TA Backup by using ‘Spectre’ and ‘Meltdown’ CPU vulnerabilities - Sony Xperia XZ Premium Questions & Answers

Hello to all great developers.
As we know that sony Xperia Devices are ‘Spectre’ and ‘Meltdown’ CPU vulnerabilities
So it is possible to use these vulnerabilities and make a tool that can backup TA Partition of Xperia XZ Premium ?
@munjeni
@DevShaft
@rayman
@serajr
@IgorEisberg
@zxz0O0
@AdrianDC
 @sToRm//

Yes, it would be possible.
Someone just have to write something for it.
This would also be possible by abusing any critical vulnerability listed on the Android security bulletin.

zohaib0001 said:
Hello to all great developers.
As we know that sony Xperia Devices are ‘Spectre’ and ‘Meltdown’ CPU vulnerabilities
So it is possible to use these vulnerabilities and make a tool that can backup TA Partition of Xperia XZ Premium ?
Click to expand...
Click to collapse
You didn't ask @sToRm//

taking this further, is it possible to gain root access without having to unlock bootloader and flash a custom ROM? reason I ask is that there are a number of users out here with locked bootloaders and are unable to unlock them,

dazza9075 said:
taking this further, is it possible to gain root access without having to unlock bootloader and flash a custom ROM? reason I ask is that there are a number of users out here with locked bootloaders and are unable to unlock them,
Click to expand...
Click to collapse
No

dazza9075 said:
taking this further, is it possible to gain root access without having to unlock bootloader and flash a custom ROM? reason I ask is that there are a number of users out here with locked bootloaders and are unable to unlock them,
Click to expand...
Click to collapse
Spectre and Meltdown can only read kernel data as far as I'm aware.
TA backups would prob also take longer than usual using this since those exploits arent the fastest from what demos Ive seen

Mackay53 said:
No
Click to expand...
Click to collapse
Chocolate tea Pot
BigBrainAFK said:
Spectre and Meltdown can only read kernel data as far as I'm aware.
TA backups would prob also take longer than usual using this since those exploits arent the fastest from what demos Ive seen
Click to expand...
Click to collapse
Ok, so the exploits can read kernel level information but cant execute it which would mean it cant execute code to root a device, ok
but would it be possible to read and exploit other apps running, or gain access to memory that system apps or services are using which in turn could allow further exploits? I have no idea but it seems to me if we can take information out of secure memory, then if the right info was there to be taken then perhaps that might be useful?

Any update ?

This sounds very interesting... anybody here to help?

almost April. hope there will be one TA backup tool based on Spectre and Meltdown soon. I keep my XXP at 1st firmware of Oreo only for this purpose. XD So laggy but I won't move to current version unless i got TA backup'ed.

I'm holding back updates as well for this reason.
However, seeing that most people already updated and that there's noone working into this direction, I don't think there's a reason to keep doing this.

4rz0 said:
I'm holding back updates as well for this reason.
However, seeing that most people already updated and that there's noone working into this direction, I don't think there's a reason to keep doing this.
Click to expand...
Click to collapse
I think this is possible, though I don't have the skill to write an exploit for it.
First, the Meltdown vulnerability probably doesn't exist on the SD835, so we're relegated to the Spectre variants.
But essentially, it should be a matter of writing a Spectre exploit that can read the private TA sectors by priming the cache with known data, then speculatively calling functions which rely on calls to the private TA functions.
At the very least, it should, theoretically, be possible to get the device specific keys.
That said, I'm still applying updates to my XZ1c, simply because I don't want other people exploiting my device.
If you're holding back on updates, you may want to consider the fact that you can still revert back to older firmware versions if an exploit does become available. So even if you take an update, you could manually flash the device to an older firmware later.
On the XZ1c, the bootloader changed from LA1_1_O_77 with firmware 47.1.A.2.374 to version LA1_1_O_79 in firmware 47.1.A.5.51. I suspect that you can still flash the older bootloader, since the signing key's version signature hasn't changed, but I just choose to not flash the newer bootloader.
Basically, if you're paranoid that Sony will lock you out of flashing older firmware:
1 - Wait to see if anyone is reporting that you can't go back to an older firmware version.
2 - Don't flash updated bootloader versions if you don't have to, and
3 - Don't worry about updating everything else.
Otherwise, you're just risking your own security for no real benefit if you aren't keeping your firmware updated.

