All my unsolved questions researching before XZ Premium Bootloader Unlock. Please read. - Sony Xperia XZ Premium Questions & Answers

Hello,
I am relying on the kindness and experience of the forum to advise me on the basic questions about rooting the Sony XZ Premium (G8142). I have spent several hours reading and searching the forum for information, but everything there is scattered, so I would like to hear from those who have actually done it whether it is worth it. Also, to help other users looking for concise information, they could use this thread as a reference to clear up all the most common doubts in one place.
My doubts are the following:
Is it advisable to root?
I have been researching the camera problems, which Android 9 no longer has, but another article describes that we lose the X-Reality video enhancement, DSEE HX, ClearAudio+ and Widevine L1. All this happens because a certain system partition (TA) is erased when we unlock the bootloader. Does anyone have information on how they remedied all these losses? Do custom ROMs fix this?
DRM issues: This was also not clear to me. First, back up the DRM. In order to back up the partition with the bootloader still locked, I need to run the temporary root. For that I need to downgrade the system to version 8 (G8142_47.1.A.16.20). Then run command lines to create the backup with the help of the tool that a forum user created. Please correct me if I am wrong.
* The question is: first downgrade (Android 8),
* temporary root,
* then create the backup,
* unlock the bootloader from the Sony page,
* then restore the backup again, or not? Does restoring the backup re-lock the device and leave it in its previous state (undoing the changes), or does it just fix the DRM problem?
* In short, is it advisable to unlock the bootloader with Android 9 or earlier?
* Is it advisable to create the DRM backup?
* In which case would I have to restore this backup?
I have also seen that they mention paid software that does all the work by itself. I do not know if it is for Android 9; it is just a matter of connecting the device in fastboot mode, then it automatically runs TWRP, roots, and repairs DRM. But the cost of the software is hard to pay in my country, which is why I am gathering as much information as possible before executing any procedure.
Custom ROMs: Regarding the user experience, does anyone have information about which ROM is the most stable and recommended for this device? Does it cover all the holes or bugs left by erasing the DRM after unlocking the bootloader?
I hope the text I write can be understood, since my native language is Latin American Spanish and I am using Google Translate.
I would appreciate any kind of suggestion or experience in this regard. Thank you.

First of all, have you seen these threads:
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Tools to backup TA partition (drm keys) of Xperia XZ1 Compact by j4nn https://j4nn.github.io/ As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera...
forum.xda-developers.com
[XZp] rooted kernel hiding bootloader unlock with working fota
rooted kernel hiding bootloader unlock with working sony stock fw fota updates for Sony Xperia XZ Premium Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader. Also many sony...
forum.xda-developers.com
It's all there really, explained step by step. Thanks to @j4nn you can run stock firmware with superuser access concealed from the system so that it doesn't know the phone is unlocked, with all the DRM-restricted functionality still available.
The relative benefits of unlocking depend on your specific needs. But considering there are no more official updates, being able to use aftermarket firmware like this: https://forum.xda-developers.com/t/rom-lineageos-18-1-unofficial-updated-2021-3-31.4221427/ already makes it worthwhile in my opinion.
The only drawback of an unlock is that there is a scary message displayed on every boot, which also adds 1 or 2 seconds to the startup sequence.
Regardless of whether you decide to unlock or not, there is no downside to having a TA backup. It might come useful one day.
All you need is Android Platform Tools (adb, fastboot), and: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ There is no need to pay for any of these, although you can donate to @j4nn and @munjeni: they both put a lot of effort into making this possible.

