iovyroot - (temp) root tool

By zxz0O0, Senior Member on 1st April 2016, 10:39 AM
Today I present you
iovyroot - (temp) root tool
based on CVE-2015-1805

Requirements
  • USB debugging enabled
    Settings => About phone => Click 7 times on Android Build to unlock developer options
  • adb drivers installed
  • LP Kernel <= Dec 2015

Components
  1. Binary to get root shell
    • root/iovyroot
  2. Simple TA Backup / Restore script
    The author takes no responsibility
    • tabackup.bat & tarestore.bat (read second post for restore)

Download v0.4
If you found this tool useful, please consider donating (click here)


Supported models:
Code:
- M5 (all variants) (30.0.A.1.23 & 30.1.A.1.33)
- M5 Dual (all variants) (30.0.B.1.23 & 30.1.B.1.33)
- E5803 (32.0.A.6.200)
- E5823 (32.0.A.6.200)
- E6533 (28.0.A.8.266)
- E6553 (28.0.A.8.266)
- E6603 (32.0.A.6.152)
- E6633 (32.0.A.6.152)
- E6653 (32.0.A.6.152 & 32.0.A.6.200)
- E6683 (32.0.A.6.152)
- E6833 (32.0.A.6.170)
- E6853 (32.0.A.6.170 & 32.0.A.6.200)
- E6883 (32.0.A.6.160 & 32.0.A.6.170 & 32.0.A.6.209)
- SGP771 (28.0.A.8.260)
- SGP712 (28.0.A.8.260)
- LG G Flex 2 (5.1.1 LMY47S)
- Possibly all other devices with LP kernel from Dec 2015 or older
Credits:
- @idler1984 for his poc and great help
- @ninestarkoko and @rimmeda for testing
- @ipromeh for fixing ta scripts

XDA:DevDB Information
iovyroot - (temp) root tool, Tool/Utility for the Sony Xperia Z5 Compact

Contributors
zxz0O0, idler1984
Source Code: https://github.com/dosomder/iovyroot


Version Information
Status: Beta

Created 2016-04-01
Last Updated 2016-04-01
1st April 2016, 10:39 AM |#2  
zxz0O0 (OP), Senior Member
Reserved
Questions

Is it possible to get full root without bootloader unlock?
  • No, dm-verity prevents write access to system
Can we disable dm-verity?
  • Temporarily yes, but it will be enabled again at next reboot. Any modification to /system would thus result in a bootloop. dm-verity resides in the kernel which we can't modify on locked bootloader.
Can we restore the TA partition after unlocking the bootloader? How do we restore the TA partition?
  • Method 1:
    1. Flash stock firmware from flashtool (supported by iovyroot) (you are now unrooted)
    2. Use tarestore.bat from iovyroot
  • Method 2 (fully rooted & unlocked bootloader):
    1. Use BackupTA and option "Convert v4 backup"
    2. Restore backup with BackupTA
    3. Flash stock firmware with flashtool
1st April 2016, 11:13 AM |#3  
devilmaycry2020, Senior Member
Couldn't download
1st April 2016, 11:15 AM |#4  
ipromeh, Senior Member, Kuala Lumpur
nice job! reserved for something else..

Please download the latest version by zxz0O0

E5803 (32.0.A.6.200) Malaysia Firmware (FTF)
Google drive link: https://drive.google.com/file/d/0B_u...ew?usp=sharing

<-- Outdated fixes for v0.1 -->
Fixes:
This file will fix "TA.img" not found issue (backup script fix)
https://drive.google.com/file/d/0B_u...ew?usp=sharing

This file will fix Z5C E5803 malaysia firmware "device not supported" issue and also included TA fix
https://drive.google.com/file/d/0B_u...ew?usp=sharing

Older post:

Edit:
E5803 (32.0.A.6.200) Malaysia Firmware (FTF)
Google drive link: https://drive.google.com/file/d/0B_u...ew?usp=sharing

Edit 2:
@zxz0O0 , there's something wrong with the binary device verification with the E5803 (32.0.A.6.200) Malaysia Firmware. It says "Error: Device not supported"
This modified binary file will work with this firmware:
https://drive.google.com/file/d/0B_u...ew?usp=sharing

Edit 3:
The backup TA script is not working; it looks like the /dev partition layout is different from the previous Z series.
Here is the directory listing of /dev/block:
Code:
[email protected]:/dev/block $ ls
ls
bootdevice
dm-0
loop0
loop1
loop2
loop3
loop4
loop5
loop6
loop7
mmcblk0
mmcblk0p1
mmcblk0p10
mmcblk0p11
mmcblk0p12
mmcblk0p13
mmcblk0p14
mmcblk0p15
mmcblk0p16
mmcblk0p17
mmcblk0p18
mmcblk0p19
mmcblk0p2
mmcblk0p20
mmcblk0p21
mmcblk0p22
mmcblk0p23
mmcblk0p24
mmcblk0p25
mmcblk0p26
mmcblk0p27
mmcblk0p28
mmcblk0p29
mmcblk0p3
mmcblk0p30
mmcblk0p31
mmcblk0p32
mmcblk0p33
mmcblk0p34
mmcblk0p35
mmcblk0p36
mmcblk0p37
mmcblk0p38
mmcblk0p39
mmcblk0p4
mmcblk0p40
mmcblk0p41
mmcblk0p42
mmcblk0p43
mmcblk0p5
mmcblk0p6
mmcblk0p7
mmcblk0p8
mmcblk0p9
mmcblk0rpmb
mmcblk1
mmcblk1p1
platform
ram0
ram1
ram10
ram11
ram12
ram13
ram14
ram15
ram2
ram3
ram4
ram5
ram6
ram7
ram8
ram9
vold
zram0
Code:
[email protected]:/dev/block/platform $ ls
f9824900.sdhci
f98a4900.sdhci
Anyway, it's confirmed that I got temp root access with this. Great job!

Edit 4:
Okay guys, confirmed that the TA partition for Z5 Compact is located at /dev/block/platform/f9824900.sdhci/by-name/TA

output of the terminal with fix
Code:
iovyroot by zxz0O0
poc by idler1984

[+] Changing fd limit from 1024 to 4096
[+] Changing process priority to highest
[+] Getting pipes
[+] Allocating memory
[+] Installing JOP
    [+] Patching address 0xffffffc00194f630
    [+] Start map/unmap thread
    [+] Start write thread
    [+] Spraying kernel heap
    [+] Start read thread
    [+] Done
[+] Patching addr_limit
    [+] Patching address 0xffffffc05b324008
    [+] Start map/unmap thread
    [+] Start write thread
    [+] Spraying kernel heap
    [+] Start read thread
    [+] Done
[+] Removing JOP
got root lmao

TA.img copied successfully
Press any key to continue . . .
Have a nice day!
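The backup that the OP's tabackup.bat performs and the TA path ipromeh confirmed above, as an added example that is not part of iovyroot and not code from anyone's post in this thread: a POSIX shell script that dumps a partition with dd, refuses to call the result a backup until the image hashes the same as the source, and refuses to restore an image that no longer matches the hash recorded at backup time or whose size differs from the target. Everything except the Z5 Compact TA path is an assumption of this example: the function names, the IMG.sha256 sidecar file, and that sha256sum (or shasum) and awk-free tools like dd, wc and cut exist where it runs. The Lollipop toolbox on the phone may lack some of them; in that case take the dump on the phone, adb pull it, and run the hash and restore checks on the host.

```shell
#!/bin/sh
# Added example (not iovyroot's tabackup.bat/tarestore.bat): dump a raw
# partition to an image and verify it by SHA-256 before trusting it, then
# restore only an image that still matches its recorded hash and the
# target's size. TA_DEV is the Z5 Compact path confirmed in this thread;
# the function names and the IMG.sha256 sidecar are this example's own.

TA_DEV="${TA_DEV:-/dev/block/platform/f9824900.sdhci/by-name/TA}"

# hash_file PATH: SHA-256 of a file or block device (sha256sum, else shasum).
# Assumption: one of the two exists where this runs; if the phone's toolbox
# has neither, adb pull the image and hash it on the host instead.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# size_of PATH: byte size of a regular file or (with blockdev) a block device.
size_of() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# backup_partition DEV IMG: copy DEV to IMG and record IMG.sha256.
# Returns non-zero if DEV is unreadable or the copy hashes differently from
# the source, so a truncated dd can never pass as a good backup.
backup_partition() {
    dev="$1"; img="$2"
    [ -r "$dev" ] || { echo "backup: cannot read $dev" >&2; return 1; }
    dd if="$dev" of="$img" bs=1048576 2>/dev/null || return 1
    src=$(hash_file "$dev"); got=$(hash_file "$img")
    if [ "$src" != "$got" ]; then
        echo "backup: $img does not hash like $dev, not a usable backup" >&2
        return 1
    fi
    echo "$got" > "$img.sha256"
    echo "backup: $img ok sha256=$got"
}

# restore_partition IMG DEV: write IMG to DEV only if IMG matches the hash
# recorded at backup time and is exactly as large as DEV; verify after writing.
restore_partition() {
    img="$1"; dev="$2"
    [ -f "$img.sha256" ] || { echo "restore: no $img.sha256, refusing" >&2; return 1; }
    want=$(cat "$img.sha256"); got=$(hash_file "$img")
    [ "$want" = "$got" ] || { echo "restore: $img no longer matches its recorded hash, refusing" >&2; return 1; }
    [ "$(size_of "$img")" = "$(size_of "$dev")" ] || { echo "restore: size of $img differs from $dev, refusing" >&2; return 1; }
    dd if="$img" of="$dev" bs=1048576 conv=notrunc 2>/dev/null || return 1
    [ "$(hash_file "$dev")" = "$got" ] || { echo "restore: $dev does not verify after write" >&2; return 1; }
    echo "restore: $dev ok"
}

# demo: offline walk-through on a constructed 64 KiB random file standing in
# for the TA device: a backup is taken, 16 bytes of the image are zeroed and
# the restore must refuse it, then a fresh backup restores and verifies.
demo() {
    tmp=$(mktemp -d) || return 1
    fake="$tmp/fake_TA"
    dd if=/dev/urandom of="$fake" bs=1024 count=64 2>/dev/null || return 1
    backup_partition "$fake" "$tmp/TA.img" || return 1
    dd if=/dev/zero of="$tmp/TA.img" bs=1 count=16 seek=100 conv=notrunc 2>/dev/null
    if restore_partition "$tmp/TA.img" "$fake" 2>/dev/null; then
        echo "demo: tampered image was accepted" >&2; return 1
    fi
    backup_partition "$fake" "$tmp/TA.img" || return 1
    restore_partition "$tmp/TA.img" "$fake" || return 1
    rm -rf "$tmp"
    echo "demo: ok"
}

case "${1:-}" in
    demo)   demo ;;
    backup) backup_partition "$TA_DEV" "${2:-TA.img}" ;;
esac
```

`sh ta_verify.sh demo` runs the offline walk-through on the constructed file; on the phone, `sh ta_verify.sh backup /sdcard/TA.img` from the root shell iovyroot gives you takes the real dump, and the .sha256 sidecar travels with the image. The point of the sidecar is the restore path: an image that is partial or belongs to another device is the one case where writing TA back is worse than having no backup at all, so the script refuses before touching the device rather than finding out afterwards.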
1st April 2016, 11:15 AM |#5  
3Shirts, Senior Member, Bedford
Since this is a temp root, presumably we cannot root then upgrade the firmware (to MM) as root will stop working? Correct?
1st April 2016, 11:21 AM |#6  
anjelz2012, Senior Member, Panama
Couldn't download
1st April 2016, 11:30 AM |#7  
3Shirts, Senior Member, Bedford
Here is a mirror in my Google Drive for people struggling to download: https://drive.google.com/open?id=0B3...XV0MzdNOHMySE0
1st April 2016, 11:31 AM |#8  
Senior Member
Quote:
Originally Posted by devilmaycry2020

Couldn't download

Quote:
Originally Posted by anjelz2012

Couldn't download

Refresh and try again

Quote:
Originally Posted by 3Shirts

Since this is a temp root, presumably we cannot root then upgrade the firmware (to MM) as root will stop working? Correct?

The exploit here lets you gain a temporary root command shell (#) and back up/restore the TA partition with it.
This has nothing to do with SuperSU: you cannot install it, and phone apps cannot gain root access using this package. Installing SuperSU (nowadays) involves /system or /boot partition modification, which is prevented by dm-verity, as stated in the 2nd post.
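The dm-verity point made in post #2 and repeated above, as an added example that is not from this thread or from iovyroot: a check that reads a mount table in /proc/mounts format and reports whether /system is served through a device-mapper target (/dev/block/dm-N, which is what the dm-0 entry in post #4's /dev/block listing is) or straight from the raw partition. The two sample tables are constructed for this example, not captured from a device, the function names are this example's own, and the by-name paths other than TA are illustrative; the only assumption about the phone is that its /proc/mounts has the usual source, mountpoint, fstype, options fields.

```shell
#!/bin/sh
# Added example (not from iovyroot or this thread): classify how /system is
# mounted from a table in /proc/mounts format, so you can see whether
# dm-verity sits in front of it before trying to write there. Assumption:
# the table has the usual "<source> <mountpoint> <fstype> <options> ..." fields.

# system_mount_source TABLE: print the device /system is mounted from,
# nothing if /system is not in the table.
system_mount_source() {
    awk '$2 == "/system" { print $1; exit }' "$1"
}

# system_mount_opts TABLE: print the mount options of /system (ro,... or rw,...).
system_mount_opts() {
    awk '$2 == "/system" { print $4; exit }' "$1"
}

# system_verity_state TABLE: "verity" when /system is served by a device-mapper
# target (/dev/block/dm-N), "raw" when it comes straight from the partition,
# "absent" when it is not mounted at all.
system_verity_state() {
    src=$(system_mount_source "$1")
    case "$src" in
        "")              echo absent ;;
        /dev/block/dm-*) echo verity ;;
        *)               echo raw ;;
    esac
}

# Constructed sample tables (not captured from a device). The first is the
# shape of a locked, verity-protected device; the second an unlocked one with
# /system on the raw by-name partition. Paths other than the TA one confirmed
# in the thread are illustrative.
VERITY_SAMPLE='rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/dm-0 /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/f9824900.sdhci/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'
RAW_SAMPLE='rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/platform/f9824900.sdhci/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0'

# demo: run the classifier over both constructed tables.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$VERITY_SAMPLE" > "$tmp/verity"
    printf '%s\n' "$RAW_SAMPLE" > "$tmp/raw"
    echo "locked device:   $(system_verity_state "$tmp/verity") ($(system_mount_opts "$tmp/verity"))"
    echo "unlocked device: $(system_verity_state "$tmp/raw") ($(system_mount_opts "$tmp/raw"))"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo)  demo ;;
    check) echo "/system: $(system_verity_state "${2:-/proc/mounts}")" ;;
esac
```

`sh verity_check.sh demo` prints the two constructed cases; `sh verity_check.sh check` reads the live /proc/mounts, and if the phone's toolbox lacks awk, `adb shell cat /proc/mounts > mounts.txt` followed by `sh verity_check.sh check mounts.txt` on the host gives the same answer. Seeing "verity" is the quick way to confirm what the posts above say: the root shell gets you a TA backup, not a writable /system.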
1st April 2016, 11:35 AM |#9  
3Shirts, Senior Member, Bedford
I see, sorry for the dumb question.

So we back up TA partition with this, then unlock the bootloader and get root that way. This just means we can then restore the device later, thanks to backed up TA?

Presumably you cannot restore the TA partition with the bootloader unlocked? Again, sorry if this seems dumb.
1st April 2016, 11:36 AM |#10  
anjelz2012, Senior Member, Panama
Thanks!

Sent from my E6653 using Tapatalk 2
1st April 2016, 11:58 AM |#11  
Senior Member
Quote:
Originally Posted by ipromeh

nice job! reserved for something else..

Edit 3:
The backup TA script is not working; it looks like the /dev partition layout is different from the previous Z series.
Here is the directory listing of /dev/block:

Code:
[email protected]:/dev/block/platform $ ls
f9824900.sdhci
f98a4900.sdhci
anyway, it's confirmed that i got temp root access with this. Great job!


Edit 4:
Okay guys, confirmed that the TA partition for Z5 Compact is located at /dev/block/platform/f9824900.sdhci/by-name/TA

Have a nice day!

I do agree, Z5 compact E5823 here.

TA backup script not working NOW: please wait for an update from zxz0O0, or if you want to correct the backup script yourself, just run the exploit iovyroot and use the command "ls -l /dev/block/platform".

EDIT: fix in the third post thanks to ipromeh