[Guide] Safe bootloader unlock, restore DRM, custom recovery, root, bootloader relock

Search This thread

najoor

Senior Member
Mar 11, 2014
711
908
Los Angeles
** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **​
The following is tested on model SGP-771. For Wifi-only model the procedure is the same but you should use the files and kernels for the Wifi model. Do not flash the ftf and kernel files intended for the cellular model on a Wifi-only tablet.​
I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
Credits: @zxz0O0, @AndroPlus, @tobias.waldvogel

0- Prerequisites


You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your tablet when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.


1- How to unlock your bootloader without losing the DRM keys


Sony has designed this tablet such that if you unlock your bootloader you lose your TA partition PERMANENTLY which includes some of the Xperia features and licenses that have to do with image processing etc. forever. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each tablet and cannot be copied over from another tablet) unlocking the bootloader results in an irreversible loss of some of your tablet's features. Relocking the bootloader will not bring them back.
A hack exists that allows you to backup the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
1.1- Start by clean flashing any 28.0.A.8.260 firmware, For this tutorial I used SGP771_Customized HK_1296-4830_28.0.A.8.260_R10A. You can download it from https://mega.nz/#!YsUWwY5Y!0775_vLpjV9-UkoGjMWP6-Yu8L31LkJVHEyUwA7X9NA. For the wifi only model SGP712 use
https://mega.nz/#!wlIl0JDa!DR0lRL6dDn5Y-K_4768oJnLGWQyrxNV0xLHgKVVesFw (thanks to @kuroneko007)
1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable. (To access service menu on SGP712 (Wi-Fi only model) see: http://forum.xda-developers.com/showpost.php?p=66164176&postcount=5) Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
1.3- Turn on usb debugging mode on your tablet.
1.4- Download iovyroot zip v0.4 or higher from here.
1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
1.6- Connect the tablet which is now in USB debugging mode to your PC and answer yes when it asks to authorize the PC to access the tablet in USB debugging mode. You can check that the PC indeed sees the tablet by running this command
Code:
adb devices
1.7- Run the following command:
Code:
tabackup
1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-07102015.img (the name may be different for you) with a size of 2MB in your folder.
1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
1.10- Reboot the device.
1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
1.12- Reboot the device and it will briefly enter recovery and then start the tablet initial setup.
1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
Code:
fastboot boot boot.img
1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 SGP771_Customized DE_1295-6955_32.1.A.1.185_R4C (the latest firmware at the time of this writing.)


2- How to emulate DRM keys and/or root after unlocking the bootloader.


A hack exists that can emulate the DRM keys:
2.1- Obtain a kernel boot image. If you want to stick with the stock kernel you need to extract kernel.elf from the ftf that you flashed in step 1.15. If you want a custom kernel you can download one from https://kernel.andro.plus/kitakami.html Note that whatever kernel you are using in this step must match the firmware version currently installed on your system. For this example I downloaded Z4T_SGP771_AndroPlusKernel_v27.zip and extracted the boot.img file from the zip, which matches Marshmallow 32.1.A.1.185.
2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
2.3- Copy the kernel (e.g. boot.img) to this folder. If you want root, place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
Code:
rootkernel.cmd boot.img boot-patched.img
When prompted, answer as follows:
- Sony RIC is enabled. Disable? [Y/n] Y
- Install TWRP recovery? [Y/n] N
- Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
- Install DRM fix? [Y/n] Y (if you want DRM emulation)
This will create a new kernel image called boot-patched.img which you will now flash on your tablet.
2.5- Boot the tablet in the fastboot mode and flash your patched image using the following fastboot command:
Code:
fastboot flash boot boot-patched.img
2.6- (Optional) You can reboot the tablet and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is succesfull you will see this but if it hasn't been successful you will see this.


3- How to flash a custom or stock kernel


3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash it on your tablet you need to restart the tablet in fastboot mode.
3.2- To flash the kernel use this command:
Code:
fastboot flash boot [I]name_of_your_kernel[/I]
You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)


4- How to flash recovery


4.0- To install TWRP recovery you need to flash AndroPlus kernel first (see sections 2.1 and 3).
4.1- Download a TWRP image from the same webpage. For this tutorial I used TWRP-3.0.2-0-20160417.img.
4.2- Reboot into fastboot mode and run this command:
Code:
fastboot flash recovery TWRP-3.0.2-0-20160417.img
4.3- Reboot the tablet. To enter recovery touch the volume keys when the LED turns yellow during the boot splash screen.