Aqq123 said:
First of all, have you seen these threads: ...
Thank you very much for answering my question; you have clarified several points that I had scattered about.
I still have some doubts after reading more comments on the links you suggested. Perhaps you have an answer to these doubts:
I have read that a user lost the video enhancements, perhaps because he did something wrong here:
temp root for drm keys backup - anybody still interested?
--- edit 2018-11-03 --- Tools to backup TA partition before bootloader unlock have been released. Just check the [XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented thread. --- Just wondering if there is already drm keys backup...
forum.xda-developers.com
post #72 sulistyoarif:
Only Video Image Enhancement didn't work for me.
I have seen some videos on the YouTube profile of the user j4nn where he has all the libraries working perfectly without problems, including the video image enhancements.
About the firmware installation process: I did a clean installation of the latest build of firmware version 9 with Xperia flashtool without problems. Do you think I will be able to downgrade with Xperia flashtool without problems with the libraries or anything else? I think that experience serves me better than the tutorials.
For the rest of my information, I found these steps:
* downgrade
* do not flash persist.sin
1) Use temp root and backup TA image
2) Unlock bootloader
3) Flash newest firmware (or your choice)
4) Set up phone temporarily and copy magisk files to phone
5) Flash twrp and temporarily boot with twrp (fastboot boot twrp.img)
6) Flash magisk and reboot
7) Check root privilege
8) Restore TA image and check DRM
8.1) (optional) factory reset if any FC issue
"Now you have an unlocked and rooted phone with full DRM support including OTA support.
Everything is tested and working for XZP and XZP Dual"
Thanks again for the help and taking the time to read my post.

@sergioemmr
It should work like you describe it, except with newflasher: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ FlashTool is for older devices.
That guy did something wrong, so don't be like him. Just follow @j4nn's instructions.
You can downgrade to an earlier firmware on this device, no problem here. Do not flash persist.sin like you said, and you're good to go. If you run into any problems, just post in that thread, and you'll get more people's attention.

Aqq123 said:
It should work like you describe it, except with newflasher: ...
What's the deal with persist.sin? I used flash tool to downgrade and managed to extract the unlocked-ta file. Did I somehow void the TA key?

Related

Going from Z to Z5 Compact - downgrade to 4.42?

Evening all,
Just placed an order for the Z5 Compact after my Z has started playing up after 3 years of use.
Basically I had mine rooted a long time ago, and I haven't really touched it since or done any rooting/customization in ages, and I'm drawing a blank..
Basically I want to root the Z5 and downgrade to the 4.42 firmware as I have on my Z, as I dislike the 5.51 software; the menu options etc. look very tacky for a stock Sony layout, and it looks like 6 Marshmallow is the same.
Is this feasible or recommended?
Is there a step-by-step guide I can follow, as I am seriously ****e with computers and all this stuff? I also wanted to learn about, and whether there are guides on, how I can customise the menu etc. if I keep 5.51 or even upgrade to 6.0, root the device, install a custom theme and change the menu layout etc.?
Is this possible at all? I know people have custom software, but I haven't a clue how to go about rooting it, let alone customising it...
Any help much appreciated!
There is no 4.4.2 firmware available for z5 series...
Daniel_GB said:
There is no 4.4.2 firmware available for z5 series...
Lol, cool, well that answers that. Can the menu/settings etc. be customized and changed?
kam90 said:
lol cool well that answers that, can the menu/ settings etc be customized and changed,
I don't think you can customize settings menu in stock roms...
Daniel_GB said:
I don't think you can customize settings menu in stock roms...
I'm planning on rooting from 5.51; I found a decent guide using the command prompt, so it should be easy, I hope! Is there an app/program downloadable after root which will allow me to apply custom themes/menu layouts?
I can only remember SuperSU, and there's an Aptoide one I had, iirc.
Hey, no offense, but I'd suggest you read and learn a bit more about rooting newer Xperia devices before you make any mistake. It's for sure no easy thing if you aren't much into this stuff. Just to mention one thing: at this moment there is no way to root the Z5 with a locked bootloader. Unlocking your bootloader means that you most probably lose your warranty and the DRM keys. Those keys can be simulated by a workaround, but in fact they are gone forever without any chance to restore them.
In the end, rooting the Z5 now is a process of unlocking the bootloader (via flashtool or adb), flashing a kernel via adb, flashing TWRP recovery via adb and finally installing SuperSU via a TWRP flash.
These should be enough keywords to google for, and/or to get knowledge here in the XDA forums. Once again, I can only advise you to read all those guides twice....
VorlonKosh said:
Hey, no offense, but I'd suggest you read and learn a bit more about rooting newer Xperia devices before you make any mistake. ...
DRM keys aren't really required though, are they? Are they not restorable, or is there a way to back them up beforehand? I've googled Z5 Compact root and I've got loads of links in the search results though.
Voiding the warranty of a new device, and God knows what will happen with restored fake DRM keys with further updates; and no, there is NO rooting the Z5 series with the bootloader locked for now. I doubt there will ever be a method, but I hope I'm wrong. You might want to reconsider the Z5 series; replace your Z with a Z3 that is easily rootable even with a locked BL and is on the Marshmallow list.
kam90 said:
DRM keys arent really required though are they? are they not restorable/ way to back them up prior, ive googled Z5 compact root and ive got loads of links on search results though
Well, the DRM keys are required for e.g. X-Reality, camera post-processing, PS controller support and much more. At the moment the DRM restore patch works, but who knows, Google or Sony could counter-patch this as well. You can only back them up with root. To get root you need to unlock your bootloader first. Unlocked bootloader = DRM keys lost forever. You can't lock your bootloader without the original DRM keys, and with an unlocked bootloader you don't have OTA updates and PC Companion won't work anymore. That means you always have to update manually with flashtool.
Really?! Because with my Z I could link up with PC Companion and do a factory reset, which wiped out the root and everything on it when it froze up..
What about the main thread on this forum... is there any other reading or threads/guides in relation to this?

