Community

Obtaining (pre-)root access in Jelly Bean (firmware builds 6.2.A.0.400 and 6.2.A.1.100) without unlocking the bootloader

Update: I've fixed the updater-script issue that was breaking all connectivity. You can read on now.

Before you start, please take some time to consider this for your own benefit. As the reader, I feel you should have the right to know all this. I urge you to read this through section at least once, even if you have rooted before and think you already know all that there is about rooting.

Root access grants great power, but also brings with it great risks and responsibilities. Responsibilities that directly impact yourself, and potentially others as well. Why?
Obviously, the first thing that comes to mind is premature hardware failure due to overly aggressive tweaks (i.e. bricking due to aggressive overclocking). Yes, that's certainly possible if one is reckless, but that's just but one amongst the myriad of other ways that you can potentially get into trouble. Contrary to what one might think, the risks aren't over even after you complete the rooting process successfully - if anything, you've just made it possible to royally screw yourself over in a single step. But I'm talking about much more severe consequences. You're likely wondering, what could possibly be more severe than a catastrophic failure that turns one's phone into an elegantly designed brick that warranty won't even cover?
Unlike your computer, your phone is essentially an important communications device that contains a wealth of important information, information that malicious individuals want for (their own) financial gains. Said individuals will stop at nothing to achieve their goals, and granting yourself root access to your phone makes you much more vulnerable.
Ever noticed how Android always prompts you with a list of permissions required by the app you're installing when seeking your approval? There's a reason for it - the principle of least privilege. If every single app out there had access to your contacts list, your IMEI number, your phone number, along with all the other details that can be used against / to uniquely identify you, then Android would be the most insecure platform ever. But it's not. By granting yourself (and apps) root access, that's exactly what you're getting into.
With root access, any app can do virtually anything. Root access allows an app to break out of the protective (and figurative) cage it is placed into by Android for security (the sandbox) and wreak havoc if it wants to - and you can't stop it once unleashed. They can spy on you without your knowledge, they can steal all the info in your phone, they can even lock you out of your own phone. Yes, root access regulation apps (e.g. Superuser) exist to mitigate that by seeking your approval whenever any app requests for elevated / root privileges. The flaw here is that these apps cannot control what an app actually does using root privileges. Instead, all they (the root access regulation apps) do is merely to grant / deny its request for them, depending on what you choose. That's all. No further safeguards, nothing whatsoever. And to further compound the issue, these apps have absolutely no idea why the app is requesting root access and what it's even needed for, so they look to you for advice on what to do. But if you're none the wiser, then there is clearly a major issue at hand. As a rule of thumb, never grant any app root access until you are certain you know why it's needed, and what it's doing with those privileges. With root access, you only have one chance, just one life. If you're compromised by even a single app, then it's game over. Granting a maliciously crafted app root access is surely the end of your safety and security, and nothing less. Given root access and the right conditions, an attacker can take over your device and track your each and every move without you even knowing it. More details on this are available in this article, I strongly recommend it.
So how does this affect others around you? Stop for a moment to recall those who are stored on your list of contacts. If your phone is maliciously compromised, then their details - names, phone numbers, email addresses, etc. - are likely stolen and transmitted before you can do anything about it. Stolen right under your nose, through your grasp. And thanks to you, they now have to deal with unsolicited international calls, harassment calls and SMSes from telemarketers, and spam messages in their inboxes. Aren't you such an awesome friend? That's not exactly fair to them, is it?

[/EndCautionNote]

"Shut up about all that already - I have no need to know! Stop trying to scare me, and quit lecturing me already, sheesh!";
"I know what I'm getting into.";
"Now just tell me how I can do it!"

I sure hope so too. Please note that you're doing this at your own risk. By performing the following steps, your warranty may be void. Proceed on to learn how to obtain root access for your phone.

I recommend reading through everything at least once before doing anything to get at least a rough idea of how things work. If you can spare the time, use it to understand the procedure and how everything fits together - doing so makes it much quicker and easier for you to deal with unexpected problems if any appear, yours truly can attest to that fact. If you're in a hurry or have a lack of time, take my advice and postpone this until you are able to get a continuous block of spare time. If you're rushing, the chances of you missing steps and screwing everything up is very high, so don't take that risk. However, if you have a lack of patience... I'm sorry, I can't help you there. It's terminal.