5- How to relock bootloader and return it to original factory state


5.0- To relock the bootloader along with restoring the DRM keys the tablet must have unmodified stock firmware.
5.1- Repeat step 1.1
5.2- Repeat steps 1.3, 1.4, and 1.5
5.3- Copy the TA backup image that you had obtained in section 1 in the iovyroot folder and use the tarestore command to flash the TA partition back onto the tablet. The command will look similar to this:
Code:
tarestore TA-07102015.img
Make sure the command completes with no error. If it fails the first time try again. Reboot the tablet. Your bootloader is now locked and your DRM keys restored.
5.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
 

Attachments

  • NODRM.jpg
    NODRM.jpg
    142.8 KB · Views: 2,253
  • DRM.jpg
    DRM.jpg
    151.6 KB · Views: 2,295
Last edited:

najoor

Senior Member
Mar 11, 2014
711
908
Los Angeles
Thanks for this great guide.

My question is this. Since it would be easier to avoid all this, can this tool help us do it without having to downgrade?
http://www.xda-developers.com/chainfires-flashfire-can-now-create-fastboot-flashable-backups/

I mean would it also backup the DRM keys? Has anyone tried (preferably with a TA backup already in place so that he may not lose the keys in case that this won't work)...

No. This tool cannot help you and trust me there is no shortcut to avoid all of this.

Flashfire (the tool you mentioned) only works if you already have root access. There is no root available for this tablet without unlocking the bootloader, and unlocking the bootloader means you lose the TA partition immediately. So by the time you get this tool to work your TA partition will have been long erased.
 
  • Like
Reactions: DHGE

mrdarek

Member
Jul 21, 2009
26
2
Not understand step:
1.1- Start by clean flashing any 28.0.A.8.260 firmware
without this step temporary root not work...
But how flash firmware if device has still locked bootloader? What tool using for this step?
 

najoor

Senior Member
Mar 11, 2014
711
908
Los Angeles
Not understand step:
1.1- Start by clean flashing any 28.0.A.8.260 firmware
without this step temporary root not work...
But how flash firmware if device has still locked bootloader? What tool using for this step?

You can download a tool called flashtool from http://www.flashtool.net/index.php and flash an unmodified ftf firmware. Because the firmware is unmodified the bootloader doesn't have to be unlocked. Many tutorials are available on xda and elsewhere about using this tool, which you can find by doing a Google search. As I said in the prerequisite section, "You should be able to flash an ftf file using flashtool. "
 
Last edited:

mrdarek

Member
Jul 21, 2009
26
2
I learned how flash and succesfully do my first flash.
Currently I have problem with iovyroot
It always say

Error: Device not supported
rm: /data/local/tmp/tabackup/TA-*.img: No such file or directory

My current software is:
SGP771_28.0.A.8.251_R15A_UK Generic_1295-4697
and it earlier then december 2015 like need iovyroot

I can't find software *.260 like in guide, I don't know if this created that problem...

Maybe najoor version work because it was "customized" - it mean - with patched kernel. But if locked bootloader allow me flash customized firmware?
 
Last edited:

najoor

Senior Member
Mar 11, 2014
711
908
Los Angeles
I learned how flash and succesfully do my first flash.
Currently I have problem with iovyroot
It always say

Error: Device not supported
rm: /data/local/tmp/tabackup/TA-*.img: No such file or directory

My current software is:
SGP771_28.0.A.8.251_R15A_UK Generic_1295-4697
and it earlier then december 2015 like need iovyroot

I can't find software *.260 like in guide, I don't know if this created that problem...

Maybe najoor version work because it was "customized" - it mean - with patched kernel. But if locked bootloader allow me flash customized firmware?

As you said it, the problem was that you didn't flash the 260 version, not that it wasn't customized.

