
Universal (Dirtycow-based) TA Backup v2

By rayman, Recognized Developer on 6th December 2016, 09:57 PM
Dirtycow-based TA Dumper for Sony Xperia Devices. (v2.0)

Author:
Jens Andersen
Xda: rayman
Twitter: @droidray
GitHub: EnJens

Source can be found at https://github.com/EnJens/backupTA.
It must be built within AOSP (e.g. check it out to external/backupTA).

Changelog:
  • More devices supported. The dreaded "Permission denied" should be long gone
  • Stability improved
  • TA dump is now verified before pulling
  • An error message is correctly shown when the process fails.

Requirements:
Phone running a dirtycow-capable OS (e.g. recent N builds won't work).
If you have already upgraded, downgrading (temporarily) should be possible.
It should work on all recent Xperia phones, but there might be exceptions.

It works on Linux, Windows and Mac (OS X).

Instructions:
  1. Ensure you have adb access (e.g. drivers installed, enabled, etc.)
  2. Run backupTA.sh (Linux) or backupTA.cmd (Windows) in the root directory.
  3. TA will be saved as TA-ModelNumber-Serial-Timestamp.img in
    the backupTA.sh directory.
  4. On failure, the TA file should be missing, but please check that the file is 2,097,152 bytes.

Download:
Credits:
  • rayman
  • Bumble-Bee (Testing)
  • Myself5 (Testing and some scripts)
  • oshmoun (Testing)
  • Androxyde (Testing)
  • munjeni (checkta source)

Tested on:
  • Xperia Z1
  • Xperia ZL
  • Xperia Z2
  • Xperia Z3
  • Xperia Z5
  • Xperia Z5 Compact
  • Xperia E5
  • Xperia M5
  • Xperia M4 Aqua
  • Xperia C5
  • Xperia X
  • Xperia XA
  • Xperia XA Ultra
  • Xperia X Performance
  • Xperia X Compact
  • Xperia XZ

XDA:DevDB Information
Universal (Dirtycow-based) TA Backup, Tool/Utility for the OEM Cross Device Development

Contributors
rayman
Source Code: https://github.com/EnJens/backupTA


Version Information
Status: Stable

Created 2016-12-07
Last Updated 2017-02-19

6th December 2016, 09:57 PM |#2
rayman (OP), Recognized Developer
How it works
A very quick primer on how backupTA works, now that the source is out:
Sony's devices are extremely locked down with SELinux, and even getting root (with dirtycow) leaves you with very little access to the system.
Other than true root (which is rather difficult to get, although not impossible), only the Sony TA daemon has access to the partition required. But the TA daemon has no access to write any files anywhere on the device where we can pull them...

The basic approach is:
* Overwrite run-as binary with a custom binary
* When executed it switches to root and sets platform_app permissions, which for some bizarre reason is allowed from run-as explicitly. (See note 1)
* Once it has these privileges, it has access to dirtycow /sbin/tad_static
* It overwrites tad_static with a special daemon that allows reading the entire TA partition over the tad socket already used by the system. (See note 2)
* The run-as replacement reads the TA dump over the tad socket and pipes it to stdout to write to a file. (See note 3)

Note 1:
Dirtycow cannot increase the size of any binaries on the system, so to make things actually work, this solution also overwrites the screenrecord binary (which is significantly bigger). run-as then executes this after setting up root and does all the fancy things. On some devices the platform-app context with root does not allow reading or writing files anywhere. To get around this, it reads the replacement tad_static from stdin and writes the dump to stdout. The script that runs run-as handles the piping.

Note 2:
When tad_static is first executed during boot, it's cached by Linux. For efficiency reasons and because it's on a read-only filesystem, it's executed from this cache in memory. When dirtycow replaces the binary on /sbin, it actually replaces the running binary's code in memory, forcing it to crash. Init automatically restarts it, but now it's the replaced binary running, which allows us to dump what we need.

Note 3:
The tad socket is actually quite limited permission-wise too. Only a limited subset of SELinux contexts are allowed to read/write to it, and the same goes for users. Luckily, the root user with some supplementary groups and the platform_app SELinux context does have access to it, so we abuse that fact to talk to the replaced TA daemon.
6th December 2016, 09:57 PM |#3
rayman (OP), Recognized Developer
FAQ:
  • Q: Why is the backup different between reboots?
  • A: There is other data stored in the TA partition than just the TA Units. On some devices, the bootloader bootlog is stored there along with other pieces of data.
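
As an added example (not part of rayman's tool or of this thread), covering both the size check in step 4 of the instructions and the FAQ answer above: a small Python script that verifies a dump is exactly 2,097,152 bytes, records its SHA-256, and lists the byte ranges where two dumps of the same device differ, so a difference between reboots can be checked against a small, expected region rather than taken as a corrupt backup. The sample dumps are constructed inside the script and are not real TA data.

```python
import hashlib
import sys
from typing import List, Tuple

TA_SIZE = 2097152  # expected TA dump size (2 MiB), per step 4 of the instructions

def check_ta_dump(data: bytes) -> Tuple[bool, str]:
    """Return (size_ok, sha256_hex) for a TA dump read into memory."""
    return len(data) == TA_SIZE, hashlib.sha256(data).hexdigest()

def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """List half-open [start, end) byte ranges where two dumps differ."""
    # A size mismatch means one image is incomplete; refuse to compare it.
    if len(a) != len(b):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(a), len(b)))
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i                      # a differing run begins
        elif x == y and start is not None:
            ranges.append((start, i))      # the run ends just before i
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def make_samples() -> Tuple[bytes, bytes]:
    """Constructed sample dumps (not real TA data): two 2 MiB images that
    differ only in two small regions, mimicking a per-boot bootlog change."""
    first = bytes([0xFF]) * TA_SIZE
    second = bytearray(first)
    second[0x1000:0x1010] = b"boot log changed"    # 16 bytes
    second[0x10000:0x10004] = b"\x01\x02\x03\x04"  # 4 bytes
    return first, bytes(second)

if __name__ == "__main__":
    # Compare two dump files given on the command line, else the samples.
    if len(sys.argv) == 3:
        a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        a, b = make_samples()
    for name, d in (("first", a), ("second", b)):
        ok, digest = check_ta_dump(d)
        print("%s: %d bytes, size %s, sha256 %s"
              % (name, len(d), "OK" if ok else "WRONG", digest))
    for s, e in diff_ranges(a, b):
        print("differs at 0x%06x-0x%06x (%d bytes)" % (s, e, e - s))
```

Run it with two dump paths (e.g. one taken before and one after a reboot) to see exactly which offsets changed; a dump that is not 2,097,152 bytes is reported as the wrong size before any comparison.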
6th December 2016, 10:03 PM |#4
josephnero, Senior Member
Awesome. Was waiting for this. Thanks!
6th December 2016, 10:24 PM |#6
kistigun, Senior Member
Wow, nice find! I'm a bit bummed out that I already unlocked my bootloader, but this is great news!
6th December 2016, 11:48 PM |#7
serajr, Recognized Developer / Recognized Themer
Awesome... Congrats!!

XP F8131 output
Code:
Picking 64-bit version
Running on F8131 on 64-bit platform
Pushing files
886 KB/s (9984 bytes in 0.010s)
743 KB/s (6088 bytes in 0.008s)
1072 KB/s (14280 bytes in 0.013s)
901 KB/s (10184 bytes in 0.011s)
122 KB/s (876 bytes in 0.006s)
Running scripts to dump ta to "TAIMG" on device
Overwriting run-as
Attempting to dirtycow
Done dirtycowing
Overwriting secondary payload (screenrecord)
Attempting to dirtycow
dirtycow failed
Attempting to dirtycow
Attempting to dirtycow
Done dirtycowing
Attempting exploit
Attempting to dirtycow
dirtycow failed
Waiting for result....
Bad reply received, failing...
Attempting exploit
Attempting to dirtycow
Attempting to dirtycow
dirtycow failed
Waiting for result....
Got a total of 2097152 bytes
Exploit successful!
Dumped TA as TA_F8131_CB512AD0TJ_06122016-2207.img
Pulling image
735 KB/s (2097152 bytes in 2.784s)
Cleaning up
TA Sucessfully pulled to TA_F8131_CB512AD0TJ_06122016-2207.img
****NOTE: Please verify filesize is 2MB ****
Pressione qualquer tecla para continuar. . .


Just a quick heads-up. The first attempt failed because /data/local/tmp was not empty! It has two "flat..." files inside it (stock fw).
A fix could be to change the .sh and .cmd scripts to chmod each pushed file separately (instead of *), or even to clear that folder.
Code:
Picking 64-bit version
Running on F8131 on 64-bit platform
Pushing files
180 KB/s (9984 bytes in 0.054s)
742 KB/s (6088 bytes in 0.008s)
1983 KB/s (14280 bytes in 0.007s)
1421 KB/s (10184 bytes in 0.006s)
213 KB/s (876 bytes in 0.004s)
chmod: chmod '/data/local/tmp/flatland' to 100755: Operation not permitted
chmod: chmod '/data/local/tmp/flatland64' to 100755: Operation not permitted
Running scripts to dump ta to "TAIMG" on device
...
Anyways... It did work like a charm! Respect!!

6th December 2016, 11:50 PM |#8
Sonic Dash, Junior Member
Quote:
Originally Posted by rayman

Dirtycow-based TA Dumper for Sony Xperia Devices.

Author:
Jens Andersen
Xda: rayman
Twitter: @droidray
GitHub: EnJens

Source will follow later this week.

Requirements:
Phone running a dirtycow capable OS (E.g. recent N builds won't work).
If you have already upgraded, downgrading (temporarily) should be possible.
It should work on all recent xperia phones, but there might be exceptions.

Instructions:

  1. Ensure you have adb access (e.g. drivers installed, enabled etc)
  2. Run backupTA.sh (linux) or backupTA.cmd (windows) in the root directory.
  3. TA will be saved as TA-ModelNumber-Serial-Timestamp.img in
    the backupTA.sh directory.

Download (Temporary. Will be moved, so please don't link to it):
Credits:
  • rayman
  • Bumble-Bee
  • Myself5 (Testing and some scripts)
  • oshmoun

Tested on:
  • Xperia Z3
  • Xperia Z5
  • Xperia Z5 Compact
  • Xperia X
  • Xperia XP
  • Xperia XC
  • Xperia XZ

So just to confirm, this fully backs up the TA partition including DRM keys on the Xperia XZ. So it's okay for me to now unlock the bootloader and restore everything with this? If so this is just what I've been waiting for!

7th December 2016, 05:51 AM |#9
boydzethuong, Member
Just to confirm: after the TA (including DRMs) is backed up, I can unlock -> root -> then relock + restore the TA, so I can have both root and DRMs working flawlessly, including OTA updates?

7th December 2016, 07:22 AM |#10
Member
I don't think root with a locked bootloader is possible. But if you have a TA backup, you can restore it whenever you want and relock the bootloader. Maybe important if you want to sell the phone or if you need the guarantee. @rayman
Will it be possible to create an .ftf to flash the DRM key, just like in the Z5 line?
7th December 2016, 08:48 AM |#11
Aaskereija, Senior Member
What's the difference?