Annotations have been embedded within the following sections in order to avoid disrupting the flow of the instructions, and to improve readability. Annotations are of the form ∗n, where n represents an index corresponding to an entry in the Explanation and rationale section further below. Annotations marked in red are of importance, please pay special attention to them.

Although this guide is primarily targeted at the Xperia go, it can also be used with the Xperia P.

Prerequisites:
Please do not proceed to perform the procedure until all of the following requirements are met.

• Your phone, with at least 85% battery charge (full charge preferred)*¹
  • Unlocking the bootloader is not required and not recommended*²
• Your own*³ 6.2.A.0.400 or 6.2.A.1.100 firmware for your phone model, converted to an FTF form (do this first before proceeding, if you haven't already done so)
  • If you do not know how to do this, please read this post
• 6.1.1.B.1.10 (Xperia go) / 6.1.B.0.599 (Xperia P) firmware in FTF form (Ice Cream Sandwich firmware)*⁴ *⁵
• Flashtool 0.9.10.1, available here
• Root with Restore by Bin4ry, available here
  • For reference's sake, I used version 30 of the toolkit
• ClockworkMod Recovery 6.0.1.2 for Locked Bootloader (by atis112)*⁶
  • Xperia go version
  • Xperia P version
• CWM-compatible .zip to store the (JB) system files to be flashed. I've prepared one here. Mirror 1 • Mirror 2 • SHA-1 hash: 8AFFA81FF161DF20C05C638E0C4CC4BD7E06FC83
  • I am using an open source version of the Superuser app and its accompanying su binary that enforces a 3 second delay each time before the Allow button can be pressed.
    If this is not desirable, please download this version instead, but also note that its safety and security cannot be guaranteed as it is not open source (as far as I can tell; feel free to correct me if I'm mistaken). Alternate Variant Mirror 1 • Alternate Variant Mirror 2 • SHA-1 hash: 923388B7E31E492E920B1E00F218F08D844F1757
  • Please note that you cannot simply use this file as-is, you must copy in the JB system files yourself first, instructions are provided below
• Android ICS/JB EXT4 imagefile unpacker, available here
• 7-Zip (freeware), WinRAR, or an equivalent file archival tool
• A computer running Windows XP / Vista / 7
  • I do not have Windows 8, nor do I own a Mac, nor have I tested this on Linux so your mileage may vary on those operating systems. If you're going to try it regardless, you're on your own
• At least 3 GB of hard disk space
• Several hours to spare, preferably more just in case the unthinkable happens and you find yourself in troubleshooting mode

Procedure:
Please do not perform this procedure until all of the above requirements have been met.

Preparation phase:

1. Open up the .ftf file of the JB firmware using 7-Zip, WinRAR, or any equivalent file archival tool

2. Extract system.sin and use Flashtool to extract its contents:

1. Open Flashtool and go to Tools → Sin Editor and open system.sin
2. Click on the Dump data button. Two new files will be created in the same folder, system.ext4 and system.partinfo

3. Extract ext4_unpacker_exe.zip and run ext4_unpacker.exe, then open system.ext4

4. Select all the items listed, then right-click → Extract and extract them into a new folder. You can delete system.sin, system.ext4 and system.partinfo if you are running low on hard disk space at this point, but first ensure that the extraction has completed

5. If you're using either variant of my jb_system.zip I provided above, then all you have to do will be simply to copy all the folders inside the system folder of jb_system.zip (guide image) - my updater-script takes care of everything else for you, inclusive of the rooting process. The compression level doesn't matter - I used Ultra with no issues. Just make sure the compression method is set to Deflate (and nothing else!). Check the size of your jb_system.zip, it should be about 586 MB or more. Otherwise you're not doing something right, retry it again

6. That's it - you're all set. Proceed on to the next phase below

Flashing phase:
If you have not performed the steps listed in the Preparation phase above, please do so first. At this point, if you're one of those who are (still) expecting to flash the unmodified jb_system.zip, you're missing out some vital steps - stop here right now and go back to do those steps first!

