Current status of Locked Bootloader root for E6653 - Xperia Z5 Q&A, Help & Troubleshooting

Hi guys,
Just wondering if anyone has an update on the availability or possibility of root for LB Xperia Z5s on Marshmallow?
Also, can I assume that because root is not available on Marshmallow, then it will be equally unavailable on Nougat?
Just a quick thought for the more technically minded - Would it not be possible to deconstruct a valid stock .ftf file and insert a modified kernel, allowing root, before recompiling it and flashing it? I know the locked bootloader stops us from flashing a custom kernel, but is there no way to spoof an .ftf file into using a modified kernel?
Sorry for the n00bish questions, just wondering aloud.
Cheers!

As far as I know you need to disable some security settings in the kernel to have permanent root access. But a locked bootloader won't let the system boot with this modified kernel.
I don't think a method for root without unlocking the bootloader will appear in the near future.

Nope. No root without unlocking the BL, as far as I am informed.

ianrobbie said:
Hi guys,
Just wondering if anyone has an update on the availability or possibility of root for LB Xperia Z5s on Marshmallow?
Also, can I assume that because root is not available on Marshmallow, then it will be equally unavailable on Nougat?
Just a quick thought for the more technically minded - Would it not be possible to deconstruct a valid stock .ftf file and insert a modified kernel, allowing root, before recompiling it and flashing it? I know the locked bootloader stops us from flashing a custom kernel, but is there no way to spoof an .ftf file into using a modified kernel?
Sorry for the n00bish questions, just wondering aloud.
Cheers!
Short answer: not possible without unlocking the bootloader.
Long answer:
There are two possible methods for acquiring permanent root on Marshmallow on the Z5:
Conventional root - you provide root by modifying certain /system files on the phone. The problem with this is that you are modifying the system partition on the phone. The stock kernels on the Z5 (and most other phones) have something called dm-verity which basically checks everything on the system partition against what it expects to be there. If the kernel notices that something in the system partition has changed, the phone will fail to boot. You can install a modified kernel that has dm-verity disabled, but then you run into the issue described with systemless root.
Systemless root - you modify the kernel to allow for root either with Systemless SuperSU or through Magisk. This allows you to have an unmodified system partition and pass any potential system checks; however, you have to modify and flash a new kernel. Herein lies the problem with a locked bootloader. A locked bootloader checks the file signature for the file you're trying to flash. These files are typically signed by the phone manufacturer or carrier, so when the bootloader checks the file signature and it matches what it expects, then it allows the flash; if the signature doesn't match, then it aborts the flash. If you modify a stock kernel to disable dm-verity or try to flash a custom kernel, you will be prevented from doing so because your signature won't match what the bootloader expects. By unlocking the bootloader you are essentially disabling that signature check process.
So basically permanent root on Marshmallow isn't possible unless somebody can exploit a vulnerability in the boot chain.
As for modifying a stock ftf package: you again run into issues with the bootloader signature checks. The ftf file is basically a special zip container that contains a bunch of files. Most of these files, if not all of them, are signed by either the manufacturer or carrier, so you are able to flash it because all of these files pass the bootloader signature checks. Once you modify one of those files within the ftf, you destroy the signature and flashing of the ftf file will abort.
In summary, you need to unlock the bootloader so that you can flash a modified kernel that has dm-verity disabled.
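The two checks the answer above describes, as an added Python model that is not from this thread and not Sony's code: a locked bootloader refusing an image whose signature no longer matches, and a dm-verity style hash tree refusing a system partition that has been touched. Everything here is an assumption for the demo: textbook RSA over a SHA-256 digest stands in for the OEM's real signature scheme, a flat one-level hash tree stands in for dm-verity's multi-level tree, and the block size, key size and image contents are made up.

```python
"""Toy model of a locked bootloader's signature check and a dm-verity read.

Constructed example. Raw RSA over SHA-256 (no padding) stands in for the
OEM signature; a one-level hash tree stands in for dm-verity's tree.
"""
import hashlib
import secrets

BLOCK = 64  # toy block size; real dm-verity hashes 4096-byte blocks


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, good enough for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def oem_keygen(bits=512):
    """(n, e) is what the bootloader holds; the private exponent d stays with the OEM."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)


def sign_image(image, d, n):
    """OEM side: signature over SHA-256(image). Only the holder of d can do this."""
    h = int.from_bytes(hashlib.sha256(image).digest(), "big")
    return pow(h, d, n)


def bootloader_accepts(image, sig, pub):
    """Locked bootloader: boot the image only if the signature verifies under the OEM key."""
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(image).digest(), "big")


def build_hash_tree(part):
    """Per-block hashes plus the root hash that the (signed) kernel carries."""
    blocks = [part[i:i + BLOCK] for i in range(0, len(part), BLOCK)]
    leaves = [hashlib.sha256(b).digest() for b in blocks]
    return leaves, hashlib.sha256(b"".join(leaves)).digest()


def verity_read(part, index, leaves, root):
    """dm-verity style read: the tree must match the root, and the block must match its leaf."""
    if hashlib.sha256(b"".join(leaves)).digest() != root:
        raise IOError("hash tree does not match the root hash in the kernel")
    blk = bytes(part[index * BLOCK:(index + 1) * BLOCK])
    if hashlib.sha256(blk).digest() != leaves[index]:
        raise IOError(f"block {index} failed verification")
    return blk


def demo():
    """Stock kernel boots and stock /system reads; the patched variants do not."""
    pub, d = oem_keygen()
    stock_kernel = b"stock kernel: dm-verity=on ric=on"  # constructed stand-in image
    sig = sign_image(stock_kernel, d, pub[0])
    patched_kernel = stock_kernel.replace(b"dm-verity=on", b"dm-verity=off")

    system = bytes(range(256)) * 2  # constructed 512-byte "system partition"
    leaves, root = build_hash_tree(system)  # root would be baked into stock_kernel
    patched_system = bytearray(system)
    patched_system[100] ^= 0x01  # one byte changed in block 1, e.g. an su binary added

    def reads_ok(part):
        try:
            return verity_read(part, 1, leaves, root) == part[BLOCK:2 * BLOCK]
        except IOError:
            return False

    return {
        "stock_kernel_boots": bootloader_accepts(stock_kernel, sig, pub),
        "patched_kernel_boots": bootloader_accepts(patched_kernel, sig, pub),
        "stock_system_reads": reads_ok(system),
        "patched_system_reads": reads_ok(patched_system),
    }


if __name__ == "__main__":
    print(demo())
```

The patched kernel fails for the reason the answer gives: the signature was computed over the stock bytes, and only the OEM's private exponent can produce a new one. Unlocking the bootloader corresponds to skipping `bootloader_accepts`; disabling dm-verity corresponds to skipping `verity_read`, which is why a patched /system needs a patched kernel, and a patched kernel needs the unlock.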

Thanks very much for all the replies. Looks like I'm stuck with stock for the time being.

Ever since TA backup and bypassing the TA checks became possible, since MM or whatever, unlocking the bootloader is not a big deal. Very easy to backup, unlock, root, re-lock, restore.

xasbo said:
Ever since TA backup and bypassing the TA checks became possible, since MM or whatever, unlocking the bootloader is not a big deal. Very easy to backup, unlock, root, re-lock, restore.
Yeah, but unfortunately I'm not allowed to unlock my bootloader.

ianrobbie said:
Yeah, but unfortunately I'm not allowed to unlock my bootloader.
Ahhh, sure, forgot that some carriers lock these phones. I had that same problem on my Z1, but fortunately they found a LB root exploit.
How long have you had your phone? If the upcoming Nokia offering looks good, I'll sell you my mint condition UB Z5

Related

[Q] Do I have my facts straight?

Could someone just confirm that I got this right:
-if I want reaver on my phone, I have to root it
-if I root it, I lose low light camera quality
So I have to choose between rooting the phone (for installing reaver, airmon and apps like that, I don't need anything else) and having great low-light camera?
Yep.
It was true 2 weeks ago.
Now that the root method for locked bootloader has become available, you won't lose the DRM keys if you root.
freddy1991 said:
It was true 2 weeks ago.
Now that the root method for locked bootloader has become available, you won't lose the DRM keys if you root.
What do you mean?
Is it already available or?....
http://forum.xda-developers.com/showthread.php?t=3011598
To clarify:
Unlocking the bootloader wipes your DRM keys and losing those is what reduces the camera quality (among other things)
Previously, the only way to get root was to unlock the bootloader.
It is now possible (via giefroot exploit) to get root WITHOUT unlocking the bootloader. This means your DRM keys are unaffected.
Once you have root you can actually backup your DRM keys, so you are then free to unlock the bootloader if you want (for custom kernels and stuff) and restore your DRM keys afterwards.
3Shirts said:
To clarify:
Unlocking the bootloader wipes your DRM keys and losing those is what reduces the camera quality (among other things)
Previously, the only way to get root was to unlock the bootloader.
It is now possible (via giefroot exploit) to get root WITHOUT unlocking the bootloader. This means your DRM keys are unaffected.
Once you have root you can actually backup your DRM keys, so you are then free to unlock the bootloader if you want (for custom kernels and stuff) and restore your DRM keys afterwards.
Yes, but people should also know that restoring your DRM keys relocks the bootloader.
So, you can either have an unlocked bootloader without DRM keys (You can boot a custom kernel so can run CM etc)
or
a locked bootloader with DRM keys. (You cannot boot a custom kernel so are stuck to stock firmware)
You cannot have an unlocked bootloader with DRM keys.
Ah, thanks for the clarification, I didn't realise that. I've not unlocked my BL as I'm happy with root on stock.
Do you need to unlock for a custom rom and, if so, can you unlock, install the rom, and then relock?
3Shirts said:
Ah, thanks for the clarification, I didn't realise that. I've not unlocked my BL as I'm happy with root on stock.
Do you need to unlock for a custom rom and, if so, can you unlock, install the rom, and then relock?
If the custom rom relies on a custom kernel then yes you have to unlock. Custom kernels can only boot on an unlocked bootloader.
However, once you relock (Or restore the TA partition containing the DRM keys, this also relocks the boot) then you cannot boot a custom kernel so you get a bootloop until you either unlock again or restore a stock rom.
Locked bootloader = stock kernel only (Custom kernels will cause a bootloop)
Unlocked bootloader = any modified kernel and stock kernel (No DRM keys)
Here's one last question before following this guide http://forum.xda-developers.com/crossdevice-dev/sony/giefroot-rooting-tool-cve-2014-4322-t3011598
If something happens to my phone and I need to get it serviced, is it possible to remove root? Will there be any traces of root, or nobody'll ever know it'd been rooted?
David47 said:
Here's one last question before following this guide http://forum.xda-developers.com/crossdevice-dev/sony/giefroot-rooting-tool-cve-2014-4322-t3011598
If something happens to my phone and I need to get it serviced, is it possible to remove root? Will there be any traces of root, or nobody'll ever know it'd been rooted?
Flash a FTF or force repair with PC Companion.
That removes root and no one can tell.

[Q] Help with installing lollipop on unlocked phone

Hello !
I recently bought a used Z3 6603, and wanted to update it to lollipop.
But it seems it has an unlocked bootloader (according to the service menu), and when I received it, it was factory reset, but some 3rd party apps were still installed.
One of them was SuperSU, so it was rooted.
I was told that I could update the firmware if I just used the Full Uninstall feature in SuperSU, so I did that.
I still can't update using Sony companion, because it knows the software is not the original one.
And I can't reinstall SuperSU; it's saying that there is no SU binary installed and the program can't install it.
I have flashed phones before, but it was really a long time ago, so I'm asking for some help to fix this.
It's running 4.4.4 build 23.0.1.A.5.77 and stock ROM, I think.
Please tell me what to do, and what info you might need!
I want to have the phone in lollipop, but everything stock, no root, no bootloader etc.
And somewhere I read something about DRM keys. Please help me with fixing that as well, thank you.
Regards ImmoralCore
ImmoralCore said:
Hello !
I recently bought a used Z3 6603, and wanted to update it to lollipop.
But it seems it has an unlocked bootloader (according to the service menu), and when I received it, it was factory reset, but some 3rd party apps were still installed.
One of them was SuperSU, so it was rooted.
I was told that I could update the firmware if I just used the Full Uninstall feature in SuperSU, so I did that.
I still can't update using Sony companion, because it knows the software is not the original one.
And I can't reinstall SuperSU; it's saying that there is no SU binary installed and the program can't install it.
I have flashed phones before, but it was really a long time ago, so I'm asking for some help to fix this.
It's running 4.4.4 build 23.0.1.A.5.77 and stock ROM, I think.
Please tell me what to do, and what info you might need!
I want to have the phone in lollipop, but everything stock, no root, no bootloader etc.
And somewhere I read something about DRM keys. Please help me with fixing that as well, thank you.
Regards ImmoralCore
Your DRM keys are lost forever.
TheTeslaCoil said:
Your DRM keys are lost forever.
Ok, so they are lost even if I use the first backup that was made by the person I bought it from?
DRM=Hardcoded=Once unlocked, always DRM free, even if you use the recovery image?
And the rest of the questions, what am I supposed to do to get stock lollipop?
As a matter of fact it does not matter if it's unlocked or locked, I just want legit lollipop, with the possibility to update regularly. (But if root is possible at the same time, it can still be rooted)
Thanks for your reply !
You need the TA backup. Not system backup.
And careful not to restore some other TA.
If the previous owner backed up TA, good. If not, no chance to recover them.
Download your specific firmware in ftf format and flash it with Flashtool.
Make a clean install.
You cannot receive OTA with an unlocked bootloader, only if you relock, but there is no point in doing that if the DRM keys are lost.
So, from where you stand, keep it rooted and unlocked, because you can do much more with it: custom ROMs [at the moment stock is best]... custom kernels with recovery... mods... etc.
After you flash the ftf, flash via adb a custom kernel with recovery, and from recovery flash the SuperSU update as a flashable zip; that will root the phone and install SuperSU. Search also for a busybox flashable zip.
TheTeslaCoil said:
You need the TA backup. Not system backup.
And careful not to restore some other TA.
If the previous owner backed up TA, good. If not, no chance to recover them.
Download your specific firmware in ftf format and flash it with Flashtool.
Make a clean install.
You cannot receive OTA with an unlocked bootloader, only if you relock, but there is no point in doing that if the DRM keys are lost.
So, from where you stand, keep it rooted and unlocked, because you can do much more with it: custom ROMs [at the moment stock is best]... custom kernels with recovery... mods... etc.
After you flash the ftf, flash via adb a custom kernel with recovery, and from recovery flash the SuperSU update as a flashable zip; that will root the phone and install SuperSU. Search also for a busybox flashable zip.
Ok, I will try that then, but if I use Flashtool to update to lollipop, will I still be able to root easily, or should I reinstall 4.4.4 clean, then root, fix recovery kernel and everything, and then lollipop, or what goes first?
Does flash/kernel etc. affect the fact that it has an unlocked bootloader? Do I need to do anything with that, or does it stay unlocked?
ImmoralCore said:
Ok, I will try that then, but if I use Flashtool to update to lollipop, will I still be able to root easily, or should I reinstall 4.4.4 clean, then root, fix recovery kernel and everything, and then lollipop, or what goes first?
Does flash/kernel etc. affect the fact that it has an unlocked bootloader? Do I need to do anything with that, or does it stay unlocked?
If you have unlocked the bootloader it is always a trivial matter to root.
Just flash an insecure kernel.
If one does not exist use [NUT]'s online kernel builder to make one with recovery incorporated in it. Its very straightforward and an automated process.
So, update using flashtool, flash your custom kernel, and you have root and recovery.
gregbradley said:
If you have unlocked the bootloader it is always a trivial matter to root.
Just flash an insecure kernel.
If one does not exist use [NUT]'s online kernel builder to make one with recovery incorporated in it. Its very straightforward and an automated process.
So, update using flashtool, flash your custom kernel, and you have root and recovery.
1. Sorry for my noobish question, but define insecure kernel?
2. Did I get it right? I read about people downgrading their phones to 4.4.4 and then installing stuff. And for me it does not matter which version it is, because the unlocked bootloader makes it easy to flash, whatever version you are running?
ImmoralCore said:
1. Sorry for my noobish question, but define insecure kernel?
2. Did I get it right? I read about people downgrading their phones to 4.4.4 and then installing stuff. And for me it does not matter which version it is, because the unlocked bootloader makes it easy to flash, whatever version you are running?
1) a rooted kernel.
2) If you have unlocked there is no need to follow any of the locked bootloader guides; they are a waste of your time. One of the points of unlocking the phone is to easily get root. You just flash a custom kernel to gain root.
If you have a locked bootloader then you have to go through all the fuss of downgrading etc etc.... but with an unlocked bootloader it's so easy and straightforward.
gregbradley said:
1) a rooted kernel.
2) If you have unlocked there is no need to follow any of the locked bootloader guides; they are a waste of your time. One of the points of unlocking the phone is to easily get root. You just flash a custom kernel to gain root.
If you have a locked bootloader then you have to go through all the fuss of downgrading etc etc.... but with an unlocked bootloader it's so easy and straightforward.
Ok, thank you very much for your answers both of you!
I understand everything much better, now its just some flashing to do, c ya ! :good:
ImmoralCore said:
Ok, thank you very much for your answers both of you!
I understand everything much better, now its just some flashing to do, c ya ! :good:
Good luck.

Question: Rooted Concept?

Hey guys,
I tried out the Android Concept MM when it first came out and I was a huge fan and insanely satisfied due to its stock-like Android experience; however, the only thing keeping me away from using it is lack of root and Xposed. So I was wondering, can I just make a pre-rooted ftf with the ftf of the Concept with recroot 4, like I would with a normal Marshmallow ftf, or am I completely wrong?
I would appreciate the help thanks!
Concept ROM uses dm-verity, so it's unrootable on a locked bootloader. However, I've managed to root it on an unlocked bootloader before somehow. I'll try to explain as best as I can:
1. Download and flash concept FTF http://forum.xda-developers.com/z3/...arshmallow-t3229030/post66825447#post66825447 (this is latest one I could find)
2. OTA update to the latest version if you want
3. Download Systemless SuperSU zip and place it on SD card https://download.chainfire.eu/921/SuperSU/UPDATE-SuperSU-v2.65-20151226141550.zip
4. Flash recovery via fastboot (it needs unlocked bootloader) (for recovery I used this one) : http://forum.xda-developers.com/z3/development/z3-twrp-2-8-7-0-d6603-t3273996
5. Don't leave fastboot mode! Navigate with volume keys to "recovery mode" and click power button to enter it.
6. Flash SuperSu you downloaded earlier and then reboot.
7. Done, enjoy your rooted Concept.
Nojus33 said:
Concept ROM uses dm-verity, so it's unrootable on a locked bootloader. However, I've managed to root it on an unlocked bootloader before somehow. I'll try to explain as best as I can:
1. Download and flash concept FTF http://forum.xda-developers.com/z3/...arshmallow-t3229030/post66825447#post66825447 (this is latest one I could find)
2. OTA update to the latest version if you want
3. Download Systemless SuperSU zip and place it on SD card https://download.chainfire.eu/921/SuperSU/UPDATE-SuperSU-v2.65-20151226141550.zip
4. Flash recovery via fastboot (it needs unlocked bootloader) (for recovery I used this one) : http://forum.xda-developers.com/z3/development/z3-twrp-2-8-7-0-d6603-t3273996
5. Don't leave fastboot mode! Navigate with volume keys to "recovery mode" and click power button to enter it.
6. Flash SuperSu you downloaded earlier and then reboot.
7. Done, enjoy your rooted Concept.
Thanks, but damn that sucks; I don't really wanna lose DRM keys, plus I still have 1 year of warranty left.
Also, (http://forum.xda-developers.com/z3/development/rom-zyxxos-5-1-1-v1-0-pure-stable-fast-t3229169) ZyxxOS requires an unlocked bootloader; however, is there any way I can replace the boot.img with one that's utilized on a locked bootloader ROM, or will that not work?
Salaminator said:
Thanks, but damn that sucks; I don't really wanna lose DRM keys, plus I still have 1 year of warranty left.
Also, (http://forum.xda-developers.com/z3/development/rom-zyxxos-5-1-1-v1-0-pure-stable-fast-t3229169) ZyxxOS requires an unlocked bootloader; however, is there any way I can replace the boot.img with one that's utilized on a locked bootloader ROM, or will that not work?
Well, ZyxxOS has Sony's Concept-based kernel. The developer himself at first thought it would work on a locked bootloader, but it didn't. You could try to flash the original Concept .2099 kernel, but I don't think it will work.
As for DRM, you can easily back them up before unlocking, but it's up to you.
Nojus33 said:
Well, ZyxxOS has Sony's Concept-based kernel. The developer himself at first thought it would work on a locked bootloader, but it didn't. You could try to flash the original Concept .2099 kernel, but I don't think it will work.
As for DRM, you can easily back them up before unlocking, but it's up to you.
I'm confused with the effect DRM has, but is there any way to avoid them? Like if I back up, do I just restore them after unlocking my bootloader?
Ideally, I wanted to run an AOSP-like ROM and I hoped to remove all Sony stuff etc. from Concept; however, I'm just reluctant to unlock my bootloader.
This is probably the stupidest idea ever, I have close to no knowledge, however what happens if I put the stock Sony 6.0.1 kernel, which has already obtained recovery without unlocking the bootloader, and flash SuperSU via that?
Alternatively, is there any way to convert our current stock 6.0.1 into true stock Android?
Salaminator said:
I'm confused with the effect DRM has, but is there any way to avoid them? Like if I back up, do I just restore them after unlocking my bootloader?
Ideally, I wanted to run an AOSP-like ROM and I hoped to remove all Sony stuff etc. from Concept; however, I'm just reluctant to unlock my bootloader.
This is probably the stupidest idea ever, I have close to no knowledge, however what happens if I put the stock Sony 6.0.1 kernel, which has already obtained recovery without unlocking the bootloader, and flash SuperSU via that?
Alternatively, is there any way to convert our current stock 6.0.1 into true stock Android?
Maybe, but this is beyond my knowledge. Sorry.
EDIT: Or just use concept haha
Nojus33 said:
Maybe, but this is beyond my knowledge. Sorry.
EDIT: Or just use concept haha
Looking into Android 6.0 Complications from this article (http://www.xda-developers.com/a-look-at-marshmallow-root-verity-complications/)
It states the following:
If you want root today, on Android Marshmallow (6.0), you’re going to need to use a modified boot image. While it remains to be seen if this remains true indefinitely, it looks likely to be the case for some time – SELinux changes make it much harder to get root access without modifying the boot image. And as modifying the boot image requires an unlocked bootloader
So I'm assuming the Z3 has SELinux, thus preventing us from editing the boot image for Marshmallow Concept, hence leaving us with the only option to unlock our bootloader?
Lastly: Is there a potential to convert the stock Sony ROM into an AOSP looking/feeling ROM?

Does SafetyNet detect bootloader unlock? How about SuperSU systemless root?

I am on the Google variant. I'm curious whether simply unlocking the bootloader will prevent me from using Android Pay (and similarly protected apps). And same question for SuperSU systemless root?
As a bonus, if I were to unlock, root, modify a file (like hosts), then unroot and relock, would it complain?
NegativeOne said:
I am on the Google variant. I'm curious whether simply unlocking the bootloader will prevent me from using Android Pay (and similarly protected apps). And same question for SuperSU systemless root?
As a bonus, if I were to unlock, root, modify a file (like hosts), then unroot and relock, would it complain?
If you modify the system and relock the bootloader, you risk bricking the device entirely, if it won't accept fastboot commands
NegativeOne said:
I am on the Google variant. I'm curious whether simply unlocking the bootloader will prevent me from using Android Pay (and similarly protected apps). And same question for SuperSU systemless root?
As a bonus, if I were to unlock, root, modify a file (like hosts), then unroot and relock, would it complain?
First question, I think on some firmware, a custom kernel with root is allowing Android Pay for some users on some carriers. I wouldn't universalize; you have to try.
However, only unlocking the bootloader doesn't work; in addition a custom kernel that can fix what breaks is needed.
ndarkside93 said:
If you modify the system and relock the bootloader, you risk bricking the device entirely, if it won't accept fastboot commands
Second question:
EXACTLY: the bootloader detects changes in the system partition away from pure stock, so if you change things, that signals "corruption" to the bootloader so it will PREVENT boot and, as ndarkside says, RISK OF BRICK
nednednerb said:
First question, I think on some firmware, a custom kernel with root is allowing Android Pay for some users on some carriers. I wouldn't universalize; you have to try.
However, only unlocking the bootloader doesn't work; in addition a custom kernel that can fix what breaks is needed.
Second question:
EXACTLY: the bootloader detects changes in the system partition away from pure stock, so if you change things, that signals "corruption" to the bootloader so it will PREVENT boot and, as ndarkside says, RISK OF BRICK
Very true, but on the Pixel with the November update, SafetyNet checks for bootloader unlock, but I think Franco kernel can hide it to pass the check, if there is no root.

Q. F8331 potential for root without unlocking BL

Hi,
I have seen that the Samsung Galaxy edge 7 with a Qualcomm Snapdragon 820 CPU, running Nougat, which has a permanently locked bootloader, has been rooted. As seen here:
https://forum.xda-developers.com/tm...eres-how-rooted-nougat-s7-edge-g935t-t3567502
My question is, could that same method be applied to the Xperia XZ, just using Flashtool instead of Odin and obviously using XZ drivers instead of Samsung's?
GoodguyUK said:
Hi,
Could that same method be applied to the Xperia XZ, just using Flashtool instead of Odin?
Short: No
I have not found the boot.tar he mentions ...
Odin is a different beast than Flashtool.
Interesting for me is that the contents of the magical boot.tar flashed via Odin totally enable mounting, modifying system etc.
To make root.bat work adb must run as root on the device!
Not easy but can be achieved. I did this with a modified kernel in 2015 when rooting the first DM-Verity protected device from SONY. Find a link for that (long read) in my [GUIDE]. I guess here are similar things at work, maybe with the patched libs in the Nougat_S7_Root_2_82_All_Carriers_V1.zip
But to use this you have to be root in adb to get the libs to the proper places in /system.
For SONY devices DM-Verity and SONY-RIC are in the stock kernels. Modifying anything on the kernel or system partitions will result in a bootloop.
This cannot be defeated unless you have SONY's private key to sign your ROM.
In order to modify (e.g. rooting) /system you need a kernel with DM-Verity and SONY-RIC off and an unlocked bootloader to boot this kernel.
I can imagine a way using the exploit that enables us to backup the TA to copy a modified/patched kernel onto the kernel partition.
Will it be possible for the locked bootloader to boot this kernel? I do not know.
BTW I wonder that Flashfire is included. AFAIK this is payware from @Chainfire
On SONY devices I would not bother.
On devices where there is Marshmallow available you can backup your TA and afterwards unlock the bootloader to do what you intend: rooting or flashing custom ROMs or ....
When you sell the device you just restore the TA and flash a stock ROM -> everything SONY blessed and locked again.
