
[GUIDE] Back up DRM Keys & unlock/relock Bootloader (Noob proof)

1,534 posts
Thanks Meter: 5,161
By zxz0O0, Senior Member on 9th February 2014, 01:52 PM
10th March 2014, 01:02 PM |#121  
F308
Senior Member
Thanks Meter: 39
Quote:
Originally Posted by Riyal

look at that... a Z1 Compact device flashing a z1 compact docomo firmware and also a honami firmware haha!

And hence a TA backup can be made only on a rooted phone - there's no way to have this log empty.
I wonder what the log looks like after unlocking the BL.
10th March 2014, 01:46 PM |#122  
Senior Member
Flag Iloilo City
Thanks Meter: 1,767
Quote:
Originally Posted by F308

And hence a TA backup can be made only on a rooted phone - there's no way to have this log empty.
I wonder what the log looks like after unlocking the BL.

Still the same, the logs are still there. There's just some lines in the TA backup that got changed on the upper part. So that must be where the DRM keys are located (I know it's there because I got 20 different backups of both unlocked and locked TA partitions and compared them one by one). I also have a TA dump of an unlocked bootloader; in fact I made a flashable zip of my TA backup for locking (with DRM Keys) and unlocking my bootloader. That way I won't have to rely on a PC when I want to unlock or lock my bootloader.

I have a script where it dd's the TA partition to mmcblk0p1, checks the md5 of mmcblk0p1 and if it fails it dd's again for up to 20 tries. And if it still fails it shows a log on recovery that it failed and restores it back to the previous state.
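The write, verify, retry and roll-back loop described in the post above, as an added example: this is a hypothetical reconstruction, not Riyal's actual script, and it takes arbitrary paths so it can be exercised on plain files rather than a block device. Function names and the md5-of-image-sized-prefix comparison are my assumptions.

```shell
#!/bin/sh
# Hypothetical reconstruction of the verify-after-write loop from the post;
# not the poster's script. Works on any two paths, so it can be tried on files.

# md5 of the first N bytes of a path. A partition may be larger than the image
# written to it, so only the image-sized prefix is compared.
md5_prefix() {
  # $1 = path to hash, $2 = byte count
  head -c "$2" "$1" | md5sum | cut -d' ' -f1
}

# flash_verify IMAGE TARGET BACKUP [TRIES]
# Writes IMAGE to TARGET with dd and checks the result by md5, retrying up to
# TRIES times (default 20). If every attempt mismatches, TARGET is restored
# from BACKUP (the previously saved state) and the function returns 1.
flash_verify() {
  img=$1; dst=$2; bak=$3; tries=${4:-20}
  size=$(wc -c < "$img")
  want=$(md5_prefix "$img" "$size")
  n=1
  while [ "$n" -le "$tries" ]; do
    # conv=notrunc keeps a regular test file intact; harmless on a block device
    dd if="$img" of="$dst" bs=4096 conv=notrunc 2>/dev/null
    sync
    if [ "$(md5_prefix "$dst" "$size")" = "$want" ]; then
      echo "verified after $n attempt(s)"
      return 0
    fi
    n=$((n + 1))
  done
  echo "md5 mismatch after $tries attempts, restoring previous state" >&2
  dd if="$bak" of="$dst" bs=4096 conv=notrunc 2>/dev/null
  sync
  return 1
}
```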
10th March 2014, 03:18 PM |#123  
F308
Senior Member
Thanks Meter: 39
How did you review TA.img?
I tried mounting it under a Linux directory with the '-o loop' option but could not.
I don't know the filesystem type.

Added later:
This vbindiff is good software. It allows reviewing binaries. Didn't know it until today.
Still I would like to see the directory tree of this partition (if it exists).
10th March 2014, 04:36 PM |#124  
zxz0O0
OP Senior Member
Thanks Meter: 5,161
Quote:
Originally Posted by Riyal

Still the same, the logs are still there. There's just some lines in the TA backup that got changed on the upper part. So that must be where the DRM keys are located (I know it's there because I got 20 different backups of both unlocked and locked TA partitions and compared them one by one). I also have a TA dump of an unlocked bootloader; in fact I made a flashable zip of my TA backup for locking (with DRM Keys) and unlocking my bootloader. That way I won't have to rely on a PC when I want to unlock or lock my bootloader.

I have a script where it dd's the TA partition to mmcblk0p1, checks the md5 of mmcblk0p1 and if it fails it dd's again for up to 20 tries. And if it still fails it shows a log on recovery that it failed and restores it back to the previous state.

Sounds cool, mind sharing the script? By the way, as far as I know flashing firmwares does not void warranty, and even if it would, I'm pretty sure it's not hard to fake the log.
Quote:
Originally Posted by F308

How did you review TA.img?
I tried mounting it under a Linux directory with the '-o loop' option but could not.
I don't know the filesystem type.

Added later:
This vbindiff is good software. It allows reviewing binaries. Didn't know it until today.
Still I would like to see the directory tree of this partition (if it exists).

I also recommend WinMerge (free) and Beyond Compare (paid)

And check out this: http://forum.xda-developers.com/show...&postcount=119
11th March 2014, 04:14 AM |#125  
Senior Member
Flag Iloilo City
Thanks Meter: 1,767
Quote:
Originally Posted by F308

How did you review TA.img?
I tried mounting it under a Linux directory with the '-o loop' option but could not.
I don't know the filesystem type.

Added later:
This vbindiff is good software. It allows reviewing binaries. Didn't know it until today.
Still I would like to see the directory tree of this partition (if it exists).

You can't... The partition is encrypted. If it were possible to mount and browse it then I'm pretty sure the devs here would already have made a way to unlock our bootloader without deleting the DRM Keys. This is what happened on the Xperia 2011 devices... The TA partition could be mounted by shorting some connectors on the board, hence we managed to unlock the devices without erasing DRM Keys.

Quote:
Originally Posted by zxz0O0

Sounds cool, mind sharing the script? By the way, as far as I know flashing firmwares does not void warranty, and even if it would, I'm pretty sure it's not hard to fake the log.

I also recommend WinMerge (free) and Beyond Compare (paid)

And check out this: http://forum.xda-developers.com/show...&postcount=119

I just made the script like 2 days ago though... I am very reluctant to share it with the public, especially if it's not fully tested yet. I don't wanna get blamed if someone bricked their device using my script. The TA partition is a very sensitive partition. Messing with it would render your device useless and unrecoverable unless you have those boxes to write specific data on boards without having to boot it.

Although I did try it 6 times already and so far so good. Haven't managed to try the fail safe code though (like I'm not sure if my script would work in case of an md5 mismatch).

Also yeah, flashing firmwares doesn't void warranty, but flashing a firmware of a different device would! Also it's hard to fake the logs, especially if they're inside the TA partition. In fact there's no way we could alter it. Or maybe we can alter it using hex, but I wouldn't risk my chances faking a log over permanently bricking my device.
11th March 2014, 10:11 AM |#126  
F308
Senior Member
Thanks Meter: 39
Quote:
Originally Posted by Riyal

You can't... The partition is encrypted.

I don't discuss facts, but this thing is funny.
On an encrypted partition you would never make any sense of what you see.
Here you can.
------------------------ small part of hex view -----------------------------
A.R.E._. V.E.R._. M.I.N.O. R...F. E.A.T.U. R.E.S.. .T.E.M. P.L.A.T. E..0.. .T.E.M. P.L.A.T. E...C. L.O.C.K. .1../. C.L.O.C. K...... .S.E.C. U.R.E.C. L.O.C.K. ..U.R. L..h.t. t.p.:./. /.g.o... m.i.c.r.
------------------------------------------ end ------------------------------------
If I wanted to hide something, I would do it better.
11th March 2014, 10:44 AM |#127  
Senior Member
Flag Iloilo City
Thanks Meter: 1,767
Well there are 2 types of encryption...

The first one would be data encryption. That would surely encrypt all the data contents like the one you're talking about. This encryption is secure but also takes too many resources to decrypt, hence not very resource friendly.

The second should be disk encryption. That is by locking a disk image for use without a passcode or something. Ubuntu and Windows both use disk encryption, but a simple dd image of both can also show some minor data info like filenames etc. This encryption just encrypts the header of the image so it won't be readable and mountable without decrypting it first. Hence why the data is partially readable.
It is actually possible to decode this by understanding the algorithm used in this encryption, however it would take too much time. A time that would be very easy for Sony to patch up and waste the effort.

Quote:
Originally Posted by F308

I don't discuss facts, but this thing is funny.
On an encrypted partition you would never make any sense of what you see.
Here you can.
------------------------ small part of hex view -----------------------------
A.R.E._. V.E.R._. M.I.N.O. R...F. E.A.T.U. R.E.S.. .T.E.M. P.L.A.T. E..0.. .T.E.M. P.L.A.T. E...C. L.O.C.K. .1../. C.L.O.C. K...... .S.E.C. U.R.E.C. L.O.C.K. ..U.R. L..h.t. t.p.:./. /.g.o... m.i.c.r.
------------------------------------------ end ------------------------------------
If I wanted to hide something, I would do it better.

11th March 2014, 10:52 AM |#128  
Member
Thanks Meter: 19
Guide worked perfectly for me on my new Z1C. Only did first part though as just wanted root at the minute. Thanks

Sent from my D5503 using Tapatalk
11th March 2014, 03:12 PM |#129  
Member
Thanks Meter: 19
Can someone please tell me how to now boot into recovery. When I turn the phone on I don't get the led lighting up so when I press the volume up button it just boots normally. Also tried ndr tools and again it just boots normally?

Sent from my D5503 using Tapatalk
11th March 2014, 05:03 PM |#130  
zxz0O0
OP Senior Member
Thanks Meter: 5,161
Quote:
Originally Posted by stringy2010

Can someone please tell me how to now boot into recovery. When I turn the phone on I don't get the led lighting up so when I press the volume up button it just boots normally. Also tried ndr tools and again it just boots normally?

Sent from my D5503 using Tapatalk

Try also volume down key. If you can't get into the recovery anymore you probably did some steps wrong (maybe missed step 19.2). If you still have root, you can try with Z1C-lockeddualrecovery(...)installer.zip's install.bat (choose installation on rooted phone).
11th March 2014, 05:23 PM |#131  
Member
Thanks Meter: 19
I figured out what I missed. I didn't select the clean to install new rom option. I completed all the steps again after trying the install.bat again and the only thing I did differently was select that option.

Everything is working like a champ now. Thanks

Sent from my D5503 using Tapatalk