0. You will lose everything on your phone, so back it up before proceeding. Also disconnect your phone from your computer, turn it off, remove both the SIM and microSD cards and ensure that the USB cable is plugged into the phone's port (but with the larger rectangular end disconnected at this point in time) before proceeding to the next step

1. Flash the phone back to ICS with either firmware build 6.1.1.B.1.10 or 6.1.1.B.1.54, depending on which you have with you (6.1.1.B.1.10 preferred if the full firmware is available):*⁵

1. Open Flashtool and click on the large button with a lightning bolt icon
2. Select Flashmode and click on OK
3. Select the .ftf containing the complete ICS firmware (i.e. not just the kernel), then tick the boxes labeled Exclude TA*⁷ and No final verification. Also ensure that the options grouped in the Wipe: section are ticked as well
4. Click on the OK button and when prompted to, press and hold the volume down button and connect the loose end of the USB cable to the computer. Release the button when the phone's LED turns yellowish-green (similar to this color) or it will abort and enter charging mode instead
5. Allow Flashtool to flash the firmware into the phone's memory and disconnect the phone only when prompted to do so*⁸

2. If firmware build 6.1.1.B.1.54 is flashed, then the kernel needs to be flashed back to 6.1.1.B.1.10 in order for the rooting process later on to function correctly. Otherwise, skip this step (and all substeps)

1. If the phone is already turned off, leave it off. Otherwise, shut it down (you simply couldn't resist, couldn't you?). Leave one end of the USB cable connected to the phone in the same manner as above (step 0)
2. Open Flashtool and click on the large button with a lightning bolt icon
3. Select Flashmode and click on OK
4. Select the .ftf containing the .10 kernel, then tick the No final verification box (and the Exclude TA box, if present)
5. Click on the 'OK' button and when prompted to, press and hold the volume down button and connect the loose end of the USB cable to the computer. Release the button when the phone's LED turns yellowish-green or it will abort and enter charging mode instead
6. Allow Flashtool to flash the kernel into the phone's memory and disconnect the phone only when prompted to do so*⁸

3. Power up the phone and allow it to boot into ICS, then go to Settings → Developer Options and tick USB debugging. Connect the phone to the computer

4. Extract Bin4ry's rooting toolkit into a new folder, then execute RunMe.bat and enter 1 when prompted to make a selection

5. Follow the provided instructions to root the phone, then verify that it has been rooted by opening the apps tray and searching for an app called Superuser*⁹

6. Extract cwm-1.0-lotus.zip into a new folder and execute install.bat to install ClockworkMod recovery*⁶

7. Copy the resultant jb_system.zip from the earlier procedure into the root directory of the phone's internal memory. An external microSD card is not required

8. Power off the phone and turn it back on again, pressing the volume down button repeatedly on the Sony logo until CWM appears. Merely holding the button down does not trigger it

9. Using the volume buttons to navigate and the power button to select, mount system, data and cache:

1. Navigate to mounts and storage
2. Select mount /system and mount /data (and mount /cache if it is not mounted)

10. Select the option to wipe data/factory reset

11. Select jb_system.zip and flash it in. The process will take approximately 2-5 minutes:

1. Navigate to install zip from sdcard
2. Select choose zip from sdcard
3. Select jb_system.zip

12. Upon completion, hold down both the power and volume up buttons simultaneously until three vibrations are felt to force the phone to shut down*¹⁰

13. Flash the Jelly Bean kernel into the phone:

1. Leave the phone off, then follow all the substeps of step 2, but this time select the .ftf containing the JB firmware and tick Exclude system (pay special attention to this one, or you'd have gone through all of the above for nothing!) and Exclude TA for step 2.4 (guide image).
   This will flash the following into the phone:
   • loader.sin
   • partition-image.sin
   • kernel.sin
   • fotakernel.sin
   • modemfs.sin
   • prcmu.sin
   • modem.sin
   • apps_log.sin
   • userdata.sin
   • cache.sin

