[Verizon] Galaxy Nexus root / un-root without unlocking bootloader


Last Updated: 2012-11-10 04:29:36
  1. scary alien

    scary alien not really so scary Moderator

    Yeah, I'm guessing that the version of Linux in the kernel has been changed and that the mempodroid exploit hole has been closed for 4.0.4?

    Did you see the new output from the scripts where it tries to list whether the root files are now present (for rooting) or not present (for unrooting)?

    The mempodroid exploit binary doesn't report success or failure, so it's hard to tell that it works--that's why I added some new lines of code in the script.

    Here's the root example output: View attachment windows-root-example.txt

    Here's the unroot example output: View attachment windows-unroot-example.txt

    Can you point me to the 4.0.4 OTA you used? If I have time tonight, I'll try installing that myself and see if our suspicions are true.

    Thanks!

  2. Paul1201

    Paul1201 Well-Known Member

    Attached Files:

  3. scary alien

    scary alien not really so scary Moderator

    Paul,

    Sorry for the delayed reply, I was AFK for a few hours...

    Yeah, it certainly looks like the exploit is not invoking the scripts on the phone (notice that after the "running the exploit script..." there's no "remounting /system", which is produced by the script2-root.sh script).

    So, that indeed does tell me that the exploit isn't viable for some reason on 4.0.4.

    Now, an idea occurred to me that the exploit does indeed work, but the offsets for the exit() function are different and need to be adjusted. I'm not sure I know how to determine this--I'll have to go back and re-read the original root exploit information to see if it's a value I can try to determine myself (the prior values that I used were already published for us).

    So, we're not totally dead in the water, but we're certainly stymied at the moment.

    Let me do some more research and such and I'll get back with you (I'm not likely to discover this tonight, given the semi-later hour :)).

    Cheers and sorry that the regaining root for 4.0.4 wasn't as straightforward.

    I hope I can figure something out for everyone that will continue allowing them to gain root without unlocking their bootloader.

    Thanks,
    -SA
    Paul1201 likes this.
  4. Paul1201

    Paul1201 Well-Known Member

    Scary,

    No problem. I was at my keyboard for a while and too busy to post so I totally understand. I'll keep watching the thread for any updates.
    scary alien likes this.
  5. scary alien

    scary alien not really so scary Moderator

    Paul,

    I've found something! :eek: :D ;) :)

    I've built and added a new autodetect-gnex-root.zip to the OP.

    Try it out and let me know if it works for you (limited testing on my AOKP ROM shows that it works there, so I'm pretty confident it will work for you on 4.0.4!).

    Lemme know :).

    Cheers!
  6. Paul1201

    Paul1201 Well-Known Member

    scary,

    The new scripts do not seem to work either.

    Attached Files:

  7. scary alien

    scary alien not really so scary Moderator

    Yeah, looks like it...:( :confused: :mad:

    It's actually getting a little farther with the auto-detect option: you can see in both screenshots that /system was not able to be remounted as r/w (before, the script2-*.sh script was not even being invoked). So, the exploit is at least launching the script--it's just not doing it with superuser/root permissions.

    You can see that the su binary has been stripped of its SUID bit in the permissions field (should be "-rwsr-sr-x" vs. the "-rwxr-xr-x" you currently have).

    Well, I might try to flash back to 4.0.2 stock and then install the 4.0.4 OTA tonight, but I'm thinking that might be a fruitless endeavor since you've done this for me, LOL...

    Let me think and research this a little more (there's an IRC chat that one of the exploit researchers has offered-up that I might try to contact him about how to track-down what is happening).

    Cheers!
    -SA
    Paul1201 likes this.
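The two indicators the post above reads off the screenshots (the setuid bit on su and whether /system came back read-write) can be checked mechanically. The following POSIX sh snippet is an added example, not one of the thread's scripts; the ls and mount lines it parses are constructed samples shaped like the output described above, and the device path is a placeholder.

```sh
#!/bin/sh
# Added example: classify a device's root state from "ls -l" and "mount"
# output, the same way the thread's scripts list root indicators.

# Constructed sample lines (not captured from a real device).
LS_ROOTED='-rwsr-sr-x root     root        22228 2012-03-10 20:14 su'
LS_STRIPPED='-rwxr-xr-x root     root        22228 2012-03-10 20:14 su'
MOUNT_RW='/dev/block/PLACEHOLDER/system /system ext4 rw,relatime 0 0'
MOUNT_RO='/dev/block/PLACEHOLDER/system /system ext4 ro,relatime 0 0'

# has_suid LS_LINE -> success if the owner-execute slot (4th char of the
# mode string) is 's' or 'S', i.e. the setuid bit is set.
has_suid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# system_rw MOUNT_LINE -> success if the line is the /system mount and its
# option list (4th field) contains "rw".
system_rw() {
    set -- $1
    [ "$2" = "/system" ] || return 1
    case ",$4," in
        *,rw,*) return 0 ;;
        *) return 1 ;;
    esac
}

# root_state LS_LINE -> rooted | stripped-su | unrooted
root_state() {
    if has_suid "$1"; then
        echo rooted
    elif printf '%s\n' "$1" | grep -q ' su$'; then
        echo stripped-su        # su present but no setuid bit, as in the thread
    else
        echo unrooted
    fi
}

# report LS_LINE MOUNT_LINE -> e.g. "rooted,system-rw"
report() {
    if system_rw "$2"; then m=system-rw; else m=system-ro; fi
    echo "$(root_state "$1"),$m"
}

report "$LS_ROOTED" "$MOUNT_RW"
report "$LS_STRIPPED" "$MOUNT_RO"
```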
  8. scary alien

    scary alien not really so scary Moderator

    Paul,

    Also, I just remembered this, and even though this doesn't help you now since you've applied the 4.0.4 OTA, there's an app called OTA RootKeeper that will save a copy of the su binaries in a protected /system folder. After an OTA is applied, you'll be able to re-root via the app itself because it will use the saved su binary to reapply the su binaries to the proper, normal places.

    Anyway, just wanted to throw that out there while I was thinking about it...

    -SA
    PhilD and Paul1201 like this.
  9. Paul1201

    Paul1201 Well-Known Member

    Scary,

    No problem. I'll wait until I hear from you if you are able to get it working on 4.0.4. If you can't I'll worry about fixing it then. I really wanted to do this without wiping or installing a custom bootloader. Anyhow my phone works and I'm on the leaked OTA so I'm fine for now. If you get it working I'll have to remember that app to preserve root. It might be a good idea to add that app recommendation to the OP for now.
    scary alien likes this.
  10. scary alien

    scary alien not really so scary Moderator

    Yep! I'm on it ;) :) [I wish I had remembered it before...]

    Cheers and I'll keep working on this as I'm able.

    Thanks,
    -SA
  11. scary alien

    scary alien not really so scary Moderator

    Paul (and others, too ;)),

    Just a quick update:


    • I restored back to stock 4.0.2 (again--#17 :p)
    • rooted w/this method
    • took a Nandroid to save me a little time in the future so I can revert back faster
    • downloaded/installed/ran OTA RootKeeper to save root for future
    • downloaded/installed the 4.0.4 OTA leak
    • took a 4.0.4 Nandroid (via soft-booting CWM)
    • tried the mempodroid exploit and verified that I'm getting the same behavior you were seeing (sh payload runs but isn't rooted)
    • finally regained root on 4.0.4 via OTA RootKeeper (works great!)

    I launched an IRC chat session with the dev that provided the pre-compiled mempodroid exploit binary to talk about how to figure out the offsets we'll need for 4.0.4 (assuming the exploit hasn't been patched); no answer last night or so far today.

    I'll let you know what I find.

    Cheers!
    Paul1201 likes this.
  12. Paul1201

    Paul1201 Well-Known Member

    No problem Scary. Kind of busy this week but will keep checking in.
  13. duperdog

    duperdog New Member

    This thread has been great and very helpful. I have successfully rooted my Gnex, but am still having trouble getting the 4.0.4 update applied.

    I keep getting the small droid laying down after booting to recovery. I verified the update.zip is in /cache before rebooting to recovery. I tried getting into recovery from adb (adb reboot recovery) and from the hardware buttons, but in both cases I get that same icon (I think he is mocking me). There is no option from there and after a few minutes the phone boots normally.

    Anyone have any thoughts or ideas what I may be doing wrong?

    Thanks.
  14. diverbelow

    diverbelow Member

    When you are at the android laying down, are you pressing and holding the power button and pressing volume up to get into the stock recovery?
    scary alien and duperdog like this.
  15. duperdog

    duperdog New Member

    Would help if I followed all of the directions wouldn't it? Thanks for the quick response, update is installing now.
  16. scary alien

    scary alien not really so scary Moderator

    By the way, I've been in contact with saurik (Jay Freeman) re. determining the hex offsets for ICS 4.0.4 so that we'll be able to root it without also having to unlock the bootloader (I'm waiting on a reply from him, but also pursuing this information myself).

    If you root in 4.0.2 with this method and wish to retain root in 4.0.4 (i.e., after accepting or installing the 4.0.4 OTA), then use OTA RootKeeper for now until we have/know the new hex offsets for the mempodroid exploit.

    I'll update here when I find things out.

    Thanks!
    Paul1201 likes this.
  17. Paul1201

    Paul1201 Well-Known Member

    Scary,

    Awesome to hear that.
  18. eagle nexus

    eagle nexus Active Member

    Hi Scary! I'm kind of confused on step 4 for mac. Can you explain it to me better?
  19. scary alien

    scary alien not really so scary Moderator

    Welcome to the AndroidForums, eagle nexus!

    I'll try--I don't have a Mac, but I know it is a Linux/Unix-type system...

    You're talking about the part where it says to "cd" (change directory), right?

    So, I think you would start-up a Terminal session and then find / navigate to the folder where you extracted the contents of the .zip file.

    I don't know too much about the Terminal session in the Mac world, but you would download and extract the .zip to a known folder location (say "/home/downloads" (I believe it should extract to the "simple-gnex-root-unroot" subfolder)), then start up your Terminal session, and type "cd /home/downloads/simple-gnex-root-unroot" before proceeding with step #5.

    Does that help / make sense?

    Apologies for not being more Mac-savvy...

    Let me know :).

    Cheers!
  20. eagle nexus

    eagle nexus Active Member

    I typed in "cd /home/downloads/simple-gnex-root-unroot" and pressed enter. It just said, "No such file or directory". Thank you for taking your time to read this.
  21. scary alien

    scary alien not really so scary Moderator

    Oh, sorry...that was just an example directory name that I made up...your directory (folder) name will depend on where you downloaded and extracted the .zip file.

    When you download the .zip file, can you identify where it's located?

    Then, if you extract it, can you tell where it gets extracted to?
  22. eagle nexus

    eagle nexus Active Member

    It automatically unzips the file. Right now, I have the unzipped folder on my desktop. Would that be "cd /home/desktop/simple-gnex-root-unroot"?
  23. scary alien

    scary alien not really so scary Moderator

    If that's the path where the files were extracted to, then yes sir! :)

    Let me know!
  24. eagle nexus

    eagle nexus Active Member

    I found that the path of the file is actually "/Users/patrickutz/Desktop". What should I type in terminal now?
  25. scary alien

    scary alien not really so scary Moderator

    Well, the contents of the .zip file contain a folder with the same name (i.e., "simple-gnex-root-unroot"), so you'll probably have to type (in the Terminal window):

    Code (Text):
    cd /Users/patrickutz/Desktop/simple-gnex-root-unroot
