Galaxy Nexus root / un-root without unlocking bootloader


  1. scary alien

    scary alien not really so scary Moderator

    Introducing the Samsung Galaxy Nexus root / un-root without needing to unlock your bootloader. Yep! ;) :p :D

    Note: it appears that this will only work for GNex phones running Android ICS 4.0.2--the exploit that this method utilizes does not seem to work for 4.0.4; if you use this method to gain root in 4.0.2 and wish to retain it later in 4.0.4, be sure to use a utility like my app Android Root Toolkit or OTA RootKeeper to save root in 4.0.2 so that you don't lose it when you install the 4.0.4 OTA.

    I've now updated this with un-root options and support for Linux (32-bit installs) and Mac/OSX.

    Download for the simple-gnex-root-unroot.zip package is located at the bottom of this post.

    How to use:
    1. Download simple-gnex-root-unroot.zip to your PC

    2. Extract the contents of the above .zip file to a working folder on your PC

    3. Start-up a command (Windows) or Terminal (Linux or Mac/OSX) session

    4. Change (cd) to the folder (directory) location where you've extracted the simple-gnex-root-unroot.zip file's contents

    5. For Windows PCs, make sure you have the proper USB adb drivers installed:

    .....How to install the adb & fastboot USB drivers

    6. Make sure you have USB debugging enabled on your device:

    .....Settings -> Developer options -> USB debugging (checked)

    7. Connect your phone to your PC via the USB cable

    8. Run the desired script:


    • Windows:

      to root:

      Code:
      c:\temp> root-for-windows.bat
      to un-root:

      Code:
      c:\temp> unroot-for-windows.bat
    • Linux (32-bit installs):

      note: there's a sudo invocation for the first adb command in the shell script; this will cause you to be prompted for entry of your administrator / root password (this is so that the adb daemon is started-up with the proper privileges to work on your Linux system)

      to root or unroot (you'll be prompted to select option):

      Code:
      . ./root-unroot-for-linux.sh
    • Mac (OSX):

      note: there's a sudo invocation for the first adb command in the shell script; this will cause you to be prompted for entry of your administrator / root password (this is so that the adb daemon is started-up with the proper privileges to work on your Linux system); I'm not sure if this is necessary for the Mac/OSX system, so you might need to remove it from the script if needed

      to root or unroot (you'll be prompted to select option):

      Code:
      . ./root-unroot-for-mac-osx.sh
    Notes:
    1. this root exploit should work on any Linux kernel 2.6.39 and above; this means that it should currently work on both the GSM and the VZW LTE variants of the Samsung Galaxy Nexus (and indeed, several other devices running this Linux kernel; the key to using the exploit lies in using different hex values corresponding to the offset of the exit() function)

    2. this current root package I have assembled for you has been tested on a VZW (LTE/CDMA) Samsung Galaxy Nexus running Android 4.0.2 using both a Windows 7 and Linux 10.x PC; I believe that it should work on a Mac/OSX system, but I am unable to test that at this time

    3. it appears that the adb-linux binary included with this root package only works on 32-bit installs of Linux; I and another member were unable to get the adb binary to execute properly on a 64-bit install of Ubuntu 11.10 (it worked just fine on the 32-bit version)

    4. since this rooting package / method doesn't require you to unlock your bootloader, you don't have to risk that operation and its warranty implications; additionally, you could use an application like Titanium Backup to save your applications and their data/setup for easier recovery and re-setup later

    5. note that this rooting method does not allow you to install a custom recovery and therefore you will be unable to make a Nandroid backup, or install a custom ROM or theme or kernel--you would still need to unlock your bootloader to do these things

    6. you should also take all due precautions and care when undertaking any modifications to your phone (especially system-related apps) without having the protection of a custom recovery and a Nandroid backup; you always have the fall-back option of unlocking your bootloader and restoring back to stock, too: How to un-root (return to stock)

    7. if you use this rooting method on 4.0.2 as a stepping-stone towards manually installing the 4.0.4 OTA, you might want to think about using an app like OTA RootKeeper to preserve root and have the option to restore it once you are on 4.0.4 (currently, this rooting exploit does not appear to work on ICS 4.0.4)
    Credits / references:
    Original thread content:
    Okay, I did a little searching and haven't seen that anyone else has yet posted something like this (apologies if they have), but I was reading around this afternoon and discovered a couple of cool things that allows you to install the root binaries without unlocking your bootloader.

    Yes...you heard right: root the Samsung Galaxy Nexus without unlocking the bootloader ;) :).

    I just did this process manually myself and it works great.

    Note: this does involve using adb and assumes that you've already got the proper USB adb drivers installed (although these are usually less finicky than the fastboot drivers (not an issue for Mac or Linux users, though)).

    Okay, here's the details of what I did:
    • re-flashed my device back to stock 4.0.2 and re-locked the bootloader

    • used adb to push the exploit and root binaries over to /data/local:

      c:\gnex\root-exp> adb push mempodroid /data/local/mempodroid
      c:\gnex\root-exp> adb push su /data/local/su
      c:\gnex\root-exp> adb push Superuser.apk /data/local/Superuser.apk
      c:\gnex\root-exp> adb shell chmod 777 /data/local/mempodroid
    • the remaining operations take place using adb:

      c:\gnex\root-exp> adb shell
      -
      - navigate to where my files are:
      -
      $ cd /data/local
      -
      - remount /system as read-write using the exploit binary:
      -
      $ ./mempodroid 0xd7f4 0xad4b mount -o remount,rw '' /system
      -
      - verify /system now mounted as r/w (other mount info redacted):
      -
      $ mount
      /dev/block/platform/omap/omap_hsmmc.0/by-name/system /system ext4 rw,relatime,barrier=1,data=ordered 0 0
      -
      - use the exploit binary to start-up root shell (could've done this earlier, too):
      -
      $ ./mempodroid 0xd7f4 0xad4b sh
      -
      - navigate back to /data/local (probably could have done "sh -"):
      -
      # cd /data/local
      -
      - install and secure the root binaries:
      -
      # cat su > /system/bin/su
      # cat Superuser.apk > /system/app/Superuser.apk
      # chmod 6755 /system/bin/su
      -
      - that's it...root has been installed! :)
      -
      # exit
      $ exit
      c:\gnex\root-exp>

    Next, I just downloaded and launched Titanium Backup to verify that my apps have root (I also did another "adb shell" and then "su" to test root that way, too). Works great.
    MS/Windows-compatible script available at the end of this post.

    Here's what it looks like when you run it:
    Code:
    ECHO is off.
    # ==========================================================================
    # Samsung Galaxy Nexus Simple Root by AndroidForums "scary alien"
    #
    # Written for and tested on Samsung Galaxy Nexus running stock Android 4.0.2
    #
    # This script will install the root binaries (su, busybox, Superuser.apk) on
    # an unrooted GNex without needing to unlock the bootloader
    #
    # For additional details, credits, etc., please visit:
    #
    # http://androidforums.com/verizon-galaxy-nexus-all-things-root/499117-root-gnex-without-unlocking-bootloader-yep.html
    #
    # Instructions:
    #
    # 1) Make sure you have the adb USB device drivers installed
    #
    # 2) Make sure you have USB debugging enabled on your phone
    #
    # 3) Connect your phone and computer via your USB cable
    #
    # 4) Run this script from the same directory where the rest of the
    #    files from the extracted .zip file are located
    #
    # ==========================================================================
    #
    The system cannot find the file specified.
    Press any key to continue . . .
    [-] waiting for adb USB connectivity to your device
    #
    [-] connectivity established! here we go! :)
    #
    [-] pushing our binaries and scripts over to the phone...
    1915 KB/s (37273 bytes in 0.019s)
    1985 KB/s (22364 bytes in 0.011s)
    3327 KB/s (1867568 bytes in 0.548s)
    3324 KB/s (843503 bytes in 0.247s)
    60 KB/s (124 bytes in 0.002s)
    169 KB/s (520 bytes in 0.003s)
    #
    [-] securing work files...
    #
    [-] rooting the phone...
     [-] running the exploit script...
      [-] remounting /system
      [-] installing root binaries
       [-] installing su
       [-] installing Superuser.apk
       [-] installing busybox
     [-] exploit completed, root installed
    #
    [-] cleaning-up /data/local...
    #
    # Congratulations, your GNex has just been rooted :)
    #
    # Use your new root powers carefully and wisely.
    #
    # --- all done ---
    Press any key to continue . . .
    Hope you found this interesting.

    Cheers and let me know if you have any questions.

    -SA


    Notes / Cautions:

    - this works for the Samsung Galaxy Nexus running Android 4.0.2 and should work for both the GSM/HSPA+ and the VZW LTE/CDMA version of the phone; I also suspect that it will work for 4.0.1 but I haven't tested that (yet)

    - rooting your device without unlocking your bootloader will basically only let you run root apps; you won't be able to install (or run) a custom recovery, a custom ROM / theme / kernel, etc.

    - since you can't install a custom recovery, you won't be able to make a Nandroid backup to put yourself back to a safe, known setup, so keep this in mind when doing any root-related operations (such as using SetCPU for underclocking, or making any system tweaks that can only be done with root) [although you'll always be able to unlock your bootloader and How to un-root (return to stock) the old-fashioned way].
    simple-gnex-root-unroot.zip:

    .....File size: ..........946,051 (bytes)
    .....MD5 checksum: d562b501a37a7fbb7e4174c335f5c881
    .....Download: ........ View attachment simple-gnex-root-unroot.zip


    Example rooting session outputs:

    ..... View attachment windows-root-example.txt
    ..... View attachment windows-unroot-example.txt
    ..... View attachment linux-root-example.txt
    ..... View attachment linux-unroot-example.txt

    Kudos and props to onfire4g05 for the tweaked version of the shell script for the Mac/OSX system! Thank you!!!

    domenukk, cconover, Dignan17 and 26 others like this.
  2. Hipe0ples555

    Hipe0ples555 Well-Known Member

    Have any Mac commands?

    Do you just put ./ in front of adb-----> ./adb????
  3. scary alien

    scary alien not really so scary Moderator

    Well, this really isn't Windows or Mac specific...it's mostly adb-specific. So, if you know and are familiar with adb, it's fairly straight-forward.

    There's an ADB Guide that contains a "Mini-SDK" section with a downloadable sdk-tools.zip file that contains an "adb-mac" file that you can use in place of the "adb" referenced above.

    Also, I think I could script this...it should be possible to do this, but I've just finished playing-around with this myself (need a few minutes to finish some other stuff up ;) :)).

    Lemme know if you have other questions :).

    Cheers!

    edit: you ninja'd me with your edits, LOL....yes, you basically start-up a terminal session and prefix your "adb" (or adb-mac) references with "./" (as in "./adb devices", etc.).
  4. Paul1201

    Paul1201 Well-Known Member

    Would this allow you to place the 4.0.4 OTA in the cache folder and install the OTA without unlocking?
  5. scary alien

    scary alien not really so scary Moderator

    I suppose so...

    Since you'll be gaining basic root ability (su / Superuser.apk, etc. (busybox installation is easy, too)), you'd be able to place the file in the /cache partition.

    It's been a while since I've done this (did it once on my Eris a long while back).

    Also, the way the exploit works, you wouldn't even have to root to do this...you could just tweak the process and use the exploit binary to start a temporary rooted shell to accomplish your copies (no need to insert the su and Superuser binaries).

    By the way, I'm working on making this into a script...still testing and playing.

    Cheers!
    Paul1201 likes this.
  6. gapi

    gapi VIP Member VIP Member

    Just to once again show my noobness, what are the reasons or advantages of having a locked or unlocked boot-loader option? Why would a person choose one over the other?
  7. Paul1201

    Paul1201 Well-Known Member

    Total noob on this also but it is my understanding that unlocking the bootloader is the step that wipes your data from the phone. Also unlike the OG Droid where you could just rename the OTA update.zip and load the OTA early, the GNex requires the file to be loaded into the cache partition which requires root. Using the method discussed by scary alien those who wish to remain stock but have the update early may finally be able to accomplish it without having their phone's data wiped.

    Of course the other advantage is that if you can gain root first you can download Titanium Backup and backup your phone prior to unlocking the bootloader. There is a way to backup using ADB commands but I think Titanium may be easier to restore your data on your phone.
    jmar likes this.
  8. scary alien

    scary alien not really so scary Moderator

    The biggest reason for unlocking your bootloader is the ability to flash new files such as a custom recovery (and thereby custom ROMs / themes / kernels), as well as being able to flash back to stock / factory images.

    While I've not been a big fan of simple one-click root packages (because it makes rooting too easy for some and sometimes gets people into trouble), this method falls in line to make rooting the Galaxy Nexus similar to other phones in that a particular exploit will give root access without having to have an unlocked bootloader.

    I did more testing last night and have a simple script that one could run from your PC that will install root, but I've got a little polishing I need to do on it before posting.

    Additionally, I believe I can make an Android app out of this, too :).

    Stay tuned.
    jmar, cwkiakacw and Paul1201 like this.
  9. Paul1201

    Paul1201 Well-Known Member

    Scary alien,

    Thank you for investigating this. I have always chosen to unlock/root and run stock roms anyhow so this will make it possible for those like me to use apps that require root (TB, Root Explorer, etc.) and stay on a stock rom.
    jmar likes this.
  10. scary alien

    scary alien not really so scary Moderator

    No problem, Paul! I'm happy to help re. this (and it's been a fun and interesting challenge ;)).

    I'm pretty sure I can "simply" (yeah, it's really not that simple ;)) throw these commands in an app and make this a one-click rooter. I'm hopeful that the exploit will remain open for near-future versions of ICS besides 4.0.2.

    More to come later!
  11. diverbelow

    diverbelow Member

    So I was able to push update.zip to /cache with minor adjustments. More to come
    Paul1201 and scary alien like this.
  12. scary alien

    scary alien not really so scary Moderator

    Cool! Looking forward to it.

    Yeah, I did some streamlining to the process in the scripts I built and tested last night.

    I'll be posting a script later this evening (at least that's my plan). Will have to flash back to stock 4.0.2 for about the 14th time now (I'm losing count :p) to test this.

    What's cool about this is that you can re-purpose this exploit to gain selective root access when you want.

    Cheers!
    jmar likes this.
  13. diverbelow

    diverbelow Member

    My GNex was on 4.0.2 with locked boot loader, non-root and completely stock. I wanted to remain locked and non-rooted (promised the wife) but wanted to see if 4.0.4 was able to fix the random reboot and increase battery life.

    Need to know how to use adb and not responsible for bricking the phone.

    I used scary alien's steps and had to add chmod 777 where it was needed.

    Download the following files and place them in the C:\Android\platform-tools directory or whatever directory you want:
    Android 4.0.4
    mempodroid
    su

    used adb to push the exploit and root binaries over to /data/local:
    used adb to push the update.zip to /cache

    Upgrade from 4.0.2 to 4.0.4 section
    C:\Android\platform-tools> adb push mempodroid /data/local
    C:\Android\platform-tools> adb push su /data/local

    the remaining operations take place using adb:

    C:\Android\platform-tools> adb shell
    $ cd /data/local
    $ chmod 777 mempodroid
    $ chmod 777 su
    $ ./mempodroid 0xd7f4 0xad4b mount -o remount,rw '' /cache
    $ PATH=/data/local:$PATH
    $ ./mempodroid 0xd7f4 0xad4b sh
    # chmod 777 /cache

    Open another command prompt or terminal and browse to the
    directory you placed update.zip in, then push it to /cache:
    adb push update.zip /cache

    the remaining operations take place using adb from above:
    # chmod 770 /cache
    # PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    ---Optional--- If you want to remove these files from /data/local. You can also do a factory wipe
    # cd /data/local
    # rm mempodroid
    # rm su
    exit

    * Power off phone
    * Press and hold the volume up/down buttons then press the power button
    * Arrow to Recovery
    * Phone will reboot in to recovery mode
    * With Android laying down, press and hold the power button and volume up (possible volume up couple of times)
    * apply update from /cache
    * reboot

    For Upgrade 4.0.4 to newest 4.0.4

    Looks like the exploit that was in 4.0.2 kernel has been patched. Looking for workarounds.
    Untested, will test late tonight.
    used adb to push the exploit and root binaries over to /data/local:
    used adb to push the update.zip to /cache

    C:\Android\platform-tools> adb push mempodroid /data/local
    C:\Android\platform-tools> adb push su /data/local

    the remaining operations take place using adb:

    C:\Android\platform-tools> adb shell
    $ cd /data/local
    $ chmod 777 mempodroid
    $ chmod 777 su
    $ ./mempodroid 0xd7cc 0xad27 mount -o remount,rw '' /cache
    $ PATH=/data/local:$PATH
    $ ./mempodroid 0xd7cc 0xad27 sh
    # chmod 777 /cache

    Open another command prompt or terminal and browse to the
    directory you placed update.zip in, then push it to /cache:
    adb push update.zip /cache

    the remaining operations take place using adb from above:
    # chmod 770 /cache
    # PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    ---Optional--- If you want to remove these files from /data/local. You can also do a factory wipe
    # cd /data/local
    # rm mempodroid
    # rm su
    exit

    * Power off phone
    * Press and hold the volume up/down buttons then press the power button
    * Arrow to Recovery
    * Phone will reboot in to recovery mode
    * With Android laying down, press and hold the power button and volume up (possible volume up couple of times)
    * apply update from /cache
    * reboot


    Hope this helps.
    domenukk, Larzzzz, jmar and 2 others like this.
  14. diverbelow

    diverbelow Member


    So I used the steps to update my wife's Galaxy Nexus and removed a step.

    My wife's GN was completely stock with locked boot loader and non-rooted.
    scary alien likes this.
  15. scary alien

    scary alien not really so scary Moderator

    Little thread bump to let everyone know that I've finished the installation script.

    Here's how to use the script:

    1. Download the simple-gnex-root.zip file to your MS/Windows PC (found at the bottom of the first post of this thread)

    2. Extract the contents to a folder

    3. Make sure you have USB debugging enabled on your phone (Settings -> Developer options -> USB debugging (checked))

    4. Make sure you have the proper adb USB drivers installed:

    How to install the adb & fastboot USB drivers (MS/Windows users only)

    5. Connect the phone and your computer together with your USB cable

    6. Double-click the runme.bat file that's in the folder where you extracted the contents of the simple-gnex-root.zip file

    7. The installation goes pretty quickly.

    8. Enjoy your new root abilities :).


    Obligatory root disclaimer / reminder:

    As always, you are ultimately responsible for any root-related activities on your phone.

    You should understand not only the benefits of rooting, but also any possible consequences (voided warranty, boot-loops, bricking, etc.) that might occur as a result of your root-related actions.

    AndroidForums.com / Phandroid.com, its owner, and staff are not liable for any root actions you might undertake as a result of information used from this site.

    Reading, researching, understanding, and carefully following the published steps and instructions can go a long way towards helping to make your rooting efforts a successful one.
    Paul1201 likes this.
  16. Paul1201

    Paul1201 Well-Known Member

    Scary & diver,

    Awesome work. I'm really busy this week but hope to take advantage of this over the weekend.
    scary alien likes this.
  17. blackberrycubed

    blackberrycubed Active Member

    How do you do last step ?

    Whenever I reboot my completely stock phone into recovery mode I get the damn dead droid icon with the red triangle and then after a little bit it reboots.

    How do I complete the last part of applying the update?

    Thanks
  18. diverbelow

    diverbelow Member

    Once you are at the robot laying down press and hold the power button and press volume + and use the arrow keys to move up and down and power button to select.
  19. blackberrycubed

    blackberrycubed Active Member

    It shows the big droid laying down and then I chose recovery and hit the power button, this brings me to another screen with small droid laying down with red triangle.... at this point no buttons work .... Help!


    Edit: Ok I get it, now I am not seeing the update.zip file in there even though it had successfully copied over.... this is weird

    Edit: Must have done something wrong, just redid all the steps and now I see the file. Update is being applied.

    Thanks for these instructions and help.
  20. Yeahha

    Yeahha Usually off topic VIP Member

    On this menu if you choose apply update from cache now it does nothing?

    [​IMG]

    If so I would suggest rebooting and trying again.

    @SA this method will not prevent OTA updates so if an OTA comes I take it root would be lost. If so, should this work on newer versions of the OS in theory?

    This may be a good thing to add to the beginning of the how to root process to allow people to make backups of the app data then unlock the bootloader which wipes everything, once the phone is fully rooted someone could push the backups back to the phone and restore the app data...just a thought
  21. scary alien

    scary alien not really so scary Moderator

    Yeah, an OTA will kill root because the su binary gets its execute and SUID-bit permissions reset.

    I'm pretty sure that this will work on future versions of ICS unless and until the exploit is patched in the kernel (or a different compiler is used by Google that breaks the exploit).

    I'm a little fuzzy on your last paragraph...are you talking about using something like TiBu to back stuff up and later restore after an OTA comes in and you've re-rooted?

    (sorry for being fuzzy, LOL, I'm working on a 1-click app version of this method (and was up way too late last night with it ;) :))

    Cheers!
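
Added example (not part of the original thread or of the simple-gnex-root-unroot package): a shell check that flags what the steps in this thread leave on a device, namely a setuid su under /system, Superuser.apk in /system/app and world-writable files in /data/local, plus the post-OTA state described in the post above, where su is still present but has lost its SUID bit. The listing format, the function names and the EXPECTED_SETUID baseline are assumptions; the sample inventory is constructed.

```shell
#!/bin/sh
# Added example: audit a file inventory from a device for root artefacts.
# Assumed input format: one file per line, permission string first and the
# full path last (for instance "ls -l" output with the path filled in by
# whatever collects it). Paths containing spaces are not handled.

# Setuid files treated as part of the stock image (assumption; replace with
# the baseline taken from a known-good build of the same firmware).
EXPECTED_SETUID="/system/bin/run-as"

# Constructed sample inventory, not captured from a real device.
sample_listing() {
cat <<'EOF'
-rwsr-sr-x root     root        20000 2012-01-20 10:01 /system/bin/su
-rw-r--r-- root     root       800000 2012-01-20 10:01 /system/app/Superuser.apk
-rwxrwxrwx shell    shell       30000 2012-01-20 10:00 /data/local/mempodroid
-rwxr-xr-x root     shell       60000 2011-12-01 09:00 /system/bin/toolbox
-rwsr-x--- root     shell       10000 2011-12-01 09:00 /system/bin/run-as
EOF
}

# Return 0 when the path is on the stock setuid baseline.
is_expected() {
    for e in $EXPECTED_SETUID; do
        [ "$e" = "$1" ] && return 0
    done
    return 1
}

# Read an inventory on stdin, print one "FINDING path" line per artefact.
audit_listing() {
    while read -r mode rest; do
        case $mode in -*) ;; *) continue ;; esac    # regular files only
        path=${rest##* }                            # last field is the path
        setuid=no
        case $mode in ???[sS]*) setuid=yes ;; esac  # 4th char carries SUID
        case $path in
            /system/*/su)
                if [ "$setuid" = yes ]; then
                    echo "SETUID_SU $path"
                else
                    # State after an OTA has reset the permissions on su
                    echo "SU_WITHOUT_SETUID $path"
                fi ;;
            /system/app/Superuser.apk)
                echo "ROOT_MANAGER_APK $path" ;;
            /system/*)
                if [ "$setuid" = yes ] && ! is_expected "$path"; then
                    echo "UNEXPECTED_SETUID $path"
                fi ;;
            /data/local/*)
                # 9th char is the "other" write bit (chmod 777 leftovers)
                case $mode in ????????w*) echo "WORLD_WRITABLE $path" ;; esac ;;
        esac
    done
}

# Number of findings for the inventory on stdin.
count_findings() {
    audit_listing | wc -l | tr -d ' '
}

sample_listing | audit_listing
```

A su that is reported as SU_WITHOUT_SETUID is inert but still shows the system partition was modified at some point, so it is worth recording separately from a live SETUID_SU.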
  22. Yeahha

    Yeahha Usually off topic VIP Member

    No problem on the fuzziness ;)

    Using TiBU or a similar app was my thought exactly. You would need to transfer the data to a CPU or a dropbox type thing before unlocking the boot loader but it would basically be a lossless root
    scary alien likes this.
  23. scary alien

    scary alien not really so scary Moderator

    Ugh! I'm a doofus! :p

    Totally spaced the blurb in the exploit details:

    so, my (failed) efforts last night and tonight trying to create a 1-click app were all for naught :p.

    Oh, well, the script is easy enough to use...

    I'll concentrate on updating the first post with the stuff discussed just above, and making a Mac and Linux version of the .zip.

    Cheers!
  24. rickt1152

    rickt1152 New Member

    This could not have been easier. Worked perfectly, took five minutes including downloading the drivers. Such a great option to be able to root, use Titanium Backup and then unlock the bootloader without losing all my app data. The solution I've been looking for. Thanks scary alien.
    Yeahha and scary alien like this.
  25. scary alien

    scary alien not really so scary Moderator

    Thanks, Rick! :)

    It was a gas reading through the threads and getting the realization that this would work.

    It should actually work for several devices running ICS and/or the certain kernel version (you'd just need to adjust the hex offset values that are used by mempodroid--maybe I'll make the script a little more generic).

    Glad it worked for you :).

    I'll get the first post updated tomorrow with what you and Yeahha mentioned above.

    Cheers!