Related
I haven't checked XDA in awhile because I gave up hope of ever having a good root solution for the Z5. But I have been looking around lately and have seen roms such as [ROM][E6653] Slim Stock 32.0.A.6.200 and the [LP][UB][ROOT][DRM][KERNEL][RECOVERY](TWRP3.0) Z5 ADV STOCK KERNEL (2016/03/04) (v1g) kernel. So as of now, I'm a little lost here. Of the 15+ Android phones I've had, this has been the most complicated.
I understand that root is possible by unlooking the bootloader and that as of now, there is no root solution for a locked bootloader. Are you now able to unlock the bootloader and root with phone without losing any features?
You still lose DRM. There is a possibility to trick the phone into thinking the DRM keys aren't wiped restoring the DRM features after unlocking the bootloader but the DRM is still missing.
Mr_Bartek said:
You still lose DRM. There is a possibility to trick the phone into thinking the DRM keys aren't wiped restoring the DRM features after unlocking the bootloader but the DRM is still missing.
Click to expand...
Click to collapse
So you'll lose DRM keys but you can still retain all the features? I hope the same will be true for the Marshmallow update.
That's right. We don't have a kernel to run modified system images on MM just yet so can't confirm nor deny it working.
XDA today published an article about a vulnerability in the OnePlus 6 bootloader that allows the booting of a custom boot.img image without unlocking the bootloader. This is of course a huge security risk but I'm sure OnePlus will patch it in an upcoming update. In the mean time, let's have some fun!
Back in the good old days of the Nexus 4, it was possible to install an app that would write boot config data to the device from userland, with root, to toggle the bootloader between the locked and unlocked states. The object of this post? Do this as a community for the OnePlus 6!
Why do this?
There are two major gains to being able to do this:
Security: once a device is rooted we'd be able to re-lock the bootloader to prevent tampering or unauthorised images from being booted whilst keeping the perks of being rooted
Netflix HD: Widevine L1 keys aren't accessible when the Bootloader is unlocked. This way, we may be able to get our Widevine keys accessible again to get HD Netflix with root
I attempted to reverse some of the bootloader on my own a few weeks back but didn't have much luck. With this vulnerability, my thoughts are that we could dump the data partitions with a locked device (that is exploited using this trick) and compare them with an unlocked device. This might give us the magic data that the bootloader uses to determine whether a device is locked or unlocked. Then, in theory, we should be able to toggle this data from userland. The only caveat to this is that I don't know whether the unlock state is stored somewhere in the TrustZone or if it is written to the flash like they did back in the Nexus days.
I honestly have no idea whether this will work, but surely it's worth a shot? Just for reference, I recommend we look at diffing following partitions before and after locking:
param
sec
sti
ssd
frp
config
misc
We should also, to ensure there is no confusion, stick to OOS 5.1.5 stock + Magisk for root. Images of the above partitions can be obtained using dd.
If anybody has any further tips on bootloaders that either proves that this won't work, or perhaps can suggest other places this lock data could be stored, please do let me know!
NB: getting this data will involve at least one full data wipe of the phone so it might take time to dump the data, switch lock state then dump it again.
I also strongly suspect that we might hit the issue of Android Verified Boot noticing that the device is locked (but has a modified boot image when rooted). This would depend on whether the Android security checks are implemented as per the Android Verified Boot specification.
Who's in?
Couldn't you just hide Netflix HD from root detection in Magisk?
dgunn said:
Couldn't you just hide Netflix HD from root detection in Magisk?
Click to expand...
Click to collapse
No. With an unlocked bootloader the device is switched to Widevine level 3 instead of level 1. This means no HD playback in Netflix (and I believe Amazon) regardless of Magisk hide status. This may be the new normal for all unlocked devices with the Qualcomm SD 845 or newer.
blackthund3r;76765953[* said:
Security: once a device is rooted we'd be able to re-lock the bootloader to prevent tampering or unauthorised images from being booted whilst keeping the perks of being rooted
Click to expand...
Click to collapse
Are you sure about this? On Nexus 4 days Android didn't check at boot that all partitions were correct in order to boot, since some version ago it does (DM-verity). Are you sure you can re-lock the phone with root (system or boot modified) and still boot normally to userspace?
RusherDude said:
Are you sure about this? On Nexus 4 days Android didn't check at boot that all partitions were correct in order to boot, since some version ago it does (DM-verity). Are you sure you can re-lock the phone with root (system or boot modified) and still boot normally to userspace?
Click to expand...
Click to collapse
Well, I can confirm that with SafetyNet test passing, and Magisk hide enabled for Netflix, I can not get HD streaming.