Unable to get OTA updates on Xperia Z5

Hello! I'm new here and actually the main purpose of my registration on this wonderful website is the amount of helpful and skillful people I saw in various threads I read before, giving me hope for the solution of my problem.
As stated in the title, I'm currently unable to get OTA updates on my phone.
Some time ago I unlocked the bootloader (so my bl is unlocked now) in order to have my Z5 rooted. Apparently something went awfully wrong while flashing the TWRP or perhaps I was just awfully stupid and missed a step... Anyways I ended up without any OS and started searching on the web for some solutions.
I came across FlashTool and XperiFirm, then downloaded and flashed the (at the time) latest firmware, which is the one I currently have (Service Menu shows "GENERIC_32.2.A.0.224"). So now my phone seems perfectly fine: stock ROM, no custom recovery (as far as I know), no root privileges. The only problem it shows is the fingerprint hardware that stops working every once in a while; something a simple reboot fixes.
But I have been unable to update since then, with my "software update" tab showing no available updates (nor could I get one via Sony PC Companion, furthermore getting errors while trying to repair the software), while under "diagnostics" it clearly says "new software available".
I just want to get everything back as it was before, and to get my OTA updates to work; I'm not interested in custom ROMs or custom recoveries or SU.
I apologize in advance in case an identical thread had already been opened and closed; I hope you guys can help me solve this mess I did.
Thanks a lot
I found out my problem is connected with the DRM Keys loss caused by unlocking the bootloader. I'll try this out: http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
scacio said:
I found out my problem is connected with the DRM Keys loss caused by unlocking the bootloader. ...
Once you have unlocked the bootloader, OTA updates don't work EVER; only manually flashing the FTF via flashtool will get you updated. If you unlocked the bootloader without backing up the DRM/TA keys, then re-locking the bootloader will NOT make OTA updates work. If you unlock the bootloader and then re-lock with the previously backed-up DRM/TA keys, OTA updates WILL work.
The DRM fix does NOT replace the missing DRM/TA keys; it merely tricks the device into thinking that those required for X-Reality, low-light conditions and noise reduction in the camera are there, to reactivate those features.
Also, DO NOT try to use another Xperia device's DRM/TA keys on your own unless you want a permanent paperweight.
Sent from my Xperia XA using XDA Labs
Ah, so I should have backed those up before unlocking the bootloader. It seems I'll have to spend a few minutes on flashtool every once in a while to get updates; never mind.
Anyway, is it worth it to try this DRM fix? I did not notice any changes to the quality of the camera.
And another noob question: if I flash this "modified kernel", will my device be wiped? Or do I just flash it, reboot the phone and enjoy DRM features?
Just a quick update to let you know: I have installed the DRM fix and rooted. The funny thing is that now I receive OTA updates.. but of course I'm unable to install them. Not that I want them anyway, so no problem. I have reconsidered the potential of a rooted device and started to appreciate the benefits; thanks for the help.

