

A sketch of a guide:
1. Boot windows xp, download OMAPFlash (http://d-h.st/XNv), connect a turned off phone without battery, install drivers for omap device. (Mod edit: I've updated the download link.)
2. Dump a part of param partition. You don't need to dump the whole partition, but I think it is safer if you dump a sector-aligned area (512*n). I used 4KB (8 sectors).
Code:
OMAPFlash -omap 4 -2 -p OMAP4460_TUNA_8G_HS_PRO -t 36000 chip_upload EMMC@1800000 1000 param.img
chip_upload is for downloading data from device memory
EMMC@1800000 is the start of params partition (check /sys/block/mmcblk0/mmcblk0p4/start, multiply by sector size 512 and convert to hex)
1000 is to copy 4KB.
Sometimes the process stalls (esp if you try to download larger dumps), just reconnect and retry.
3. Verify that the content is similar to first 4 KB of the dumps of param partitions attached in the thread [2]. For me they matched entirely.
4. Change the byte at offset 124 (0x7C) from 01 to 00.
Code:
echo -ne "\x00" | dd obs=1 count=1 seek=124 of=param.img conv=notrunc
5. Flash it back to the device.
Code:
OMAPFlash -omap 4 -2 -p OMAP4460_TUNA_8G_HS_PRO -t 36000 chip_download EMMC@1800000 param.img
Reboot, you are unlocked.

Additional links:
[3] http://forum.gsmhosting.com/vbb/f634...joooy-1463061/ GT-I9250 JTAG pinout. Not directly relevant to the guide, but I found it while searching for a solution and thought it might help someone in future.
Last edited by efrant; 4th September 2013 at 12:29 AM. Reason: only tuna
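The dump, patch and flash sequence from the guide above, as an added example that is not part of the original post: a POSIX shell script that turns the partition start sector into the hex offset OMAPFlash expects after EMMC@, refuses to patch a dump that is not sector-aligned or whose byte 0x7C is not 01, and confirms that exactly one byte changed before the file is handed back to chip_download. The OMAPFlash invocations themselves are not included. The function names (emmc_offset, patch_unlock_byte, make_locked_sample) and the 4 KB sample image are constructed for this example; the offset 0x7C and the 01 -> 00 change are the values given in the post.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check and patch a param dump
# before flashing it back with "OMAPFlash ... chip_download EMMC@<offset>".

# Convert a partition start sector (as read from
# /sys/block/mmcblk0/mmcblk0p4/start) into the hex byte offset used after
# "EMMC@". 49152 sectors * 512 bytes = 0x1800000, the value in the guide.
emmc_offset() {
    printf '%X' $(( $1 * 512 ))
}

# Write a copy of $1 to $2 with the unlock byte at offset 0x7C (124) changed
# from 01 to 00. Refuses to proceed if the dump is not a whole number of
# 512-byte sectors, if byte 0x7C is not 01 (assumed here to mean "locked",
# per the post), or if the patched copy differs from the original anywhere
# other than that single byte.
patch_unlock_byte() {
    img=$1
    out=$2
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -lt 512 ] || [ $(( size % 512 )) -ne 0 ]; then
        echo "refusing: $img is $size bytes, not a multiple of 512" >&2
        return 1
    fi
    cur=$(dd if="$img" bs=1 skip=124 count=1 2>/dev/null | od -An -tx1 | tr -d ' ')
    if [ "$cur" != "01" ]; then
        echo "refusing: byte 0x7C is '$cur', expected 01 (locked)" >&2
        return 1
    fi
    cp "$img" "$out"
    # Overwrite exactly one byte at offset 124 with 0x00, keeping file length.
    dd if=/dev/zero of="$out" bs=1 seek=124 count=1 conv=notrunc 2>/dev/null
    # cmp -l lists differing bytes with 1-based positions; demand one line, at 125.
    ndiff=$(cmp -l "$img" "$out" | wc -l | tr -d ' ')
    if [ "$ndiff" -ne 1 ]; then
        echo "refusing: $ndiff bytes differ between $img and $out" >&2
        return 1
    fi
    cmp -l "$img" "$out" | awk '$1 != 125 { exit 1 }'
}

# Build a constructed 4 KB (8-sector) image with 01 at 0x7C, standing in for
# the real chip_upload dump. Not a real param partition.
make_locked_sample() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf '\001' | dd of="$1" bs=1 seek=124 count=1 conv=notrunc 2>/dev/null
}

# Stand-alone demo; in real use $tmp/param.img is the chip_upload dump.
tmp=$(mktemp -d)
make_locked_sample "$tmp/param.img"
if patch_unlock_byte "$tmp/param.img" "$tmp/param_unlocked.img"; then
    echo "ok: flash $tmp/param_unlocked.img at EMMC@$(emmc_offset 49152)"
fi
rm -rf "$tmp"
```

Run the checks against the dump you pulled with chip_upload; only if the script reports ok should the patched copy go back with chip_download. Doing the compare before flashing matters because chip_download writes the whole file at the given eMMC offset, so a truncated or shifted image would silently corrupt the rest of the param partition.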
27th November 2012, 03:39 PM   |  #2  
nichtverstehen
Additional reading
The dangers of OTA when you have root, or why I was stuck with an unbootable phone at all
I learned the hard way that OTA may cause unpleasant results if you are trying to preserve root and mess with filesystem.

I was trying to preserve root in a way similar to the one used by rootkeeper apps: put a copy of su somewhere in /system and make it immutable. So I went and put my su in /tts (thought that it's improbable that OTA will do something there), and made it immutable.

And then the update came. As part of the update process it copied a new version of the /system/usr/share/zoneinfo/zoneinfo.version file and the file got 660 perms (package_extract_dir("system", "/system") in the update_script). Then it went on to recursively fix permissions so that the mentioned file would be made readable (set_perm_recursive(0, 0, 0755, 0644, "/system")). But set_perm_recursive was met by the immutable su in the tts directory, chmod returned an error and the recursive process stopped before it got to the zoneinfo.version file. So the latter file remained unreadable.

Unfortunately, during startup zygote runs preloadClasses, a static constructor in some sqlite class needs DateFormat, and DateFormat reads zoneinfo. And fails because it's unreadable. Exception, System.exit. Phone boot stuck.

To work my copy of su needs to send a message to ActivityManager service using binder. I wrote a dirty mock for AM but servicemanager didn't accept my fraud, it checked uid. I tried to bypass preloadClasses with overflowing system file descriptors count to prevent zygote from reading preload class list, but somehow it didn't succeed. Thus the only option I had was unlocking bootloader.

So it may end badly if you mess with /system on a stock ROM with a locked bootloader and want to receive OTA. It may seem natural, but sometimes the changes seem irrelevant, and then a chain of small failures leads you to loss of everything: boot, root, and data.
Last edited by nichtverstehen; 27th November 2012 at 04:14 PM.
28th November 2012, 04:54 AM   |  #3  
efrant
This is great work! Kudos to you for figuring it out.

By the way, where did you find the syntax for OMAPFlash commands?
28th November 2012, 05:48 AM   |  #4  
nichtverstehen
Quote:
Originally Posted by efrant

This is great work! Kudos to you for figuring it out.

By the way, where did you find the syntax for OMAPFlash commands?

There are some docs in OMAPFlash_tuna.zip package. The most interesting is OMAPFlash.txt that lists options and commands and has some examples.

Also I was lucky that there is a complete example for unbricking GT-I9250 in Targets/Projects/tuna. This is where I took the options specific for this device.
18th December 2012, 09:55 PM   |  #5  
beekay201
Quote:
Originally Posted by nichtverstehen

There are some docs in OMAPFlash_tuna.zip package. The most interesting is OMAPFlash.txt that lists options and commands and has some examples.

Also I was lucky that there is a complete example for unbricking GT-I9250 in Targets/Projects/tuna. This is where I took the options specific for this device.

Exactly. I haven't needed this yet, but I had looked in those board files, cross-examining with the OMAP 4460 manual that can be found on the web. Thanks for sharing.
I was not aware that JTAG method had been found. Great news.

Sent from my i9250
19th May 2013, 11:25 PM   |  #6  
codeslicer
Works!
Awesome - this worked for me! Unlocked, unrooted, TAKJU Galaxy Nexus w/JB 4.2.2. I used OMAPFlash_tuna.zip (download link).

I had issues when the downloaded param.img file was long, so I replaced 1000 with 200 in the commands. Regardless, it still took me probably 5-10 tries on each command to get it working (unplugging and replugging the phone in between), and sometimes it would freeze up and I'd have to restart Windows. If it takes longer than 5 seconds, you should press Ctrl+C and restart that step.

My problem was that one of my volume buttons is messed up, and as a result the fastboot screen doesn't work - Windows doesn't detect a fastboot device, and none of the hardware buttons or the touchscreen works either. As a result I needed to unlock the bootloader without using fastboot (oem unlock), and this did the trick!

Also, on Windows, I downloaded a hex editor (i.e., HxD) to do the editing. My modified param.img (only 512 bytes) is attached as well.

Attached Files: param.img (512 bytes)
Last edited by codeslicer; 19th May 2013 at 11:45 PM.
21st May 2013, 04:43 AM   |  #7  
hallysson
Thank you!!! It worked for me too!

The volume buttons on my Galaxy Nexus didn't work and I can't recharge the battery via USB. The USB works only as data connection. Despite all these issues on my phone, it worked for me too!!

I replaced the size in the commands from 1000 to 400 (1024 bytes = 2*512), and I had to put the battery on the phone.
Last edited by hallysson; 21st May 2013 at 04:52 AM.
5th June 2013, 10:13 AM   |  #8  
techobrien
Sweet Jesus, I cannot express enough gratitude for this post. While I was a little worried about bricking my device, it wound up working perfectly.

A couple of confusing points for anyone out there trying to do this:

- The dump / reflash should only take a few seconds each. If it hangs, cancel and re-start the process.

- Install the drivers with the device OFF but plugged in. You will have an OMAP device without a driver in your device manager. Update the device driver and you're good to go.

- I didn't know how to get the dd command to work on Windows, so I also went the hex editor route and it worked flawlessly.

- The only snag I ran into was that it did not boot into my flashed CWM after doing an "adb reboot recovery" from the stock rom. It went back to the stock android recovery. From there I did "fastboot boot cwmrecovery.img" and installed my rom and gapps. After that initial boot, it rebooted into recovery just fine! It seems like a weird glitch (maybe just a one-off).

Cheers
5th June 2013, 12:55 PM   |  #9  
beekay201
Quote:
Originally Posted by techobrien

- Install the drivers with the device OFF but plugged in. You will have an OMAP device without a driver in your device manager. Update the device driver and you're good to go.

This is a critical step right here. This thread either should be linked on the 101 FAQ if it's not already or stickied.

a maguro wrote this.
Last edited by beekay201; 5th June 2013 at 12:59 PM.
5th June 2013, 01:17 PM   |  #10  
cupfulloflol
Quote:
Originally Posted by techobrien

- The only snag I ran into was that it did not boot into my flashed CWM after doing an "adb reboot recovery" from the stock rom. It went back to the stock android recovery. From there I did "fastboot boot cwmrecovery.img" and installed my rom and gapps. After that initial boot, it rebooted into recovery just fine! It seems like a weird glitch (maybe just a one-off).

Cheers

Sounds like you are getting hit with the /system/recovery-from-boot.p file. When you boot into Android, this file checks to see if you have stock recovery...if not, it replaces it with stock recovery. You can rename, move, delete the file safely. It shouldn't exist in custom ROMs, which would explain why after installing a ROM and Gapps you were fine.

This is pretty cool. Nice find OP.