I know your idea.
But flashing backward will most likely ruin your data section.
And some apps just don't allow you to perform "adb backup".
Like some apps with security concerns or the authors of them just won't want data to be analyzed.
So that's one point I don't wanna upgrade.
pbarrette said:
I think this is possible, though I don't have the skill to write an exploit for it.
First, the Meltdown vulnerability probably doesn't exist on the SD835, so we're relegated to the Spectre variants.
But essentially, it should be a matter of writing a Spectre exploit that can read the private TA sectors by priming the cache with known data, then speculatively calling functions which rely on calls to the private TA functions.
At the very least, it should, theoretically, be possible to get the device specific keys.
That said, I'm still applying updates to my XZ1c, simply because I don't want other people exploiting my device.
If you're holding back on updates, you may want to consider the fact that you can still revert back to older firmware versions if an exploit does become available. So even if you take an update, you could manually flash the device to an older firmware later.
On the XZ1c, the bootloader changed from LA1_1_O_77 with firmware 47.1.A.2.374 to version LA1_1_O_79 in firmware 47.1.A.5.51. I suspect that you can still flash the older bootloader, since the signing key's version signature hasn't changed, but I just choose to not flash the newer bootloader.
Basically, if you're paranoid that Sony will lock you out of flashing older firmware:
1 - Wait to see if anyone is reporting that you can't go back to an older firmware version.
2 - Don't flash updated bootloader versions if you don't have to, and
3 - Don't worry about updating everything else.
Otherwise, you're just risking your own security for no real benefit if you aren't keeping your firmware updated.
Click to expand...
Click to collapse

Related

[Q] About bootloader versions

Hey guys,
I've been playing around with the firmware on my Moto G and I didn't understand some things related to bootloader/partition table version and I hope someone more knowledgeable can explain me some things, in a more technical way if possible. Links to documentation are also appreciated!
So, apparently you have to keep an eye on bootloader, partition table, and OS versions so they match. You also cannot easily downgrade bootloader versions.
Also, I saw that you can brick your device if you try to flash 5.0.1 ota, then go back to 4.4.2 and flash 4.4.4 ota because of mismatched bootloader versions and will have to wait for official motorola 5.0.1 images.
My first question is why does this happen? If I get stuck on a particular bootloader version (in this case 5.0.1 GPE, right?) why can't I just boot the corresponding OS, why does the device brick (is it incompatible bootloader and partition table, so the bootloader can't find stage 2)?
Second question, apparently you CAN downgrade the bootloader versions, but have to follow some specific steps and use specific files. Why is that? What checks does the devices makes when upgrading bootloaders and what kind of files allow me to downgrade while passing those checks?
Third, why can't you boot older android versions with newer bootloaders? Doesn't the bootloader just initialize some devices and loads the kernel, can't you modify and older kernel to boot with the new bootloader or chainload and older kernel from a newer one? Also why does the boot processes change so frequently when it should be something very stable?
Fourth, what is the rationale behind not allowing you to freely switch bootloader versions?
Well, thats it. Sorry for the long post and thanks to anyone that can help me . Maybe I should post this in android development instead?
I follow .
I believe on Nexus hardware changing Bootloader is an easier process as those devices are deliberately Developer friendly. Motorola are open enough to allow unlocking, but as you have discovered, flashing an older Bootloader is a messy and dangerous process. Perhaps if enough people petitioned for a change, things might be different.
The Bootloader and Kernel are interrelated and that is why newer Bootloader versions break compatibility with previous iterations of Android (each with a unique Kernel.)
It's possible Kernel DEVs could offer a solution, but I suspect the reality is so few people care. The majority of users will get OTA Updates and never go back.
Uh, bump?
Anyone can tell me if there is a more appropriate place to ask question like these?
I hope it will give you some reference in these topics.
http://elinux.org/Android_Booting
http://androidforums.com/threads/android-partitions-kernels-explained.278898/
aryal.subasha said:
I hope it will give you some reference in these topics.
http://elinux.org/Android_Booting
http://androidforums.com/threads/android-partitions-kernels-explained.278898/
Click to expand...
Click to collapse
Thanks, but I already found those in Google and they aren't very useful. Too superficial and both focus on what happens AFTER the kernel is loaded, I'm interested more in the bootloader, how it verifies the signatures, etc.
Anyone?

