[DEVS] XZ Premium DRM fix - Let's find a solution together (brainstorming)


sToRm//

Senior Member
Jun 24, 2017
524
2,032
Munich
Edit: I DID IT! DRM is fixed...
Here we go: https://forum.xda-developers.com/xz...hack-mod-sony-xperia-xz-premium-twrp-t3695171




Hello forum community,
Hello developer,

Maybe you've read in the last few weeks that I am currently looking for a solution for the limitations after an unlocked bootloader. Previous solutions (DRM recovery by Tobias Waldvogel and others) unfortunately do not work, since various libraries and other system data have changed. There are also various changes in the TrustZone, which cause the previous solutions to no longer work.

For some time I have been busy with the Sony system protection. Although I am very experienced in the field of reverse engineering, unfortunately I have little experience with the procedure on Android systems, especially with Sony.

I would like to take the opportunity in this thread to exchange ideas with other users about the possible solutions. In order to better understand the connections and thus possibly find a gap in the system, it would be good if we share our knowledge about Sony DRM. What files might be patched, what dependencies exist, ...

It would be great if we could work together and maybe get a DRM fix for the XZ Premium.

Cheers!

To the moderators: I hope the thread is okay. If not, please just lightly hit the back of the head. Thank you! :cowboy:
 

cdnutter

Member
Jan 28, 2014
21
11
Fullerton
Thanks for creating a thread for this. I have an interesting question. You may have looked a while back at the one thread with a working Google Camera build. Is there any idea as to why it worked? Maybe instead of fixing DRM, we can work around it.
 

sToRm//

Senior Member
Jun 24, 2017
524
2,032
Munich
Thanks for creating a thread for this. I have an interesting question. You may have looked a while back at the one thread with a working Google Camera build. Is there any idea as to why it worked? Maybe instead of fixing DRM, we can work around it.

Yepp, it's my own thread. ;) The working Google camera is just a compensation for unlocked/rooted users, because after you unlock/root your XZP the camera doesn't work (green pictures). It doesn't work with the fully supported "specials" from Sony. The resolution of the images is smaller, too. The 3rd-party camera apps use their own image processing and/or the API to the system camera. So with Google camera or other apps we can take pictures, but in relatively bad quality, because the resolution for 3rd-party apps is locked by Sony. Other apps use the system camera in a "light mode". So they take pictures without special effects, but with the stock camera you have a green pic after your shot.

So... The big problem is: without hacking/patching/fixing the Sony device security (DRM/TrustZone) we can not use the full features of the camera. I don't understand why Sony is so bad to their customers, because their "special camera algos" are absolutely not interesting to me. But it's really bad to lock down the whole camera (green pictures). If they would only lock their own algos, it would be absolutely okay (because otherwise other vendors could copy them). But Sony... No... That's not the way to keep customers at a company. If I unlock/root my phone, I want to use the hardware like I want to. And if I install my own camera app with its own functions, I don't need the Sony algos. The pictures would be nice, too. I think that's the reason why Sony did that on the XZP...

My idea a few days ago was that we could try to port another camera to the stock XZP firmware. Something like Snapdragon Camera (used in AndroPlus AICP for XZP). But my knowledge about that is too bad. I did a few things to test something like that, but everything I tried crashed. I think we would need to patch the driver, libraries, cameraserver and other binaries to get a fully unlocked camera that works without Sony. I am a freak on Windows systems, web applications and PC software. But on Android I must pass when it comes to "hacks" like these... sorry.

But... okay... let's find a way to "crack" that security (that's my passion on win/web)... anyway. :cool:
 

sToRm//

Senior Member
Jun 24, 2017
524
2,032
Munich
What I have been asking myself for some time is why Sony should make so many changes to the system on a single device. Other devices that were also introduced to the market in the same period can be patched with the Tobias solution. If Sony had made fundamental changes to the security of the devices, then theoretically all new devices would be affected.

I have compared the XZ Premium with the XZ and the XZs. I had to realize that different libraries and applications have changed. And that's the reason why the DRM fix doesn't work in its current form.

The binary file:
/system/bin/secd

The libraries in /system/lib/ :

- libcredential-manager-service.so
- libdevice_security.so
- libsuntory.so


The libraries in /system/lib64/ :

- libcredential-manager-service.so
- libdevice_security.so
- libsuntory.so


These are highly relevant files for the device security in relation to Sony DRM. The "secd" uses "libsuntory" and checks if the keys are stored, active and legit.

The main differences I found, were...

- The secd was merged with other binaries. The old size was ~150 KB and in the XZ Premium it's ~1130 KB. I think they merged functions from old libraries into the file, because they did that to other files, too.

- The old secd uses libtee.so and the new one uses libQSEEComAPI.so. And that's the big problem I think.

I will try to patch the relevant files and test if it works. With a modified libsuntory I was able to manipulate the blob status from "generic error" to "blobs not found". So maybe there is a way to fix this.
 

sToRm//

Senior Member
Jun 24, 2017
524
2,032
Munich
Hahaha...

Nice job Sony! I patched the whole libsuntory.so to get "all fine here" everywhere (~300 patches in ONE f*** library!). Halfway it's working and I was really happy to be on the right way - I can manipulate the status of CKB. Buuuuuuuuuuut....

If I am right in my thinking, then Sony uses backup tests and checks if there is some "huj huj huj" (you would laugh... that's really literally there in the functions) ongoing on the phone. So there (maybe) are backup tests in the TrustZone and in other system files, too. And the annoying part is that if the system recognizes manipulations in relation to the security, some things will be dropped in hidden zones. After that the HUK is f*** up and the camera shows the typical "camera is used by another application" error. Funny is: also the Google camera doesn't work anymore (green pics... hahaha). The only way to fix it is flashing the system partition. Simply restoring the original files doesn't work.

But... okay... That would have been tooooo easy. So let's check some other files, too. It's almost weekend and I think there will be a bit more time for some crazy things like this. ;)

Why are you all so quiet? :)
 

dazza9075

Senior Member
Jul 22, 2007
2,854
490
Glasgow
What's required is someone to take the lead and to distribute work. Create a list of possible avenues or things to look into and let folk who have the ability to see what's going on then use that list to support the project.
 

mirhl

Senior Member
Oct 15, 2012
3,079
1,151
Maybe you've read the last few weeks already that I am currently looking for a solution for the limitations after an unlocked bootloader. Previous solutions (DRM recovery by Tobias Waldvogel and others) unfortunately do not work, since various libraries and other system data have changed.
You might want to check the actual more recent one tbh.

You still need a root exploit for TA backup in the first place (and the lesser kernel being 4.4.21, it's not exactly a cakewalk), but still
 

sToRm//

Senior Member
Jun 24, 2017
524
2,032
Munich
You might want to check the actual more recent one tbh.

You still need a root exploit for TA backup in the first place (and the lesser kernel being 4.4.21, it's not exactly a cakewalk), but still

My goal is to find a solution for already unlocked/rooted users (like me). A backup of the TA is useless if the BL was unlocked before. So we have to find a way to simulate the key(s) or to crack the device security and gain uncontrolled access to functions in the TZ. It would be really nice if we could find a way to get temp root on unlocked devices, to dump the TA and get the original keys to mount them later. But there are a lot of users that have already unlocked. :)
 

mirhl

Senior Member
Oct 15, 2012
3,079
1,151
Oh I see what you mean here. A noCD instead of emulating protection.
I hope you'll release as much info as possible ?
 

sToRm//

Senior Member
Jun 24, 2017
524
2,032
Munich
He said, if the bootloader has been unlocked already there's no point in backing up TA as the keys are already gone.

Yeeeeepp... :) So, why should I back up the TA and mount it if the key is already gone? If the key were stored in a place somewhere and unlocking the bootloader only made that place inaccessible, then a relock, export and mount of the TA would be interesting for already rooted users. But if there is no key in the backed-up TA, mounting it is useless. That's what I mean. :) I want to find a way to get the device thinking there is a valid key in the TA. Maybe it's possible with patching some system files.

@all
Is there somebody with a locked XZ Premium?

I would need a /system/build.prop file from an untouched phone with working keys.

A friend wants to buy the XZP, too. Maybe I can get her phone to do some research on an unlocked system. I only have to persuade her :laugh:
 

zxz0O0

Senior Member
Apr 18, 2011
1,534
5,159
The device key is used to decrypt credentials for various Sony apps. On older Sony phones (e.g. Z3C), there are over 200 credentials. While the device key is device specific, these credentials are not. The DRM fix works by hardcoding these credentials and hooking the function to return them when they are requested. The original function would fail to get the credentials because the device key is missing.

Maybe Sony changed these credentials / added additional ones and that's why the drm fix is not working anymore.
 

sToRm//

Senior Member
Jun 24, 2017
524
2,032
Munich
The reason why I asked for the build.prop is, that there are some properties which are checked in the secd. When I change them, the FIDO_KEY and ATTEST_KEY change from "Not provisioned" to "Provisioned" in the service menu.

Changed:
Code:
# FIDO key provision state and version
persist.keyprovd.fido.prov=false
persist.keyprovd.fido.version=0

# Attestation Key provision state and version
persist.keyprovd.attest.prov=false
persist.keyprovd.attest.version=0

# Suntory BLOBs have been processing state
persist.keyprovd.suntory.prov=false

to:

Code:
# FIDO key provision state and version
persist.keyprovd.fido.prov=1
persist.keyprovd.fido.version=0

# Attestation Key provision state and version
persist.keyprovd.attest.prov=1
persist.keyprovd.attest.version=0

# Suntory BLOBs have been processing state
persist.keyprovd.suntory.prov=1

Strange...
 

Top Liked Posts

    Hey my friends...
    Please, do the following...


    1. Listen to this...
    https://www.youtube.com/watch?v=NMGqbXiAY20

    2. Open the spoiler...
    I... DID... IT... !!!
    DRM is FIXED!
    Hahahaaaaa... I never give up... Like I said...
    I will do some testing. After that I will make a flashable kernel and flashable patch.

    :cowboy::cool:
    Hahahahaha.... Hey dudes...

    I spent some time this night. And... ahm... I found a way to patch system files without losing functionality (like I reported a few weeks ago). So... now I am able to get things done MY WAY! And you should know that MY WAY works 99.9999% of the time. And you know what? I will pwn that b***...

    Sony you are out of the comfort zone... Hahaha...
    This one is one which I need to simulate:

    Code:
    int __fastcall sub_18A00(int a1, unsigned int a2)
    {
      int v2;
      bool v3;
      unsigned int v4;
      int v5;
      int v6;
      int v7;
      int v8;
      int v10; // [sp+10h] [bp-30h]@6
      int v11; // [sp+14h] [bp-2Ch]@7
      unsigned int v12; // [sp+18h] [bp-28h]@4
      int v13; // [sp+1Ch] [bp-24h]@4
      int v14; // [sp+20h] [bp-20h]@4
      int v15; // [sp+24h] [bp-1Ch]@4
    
      v2 = a2 <= 0;
      if ( a1 )
        v3 = a2 <= 0;
      else
        v3 = 0;
      v4 = a2;
      v12 = 0;
      v13 = 0;
      v5 = a1;
      v14 = 0;
      v15 = 0;
      if ( v3 )
      {
        v6 = 0x800C0002;
      }
      else
      {
        if ( sub_1C6D8(0x7DA, &v13, &v10) < 0 || sub_1C6D8(0x851, &v14, &v11) < 0 )
          goto LABEL_28;
        if ( !v5 )
          v2 |= 1u;
        if ( v2 )
        {
          if ( sub_1C6D8(0x8B2, &v15, &v12) < 0 )
          {
            v15 = 0;
            v12 = 0;
          }
        }
        else
        {
          v15 = v5;
          v12 = v4;
        }
        v6 = sub_1ED38(v7C8457EC, v13, v10, v14);
        if ( v6 < 0 )
    LABEL_28:
          v6 = 0x8008000A;
        if ( v13 )
          sub_1BC18(v13, v7, v8);
        if ( v14 )
          sub_1BC18(v14, v7, v8);
        if ( !v5 && v15 )
          sub_1BC18(v15, v7, v8);
      }
      return v6;
    }

    The function uses 3 units from the trim area: 0x8b2, 0x7da and 0x851

    Units from trim area (hex):
    0x8b2 (this unit is the plain-text unlock key received from Sony: A676046F27115134, and it replaces unit 0x1046b when the bootloader gets unlocked)
    Code:
    41 36 37 36 30 34 36 46 32 37 31 31 35 31 33 34

    0x7da (this is in most cases the signed configuration):
    Code:
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

    0x851 (certificate):
    Code:
    02 00 09 07 DA 27 0F 00 15 02 4E 00 03 BC 00 01 02 B5 02 B3 30 82 02 AF 30 82 01 97 A0 03 02 01 02 02 01 04 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 17 31 15 30 13 06 03 55 04 03 14 0C 53 31 5F 52 6F 6F 74 5F 36 37 33 32 30 1E 17 0D 31 32 31 32 30 37 30 39 33 35 32 31 5A 17 0D 33 32 31 32 30 39 30 39 33 35 32 31 5A 30 10 31 0E 30 0C 06 03 55 04 03 14 05 53 31 5F 53 4C 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 BD 82 BF A7 83 24 B4 8A C8 E9 3E D0 4D 31 66 EF CA F7 48 6E 57 EC 5C B8 DB CB 75 6C 77 6D 7B 70 01 C2 82 7D 73 B8 5B 84 45 CB A4 43 C7 0D B1 EF 3E 6E 57 F0 C9 ED 46 87 7E C9 CE 20 06 EC 98 4B 35 40 C2 FA 3C BA 48 48 10 49 98 53 8F 0B 9F C8 5D F6 87 FB 55 C8 E2 8E 20 5C B3 D9 8D 91 A3 77 A6 DF 91 6C 3D 32 C2 38 CA F7 BC 40 B1 58 CD A8 FF BF 63 CD B0 DF 60 DE EA 54 87 3D 90 FF CA 5F F7 50 46 C6 42 1A CD DF 06 4E 9A E1 03 1F 50 F7 C9 12 AC B0 5C 51 1D 62 05 DB F6 F2 9C 70 D9 0C D3 3A 14 DF 2B FF EF 8D 47 5A A5 2C 91 1E 6C 97 A8 0E F1 69 A8 79 E3 66 29 24 70 46 98 BB 38 30 54 7B 78 0D B5 0A AD CF 13 4B E9 59 41 8B 06 50 36 01 0E 73 65 D0 17 24 40 9B 25 4C DA 25 DC 2A 4A C2 6D BA 5C 26 C0 99 2D 11 41 C4 85 6E C7 34 AC E9 91 8B 4A 58 A8 8A F8 18 CF 11 12 12 5F 47 02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 75 83 DF A2 FF 11 4F 09 60 DC BA 2B 2D E3 07 3F 31 EE C1 2B 58 38 67 A8 57 75 C5 E9 1D B6 06 57 B4 A2 DD AF 2E 84 82 E8 94 B9 B6 D2 9A 8B 35 68 42 12 D4 EC 9D 3B D0 56 2A 74 EA 50 EA 49 F7 33 5E 74 CA CA 2F 95 64 03 5C 88 98 67 37 88 56 CC 2C 62 01 3A B3 09 CD 84 EC AF FA 09 95 80 BE 9B 3C 3A 53 2D F7 DA EC 15 CC E4 80 04 C4 A0 08 DC B5 14 FF 42 66 10 F5 0C B4 5F 25 0D 08 55 F9 A0 E5 13 3B 26 3E 11 8D 4D 8D 6D C4 0B BE 75 44 6F CA 14 2E CB A4 C0 3D 45 4D 07 EC 25 A7 DB 4E 09 D7 76 5D 41 36 9D E0 74 AE B3 AC 16 B2 09 74 E9 5A 70 14 13 10 D4 86 09 4A B0 DE A6 BE A6 7F CC 21 74 13 1A E3 7C 55 96 B5 2F 6F CC 19 A8 2C 26 4D 68 
05 04 83 21 4D 34 C6 9C 0C FA B6 BA BF FF 99 BA 0C 3F 05 2E DC 14 3F 9C DF 78 04 28 E1 87 3D 1E B5 CA 5B F0 C3 CE B7 DF 34 9C A6 AA 61 C2 02 01 00 6F 78 5A 78 E2 8E 48 88 7E F9 15 96 CB 9C 83 E1 0F C6 2F 68 51 2D CA 9E D7 84 CB 3F C1 E0 C0 05 B6 AD 24 53 E9 70 10 EA 18 A2 46 49 81 74 97 BC CA 51 10 E6 02 9F AB 69 D7 50 07 70 69 17 20 DA 04 99 65 CC C8 B2 00 2E 37 28 35 70 C1 59 2E 56 14 F9 DF 9E 9A E8 40 70 37 94 A8 FE 70 3E 77 2B DD 41 A9 E2 55 21 A8 D0 B0 ED C3 32 8F FD 56 64 6F 6E B0 19 8F 3C F2 C2 12 2D D9 24 DF E1 0A 5C 6B DB A7 E3 2D 79 DC 52 B7 BC D6 5B AA F3 12 7B C3 67 D1 63 76 DB 75 A2 F2 F0 45 84 20 C5 83 B8 92 55 C6 F0 A0 70 22 4E 77 90 25 38 6A 36 1A 4B 4D DB 4B 15 65 A5 CF 4A 29 B9 E9 C6 AE 50 B9 F5 D6 B9 11 DF 23 59 F7 5B 27 3F 2B 3C 53 35 6B B4 FF 5B 96 2A 22 93 04 E3 DE 91 71 E1 58 E8 82 13 9D C6 52 39 17 A6 DE 67 FD B4 E0 E6 A6 7A 3B 13 11 E7 C0 3D D4 B6 E0 C5 0D 01 86 50 98 10 13 4C

    This one is easy to simulate and it is clear! RCK_H from unit 0x7da: RCK_H="4EDC202F48498DE3AE760F2BA845C975C1D0C6CB0EB4C5F0AC1D7F96E4B2BBE2" is the SHA-256 hash of unit 0x8B2! I can simulate that very simply using openssl; the SHA-256 hash of unit 0x8b2 is exactly the same as RCK_H. But the function above is still not clear to me; the function uses those 3 units somehow in a different way. For example, if we change ROOTING_ALLOWED="1" to ROOTING_ALLOWED="0" a hard brick happens, so that's an indication that the function checks these things in a different way. That's why I need to simulate things using openssl, just for understanding it. I have tried many things simulating unit 1046b to get the rch_h hash; I have no idea what the use of 1046b is, and no idea how to simulate 1046b :(


    This one is the main thing which I need to understand/simulate; I have no idea how:
    ///////////////////////////////////////////////////////////////////////////////////////////////////////////////
    Drm key (unit 0x1046b):
    Code:
    F9 9D 9B 12 4C A1 F7 75 D4 DB C8 C5 31 13 E4 34

    Can this help you? What is unit 0x1046b here (in case the bootloader is locked && unit 0x8b2 didn't replace unit 0x1046b)? And finally the thing which confuses me: what is that unit 0x1046b then, is it a hash??? Can we simulate the whole thing using openssl, just for better understanding??

    Unit 0x8b2 is empty on my TA (unlocked).
    Unit 0x1046b is empty, too.





    Wait... Ahm...

    Unit 0x1046b (66667) is the unique device key, right? But... Who said that this key is deleted when we unlock the device? I bet it's not irreversibly deleted. Just moved to another place. If you are a vendor of smartphones and you know that a lot of customers will try to root the device and send it for repair if it fails, or maybe something else would f*** up the device security (bugs in firmware, apps from Sony, ...), you wouldn't be so dumb as to send the unique key to hell. You would move it to another place and give your service team the relevant tools to reconfigure the TA with the working key.

    Take a look at this:
    Let's be a bit nooby and do a primitive compare between an untouched TA image and an unlocked TA image from the same device (Xperia X Performance).

    TA.img (clean / locked): Unit 0x1046b => @ offset+ 0x000420A8:
    Code:
    B8  1F  52  03  D0  39  6C  60  85  C0  A9  9D  FE  4F  D1  B8
    Wohooo key is there, no problems at all.


    TA.img (clean / unlocked): Unit 0x1046b => @ offset+ 0x000420A8:
    Code:
    10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
    Oh dammit... Now I'm really f***ed up. My key is gone forever. I will end my life, because it's useless without 19mp selfies.

    Okay.... We would think the system has written this unit and the key is lost.
    But... Wait... I remember my theory and oh, what's this?

    TA.img (clean / unlocked): @ offset+ 0x00089688:
    Code:
    B8  1F  52  03  D0  39  6C  60  85  C0  A9  9D  FE  4F  D1  B8

    Stop! Sony... Are you kidding me? Wait... I'm sure it's just some other useless part in the TA and I bet it's there in the original locked clean TA, too. Sure... it's a coincidence. But I'm dumb, so I will take a look at the locked TA, just to be sure it's a coincidence.

    But... Wait...

    TA.img (clean / locked): @ offset+ 0x00089688:
    Code:
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    Now.... THIS is interesting!

    Fact:
    The unique device key (drm key) is in unit 0x1046b on a fresh locked device. The key is found only ONCE in the locked device! If we unlock the bootloader, unit 0x1046b will be overwritten, and also a lot of things around it. But if we search for the key in the unlocked TA, we will find it! In an area that is empty on locked devices. And there is a lot of interesting stuff around it. Looks like the credentials db.

    I will take a deeper look at this. Maybe it's nevertheless possible to reconstruct the TA and mount it with a modified boot image (-> ta_poc).

    I'm just rubbing my hands now. That's really interesting stuff! :laugh:
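The quoted post asks whether unit 0x851 can be taken apart with openssl to understand what the function is checking; a standard-library DER walker does the same job offline and shows what the unit actually carries. The following is an added example, not code from the thread or from Sony: it embeds the start of the 0x851 dump quoted above (the 20-byte unit header, treated here as opaque because the thread does not say what it means, followed by the 691-byte DER certificate; the bytes after the certificate in the dump are left out), locates the certificate inside the unit, and decodes issuer, subject, serial, validity, RSA key size and signature algorithm.

```python
"""Decode the X.509 certificate in TA unit 0x851 with a minimal DER walker (added example).

UNIT_0X851_HEX is the start of the 0x851 dump from the post: 20 bytes of unit header
(treated as opaque here) followed by the 691-byte DER certificate; the bytes that
follow the certificate in the dump are left out."""
from typing import Dict, List, Tuple

UNIT_0X851_HEX = (
    "02000907DA270F0015024E0003BC000102B502B3308202AF30820197A0030201"
    "02020104300D06092A864886F70D01010B05003017311530130603550403140C"
    "53315F526F6F745F36373332301E170D3132313230373039333532315A170D33"
    "32313230393039333532315A3010310E300C0603550403140553315F534C3082"
    "0122300D06092A864886F70D01010105000382010F003082010A0282010100BD"
    "82BFA78324B48AC8E93ED04D3166EFCAF7486E57EC5CB8DBCB756C776D7B7001"
    "C2827D73B85B8445CBA443C70DB1EF3E6E57F0C9ED46877EC9CE2006EC984B35"
    "40C2FA3CBA4848104998538F0B9FC85DF687FB55C8E28E205CB3D98D91A377A6"
    "DF916C3D32C238CAF7BC40B158CDA8FFBF63CDB0DF60DEEA54873D90FFCA5FF7"
    "5046C6421ACDDF064E9AE1031F50F7C912ACB05C511D6205DBF6F29C70D90CD3"
    "3A14DF2BFFEF8D475AA52C911E6C97A80EF169A879E3662924704698BB383054"
    "7B780DB50AADCF134BE959418B065036010E7365D01724409B254CDA25DC2A4A"
    "C26DBA5C26C0992D1141C4856EC734ACE9918B4A58A88AF818CF1112125F4702"
    "03010001A30D300B30090603551D1304023000300D06092A864886F70D01010B"
    "050003820101007583DFA2FF114F0960DCBA2B2DE3073F31EEC12B583867A857"
    "75C5E91DB60657B4A2DDAF2E8482E894B9B6D29A8B35684212D4EC9D3BD0562A"
    "74EA50EA49F7335E74CACA2F9564035C889867378856CC2C62013AB309CD84EC"
    "AFFA099580BE9B3C3A532DF7DAEC15CCE48004C4A008DCB514FF426610F50CB4"
    "5F250D0855F9A0E5133B263E118D4D8D6DC40BBE75446FCA142ECBA4C03D454D"
    "07EC25A7DB4E09D7765D41369DE074AEB3AC16B20974E95A70141310D486094A"
    "B0DEA6BEA67FCC2174131AE37C5596B52F6FCC19A82C264D68050483214D34C6"
    "9C0CFAB6BABFFF99BA0C3F052EDC143F9CDF780428E1873D1EB5CA5BF0C3CEB7DF349CA6AA61C2"
)
OID_CN = bytes.fromhex("550403")                      # id-at-commonName
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption
TLV = Tuple[int, int, int]                            # (tag, value_start, value_end)

def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int, int]:
    """Decode one DER tag/length at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element at offset %d" % pos)
    return tag, pos, end, end

def children(buf: bytes, start: int, end: int) -> List[TLV]:
    """Split the content of a constructed element into its child elements."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve, pos = read_tlv(buf, pos)
        out.append((tag, vs, ve))
    if pos != end:
        raise ValueError("child elements overrun their parent")
    return out

def find_certificate(unit: bytes) -> bytes:
    """Return the first SEQUENCE in the unit shaped like Certificate {tbs, sigAlg, BIT STRING}."""
    for i in range(len(unit) - 4):
        if unit[i] != 0x30 or not unit[i + 1] & 0x80:   # a certificate always needs a long-form length
            continue
        try:
            _, vs, ve, _ = read_tlv(unit, i)
            tags = [t for t, _, _ in children(unit, vs, ve)]
        except (ValueError, IndexError):
            continue
        if tags == [0x30, 0x30, 0x03]:
            return unit[i:ve]
    raise ValueError("no certificate found in unit")

def name_cn(buf: bytes, name: TLV) -> str:
    """commonName of an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rs, re_ in children(buf, name[1], name[2]):
        for _, as_, ae in children(buf, rs, re_):
            oid, val = children(buf, as_, ae)
            if buf[oid[1]:oid[2]] == OID_CN:
                return buf[val[1]:val[2]].decode("latin-1")  # T61String in this cert, plain ASCII
    return ""

def parse_certificate(cert: bytes) -> Dict[str, object]:
    """Pull the fields of a DER Certificate that matter for a trust decision."""
    _, vs, ve, _ = read_tlv(cert, 0)
    tbs, sig_alg, _sig = children(cert, vs, ve)
    f = children(cert, tbs[1], tbs[2])
    i = 1 if f[0][0] == 0xA0 else 0                     # optional [0] EXPLICIT version
    version = cert[f[0][2] - 1] + 1 if i else 1          # single-octet INTEGER in practice
    nb, na = children(cert, f[i + 3][1], f[i + 3][2])    # validity {notBefore, notAfter}
    _alg, bits = children(cert, f[i + 5][1], f[i + 5][2])  # subjectPublicKeyInfo
    _, ps, pe, _ = read_tlv(cert, bits[1] + 1)           # skip the BIT STRING's unused-bits octet
    modulus, exponent = children(cert, ps, pe)           # RSAPublicKey {n, e}
    sig_oid = children(cert, sig_alg[1], sig_alg[2])[0]
    return {"version": version, "serial": int.from_bytes(cert[f[i][1]:f[i][2]], "big"),
            "issuer_cn": name_cn(cert, f[i + 2]), "subject_cn": name_cn(cert, f[i + 4]),
            "not_before": cert[nb[1]:nb[2]].decode("ascii"), "not_after": cert[na[1]:na[2]].decode("ascii"),
            "rsa_bits": int.from_bytes(cert[modulus[1]:modulus[2]], "big").bit_length(),
            "rsa_e": int.from_bytes(cert[exponent[1]:exponent[2]], "big"),
            "sha256_rsa": cert[sig_oid[1]:sig_oid[2]] == OID_SHA256_RSA}

def decode_unit_0x851(hex_dump: str = UNIT_0X851_HEX) -> Dict[str, object]:
    """Hex text of the unit in, decoded certificate fields out."""
    return parse_certificate(find_certificate(bytes.fromhex("".join(hex_dump.split()))))
```

Run `decode_unit_0x851()` and the leaf comes out as CN=S1_SL, issued by CN=S1_Root_6732, serial 4, valid 2012-12-07 to 2032-12-09, a 2048-bit RSA key with e=65537, signed with sha256WithRSAEncryption. Feeding the bytes returned by `find_certificate` to `openssl x509 -inform DER -text` gives the same answer, which is a quick way to confirm that a hand-typed hex dump is intact before reasoning about what the function does with it.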
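The comparison described in this post (read the 16 bytes at unit 0x1046b's offset in the locked image, then look for the same bytes anywhere in the unlocked image and list everything else that changed) is easy to script, so it can be repeated for other units. This is an added example and not the poster's tool: the two images it builds are constructed stand-ins using the offsets, the key bytes and the 0x10 filler quoted above; the 1 MiB image size is an assumption and not a fact from the thread.

```python
"""Track a value that moved between two TA dumps (added example, constructed sample images)."""
from typing import Dict, List, Tuple

DEVICE_KEY = bytes.fromhex("B81F5203D0396C6085C0A99DFE4FD1B8")  # unit 0x1046b payload from the post
UNIT_OFFSET = 0x000420A8   # where the post found unit 0x1046b's payload in TA.img
MOVED_OFFSET = 0x00089688  # where the same 16 bytes reappeared in the unlocked image
TA_SIZE = 0x00100000       # assumption: 1 MiB stand-in size for the sample images below

def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed stand-ins for the locked and unlocked TA.img compared in the post."""
    locked = bytearray(TA_SIZE)
    locked[UNIT_OFFSET:UNIT_OFFSET + 16] = DEVICE_KEY
    unlocked = bytearray(TA_SIZE)
    unlocked[UNIT_OFFSET:UNIT_OFFSET + 21] = b"\x10" * 21    # unit wiped with 0x10 filler
    unlocked[MOVED_OFFSET:MOVED_OFFSET + 16] = DEVICE_KEY      # ...and the key turns up elsewhere
    return bytes(locked), bytes(unlocked)

def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in haystack (overlapping hits included)."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits

def changed_ranges(a: bytes, b: bytes, chunk: int = 4096) -> List[Tuple[int, int]]:
    """[start, end) spans where two equal-sized images differ; chunked so large dumps stay fast."""
    if len(a) != len(b):
        raise ValueError("images differ in size (%d vs %d)" % (len(a), len(b)))
    ranges: List[Tuple[int, int]] = []
    start = None
    for base in range(0, len(a), chunk):
        ca, cb = a[base:base + chunk], b[base:base + chunk]
        if ca == cb:                       # identical chunk: close any open span
            if start is not None:
                ranges.append((start, base))
                start = None
            continue
        for i, (x, y) in enumerate(zip(ca, cb)):   # differing chunk: scan byte by byte
            if x != y:
                start = base + i if start is None else start
            elif start is not None:
                ranges.append((start, base + i))
                start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def track_unit_value(locked: bytes, unlocked: bytes, offset: int, length: int = 16) -> Dict[str, object]:
    """Read a unit's payload from the locked image, then report where it lives in both images."""
    value = locked[offset:offset + length]
    return {"value": value.hex().upper(),
            "locked_hits": find_all(locked, value),
            "unlocked_hits": find_all(unlocked, value),
            "still_in_place": unlocked[offset:offset + length] == value}

if __name__ == "__main__":
    locked_img, unlocked_img = build_sample_images()
    print(track_unit_value(locked_img, unlocked_img, UNIT_OFFSET))
    print([(hex(s), hex(e)) for s, e in changed_ranges(locked_img, unlocked_img)])
```

On real dumps, replace `build_sample_images()` with two `open(path, "rb").read()` calls and feed every unit offset you care about to `track_unit_value`; `changed_ranges` then gives the list of regions to inspect for the "interesting stuff around it" the post mentions, without eyeballing a hex editor.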