[Guide] How to root Z5C - the new, less painful way (using dirtycow exploit)

mhaha

Why yet another guide? Why should you follow this guide?
This is more of a future reference for myself, but might be beneficial to some other people, hence why I decided to post it.

Thanks to the "dirty cow" exploit (CVE-2016-5195), we now have a simpler way of backing up the TA partition compared to existing guides, which all relied on another exploit that involved downgrading the firmware, thus making the whole process a bit more complicated.
Unfortunately, as you can probably tell, it's still not a painless ordeal, just "less" painful. But hey, at least you have a choice.

To keep this step-by-step walkthrough guide simple and straightforward, I am focusing on just the steps and skipping the explanations.
Let's get started!

Prerequisites
  • Important: Your phone must be vulnerable to the "dirty cow" exploit, any firmware version with security patch level 2016-12-01 or earlier should work, such as 32.2.A.5.11. Basically, any MM or LP firmware.
    Currently there is no way of backing up the TA partition on Android 7.0 Nougat firmware, you will need to downgrade to MM or earlier firmware first.

    Remember to backup all your data before you downgrade, since a downgrade is akin to a factory reset. Downgrade instructions:
    1. Follow Step 0, skip Step 1 and 2
    2. In Step 3, download a MM or LP version firmware. For the sake of simplicity, I suggest you download the one labeled Storefront.
    3. Follow Step 4 and 5
    4. Done, your phone is now downgraded, skip the remaining steps. Continue with the guide as usual from Step 1
    Note: If the DRM keys are irrelevant to you (TA partition already backed up/restored/lost) and would just like to root, then you can root using this guide on all firmware versions including Android 7.0 Nougat without downgrading. In this case, you can skip Step 1 and Step 7. Depending on your situation, you can also skip other parts of this guide, such as Step 2 if your bootloader is already unlocked, or in Step 5 don't wipe anything (leave all boxes unchecked) to retain your apps and data for a firmware upgrade.
  • Computer setup with correct drivers and adb/fastboot connection ability.
  • Enable USB debugging on the phone:
    1. Settings > About phone > Tap multiple times on Build number until Developer options is enabled
    2. Settings > Developer options > USB debugging > Toggle ON
  • XperiFirm for downloading official Sony firmware directly from Sony's servers
  • Flashtool for flashing firmware
  • Battery preferably more than 80% remaining, loss of power while flashing can brick your phone

Step 0 - Backup your phone (optional)
  • Move all your data to your SD card using the native tool: Settings > Storage > Transfer data to SD card
  • Use Sony's Backup & restore app to make a backup: Settings > Backup & reset > Xperia Backup & restore > More > Manual backup > Select SD card > Select content to backup
    Personally, I choose everything except apps, they can be re-downloaded from the Play Store at any time, plus they take a long time to backup and restore not to mention eats up free space

Step 1 - Backup the TA partition
  • Download this wonderful TA Backup tool, unzip to desired location
  • With the phone powered on, connect the USB cable to the computer, then plug the micro USB end to the phone
  • Open command prompt (Start > Run > cmd), navigate to the directory where you unzipped the TA Backup tool
  • Run the following command:
    Code:
    backupTA
    The tool will run and if successful, you should see at the bottom the words "TA Successfully pulled to TA_E5823.img".
    TA_E5823.img is the TA partition image file, actual filename will be longer and differ for everyone so to keep it simple we'll just refer to it as TA_E5823.img in this guide.
  • Please check that the file is 2,097,152 bytes. If not or file is missing, then the backup has failed.
    If it fails, just run the tool again a few times, or try rebooting your phone then rerun the tool. If you just can't get it to work, seek help from the tool thread.

Step 2 - Unlock the boot loader
  • Visit Sony's website and follow the instructions carefully
    Important: Pay attention to the warnings. No, really, unlocking the boot loader will wipe your DRM keys (hence the need to back them up in Step 1) and trigger a factory reset, erasing everything on your phone.
  • After you've successfully unlocked the boot loader, unplug your phone and leave it powered off

Step 3 - Download stock firmware
  • Run XperiFirm, locate the correct Xperia Z5 Compact version of your phone (E5803/E5823) and download the firmware of your choice.
    General recommendation is to download the "Customized" version that's available for your country.

Step 4 - Create a FTF file from the firmware
  • Open Flashtool
  • Tools > Bundle > Create
  • Select source file > Locate the folder where you saved the firmware from XperiFirm in step 3 > You should see your device name appear automatically in Device and the folder list below populated
  • Branding > The same as Operator in XperiFirm, e.g. Customized AU
  • Version > The version you downloaded, e.g. 32.2.A.5.11
    Hint: Both Branding and Version information is in the folder name
  • In folder list, select the first item, hold SHIFT and select the last item so that all items are highlighted, then click the "->" button > The folder list should now be empty, and the Firmware content field populated
  • Click Create, if successful you will see "Bundle creation finished"
    Note: The FTF file is saved to %userprofile%\.flashTool\firmwares by default

Step 5 - Flash the FTF file
  • Click the lightning symbol in Flashtool > Flashmode
  • Source folder should be pre-selected to the default location mentioned above and "Sony Xperia Z5 Compact" listed in Firmwares
  • Expand all the arrows and select the version number
  • Under Wipe/Sin check all options (APPS_LOG, DIAG, SSD, USERDATA), leave all other options unchecked
  • Click Flash, wait for an instruction prompt to pop up
  • Plug the USB cable to your computer if it isn't already plugged
  • Turn off your phone if it isn't powered off, hold the VOLUME DOWN button while connecting the micro USB end to your phone. Keep the VOL DOWN button held until the prompt disappears, which indicates that Flashtool has detected it and is correctly in flashmode.
  • Flashtool will begin flashing the firmware automatically. It can take a long time, 10~15 minutes is normal, wait until completed
  • Unplug your phone and do not power it on yet

Step 6 - Patch the kernel
  • Download this awesome rootkernel tool, unzip to desired location.
  • Extract the kernel image file kernel.sin from the FTF file using any file compression program such as 7zip, WinZip, WinRAR, etc.
  • Open Flashtool > Tools > Sin Editor > Sin file > Locate the kernel you just extracted > Click Extract data. You should now have a file named kernel.elf in the same folder
  • Copy kernel.elf to the rootkernel folder
  • Download the latest stable version of the SuperSU ZIP file and copy the entire ZIP file to the rootkernel folder. Do NOT unzip it!
  • Rename the SuperSU ZIP file name so that it starts with SuperSU (case sensitive) instead of UPDATE-SuperSU, e.g. SuperSU-v2.79-20161211114519.zip
    Note: if you're patching Nougat firmware, you may want to use phh's superuser instead of SuperSU due to potential battery drain. See rootkernel thread for more info. If you use phh's superuser, you will need to install the apk from the Play store after Step 8.
  • (optional) Download the latest Xposed framework ZIP file and copy it to the rootkernel folder. Do NOT unzip it!
    Note: this only works with rootkernel v5.0 or later, if you're using an earlier version of the rootkernel tool, skip this and skip Step 9
    At time of this edit (2017/2/22), Xposed does not support Android 7.0 (Nougat), so if you're trying to patch a Nougat kernel, do not include xposed. You can check the official Xposed thread for latest announcements to see if it's supported
  • Open command prompt and navigate to the rootkernel directory
  • Enter the following command:
    Code:
    rootkernel kernel.elf boot.img
    You will be prompted to make a series of choices, including whether you want to install SuperSU and Xposed. Type Y for all of them.
    If you didn't see the prompt for SuperSU (required) or Xposed (optional), check the filename of the ZIP files. Remember they're case sensitive.
  • You should now have a boot.img file in the rootkernel folder, that is your rooted kernel

Step 7 - Flash the DRM keys (one-time procedure)
tobias.waldvogel (rootkernel developer) said:
Flashing this file with flashtool will write your device key to an alternative unit, from where the drmfix library will pick it up.
This is a one-time task. It will survive a complete reset of the phone or Android system upgrade.
  • Copy the TA backup file TA_E5823.img from Step 1 to the rootkernel folder, then enter the following command in command prompt:
    Code:
    flash_dk TA_E5823.img DK.ftf
    This will create a DK.ftf file in the rootkernel folder
  • Open Flashtool > Click the lightning symbol > Flashmode > Source folder > Locate the rootkernel folder
  • "Sony Xperia Z5 Compact" should appear under Firmwares, expand the arrows until you see DeviceKey and 1.0. Select 1.0, click Flash and wait for an instruction prompt to pop up
  • Hold the VOLUME DOWN button while connecting the micro USB end to your phone. Keep the VOL DOWN button held until the prompt disappears, which indicates that Flashtool has detected it and is correctly in flashmode.
  • Wait until operation is completed, then unplug the cable from your phone. Do not power on yet

Step 8 - Flash the kernel
  • Hold the VOLUME UP button and plug in the micro USB cable. Wait until the LED indicator turns blue, then release the VOL UP button.
  • Enter the following command in command prompt to flash the rooted kernel:
    Code:
    fastboot flash boot boot.img
  • After completion, congratulations, you've successfully rooted your phone!
    Now you can turn on your phone, the first boot will take a very long time to initialize, don't worry.
    If you see the boot animation for more than 30 minutes, then it's time to worry. First try again from Step 6, and if you still can't complete boot, go up a step starting from Step 5. If that still fails, start over from Step 3.

Step 9 - Finish installation of Xposed (optional)
In Step 6, if you chose to include the Xposed ZIP file, which means you want to install Xposed, then there's one more step to complete the installation.
  • Download the unofficial Material Design Xposed Installer.
    Currently, this is the only Xposed Installer that works with the systemless Xposed integration method used by the rootkernel tool. Using the official Xposed Installer will not work.
  • Go to Settings > Security > Unknown sources > Toggle ON
  • Copy the Xposed Installer apk to your phone and install it.
  • Done!

Personal list of xposed modules to install for self reference. This is in no way a recommendation list, your preferences will vary.

Amplify
Android Phone Vibrator
App Locale
BootManager
Disable Low Battery Notifications
DynamicAlarmIcon 2
HideBatteryLowAlert
Keep Trash (broken at the moment)
Lockscreen Album Art Remover
MinMinGuard
NeoPowerMenu
NoHeadsetNotification
Ringer and Notification Volume Unlink
RootCloak
Use USB for Marshmallow V 1.2
XperiaFMwoHS
Xposed Torch: Physical keys
Youtube AdAway


Bonus - How to unroot/fully restore DRM/return to 100% factory state

 

Malcolm143

Fantastic guide, Thank you very much for that!

I had trouble getting the latest version of flashtool (09231) to work (mac and PC). It froze when I was trying to create the new bundle.
After downloading the older version (09186) it worked without problems.

However, currently I am stuck at step 6, running cmd 'rootkernel kernel.elf boot.img':
I get the message:
Code:
Rootkernel V5.11

- Unpacking kernel
error: Android boot magic not found

Unknown boot image format
Aborting

UPDATE:
I found the reason for the img file creation failure.
I was not patient enough in copying the kernel.elf file over. While the flashtool says file with size X created it was still compiling and only a minute later or so finished writing the file. In other words, I copied over the 'unfinished' kernel.elf and that's what caused the issue.

Trying to boot now :)

Thanks again for this nice guide!
Cheers,
Malcolm
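
An added example, not part of the original thread and not code from the TA Backup or rootkernel tools: a pre-flight check for the two files discussed above, the TA backup from Step 1 (exact size, not a blank dump, plus a SHA-256 for comparing stored copies) and a kernel.elf that was copied before it was fully written. It assumes kernel.elf is a standard ELF container; the function names and the sample data are constructed for illustration.

```python
import hashlib
import struct

TA_IMAGE_SIZE = 2_097_152          # size Step 1 says a good TA backup must have
ELF_MAGIC = b"\x7fELF"
ANDROID_BOOT_MAGIC = b"ANDROID!"   # standard Android boot image magic


def check_ta_backup(data):
    """Step 1 size check, a blank-dump check, and a digest for comparing copies."""
    return {
        "size_ok": len(data) == TA_IMAGE_SIZE,
        "blank": len(set(data)) <= 1,   # one repeated byte means nothing useful was read
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify_format(data):
    """Classify an image by its leading magic bytes only."""
    if data[:4] == ELF_MAGIC:
        return "elf"
    if data[:8] == ANDROID_BOOT_MAGIC:
        return "android-boot"
    return "unknown"


def elf_truncation(data):
    """Return a list of problems; an empty list means every segment is fully present."""
    if len(data) < 6 or data[:4] != ELF_MAGIC:
        return ["not an ELF file"]
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return ["unsupported ELF class or byte order"]
    e = "<" if ei_data == 1 else ">"
    if ei_class == 1:   # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        ehdr_len, off_fmt, off_at, cnt_at = 52, "I", 28, 42
        ph_fmt, ph_len = e + "IIIII", 20    # p_type p_offset p_vaddr p_paddr p_filesz
        pick = lambda f: (f[1], f[4])
    else:               # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        ehdr_len, off_fmt, off_at, cnt_at = 64, "Q", 32, 54
        ph_fmt, ph_len = e + "IIQQQQ", 40   # p_type p_flags p_offset p_vaddr p_paddr p_filesz
        pick = lambda f: (f[2], f[5])
    if len(data) < ehdr_len:
        return ["ELF header truncated"]
    (e_phoff,) = struct.unpack_from(e + off_fmt, data, off_at)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, cnt_at)
    if e_phnum == 0:
        return ["no program headers"]
    problems = []
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if base + ph_len > len(data):
            problems.append(f"program header {i} truncated")
            break
        p_offset, p_filesz = pick(struct.unpack_from(ph_fmt, data, base))
        if p_offset + p_filesz > len(data):
            problems.append(
                f"segment {i} ends at byte {p_offset + p_filesz}, file has {len(data)}")
    return problems


def build_sample_elf(payloads):
    """Constructed ELF32 little-endian container with one segment per payload."""
    phoff = 52
    offset = phoff + 32 * len(payloads)
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, phoff, 0, 0,
                               52, 32, len(payloads), 0, 0, 0)
    phdrs = b""
    for p in payloads:
        phdrs += struct.pack("<IIIIIIII", 1, offset, 0, 0, len(p), len(p), 0, 0)
        offset += len(p)
    return ehdr + phdrs + b"".join(payloads)


if __name__ == "__main__":
    # Constructed inputs; for real files use open(path, "rb").read().
    good = build_sample_elf([b"K" * 4096, b"R" * 1024])
    for name, blob in (("complete", good), ("copied too early", good[:-100])):
        print(name, identify_format(blob), elf_truncation(blob) or "ok")
    print(check_ta_backup(bytes(range(256)) * 8192))
```

The magic bytes alone do not catch the partial copy: the truncated sample still identifies as ELF, and only the segment bounds check reports it.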
 

Faz196

good news

thanks for your help. very good tutorial, really made it easy to understand
successfully rooted my nougat z5c with this,
you the best thanks
 

Malcolm143

Hey Malcolm, did you manage to complete the process successfully?

Hi Brokich,

Unfortunately not (yet).
After finishing step 7 my device is stuck at the bootloader :(
I've tried now several times re-flashing (steps 5-7) but unfortunately no luck yet...Will try to repeat the whole procedure over the next days again.
 

notabene

I am getting problem with flashing kernel :

FAILED (remote: Command not allowed) my bootloader status was unknown at first, then I got unlock code at sony website, then it said my bootloader is unlocked, followed your tutorial and now I am not able to flash kernel.. :(
 

Major00101

Hello guys
On step 5 I get this error
5/031/2017 13:31:03 - INFO - Device connected in flash mode
05/031/2017 13:31:28 - INFO - Selected Bundle for Sony Xperia Z5 Compact(E5823). FW release : 1298-5497_32.2.A.5.11_R13C. Customization : Customized UK
05/031/2017 13:31:28 - INFO - Preparing files for flashing
05/033/2017 13:33:12 - INFO - Please connect your device into flashmode.
05/033/2017 13:33:13 - INFO - Opening device for R/W
05/033/2017 13:33:14 - INFO - Start Flashing
05/033/2017 13:33:14 - INFO - Processing loader.sin
05/033/2017 13:33:14 - INFO - Checking header
05/033/2017 13:33:14 - ERROR - Processing of loader.sin finished with errors.
05/033/2017 13:33:14 - INFO - Ending flash session
05/033/2017 13:33:14 - ERROR - null
05/033/2017 13:33:14 - ERROR - Error flashing. Aborted
05/033/2017 13:33:14 - INFO - Device connected in flash mode

Any idea why ?
 

zegovernator

I am getting problem with flashing kernel :

FAILED (remote: Command not allowed) my bootloader status was unknown at first, then I got unlock code at sony website, then it said my bootloader is unlocked, followed your tutorial and now I am not able to flash kernel.. :(

Did you backup your TA-partition before the bootloader status was unknown?
 

zegovernator


Okay. It sounds like you wiped your TA partition. On which firmware did you backup your TA? Lollipop using Iovy.root or Marshmallow using this guide? I experienced the same problem once. I recovered my TA partition via Iovy.root. (because back then the only possibility was to downgrade to LP and then backup/restore TA).

Check if the service menu states:

[Bootloader unlock allowed:no] and [Remote Lock State: Locked]

If so, restore TA.
 

notabene

Okay. It sounds like you wiped your TA partition. On which firmware did you backup your TA? Lollipop using Iovy.root or Marshmallow using this guide? I experienced the same problem once. I recovered my TA partition via Iovy.root. (because back then the only possibility was to downgrade to LP and then backup/restore TA).

Check if the service menu states:

[Bootloader unlock allowed:no] and [Remote Lock State: Locked]

If so, restore TA.

This guide, latest firmware 32.2.A.5.11.
Currently my phone is stuck after boot at the TM logo.
Trying to repair via PC Companion

Phone booted. Will check if bootloader is really unlocked.

Bootloader unlock allowed : yes
Remote Lock state : UnLockd
Checked DRM all OK
 

zegovernator

This guide, latest firmware 32.2.A.5.11.
Currently my phone is stuck after boot at the TM logo.
Trying to repair via PC Companion

Phone booted. Will check if bootloader is really unlocked.

Flash a .tft from the MM version you backed up your TA image from. When flashing, ensure to tick everything under wipe except TA Misc.
 

Malcolm143

Yeah, same here.
Tried now multiple times but it always gets stuck at the xperia screen with orange/yellow LED :(

One thing that I noticed was "ERROR - root : this bundle is not valid" when I start to create the bundle. Straight after locating the custom firmware that I downloaded with Xperifirm the message comes up in the log. Thought that this is not an issue though, or is it?

Cheers,
Malcolm
 

notabene

Need to use phone tomorrow, how can I revert to stock for a while since I cannot do it through Xperia companion?

---------- Post added at 03:37 PM ---------- Previous post was at 03:26 PM ----------

Yeah, same here.
Tried now multiple times but it always gets stuck at the xperia screen with orange/yellow LED :(

One thing that I noticed was "ERROR - root : this bundle is not valid" when I start to create the bundle. Straight after locating the custom firmware that I downloaded with Xperifirm the message comes up in the log. Thought that this is not an issue though, or is it?

Cheers,
Malcolm

Did you use customized firmware? I did not, I used Tmobile CZ

Now with bootloader unlocked even PC Companion doesn't work..

So the problem is after flashing custom kernel with rootkernel+DRM fix.

So after hours of trying from step 5 with different settings for kernel, I ended up with stock rom flashed via flashtool..

tried to flash back DRM keys from Dirty cow TA Backup, using this command flash_dk TA_E5823.img DK.ftf but when rebooted in service menu drm keys are still gone.. :(

EDIT:

Seems like there are more users with same issue with Z5C and latest rootkernel

https://forum.xda-developers.com/xp...matic-repack-stock-kernel-dm-t3301605/page200
 

mhaha

Hmm, I never ran into the stuck at boot problem, and I just successfully flashed a new phone on the same day I posted the guide. That said, I was using v5.0 of the rootkernel tool, not the latest v5.11. The rootkernel developer mentioned that there's battery drain problems with v5.11, so I decided to use the older v5.0 that helped me root two Z5C's several times in the past. Try patching the kernel again using v5.0 and see if that fixes it.

Note that v5.0 only supports up to firmware version 32.A.0.253 out of the box, you will need to make the following modification to support up to 32.2.A.5.11:
  • Download and unzip rootkernel v5.11 and v5.0.
  • Open folder \rootkernel_v5.11_Windows_Linux\Android\twrp_common_kmodules
  • Copy and overwrite all 7 sub-folders (folder names look like 3.10.49-perf-g83fc9bc etc.) to \rootkernel_v5.0_Windows_Linux\Android\twrp_common_kmodules
Then patch the kernel using v5.0 tool.
 

notabene

Hmm, I never ran into the stuck at boot problem, and I just successfully flashed a new phone on the same day I posted the guide. That said, I was using v5.0 of the rootkernel tool, not the latest v5.11. The rootkernel developer mentioned that there's battery drain problems with v5.11, so I decided to use the older v5.0 that helped me root two Z5C's several times in the past. Try patching the kernel again using v5.0 and see if that fixes it.

Note that v5.0 only supports up to firmware version 32.A.0.253 out of the box, you will need to make the following modification to support up to 32.2.A.5.11:
  • Download and unzip rootkernel v5.11 and v5.0.
  • Open folder \rootkernel_v5.11_Windows_Linux\Android\twrp_common_kmodules
  • Copy and overwrite all 7 sub-folders (folder names look like 3.10.49-perf-g83fc9bc etc.) to \rootkernel_v5.0_Windows_Linux\Android\twrp_common_kmodules
Then patch the kernel using v5.0 tool.

Thanks, will try in the evening.
 

Rufo3

Just to know, if I'm upgrading from previous firmware version, do I have to do all steps or I can start from step 4 (flashing ftf file)?
 

Top Liked Posts

    My phone is overheating.
    I flashed the E5823_Customized NOBA_1298-7782_32.3.A.0.378_R3D and repacked the boot.img using rootkernel v5.23.
    I have tried with and without flashing super su, and with and without kcal.
    It does not make any difference: hot phone and battery drain.

    Anyone got the same experience?
    Edit: I did not restore the TA partition as described in the tutorial, but I don't think that will make any difference.

    I'm only testing for one day, so this is not gonna be complete.

    My experience.
    1st attempt to install Nougat, I did a clean install (the same as you), restored data partition I had, rebooted and flashed gapps. After that I debloated (uninstalled) some apps and I heavily restricted MyAndroidTools.

    It was a mistake.
    A. Dirty flash (or restoring data partition from MM) caused the same heating and battery problems.
    B. A lot of apps wouldn't work properly (crashes), probably a combination of dirty flash and too much debloating.
    C. Some apps wouldn't work, like WhatsApp couldn't connect to the servers anymore. Maybe because of the dirty install, maybe because I blocked some stuff from Google Play Services in MyAndroidTools.
    (I didn't take much time to investigate what was going wrong. I just moved on.)

    2nd attempt
    • Complete new clean install, also with 32.3.A.0.378 and patched/rooted stock kernel.
    • Flashed Gapps (before first boot) with aroma installer. I immediately removed what that aroma offered me to remove.
    • Google Play Store automatically reinstalled my apps. I didn't install MyAndroidTools anymore.

    Optimizations:
    ** Settings **
    • Location mode is still on high security (don't know why, probably I forgot about it)
    • Location > (3dots) Scanning > WiFi-scanning off / Bluetooth scanning off
    • WiFi > (3dots) Modify network > Static IP and DNS (not DHCP)
    • About phone > Status > Charging optimization OFF
    • Data Usage > Data saver ON > added a few exceptions to my list
    • Battery > (3dots) Battery Optimization > I added messengers/chat, Greenify, Alarm Clock (Xtreme), Tasker, Transparent Weather Widget

    ** Some debloating **
    • I uninstalled a few apps like OfficeSuite, AVG Antivirus, Playstation and crap that could be easily uninstalled.
    • In Titanium I froze a whole bunch of apps. For reference, this is a zip with 9 screenshots of apps I froze. It's work in progress, that list might become bigger or smaller. It's stuff I don't use, I knew(/hoped) it could be frozen safely or I replaced it with a 3rd party app.

    ** Extras **
    • 1 tasker profile to switch off auto-sync at night
    • Kernel Adiutor to change
      CPU governor: BIG to powersave // LITTLE to interactive
      GPU governor: powersave (Probably not the best option)
      I/O scheduler: noop
    • Doze Settings Editor with the built-in "GeraldRudi"-profile.
    • Greenify with Shallow Hibernation ENabled and Aggressive Doze DISabled (I might try if it's better to put it on, somewhere in the future when I feel like)

    ** Result **
    • No performance issues (yet). No crashes at all.
    • No issues with sound or volume whatsoever.
    • Probably the thing where I powersaved GPU is too much. It causes stuttering video and makes it a ***** to play games on the phone.
    • Phone doesn't get hot anymore.
    • Excellent battery life. During my first test I already tested behavior while idle/screen off. During 10 hours, battery drain was 0,0% per hour. (This is my Better Battery Stats log)
    • For reference, I did an Antutu benchmark, but I don't know (yet) what I can learn from these numbers.
      Optimized for battery life: 32853 is a BAD benchmark. (3D: 16625/ UX: 7862/ CPU: 6354/ RAM 2012).
      I did one benchmark with the standard CPU and GPU governor: 75444 (3D: 38623 / UX: 17323/ CPU: 13454 / RAM: 6044)

    ** Conclusion **
    A. There's nothing wrong with 32.3.A.0.378, but I definitely recommend a FULL wipe before you install it. In fact it doesn't matter too much which Android you flash, or which kernel. The impact of that version is negligible. In other words: if you experience problems with functionality, battery drain or overheating, a dirty flash with another (or a newer) android version is NOT gonna help you.
    B. Android 7.0 + Z5C can give you an excellent battery life without overheating.
    C. Finding the best balance between powersaving and performance needs more testing. This can be different for every other user.
    4
    Restore DRM (unroot + relock bootloader)

    OP here, I've recently upgraded to the XZ1 Compact, so I'm no longer in possession of a Z5 Compact, therefore generally will not be able to provide any further updates or assistance to this thread.

    A principle of mine is to only write about what I have personally experimented (and had success) with.
    This is largely the reason why I did not include any information about unrooting or restoring the DRM to factory state, I simply had not done it myself.
    Of course, it was also somewhat "off-topic" since we're focusing on how to root the phone here, but then again, it's perfectly logical to expect instructions on how to "undo" things.

    So, now that I have had the chance to actually restore my Z5 Compact to factory state with DRM keys properly restored as if the bootloader has never been unlocked, here's the step-by-step for doing the same.
    Here it is assumed that you've rooted your phone using my guide.

    Step 0 - As always, remember to backup all your data before trying anything.
    • Since you're already rooted, it's highly recommended to make a nandroid backup in TWRP in addition to regular backups.

    Step 1 - Prepare the necessary tools
    • Download Backup TA v9.11 by DevShaft
      Don't worry about the unmaintained status or the compatibility list, it's compatible, it works
    • Make a duplicate copy of your TA_E5823.img file from Step 1 in the root guide and rename it to TA.img - exact letters

    Step 2 - Prepare your phone
    • Enable USB Debugging
      Settings > About Phone > Tap Build Number multiple times to unlock Developer Options > Return to Settings > Developer Options > USB Debugging
    • Navigate to the folder where you unzipped the Backup-TA-9.11 tool
    • Run Backup-TA.bat
    • Read disclaimer (or don't), press ENTER
    • The prompt will say "Waiting for USB Debugging..."
    • Plug in the USB cable from your computer to the phone
    • A prompt will show on your phone titled "Allow USB Debugging?", check "Always allow from this computer" and tap OK
    • SuperSU (or whatever superuser manager you're using) will also prompt for permission for ADB Shell, grant it

    Step 3 - Convert your TA backup
    • In the Backup-TA tool command console, type 4 to select Convert TA.img
    • Check that the message is "CONVERT TA.IMG", type Y
    • Copy the file TA.img from Step 1 to the sub-folder "\convert-this" within the "\Backup-TA-9.11" folder
    • Type Y
    • Confirm success message on screen, then press ENTER and move on to the next step.

    Step 4 - Simulation run (optional but highly recommended)
    • Type 3 to select Restore dry-run
    • Type Y
    • Type 1, press ENTER
    • Type Y
    • Check the on screen log, if you see *** Restore successful *** type N then proceed to next step.

    Step 5 - Restore your DRM
    • Type 2 to select Restore
    • Type Y
    • Type 1, press ENTER
    • Type Y
    • Check the on screen log, you should see *** Restore successful *** indicating success. Type Y to restart your phone.

    That's it!

    PS. You might need to flash a pure stock firmware afterwards. My phone got into a soft brick after the last step, but since I was going to reflash a clean image anyway, the reflash fixed the soft brick for me.

    If you run into any problems, please check the Backup TA tool thread, chances are your questions have already been answered. If not, post a reply there.
    For example, it seems there's a slight problem with the tool under Windows 10, but easily fixed, just search the thread. I'm using Windows 7, no issues for me.

    Please refrain from asking unroot/restore/relock etc. questions in this thread. Thanks!
    3
    Hmm, I never ran into the stuck at boot problem, and I just successfully flashed a new phone on the same day I posted the guide. That said, I was using v5.0 of the rootkernel tool, not the latest v5.11. The rootkernel developer mentioned that there's battery drain problems with v5.11, so I decided to use the older v5.0 that helped me root two Z5C's several times in the past. Try patching the kernel again using v5.0 and see if that fixes it.

    Note that v5.0 only supports up to firmware version 32.A.0.253 out of the box, you will need to make the following modification to support up to 32.2.A.5.11:
    • Download and unzip rootkernel v5.11 and v5.0.
    • Open folder \rootkernel_v5.11_Windows_Linux\Android\twrp_common_kmodules
    • Copy and overwrite all 7 sub-folders (folder names look like 3.10.49-perf-g83fc9bc etc.) to \rootkernel_v5.0_Windows_Linux\Android\twrp_common_kmodules
    Then patch the kernel using v5.0 tool.
    3
    Additional information for Nougat 7.1, TWRP and Xposed

    Hello,

    I followed the guide given in the first page of this topic. But in order to root an Xperia Z5 Compact with Nougat 7.1.1 and install the latest TWRP and Xposed modules, I had to change a few things.
    My Sony Z5 Compact 5803 was initially running Nougat 7.1.1 and I used a Dell laptop E7270 with Windows 10 for all the tasks involving a computer.

    First comment:
    For all the flashboot operations with flashtool, it may not work with USB 3.0 ports on some computers.
    On my Dell laptop (E7270) it did not and as I do not have any USB 2 ports, I used a Dell docking station which has USB 2 ports, and it did the trick.

    Step 0 - Backup your phone (optional)
    Nothing to add.

    Step 1 - Backup the TA partition
    Nothing to add.

    Step 2 - Unlock the boot loader
    Some additional info about the instructions from Sony website.
    To be able to unlock your Xperia Z5 Compact, prepare it by following these steps:
    • Go into Settings > About phone and tap seven times on Build number to enable developer options.
    • From Settings, go into Developer options and enable OEM unlocking and USB debugging.
    • After they send you the unlock code by Email, you have to install Android SDK and its drivers:
    • The SDK Manager is included in Android Studio, but you don’t need to install more than the basic Android command line tools. These can be found at the bottom of this page.
    • When completing the installation, open the Android SDK Manager and, in the Packages window, scroll down, and in the Extras folder tick the box in front of Google USB driver and install it.
    • Download and install an updated Fastboot driver.
    • This is the standard android_winusb.inf file, with a few lines of code added to enable Fastboot to support Sony devices.
    • Replace the original android_winusb.inf file with the downloaded file in C:\ > Program Files (x86) > Android > sdk > extras > google > usb_driver folder on your computer.
    • Turn off your Xperia Z5 Compact.
    • Connect a USB-cable to your computer.
    • On your Xperia™ Z5 Compact, press the Volume up button at the same time as you connect the other end of the USB-cable.

    • Original instruction (which did not work for me, maybe because I have Windows 10): When asked for a driver (on your computer) to recognize the phone, open the Devices and Printers directory, click on the fastboot driver and press Update. Browse and point towards the location of the new android_winusb.inf file.

    • What worked for me: When asked for a driver (on your computer) to recognize the phone, go to Device Manager (I usually just type device manager in the search bar, I don't know where Windows has hidden it), and under "Other devices", you may see your device with a yellow triangle "problem" icon.
    • To install the driver, right click on your device, select "update driver", "browse my computer for driver software", "let me pick from a list of available drivers on my computer", then select "show all devices" at the top of the list, click next, then "have disk".
    • Finally you can go select the path to the Google USB driver, usually there (C:\Program Files (x86)\Android\android-sdk\extras\google\usb_driver) and install the driver!
    • This guide was found here.
    • After that you can continue to follow the steps from Sony website.

    Step 3 - Download stock firmware
    If the firmware list is empty and the software cannot find any firmware for any models, it probably means that you do not have the latest version of XperiFirm.
    Download it from here.

    Step 4 - Create a FTF file from the firmware
    • If the device name doesn't appear in Flashtool, it means that you have to double click in the Device field to select the name of your device.
    • Nothing else to add.

    Step 5 - Flash the FTF file
    Nothing to add.

    Step 6 - Patch the kernel
    The procedure is a bit different in order to work with Nougat 7.1.1, TWRP and Xposed (for Nougat 7.1.1).
    At first, let's follow the original method (I only tried with phh superuser):

    • Download rootkernel tool, unzip to desired location.
    • Extract the kernel image file kernel.sin from the FTF file (you created in step 4) using any file compression program such as 7zip, WinZip, WinRAR, etc.
    • Open Flashtool > Tools > Sin Editor > Sin file > Locate the kernel you just extracted > Click Extract data. You should now have a file named kernel.elf in the same folder
    • Copy kernel.elf to the rootkernel folder.
    • Download the latest stable version of the phh's superuser.
    • Open command prompt and navigate to the rootkernel directory
    • Enter the following command: <rootkernel kernel.elf boot.img>
    • You will be prompted to make a series of choices, including whether you want to install phh superuser and Xposed. Type Y for all of them.
    • If you didn't see the prompt for phh (required) or Xposed (optional), check the filename of the ZIP files. Remember they're case sensitive.
    • You should now have a boot.img file in the rootkernel folder, that is your rooted kernel.

    However, for Nougat 7.1.1, this method might return you: "Skiping TWRP recovery. No kernel modules for 3.10.84-perf-xxxxxxx available" when you create the boot.img file.
    And you will probably not have any proposition of installing Xposed. The boot.img file will work, but you won't have TWRP nor Xposed.

    Including TWRP:
    • To include TWRP in the boot.img file the solution is to follow this guide.
    • Extract the file system.sin from the FTF file (you created in step 4) using any file compression program such as 7zip, WinZip, WinRAR, etc.
    • Open Flashtool > Tools > Sin Editor > Sin file > Locate the system.sin file you just extracted > Click Extract data. You should now have a file named system.ext4 in the same folder (5.2GB or bigger)
    • Use Ext2Read to open the system.ext4 file.
    • Find the folder: "/lib/modules", and save it on your desktop
    • Create a folder named "3.10.84-perf-xxxxxxxx" into rootkernel_v5.23_Windows_Linux/Android/twrp_common_kmodules (replace xxxxxxxxx by the number given in the error warning by rootkernel)
    • Copy the following files from "/lib/modules" into this new folder:
      core_ctl.ko
      ecryptfs.ko
      kscl.ko
      mhl_sii8620_8061_drv.ko
      texfat.ko
    • Then if you re-run: rootkernel kernel.elf boot.img
    • You should now have a message telling you that TWRP was included successfully.

    Including Xposed:
    • At time of this edit (2018/1/27), Xposed does now support Android 7.0, 7.1.1 (Nougat) and 8.0, 8.1 (Oreo).
    • However, I didn't manage to include it into the rooted kernel. But I managed to install it afterwards.

    Step 7 - Flash the DRM keys (one-time procedure)
    Nothing to add except that in Flashtool, if the Device filter field is empty, you will probably have to double click to select Sony Xperia Z5 compact.

    Step 8 - Flash the kernel
    Nothing to add.

    Step 9 - Finish installation of Xposed framework with TWRP
    TWRP is a very useful module as it allows you to backup your system and also flash/install (not sure of the correct term) modules like Xposed framework.
    First, how to start TWRP?
    • You have to reboot your phone, then, press the VOL UP button repeatedly while it is starting. In many tutorials I read to press continuously the VOL UP or VOL DOWN button during startup. I am sure it works on other phones, but with the Sony Xperia Z5 Compact, only pressing VOL UP repeatedly was able to prompt the TWRP main menu (and it took me some time to figure out!).
    • You can then backup your system from there. And you can also flash the Xposed framework:

    Xposed:
    • Download the latest Xposed framework ZIP file from here.
    • Select the link to download the framework and choose the right version (I would recommend the latest stable one (non beta)) according to your processor (arm, arm64, x86).
    • If you don't know, you can easily check by installing droid hardware info from the Play store, as explained here.
    • You can also download the uninstaller, just in case. And you will also need to download Xposed installer .apk file (this file will be installed later).
    • Put these 3 files somewhere on the phone (in a folder you will find easily).
    • Also, go to Settings > Lock screen & Security > Unknown sources > Toggle ON
    • Also, install phh's superuser app (from Play Store for example), so you can grant root access to applications that need it (which is the main point of being root!).
    • Now, restart your phone and start TWRP. Then select Install and navigate to the Xposed framework zipfile you downloaded (not the apk), and flash it.
    • You can now restart and install the Xposed apk installer (maybe you can do it before installing the framework, I don't know if one order is better).
    • As you have enabled "unknown sources" it should be easy to install it just by clicking on it.

    Step 10 - Tadaaa
    If everything worked well, you now have your Sony Xperia Z5 compact rooted with phh superuser, coming with the latest TWRP and Xposed modules.
    If it didn't work well, maybe I forgot a step somewhere, I tried so many solutions to make it work, that remembering only the good steps and in the right order wasn't really easy.

    Battery drain and epilog:
    Finally, you must know that I did all of it because my Z5C had an abnormal battery drain and I have tried everything else before, to solve it, with no success.
    So, rooting it to use Amplify was the ultimate resort. And it... didn't work, still an empty battery in 18h with wifi and data off.
    But, just when I was ready to burn it in a fire of despair I finally found the truth!
    It was automatically trying to connect to one network, failing, trying again, failing, etc.
    (when being in a place with no network at all, instead of draining more power (as expected), it was draining a lot less, probably because it wasn't seeing the network it was desperately trying to connect to (TPO))
    Anyway, in Settings > More > Mobile networks > Service providers, I selected Manual search mode, selected the good network, and now my Z5C lasts 4 days (with wifi and data on) instead of 18h with wifi and data off!!!!!

    I know this information should belong to another post, but since it was the only reason why I did all of it, I think it is a good conclusion!
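
The "Including TWRP" steps from the post above, written as a script. This is an added example, not part of the original post or of the rootkernel tool. It also checks each module's vermagic string against the kernel release, because a module built for a different kernel will not load. The function names are hypothetical, and it assumes the version string rootkernel prints in its warning is the kernel release the modules were built for.

```shell
#!/bin/sh
# Added example: stage the kernel modules TWRP needs into rootkernel's
# twrp_common_kmodules folder, refusing modules built for another kernel.
# Usage: sh stage_modules.sh <extracted lib/modules dir> <rootkernel dir> <kernel release>

# The five modules listed in the post.
TWRP_MODULES="core_ctl.ko ecryptfs.ko kscl.ko mhl_sii8620_8061_drv.ko texfat.ko"

# module_vermagic FILE: print the kernel release a module was built for.
# Every .ko carries a "vermagic=<release> ..." string in its .modinfo section.
module_vermagic() {
    grep -a -o 'vermagic=[^ ]*' "$1" | head -n 1 | cut -d= -f2
}

# stage_twrp_modules SRC_DIR ROOTKERNEL_DIR KERNEL_RELEASE
# Returns 0 on success, 2 bad rootkernel dir, 3 missing module,
# 4 vermagic mismatch, 5 copy failure.
stage_twrp_modules() {
    src=$1
    rootkernel=$2
    release=$3
    dest="$rootkernel/Android/twrp_common_kmodules/$release"

    if [ ! -d "$rootkernel/Android/twrp_common_kmodules" ]; then
        echo "error: $rootkernel does not look like a rootkernel folder" >&2
        return 2
    fi

    # Validate everything first so a failure never leaves a half-filled folder.
    for m in $TWRP_MODULES; do
        if [ ! -f "$src/$m" ]; then
            echo "error: missing $src/$m" >&2
            return 3
        fi
        built_for=$(module_vermagic "$src/$m")
        if [ "$built_for" != "$release" ]; then
            echo "error: $m is built for '$built_for', kernel is '$release'" >&2
            return 4
        fi
    done

    mkdir -p "$dest" || return 5
    for m in $TWRP_MODULES; do
        cp "$src/$m" "$dest/$m" || return 5
    done
    echo "staged modules in $dest"
}

# Run only when called with the three arguments shown in the usage line.
if [ "$#" -eq 3 ]; then
    stage_twrp_modules "$@"
fi
```

A vermagic mismatch usually means system.sin and kernel.sin were taken from different firmware versions, so extract both from the same FTF file.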