If you can't find the right version I upload it and post a link in the OP. It takes a little time so check this thread again in about 5 hours.
 

mrdarek

Member
Jul 21, 2009
26
2
I found "260" firmware and magically all start work :). I finished all job and have now root and recovery :).
It worth add tips about fastboot - you can check connection by command but also you can see - if LED on device is blue - connection in fastboot work (if not - try again)
My last question is about how check that DRM emulation work - under security after phone code is still errors. I 100% patched kernel and flash it properly.
Thanks for tutorial and support

Something just not work... Someone can check sizes ?:
boot.img - original kernel androplus 2.5: 17 756 160
andropatched.img - patched with my drm keys: 17 760 256
keys: 2 097 152
 
Last edited:

najoor

Senior Member
Mar 11, 2014
711
908
Los Angeles
I found "260" firmware and magically all start work :). I finished all job and have now root and recovery :).
It worth add tips about fastboot - you can check connection by command but also you can see - if LED on device is blue - connection in fastboot work (if not - try again)
My last question is about how check that DRM emulation work - under security after phone code is still errors. I 100% patched kernel and flash it properly.
Thanks for tutorial and support

Something just not work... Someone can check sizes ?:
boot.img - original kernel androplus 2.5: 17 756 160
andropatched.img - patched with my drm keys: 17 760 256
keys: 2 097 152

The sizes sound about right. What errors are you getting?

You can try to relock the bootloader using the instructions and see if your TA backup works. If that works then we can see why the kernel is patched correctly.
 

mrdarek

Member
Jul 21, 2009
26
2
Hi - I succesfully restored bootloader (=locked it, and no errors in service) - so I'm sure - my keys are OK. It was very hard - 3x flash, 3 x try use restore (still was errors), and at last success!!!
Now all procedure again, almost from start - but I also more try if need - I send info tomorrow :)
---------------------------------------
Hmmm not work... Tested original marsmallow germany kernel and androkernel 2.4. Image test described in step 2.6 fail
Under security is: Blobs : generic error!
HUK: generic error!

Flashed kernels names are properly recognized under settings. root work. I not have idea where is bug. It must be during creating andropatched image - but no errors here:
C:\rootkit>drmonly boot.img andropatched.img TA-07102015.img
- Unpacking kernel
Found android boot image
Kernel version: 3.10.84
- Detected vendor: somc (Sony), device: karin, variant: row
- Unpacking initramfs
- Detected platform: 64-bit
- Detected Android version: 6.0
- Skipping drmfix. Unsuppported/untested for model karin
- Creating new initramfs
- Creating boot image
- Cleaning up
Done

C:\rootkit>


--------------------Maybe that line is wrong!!!!!!!!
Skipping drmfix. Unsuppported/untested for model karin

but how fix it?
 
Last edited:

najoor

Senior Member
Mar 11, 2014
711
908
Los Angeles
Hi - I succesfully restored bootloader (=locked it, and no errors in service) - so I'm sure - my keys are OK. It was very hard - 3x flash, 3 x try use restore (still was errors), and at last success!!!
Now all procedure again, almost from start - but I also more try if need - I send info tomorrow :)
---------------------------------------
Hmmm not work... Tested original marsmallow germany kernel and androkernel 2.4. Image test described in step 2.6 fail
Under security is: Blobs : generic error!
HUK: generic error!

Flashed kernels names are properly recognized under settings. root work. I not have idea where is bug. It must be during creating andropatched image - but no errors here:
C:\rootkit>drmonly boot.img andropatched.img TA-07102015.img
- Unpacking kernel
Found android boot image
Kernel version: 3.10.84
- Detected vendor: somc (Sony), device: karin, variant: row
- Unpacking initramfs
- Detected platform: 64-bit
- Detected Android version: 6.0
- Skipping drmfix. Unsuppported/untested for model karin
- Creating new initramfs
- Creating boot image
- Cleaning up
Done

C:\rootkit>


--------------------Maybe that line is wrong!!!!!!!!
Skipping drmfix. Unsuppported/untested for model karin

but how fix it?

You need to follow the instructions to the letter:

1- flash the esaxt same firmware that you made the TA backup with.

2- Restore TA backup.

I guarantee you it will work or l will help you debug it.
 

mrdarek

Member
Jul 21, 2009
26
2
Not very understand. It was done. TA backup was done with "260" firmware. I'm able lock that firmware again, so it work. but it only lollipop, can't go into marshmallow from it.

Goal is: marshmallow with root twrp and drm. How achieve it?

I see - I have new device version (karin) so (hopefully) temporary this solution not work for me. I can have only marshmallow with root and twrp (no DRM) or marshmallow with DRM (no root and twrp). I must wait as developers support my device, and keep my keys in safe place to that time.
 
