Softbank 007SH Unlock FOUND!

**masipah** · 06-06-2012, 12:51 AM

bbs.blueshow.net/thread-1721752-1-2.html

it's in chinese, please help! supposedly the 007SH has two lock functions by Softbank:

nand & "miyabi.lsm"

**SuperSZ** · 06-06-2012, 01:45 AM

Instructions (adapted by me, from google translator)
WARNING: All I've done is to improve the google translation of this process. I haven't tried it yet, so I can not confirm if it is exactly like this or if something is different.

In theory (based on the poor google traduction), the whole rooting and unlocking process would be like this: you install the drivers first, then you install the superuser and IS03rootsw134 apks, and also enable "phone -> Settings -> application, check the unknown source". Then you run connect the phone to the PC. You run menu.exe, press "YES" two times, press number 2, then temp-root via IS03rootsw134 apk and press any key to continue. It appears something about "busybox" and you press 1 to install it. After that, press any key to continue, then it'll ask you if you want to install superuser; as you already did you press 2 and you'll get bakc to the main menu. Select backup of your machine's documentation to the memory card (the space of your memory card at least 1.5GB).

Unrar "007sh0038.rar". Grab the bootxxxxx.img file that you got by making the backup and rename it to boot.img. Put the "boot.img" file in the same folder as 007sh0038 (so you'll have 007sh0038.exe and boot.img in the same folder). Run 007sh0038.exe and it will generate a new "boot.img" file, and rename the boot.img file you had before to "boot.OLD". You can rename your new generated boot.img file to whatever you like; the creator of the post named it MasterT.img. Move the file to the folder where "menu.exe" is located.

Run menu.exe, and enter YES. It will ask you something about temporary root, press any key to continue. Press 2. In the main menu, press 5 (flash the rom to recovery ) and you'll be asked to write the rom name. The creator of the post named it MasterT.img so he typed MasterT.img
Then press enter, type uppercase YES to confirm execution, and then are you'll be asked to install autoxexc.sh .type "y" to install this, and then a bunch of stuff suggesting that the copy files to / data / local?
Type "y", and a any key to continue to the point that it'll ask you nandunlock? (Y / [N]) He directly enter uppercase N! (I don't really understand WHY of this last step, I mean, he selects "no" to nandunlock, but WE DO want to nandunlock... so... I'm confused). And the device should be rooted.

To check if it is rooted, you should start the device in recovery mode (not sure how to do that, maybe it's like in this tutorial: http://www.youtube.com/watch?v=gIyYHfb1Afg ) and it should say somewhere "ROOT succesful" but I didn't really understand where.

Files download:
http://www.sendspace.com/file/df29k4

**SuperSZ** · 06-06-2012, 01:53 AM

From what I understood, the file he provided, 007sh0038.rar is a custom rom which already incorporates the NANDunlock (for both, the nand file and the "miyabi.lsm").

But tokyo_dom said that the NAND lock and the SIM lock are different things

.... so in theory now the 007SH is full rooted, NAND Unlocked ...but still SIM locked

**klanse** · 06-06-2012, 02:10 AM

Hi,
This is just rooting, not unlock.

nand & "miyabi.lsm"

those two locks are something related to unlockng the root or some sort not sim-unlocking.

**SuperSZ** · 06-06-2012, 08:15 AM

UPDATE

The same guy made another post, this one: http://bbs.blueshow.net/thread-1722269-1-1.html

He says it's another root in which you don't need to extract boot.img to create the ROM anymore ... however he never mentions if this also NANDUnlocks the device, or if there is some kind of improvement of something.
Oh and he didn't put instructions of how to procedure with this version.

Download link: http://115.com/file/e7ckgg87 (click the green icon to download)

Remember that you still need to download and install the drivers before: http://www.sendspace.com/file/rjxyuw

I've used google translator. The guy said that they couldn't find the SIM Lock (at least for now). But if they have come this far I'm pretty sure he'll find it some day. Also, his phone is bricked (not because of this itself, but he did it in the process of discovering this whole stuff ... or at least that's what I understood)

So basicly what I recommend to anyone who wanna try this: if you want this JUST for the SIM Unlock (like me ), just wait a little more till he releases a better version with that included. If you are allright with the phone using hypersim and you just wanted a full root, you can try this.

