This is an alternative approach of rooting the Nexus without touching the bootloader.
-no downgrade neccessary
-no battery modification neccessary
-no messing around with SD card slot
-you don't even have to open your phone...
Working and confirmed for ALL ROMs, including European Vodafone EPF30/FRF91, Korean FRF91, AT&T/T-Mo Stock including FRF91
- The Android Exploid Crew:
- The exploit wasn't found by me (see credits), I just implemented it as a proof of concept for the Nexus One
- Basically this method should work on all currently known ROM versions.
- I tested it on EPF30, Korean FRF91, Vodafone FRF91, US Stock FRF91.
- As usual when doing this kind of stuff: DO THIS AT YOUR OWN RISK.
- It could even work on other Android devices as long as their system partition is at
/dev/block/mtdblock3/ with yaffs2 file system and there is still some space left on the system partition (without any changes).
- Locked Nexus One
- Latest Android SDK incl. USB drivers
- Working ADB
- The file "freenexus.zip"
get it here:
1. install android sdk & USB drivers
2. extract the content of the zip file into the tools directory of SDK (i.e. \android-sdk-windows\tools)
-> For all Newbies: Take care that you extract the files directly to the tools folder and don't create a new subdirectory freenexus within tools!!! If you did, delete the folder and extract again!!! Check twice that there is no FOLDER freenexus in your tools directory before you continue!!!
3. open a command prompt (Windows: Start, Run, "cmd", OK; Linux: Terminal)
4. change to SDK tools directory (i.e. cd \android-sdk-windows\tools)
5. connect Nexus to USB and check if debugging mode is activated
6. run "adb devices" in shell and see if there is a device listed. if not back to step 5 or reinstall USB-drivers
7a. for Windows: run "freenexus.bat" in command shell (this copies the neccessary files to /data/local/tmp)
7b. for Linux or manual installation: run the following commands
adb push freenexus /data/local/tmp/freenexus adb push Superuser.apk /data/local/tmp/Superuser.apk adb push su /data/local/tmp/su adb push busybox /data/local/tmp/busybox adb shell chmod 755 /data/local/tmp/freenexus adb shell chmod 755 /data/local/tmp/busybox
adb shell (you should see a "$" prompt now) cd /data/local/tmp
10. be prepared to toggle wifi immediately after you execute the next step
13. you should see something like that:
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by ak for HTC Nexus One
[+] Using basedir=/sqlite_stmt_journals, path=/data/local/tmp/freenexus
[+] opening NETLINK_KOBJECT_UEVENT socket
[+] sending add message ...
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
13b) if you get "permission denied" error, you have most likely not followed the big red newbie hint after point 2. check this by entering "ls -l", if you see a "drwxr-xr-x" and not "-rwxr-xr-x" in front of the line where freenexus is listed you did not follow properly. Search the posts in the thread on how to correct this.
16. enter the password "freenexus"
17. now you should see a "#" as a prompt -> you are root now
18. run the following commands:
./busybox cp busybox /system/bin chmod 4755 /system/bin/busybox busybox cp Superuser.apk /system/app busybox cp su /system/bin chmod 4755 /system/bin/su rm /system/bin/rootshell exit exit
adb shell su
21. you should see the "#" prompt again, if you didn't get that try su again
If you are not planning to wipe your data partition (what you probably will do when installing CM6 first time) you should think about deleting all the temp files still lying in /data/local/tmp (for safety reasons and to have more space on /data):
adb shell cd /data/local/tmp rm busybox rm su rm Superuser.apk rm freenexus rm flash_image (will only exist if you executed the steps below in recovery section)
If you only want root rights you are done here. If you want to install custom ROMs you have to install
a custom recovery first. Easiest way would be to download "ROM Manager" from the market. There are plenty of tutorials on how to install custom recovery/ROM at xda.
Edit: It is safer to install the recovery manually. In this case or for those of you running into problems with installing custom recovery with ROM Manager (doesn't stick) you can continue with
these steps (without remount of system partition, now tested successfully):
1) Download recovery-RA-nexus-v18.104.22.168.img to the root directory of your SD-Card
- Note: UnMount your SD-Card after copying these files, but keep your phone plugged in
- or don't mount SD-Card at all and push the file via adb to /sdcard
2) Save file "flash_image" to sdk tools directory:
3) In your terminal run
adb push flash_image /data/local/tmp/flash_image adb shell su
- $ should now be replaced with #
5) run the following commands:
mount -o rw,remount /dev/block/mtdblock3 /system cd /data/local/tmp chmod 755 flash_image ./flash_image recovery /sdcard/recovery-RA-nexus-v22.214.171.124.img rm /system/etc/install-recovery.sh rm /system/recovery-from-boot.p (and if everything worked fine:) rm flash_image
to manually install Amon_RA's recovery. You will also need the file flash_image for that (link taken from HBOOT thread).
If you rooted from a Korean Rom or have installed the latest Vodafone Rom via PASSIMG you probably have
HBOOT 0.35 which makes it currently difficult to install Cyanogenmod (there is an assertion failure in the install script, at least with CM6 RC1/2. Maybe future versions of CM6 will include HBOOT 0.35 in the script) or other custom ROMs. (You are still on 0.33 if you just installed the Vodafone OTA Update)
There is a tutorial to revert HBOOT here:
Instead of using the EPF30 image you can also use any other PASSIMG file (at least if it has HBOOT 0.33,
otherwise this step wouldn't make sense...)
Note that when flashing a PASSIMG with a different HBOOT version there is a reboot after the HBOOT has been flashed, then after reboot the PASSIMG will be loaded again and the rest of the image will be flashed.
To check HBOOT and Radio version: press and hold trackball while turning on the phone. To exit select Reboot with Vol+/- and press Power button.
After you have reverted your HBOOT, you have lost your root rights and you are back on stock recovery.
But you can (or have to) repeat the above procedure to get root rights back.
The downgrading also downgrades your radio!!! Before installing CM6 you have to flash a Froyo Radio!
Latest one can be found here:
After trying to flash a custom ROM with ROM Manager one user wasn't able to boot the phone normally and also no longer able to boot to recovery. In this rare case try to download a compatible PASSIMG file:
For example EPF30 (Europe Vodafone 2.1)
or FRF91 (Europe Vodafone 2.2):
http://shipped-roms.com/shipped/Pass...ipment_ROM.zip (<-this one is currently a zip in zip. You have to extract it once to get the working PASSIMG.zip)
(Appropriate US-PASSIMGs can also be found on shipped-roms.com, most likely EPE76)
Rename the file to PASSIMG.zip (case sensitive, Windows users take care that the file isn't called PASSIMG.zip.zip hidden extension)
Copy it to main folder of SD card.
Boot phone into Bootloader mode (press and hold trackball when turning on the phone, until fastboot mode starts)
Select Bootloader mode by pressing power button.
The bootloader should then start to analyse the PASSIMG.zip and ask you afterwards to install it.
You're phone (not your SD) will be completely wiped after the procedure but should work again (and can be rooted again...)