[Q] Z3 Root Reality Check

I've been watching the developer board regarding the root and locked bootloader issue, and I've spent hours researching this and have yet to find a solution that's known to work without loss of something, likely a permanent or semi permanent loss. My device is a Z3 model D6616. I'm unhappy with the phone for several other reasons, but haven't owned an un-rooted phone for some time, and prefer keeping this phone if I can root it successfully. Root with stock firmware is my objective and am only interested in responses from people that have themselves rooted (and dealt with bootloader issues) a Z3.
- Root phone installing current T-mobile stock firmware.
- Known loss of function: Sony DRM dependant features/funtion only (from memory, mostly related to camera low light performance and DRM playback issues)
- Other loss of function experienced with stock features, or any other problem with any other app. Especially concerned with root dependant features of Play apps? Also ad blockers?
- Waranty loss (potential) and loss of OTA updates understood.
- Feature/function loss with workarounds or fixed that survive power cycle?
- Expect permament bootlocker inability to relock
- A link to the specific process you used, any problems you encountered whatever the cause. For example it usually takes me at least 3 attempts to root using any complex process, and I always read through 5 times before starting and download every needed file and program in advance.
Again: Sony Xperia z3 D6616 T-mobile
Firmware: 4.4.4 23.0.3.1.123
Software: D6166 R16B
In the past, I've had the most problems when an understood part of a process is not explicitly stated, or I've ignored or misunderstood a step. Plugging and unplugging from usb to PC a typical example. I don't have the technical know how to critique or ignore, so always attempt to follow all instructions without variance. I've had some problems, and most were solved by starting the process again. I hesitate to ask for help since the last time I did that I was attacked for witholding information when asked if I had backed up the phone. Since i didn't have access to the PC at the time of the question I honestly answered I didn't know (since I had attempted to but couldn't confirm). If you've ever answered a question here implying the request or requester is stupid or dishonest, I'm fully aware of my ignorance and my own integrity, and other personality traits, so please ignore this request, which accepts my lack of knowlege and has no tolerance for your issues not previously resolved through your own peaceful and respectful process.
Please only respond if you have personally rooted this specific phone model. If you have not, but know someone who has, please ask them to review this post and respond.
Nobody has rooted this phone without unlocking the bootloader. If you unlock to root, you will permanently lose DRM keys from the TA partition with no way to recover. No current root method works on 4.4.4 on the Z3. No one knows when or if an exploit will be found. We all want root. If you want it now, unlock the bootloader. If you can wait, wait. It's your call either way. As soon as a root method surfaces, best believe it will be in these forums. I'll be waiting with you...
First of all, check *#*#7378423#*#* to see if you bootloader can be unlocked or not.
Coz I think 6616's bootloader is unlockable.
freddy1991 said:
First of all, check *#*#7378423#*#* to see if you bootloader can be unlocked or not.
Coz I think 6616's bootloader is unlockable.
Click to expand...
Click to collapse
This is true. D6616 owner here, T-MO not unlockable yet :/ eagerly awaiting root as well as I really enjoy the z3, maybe even more than my Nexus 6 (gasp, blasphemy!)
Thanks For the Responses
freddy you addressed my concern, exactly. My phone reports:
Rooting Status:
Boot Unlocker Allowed: No
Although variants of the z3 have been bootlocker unlocked and rooted, I have not found a clear claim that was successfully done with D6616 z3. Since I'm a new T-mobile customer, this and their attitude about it are a poor way to start. I have a HTC phone I haven't returned, maybe I can get them to take the Z3 back instead. While I have benefited from and appreciate the great work so many people have done to make our phones usable and available to us, I've seen how carriers, mfgs, and users push good phones to market crippled by junk and unecessarily locked down. it's time to consider the mamufacturers that have been successful building good phones and selling in places like China at much lower prices.
Regarding any loss of DRM, I couldn't care less. This phone takes worse low light photos and video than my rooted Samsung G3, making it functionaly useless to me. Add to that the lack of a rational UI for telephony and IM, and done with Sony.
To be clear, if the bootloader can be unlocked and the phone can be rooted and you have done this yourself, please post.
Well...
I think there is no way you could unlock the bootloader of 6616.
The only way is to wait for the root on locked bootloader.
Check here http://forum.xda-developers.com/showthread.php?t=2940539
But that means you have to stick in the .93 firmware, even if the exploit is also usable for Z3.
Or return your 6616 and buy a 6603 or 6653 variant.
BREAKING NEWS
http://forum.xda-developers.com/crossdevice-dev/sony/giefroot-rooting-tool-cve-2014-4322-t3011598
Man, No bootloader unlock = Useless phone
HORiZUN said:
BREAKING NEWS
http://forum.xda-developers.com/crossdevice-dev/sony/giefroot-rooting-tool-cve-2014-4322-t3011598
Click to expand...
Click to collapse
Nope.
http://forum.xda-developers.com/showpost.php?p=58468332&postcount=815
I'm similarly confused about this whole thing, this new Giefroot program means we can all potentially get root for our devices, but we still lose the DRM keys right? So that means we can never have the Sony camera/image processing processes back again right?
Thwwack said:
I'm similarly confused about this whole thing, this new Giefroot program means we can all potentially get root for our devices, but we still lose the DRM keys right? So that means we can never have the Sony camera/image processing processes back again right?
Click to expand...
Click to collapse
NO
Unlocking the bootloader = loss of DRM
Rooting that does not involve unlocking the bootloader means you keep the DRM keys
gregbradley said:
NO
Unlocking the bootloader = loss of DRM
Rooting that does not involve unlocking the bootloader means you keep the DRM keys
Click to expand...
Click to collapse
Thanks, I'm new to Android and this is all over my head. To clarify, Giefroot does this without unlocking the bootloader?
It's all pretty frustrating, I gotta say... I'd love to install Cyanogenmod on this, but losing key features on the device is a pretty harsh trade off.
Thwwack said:
Thanks, I'm new to Android and this is all over my head. To clarify, Giefroot does this without unlocking the bootloader?
It's all pretty frustrating, I gotta say... I'd love to install Cyanogenmod on this, but losing key features on the device is a pretty harsh trade off.
Click to expand...
Click to collapse
Yes, giefroot does not unlock the boot. There is only one way to do that and that is to obtaining the code from sony and fastboot it either manually or using flashtool.
Delete