TA Backup by using ‘Spectre’ and ‘Meltdown’ CPU vulnerabilities

Hello to all great developers.
As we know, Sony Xperia devices are vulnerable to the 'Spectre' and 'Meltdown' CPU vulnerabilities.
So is it possible to use these vulnerabilities and make a tool that can back up the TA partition of the Xperia XZ Premium?
@munjeni
@DevShaft
@rayman
@serajr
@IgorEisberg
@zxz0O0
@AdrianDC
@sToRm//
Yes, it would be possible.
Someone just has to write something for it.
This would also be possible by abusing any critical vulnerability listed in the Android security bulletin.
zohaib0001 said:
Hello to all great developers. ...
You didn't ask @sToRm//
Taking this further, is it possible to gain root access without having to unlock the bootloader and flash a custom ROM? The reason I ask is that there are a number of users out here with locked bootloaders who are unable to unlock them.
dazza9075 said:
taking this further, is it possible to gain root access without having to unlock bootloader and flash a custom ROM? ...
No
dazza9075 said:
taking this further, is it possible to gain root access without having to unlock bootloader and flash a custom ROM? ...
Spectre and Meltdown can only read kernel data as far as I'm aware.
TA backups would probably also take longer than usual using this, since those exploits aren't the fastest from what demos I've seen.
Mackay53 said:
No
Chocolate teapot
BigBrainAFK said:
Spectre and Meltdown can only read kernel data as far as I'm aware. ...
Ok, so the exploits can read kernel-level information but can't execute it, which would mean it can't execute code to root a device, ok.
But would it be possible to read and exploit other running apps, or gain access to memory that system apps or services are using, which in turn could allow further exploits? I have no idea, but it seems to me that if we can take information out of secure memory, then if the right info was there to be taken, perhaps that might be useful?
Any update?
This sounds very interesting... anybody here to help?
Almost April. I hope there will be a TA backup tool based on Spectre and Meltdown soon. I keep my XXP on the first Oreo firmware only for this purpose. XD So laggy, but I won't move to the current version unless I get the TA backed up.
I'm holding back updates as well for this reason.
However, seeing that most people have already updated and that there's no one working in this direction, I don't think there's a reason to keep doing this.
4rz0 said:
I'm holding back updates as well for this reason. ...
I think this is possible, though I don't have the skill to write an exploit for it.
First, the Meltdown vulnerability probably doesn't exist on the SD835, so we're relegated to the Spectre variants.
But essentially, it should be a matter of writing a Spectre exploit that can read the private TA sectors by priming the cache with known data, then speculatively calling functions which rely on calls to the private TA functions.
At the very least, it should, theoretically, be possible to get the device specific keys.
That said, I'm still applying updates to my XZ1c, simply because I don't want other people exploiting my device.
If you're holding back on updates, you may want to consider the fact that you can still revert back to older firmware versions if an exploit does become available. So even if you take an update, you could manually flash the device to an older firmware later.
On the XZ1c, the bootloader changed from LA1_1_O_77 with firmware 47.1.A.2.374 to version LA1_1_O_79 in firmware 47.1.A.5.51. I suspect that you can still flash the older bootloader, since the signing key's version signature hasn't changed, but I just choose to not flash the newer bootloader.
Basically, if you're paranoid that Sony will lock you out of flashing older firmware:
1 - Wait to see if anyone is reporting that you can't go back to an older firmware version.
2 - Don't flash updated bootloader versions if you don't have to, and
3 - Don't worry about updating everything else.
Otherwise, you're just risking your own security for no real benefit if you aren't keeping your firmware updated.
I know your idea.
But flashing backward will most likely ruin your data section.
And some apps just don't allow you to perform "adb backup",
like some apps with security concerns, or whose authors just don't want data to be analyzed.
So that's one reason I don't want to upgrade.
pbarrette said:
I think this is possible, though I don't have the skill to write an exploit for it. ...

