Instructions for aquiring permanent root access on the the Docomo SH-12C have been available for a while now on Japanese blogs. A while ago I asked XDA member ghostparty13 to help translate them into English. Thanks to his efforts I was able to root a friend's SH-12C. Later on I decided to review the instructions and realised the ones in the Readme.txt file were much more detailed. Below is my translation of these instructions as well as some tips. Some of ghostparty13's translation has been used.
Please perform the procedures below with caution and at your own risk. Be warned that if you reset the phone to factory settings after rooting it, it might go a boot loop! If your SH-12C goes into a boot loop, scroll to the bottom of the page and read the instructions on how to resurrect it. DO NOT FORGET TO MAKE BACKUPS!
1. Make sure ADB is installed, and you have Sharp's ADB drivers. Enable USB debugging on your phone.
2. Download the following and install but do not run:
* SHBreak4 requires a lot of RAM so you'll need to free some up. You can either kill or uninstall some apps that run all the time, for example Facebook and GoSMS (these two it's best to uninstall as they cannot be stopped). Make sure you have more than 100 MB of free RAM before you launch SHBreak4.
2.3. Download the modded boot image for the SH-12C from the "Download" button at the bottom of this page, which is what gives you the permanent root option.
3. Create a new folder called "root" (or whatever you prefer) in C:\ and unpack all archives you just downloaded in it.
Running the commands
1. Restart the device, wait until fully booted, kill any apps that are using up precious RAM, e.g. Google Play, Software Update, HDMI, Sharp IPC Service.
* Do not use your phone for anything. Actually, it might be best to turn off Wi-Fi and the radio by going into OFFLINE MODE.
2. Acquire temp root. THere are three ways you can do this:
2.1. Use SHBreak4. It might take a few seconds to start. You should see only an "EXIT" button. Tap it to close the app. Wait around 30 seconds, without touching or running ANYTHING else.
Launch SHbreak4 again. This might take even longer but not more than a minute. If nothing happens in more than one minute, exit to Home screen, tap the "Running apps" icon and close SHBreak4 --- or kill it from Settings > Applications > Running Services.
* If SHBreak4 opened, you will see a screen with several options - all should be ticked. Press the "BREAK" button (only hit it once even though it looks like it doesn’t recognise your click). After a few seconds (up to 10), a pop-up window will appear with a bunch of different info and a nice little success notification at the end. This means we’ve successfully removed the nandlock.
2.2. Use SHBreak 1.7 or 1.8 together with SHBreak4. Reboot the phone and free up RAM as above. Now launch SHBreak 1.8. During the first launch, you will see a "Break 1" and a "Break 2" button. Press either. The app will close. Wait for 3-5 seconds. Launch it again --- you will now see more options but you only need the first one, "Copy au". Hit it. The app will close. Now run SHBreak4. This time you should see the screen described above. Hit "BREAK" and you should see the Success pop-up.
2.3. Use SHBreak 1.7 or 1.8 with ISTweak. Reboot, free up RAM, and launch SHBreak 1.7 (1.8). Press "Break 1" or "Break 2". Launch again and press "Copy au". Now launch ISTweak. The first button should say "Enable SU". Press it --- the Superuser icon will appear in your Notifications bar.
NOTE: If you get "permission denied" on ADB when you type "adb shell" and then "su", if you have used either of the first two methods, you will still need to use ISTweak to enable su.
3. Backing up the boot/recovery images. It is very important to create backups!
On your PC, open a command prompt window, navigate to C:\root, then type adb shell. You will see the $ symbol. Now type
*** typing “su” should change the $ sign to # which means we have root abilities now ***
Type the following commands (line by line) and execute to make backups.