This is highly interesting. I will be following that threat constantly. Thanks for opening that discussion.
So does this vulnerability allow flashing or booting of TWRP through fastboot without unlocking the bootloader. I am interested in keeping Netflix HD and gaining root access, but don't want to brick the device. I know that under normal circumstances you always unlock the bootloader before flashing any mods, but was curious of some devs thoughts on it.
Interesting read. You can root the device without unlocked bootloader
https://www.androidcentral.com/oneplus-6-bootloader-vulnerability-lets-anyone-access-your-phone?amp
the question is can we keep opened this feature and force to be opened.
Unfortunately oneplus bootloader doesn‘t support EIO mode,so it can't be boot if anything modified.
akaHardison said:
Unfortunately oneplus bootloader doesn‘t support EIO mode,so it can't be boot if anything modified.
Click to expand...
Click to collapse
Not true booted a magisk patched boot image and installed some modules
Is there Maby another methode to root hold safety net for widevine lv3
---------- Post added at 06:28 PM ---------- Previous post was at 06:23 PM ----------
joemossjr said:
Not true booted a magisk patched boot image and installed some modules
Click to expand...
Click to collapse
And did you also installed magisk to the boot img?!
Widevine L1 + V4A would make me very happy. Perhaps we should add a financial incentive like a bug bounty? I would certainly contribute some loot for this noble cause!
Since some people with OP5s and OP5Ts sent there phone to OP for L1 with the bootloader unlocked, I wonder if OP would consider offering a similar service. Even if it wasn't completely free I would probably do it unless it required re-locking the bootloader...
This thread is to announce a completely new vulnerability I've found within SONY XPERIA XZ1 Compact firmware.
It allows verified boot bypass with the latest available android pie fw (2019-09-01 security patch level, sony version 47.A.2.11.228 released on 2019-10-10).
Please see bellow for youtube video recordings showing the exploit and it's possibilities.
Permanently rooting Android PIE without bootloader unlock - SONY XPERIA XZ1 Compact Verified Boot Bypass
LOS16 with locked BL
short preview of Lineage OS 16.0 booting instead of stock fw with still locked bootloader including magisk root
(first announced here as part of my previous kernel exploit thread)
verified boot bypass:
- fastboot-ing twrp
- permanently flashing twrp as recovery
- permanently rooting stock fw with magisk without unlocking bootloader
LOS16 from sd card
installing LOS16 as an alternate OS to sdcard for multiboot via recovery
LOS16 instead of stock fw with locked BL
dual booting two LOS16 installations, one replacing stock fw, the other from sd card
replacing the 2nd LOS16 with twrp recovery being happy with just one LOS16 replacing stock fw with still locked bootloader
Playlist of all the above available here.
Vulnerability impact
This could be used to inject any software into a xperia phone, like remote root backdoor or some eavesdropping spyware.
An exploit may be implemented in a way that it could survive full firmware re-flash from computer or even system fota upgrade, including factory reset, making it very powerful.
If used with another temp (or remote) root exploit, this vulnerability may be leveraged without user noticing anything, so an attacker may do persistent changes even when bootloader is still locked with verified boot active.
Vulnerability scope
The proof of concept exploit is working with sony xperia xz1 compact phone.
It can be extended to support entire range of xperia phones running YOSHINO platform (qualcomm snapdragon 835) - XZ Premium, XZ1, XZ1 Compact (any of single/dual sim variants), including those that do not allow bootloader unlock as that is not needed.
First stage of the exploit has also been adapted for SONY XPERIA XZ2, as documented here and in following posts. That means the exploit could be extended to support entire TAMA platform, i.e. sony xperia XZ2/XZ3 (Compact/Dual/Premium) phones.
There is a chance that the exploit could be adapted to any recent xperia phone released since yoshino platform. It has not been checked/proved either way though.
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Even though this exploit is very powerful, my ultimate goal is TrustZone code execution hopefully allowing to inject custom verified boot keys and bootloader re-lock.
Unfortunately I can spend less and less time working on this stuff, so I would appreciate help from other developers, particularly experienced with reverse engineering to help me find a hole to get into TrustZone / Qualcomm Secure Execution Environment (QSEE).
I have already some ideas for very promising TZ attack vectors.
Please contact me if you would like to help me with TrustZone exploit development.
Thank you.
Please keep the thread clean
Please use the thanks button if you like my work.
Please post here only when you have something with real information value. General discussion may take place in my thread here.
Thank you.