Xperia L2 Unlock/ Relock Issues, Need to relock but confused

Hi all, forgive me for my confusion.
Name: TKBS (new to root etc.)
Sony: Xperia L2, latest software & update
Bootloader: Unlocked
AIM/GOAL: Re-lock the bootloader, return the phone to its original state (without killing the phone, before 12 noon 25th June UK)
What I have done:
- I spent numerous days researching before I attempted to unlock the bootloader on my new Xperia L2.
The bootloader has been unlocked.
After unlocking it (which initially failed numerous times; I tried many different fastboot and device driver downloads) I then read about a "TA.img" and Sony "DRM keys".
- Well, I guess it's too late for that Sony-specific stuff now, since it looks like that needs a backup before unlocking the bootloader; however, every guide stated "to make a full system backup you need a rooted phone, which needs an unlocked bootloader to be rooted".
I would simply like to re-lock my bootloader and send the phone back to the store (not happy with the device), but I do not want to simply be given a link to a guide that will give me the same negative experiences as I have had before.
* I need a guaranteed 100% foolproof set of noob-friendly files and a guide/support to ensure my phone is returned to a locked bootloader without killing the phone; I would appreciate any support for this..
- If I am correct, I now need to root the phone and flash it with an official Sony ROM??
Here is a list of links and guides i have already looked at or used:
https://easy-firmware.com/home/browse/category/id/32512/
http://www.flashtool.net/downloads_windows.php
https://forum.xda-developers.com/xperia-z4/general/guide-safe-bootloader-unlock-restore-t3386915
https://forum.xda-developers.com/xp...nt/tool-z-flashtool-version-0-9-11-0-t2162907
https://forum.xda-developers.com/showthread.php?p=45653511#post45653511
https://twrp.me/app/
https://www.digitbin.com/sony-xperia-xz-unlock-bootloader-flash-twrp/
https://www.kingoapp.com/root-tutorials/how-to-unlock-bootloader-on-sony-phones.htm
Current Tools/ Downloads:
Sony PC Companion
TWRP for Sony L2??? --> "twrp-3.2.1-0-taoshan.img"
Latest Flash Tool??? ---> "flashtool-0.9.25.0-windows.exe"
UniversalAdbDriverSetup
CarbonSetup.msi
KingoRoot.apk
Helium_com.koushikdutta.backup.apk
dr.fone_com.wondershare.drfone.apk
RomasterSu_3.4.5_170811T1200_2075_r.apk
Magisk-v16.0.zip/ Magisk-uninstaller-20180429/ Mount-Magisk
Please do not send a barrage of comments about how I am stupid or how I have missed a link or a guide. As you can see from the above, the Sony L2 is not as simple to do this process with as other phones, and for a new person who has already basically ruined a new phone those comments will not help.. I am currently overwhelmed.
Many thanks in advance,
TKBS
End Notes:
I originally wanted to back up my entire phone as brand new. It looked like I needed to unlock the bootloader, root the phone, install software for backup, back up the phone, then use the backup to return it to its original state. I then learnt, after the bootloader was unlocked, that it affects Sony phones in some special way (deleted keys or something). I now want to return my phone back to normal. It is my understanding that I may need to "flash" a stock Sony ROM onto the phone to do this, but I will mess this up without 100% knowledge and understanding, which is why I am here.
TKBS_UnrealEngine said:
Hi all, Forgive me for my confusion...
I don't have this device, and I tried to search the forum a few different ways, but I can't locate more than one other thread, and that one is completely different from your question.
I did locate the following links, where you may be able to obtain some information and member guidance that's specific to your device.
These may be for unlocking, but you may find or obtain some guidance for a relock as well.
https://www.howardforums.com/showth...ia-L2-By-Unlock-Code-To-Work-With-Any-Network
https://www.howardforums.com/showthread.php/1904545-How-to-unlock-Sony-Xperia-L2-by-Unlock-Code
You may also be able to obtain some member guidance within one of the following Forum Threads from other sites as well...
https://talk.sonymobile.com/t5/Xperia-L2/bd-p/Xperia-L2
http://forum.gsmhosting.com/vbb/f1044/new-update-firmware-sony-xperia-06-05-2018-a-2415971/
http://forum.gsmhosting.com/vbb/f1044/new-update-sony-firmware-04-11-2018-a-2381286/
There are other resources out there, but the above links should give you a good start... :thumbup:
Good Luck!
~~~~~~~~~~~~~~~
I DO NOT provide support via PM unless asked/requested by myself. PLEASE keep it in the threads where everyone can share.