**kusai** · 06-06-2012, 08:34 AM

I'll wait patiently, thank you for the updates

**tokyo_dom** · 06-07-2012, 03:09 AM

Guys, NAND unlock means to enable writing to the Android system folders. MIYABI is another lock put on by sharp

Both of these are required in order to get full root (i.e. not just temporary root), because they do this by writing a root enabled ROM into the phone.

Please, before you all go and brick your phones, read up on Android rooting and what it means. The following guide is for HTC, but many of the concepts are the same. http://nder.com/images/Android%20HTC...ing%20v0.5.pdf
Note that these 'images' that you are writing to the phone do nothing with the radio, which is probably where the SIM lock is stored

**martindesu** · 06-07-2012, 03:15 AM

Can the 007SH officially roam? Perhaps the lock is similar to the 910SH, in that it only ever gets reception if it is a "SOFTBANK" carrier name?

**yamanote** · 06-07-2012, 06:23 AM

Originally Posted by martindesu

Can the 007SH officially roam? Perhaps the lock is similar to the 910SH, in that it only ever gets reception if it is a "SOFTBANK" carrier name?

It does have Global Roaming enabled.

**SuperSZ** · 06-07-2012, 06:36 PM

Originally Posted by tokyo_dom

Guys, NAND unlock means to enable writing to the Android system folders. MIYABI is another lock put on by sharp

Both of these are required in order to get full root (i.e. not just temporary root), because they do this by writing a root enabled ROM into the phone.

Please, before you all go and brick your phones, read up on Android rooting and what it means. The following guide is for HTC, but many of the concepts are the same. http://nder.com/images/Android%20HTC...ing%20v0.5.pdf
Note that these 'images' that you are writing to the phone do nothing with the radio, which is probably where the SIM lock is stored

Thanks, that pdf clarified some concepts to me; so basicly now we have to wait till someone releases a ROM which also includes a modification of something inside the radio folder.

when you said "before you all go and brick your phones?" it was like a joke or you know that this will, indeed, brick them?

**tokyo_dom** · 06-07-2012, 07:18 PM

I know from reading the 2ch threads about the 005SH rooting process (which by the way, is a bit more advanced than this early hack - they have a modified ROM and proper recovery features). There are still people who manage to 'brick' their phones; it happens at least once or twice a week; something goes wrong during writing (even when they do the process properly), and the response is ALWAYS "You need to take it back to Softbank for repairs"

I am hesitant to do it on my phone, and i know i could easily just walk into a SB shop for a warranty request. For you guys overseas, it is considerably more risky

**SuperSZ** · 06-07-2012, 07:48 PM

Originally Posted by tokyo_dom

I know from reading the 2ch threads about the 005SH rooting process (which by the way, is a bit more advanced than this early hack - they have a modified ROM and proper recovery features). There are still people who manage to 'brick' their phones; it happens at least once or twice a week; something goes wrong during writing (even when they do the process properly), and the response is ALWAYS "You need to take it back to Softbank for repairs"

I am hesitant to do it on my phone, and i know i could easily just walk into a SB shop for a warranty request. For you guys overseas, it is considerably more risky

What is the factor that makes .. I dunno, a galaxy S2 for example practically unbrickable (when trying to root), but makes these keitai phones rooting more risky? Just luck?

BTW, you mentioned that in 2ch threads they're more advanced about rooting these android keitai phones. ... nobody said nothing yet there about a SIM Unlock? is it THAT well hidden in the radio folder of the NAND?

**yamanote** · 06-07-2012, 08:15 PM

With GSIIs and most other internationally available Android devices, you usually have to install a custom recovery like cwm before flashing ROMs. Thus there's always a safeguard- if it won't boot, go into the bootloader, select recovery, clear /system and flash a new ROM on.

But we don't have that barrier on the Japanese Androids because nobody can seem to figure out how to access the stock recovery, much less flash one which'll let you install any ROM.

**tokyo_dom** · 06-07-2012, 11:34 PM

They have figured it out on the 005SH

However it doesnt seem to be as stable, or there are still quite a few risks

As for the talk of SIM locking, i have asked this several times on the 2ch threads. The responses were "Those who know, have already taken the sim lock off, but we wont publish how its done. Suffice to say, Qualcomm's NAND code is not particularly unique or difficult to understand, so if you are adept with that, you will figure it out. Any more discussion is taboo."

And that was it. Taboo. Apparently one guy was going to build a tool for reading/and then writing to the radio portion of the NAND, but he never published it.