14. Upon completion, start the phone and allow it to boot up. You may see a pop up with two large buttons labeled POWER OFF and Use phone, simply click on Use phone and proceed on your merry way. It is normal for apps to force close on the initial boot, a restart will resolve the issue*¹¹

15. Check for the presence of the Superuser app, the phone has successfully been rooted if it is present

Explanation and rationale:
Reading this section in the form it is presented here is likely to be confusing, please read the above procedure first and follow the embedded annotations to their corresponding explanations here.
∗1: This is required because the phone does not accept any charge through the USB port during the flashing and initial bootup phases. A power failure at any point within these phases could potentially be catastrophic.
∗2: What's all this fuss about unlocking the bootloader, anyway? What's the deal, why are you placing so much emphasis on it? Unlocking the bootloader makes irreversible changes to your phone, voids your warranty, and irreversibly disables certain software based features such as Mobile BRAVIA Engine and TrackID. It also prevents Sony PC Companion and Sony Update Service from recognizing your phone, so you can no longer use them. Relocking the bootloader is possible, but it does not restore use of the software features (i.e. Mobile BRAVIA Engine will still remain disabled). More details are available here (the lower half of the linked post) and here.
∗3: It is strongly recommended that you first make a backup of your own carrier customized firmware that is provided by Sony PC Companion / Sony Update Service for three reasons:

1. You have no way of telling if the firmware you downloaded elsewhere is actually safe or if it has been maliciously tainted (they are typically safe, but you might just get (un)lucky and hit the worst lottery ever);
2. Your SI number changes depending on the locale of the firmware you flash. If you are sending your phone in for servicing and the SI number reported by the phone's firmware differs from your actual phone's SI number (printed on its label), you might get some unnecessary trouble if tech support decides to check for whatever reason (and since you don't have root access, you can't fix it up either!);
3. You can use this firmware as a base to create your own trusted, pre-rooted firmware. With root access, you can easily throw out all bloatware on your own anyway. ↓↓↓

Even if the Jelly Bean update is not yet available in your locale, you should still make a backup of the latest firmware downloaded by Sony PC Companion / Sony Update Service (presumably ICS) so you can flash that back should you need to send your phone in for servicing.
∗4: If the full firmware cannot be obtained, then at least an FTF containing the 6.1.1.B.1.10 kernel AND the FULL 6.1.1.B.1.54 firmware must be acquired before proceeding (those listed are for the Xperia go, Xperia P users should use at least the 6.1.B.0.599 kernel AND a full version of the ICS firmware for their device). This is an integral requirement; do not proceed until this is satisfied. You can obtain the firmware from these threads: 6.1.1.B.1.10 full by Nabeel (Xperia go) • 6.1.1.B.1.54 full by xfahim (Xperia go) • 6.1.1.B.1.10 kernel by xfahim (Xperia go; search for .10 Kernel)
The same applies to the Xperia P, but you should use the 6.1.B.0.599 kernel instead (available here), and a full version of the ICS firmware for your device (it should be obvious, but do not flash an Xperia go image if you are an Xperia P user). 6.1.1.B.1.54 and 6.1.B.0.544 by Nabeel (Xperia P)
∗5: But what in the world does this have to do with ICS? Why is it necessary to flash an older firmware to gain root access on Jelly Bean? This doesn't make any sense! Here's why: Since there is currently no known way of obtaining root access through one-click methods on the Jelly Bean firmware, an alternate technique must be taken. This technique involves modifying the Jelly Bean firmware to embed the Superuser app and its accompanying su binary, then flashing that modified firmware into the phone. This is known as pre-rooting. By flashing back to ICS, we return to the phone a version of the firmware which has a known weakness. With the help of a rooting toolkit (in this case, provided by Bin4ry), we exploit that weakness to obtain root access, which in turn allows us to install ClockworkMod recovery (more on this later).
∗6: This is a special version of the ClockworkMod recovery that piggybacks off the charging subsystem, so it is not necessary to unlock the bootloader. For pre-rooting, the flashing procedure has two parts - first for the system, and another for the kernel (and baseband, but don't worry about that for now). In essence, what we're trying to achieve is to flash the modified system image into the phone. Yes, I know what you're wondering - why all these steps? Why does it have to be so complicated? Can't we just modify the system image and use Flashtool to flash it back in? I sure wish it was that easy, then I wouldn't have to spend so many hours writing this guide (hat tip here to all others involved; see credits below). As far as I know, modifying the system image in its raw form (.sin file) prevents it from being flashed into the phone, or prevents the phone from booting. Hence, we jump through a series of flaming hoops have to go back to ICS, root it, install CWM, use CWM to flash our modified system image, power off, use Flashtool to flash the remaining parts (kernel and baseband). Sounds like fun, eh?
∗7: It is of critical importance that you ensure that Exclude TA is always ticked. Failure to do so could prevent your phone from recognizing your SIM card!
∗8: If Flashtool aborts without flashing the phone, claiming that:

19/050/2013 01:50:24 - INFO - Device disconnected

then you should reinstall the drivers inside Flashtool's drivers folder, ticking the options that correspond to Xperia P, Xperia U, and Xperia sola drivers and Flashmode Drivers. If that does not resolve the issue, your downloaded firmware may be corrupted.
∗9: This is a critical requirement. If the Superuser app is not present, rooting has failed. Please ensure that you have flashed at least the 6.1.1.B.1.10 kernel - it's mandatory to obtain root access. Flash it and try running the rooting toolkit again.
∗10: At this point, CWM is lost as soon as the phone shuts down or restarts. This is because CWM resides inside the /system partition, and that has been completely overwritten in step 11 above. But if that's the case, how is it still working fine? It's still functional because the CWM you interact with is a copy that is currently stored in RAM. As soon as you shut down or restart the phone, that copy is lost. If you want CWM back, you can simply reinstall it again after booting into JB since you already have root access.
∗11: The random crashing is likely due to the dalvik cache being cleared. Restarting the phone will allow Android to rebuild it, after which all apps will function normally again.

Disaster recovery:
"OMGWTFBBQ!!!!!!! WTAF HAPPENED, YOU MURDERED MY PHONE???????????!!!!! OMFG YOU ARE A #@$%ING MONSTER!!!!!"
(Seriously, some of you out there should give your punctuation keys a break because honestly, spamming them isn't going to get you taken seriously. ↑↑↑ is what you look like when you do that. Ugly and childish, don't you think?)

Calm down and keep your cool - panicking and acting like a child isn't going to solve your situation. What you should be doing instead should be to read through the steps again and try to figure out what went wrong. Perhaps it's a step you missed by accident, or a step you didn't comply with.

If your phone is bootlooping (i.e. restarting continuously), save its battery power - force it to shut off by pressing and holding the volume up and power buttons simultaneously until three vibrations are felt. It's probably pointless to start the phone up at this point anyway, so either flash ICS again and retry, or - if you're running out of time and you need your phone in a functional state - flash in your stock firmware backup (see how handy it is now?).

Unless you do something exceedingly dumb that I don't even dare to imagine, it's unlikely that you will permanently damage your phone. At worst, you can simply flash in the stock firmware and try again some other time.

Credits:

• Sony: For releasing the Jelly Bean update. Yes, it was undoubtedly late. But that's still better than never, because the NovaThor U8500 is apparently a royal PITA to work with without proper documentation. So - like it or not - the official release of JB has saved the community some hassle.
• percy_g2: For his guide here. Give your thanks there.
• Androxyde: For his versatile Flashtool utility. Give your thanks here.
• Bin4ry: For his handy rooting toolkit. Give your thanks here.
• atis112: For his version of ClockworkMod recovery for locked bootloaders. Give your thanks here.
• xfahim: For his guide on rooting the ICS firmware here.
• Nabeel: For hosting and maintaining all the different variants of firmware and making them publicly available here.
• Bahurs1: For making me guide him through the rooting process, which essentially laid down the foundation for this lengthy post.    Give your thanks here. If you're feeing generous, I'm also in that thread, with the same name I have here.

Well, that's all there is. How this post ended up this long, I have no idea either. Anyway, that's several continuous hours - I lost count halfway - I've spent typing and reading through all this already, so hopefully it's of some use to you, the reader.

Edit:

LOL wow, this post is 10 pages long in PDF view, what have I done!