Last edited:
  • Like
Reactions: najoor

najoor

Senior Member
Mar 11, 2014
711
908
Los Angeles
Goal is: marshmallow with root twrp and drm. How achieve it?

Tested original marsmallow germany kernel and androkernel 2.4. Image test described in step 2.6 fail
...
Flashed kernels names are properly recognized under settings. root work. I not have idea where is bug. It must be during creating andropatched image - but no errors here:
...
C:\rootkit>drmonly boot.img andropatched.img TA-07102015.img
...
- Skipping drmfix. Unsuppported/untested for model karin
...

OK, I see what is going on.

When I use drmonly script version 4.24 I get the following:
Code:
C:\Users\najoor\Desktop\rootkernel_v4.24_Windows_Linux>drmonly.cmd boot.img test.img TA-07102015.img
- Unpacking kernel
  Found android boot image
- Unpacking initramfs
- 64-bit platfrom detected
- Configuring secd
- Configuring wvkbd
- Configuring drmserver
- Creating new initramfs
- Creating boot image
- Cleaning up
Done

But if I use version 4.31:
Code:
C:\Users\shervin\Desktop\working\Download\rootkernel_v4.31_Windows_Linux>drmonly
.cmd boot.img x.img TA-07102015.img
- Unpacking kernel
  Found android boot image
  Kernel version: 3.10.84
- Detected vendor: somc (Sony), device: karin, variant: row
- Unpacking initramfs
- Detected platform: 64-bit
- Detected Android version: 6.0
- Skipping drmfix. Unsuppported/untested for model karin
- Creating new initramfs
- Creating boot image
- Cleaning up
Done

I have no idea why @tobias.waldvogel decided to remove the support for Tablet Z4 in the latest version of the drmonly script, but I can see that the DRM works fine with the old version.

I do not have persmission from @tobias.waldvogel to post the older version of his script here so you have to ask him to either add support in the new version or give you the older version.
 
Last edited:

mrdarek

Member
Jul 21, 2009
26
2
Thanks - so now I see where is problem. I try contact with author.

Heh - I send PM him but it was my fault :( [added: it not totally fault - Tobias work on new version and soon we should have new working utility for all :) ]
I'm enough clever to modify script in 5 minutes (it txt :p ), and enough stupid to flash it immediately. Now I have....
rooted marshmallow with DRM KEY and TWRP - job finished :)

To finish job I disabled in settings auto-update, because now it start possible :p
 
Last edited:
  • Like
Reactions: najoor

Hybel1507

Member
May 27, 2016
12
2
Hamburg
FAILED <remote dtb not found>

Unlocked the bootloader and successfully retrieved TA partion with SGP771_28.0.A.8.260 , installed stock 32.1.A.1.185, tablet runs fine without problems.
Retrieving the boot.img from Z4T_SGP771_AndroPlusKernel_v27 for my SGP771 device and running

Code:
fastboot boot boot.img
gives

downloading 'boot.img' ...
OKAY [ 0.347s]
booting ....
FAILED <remote: dtb not found>

This happens even with the 32.1.A.1.185 stock boot.img. Tried on Kubuntu 16.04 and WIN7. Same result. When I flash
the AndroPlusKernel_v27 boot.img,

Code:
fastboot flash boot boot.img

finishes without errors and tablet does not boot any more but -thanks God- fastboot mode still functioning.

I am lost. Can not root my tablet :( . Any clues?

---------- Post added at 04:14 PM ---------- Previous post was at 03:41 PM ----------

Sorry, correction:
first retrieved TA partion, then unlocked bootloader.
 

najoor

Senior Member
Mar 11, 2014
711
908
Los Angeles
Unlocked the bootloader and successfully retrieved TA partion with SGP771_28.0.A.8.260 , installed stock 32.1.A.1.185, tablet runs fine without problems.
Retrieving the boot.img from Z4T_SGP771_AndroPlusKernel_v27 for my SGP771 device and running

Code:
fastboot boot boot.img
gives



This happens even with the 32.1.A.1.185 stock boot.img. Tried on Kubuntu 16.04 and WIN7. Same result. When I flash
the AndroPlusKernel_v27 boot.img,

Code:
fastboot flash boot boot.img

finishes without errors and tablet does not boot any more but -thanks God- fastboot mode still functioning.

I am lost. Can not root my tablet :( . Any clues?

