[HOW TO] Rooting the LT25i without unlocking the bootloader (4.0.4)

Gasai Yuno

Senior Member
May 11, 2011
713
328
0
Rausu
Rooting the Xperia V: How-To.

(XDA member datagubben requested that I post this here, as per http://forum.xda-developers.com/showpost.php?p=36753824&postcount=19)

Mirrors for the files provided are welcome.

This root method is courtesy of Xperia-Freaks.org, originally developed for the Xperia AX, translated and adapted by me for the LT25i.

Supported firmware: 9.0.1.D.0.10, probably also 9.0.D.0.484.

Reportedly does not work with 9.1.A.0.489.


You will need:

TRIMMED-LT25i-SOL21_9.0.F.0.195.ftf (direct link: TRIMMED-LT25i-SOL21_9.0.F.0.195.ftf) or the original LT25i-SOL21_9.0.F.0.195.ftf. This FTF has its loader.sin replaced with the LT25i's loader.sin; the trimmed version lacks unneeded files like the baseband etc., and as such removes the unneeded wipe/exclude options, leaving only the three files we actually need.

An LT25i FTF of your choice.

The rootkit (this one is "translated" and edited for convenience; do NOT use regular GX/SX rootkits blindly, as they require modification).

Make a backup using the stock Backup and Restore app, so that you can perform a factory reset if something goes wrong.

Once rooted, you can safely restore from that backup.

1. Power the phone up in Flashmode (hold Volume down; connect USB). Using Flashtool, flash TRIMMED-LT25i-SOL21_9.0.F.0.195.ftf (or the untrimmed version if you like fiddling with excess checkboxes) using:
kernel.sin
loader.sin
system.sin

(Remember to uncheck the wipe options!)

2. Unplug USB. Turn the phone on. Enable USB debugging if it wasn't enabled previously. Connect the phone via USB again.

3. Unpack the Rootkit and start it (run install.bat). Confirm restore of the backup as requested, and press any key in the cmd window. Press any key again; the device will reboot (twice).

4. Run adb shell. To do it, you can open the rootkit folder in Windows Explorer, and shift-Right Click the "files" folder inside it. Choose "Open command window here". Type "adb shell" in that window.

If you're presented with a prompt that ends with "$", type "su".

The prompt should end with "#" now.

Type "echo ro.kernel.qemu=1 > /data/local.prop" and check if the file was created successfully by typing "ls -l /data/local.prop": below you will find an example of what the output looks like.

Code:
C:\Software\Rootkit\files\> adb shell
[email protected]:/ $ su
su
[email protected]:/ # echo ro.kernel.qemu=1 > /data/local.prop
echo ro.kernel.qemu=1 > /data/local.prop
[email protected]:/ # ls -l /data/local.prop
ls -l /data/local.prop
-rw-r--r-- system   system         17 2013-01-15 17:29 local.prop
[email protected]:/ #

5. Turn the phone off, and connect it in Flashmode again. Using Flashtool, flash your firmware of choice with:
loader.sin
system.sin

(Remember to uncheck the wipe options!)

6. Turn the phone on. Open a command prompt into the files subfolder of the rootkit folder, like in step 4, or return to that window if you haven't closed it.

Type "adb shell". If you get a $ prompt, try "su" to get to "#". Once in the adb shell, type "/data/local/tmp/step2.sh", then "reboot". The phone will reboot.

When it boots back, run adb shell again, and type "/data/local/tmp/step3.sh". You'll witness another reboot or maybe two. You should be rooted now.

Code:
C:\Software\Rootkit\files\> adb shell

[email protected]:/ # /data/local/tmp/step2.sh
/data/local/tmp/step2.sh
0+1 records in
0+1 records out
57 bytes transferred in 0.001 secs (57000 bytes/sec)
[email protected]:/ # reboot

C:\Software\Rootkit\files\> adb shell

[email protected]:/ # data/local/tmp/step3.sh
data/local/tmp/step3.sh
43+1 records in
43+1 records out
22364 bytes transferred in 0.002 secs (11182000 bytes/sec)
1647+1 records in
1647+1 records out
843503 bytes transferred in 0.123 secs (6857747 bytes/sec)
2119+1 records in
2119+1 records out
1085140 bytes transferred in 0.089 secs (12192584 bytes/sec)

7. Turn the phone off, and connect it in Flashmode again. Using Flashtool, flash your firmware of choice with:
kernel.sin
loader.sin

(Remember to uncheck the wipe options!)

Do NOT skip this step: you need the LT25i kernel on your LT25i system!

8. Let's finish.

We will need adb shell once again. This time, you will need to type a few lines as follows:

Obtain root:
su

Remount /system:
mount -o remount,rw -t ext4 /dev/block/mmcblk0p12 /system

Remove /data/local.prop, since it's a security hole. This is important and is normally done by the rootkit's step 3, but we needed to keep the file in order to retain root access on our LT25i firmware:
rm /data/local.prop

And finally reboot:
reboot

Code:
G:\Android\LT25i\rootkitGXSX_v3\files>adb shell
[email protected]:/ $ su
su
[email protected]:/ # mount -o remount,rw -t ext4 /dev/block/mmcblk0p12 /system
mount -o remount,rw -t ext4 /dev/block/mmcblk0p12 /system
[email protected]:/ # rm /data/local.prop
rm /data/local.prop
[email protected]:/ # reboot
reboot

Done. You now have busybox, Superuser and su on your stock LT25i firmware.

Remember to clean up those pesky au apps.
 
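
The how-to above hinges on one line, ro.kernel.qemu=1, being present in /data/local.prop at boot (steps 4 and 6) and absent again at the end (step 8). The following Python model is an added illustration for this thread; it is not code from the post, from Xperia-Freaks.org or from the rootkit. It re-implements the two decisions that matter: how Android 4.0's init loads property files (build.prop first, then the /data/local.prop override, with ro.* values that already exist never being overwritten) and how adbd decides whether to drop from uid 0 to the shell user. Both follow the AOSP 4.0 sources (init/property_service.c and adb/adb.c) as I understand them. It goes beyond the post in two ways, both marked in the code: it shows why the trick fails if the build already pins ro.kernel.qemu, and the android_41 flag models, as an assumption, the Jelly Bean init change that only reads /data/local.prop when ro.debuggable=1. The property excerpt is constructed, not dumped from an LT25i.

```python
"""Why 'ro.kernel.qemu=1' in /data/local.prop yields a root adb shell on 4.0,
and why deleting the file afterwards (step 8) closes the hole again.

Added example, not code from the thread. Models AOSP 4.0 init property
loading and adbd's privilege-drop rule; the 4.1 ro.debuggable gate is an
assumption stated in boot_properties().
"""
from typing import Dict, Optional

# Constructed sample of a production build's read-only properties, modelled
# on what a stock ICS /default.prop and /system/build.prop carry (assumption).
STOCK_RO_PROPS = """
# constructed example, not a dump from an LT25i
ro.secure=1
ro.debuggable=0
ro.build.version.release=4.0.4
"""


def local_prop_bytes() -> bytes:
    """Exactly what 'echo ro.kernel.qemu=1 > /data/local.prop' writes: the
    16-character line plus a newline, i.e. the 17 bytes ls -l shows in step 4."""
    return b"ro.kernel.qemu=1\n"


def load_properties(text: str, props: Dict[str, str]) -> Dict[str, str]:
    """Approximates init's load_properties(): blank lines and '#' comments are
    skipped, whitespace around key and value is trimmed, and a 'ro.' property
    that already exists is never modified (property_set() returns -1 for it).
    That immutability is why build.prop is loaded before /data/local.prop."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("ro.") and key in props:
            continue  # ro.* may never change once set
        props[key] = value
    return props


def boot_properties(ro_props: str, local_prop: Optional[str],
                    android_41: bool = False) -> Dict[str, str]:
    """Replay the load order of start_property_service(): the build's own
    property files first, then the /data/local.prop override if the file
    exists. android_41=True models (assumption) the Jelly Bean change that
    ignores the override unless ro.debuggable=1."""
    props: Dict[str, str] = {}
    load_properties(ro_props, props)
    if local_prop is not None:
        if not android_41 or props.get("ro.debuggable") == "1":
            load_properties(local_prop, props)
    return props


def adbd_runs_as_root(props: Dict[str, str]) -> bool:
    """adbd's 'secure' decision from 4.0 adb.c: it keeps uid 0 unless it must
    drop to the shell user. ro.kernel.qemu=1 means 'I am the emulator', so no
    drop happens at all; that is the whole trick."""
    if props.get("ro.kernel.qemu") == "1":
        return True
    if props.get("ro.secure", "1") != "1":
        return True  # ro.secure=0 builds never drop privileges
    # userdebug builds may re-enable root via 'adb root' (service.adb.root)
    return (props.get("ro.debuggable") == "1"
            and props.get("service.adb.root") == "1")


def demo() -> Dict[str, bool]:
    """Walk the states of the how-to and report whether adbd keeps uid 0."""
    override = local_prop_bytes().decode()
    return {
        # stock LT25i firmware, no /data/local.prop
        "stock": adbd_runs_as_root(boot_properties(STOCK_RO_PROPS, None)),
        # after step 4: the override file exists
        "with_local_prop": adbd_runs_as_root(
            boot_properties(STOCK_RO_PROPS, override)),
        # after step 8: rm /data/local.prop, the hole is closed again
        "after_rm_local_prop": adbd_runs_as_root(
            boot_properties(STOCK_RO_PROPS, None)),
        # beyond the post: a build that already pins ro.kernel.qemu refuses
        # the override because ro.* is immutable once set
        "already_pinned": adbd_runs_as_root(
            boot_properties(STOCK_RO_PROPS + "ro.kernel.qemu=0\n", override)),
        # beyond the post: 4.1-style init ignores the file on a non-debuggable build
        "jelly_bean_model": adbd_runs_as_root(
            boot_properties(STOCK_RO_PROPS, override, android_41=True)),
    }


if __name__ == "__main__":
    for state, is_root in demo().items():
        print(f"{state:22s} adbd as root: {is_root}")
```

The "already_pinned" case is the check worth running before attempting this on other firmware: if `grep ro.kernel.qemu /system/build.prop /default.prop` finds the key, the override in /data/local.prop is silently ignored and step 6 will never give a root shell.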

datagubben

Senior Member
Nov 25, 2010
1,410
504
0
Landskrona
I did some n00b experiments:

First I flashed kernel.sin, system.sin and loader.sin from the VL firmware (Japan) above, then Bin4ry for root (OK), and then back to the V kernel with system.sin again, but I lost root of course :crying:

Anyway, the first post is working, but I get reboots when deleting something from system/apps/. Any fix?
 

Gasai Yuno

Senior Member
May 11, 2011
713
328
0
Rausu
First I flashed kernel.sin, system.sin and loader.sin from the VL firmware (Japan) above, then Bin4ry for root (OK), and then back to the V kernel with system.sin again, but I lost root of course

Anyway, the first post is working, but I get reboots when deleting something from system/apps/. Any fix?
Using the Bin4ry approach should be possible, since as far as I know it's the exact same backup/restore timing exploit; you probably need to recreate /data/local.prop before flashing the V's system.sin, though. Or do you mean reducing the number of flashing operations to 2? That won't work: we need to regain root on the V's system to get it to enable the adb root shell with the V's kernel.

If you delete something from /system/app and the phone starts rebooting, it means you just deleted a part of the Timescape framework, I'd presume?
 

Gasai Yuno

Senior Member
May 11, 2011
713
328
0
Rausu
Aaron_035, this means you did not obtain root during previous steps.

Did you verify that /data/local.prop was successfully created during step 4?
 

sunny7day

Senior Member
Oct 10, 2007
68
14
0
I just got the HK firmware and finished all the steps in the first post; now I am rooted.
Yes, it is rooted, but it left a lot of unwanted au Japanese software on my phone.
It should be noted in the first line of the first post of this thread.
But thank you anyway.

So, I have to wipe and re-flash my stock HK firmware.
Is there any other way to root my Xperia V without flashing other firmware?
 

Gasai Yuno

Senior Member
May 11, 2011
713
328
0
Rausu
If you did everything according to the howto I posted, you would be running your stock HK firmware, rooted.

All those au apps left after flashing back the stock LT25i firmware can be easily uninstalled. They're in /data/app, not in /system/app.

And, quoting the last line from the howto I posted,
Remember to clean up those pesky au apps.
Is there any other way to root my Xperia V without flashing other firmware?
You're welcome to find one and share it with us. Believe me, I'd rather do something simple than bother with all this reflashing and app removal.

Also, if you really want it simple, unlock your bootloader already.
 

datagubben

Senior Member
Nov 25, 2010
1,410
504
0
Landskrona
If you did everything according to the howto I posted, you would be running your stock HK firmware, rooted.

All those au apps left after flashing back the stock LT25i firmware can be easily uninstalled. They're in /data/app, not in /system/app.

And, quoting the last line from the howto I posted,

You're welcome to find one and share it with us. Believe me, I'd rather do something simple than bother with all this reflashing and app removal.

Also, if you really want it simple, unlock your bootloader already.
First of all, thanks for doing the tutorial for us with locked bootloader. :good: :highfive:

a) But you need an FTF file in order to flash back the original kernel, and HK is not available as a download here on XDA yet (if you don't make it yourself).

b) Not everybody has a PhD in translation, and "pesky" is rarely used by the less educated, at least in my case.

c) I have an app_log.sin that bothers me, when trying to flash back the LT25i kernel and system, does it matter?

d) Will this work when we get Jelly Bean?

P.S. Watashi wa Tokyo no Yukigaya-Otsuka de sunde imashita. Boku no okusan wa nihonjin deshita. Demo owari desu :crying: (I lived in Yukigaya-Otsuka, Tokyo. My wife was Japanese. But it's over now.)

P.S. P.S. The language filter on XDA removed S and H and I and T. WTF!
 

gregbradley

Retired Forum Moderator
First of all, thanks for doing the tutorial for us with locked bootloader. :good: :highfive:

a) But you need a ftf-file in order to flash back the original kernel and HK is not available as a download here on XDA yet (If you don't do it yourself).
And if you do please PLEASE share it as we could do with it here
b) Not everybody has a Ph.d in translation and "pesky" is rarely used by less educated, at least in my case.
Not a Scooby Doo fan then?
c) I have an app_log.sin that bothers me, when trying to flash back the LT25i kernel and system, does it matter?

d) Will this work when we get Jelly Bean?
There is no way to know until it lands on our devices. Sony can (and do) monitor what we do on this forum and, although they are quite dev friendly, do find ways to fix the loopholes we exploit to get root access. They want us only to get that via an official unlocking from their site. You can't blame them for that; they are a big company and have lots of ways of losing contracts if they can't secure their system.

But you can bet your bottom dollar that if they close that exploit, we will find another way ;)
P.S. Watashi wa Tokyo no Yukigaya-Otsuka de sunde imashita. Boku no okusan wa nihonjin deshita. Demo owari desu :crying: (I lived in Yukigaya-Otsuka, Tokyo. My wife was Japanese. But it's over now.)
I know this is a personal message, but the rules state this is an English-speaking forum. You can post in other languages, but an English translation is always required. (I know you don't need this next bit, but...) Please use Google Translate if you have trouble getting an English translation.
P.S. P.S. The language filter on XDA removed S and H and I and T. WTF!
lol!
 

gregbradley

Retired Forum Moderator
I can only post the ftf.firmware from operators in Nordic/Sweden:
http://www.swedroid.se/forum/showthread.php?t=86895
I meant the other guy, in response to your post about making his own ftf, if he does, he should post it and share
What about "app_log.sin", does it matter? Cause it is flashed together with the Kernel.sin and system.sin
not sure
I don't watch Scooby Doo.
Google it and watch; it's a classic kids' cartoon with a classic catchphrase of "I would have got clean away with it, if it wasn't for you PESKY kids!"
I speak Japanese, and I said "I lived in Tokyo but not now".
thanks
I gathered that :)
 

Gasai Yuno

Senior Member
May 11, 2011
713
328
0
Rausu
c) I have an app_log.sin that bothers me, when trying to flash back the LT25i kernel and system, does it matter?

d) Will this work when we get Jelly Bean?
c) Make a copy of your stock FTF file. Open the copy in Total Commander or 7-Zip. Delete everything except the manifest, loader.sin, kernel.sin and system.sin. No more app_log.sin appearing in Flashtool, yay!

d) Depends on two factors.

First, if the 4.1 update replaces the keys used to sign .sin files, removing compatibility with older firmware, this approach will be unavailable. This is what Motorola did with the DROID 2/X/2 GLOBAL.

Second, provided they don't replace the bootloader, and we can still flash back to 4.0: whether we will be able to retain root during firmware update (via OTA RootKeeper or whatever else exists).

As for the language filter, use Kunrei romaji (you know, the system where you use “si” instead of “shi” for し and “ti” instead of “chi” for ち) to work around it.
 