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Android Attest Key thread
https://j4nn.github.io/
https://github.com/j4nn/
Hi, is possible to root with locked BL on Xperia XZ2 Premium running Android 9?
So, you just flashed TWRP, LineageOS & Magisk like normal?
Mazellat said:
Hi, is possible to root with locked BL on Xperia XZ2 Premium running Android 9?
Click to expand...
Click to collapse
@j4nn did adapt the same exploit of renoroot on the XZ2 which theoretically can be applied to the whole family since they are the same. But for now NO root on locked BL AFAIK.
YamiYukiSenpai said:
So, you just flashed TWRP, LineageOS & Magisk like normal?
Click to expand...
Click to collapse
No, he did a lot of work in order to find a new exploit that made him able to flash TWRP and lineage on a locked bootloader and be able to dualboot if he wants to.
@j4nn said in the OP that he wants this to be clean and for developers only who can help and general discussion will be found here https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510
@j4nn your work for yoshino exploit is amazing, you have our respect, wish we could relock the BL so that i could sell my xzp with stock features. ?
j4nn said:
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Click to expand...
Click to collapse
Have you still decided what to do with it yet?
@Shahnewaz, well I put it aside - it is dangerous for general folks to use - really great risk of a brick.
Also I've released two new temp root exploits - one for xz1* phones and another one for xz2* phones even allowing to use magisk from it, not difficult to start after each boot.
I would still welcome a help with TrustZone exploit development - I have some progress there, but not enough time to do it alone.
Would the exploit also be possible with the 820 devices, or something similar?
Does the exploit for devices with LB have anything to do with treble implementation for the 835? Would like to accomplish a dual boot on XZ premium, and if possible have another that is an 820 with a LB; please advise.
This was probably the only option I had to extend the functional life of my SOV36. I just wish I knew that this would be the ONLY model with a locked bootloader.
Hi everyone,
My XZ1 has "Android attest key Not Provisioned" and "Fido Key Provisioned".
i had a problem with green camera in the past, but not anymore after update to Pie.
my question is: can i root without backing up DRM keys?
Moderator Edit, removal of attachment, showing IMEI.
How to format SD card and boot twrp ?
Wonderful. Can you tell me which fastboot partition is in /dev/block/. Thanks j4nn
@j4nn I overwritten the xfl file on / dev / block. and then my phone won't boot, can't enter flashmode or fastboot. do you have a solution to do?
@Rhamadhany, why would you overwrite xfl partition?
What did you overwrite xfl partition with exactly?
Unfortunately I do not have a hard brick recovery method.
I have managed to get sony firehose boot image which works with xz1* EDL boot mode, but all commands are protected by sony sake auth (rsa2048), so it is not useful at all.
j4nn said:
@Rhamadhany, why would you overwrite xfl partition?
What did you overwrite xfl partition with exactly?
Unfortunately I do not have a hard brick recovery method.
I have managed to get sony firehose boot image which works with xz1* EDL boot mode, but all commands are protected by sony sake auth (rsa2048), so it is not useful at all.
Click to expand...
Click to collapse
I used the command dd, sorry. So there's no way to bring it back to life?
@j4nn Btw I bought a new xz2 premium phone but with the docomo version. And I just found out that the docomo version can't use global rom. So can the docomo version use temproot?
@j4nn In my opinion, Sony might stick TrustZone with TA partition, injecting any boot keys might lead to the removal of TA and cause some brick ( i don't have any devices in Yoshino platform to test out, just my though )
Have you read this?
US20120190338A1 - Method for changing an operating mode of a mobile device - Google Patents
A method for changing an operating mode of a mobile device is provided. According to the method, a request from the user of the mobile device to change from a first operating mode to a second operating mode is received. In response to the received request a credential is requested from the user...
patents.google.com
Thanks for your work @j4nn . I hope this could help in enabling volte to my sov36 and also to be able to flash dual sim fw g8432. As everytime i flash g8342 fw i get no sim detected. In regards to volte i already tried other guides here with also the help of your exploit for oreo. However still no luck and just recently i noticed camera opens but doesnt work. Hope you can release the exploit for pie of course once you got your goal about the trustzone, specially for me and others who owns sov36 variant as this doesnt allow to unlock bl. Basically what i can only do to contribute is just test builds and provide feedback.