[ROOT] About CVE-2015-1805

Just a short notice about recent patched bug.
Link: https://source.android.com/security/advisory/2016-03-18.html
Google patched this vulnerability in its latest 3-18 kernels. In fact my team have been studying this vulnerability since last Dec and a conclusion has been made that this is HIGHLY exploitable. So if you expect a permanent/temporary (in case of dm-verity) root on your device, my suggestion is on hold any further OTA/update.
[OVER]
mark
On Xperia Z5 forums there's a lot of people waiting for "temporary root priviledges" in order to backup a special DRM partition that gets erased with Bootloader Unlock but is necessary for Warranty purpose by Sony.
Just temporary because we have Verified Boot (dm-verity) protection on our devices.
There's also a bounty for this http://forum.xda-developers.com/z5-compact/general/bounty-z5-compact-root-locked-t3242226
Here we started a thread about this specific exploit: http://forum.xda-developers.com/xperia-z5/general/cve-2015-1805-lb-root-waited-t3343839
Lollipop 5.1.1 firmwares of September/october 2015 seem exploitable
Hope you can get a working exploit
thanks
ninestarkoko said:
On Xperia Z5 forums there's a lot of people waiting for "temporary root priviledges" in order to backup a special DRM partition that gets erased with Bootloader Unlock but is necessary for Warranty purpose by Sony.
Just temporary because we have Verified Boot (dm-verity) protection on our devices.
There's also a bounty for this http://forum.xda-developers.com/z5-compact/general/bounty-z5-compact-root-locked-t3242226
Here we started a thread about this specific exploit: http://forum.xda-developers.com/xperia-z5/general/cve-2015-1805-lb-root-waited-t3343839
Lollipop 5.1.1 firmwares of September/october 2015 seem exploitable
Hope you can get a working exploit
thanks
Click to expand...
Click to collapse
Thanks. I'm not using Sony devices myself so I'm not able to test. But anyone interested in making an exploit can refer to my PoC and continue the work.
idler1984 said:
Thanks. I'm not using Sony devices myself so I'm not able to test. But anyone interested in making an exploit can refer to my PoC and continue the work.
Click to expand...
Click to collapse
Thank you very much for the interest!
Unfortunately i am not able myself to accomplish the job, as i've a limited knowledge of linux kernel, but i'm confident some developer will help.
I'm curious to see "live" or "tethered" root solutions , maybe along with "mini-system partition overlay in /data" idea as described here http://www.xda-developers.com/galaxy-s7-bootloader-lock-explained-you-might-not-get-aosp-after-all/
especially for devices with non-unlockable bootloaders

Android PIE VerifiedBoot Bypass: sony xperia XZ1 locked bootloader permanently rooted