mkdir -p /mnt/sdcard/mtdbackup/
cat /dev/mtd/mtd0ro > /mnt/sdcard/mtdbackup/boot.img
cat /dev/mtd/mtd3ro > /mnt/sdcard/mtdbackup/recovery.img
# Just to make sure, we create a backup in one more way.
dd if=/dev/mtd/mtd0ro of=/mnt/sdcard/mtdbackup/boot_dd.bin
dd if=/dev/mtd/mtd3ro of=/mnt/sdcard/mtdbackup/recovery_dd.bin
# And some more backups
cat /dev/mtd/mtd2 > /mnt/sdcard/mtdbackup/mtd2.img
cat /dev/mtd/mtd4 > /mnt/sdcard/mtdbackup/mtd4.img
cat /dev/mtd/mtd7 > /mnt/sdcard/mtdbackup/mtd7.img
# We're done. Let's exit:
* This will change the cursor to $
* This will get you out of adb shell
Now let's copy the backups to your PC and check if the boot.img and recovery.img files were indeed copied correctly. Type the following into command prompt:
adb pull /mnt/sdcard/mtdbackup/boot.img
adb pull /mnt/sdcard/mtdbackup/recovery.img
adb pull /mnt/sdcard/mtdbackup/boot_dd.bin
adb pull /mnt/sdcard/mtdbackup/recovery_dd.bin
fc /b boot.img boot_dd.bin
fc /b recovery.img recovery_dd.bin
These last two ‘fc’ commands look for any differences between the .img and .bin files that we made earlier. If it says that there are differences between the files, then something went wrong. Try making the backups again and re-verifying with the ‘fc’ commands.
After verifying that the backups were done successfully don’t forget to copy the other backed up partitions to your computer for safe keeping as well (on your own time!)
4. Copying the rootkit files to the phone. For ease of access, I have copied all the necessary files directly into C:\root. If you haven't, or you don't want to, you'll need to adjust the paths respectively.
# Transfer custom ROM image to the phone:
adb push boot_rescue0910.img /mnt/sdcard/
# Create the folder on your phone to put the rootkit files in:
adb shell mkdir /data/local/bin/
# Push the files into it:
adb push nandunlockshspamp /data/local/bin/
adb push flash_image /data/local/bin/
# Change access rights to these files:
adb shell chmod 755 /data/local/bin/nandunlockshspamp
adb shell chmod 755 /data/local/bin/flash_image
# Break the NAND lock:
# You will see the following output:
addr = 0xc08a9648
Is this addr correct? (y: continue)
# NAND lock successfully broken!
5. Flashing the ROM
# First write to RECOVERY partition, check operation. If you see an "Out of memory" error, re-flash, until no errors are reported:
./flash_image recovery /mnt/sdcard/boot_rescue0910.img
* If this returns an error of the 'image not found', you'll need to mount the SD card. Type:
* and then try to flash again.
* When ready, type:
adb reboot recovery
6. Booting into RECOVERY MODE.
After typing the above command, the phone will reboot. Once you see the DOCOMO logo, if the image has been flashed correctly, a few seconds after rebooting the MENU, HOME and BACK buttons on the phone will start flashing lightly. At this point press the HOME button. If you do, then the flashing should speed up, this lets us know that we have entered recovery mode.
7. Backing up partitions that we haven’t backed up yet. Execute each of the commands below:
mkdir -p /mnt/sdcard/mtdbackup
dump_image_oob persist /mnt/sdcard/mtdbackup/mtd1_persist_oob010106.img
dump_image_oob system /mnt/sdcard/mtdbackup/mtd5_system_oob010106.img
dump_image_oob cache /mnt/sdcard/mtdbackup/mtd6_cache_oob010106.img
dump_image_oob battlog /mnt/sdcard/mtdbackup/mtd8_battlog_oob010106.img
dump_image_oob calllog /mnt/sdcard/mtdbackup/mtd9_calllog_oob010106.img
dump_image_oob ldb /mnt/sdcard/mtdbackup/mtd10_ldb_oob010106.img
dump_image_oob userdata /mnt/sdcard/mtdbackup/mtd11_data_oob010106.img
* Note that each of the backup images has 010106 in its name. This stands for your build version. If it's 01.01.04, write this instead.