I need some function that move my old sony phone data to my new phone. my old phone is android 6. are there idea for transfer my all app datas to my new phone.
on my old phone I have unlock BL and root ,I use "Titanium Backup" for backup and recovery my app data .I can use this backup data recovery on any android phone whitch has be root
can Xperia 5 II make temp root for support some operation whitch need after root
is "gravity box" can run on android 11 with TWRP . I need some function like double click screen make my screan turn on of off
the finaly may be root is the best way. can I backup my TA and recovery it after unlock BL for keep video enhach and DRM keys
1838878287 said:
I need some function that move my old sony phone data to my new phone. my old phone is android 6. are there idea for transfer my all app datas to my new phone.
on my old phone I have unlock BL and root ,I use "Titanium Backup" for backup and recovery my app data .I can use this backup data recovery on any android phone whitch has be root
can Xperia 5 II make temp root for support some operation whitch need after root
is "gravity box" can run on android 11 with TWRP . I need some function like double click screen make my screan turn on of off
the finaly may be root is the best way. can I backup my TA and recovery it after unlock BL for keep video enhach and DRM keys
Click to expand...
Click to collapse
You can't temp root without unlocking bootloader and you can't back up TA
Hi,
I don't think that Mackay53 is right because you just need an exploit and someone how knows to handle this exploit to gain temporary root access - WITHOUT unlocking Bootloader.
I've had some SONY devices and except my Xperia 5 II I had backed up the DRM-keys before rooting it (ok, I did a permanent root, but the way is the same ;-) )
So you have to wait for an exploit and someone who knows to use it
klausstoertebeker said:
Hi,
I don't think that Mackay53 is right because you just need an exploit and someone how knows to handle this exploit to gain temporary root access - WITHOUT unlocking Bootloader.
I've had some SONY devices and except my Xperia 5 II I had backed up the DRM-keys before rooting it (ok, I did a permanent root, but the way is the same ;-) )
So you have to wait for an exploit and someone who knows to use it
Click to expand...
Click to collapse
how do u backup them, what is type command line or some app to save them ?
@pEtErtgh:
Do you have an exploit and know how to gain temporary root? Then I would be interested in how you did it
what's gone if i root/UBL this phone?
like drm or else?
Hello,
I resort to the kindness and experience of the forum to be able to advise me on the basic questions about the experience of rooting the Sony XZ Premium (G8142), since I spent several hours reading and searching the forum for information, but everything that is there is scattered, then I would like to know from those who directly did it, if it is worth it. Also, in order to help other users who are looking for concise information, they can have this link as a reference to remove all the most common doubts that arise in one place.
My doubts are the following:
is it advisable to root?
I have been researching about the camera problems that for Android 9 no longer have them, but in another article it describes that we lose the video enhancement X-Reality, DSEE HX, ClearAudio +, Widevine L1. All this arises because a certain system partition (TA) is erased when we unlock the bootloader. Does anyone have info how he remedied all these leaks? Custom ROMs fix this?
DRM issues: This is also something that was not clear to me. First do Backup DRM; In order to be able to backup to the partition with the locked bootloader I still need to run the temporary root. For that I need to downgrade the system to version 8 (G8142_47.1.A.16.20). Then run command lines to create the backup with the help of the tool that a forum user created. Please if I'm wrong correct me.
* The question is first to downgrade (Android 8),
* temporary root,
* then create the backup.
* Unlock bootloader from sony page
* then to restore the backup again, or not? Does restoring the backup lock and leave the device to a previous state? (undoing the changes), or does it just fix the DRM problem?
* In short, is it advisable to unlock the bootloader with Android 9 or earlier?
* Is it advisable to create the DRM backup?
* In which case would I have to restore this backup?
I have also seen that they mention a paid software that does all the work by yourself I do not know if it is for Android 9, it is just a matter of connecting the device in fastboot mode, then it automatically executes twrp, root, repairs DRM, but the cost of the software in my country it is something difficult to pay, that is why I am gathering as much information as possible before executing any procedure.
Custom ROMs: Regarding the user experience, does anyone have information about the rom that is more stable and recommended for this device? Does it cover all the holes or bugs that it leaves when erasing DRM after unlocking the bootloader?
I hope the reference text of what I write can be understood since my native language is Latin American Spanish, and I am using the Google translator.
I would appreciate any kind of suggestion or experience in this regard. Thank you.
First of all, have you seen these threads:
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Tools to backup TA partition (drm keys) of Xperia XZ1 Compact by j4nn https://j4nn.github.io/ As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera...
forum.xda-developers.com
[XZp] rooted kernel hiding bootloader unlock with working fota
rooted kernel hiding bootloader unlock with working sony stock fw fota updates for Sony Xperia XZ Premium Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader. Also many sony...
forum.xda-developers.com
It's all there really, explained step by step. Thanks to @j4nn you can run stock firmware with superuser access concealed from the system so that it doesn't know the phone is unlocked, with all the DRM-restricted functionality still available.