Thank you for taking the time to respond.
I will check those links to see if there is anything that can assist me, and I shall return to add helpful info that I find for other users with the same device.
Please note: Sony official support advises that the Sony Xperia L device pages are relevant to L1 and L2 users (just in case this helps).
I hope the store will accept the phone with the bootloader unlocked, but if they do not, and IF I get it locked again, I will write it up here and change the title/OP.
The links posted by the user above did not help.
They lead to unofficial, unnecessary files, another forum which has less activity than this one, and outdated links... Completely pointless.
I also discovered that "Xperia L2 does not support OTG / USB Host". I do not recommend this phone to anyone; it is a slap in the face to Sony fans, and the more I learn about it the more I am annoyed with this purchase. Will post progress if I make it.

Android PIE VerifiedBoot Bypass: sony xperia XZ1 locked bootloader permanently rooted

This thread is to announce a completely new vulnerability I've found within SONY XPERIA XZ1 Compact firmware.
It allows a verified boot bypass with the latest available Android Pie firmware (2019-09-01 security patch level, Sony version 47.A.2.11.228 released on 2019-10-10).
Please see below for YouTube video recordings showing the exploit and its possibilities.
Permanently rooting Android PIE without bootloader unlock - SONY XPERIA XZ1 Compact Verified Boot Bypass
LOS16 with locked BL
short preview of Lineage OS 16.0 booting instead of stock fw with still locked bootloader including magisk root
(first announced here as part of my previous kernel exploit thread)
verified boot bypass:
- fastboot-ing twrp
- permanently flashing twrp as recovery
- permanently rooting stock fw with magisk without unlocking bootloader
LOS16 from sd card
installing LOS16 as an alternate OS to sdcard for multiboot via recovery
LOS16 instead of stock fw with locked BL
dual booting two LOS16 installations, one replacing stock fw, the other from sd card
replacing the 2nd LOS16 with twrp recovery being happy with just one LOS16 replacing stock fw with still locked bootloader
Playlist of all the above available here.
Vulnerability impact
This could be used to inject any software into an Xperia phone, like a remote root backdoor or some eavesdropping spyware.
An exploit may be implemented in a way that it could survive full firmware re-flash from computer or even system fota upgrade, including factory reset, making it very powerful.
If used with another temp (or remote) root exploit, this vulnerability may be leveraged without user noticing anything, so an attacker may do persistent changes even when bootloader is still locked with verified boot active.
Vulnerability scope
The proof of concept exploit is working with sony xperia xz1 compact phone.
It can be extended to support the entire range of Xperia phones running the YOSHINO platform (Qualcomm Snapdragon 835) - XZ Premium, XZ1, XZ1 Compact (any of the single/dual SIM variants), including those that do not allow bootloader unlock, as that is not needed.
The first stage of the exploit has also been adapted for the SONY XPERIA XZ2, as documented here and in the following posts. That means the exploit could be extended to support the entire TAMA platform, i.e. Sony Xperia XZ2/XZ3 (Compact/Dual/Premium) phones.
There is a chance that the exploit could be adapted to any recent xperia phone released since yoshino platform. It has not been checked/proved either way though.
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Even though this exploit is very powerful, my ultimate goal is TrustZone code execution, hopefully allowing injection of custom verified boot keys and bootloader re-lock.
Unfortunately I can spend less and less time working on this stuff, so I would appreciate help from other developers, particularly those experienced with reverse engineering, to help me find a hole to get into TrustZone / Qualcomm Secure Execution Environment (QSEE).
I already have some ideas for very promising TZ attack vectors.
Please contact me if you would like to help me with TrustZone exploit development.
Thank you.
Please keep the thread clean
Please use the thanks button if you like my work.
Please post here only when you have something with real information value. General discussion may take place in my thread here.
Thank you.
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Android Attest Key thread
https://j4nn.github.io/
https://github.com/j4nn/
Hi, is it possible to root with locked BL on Xperia XZ2 Premium running Android 9?
