
[Verizon] Galaxy Nexus root / un-root without unlocking bootloader

> scary,
>
> I tried the new script and still no joy (downloaded it after 3:30 EST). I uninstalled and reinstalled all the drivers for Windows, and uninstalled all the apps requiring root except Volume +. Cleared the log in Superuser and went ahead and removed Root Explorer also. When I run the unroot script Superuser is not uninstalled but the phone reboots and the script finishes by prompting me to press any button to continue.
>
> I am starting to think it may be something with the 4.0.4 OTA not allowing this exploit unless you have verified that it works on 4.0.4.

Yeah, I'm guessing that the version of Linux in the kernel has been changed and that the mempodroid exploit hole has been closed for 4.0.4?

Did you see the new output from the scripts where it tries to list whether the root files are now present (for rooting) or not present (for unrooting)?

The mempodroid exploit binary doesn't report success or failure, so it's hard to tell that it works--that's why I added some new lines of code in the script.

Here's the root example output: View attachment windows-root-example.txt

Here's the unroot example output: View attachment windows-unroot-example.txt

Can you point me to the 4.0.4 OTA you used? If I have time tonight, I'll try installing that myself and see if our suspicions are true.

Thanks!
 
Upvote 0

Attachment: Root script results.jpg (142.9 KB)
Upvote 0
> scary,
>
> I used the file from seanmcnally over at android central. It is post 29 in this thread:
>
> OTA Update IMM30B 4.04 - Page 3 - Android Forums at AndroidCentral.com
>
> I attached a screen capture of the command window after the root script finished. Does that help?

Paul,

Sorry for the delayed reply, I was AFK for a few hours...

Yeah, it certainly looks like the exploit is not invoking the scripts on the phone (notice that after the "running the exploit script..." there's no "remounting /system", which is produced by the script2-root.sh script).

So, that indeed does tell me that the exploit isn't viable for some reason on 4.0.4.

Now, an idea occurred to me that the exploit does indeed work, but the offsets for the exit() function are different and need to be adjusted. I'm not sure I know how to determine this--I'll have to go back and re-read the original root exploit information to see if it's a value I can try to determine myself (the prior values that I used were already published for us).

So, we're not totally dead in the water, but we're certainly stymied at the moment.

Let me do some more research and such and I'll get back with you (I'm not likely to discover this tonight, given the semi-later hour :)).

Cheers and sorry that the regaining root for 4.0.4 wasn't as straightforward.

I hope I can figure something out for everyone that will continue allowing them to gain root without unlocking your bootloader.

Thanks,
-SA
 
Upvote 0
> scary,
>
> The new scripts do not seem to work either.

Yeah, looks like it...:( :thinking: :mad:

It's actually getting a little farther with the auto-detect option: you can see in both screen shots that /system was not able to be remounted as r/w (before, the script2-*.sh script was not even being invoked). So, the exploit is at least launching the script--it's just not doing it with superuser/root permissions.

You can see that the su binary has been stripped of its SUID-bit in the permissions field (should be "-rwsr-sr-x" vs. the "-rwxr-xr-x" you currently have).

Well, I might try to flash back to 4.0.2 stock and then install the 4.0.4 OTA tonight, but I'm thinking that might be a fruitless endeavor since you've done this for me, LOL...

Let me think and research this a little more (there's an IRC chat that one of the exploit researchers has offered-up that I might try to contact him about how to track-down what is happening).

Cheers!
-SA
 
Upvote 0
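The permission-string check described in the post above (a working su binary shows "-rwsr-sr-x", a stripped one "-rwxr-xr-x") can be automated so the root/unroot scripts report a clear verdict instead of leaving the reader to eyeball `ls -l`. The following POSIX shell snippet is an added example for this thread, not part of scary alien's scripts; it assumes the usual `ls -l` layout (mode string first, file name last) and uses constructed sample lines rather than output captured from a phone.

```shell
#!/bin/sh
# Added example (not from the thread's scripts): audit an `ls -l` line for
# the owner setuid bit, which is what distinguishes a usable su binary
# ("-rwsr-sr-x") from one whose SUID bit was stripped ("-rwxr-xr-x").

# has_setuid MODE
#   MODE is the 10-character ls-style mode string. Returns 0 (true) when the
#   owner execute slot (4th character) is 's' or 'S', i.e. setuid is set;
#   returns 1 otherwise.
has_setuid() {
    case "$1" in
        ???[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_line LINE
#   LINE is one `ls -l` output line. Prints "<name>: setuid present" or
#   "<name>: setuid MISSING" so a script can log an unambiguous result.
audit_line() {
    set -- $1                 # split on whitespace: $1 = mode, last = name
    mode=$1
    for word in "$@"; do name=$word; done   # keep the final field (the name)
    if has_setuid "$mode"; then
        echo "$name: setuid present"
    else
        echo "$name: setuid MISSING"
    fi
}

# Constructed sample lines (assumed layout; not real device output).
SAMPLE_OK='-rwsr-sr-x root root 22228 2012-02-01 01:23 su'
SAMPLE_STRIPPED='-rwxr-xr-x root root 22228 2012-02-01 01:23 su'

# Stand-alone demo: audit both constructed lines.
audit_line "$SAMPLE_OK"
audit_line "$SAMPLE_STRIPPED"
```

On a device, the same function would be fed the output of `ls -l` for the su binary's path, so an unroot run reporting "setuid MISSING" (or no su at all) and a root run reporting "setuid present" gives the confirmation the exploit binary itself never prints.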
Paul,

Also, I just remembered this, and even though this doesn't help you now since you've applied the 4.0.4 OTA, there's an app called OTA RootKeeper that will save a copy of the su binaries in a protected /system folder. After an OTA is applied, you'll be able to re-root via the app itself because it will use the saved su binary to reapply the su binaries to the proper, normal places.

Anyway, just wanted to throw that out there while I was thinking about it...

-SA
 
Upvote 0
Scary,

No problem. I'll wait until I hear from you if you are able to get it working on 4.0.4. If you can't I'll worry about fixing it then. I really wanted to do this without wiping or installing a custom bootloader. Anyhow my phone works and I'm on the leaked OTA so I'm fine for now. If you get it working I'll have to remember that app to preserve root. It might be a good idea to add that app recommendation to the OP for now.
 
Upvote 0
Paul (and others, too ;)),

Just a quick update:


  • I restored back to stock 4.0.2 (again--#17 :p)
  • rooted w/this method
  • took a Nandroid to save me a little time in the future so I can revert back faster
  • downloaded/installed/ran OTA RootKeeper to save root for future
  • downloaded/installed the 4.0.4 OTA leak
  • took a 4.0.4 Nandroid (via soft-booting CWM)
  • tried the mempodroid exploit and verified that I'm getting the same behavior you were seeing (sh payload runs but isn't rooted)
  • finally regained root on 4.0.4 via OTA RootKeeper (works great!)

I launched an IRC chat session with the dev that provided the pre-compiled mempodroid exploit binary to talk with him about how to figure out the offsets we'll need for 4.0.4 (assuming the exploit hasn't been patched); no answer last night or so far today.

I'll let you know what I find.

Cheers!
 
Upvote 0
It shows the big droid laying down and then I chose recovery and hit the power button, this brings me to another screen with small droid laying down with red triangle.... at this point no buttons work .... Help!


Edit: Ok I get it, now I am not seeing the update.zip file in there even though it had successfully copied over.... this is weird

Edit: Must have done something wrong, just redid all the steps and now I see the file. Update is being applied.

Thanks for these instructions and help.

This thread has been great and very helpful. I have successfully rooted my Gnex, but am still having trouble getting the 4.0.4 update applied.

I keep getting the small droid laying down after booting to recovery. I verified the update.zip is in /cache before rebooting to recovery. I tried getting into recovery from adb (adb reboot recovery) and from the hardware buttons, but in both cases I get that same icon (I think he is mocking me). There is no option from there and after a few minutes the phone boots normally.

Anyone have any thoughts or ideas what I may be doing wrong?

Thanks.
 
Upvote 0
> This thread has been great and very helpful. I have successfully rooted my Gnex, but am still having trouble getting the 4.0.4 update applied.
>
> I keep getting the small droid laying down after booting to recovery. I verified the update.zip is in /cache before rebooting to recovery. I tried getting into recovery from adb (adb reboot recovery) and from the hardware buttons, but in both cases I get that same icon (I think he is mocking me). There is no option from there and after a few minutes the phone boots normally.
>
> Anyone have any thoughts or ideas what I may be doing wrong?
>
> Thanks.

When you are at the android laying down, are you pressing and holding the power button and pressing volume up to get into the stock recovery?
 
Upvote 0
By the way, I've been in contact with saurik (Jay Freeman) re. determining the hex offsets for ICS 4.0.4 so that we'll be able to root it without also having to unlock the bootloader (I'm waiting on a reply from him, but also pursuing this information myself).

If you root in 4.0.2 with this method and wish to retain root in 4.0.4 (i.e., after accepting or installing the 4.0.4 OTA), then use OTA RootKeeper for now until we have/know the new hex offsets for the mempodroid exploit.

I'll update here when I find things out.

Thanks!
 
Upvote 0
> Hi Scary! I'm kind of confused on step 4 for mac. Can you explain it to me better?

Welcome to the AndroidForums, eagle nexus!

I'll try--I don't have a Mac, but I know it is a Linux/Unix-type system...

You're talking about the part where it says to "cd" (change directory), right?

So, I think you would start-up a Terminal session and then find / navigate to the folder where you extracted the contents of the .zip file.

I don't know too much about the Terminal session in the Mac world, but you would download and extract the .zip to a known folder location (say "/home/downloads" (I believe it should extract to the "simple-gnex-root-unroot" subfolder)), then startup your Terminal session, and type "cd /home/downloads/simple-gnex-root-unroot" before proceeding with step #5.

Does that help / make sense?

Apologies for not being more Mac-savvy...

Let me know :).

Cheers!
 
Upvote 0
> Welcome to the AndroidForums, eagle nexus!
>
> I'll try--I don't have a Mac, but I know it is a Linux/Unix-type system...
>
> You're talking about the part where it says to "cd" (change directory), right?
>
> So, I think you would start-up a Terminal session and then find / navigate to the folder where you extracted the contents of the .zip file.
>
> I don't know too much about the Terminal session in the Mac world, but you would download and extract the .zip to a known folder location (say "/home/downloads" (I believe it should extract to the "simple-gnex-root-unroot" subfolder)), then startup your Terminal session, and type "cd /home/downloads/simple-gnex-root-unroot" before proceeding with step #5.
>
> Does that help / make sense?
>
> Apologies for not being more Mac-savvy...
>
> Let me know :).
>
> Cheers!

I typed in "cd /home/downloads/simple-gnex-root-unroot" and pressed enter. It just said, "No such file or directory". Thank you for taking your time to read this.
 
Upvote 0
> I typed in "cd /home/downloads/simple-gnex-root-unroot" and pressed enter. It just said, "No such file or directory". Thank you for taking your time to read this.

Oh, sorry...that was just an example directory name that I made up...your directory (folder) name will depend on where you downloaded and extracted the .zip file.

When you download the .zip file, can you identify where it's located?

Then, if you extract it, can you tell where it gets extracted to?
 
Upvote 0
> Oh, sorry...that was just an example directory name that I made up...your directory (folder) name will depend on where you downloaded and extracted the .zip file.
>
> When you download the .zip file, can you identify where it's located?
>
> Then, if you extract it, can you tell where it gets extracted to?

It automatically unzips the file. Right now, I have the unzipped folder on my desktop. Would that be "cd /home/desktop/simple-gnex-root-unroot"?
 
Upvote 0
I found that the path of the file is actually "/Users/patrickutz/Desktop". What should I type in terminal now?

Well, the contents of the .zip file contain a folder with the same name (i.e., "simple-gnex-root-unroot"), so you'll probably have to type (in the Terminal window):

Code:
cd /Users/patrickutz/Desktop/simple-gnex-root-unroot
 
Upvote 0
