Bounty Z5 Lineup - Root with locked bootloader & working DRM-keys

@All donors so far: Would you agree if I add the Z5 & Z5P to the bounty?

  • Yes: 13 votes (59.1%)
  • No: 9 votes (40.9%)
  • Total voters: 22
  • Poll closed.

kafisc

Update 03-01-2016:
I've decided to extend the bounty for 2 months till March 1st 2016.
I think it's a great phone and it's worth waiting a little longer.
If you do not agree to extend the bounty for another 2 months, please contact me and I will strike you off the donors list.

Update 12-03-2015:
I've decided to open the bounty for the whole Z5 Lineup (including Z5 Compact, Z5 Premium and the Z5).
This thread has been extended to the entire Z5 lineup since throughout it the software similarities abound.
Therefore, an exploit in any device of this series would result in a nearly 100% probability of an exploit in each and every device of the series.
To all donors till 12-03-2015: If you do not agree with opening this bounty for the Z5 Lineup, please contact me and I will strike you off the donors list.

Thank you:
Thank you Pyres for inspiring me to create this thread.
I made this thread for all the Z5 series owners who would like to have their device rooted without losing the DRM functions like Miracast, noise cancelling and the low-light photo enhancing quality algorithms.

Fulfillment
Obtaining root access in order to be able to backup the TA partition.

Requirements
In order to claim this bounty, you will need to fulfill each and every one of these points:
1. Be the first person to create or find a method to obtain root access in any software release (maybe an old release with stagefright leaks can be used) on any device from the Z5 series, without either unlocking the bootloader or compromising (or affecting) the TA partition in any way that could prevent a correct and successful backup of it.
2. Give proof of point #1 by posting an adequate quantity of screenshots to illustrate it, together with step by step instructions, in a fashion such that everyone can follow them and reproduce the exploit;
4. Claim your bounty via PM from pledgers.

List of Pledges so far (The payments will be processed between each member and the bounty collector via PM on an individual basis.)
kafisc - 25€
AiMwasNeD - 20€
mele80 - 10€
Romka_by - 10€
limduldk - 10€
juupke76 - 10€
yannik~ - 15$
williamgrant - 20€
gustav_b - 50€
hispanico957 - 5€
farfetch - 20€
ths_ - 50$
CLShortFuse - 25$
CLShortFuse - 50$ (if also successful on Z5P)
girthmaul - 10$
FlipFlopHHJ - 15€
electusrum - 20€
burk3 - 100$
criscodecookies - 30$
the fez - 19$
UggaBugga - 15€
smartphone-tester - 25€
Ernstjan - 25€
clriis - 20€
qery - 10€
vibo2013 - 15€
lutanica - 15€
schmolch - 20€
the_brad - 10€
the_brad - 20€ (if also successful on Z5P)
Funkmasterchilla - 10€
DeanoBurrito - 50$
Roelosaurus - 4,20€
arjun.arora - 50$ (if also successful on Z5P Dual)
rib king - 20$
orrorin - 20$
camaro322hp - 20$
kanthai - 20$
tgwhth - 20€
thedreamix - 20€
langeveld024 - 20€
marksms - 20€
sxtester - 50€
hartmark - 10€
bahkata - 20€
lpchaz - 10€
xda_shinyda - 10$
xda_shinyda - 5$
inteltecra1700 - 20$
halfblack - 10$
sovanyio - 20$
Aeny - 20€
bruno$0 - 10$ (if the method works on Z3+ too)
[NUMINIT] - 20€ (if it also works on the Z3+/4).
Aeny - 20€ (another 20€)
dayofdoom - 10€
cngn - 100$
whitenight639 - 10€
deaix - 15€
GeramanX - 25$
LazyLucretia - 5$ (for root without bootloader unlock)
LazyLucretia - 25$ (for all DRM functions on unlocked bootloader)
ciopik - 5$
Patrykinfo27 - 5€
jzdhgkd - 10$
indianmeister - 10$
drugone - 10$
Alex2221 - 15€
honam1021 - 30$
spyvsspy - 20$
ASLANOO - 10€
ali112 - 20€
tsolx2001 - 25€
stclem - 10€
Smokey_Steve - 20$
vacuumocean - 40$
theskig - 10€
amadib - 20$
emko7 - 15$
leobiagi - 15$
_________________
Euro pledged so far: 734,20€
Dollar pledged so far: 805$

Rules
1. Before making a post in the thread please refer to the below list to see if your post will be acceptable. If it is not part of this list, your post will be reported and you may risk getting an infraction as per forum moderators.
2. By making a post with your contribution price you are agreeing to paying out based on all terms listed in OP only and nowhere else.
3. Please be advised that if Sony is to release an official method of rooting without unlocking the bootloader or restoring TA partitions lost by officially unlocking the bootloader (extremely unlikely but must be accounted for) prior to any member of XDA's submission, this bounty automatically becomes invalidated.
4. The bounty ends automatically by March 1st 2016 if no one reaches the goal and no pledges will be collected or paid.

Greetings
kafisc
 
1. Be the first person to create or find a method to obtain root access in the latest available software release on the Z5 Compact, without either unlocking the bootloader or compromising (or affecting) the TA partition in any way that could prevent a correct and successful backup of it;

May I ask why it has to be the latest software release? I believe Xperia phones are downgradable, correct me if I'm wrong.
The Z3 root bounty was successful and achieved by downgrading to the earliest version which had an exploit. It's likely that stagefright 2.0 will be needed in conjunction with a future exploit.
 
kafisc

Didn't think about that. You're right. Xperia phones are downgradable as far as I know.
I will change that in the requirements.

Top Liked Posts

    6
    Well, of course I don't know how many have given bounty for zxz, but only a few have said to do so. Zxz has only asked for the bounty once, and no private message about the bounty from OP or zxz.

    I'm not messaging people because I'm not begging. Those who are honest and appreciate my work fulfill their pledge. As of today I received around 250$, thanks to those who kept their word. Of course technically the root tool is also one month late since the OP says the bounty will expire on March 1st.

    It's very common that less than 30% of the actual bounty is donated; that's probably why some devs like jcase started selling their tools.
    6
    I'm a little lost here so correct me if I'm wrong. So with this tool I can backup my TA partition, then I can use another tool by another developer to non-temporary root my device with all DRM functions still working, then if something goes wrong I can flash stock ROM and restore my TA partition to have my DRM keys back, right?

    You can use my tool to backup TA partition. After unlocking bootloader you can use the other tool and it will basically inject your DRM keys from the TA backup to your current TA and make the phone believe the bootloader is actually locked, thus keeping all DRM features intact while having the possibility of booting custom kernels.

    With the TA backup you can also properly relock the bootloader again.
    6
    @ninestarkoko notified me about this bounty. I myself am not using Sony devices anymore, but anyone interested in making a working exploit could refer to the PoC I posted last Dec: https://github.com/idl3r/testcode. It works on Nexus 6P, which shall also work on Z5/Z5P as well. Just a kernel JOP/ROP chain and overwrite the ptmx_fops entry would do the job.