So, you just flashed TWRP, LineageOS & Magisk like normal?
Mazellat said:
Hi, is it possible to root with locked BL on Xperia XZ2 Premium running Android 9?
@j4nn did adapt the same exploit of renoroot on the XZ2 which theoretically can be applied to the whole family since they are the same. But for now NO root on locked BL AFAIK.
YamiYukiSenpai said:
So, you just flashed TWRP, LineageOS & Magisk like normal?
No, he did a lot of work in order to find a new exploit that made him able to flash TWRP and lineage on a locked bootloader and be able to dualboot if he wants to.
@j4nn said in the OP that he wants this to be clean and for developers only who can help and general discussion will be found here https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510
@j4nn your work for the yoshino exploit is amazing, you have our respect, wish we could relock the BL so that I could sell my xzp with stock features.
j4nn said:
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Have you still decided what to do with it yet?
@Shahnewaz, well I put it aside - it is dangerous for general folks to use - really great risk of a brick.
Also I've released two new temp root exploits - one for xz1* phones and another one for xz2* phones, even allowing use of magisk from it, not difficult to start after each boot.
I would still welcome help with TrustZone exploit development - I have some progress there, but not enough time to do it alone.
Would the exploit also be possible with the 820 devices, or something similar?
Does the exploit for devices with LB have anything to do with treble implementation for the 835? Would like to accomplish a dual boot on XZ premium, and if possible have another that is an 820 with a LB; please advise.
This was probably the only option I had to extend the functional life of my SOV36. I just wish I knew that this would be the ONLY model with a locked bootloader.
Hi everyone,
My XZ1 has "Android attest key Not Provisioned" and "Fido Key Provisioned".
I had a problem with green camera in the past, but not anymore after update to Pie.
My question is: can I root without backing up DRM keys?
Moderator Edit, removal of attachment, showing IMEI.
How to format SD card and boot twrp ?
Wonderful. Can you tell me which fastboot partition is in /dev/block/. Thanks j4nn
@j4nn I overwrote the xfl file on /dev/block, and then my phone won't boot, can't enter flashmode or fastboot. Do you have a solution?
@Rhamadhany, why would you overwrite xfl partition?
What did you overwrite xfl partition with exactly?
Unfortunately I do not have a hard brick recovery method.
I have managed to get sony firehose boot image which works with xz1* EDL boot mode, but all commands are protected by sony sake auth (rsa2048), so it is not useful at all.
j4nn said:
@Rhamadhany, why would you overwrite xfl partition?
What did you overwrite xfl partition with exactly?
Unfortunately I do not have a hard brick recovery method.
I have managed to get sony firehose boot image which works with xz1* EDL boot mode, but all commands are protected by sony sake auth (rsa2048), so it is not useful at all.
I used the command dd, sorry. So there's no way to bring it back to life?
@j4nn Btw I bought a new xz2 premium phone but with the docomo version. And I just found out that the docomo version can't use global rom. So can the docomo version use temproot?
@j4nn In my opinion, Sony might tie TrustZone to the TA partition; injecting any boot keys might lead to the removal of TA and cause some brick (I don't have any devices in the Yoshino platform to test out, just my thought)
Have you read this?
US20120190338A1 - Method for changing an operating mode of a mobile device - Google Patents
A method for changing an operating mode of a mobile device is provided. According to the method, a request from the user of the mobile device to change from a first operating mode to a second operating mode is received. In response to the received request a credential is requested from the user...
patents.google.com
Thanks for your work @j4nn. I hope this could help in enabling VoLTE on my SOV36 and also to be able to flash dual SIM fw G8432, as every time I flash G8342 fw I get no SIM detected. In regards to VoLTE I already tried other guides here, also with the help of your exploit for Oreo. However still no luck, and just recently I noticed the camera opens but doesn't work. Hope you can release the exploit for Pie, of course once you got your goal about the TrustZone, especially for me and others who own the SOV36 variant, as this doesn't allow unlocking the BL. Basically what I can only do to contribute is just test builds and provide feedback.