This thread is to announce a completely new vulnerability I've found within SONY XPERIA XZ1 Compact firmware.
It allows verified boot bypass with the latest available android pie fw (2019-09-01 security patch level, sony version 47.A.2.11.228 released on 2019-10-10).
Please see bellow for youtube video recordings showing the exploit and it's possibilities.
Permanently rooting Android PIE without bootloader unlock - SONY XPERIA XZ1 Compact Verified Boot Bypass
LOS16 with locked BL
short preview of Lineage OS 16.0 booting instead of stock fw with still locked bootloader including magisk root
(first announced here as part of my previous kernel exploit thread)
verified boot bypass:
- fastboot-ing twrp
- permanently flashing twrp as recovery
- permanently rooting stock fw with magisk without unlocking bootloader
LOS16 from sd card
installing LOS16 as an alternate OS to sdcard for multiboot via recovery
LOS16 instead of stock fw with locked BL
dual booting two LOS16 installations, one replacing stock fw, the other from sd card
replacing the 2nd LOS16 with twrp recovery being happy with just one LOS16 replacing stock fw with still locked bootloader
Playlist of all the above available here.
Vulnerability impact
This could be used to inject any software into a xperia phone, like remote root backdoor or some eavesdropping spyware.
An exploit may be implemented in a way that it could survive full firmware re-flash from computer or even system fota upgrade, including factory reset, making it very powerful.
If used with another temp (or remote) root exploit, this vulnerability may be leveraged without user noticing anything, so an attacker may do persistent changes even when bootloader is still locked with verified boot active.
Vulnerability scope
The proof of concept exploit is working with sony xperia xz1 compact phone.
It can be extended to support entire range of xperia phones running YOSHINO platform (qualcomm snapdragon 835) - XZ Premium, XZ1, XZ1 Compact (any of single/dual sim variants), including those that do not allow bootloader unlock as that is not needed.
First stage of the exploit has also been adapted for SONY XPERIA XZ2, as documented here and in following posts. That means the exploit could be extended to support entire TAMA platform, i.e. sony xperia XZ2/XZ3 (Compact/Dual/Premium) phones.
There is a chance that the exploit could be adapted to any recent xperia phone released since yoshino platform. It has not been checked/proved either way though.
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Even though this exploit is very powerful, my ultimate goal is TrustZone code execution hopefully allowing to inject custom verified boot keys and bootloader re-lock.
Unfortunately I can spend less and less time working on this stuff, so I would appreciate help from other developers, particularly experienced with reverse engineering to help me find a hole to get into TrustZone / Qualcomm Secure Execution Environment (QSEE).
I have already some ideas for very promising TZ attack vectors.
Please contact me if you would like to help me with TrustZone exploit development.
Thank you.
Please keep the thread clean
Please use the thanks button if you like my work.
Please post here only when you have something with real information value. General discussion may take place in my thread here.
Thank you.
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Android Attest Key thread
https://j4nn.github.io/
https://github.com/j4nn/
Hi, is possible to root with locked BL on Xperia XZ2 Premium running Android 9?
So, you just flashed TWRP, LineageOS & Magisk like normal?
Mazellat said:
Hi, is possible to root with locked BL on Xperia XZ2 Premium running Android 9?
Click to expand...
Click to collapse
@j4nn did adapt the same exploit of renoroot on the XZ2 which theoretically can be applied to the whole family since they are the same. But for now NO root on locked BL AFAIK.
YamiYukiSenpai said:
So, you just flashed TWRP, LineageOS & Magisk like normal?
Click to expand...
Click to collapse
No, he did a lot of work in order to find a new exploit that made him able to flash TWRP and lineage on a locked bootloader and be able to dualboot if he wants to.