Now let’s temporarily unmount the sdcard card. Type:
8. Installing su (for people who want to place su inside of /system/bin/). Execute the following:
# Remount and change permissions so that you are able to copy su
mount -o remount,rw /
chmod 777 /
# Copy su to / from Windows
mount -o remount,rw /mnt/system/
cp /mnt/data/local/bin/su /mnt/system/bin/su
# Change permissions
chown 0.0 /mnt/system/bin/su
chmod 6755 /mnt/system/bin/su
# Exit recovery and boot into normal mode
Once you’ve typed to this point the phone should leave recovery (rescue) mode and boot into Android.
9. Copying backup files to PC. On your phone's SD card there will be a folder called “mtdbackup” which contains all the backups you've made. It's a good idea to also copy it to your computer for safekeeping.
10. Installing and running the Superuser app. Type:
adb install Superuser.apk
Now your phone should have Superuser installed.
11. Flashing the custom ROM to the boot partition and restoring the recovery partition.
# Enter recovery mode again:
adb reboot recovery
*** Hit the HOME button when you first see flashing lights around the HOME, BACK, and MENU buttons and make sure you can connect via adb ***
Execute the following commands:
flash_image recovery /mnt/sdcard/mtdbackup/recovery.img
flash_image boot /mnt/data/local/boot_rescue0910.img
If the flash_image commands don’t give you any errors then you flashed successfully. If you did get errors, then keep trying the flash_image commands until it flashes without error. If the recovery.img flash keeps giving you errors, we can fix that later but definitely make sure that the boot partition is flashed to without error or else you will have successfully bricked your phone.
* If you do not want to restore the recovery partition, skip that command. There are cases where you DON'T WANT TO RESTORE IT. READ BELOW.
# For the time being, boot normally. Type the following:
Congratulations! You have sucessfully rooted your SH-12C.
You should be able to boot into recovery mode (if you need to) using the following command:
adb reboot recovery
but only if you have not restored the recovery image to its original state. Otherwise you will see a picture of a surprised droid. In this case, you'll need to use the adb reboot command --- or pull the battery. Press the HOME button to enter recovery mode.
IF YOUR SH-12C IS RUNNING BUILD VERSION 01.01.02 OR LOWER, WI-FI WILL MOST PROBABLY STOP WORKING. You will see "Error" when you try to start Wi-Fi.
In this case, flash the custom ROM image to the boot partition, start the phone (you will have root), do whatever you want to do, then reboot into recovery, and flash back the original boot.img image to the boot partition. You will lose root permissions but your Wi-Fi will work. And you will still have done whatever you've needed root permissions for.
Here's what you can do:
1. Install Link2SD and integrate all updates to built-in apps into /sysem/app. This will free up onboard memory. You can clean the Dalvik cache as well. You can also delete the huge device log build-up, located inside /data/system/dropbox and inside /data/system/usagestats.
2. Install Titanium Backup and FIRST create backups of built-in bloatware, THEN uninstall it (or just freeze/disable it).
3. Install AutoStarts and disable some of the unwanted startup items. This will free up RAM and make the phone faster.
RESURRECTING THE PHONE IN CASE OF A BOOT LOOP (after resetting to factory settings from Settings > Privacy > Reset all)
1. Power up the phone. Wait a few seconds till the buttons start flashing. Press HOME - they fill start flashing faster. You are now in recovery (rescue) mode.
2. Plug the USB cable to connect the phone to the PC. Start ADB.
You will see $. Now type
The cursor will change to #. You now have SU.
4. We assume that you have backed up both the recovery and boot partitions of the phone to the microSD. Now type:
flash_image recovery /mnt/sdcard/mtdbackup/recovery.img
If you get a "can't open" error and you are sure the folder and file exist, just change the file's permissions:
chmod 755 /mnt/sdcard/mtdbackup/recovery.img
Now do the same with the boot image:
flash_image boot /mnt/sdcard/mtdbackup/boot.img
The phone should now boot normally. You will not have root permissions. If you want them, you'll need to re-root.
Only registered, logged in and activated users can post comments!