[HOW-TO] [GSM & CDMA] How to root without unlocking bootloader (for ITL41D to JRO03O)

efrant

Retired Senior Moderator & Developers Relations

As of Oct 10, 2012: Google has patched this vulnerability starting with JRO03U. That is to say, this works on versions of ICS and JB from ITL41D to JRO03O inclusive. It will not work for JRO03U or newer. (My previous guide found here only worked on Android versions 4.0.1 and 4.0.2, i.e., ITL41D/F and ICL53F.)

Once you have root, you can use segv11's BootUnlocker app to unlock your bootloader without wiping anything. Easy as pie!

Disclaimer: I take no credit for this exploit or the implementation of it. All credit goes to Bin4ry and his team. I just isolated the parts required for the GNex, modified it slightly and eliminated the script.

So, it looks like Bin4ry (with the help of a couple of others) has managed to find a way to exploit a timing difference in the "adb restore" command. See source here. (Although this may be old news to some, I hadn't seen it before a few days ago.) This is more for informational purposes, as having a Nexus device, we are able to back up our data, unlock the bootloader and restore the backup, so this guide is not really that useful for most, but you still have those users who are scared to unlock their bootloader. It is useful, however, for those with a broken power button, as it allows them to unlock their bootloader without the power button.

How this works
The way this works is as follows: the "adb restore" command needs to be able to write to /data to restore a backup. Because of this, we can find a way to write something to /data while this is being done. Now, Android parses a file called /data/local.prop on boot. If the following line exists in local.prop, it will boot your device in emulator mode with root shell access: ro.kernel.qemu=1. So, if we can place a file called local.prop with the aforementioned line in /data, once your device boots, it will boot in emulator mode and the shell user has root access, so we now can mount the system partition as r/w.

So what does this all mean:
  • You can now root any version of ICS and JB released to-date without having to unlock your bootloader (and without losing your data).
  • Moreover, you should now be able to root your device even if your hardware buttons are not working.
  • Additionally, this allows those who have not received an OTA update and want to apply it without having an unlocked bootloader or root to do so by copying the OTA update to /cache from /sdcard.

Notes:
1) Please read the entire post before attempting this.
2) This does not wipe any of your data, but I take no responsibility if something happens and you lose your data. Maybe consider doing a backup as per this thread before attempting this.
3) This assumes that you have USB Debugging enabled on your device (Settings > Developer Options > Enable USB Debugging) and the drivers for your device installed on your computer. For the drivers, I would recommend you remove all old drivers and install these. If you don't know how to install them, or are having issues, look here.
4) This obviously needs to be done over ADB, as you cannot run adb in a terminal emulator on-device. If you do not have ADB, I've attached it in the zip (Windows and Linux versions). Unzip all files.

Step-by-step:
1) Download the attached files to your computer and unzip them;
2) Open a command prompt in that same directory;
3) Copy the root files to your device:

adb push su /data/local/tmp/su
adb push Superuser.apk /data/local/tmp/Superuser.apk


4) Restore the fake "backup": adb restore fakebackup.ab Note: do not click restore on your device. Just enter the command into the command prompt on your PC and press the enter key.
5) Run the "exploit": adb shell "while ! ln -s /data/local.prop /data/data/com.android.settings/a/file99; do :; done" Note: when you enter this command, you should see your adb window flooded with errors -- this is what is supposed to happen.
6) Now that the "exploit" is running, click restore on your device.
7) Once it finishes, reboot your device: adb reboot Note: Do not try and use your device when it reboots. Running this exploit will reboot your device into emulator mode, so it will be laggy and the screen will flicker -- this is normal.
8) Once it is rebooted, open a shell: adb shell

Note: Once you do step 8, you should have a root shell, i.e., your prompt should be #, not $. If not, it did not work. Start again from step 4. (It may take a few tries for it to work. Thanks segv11.)

Now we can copy su and Superuser.apk to the correct spots to give us root.

9) Mount the system partition as r/w: mount -o remount,rw -t ext4 /dev/block/mmcblk0p1 /system
10) Copy su to /system: cat /data/local/tmp/su > /system/bin/su
11) Change permissions on su: chmod 06755 /system/bin/su
12) Symlink su to /xbin/su: ln -s /system/bin/su /system/xbin/su
13) Copy Superuser.apk to /system: cat /data/local/tmp/Superuser.apk > /system/app/Superuser.apk
14) Change permissions on Superuser.apk: chmod 0644 /system/app/Superuser.apk
15) Delete the file that the exploit created: rm /data/local.prop
16) Exit the ADB shell: exit (May have to type exit twice to get back to your command prompt.)
17) Type the following (not sure if this is needed for the GNex, but it shouldn't matter): adb shell "sync; sync; sync;"
18) Reboot: adb reboot
19) Done. You now should have root without having to unlock your bootloader. If you want to unlock now, you can without wiping anything. See segv11's app linked at the beginning of this post.

Note: If you still do not have root access after doing these steps, redo them and add this step between 10 and 11:

10b) Change the owner of su: chown 0.0 /system/bin/su (Thanks maxrfon.)