@j4nn said in the OP that he wants this to be clean and for developers only who can help and general discussion will be found here https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510
@j4nn your work for yoshino exploit is amazing, you have our respect, wish we could relock the BL so that i could sell my xzp with stock features. ?
j4nn said:
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Click to expand...
Click to collapse
Have you still decided what to do with it yet?
@Shahnewaz, well I put it aside - it is dangerous for general folks to use - really great risk of a brick.
Also I've released two new temp root exploits - one for xz1* phones and another one for xz2* phones even allowing to use magisk from it, not difficult to start after each boot.
I would still welcome a help with TrustZone exploit development - I have some progress there, but not enough time to do it alone.
Would the exploit also be possible with the 820 devices, or something similar?
Does the exploit for devices with LB have anything to do with treble implementation for the 835? Would like to accomplish a dual boot on XZ premium, and if possible have another that is an 820 with a LB; please advise.
This was probably the only option I had to extend the functional life of my SOV36. I just wish I knew that this would be the ONLY model with a locked bootloader.
Hi everyone,
My XZ1 has "Android attest key Not Provisioned" and "Fido Key Provisioned".
i had a problem with green camera in the past, but not anymore after update to Pie.
my question is: can i root without backing up DRM keys?
Moderator Edit, removal of attachment, showing IMEI.
How to format SD card and boot twrp ?
Wonderful. Can you tell me which fastboot partition is in /dev/block/. Thanks j4nn
@j4nn I overwritten the xfl file on / dev / block. and then my phone won't boot, can't enter flashmode or fastboot. do you have a solution to do?
@Rhamadhany, why would you overwrite xfl partition?
What did you overwrite xfl partition with exactly?
Unfortunately I do not have a hard brick recovery method.
I have managed to get sony firehose boot image which works with xz1* EDL boot mode, but all commands are protected by sony sake auth (rsa2048), so it is not useful at all.
j4nn said:
@Rhamadhany, why would you overwrite xfl partition?
What did you overwrite xfl partition with exactly?
Unfortunately I do not have a hard brick recovery method.
I have managed to get sony firehose boot image which works with xz1* EDL boot mode, but all commands are protected by sony sake auth (rsa2048), so it is not useful at all.
Click to expand...
Click to collapse
I used the command dd, sorry. So there's no way to bring it back to life?
@j4nn Btw I bought a new xz2 premium phone but with the docomo version. And I just found out that the docomo version can't use global rom. So can the docomo version use temproot?
@j4nn In my opinion, Sony might stick TrustZone with TA partition, injecting any boot keys might lead to the removal of TA and cause some brick ( i don't have any devices in Yoshino platform to test out, just my though )
Have you read this?
US20120190338A1 - Method for changing an operating mode of a mobile device - Google Patents
A method for changing an operating mode of a mobile device is provided. According to the method, a request from the user of the mobile device to change from a first operating mode to a second operating mode is received. In response to the received request a credential is requested from the user...
patents.google.com
Thanks for your work @j4nn . I hope this could help in enabling volte to my sov36 and also to be able to flash dual sim fw g8432. As everytime i flash g8342 fw i get no sim detected. In regards to volte i already tried other guides here with also the help of your exploit for oreo. However still no luck and just recently i noticed camera opens but doesnt work. Hope you can release the exploit for pie of course once you got your goal about the trustzone, specially for me and others who owns sov36 variant as this doesnt allow to unlock bl. Basically what i can only do to contribute is just test builds and provide feedback.

