Unlock bootloader on GT-I9250 without wipe and without root
Hi! After latest OTA update I was left with an unbootable Galaxy Nexus (zygote couldn't start) and I lost root (su needed activitymanager up). So I needed to unlock to revive the phone, but I really didn't want to lose my data. After some exploration I could come up with a way to unlock bootloader without wipe and without root. I have seen several questions about this here and this was deemed impossible, so I decided to share my findings and expect they might help someone. Should work with GSM tuna phones.
Components for success:
— unlocking without wipe via putting a byte in param partition (needs root):
— OMAPFlash, a low-level utility for manipulating and flashing chipset (usually used to unbrick phones)
Take the two of them and you have a solution. I could successfully flash unlock byte to param partition using OMAPFlash.
A sketch of a guide:
1. Boot Windows XP, download OMAPFlash (http://d-h.st/XNv), connect a turned off phone without battery, install drivers for omap device. (Mod edit: I've updated the download link.)
2. Dump a part of param partition. You don't need to dump the whole partition, but I think it is safer if you dump a sector-aligned area (512*n). I used 4KB (8 sectors).
OMAPFlash -omap 4 -2 -p OMAP4460_TUNA_8G_HS_PRO -t 36000 chip_upload EMMC@1800000 1000 param.img
chip_upload is for downloading data from device memory
EMMC@1800000 is the start of params partition (check /sys/block/mmcblk0/mmcblk0p4/start, multiply by sector size 512 and convert to hex)
1000 is to copy 4KB.
Sometimes the process stalls (esp if you try to download larger dumps), just reconnect and retry.
3. Verify that the content is similar to the first 4 KB of the dumps of param partitions attached in the thread. For me they matched entirely.
4. Change the byte at offset 124 (0x7C) from 01 to 00.
echo -ne "\x00" | dd obs=1 count=1 seek=124 of=param.img conv=notrunc
5. Flash it back to the device.
OMAPFlash -omap 4 -2 -p OMAP4460_TUNA_8G_HS_PRO -t 36000 chip_download EMMC@1800000 param.img
Reboot, you are unlocked.
GT-I9250 JTAG pinout. Not directly relevant to the guide, but I found it while searching for a solution and thought it could help someone in future.
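Steps 2 to 4 of the guide above (offset calculation and the one-byte edit), with checks before and after the write. This is an added example, not part of the original post: the function names are hypothetical, the sample image is constructed, and the start sector 49152 is simply the post's EMMC@1800000 divided by 512.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Partition start sector (value of /sys/block/mmcblk0/mmcblk0p4/start)
# -> hex byte offset for the EMMC@<offset> argument.
sector_to_hex() {
    printf '%x\n' $(( $1 * 512 ))
}

# Print the byte at a decimal offset as two hex digits.
byte_at() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Change offset 124 (0x7C) from 01 to 00, refusing anything unexpected.
patch_param() {
    img=$1
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 1; }
    size=$(wc -c < "$img" | tr -d ' ')
    # The dump should be a whole number of 512-byte sectors.
    [ $(( size % 512 )) -eq 0 ] && [ "$size" -gt 124 ] ||
        { echo "size $size is not sector-aligned" >&2; return 1; }
    # Only patch a dump that holds the expected 01 at 0x7C.
    [ "$(byte_at "$img" 124)" = "01" ] ||
        { echo "byte at 0x7C is not 01, refusing" >&2; return 1; }
    cp "$img" "$img.orig" || return 1          # keep the untouched dump
    printf '\000' | dd of="$img" bs=1 seek=124 count=1 conv=notrunc 2>/dev/null ||
        return 1
    # cmp -l prints one line per differing byte: exactly one must differ.
    ndiff=$(cmp -l "$img.orig" "$img" | wc -l | tr -d ' ')
    [ "$ndiff" -eq 1 ] && [ "$(byte_at "$img" 124)" = "00" ]
}

# Constructed sample: 8 zeroed sectors (4 KB) with 01 at offset 124.
demo=$(mktemp -d)
dd if=/dev/zero of="$demo/param.img" bs=512 count=8 2>/dev/null
printf '\001' | dd of="$demo/param.img" bs=1 seek=124 count=1 conv=notrunc 2>/dev/null
patch_param "$demo/param.img" && echo "patched, write back at EMMC@$(sector_to_hex 49152)"
rm -rf "$demo"
```

The `.orig` copy left beside the image is the unmodified dump, so it can be written back with the same chip_download command if the result is not what was expected.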