Attachments

  • Root-without-unlock.zip (1.5 MB)

Lorenzo_9

Member
You can open the app, but with apps that require root there are no requests and they don't... Even using Root Checker you see that you're not rooted.

efrant

Retired Senior Moderator & Developers Relations
You can open the app, but with apps that require root there are no requests and they don't... Even using Root Checker you see that you're not rooted.
Re-run the entire procedure again (including pushing the su and Superuser.apk files). When I had done it, I used the latest version of su and Superuser.apk, but when I uploaded the files in the attachment in post #1, I used the files that Bin4ry had in his package, which I assume are older. Regardless, re-download the attachment in the first post and try it again.

Lorenzo_9

Member
Re-run the entire procedure again (including pushing the su and Superuser.apk files). When I had done it, I used the latest version of su and Superuser.apk, but when I uploaded the files in the attachment in post #1, I used the files that Bin4ry had in his package, which I assume are older. Regardless, re-download the attachment in the first post and try it again.

OK, I'll do it and then I'll report to you what happens. So now have you updated su and Superuser.apk?

serty4011

Member
I can confirm that this works, and also that step 10b was not needed for me. This is the first time I have not used a toolkit so if I can do it, anyone can.

Running a Verizon Galaxy Nexus, this allowed me to update to the leaked Jelly Bean OTA with a locked bootloader. I first flashed stock 4.0.4 and locked the bootloader. I then used the exploit to gain root access, allowing me to apply IMM76Q and JRO03O OTA updates via stock recovery. (Rebooting between updates.) Thank you for creating a guide that this newb could easily understand and follow.

efrant

Retired Senior Moderator & Developers Relations
I can confirm that this works, and also that step 10b was not needed for me. This is the first time I have not used a toolkit so if I can do it, anyone can.

Running a Verizon Galaxy Nexus, this allowed me to update to the leaked Jelly Bean OTA with a locked bootloader. I first flashed stock 4.0.4 and locked the bootloader. I then used the exploit to gain root access, allowing me to apply IMM76Q and JRO03O OTA updates via stock recovery. (Rebooting between updates.) Thank you for creating a guide that this newb could easily understand and follow.

Thanks for confirming that step was not needed.

efrant

Retired Senior Moderator & Developers Relations
Works fine for my GNex, big thanks! How about putting it into a script for non-advanced users here?
Glad you got it working!

As for putting it into a script, I could but I'd rather not. As with most of the guides that I have written up, I purposely do not put things into a script so that people would actually go through all the steps and, by doing so, maybe get an understanding of what they are actually doing, and hopefully learn something in the process. If I would have packaged it up into a script, a lot of the less experienced users would not even try to go through the steps -- they would just use the script, and no one learns anything yet again. See here for some discussion on one-click scripts. Granted, blindly following a step-by-step is not much better, but I have tried to put comments and explanations throughout to facilitate learning. It's about the journey...

P.S.: I would appreciate it if no one else posts a script in this thread.

wictor1992

Senior Member
Heh, fair enough. I think I'm learning a bit about adb :)

One question: I can't replace system APKs by installing them, it tells me that there is a signature conflict. How can I fix that? I thought it shouldn't happen after rooting. (I'm trying to install the "international" velvet.apk).

efrant

Retired Senior Moderator & Developers Relations
Heh, fair enough. I think I'm learning a bit about adb :)

One question: I can't replace system APKs by installing them, it tells me that there is a signature conflict. How can I fix that? I thought it shouldn't happen after rooting. (I'm trying to install the "international" velvet.apk).
Let's try to keep this thread on-topic please.

But to answer your question, don't install the apk. Using a file explorer that has root access, copy it to /system/app (after making sure that system is r/w) and make sure the permissions are set to match the other apks in that directory.

monkeypaws

Senior Member
When running adb, after running the command where I tell it to restore the fake restore, and then while the "exploit" is running, I keep getting, in cmd, "link failed, no such file or directory", and it just keeps doing that. Is this normal or did I do something wrong?
Let's try to keep this thread on-topic please.

But to answer your question, don't install the apk. Using a file explorer that has root access, copy it to /system/app (after making sure that system is r/w) and make sure the permissions are set to match the other apks in that directory.

Top Liked Posts

I made a backup using the TWRP recovery. Is there a way to restore the TWRP recovery files using adb?
Why not use TWRP??

Okay. How long does it take? Because I start it, then hit restore, and nothing happens but the repeated line of code saying the error mentioned above.
You need to run the "adb shell while ..." command before you click restore on your device. It shouldn't take more than a few seconds.

Giving it a shot tomorrow, will report back. A big thank you for posting this, I was really not wanting to unlock the bootloader. Just as an aside, how would I go about revoking root access without unlocking the bootloader?

Don't worry if that's too much of a hassle. But I'm guessing I could just delete the superuser app using ADB and remove the su folder and I'd essentially revoke root access, correct?
Yes, if you want to remove root access, just delete the two files: /system/bin/su and /system/app/Superuser.apk.

Can anyone confirm that this works on the Nexus 7?
Why don't you try it and find out? It will either work (which it should) or it won't do anything. It won't mess anything up if it doesn't work.