All my unsolved questions researching before XZ Premium Bootloader Unlock. Please read.

Hello,
I resort to the kindness and experience of the forum to be able to advise me on the basic questions about the experience of rooting the Sony XZ Premium (G8142), since I spent several hours reading and searching the forum for information, but everything that is there is scattered, then I would like to know from those who directly did it, if it is worth it. Also, in order to help other users who are looking for concise information, they can have this link as a reference to remove all the most common doubts that arise in one place.
My doubts are the following:
is it advisable to root?
I have been researching about the camera problems that for Android 9 no longer have them, but in another article it describes that we lose the video enhancement X-Reality, DSEE HX, ClearAudio +, Widevine L1. All this arises because a certain system partition (TA) is erased when we unlock the bootloader. Does anyone have info how he remedied all these leaks? Custom ROMs fix this?
DRM issues: This is also something that was not clear to me. First do Backup DRM; In order to be able to backup to the partition with the locked bootloader I still need to run the temporary root. For that I need to downgrade the system to version 8 (G8142_47.1.A.16.20). Then run command lines to create the backup with the help of the tool that a forum user created. Please if I'm wrong correct me.
* The question is first to downgrade (Android 8),
* temporary root,
* then create the backup.
* Unlock bootloader from sony page
* then to restore the backup again, or not? Does restoring the backup lock and leave the device to a previous state? (undoing the changes), or does it just fix the DRM problem?
* In short, is it advisable to unlock the bootloader with Android 9 or earlier?
* Is it advisable to create the DRM backup?
* In which case would I have to restore this backup?
I have also seen that they mention a paid software that does all the work by yourself I do not know if it is for Android 9, it is just a matter of connecting the device in fastboot mode, then it automatically executes twrp, root, repairs DRM, but the cost of the software in my country it is something difficult to pay, that is why I am gathering as much information as possible before executing any procedure.
Custom ROMs: Regarding the user experience, does anyone have information about the rom that is more stable and recommended for this device? Does it cover all the holes or bugs that it leaves when erasing DRM after unlocking the bootloader?
I hope the reference text of what I write can be understood since my native language is Latin American Spanish, and I am using the Google translator.
I would appreciate any kind of suggestion or experience in this regard. Thank you.
First of all, have you seen these threads:
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Tools to backup TA partition (drm keys) of Xperia XZ1 Compact by j4nn https://j4nn.github.io/ As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera...
forum.xda-developers.com
[XZp] rooted kernel hiding bootloader unlock with working fota
rooted kernel hiding bootloader unlock with working sony stock fw fota updates for Sony Xperia XZ Premium Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader. Also many sony...
forum.xda-developers.com
It's all there really, explained step by step. Thanks to @j4nn you can run stock firmware with superuser access concealed from the system so that it doesn't know the phone is unlocked, with all the DRM-restricted functionality still available.
The relative benefits of unlocking depend on your specific needs. But considering there are no more official updates, being able to use aftermarket firmware like this: https://forum.xda-developers.com/t/rom-lineageos-18-1-unofficial-updated-2021-3-31.4221427/ already makes it worthwhile in my opinion.
The only drawback of an unlock is that there is a scary message displayed on every boot, which also adds 1 or 2 seconds to the startup sequence.
Regardless of whether you decide to unlock or not, there is no downside to having a TA backup. It might come useful one day.
All you need is Android Platform Tools (adb, fastboot), and: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ There is no need to pay for any of these, although you can donate to @j4nn and @munjeni: they both put a lot of effort into making this possible.
Aqq123 said:
First of all, have you seen these threads:
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Tools to backup TA partition (drm keys) of Xperia XZ1 Compact by j4nn https://j4nn.github.io/ As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera...
forum.xda-developers.com
[XZp] rooted kernel hiding bootloader unlock with working fota
rooted kernel hiding bootloader unlock with working sony stock fw fota updates for Sony Xperia XZ Premium Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader. Also many sony...
forum.xda-developers.com
It's all there really, explained step by step. Thanks to @j4nn you can run stock firmware with superuser access concealed from the system so that it doesn't know the phone is unlocked, with all the DRM-restricted functionality still available.
The relative benefits of unlocking depend on your specific needs. But considering there are no more official updates, being able to use aftermarket firmware like this: https://forum.xda-developers.com/t/rom-lineageos-18-1-unofficial-updated-2021-3-31.4221427/ already makes it worthwhile in my opinion.
The only drawback of an unlock is that there is a scary message displayed on every boot, which also adds 1 or 2 seconds to the startup sequence.
Regardless of whether you decide to unlock or not, there is no downside to having a TA backup. It might come useful one day.
All you need is Android Platform Tools (adb, fastboot), and: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ There is no need to pay for any of these, although you can donate to @j4nn and @munjeni: they both put a lot of effort into making this possible.
Click to expand...
Click to collapse
Thank you very much for answering my question, you have clarified several points that I had scattered about.
I still have some doubts reading more comments on the links that you have suggested. Perhaps you have an answer to such doubts:
I have read that a user has lost video enhancements, perhaps because he did something wrong here:
temp root for drm keys backup - anybody still interested?
--- edit 2018-11-03 --- Tools to backup TA partition before bootloader unlock have been released. Just check the [XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented thread. --- Just wondering if there is already drm keys backup...
forum.xda-developers.com
post #72 sulistyoarif:
Only Video Image Enhancement didnt work for me.
I have seen some videos of the YouTube profile of the user j4nn where he has all the libraries without problems, working perfectly, including the improvements of the video image.
About the installation processes for firmware I did a clean installation of firmware version 9 latest compilation with Xperia flashtool without problems. Do you think that I will be able to downgrade with Xperia flashtool without problems with the libraries or some other? I think that the experience serves me more than the tutorials .
For what remains in my information I found this steps:
*downgrade
* no flash - persist.sin
1) Use temp root and backup TA image
2) Unlock bootloader
3) Flash Newest firmware (or choice of yours)
4) Setup phone temporary and copy magisk files to
phone
5) flash twrp and temporary boot with twrp
(fastboot boot twrp.img)
6) flash magisk and reboot
7) Check Root privilege
8) Restore TA image and check DRM
8.1) (optional) factory reset if any fc issue
"Now You have unlocked and rooted phone with full DRM Support including OTA Support.
Everything is tested and working for XZP and XZP Dual"
Thanks again for the help and taking the time to read my post.
@sergioemmr
It should work like you describe it, except with newflasher: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ FlashTool is for older devices.
That guy did something wrong, so don't be like him. Just follow @j4nn's instructions.
You can downgrade to an earlier firmware on this device, no problem here. Do not flash persist.sin like you said, and you're good to go. If you run into any problems, just post in that thread, and you'll get more people's attention.
Aqq123 said:
@sergioemmr
It should work like you describe it, except with newflasher: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ FlashTool is for older devices.
That guy did something wrong, so don't be like him. Just follow @j4nn's instructions.
You can downgrade to an earlier firmware on this device, no problem here. Do not flash persist.sin like you said, and you're good to go. If you run into any problems, just post in that thread, and you'll get more people's attention.
Click to expand...
Click to collapse
What's the deal with persist.sin? I used flash tool to downgrade and managed to extract the unlocked-ta file. Did I somehow void the TA key?

Categories

Resources