The relative benefits of unlocking depend on your specific needs. But considering there are no more official updates, being able to use aftermarket firmware like this: https://forum.xda-developers.com/t/rom-lineageos-18-1-unofficial-updated-2021-3-31.4221427/ already makes it worthwhile in my opinion.
The only drawback of an unlock is that there is a scary message displayed on every boot, which also adds 1 or 2 seconds to the startup sequence.
Regardless of whether you decide to unlock or not, there is no downside to having a TA backup. It might come useful one day.
All you need is Android Platform Tools (adb, fastboot), and: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ There is no need to pay for any of these, although you can donate to @j4nn and @munjeni: they both put a lot of effort into making this possible.
Aqq123 said:
First of all, have you seen these threads:
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented
Tools to backup TA partition (drm keys) of Xperia XZ1 Compact by j4nn https://j4nn.github.io/ As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera...
forum.xda-developers.com
[XZp] rooted kernel hiding bootloader unlock with working fota
rooted kernel hiding bootloader unlock with working sony stock fw fota updates for Sony Xperia XZ Premium Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader. Also many sony...
forum.xda-developers.com
It's all there really, explained step by step. Thanks to @j4nn you can run stock firmware with superuser access concealed from the system so that it doesn't know the phone is unlocked, with all the DRM-restricted functionality still available.
The relative benefits of unlocking depend on your specific needs. But considering there are no more official updates, being able to use aftermarket firmware like this: https://forum.xda-developers.com/t/rom-lineageos-18-1-unofficial-updated-2021-3-31.4221427/ already makes it worthwhile in my opinion.
The only drawback of an unlock is that there is a scary message displayed on every boot, which also adds 1 or 2 seconds to the startup sequence.
Regardless of whether you decide to unlock or not, there is no downside to having a TA backup. It might come useful one day.
All you need is Android Platform Tools (adb, fastboot), and: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ There is no need to pay for any of these, although you can donate to @j4nn and @munjeni: they both put a lot of effort into making this possible.
Click to expand...
Click to collapse
Thank you very much for answering my question, you have clarified several points that I had scattered about.
I still have some doubts reading more comments on the links that you have suggested. Perhaps you have an answer to such doubts:
I have read that a user has lost video enhancements, perhaps because he did something wrong here:
temp root for drm keys backup - anybody still interested?
--- edit 2018-11-03 --- Tools to backup TA partition before bootloader unlock have been released. Just check the [XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented thread. --- Just wondering if there is already drm keys backup...
forum.xda-developers.com
post #72 sulistyoarif:
Only Video Image Enhancement didnt work for me.
I have seen some videos of the YouTube profile of the user j4nn where he has all the libraries without problems, working perfectly, including the improvements of the video image.
About the installation processes for firmware I did a clean installation of firmware version 9 latest compilation with Xperia flashtool without problems. Do you think that I will be able to downgrade with Xperia flashtool without problems with the libraries or some other? I think that the experience serves me more than the tutorials .
For what remains in my information I found this steps:
*downgrade
* no flash - persist.sin
1) Use temp root and backup TA image
2) Unlock bootloader
3) Flash Newest firmware (or choice of yours)
4) Setup phone temporary and copy magisk files to
phone
5) flash twrp and temporary boot with twrp
(fastboot boot twrp.img)
6) flash magisk and reboot
7) Check Root privilege
8) Restore TA image and check DRM
8.1) (optional) factory reset if any fc issue
"Now You have unlocked and rooted phone with full DRM Support including OTA Support.
Everything is tested and working for XZP and XZP Dual"
Thanks again for the help and taking the time to read my post.
@sergioemmr
It should work like you describe it, except with newflasher: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ FlashTool is for older devices.
That guy did something wrong, so don't be like him. Just follow @j4nn's instructions.
You can downgrade to an earlier firmware on this device, no problem here. Do not flash persist.sin like you said, and you're good to go. If you run into any problems, just post in that thread, and you'll get more people's attention.
Aqq123 said:
@sergioemmr
It should work like you describe it, except with newflasher: https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/ FlashTool is for older devices.
That guy did something wrong, so don't be like him. Just follow @j4nn's instructions.
You can downgrade to an earlier firmware on this device, no problem here. Do not flash persist.sin like you said, and you're good to go. If you run into any problems, just post in that thread, and you'll get more people's attention.
Click to expand...
Click to collapse
What's the deal with persist.sin? I used flash tool to downgrade and managed to extract the unlocked-ta file. Did I somehow void the TA key?