This thread is to announce a completely new vulnerability I've found within SONY XPERIA XZ1 Compact firmware.
It allows verified boot bypass with the latest available Android Pie fw (2019-09-01 security patch level, Sony version 47.A.2.11.228 released on 2019-10-10).
Please see below for YouTube video recordings showing the exploit and its possibilities.
Permanently rooting Android PIE without bootloader unlock - SONY XPERIA XZ1 Compact Verified Boot Bypass
LOS16 with locked BL
short preview of Lineage OS 16.0 booting instead of stock fw with still locked bootloader including magisk root
(first announced here as part of my previous kernel exploit thread)
verified boot bypass:
- fastboot-ing twrp
- permanently flashing twrp as recovery
- permanently rooting stock fw with magisk without unlocking bootloader
LOS16 from sd card
installing LOS16 as an alternate OS to sdcard for multiboot via recovery
LOS16 instead of stock fw with locked BL
dual booting two LOS16 installations, one replacing stock fw, the other from sd card
replacing the 2nd LOS16 with twrp recovery being happy with just one LOS16 replacing stock fw with still locked bootloader
Playlist of all the above available here.
Vulnerability impact
This could be used to inject any software into an Xperia phone, like a remote root backdoor or some eavesdropping spyware.
An exploit may be implemented in a way that could survive a full firmware re-flash from a computer or even a system FOTA upgrade, including factory reset, making it very powerful.
If used with another temp (or remote) root exploit, this vulnerability may be leveraged without the user noticing anything, so an attacker may make persistent changes even when the bootloader is still locked with verified boot active.
Vulnerability scope
The proof of concept exploit is working with sony xperia xz1 compact phone.
It can be extended to support the entire range of Xperia phones running the YOSHINO platform (Qualcomm Snapdragon 835) - XZ Premium, XZ1, XZ1 Compact (any of the single/dual SIM variants), including those that do not allow bootloader unlock, as that is not needed.
First stage of the exploit has also been adapted for SONY XPERIA XZ2, as documented here and in following posts. That means the exploit could be extended to support entire TAMA platform, i.e. sony xperia XZ2/XZ3 (Compact/Dual/Premium) phones.
There is a chance that the exploit could be adapted to any recent xperia phone released since yoshino platform. It has not been checked/proved either way though.
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Even though this exploit is very powerful, my ultimate goal is TrustZone code execution, hopefully allowing injection of custom verified boot keys and bootloader re-lock.
Unfortunately I can spend less and less time working on this stuff, so I would appreciate help from other developers, particularly those experienced with reverse engineering, to help me find a hole to get into TrustZone / Qualcomm Secure Execution Environment (QSEE).
I already have some ideas for very promising TZ attack vectors.
Please contact me if you would like to help me with TrustZone exploit development.
Thank you.
Please keep the thread clean
Please use the thanks button if you like my work.
Please post here only when you have something with real information value. General discussion may take place in my thread here.
Thank you.
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Android Attest Key thread
https://j4nn.github.io/
https://github.com/j4nn/
Hi, is it possible to root with locked BL on Xperia XZ2 Premium running Android 9?
So, you just flashed TWRP, LineageOS & Magisk like normal?
Mazellat said:
Hi, is it possible to root with locked BL on Xperia XZ2 Premium running Android 9?
@j4nn did adapt the same exploit of renoroot on the XZ2 which theoretically can be applied to the whole family since they are the same. But for now NO root on locked BL AFAIK.
YamiYukiSenpai said:
So, you just flashed TWRP, LineageOS & Magisk like normal?
No, he did a lot of work in order to find a new exploit that made him able to flash TWRP and lineage on a locked bootloader and be able to dualboot if he wants to.
@j4nn said in the OP that he wants this to be clean and for developers only who can help and general discussion will be found here https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510
@j4nn your work on the yoshino exploit is amazing, you have our respect. I wish we could relock the BL so that I could sell my XZP with stock features.
j4nn said:
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Have you still decided what to do with it yet?
@Shahnewaz, well, I put it aside - it is dangerous for general folks to use - really great risk of a brick.
Also I've released two new temp root exploits - one for xz1* phones and another one for xz2* phones, even allowing use of magisk from it, not difficult to start after each boot.
I would still welcome help with TrustZone exploit development - I have some progress there, but not enough time to do it alone.
Would the exploit also be possible with the 820 devices, or something similar?
Does the exploit for devices with LB have anything to do with treble implementation for the 835? Would like to accomplish a dual boot on XZ premium, and if possible have another that is an 820 with a LB; please advise.
This was probably the only option I had to extend the functional life of my SOV36. I just wish I knew that this would be the ONLY model with a locked bootloader.
Hi everyone,
My XZ1 has "Android attest key Not Provisioned" and "Fido Key Provisioned".
I had a problem with the green camera in the past, but not anymore after the update to Pie.
My question is: can I root without backing up the DRM keys?
Moderator Edit, removal of attachment, showing IMEI.
How to format the SD card and boot TWRP?
Wonderful. Can you tell me which fastboot partition is in /dev/block/. Thanks j4nn
@j4nn I overwrote the xfl file in /dev/block, and then my phone won't boot, can't enter flashmode or fastboot. Do you have a solution?
@Rhamadhany, why would you overwrite xfl partition?
What did you overwrite xfl partition with exactly?
Unfortunately I do not have a hard brick recovery method.
I have managed to get sony firehose boot image which works with xz1* EDL boot mode, but all commands are protected by sony sake auth (rsa2048), so it is not useful at all.
j4nn said:
@Rhamadhany, why would you overwrite xfl partition?
What did you overwrite xfl partition with exactly?
Unfortunately I do not have a hard brick recovery method.
I have managed to get sony firehose boot image which works with xz1* EDL boot mode, but all commands are protected by sony sake auth (rsa2048), so it is not useful at all.
I used the dd command, sorry. So there's no way to bring it back to life?
@j4nn Btw, I bought a new XZ2 Premium phone but the docomo version. And I just found out that the docomo version can't use the global ROM. So can the docomo version use temp root?
@j4nn In my opinion, Sony might tie TrustZone to the TA partition; injecting any boot keys might lead to the removal of TA and cause some brick (I don't have any devices on the Yoshino platform to test out, just my thought).
Have you read this?
US20120190338A1 - Method for changing an operating mode of a mobile device - Google Patents
A method for changing an operating mode of a mobile device is provided. According to the method, a request from the user of the mobile device to change from a first operating mode to a second operating mode is received. In response to the received request a credential is requested from the user...
patents.google.com
Thanks for your work @j4nn. I hope this could help in enabling VoLTE on my SOV36 and also to be able to flash the dual SIM fw G8432, as every time I flash the G8342 fw I get no SIM detected. In regards to VoLTE I already tried other guides here, also with the help of your exploit for Oreo. However still no luck, and just recently I noticed the camera opens but doesn't work. Hope you can release the exploit for Pie, of course once you reach your goal about the TrustZone, especially for me and others who own the SOV36 variant as this doesn't allow unlocking the BL. Basically what I can do to contribute is just test builds and provide feedback.
Related
Just a short notice about a recently patched bug.
Link: https://source.android.com/security/advisory/2016-03-18.html
Google patched this vulnerability in its latest 3-18 kernels. In fact my team has been studying this vulnerability since last Dec and the conclusion has been made that this is HIGHLY exploitable. So if you expect a permanent/temporary (in case of dm-verity) root on your device, my suggestion is to hold any further OTA/update.
[OVER]
mark
On the Xperia Z5 forums there are a lot of people waiting for "temporary root privileges" in order to back up a special DRM partition that gets erased with bootloader unlock but is necessary for warranty purposes by Sony.
Just temporary because we have Verified Boot (dm-verity) protection on our devices.
There's also a bounty for this: http://forum.xda-developers.com/z5-compact/general/bounty-z5-compact-root-locked-t3242226
Here we started a thread about this specific exploit: http://forum.xda-developers.com/xperia-z5/general/cve-2015-1805-lb-root-waited-t3343839
Lollipop 5.1.1 firmwares of September/October 2015 seem exploitable.
Hope you can get a working exploit
thanks
ninestarkoko said:
On the Xperia Z5 forums there are a lot of people waiting for "temporary root privileges" in order to back up a special DRM partition that gets erased with bootloader unlock but is necessary for warranty purposes by Sony.
Just temporary because we have Verified Boot (dm-verity) protection on our devices.
There's also a bounty for this: http://forum.xda-developers.com/z5-compact/general/bounty-z5-compact-root-locked-t3242226
Here we started a thread about this specific exploit: http://forum.xda-developers.com/xperia-z5/general/cve-2015-1805-lb-root-waited-t3343839
Lollipop 5.1.1 firmwares of September/October 2015 seem exploitable.
Hope you can get a working exploit
thanks
Thanks. I'm not using Sony devices myself so I'm not able to test. But anyone interested in making an exploit can refer to my PoC and continue the work.
idler1984 said:
Thanks. I'm not using Sony devices myself so I'm not able to test. But anyone interested in making an exploit can refer to my PoC and continue the work.
Thank you very much for the interest!
Unfortunately I am not able to accomplish the job myself, as I've limited knowledge of the Linux kernel, but I'm confident some developer will help.
I'm curious to see "live" or "tethered" root solutions, maybe along with the "mini-system partition overlay in /data" idea as described here: http://www.xda-developers.com/galaxy-s7-bootloader-lock-explained-you-might-not-get-aosp-after-all/
especially for devices with non-unlockable bootloaders.
Hello to all great developers.
As we know, Sony Xperia devices are affected by the 'Spectre' and 'Meltdown' CPU vulnerabilities.
So is it possible to use these vulnerabilities and make a tool that can back up the TA partition of the Xperia XZ Premium?
@munjeni
@DevShaft
@rayman
@serajr
@IgorEisberg
@zxz0O0
@AdrianDC
@sToRm//
Yes, it would be possible.
Someone just has to write something for it.
This would also be possible by abusing any critical vulnerability listed in the Android security bulletin.
zohaib0001 said:
Hello to all great developers.
As we know, Sony Xperia devices are affected by the 'Spectre' and 'Meltdown' CPU vulnerabilities.
So is it possible to use these vulnerabilities and make a tool that can back up the TA partition of the Xperia XZ Premium?
You didn't ask @sToRm//
Taking this further, is it possible to gain root access without having to unlock the bootloader and flash a custom ROM? The reason I ask is that there are a number of users out here with locked bootloaders who are unable to unlock them.
dazza9075 said:
Taking this further, is it possible to gain root access without having to unlock the bootloader and flash a custom ROM? The reason I ask is that there are a number of users out here with locked bootloaders who are unable to unlock them.
No
dazza9075 said:
Taking this further, is it possible to gain root access without having to unlock the bootloader and flash a custom ROM? The reason I ask is that there are a number of users out here with locked bootloaders who are unable to unlock them.
Spectre and Meltdown can only read kernel data as far as I'm aware.
TA backups would probably also take longer than usual using this, since those exploits aren't the fastest from the demos I've seen.
Mackay53 said:
No
Chocolate tea Pot
BigBrainAFK said:
Spectre and Meltdown can only read kernel data as far as I'm aware.
TA backups would probably also take longer than usual using this, since those exploits aren't the fastest from the demos I've seen.
Ok, so the exploits can read kernel-level information but can't execute it, which would mean they can't execute code to root a device, ok.
But would it be possible to read and exploit other apps running, or gain access to memory that system apps or services are using, which in turn could allow further exploits? I have no idea, but it seems to me if we can take information out of secure memory, then if the right info was there to be taken, perhaps that might be useful?
Any update ?
This sounds very interesting... anybody here to help?
Almost April. Hope there will be a TA backup tool based on Spectre and Meltdown soon. I keep my XZP at the 1st firmware of Oreo only for this purpose. XD So laggy, but I won't move to the current version unless I get the TA backed up.
I'm holding back updates as well for this reason.
However, seeing that most people have already updated and that there's no one working in this direction, I don't think there's a reason to keep doing this.
4rz0 said:
I'm holding back updates as well for this reason.
However, seeing that most people have already updated and that there's no one working in this direction, I don't think there's a reason to keep doing this.
I think this is possible, though I don't have the skill to write an exploit for it.
First, the Meltdown vulnerability probably doesn't exist on the SD835, so we're relegated to the Spectre variants.
But essentially, it should be a matter of writing a Spectre exploit that can read the private TA sectors by priming the cache with known data, then speculatively calling functions which rely on calls to the private TA functions.
At the very least, it should, theoretically, be possible to get the device specific keys.
That said, I'm still applying updates to my XZ1c, simply because I don't want other people exploiting my device.
If you're holding back on updates, you may want to consider the fact that you can still revert back to older firmware versions if an exploit does become available. So even if you take an update, you could manually flash the device to an older firmware later.
On the XZ1c, the bootloader changed from LA1_1_O_77 with firmware 47.1.A.2.374 to version LA1_1_O_79 in firmware 47.1.A.5.51. I suspect that you can still flash the older bootloader, since the signing key's version signature hasn't changed, but I just choose to not flash the newer bootloader.
Basically, if you're paranoid that Sony will lock you out of flashing older firmware:
1 - Wait to see if anyone is reporting that you can't go back to an older firmware version.
2 - Don't flash updated bootloader versions if you don't have to, and
3 - Don't worry about updating everything else.
Otherwise, you're just risking your own security for no real benefit if you aren't keeping your firmware updated.
I know your idea.
But flashing backward will most likely ruin your data section.
And some apps just don't allow you to perform "adb backup",
like some apps with security concerns, or the authors of them just don't want their data to be analyzed.
So that's one point why I don't wanna upgrade.
pbarrette said:
I think this is possible, though I don't have the skill to write an exploit for it.
First, the Meltdown vulnerability probably doesn't exist on the SD835, so we're relegated to the Spectre variants.
But essentially, it should be a matter of writing a Spectre exploit that can read the private TA sectors by priming the cache with known data, then speculatively calling functions which rely on calls to the private TA functions.
At the very least, it should, theoretically, be possible to get the device specific keys.
That said, I'm still applying updates to my XZ1c, simply because I don't want other people exploiting my device.
If you're holding back on updates, you may want to consider the fact that you can still revert back to older firmware versions if an exploit does become available. So even if you take an update, you could manually flash the device to an older firmware later.
On the XZ1c, the bootloader changed from LA1_1_O_77 with firmware 47.1.A.2.374 to version LA1_1_O_79 in firmware 47.1.A.5.51. I suspect that you can still flash the older bootloader, since the signing key's version signature hasn't changed, but I just choose to not flash the newer bootloader.
Basically, if you're paranoid that Sony will lock you out of flashing older firmware:
1 - Wait to see if anyone is reporting that you can't go back to an older firmware version.
2 - Don't flash updated bootloader versions if you don't have to, and
3 - Don't worry about updating everything else.
Otherwise, you're just risking your own security for no real benefit if you aren't keeping your firmware updated.
XDA today published an article about a vulnerability in the OnePlus 6 bootloader that allows the booting of a custom boot.img image without unlocking the bootloader. This is of course a huge security risk but I'm sure OnePlus will patch it in an upcoming update. In the mean time, let's have some fun!
Back in the good old days of the Nexus 4, it was possible to install an app that would write boot config data to the device from userland, with root, to toggle the bootloader between the locked and unlocked states. The object of this post? Do this as a community for the OnePlus 6!
Why do this?
There are two major gains to being able to do this:
Security: once a device is rooted we'd be able to re-lock the bootloader to prevent tampering or unauthorised images from being booted whilst keeping the perks of being rooted
Netflix HD: Widevine L1 keys aren't accessible when the Bootloader is unlocked. This way, we may be able to get our Widevine keys accessible again to get HD Netflix with root
I attempted to reverse some of the bootloader on my own a few weeks back but didn't have much luck. With this vulnerability, my thoughts are that we could dump the data partitions with a locked device (that is exploited using this trick) and compare them with an unlocked device. This might give us the magic data that the bootloader uses to determine whether a device is locked or unlocked. Then, in theory, we should be able to toggle this data from userland. The only caveat to this is that I don't know whether the unlock state is stored somewhere in the TrustZone or if it is written to the flash like they did back in the Nexus days.
I honestly have no idea whether this will work, but surely it's worth a shot? Just for reference, I recommend we look at diffing following partitions before and after locking:
param
sec
sti
ssd
frp
config
misc
We should also, to ensure there is no confusion, stick to OOS 5.1.5 stock + Magisk for root. Images of the above partitions can be obtained using dd.
If anybody has any further tips on bootloaders that either proves that this won't work, or perhaps can suggest other places this lock data could be stored, please do let me know!
NB: getting this data will involve at least one full data wipe of the phone so it might take time to dump the data, switch lock state then dump it again.
I also strongly suspect that we might hit the issue of Android Verified Boot noticing that the device is locked (but has a modified boot image when rooted). This would depend on whether the Android security checks are implemented as per the Android Verified Boot specification.
Who's in?
Couldn't you just hide Netflix HD from root detection in Magisk?
dgunn said:
Couldn't you just hide Netflix HD from root detection in Magisk?
No. With an unlocked bootloader the device is switched to Widevine level 3 instead of level 1. This means no HD playback in Netflix (and I believe Amazon) regardless of Magisk hide status. This may be the new normal for all unlocked devices with the Qualcomm SD 845 or newer.
blackthund3r said:
Security: once a device is rooted we'd be able to re-lock the bootloader to prevent tampering or unauthorised images from being booted whilst keeping the perks of being rooted
Are you sure about this? On Nexus 4 days Android didn't check at boot that all partitions were correct in order to boot, since some version ago it does (DM-verity). Are you sure you can re-lock the phone with root (system or boot modified) and still boot normally to userspace?
RusherDude said:
Are you sure about this? On Nexus 4 days Android didn't check at boot that all partitions were correct in order to boot, since some version ago it does (DM-verity). Are you sure you can re-lock the phone with root (system or boot modified) and still boot normally to userspace?
Well, I can confirm that with SafetyNet test passing, and Magisk hide enabled for Netflix, I can not get HD streaming.
This is highly interesting. I will be following this thread constantly. Thanks for opening this discussion.
So does this vulnerability allow flashing or booting of TWRP through fastboot without unlocking the bootloader? I am interested in keeping Netflix HD and gaining root access, but don't want to brick the device. I know that under normal circumstances you always unlock the bootloader before flashing any mods, but was curious about some devs' thoughts on it.
Interesting read. You can root the device without an unlocked bootloader:
https://www.androidcentral.com/oneplus-6-bootloader-vulnerability-lets-anyone-access-your-phone?amp
The question is whether we can keep this feature open and force it to stay open.
Unfortunately the OnePlus bootloader doesn't support EIO mode, so it can't boot if anything is modified.
akaHardison said:
Unfortunately the OnePlus bootloader doesn't support EIO mode, so it can't boot if anything is modified.
Not true, I booted a Magisk-patched boot image and installed some modules.
Is there maybe another method to root and hold SafetyNet for Widevine L3?
joemossjr said:
Not true, I booted a Magisk-patched boot image and installed some modules.
And did you also install Magisk to the boot img?!
Widevine L1 + V4A would make me very happy. Perhaps we should add a financial incentive like a bug bounty? I would certainly contribute some loot for this noble cause!
Since some people with OP5s and OP5Ts sent their phone to OP for L1 with the bootloader unlocked, I wonder if OP would consider offering a similar service. Even if it wasn't completely free I would probably do it, unless it required re-locking the bootloader...
Hello,
I turn to the kindness and experience of the forum to advise me on the basic questions about rooting the Sony XZ Premium (G8142), since I spent several hours reading and searching the forum for information, but everything that is there is scattered, so I would like to know from those who directly did it whether it is worth it. Also, in order to help other users who are looking for concise information, they can have this link as a reference to clear up all the most common doubts in one place.
My doubts are the following:
Is it advisable to root?
I have been researching the camera problems, which Android 9 no longer has, but another article describes that we lose the video enhancement X-Reality, DSEE HX, ClearAudio+, Widevine L1. All this arises because a certain system partition (TA) is erased when we unlock the bootloader. Does anyone have info on how to remedy all these losses? Do custom ROMs fix this?
DRM issues: This is also something that was not clear to me. First do the DRM backup; in order to be able to back up the partition with the locked bootloader I still need to run the temporary root. For that I need to downgrade the system to version 8 (G8142_47.1.A.16.20). Then run command lines to create the backup with the help of the tool that a forum user created. Please correct me if I'm wrong.
* The question is first to downgrade (Android 8),
* temporary root,
* then create the backup.
* Unlock bootloader from sony page
* then to restore the backup again, or not? Does restoring the backup lock and leave the device to a previous state? (undoing the changes), or does it just fix the DRM problem?
* In short, is it advisable to unlock the bootloader with Android 9 or earlier?
* Is it advisable to create the DRM backup?
* In which case would I have to restore this backup?
I have also seen that they mention a paid software that does all the work by itself; I do not know if it is for Android 9. It is just a matter of connecting the device in fastboot mode, then it automatically executes TWRP, root, repairs DRM, but the cost of the software in my country is something difficult to pay, which is why I am gathering as much information as possible before executing any procedure.
Custom ROMs: Regarding the user experience, does anyone have information about the ROM that is more stable and recommended for this device? Does it cover all the holes or bugs left by erasing DRM after unlocking the bootloader?
I hope the reference text of what I write can be understood since my native language is Latin American Spanish, and I am using the Google translator.
I would appreciate any kind of suggestion or experience in this regard. Thank you.
First of all, have you seen these threads:
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Tools to backup TA partition (drm keys) of Xperia XZ1 Compact by j4nn https://j4nn.github.io/ As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera...
forum.xda-developers.com
[XZp] rooted kernel hiding bootloader unlock with working fota
rooted kernel hiding bootloader unlock with working sony stock fw fota updates for Sony Xperia XZ Premium Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader. Also many sony...
forum.xda-developers.com
It's all there really, explained step by step. Thanks to @j4nn you can run stock firmware with superuser access concealed from the system so that it doesn't know the phone is unlocked, with all the DRM-restricted functionality still available.
The relative benefits of unlocking depend on your specific needs. But considering there are no more official updates, being able to use aftermarket firmware like this: https://forum.xda-developers.com/t/rom-lineageos-18-1-unofficial-updated-2021-3-31.4221427/ already makes it worthwhile in my opinion.
The only drawback of an unlock is that there is a scary message displayed on every boot, which also adds 1 or 2 seconds to the startup sequence.
Regardless of whether you decide to unlock or not, there is no downside to having a TA backup. It might come useful one day.
All you need is Android Platform Tools (adb, fastboot), and: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ There is no need to pay for any of these, although you can donate to @j4nn and @munjeni: they both put a lot of effort into making this possible.
Aqq123 said:
First of all, have you seen these threads:
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Tools to backup TA partition (drm keys) of Xperia XZ1 Compact by j4nn https://j4nn.github.io/ As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera...
forum.xda-developers.com
[XZp] rooted kernel hiding bootloader unlock with working fota
rooted kernel hiding bootloader unlock with working sony stock fw fota updates for Sony Xperia XZ Premium Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader. Also many sony...
forum.xda-developers.com
It's all there really, explained step by step. Thanks to @j4nn you can run stock firmware with superuser access concealed from the system so that it doesn't know the phone is unlocked, with all the DRM-restricted functionality still available.
The relative benefits of unlocking depend on your specific needs. But considering there are no more official updates, being able to use aftermarket firmware like this: https://forum.xda-developers.com/t/rom-lineageos-18-1-unofficial-updated-2021-3-31.4221427/ already makes it worthwhile in my opinion.
The only drawback of an unlock is that there is a scary message displayed on every boot, which also adds 1 or 2 seconds to the startup sequence.
Regardless of whether you decide to unlock or not, there is no downside to having a TA backup. It might come useful one day.
All you need is Android Platform Tools (adb, fastboot), and: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ There is no need to pay for any of these, although you can donate to @j4nn and @munjeni: they both put a lot of effort into making this possible.
Thank you very much for answering my question, you have clarified several points that I had scattered about.
I still have some doubts after reading more comments on the links that you have suggested. Perhaps you have an answer to these doubts:
I have read that a user lost video enhancements, perhaps because he did something wrong here:
temp root for drm keys backup - anybody still interested?
--- edit 2018-11-03 --- Tools to backup TA partition before bootloader unlock have been released. Just check the [XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented thread. --- Just wondering if there is already drm keys backup...
forum.xda-developers.com
post #72 sulistyoarif:
Only Video Image Enhancement didn't work for me.
I have seen some videos on the YouTube profile of the user j4nn where he has all the libraries without problems, working perfectly, including the video image enhancements.
About the installation processes for firmware: I did a clean installation of firmware version 9, latest build, with Xperia Flashtool without problems. Do you think that I will be able to downgrade with Xperia Flashtool without problems with the libraries or anything else? I think that experience serves me better than the tutorials.
For the rest of my information I found these steps:
* downgrade
* do not flash persist.sin
1) Use temp root and back up the TA image
2) Unlock bootloader
3) Flash newest firmware (or your choice)
4) Set up the phone temporarily and copy magisk files to the phone
5) Flash TWRP and temporarily boot with TWRP (fastboot boot twrp.img)
6) Flash magisk and reboot
7) Check root privilege
8) Restore the TA image and check DRM
8.1) (optional) factory reset if any FC issue
"Now You have unlocked and rooted phone with full DRM Support including OTA Support.
Everything is tested and working for XZP and XZP Dual"
Thanks again for the help and taking the time to read my post.
@sergioemmr
It should work like you describe it, except with newflasher: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ FlashTool is for older devices.
That guy did something wrong, so don't be like him. Just follow @j4nn's instructions.
You can downgrade to an earlier firmware on this device, no problem here. Do not flash persist.sin like you said, and you're good to go. If you run into any problems, just post in that thread, and you'll get more people's attention.
Aqq123 said:
@sergioemmr
It should work like you describe it, except with newflasher: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ FlashTool is for older devices.
That guy did something wrong, so don't be like him. Just follow @j4nn's instructions.
You can downgrade to an earlier firmware on this device, no problem here. Do not flash persist.sin like you said, and you're good to go. If you run into any problems, just post in that thread, and you'll get more people's attention.
What's the deal with persist.sin? I used Flashtool to downgrade and managed to extract the unlocked TA file. Did I somehow void the TA key?
Hi
I have an xperia 5
I want to unlock the bootloader
But I noticed that DRM will be disabled after unlocking the bootloader
I want to know if there is a way to backup the DRM and restore it after unlocking the bootloader
[xperia 1/5] temp root exploit via CVE-2020-0041 including magisk setup
temp root exploit for sony XPERIA 1 and XPERIA 5 with android 10 firmware including temporal magisk setup from the exploit The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9. This is a modification of the Pixel 3...
forum.xda-developers.com
I noticed this thread, which seems to make backups possible
But, how to export and restore the DRM?
Unless Sony is doing something out of the ordinary, the DRM key is not the issue. When the bootloader is unlocked, the device will fail Play Integrity, which most apps use as a measure of hardware and system integrity. You can fix this with a Magisk module.
More information here
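For app developers following this, the Play Integrity check mentioned above is only as good as the backend that inspects the verdict. The following is an added illustration, not code from this thread or from Google: it takes an already-decrypted verdict payload (the field names are the real Play Integrity ones; the sample verdicts are constructed, and the nonce, package name and 10-minute freshness window are assumed policy) and decides whether the device clears the device-integrity bar, which a device with an unlocked bootloader normally does not.

```python
import json
import time

# Labels returned in deviceIntegrity.deviceRecognitionVerdict (cumulative:
# STRONG implies DEVICE implies BASIC; an unlocked bootloader usually
# yields at most BASIC, or an empty list).
BASIC = "MEETS_BASIC_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
STRONG = "MEETS_STRONG_INTEGRITY"

MAX_AGE_MS = 10 * 60 * 1000  # assumed policy: reject verdicts older than 10 min


def check_verdict(payload_json, expected_nonce, expected_package,
                  now_ms=None, require=DEVICE):
    """Return (accepted, reason) for a decrypted Play Integrity verdict.

    payload_json: decrypted and signature-verified token payload as JSON text.
    expected_nonce / expected_package: what this backend issued and serves.
    require: minimum device verdict label needed to accept the device.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        v = json.loads(payload_json)
    except json.JSONDecodeError:
        return False, "malformed payload"

    req = v.get("requestDetails", {})
    # Bind the verdict to this session and this app; otherwise a token
    # obtained on another device or session could simply be replayed.
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if req.get("requestPackageName") != expected_package:
        return False, "package mismatch"
    ts = req.get("timestampMillis")
    if not isinstance(ts, int) or ts > now_ms or now_ms - ts > MAX_AGE_MS:
        return False, "stale or future timestamp"

    app = v.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized: %s" % app.get("appRecognitionVerdict")

    labels = set(v.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if require not in labels:
        return False, "device integrity insufficient: %s" % sorted(labels)
    return True, "ok"


# Constructed sample verdicts (not real tokens): one from a locked device,
# one from a device that only reaches BASIC, as an unlocked bootloader would.
NOW = 1_700_000_000_000
_LOCKED = {
    "requestDetails": {"requestPackageName": "com.example.app",
                       "nonce": "n1", "timestampMillis": NOW - 5000},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": "com.example.app", "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": [BASIC, DEVICE]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}
_UNLOCKED = dict(_LOCKED, deviceIntegrity={"deviceRecognitionVerdict": [BASIC]})
LOCKED_JSON = json.dumps(_LOCKED)
UNLOCKED_JSON = json.dumps(_UNLOCKED)

if __name__ == "__main__":
    for name, payload in (("locked", LOCKED_JSON), ("unlocked", UNLOCKED_JSON)):
        print(name, check_verdict(payload, "n1", "com.example.app", now_ms=NOW))
```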
V0latyle said:
Unless Sony is doing something out of the ordinary, the DRM key is not the issue. When the bootloader is unlocked, the device will fail Play Integrity, which most apps use as a measure of hardware and system integrity. You can fix this with a Magisk module.
More information here
Hi
I have not used Sony for about 8 years.
I remember that Sony is using it to protect some patented technology.
If the key disappears after unlocking the bootloader,
after that the phone will permanently lose some functions.