[Tutorial] Root Without Unlocking (Alternative way for all ROMs Vodafone,Korean,US)

dolomiti7

Member
Jun 25, 2010
40
2
Mod Edit: Unstickied, placed link in wiki: http://xdaforums.com/wiki/index.php?title=Nexus_One Thanks

This is an alternative approach of rooting the Nexus without touching the bootloader.
-no downgrade necessary
-no battery modification necessary
-no messing around with SD card slot
-you don't even have to open your phone...
Working and confirmed for ALL ROMs, including European Vodafone EPF30/FRF91, Korean FRF91, AT&T/T-Mo Stock including FRF91


-------
Credits:
-------
- The Android Exploid Crew:
http://c-skills.blogspot.com/2010/07/android-trickery.html
- Amon_RA
- cyanogen

-------
Notes:
-------

- The exploit wasn't found by me (see credits), I just implemented it as a proof of concept for the Nexus One

- Basically this method should work on all currently known ROM versions.
- I tested it on EPF30, Korean FRF91, Vodafone FRF91, US Stock FRF91.
- As usual when doing this kind of stuff: DO THIS AT YOUR OWN RISK.
- It could even work on other Android devices as long as their system partition is at
/dev/block/mtdblock3/ with yaffs2 file system and there is still some space left on the system partition (without any changes).


-------
Prerequisites:
-------
- Locked Nexus One
- Latest Android SDK incl. USB drivers
- Working ADB
- The file "freenexus.zip"
edit:
get it here:
http://multiupload.com/MVT98F5HBY
or
http://dl.dropbox.com/u/1327667/freenexus.zip
MD5: 947C20222056D7C070733E7FCF85CF15

-------
Step-by-step guide:
-------
1. install android sdk & USB drivers
2. extract the content of the zip file into the tools directory of SDK (i.e. \android-sdk-windows\tools)
-> For all Newbies: Take care that you extract the files directly to the tools folder and don't create a new subdirectory freenexus within tools!!! If you did, delete the folder and extract again!!! Check twice that there is no FOLDER freenexus in your tools directory before you continue!!!
3. open a command prompt (Windows: Start, Run, "cmd", OK; Linux: Terminal)
4. change to SDK tools directory (i.e. cd \android-sdk-windows\tools)
5. connect Nexus to USB and check if debugging mode is activated
(Settings/Application/Development/USB Debugging)
6. run "adb devices" in shell and see if there is a device listed. if not back to step 5 or reinstall USB-drivers

7a. for Windows: run "freenexus.bat" in command shell (this copies the necessary files to /data/local/tmp)
7b. for Linux or manual installation: run the following commands
Code:
adb push freenexus /data/local/tmp/freenexus
adb push Superuser.apk /data/local/tmp/Superuser.apk
adb push su /data/local/tmp/su
adb push busybox /data/local/tmp/busybox
adb shell chmod 755 /data/local/tmp/freenexus
adb shell chmod 755 /data/local/tmp/busybox

8. run the following commands:
Code:
adb shell
# you should see a "$" prompt now
cd /data/local/tmp

9. on your phone go to a screen where you can easily toggle wifi (widget or settings/wireless)
10. be prepared to toggle wifi immediately after you execute the next step
11. run
Code:
./freenexus
12. toggle wifi on
13. you should see something like that:

[*] Android local root exploid (C) The Android Exploid Crew

[*] Modified by ak for HTC Nexus One
[+] Using basedir=/sqlite_stmt_journals, path=/data/local/tmp/freenexus
[+] opening NETLINK_KOBJECT_UEVENT socket
[+] sending add message ...

[*] Try to invoke hotplug now, clicking at the wireless

[*] settings, plugin USB key etc.

[*] You succeeded if you find /system/bin/rootshell.

[*] GUI might hang/restart meanwhile so be patient.

13b) if you get "permission denied" error, you have most likely not followed the big red newbie hint after point 2. check this by entering "ls -l", if you see a "drwxr-xr-x" and not "-rwxr-xr-x" in front of the line where freenexus is listed you did not follow properly. Search the posts in the thread on how to correct this.

14. run
Code:
 rootshell
15. if you succeeded you will be asked for a password, if not try again from step 10
16. enter the password "freenexus"
17. now you should see a "#" as a prompt -> you are root now
18. run the following commands:
Code:
./busybox cp busybox /system/bin
chmod 4755 /system/bin/busybox
busybox cp Superuser.apk /system/app
busybox cp su /system/bin
chmod 4755 /system/bin/su
rm /system/bin/rootshell
exit
exit
19. Check if you keep root rights:
Code:
adb shell
su
20. after you executed the su command the Superuser app on your device should ask you for allowance
21. you should see the "#" prompt again, if you didn't get that try su again
22. done

-------
Comments:
-------
- General
If you are not planning to wipe your data partition (what you probably will do when installing CM6 first time) you should think about deleting all the temp files still lying in /data/local/tmp (for safety reasons and to have more space on /data):
Code:
adb shell
cd /data/local/tmp
rm busybox
rm su
rm Superuser.apk
rm freenexus
rm flash_image   # will only exist if you executed the steps below in recovery section

- Installation of Custom Recovery
If you only want root rights you are done here. If you want to install custom ROMs you have to install
a custom recovery first. Easiest way would be to download "ROM Manager" from the market. There are plenty of tutorials on how to install custom recovery/ROM at xda.

Edit: It is safer to install the recovery manually. In this case or for those of you running into problems with installing custom recovery with ROM Manager (doesn't stick) you can continue with
these steps (without remount of system partition, now tested successfully):

1) Download recovery-RA-nexus-v1.7.0.1.img to the root directory of your SD-Card
- Note: UnMount your SD-Card after copying these files, but keep your phone plugged in
- or don't mount SD-Card at all and push the file via adb to /sdcard
2) Save file "flash_image" to sdk tools directory:
3) In your terminal run
Code:
adb push flash_image /data/local/tmp/flash_image
adb shell
su
- At this point, it will hang until you choose "Allow" on your phone with the SuperUser app pop-up
- $ should now be replaced with #
5) run the following commands:
Code:
mount -o rw,remount /dev/block/mtdblock3 /system
cd /data/local/tmp
chmod 755 flash_image
./flash_image recovery /sdcard/recovery-RA-nexus-v1.7.0.1.img
rm /system/etc/install-recovery.sh
rm /system/recovery-from-boot.p
# and if everything worked fine:
rm flash_image

Alternatively you can continue with step 9 and then steps 16-24 from the old rooting method tutorial
to manually install Amon_RA's recovery. You will also need the file flash_image for that (link taken from HBOOT thread).

- HBOOT
If you rooted from a Korean Rom or have installed the latest Vodafone Rom via PASSIMG you probably have
HBOOT 0.35 which makes it currently difficult to install Cyanogenmod (there is an assertion failure in the install script, at least with CM6 RC1/2. Maybe future versions of CM6 will include HBOOT 0.35 in the script) or other custom ROMs. (You are still on 0.33 if you just installed the Vodafone OTA Update)
There is a tutorial to revert HBOOT here:
http://xdaforums.com/showthread.php?t=726258
Instead of using the EPF30 image you can also use any other PASSIMG file (at least if it has HBOOT 0.33,
otherwise this step wouldn't make sense...)
Note that when flashing a PASSIMG with a different HBOOT version there is a reboot after the HBOOT has been flashed, then after reboot the PASSIMG will be loaded again and the rest of the image will be flashed.
To check HBOOT and Radio version: press and hold trackball while turning on the phone. To exit select Reboot with Vol+/- and press Power button.

Caution:
After you have reverted your HBOOT, you have lost your root rights and you are back on stock recovery.
But you can (or have to) repeat the above procedure to get root rights back.

Edit:
The downgrading also downgrades your radio!!! Before installing CM6 you have to flash a Froyo Radio!
Latest one can be found here:
http://xdaforums.com/showthread.php?t=723839


-------
Troubleshooting:
-------

After trying to flash a custom ROM with ROM Manager one user wasn't able to boot the phone normally and also no longer able to boot to recovery. In this rare case try to download a compatible PASSIMG file:
For example EPF30 (Europe Vodafone 2.1)
http://shipped-roms.com/shipped/Pas...ogle_WWE_1.14.1700.1_EPF30_release_signed.zip
or FRF91 (Europe Vodafone 2.2):
http://shipped-roms.com/shipped/Pas...on_VF_2.15.151.5_R_FRF91_MFG_Shipment_ROM.zip (<-this one is currently a zip in zip. You have to extract it once to get the working PASSIMG.zip)
(Appropriate US-PASSIMGs can also be found on shipped-roms.com, most likely EPE76)
Rename the file to PASSIMG.zip (case sensitive, Windows users take care that the file isn't called PASSIMG.zip.zip hidden extension)
Copy it to main folder of SD card.
Boot phone into Bootloader mode (press and hold trackball when turning on the phone, until fastboot mode starts)
Select Bootloader mode by pressing power button.
The bootloader should then start to analyse the PASSIMG.zip and ask you afterwards to install it.
Your phone (not your SD) will be completely wiped after the procedure but should work again (and can be rooted again...)
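
The procedure above leaves recognisable traces: setuid-root copies of su and busybox in /system/bin (step 18), possibly a forgotten /system/bin/rootshell, and the pushed files in /data/local/tmp. The script below is an added example, not part of the original post or of freenexus.zip, and flags those traces from `ls -l` output. The function names and sample listings are constructed, and the parser assumes the file name is the last field of each line.

```shell
#!/bin/sh
# Added example, not from the original post. Flags what the procedure above
# leaves on a device, given `ls -l` output for a directory.

# Files the tutorial pushes to /data/local/tmp (step 7b, recovery step 3).
LEFTOVERS="freenexus su busybox Superuser.apk flash_image"

# audit_listing DIR: read `ls -l` lines for DIR on stdin, print one finding each.
# Assumption: the file name is the last whitespace-separated field.
audit_listing() {
    dir=$1
    while read -r mode owner _group rest; do
        if [ -z "$rest" ]; then continue; fi      # blank or truncated line
        name=${rest##* }
        path="$dir/$name"
        case "$mode" in
            d*) continue ;;                       # directory (the step 13b mix-up)
            ???[sS]*)                             # chmod 4755 lists as -rwsr-xr-x
                if [ "$owner" = root ]; then echo "SETUID-ROOT $path"; fi ;;
        esac
        # Step 18 is supposed to remove the temporary password-protected shell.
        if [ "$name" = rootshell ]; then echo "ROOTSHELL $path"; fi
        if [ "$dir" = /data/local/tmp ]; then
            for f in $LEFTOVERS; do
                if [ "$name" = "$f" ]; then echo "LEFTOVER $path"; fi
            done
        fi
    done
    return 0
}

# audit_device: run the same checks against a connected device (needs adb).
audit_device() {
    for d in /system/bin /data/local/tmp; do
        adb shell ls -l "$d" | tr -d '\r' | audit_listing "$d"
    done
}

# Constructed listings: step 18 run without its rm, cleanup only partly done.
sample_system_bin() {
    cat <<'EOF'
-rwxr-xr-x root     shell       5392 2010-06-30 09:12 ls
-rwsr-xr-x root     root      672872 2010-07-25 21:40 busybox
-rwsr-xr-x root     root       26264 2010-07-25 21:41 su
-rwsr-xr-x root     root       26180 2010-07-25 21:38 rootshell
EOF
}

sample_tmp() {
    cat <<'EOF'
-rwxr-xr-x shell    shell      26180 2010-07-25 21:30 freenexus
-rw-rw-rw- shell    shell     672872 2010-07-25 21:30 busybox
drwxr-xr-x shell    shell            2010-07-25 21:30 nexus
EOF
}

sample_system_bin | audit_listing /system/bin
sample_tmp | audit_listing /data/local/tmp
```

With a device attached, call audit_device instead of the two sample pipelines.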
 

pseudoheld

Senior Member
May 8, 2009
1,919
613
sweet!! been waiting for this! will try it tomorrow as soon as i wake up! will report back then!

edit: i can't download freenexus.zip maybe use another hoster?
 

dolomiti7

Member
Jun 25, 2010
40
2
if you click on that there should be a subfolder "nexus" that should be clickable too. at least it works here... anyway. someone wants to upload the file to a hoster? rapidshare... contact me

for the early adopters (will only work 10 times):

rapidshare.com/files/409266634/freenexus.zip
MD5: 947C20222056D7C070733E7FCF85CF15
 

fc_themaster

Senior Member
Jun 6, 2010
133
16
Hi, I have a Italian Vodafone Nexus One with FRF91, i have followed all the steps and now in my apps there is Superuser Permission with green light. It means that i have root rights? Can I install Cyanogen Mod now? Thanks, excuse my English.
 

dolomiti7

Member
Jun 25, 2010
40
2
@fc_themaster:
if the superuser app popped up at step 19/20 then you have root rights. you can try to install ROM Manager from the market and install a custom recovery with that program. it also needs root rights so superuser should pop up again at that point.
 

dolomiti7

Member
Jun 25, 2010
40
2
@PSeeCO: you don't need to change a password. the password was only used for the temporary rootshell which you (hopefully) deleted with the command "rm /system/bin/rootshell" in step 18. From that point on root rights are controlled via the Superuser app. If you install an already rooted custom ROM it is obsolete anyway.
 

PSeeCO

Senior Member
Jul 19, 2010
154
7
Leghorn
@PSeeCO: you don't need to change a password. the password was only used for the temporary rootshell which you (hopefully) deleted with the command "rm /system/bin/rootshell" in step 18. From that point on root rights are controlled via the Superuser app. If you install an already rooted custom ROM it is obsolete anyway.

Perfect, thank you so much!
 
