
Thread: Softbank 007SH Unlock FOUND!

  1. #61
    Join Date: Jun 2012 | Posts: 51 | Feedback Score: 0
    Quote Originally Posted by tokyo_dom:
    - If you have software version 0038, use the 007sh0038.exe to modify your boot image
    How do you determine your software version?

  2. #62
    Join Date: Sep 2007 | Location: Bulgaria | Posts: 1,446 | Device(s): Aquos Zeta SH-01G | Carrier(s): Mtel Bulgaria | Feedback Score: 1 (100%)
    Quote Originally Posted by 白い熊:
    How do you determine your software version?
    Settings > About phone > Build version (at the very bottom)
    Sharp mobile devices database & tips for Sharp smartphones: http://sharp.cheeseus.org
    Selling: Near mint Sharp SoftBank 005SH: SIM unlocked, permanent root, 16 GB microSD, leather case
    Selling: Sharp Aquos Phone 007SH – The Hybrid, SIM-unlocked, permanent root, 16 GB microSD, optimised.

  3. #63
    Join Date: Jun 2012 | Posts: 51 | Feedback Score: 0
    Quote Originally Posted by tokyo_dom:
    - If you have software version 0038, use the 007sh0038.exe to modify your boot image
      - If not, there are some details on what to edit in order to allow root (http://www45.atwiki.jp/aquosphonesh12c/m/pages/28.html)
      - And what to edit to disable MIYABI LSM (allow writing to /System directory) (http://ameblo.jp/zoe0226/entry-11219520727.html)
    Do you have 0037? I have 0047, and the strings to edit are at different locations in the boot image. That should not be surprising; however, this could go seriously wrong.

    Do I understand it correctly, if I flash to recovery and it does not behave well, I should still be able to boot OK, right?

  4. #64
    Join Date: Jun 2012 | Posts: 51 | Feedback Score: 0
    Also to disable Miyabi LSM, how do you replace 002F73797374656D2F00 with 0073797374656D00 and 00FFFFFFFFFFFFFFFF00 with 00FFFFFFFFFFFF00?

    When hex editing the replacements have to be one to one in terms of length, so on which side did you pad?

    EDIT: OK, seems I am confused, you should replace 002F73797374656D2F00 with 00FFFFFFFFFFFFFFFF00 and 0073797374656D00 with 00FFFFFFFFFFFF00, right?

  5. #65
    Join Date: Jun 2012 | Posts: 51 | Feedback Score: 0
    OK, I guess I'm halfway there, but need some help.

    Modified boot.img, but can't flash it with original menu, as it tells me "Failed" when getting temp root on startup. If I enter menu anyway, obviously it doesn't flash, as it doesn't have root rights.

    I succeeded in flashing to recovery with the new menu; however, it doesn't copy the /data/local/ files, doesn't set up autoexec and doesn't unlock NAND. At least it didn't say anything about it.

    After rebooting to recovery from it, it hung on the Aquos Phone rotating flashing logo. I assume it's due to the absence of the three steps above. Is it?

    Alternatively, it could be that the boot.img I edited is borked. I was surprised that, when editing the Miyabi LSM step, I found the string 0073797374656D00 twice, so I changed it twice, as opposed to once with the longer string.

    Anyhow can't proceed. Can you help me?

    EDIT: OK, overcame it by getting temp root from the new menu, then flashing from the original menu. Anyhow, the boot.img is borked, as I get stuck at the logo, so it seems maybe it went wrong with the Miyabi... Any hints, tokyo_dom, did you replace the .system. string twice? Or anything else?

    EDIT 2: OK, almost there. Went back, edited boot.img, left out the Miyabi part now. It boots from recovery, I get root after initializing it after boot, and - differing from tokyo_dom - I get the su prompt and everything works as expected. I can't mount /system rw as that's the part I left out, so need guidance there, what am I doing wrong in editing boot.img? I found the ./system/. string once and replaced it and the .system. string twice and replaced. Obviously that's not right...

    EDIT 3: OK, got it! Only changed the first occurrence and it boots no prob. Thanks a lot, tokyo_dom, for the guide, it's all thanks to you ! :@)
    Last edited by 白い熊; 06-19-2012 at 07:21 PM.

  6. #66
    Join Date: Nov 2006 | Location: Back in Japan | Posts: 908 | Device(s): NEC Medias X (N-04E) | Carrier(s): Docomo (Japan) | Feedback Score: 1 (100%)
    Sorry, a different timezone meant I didn't get to answer any of your questions before you figured it out. I guess now you understand why I try to stress the dangers of doing this: if you had no real idea what you were doing, you would have given up halfway, or possibly even just thought "stuff it, let's try the system partition".

    Yes, you should only change the first occurrence of that second search string. i.e.:

    002F73797374656D2F00 <-- This occurs only once... Replace it with
    00FFFFFFFFFFFFFFFF00

    0073797374656D00 <-- This occurs twice.... Replace the FIRST occurrence with
    00FFFFFFFFFFFF00
    (do not modify the second occurrence)

    Sounds like you got it all in the end though... Congrats!

    So are you still getting the SU prompt?
    Note that the second "menu0526" does install SU and copy the /data/local files - it does it at the start when it says "working..."
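A small patcher for the edit discussed in #64 to #66, written here as an added example rather than anything posted in the thread. It assumes only that the byte strings tokyo_dom quotes are the ones to look for, and it refuses to write an image whose occurrence counts differ from the ones he describes (one "/system/", two "system"), since changing the second "system" occurrence is what produced the hang at the logo.

```python
from pathlib import Path

# Byte strings quoted in the thread: NUL-delimited "/system/" and "system",
# each overwritten with 0xFF bytes of the same length (a hex edit must stay
# one-to-one in length, as asked in #64).
PATCH_SLASH_SYSTEM = (bytes.fromhex("002F73797374656D2F00"),
                      bytes.fromhex("00FFFFFFFFFFFFFFFF00"))
PATCH_SYSTEM = (bytes.fromhex("0073797374656D00"),
                bytes.fromhex("00FFFFFFFFFFFF00"))


def miyabi_state(img: bytes) -> str:
    """Classify an image as 'stock', 'patched' or 'unknown' from occurrence counts."""
    old1, new1 = PATCH_SLASH_SYSTEM
    old2, _ = PATCH_SYSTEM
    if img.count(old1) == 1 and img.count(old2) == 2:
        return "stock"
    if img.count(old1) == 0 and img.count(new1) == 1 and img.count(old2) == 1:
        return "patched"
    return "unknown"


def patch_miyabi(img: bytes) -> bytes:
    """Return a patched copy of img, or raise ValueError rather than emit a bad image."""
    if miyabi_state(img) != "stock":
        raise ValueError("image does not match the expected stock layout; refusing to patch")
    old1, new1 = PATCH_SLASH_SYSTEM
    old2, new2 = PATCH_SYSTEM
    assert len(old1) == len(new1) and len(old2) == len(new2)
    out = img.replace(old1, new1, 1)
    # Only the FIRST "system" occurrence is replaced; the second one is left
    # alone, exactly as tokyo_dom says above.
    out = out.replace(old2, new2, 1)
    assert len(out) == len(img)
    return out


def build_sample_image() -> bytes:
    """Constructed stand-in for the relevant bytes of a boot.img; not a real dump."""
    return (b"ANDROID!" + b"\x00" * 8
            + b"\x00/system/\x00" + b"\x00" * 4   # "/system/": occurs once
            + b"\x00system\x00" + b"\x00" * 4     # "system": first occurrence, replaced
            + b"\x00system\x00" + b"\x00" * 8)    # "system": second occurrence, kept


def patch_file(src: Path, dst: Path) -> str:
    """Patch src into dst (never in place, so the original survives) and report the state."""
    out = patch_miyabi(src.read_bytes())
    dst.write_bytes(out)
    return miyabi_state(out)


if __name__ == "__main__":
    sample = build_sample_image()
    print(miyabi_state(sample), "->", miyabi_state(patch_miyabi(sample)))
```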

  7. #67
    Join Date: Jun 2012 | Posts: 51 | Feedback Score: 0
    I see, so maybe then it's easier to just use the new menu, as I had to employ the workaround mentioned to get temp root on the original.

    Yes, I get the regular superuser prompt when su, so something differs from your setup - in a positive way.

    Now off to block all the unnecessary Sharp services and stuff, the phone runs unbelievably slow. I was just gonna do it via freezing from Titanium, but I've seen CLI commands to suspend Sharp services. Have you experimented with it? Is the CLI way necessary or can I just go freeze?

  8. #68
    Join Date: Jun 2012 | Posts: 51 | Feedback Score: 0
    Quote Originally Posted by tokyo_dom:
    0073797374656D00 <-- This occurs twice.... Replace the FIRST occurrence with
    00FFFFFFFFFFFF00
    (do not modify the second occurrence)
    Yep :@) That's what the page says. Though, being lazy, I didn't read past the numbers and then had the slap-the-forehead moment later on :@)

  9. #69
    Join Date: Nov 2006 | Location: Back in Japan | Posts: 908 | Device(s): NEC Medias X (N-04E) | Carrier(s): Docomo (Japan) | Feedback Score: 1 (100%)
    You should be able to just freeze them with Titanium. The CLI commands are for those who only have temporary root (achieved through "au" rather than "su")

  10. #70
    Join Date: Feb 2012 | Location: Buenos Aires | Posts: 310 | Carrier(s): Personal (Argentina) | Feedback Score: 0
    No news about a newer version of the root, or a sim-unlock?

    tokyo_dom, you mentioned before that there was someone from the 2ch forum who was working on a tool for reading and then writing to the radio portion of the NAND, but he never published it. I was wondering, if you know who he is, you could maybe send him a message and ask what happened (MAYBE he finished it but he never published it)

  11. #71
    Join Date: Nov 2006 | Location: Back in Japan | Posts: 908 | Device(s): NEC Medias X (N-04E) | Carrier(s): Docomo (Japan) | Feedback Score: 1 (100%)
    He did, and I have it. Problem is, it's a lot more complex than it first sounded.

    First issue, it ONLY works on the 005SH. The reason I can even see the radio NAND is because there is a custom kernel (i.e. Android OS) available for the 005SH which allows access to it. So even if we work out how the sim lock works on that phone, it will require a custom kernel on the 007SH (i.e. compiled from source).

    Also, I fully anticipate there being a few bricks created out of this unlocking attempt.

  12. #72
    Join Date: Feb 2012 | Location: Buenos Aires | Posts: 310 | Carrier(s): Personal (Argentina) | Feedback Score: 0
    Quote Originally Posted by tokyo_dom:
    He did, and I have it. Problem is, it's a lot more complex than it first sounded.

    First issue, it ONLY works on the 005SH. The reason I can even see the radio NAND is because there is a custom kernel (i.e. Android OS) available for the 005SH which allows access to it. So even if we work out how the sim lock works on that phone, it will require a custom kernel on the 007SH (i.e. compiled from source).

    Also, I fully anticipate there being a few bricks created out of this unlocking attempt.

    So basically now you can access the 005SH's radio and try to find the sim-lock. I have a few questions:

    1) Do you know specifically how to search for the sim-lock in the 005SH's radio?

    2) When we talk about performing root of these phones, you can always try the recovery partition first to see if it worked (if it didn't you can go back). But when talking about radio modification, is there some kind of "backup" or something you can do first? Or if something goes wrong, it automatically will equal to brick?

    3) Supposing that you know how to search for the sim-lock and that there IS some way of preventing a brick; if you find the sim-lock and manage to unlock it, will you tell us how you did it? (with the 005SH of course, because you can't see the radio on the 007SH due to the non-existence of a custom kernel)

    4) You mentioned that this tool that you've got just works for the 005SH because of the existence of a custom kernel for THAT phone. If you could tell me very briefly what "custom kernel" means, to have a very basic idea, I'd be glad.
    Anyways, I found a guide which teaches how to CREATE a custom kernel (this would be useful for someone who knows about this stuff and would like to contribute and create a 007SH custom kernel) : http://forum.xda-developers.com/show....php?t=1594875 and here's another one: http://android-dls.com/wiki/index.ph..._custom_kernel.
    Source code is needed for that, and I think that here it is for the 007SH: https://sh-dev.sharp.co.jp/android/m...dex.php?/007sh

    Here's the Source code for the 005SH (in case someone want to create a new custom kernel for that phone) :
    https://sh-dev.sharp.co.jp/android/m...dex.php?/005sh

    Here's the source code for the 003SH: https://sh-dev.sharp.co.jp/android/m...dex.php?/003sh
    Here's the source code for the 007SHJ: https://sh-dev.sharp.co.jp/android/m...ex.php?/007shj
    Here's the source code for the 007SHKT: https://sh-dev.sharp.co.jp/android/m...x.php?/007shkt


    (I don't know why there are so many 007SH source codes, if they are all supposed to be the same but with different colors)

    The custom kernel creation is something that only someone who knows about this stuff can do, not a noob like me
    I just know that the kernel is something INSIDE the rom (boot.img), right? If I'm correct, then it would be convenient to use the custom ROM (the boot.img with the root) directly for the creation of the custom kernel (so that we get a ROM with both root and a custom kernel that allows viewing the radio part of the NAND).
    Last edited by SuperSZ; 06-21-2012 at 12:30 AM.

  13. #73
    Join Date: Nov 2006 | Location: Back in Japan | Posts: 908 | Device(s): NEC Medias X (N-04E) | Carrier(s): Docomo (Japan) | Feedback Score: 1 (100%)
    1. I have no idea where the sim lock part is. I'm looking, but it all looks like machine code; impossible to read. The guys on 2ch specifically said they would only provide the tools to get the radio NAND, but that I would have to find the unlock part myself.

    2. AFAIK there is no brick protection when writing to the radio. The phone can be brought back to life using JTAG, but that involves sending it to Russia

    3. *IF* I find anything, I will be happy to report on it. Of course I think it would be fair to ask for 'donations' if I do manage to crack it, but to be honest, I don't have much hope!

    4. Basically you are on the right track. You download the 007SH kernel source (from the link you provided), and make a change in one of the source code files (kernel/arch/arm/mach-msm/nand_partitions.c)

    You could then put the kernel back in the boot.img; along with the root/disable of MIYABI and you have a custom rom which would not only allow access to the radio, have root etc, but also as side benefit, gets you to software version s0048 (since that is the latest kernel source that was released)

  14. #74
    Join Date: Feb 2012 | Location: Buenos Aires | Posts: 310 | Carrier(s): Personal (Argentina) | Feedback Score: 0
    tokyo_dom, do you think that if you create a post in the xda developers forum people will help you? Because there are a lot of experts there, and if in the 2ch forums they said that "the qualcomm NAND isn't very hard to understand" or something like that, then, if we are lucky, some expert will help us and find the sim-lock. The thing is that I don't know if you can somehow upload a copy of the radio part of the NAND, or if it is something that can't be copied (I mean, if you can access it ONLY with the phone connected to the computer). If it can be done, then you can do that, and also upload the tool you've got so that somebody else can take a look at the NAND's radio. ....

    Also, you could ask if somebody wants to help by creating a custom kernel for the 007SH; it would be nice.

  15. #75
    Join Date: Nov 2006 | Location: Back in Japan | Posts: 908 | Device(s): NEC Medias X (N-04E) | Carrier(s): Docomo (Japan) | Feedback Score: 1 (100%)
    I already put up a question on XDA. No bites yet.