---------- Post added at 04:14 PM ---------- Previous post was at 03:41 PM ----------

Sorry, correction:
first retrieved TA partion, then unlocked bootloader.

Please follow the following steps exactly and let me know in what step things fail. If you do not provide detailed information I will not be able to help you.

1- Clean flash a 185 ftf and make sure system boots fine.
2- extract the kernel.elf from the ftf and I use fastboot to see if you can boot using fastboot with this kernel.
3- extract boot.img from AndroPlusKernel_v27 and see if you can use fastboot to boot with this image.
4- use the procedure in the OP to patch AndroPlus kernel and see if you can use fastboot to boot with this image.
5- flash this image using fastboot to see if the system boots fine.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 17
    ** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **​
    The following is tested on model SGP-771. For Wifi-only model the procedure is the same but you should use the files and kernels for the Wifi model. Do not flash the ftf and kernel files intended for the cellular model on a Wifi-only tablet.​
    I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
    Credits: @zxz0O0, @AndroPlus, @tobias.waldvogel

    0- Prerequisites


    You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your tablet when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.


    1- How to unlock your bootloader without losing the DRM keys


    Sony has designed this tablet such that if you unlock your bootloader you lose your TA partition PERMANENTLY which includes some of the Xperia features and licenses that have to do with image processing etc. forever. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each tablet and cannot be copied over from another tablet) unlocking the bootloader results in an irreversible loss of some of your tablet's features. Relocking the bootloader will not bring them back.
    A hack exists that allows you to backup the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
    1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
    1.1- Start by clean flashing any 28.0.A.8.260 firmware, For this tutorial I used SGP771_Customized HK_1296-4830_28.0.A.8.260_R10A. You can download it from https://mega.nz/#!YsUWwY5Y!0775_vLpjV9-UkoGjMWP6-Yu8L31LkJVHEyUwA7X9NA. For the wifi only model SGP712 use
    https://mega.nz/#!wlIl0JDa!DR0lRL6dDn5Y-K_4768oJnLGWQyrxNV0xLHgKVVesFw (thanks to @kuroneko007)
    1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable. (To access service menu on SGP712 (Wi-Fi only model) see: http://forum.xda-developers.com/showpost.php?p=66164176&postcount=5) Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
    1.3- Turn on usb debugging mode on your tablet.
    1.4- Download iovyroot zip v0.4 or higher from here.
    1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
    1.6- Connect the tablet which is now in USB debugging mode to your PC and answer yes when it asks to authorize the PC to access the tablet in USB debugging mode. You can check that the PC indeed sees the tablet by running this command
    Code:
    adb devices
    1.7- Run the following command:
    Code:
    tabackup
    1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-07102015.img (the name may be different for you) with a size of 2MB in your folder.
    1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
    1.10- Reboot the device.
    1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
    1.12- Reboot the device and it will briefly enter recovery and then start the tablet initial setup.
    1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
    Code:
    fastboot boot boot.img
    1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
    1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 SGP771_Customized DE_1295-6955_32.1.A.1.185_R4C (the latest firmware at the time of this writing.)


    2- How to emulate DRM keys and/or root after unlocking the bootloader.


    A hack exists that can emulate the DRM keys:
    2.1- Obtain a kernel boot image. If you want to stick with the stock kernel you need to extract kernel.elf from the ftf that you flashed in step 1.15. If you want a custom kernel you can download one from https://kernel.andro.plus/kitakami.html Note that whatever kernel you are using in this step must match the firmware version currently installed on your system. For this example I downloaded Z4T_SGP771_AndroPlusKernel_v27.zip and extracted the boot.img file from the zip, which matches Marshmallow 32.1.A.1.185.
    2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
    2.3- Copy the kernel (e.g. boot.img) to this folder. If you want root, place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
    2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
    Code:
    rootkernel.cmd boot.img boot-patched.img
    When prompted, answer as follows:
    - Sony RIC is enabled. Disable? [Y/n] Y
    - Install TWRP recovery? [Y/n] N
    - Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
    - Install DRM fix? [Y/n] Y (if you want DRM emulation)
    This will create a new kernel image called boot-patched.img which you will now flash on your tablet.
    2.5- Boot the tablet in the fastboot mode and flash your patched image using the following fastboot command:
    Code:
    fastboot flash boot boot-patched.img
    2.6- (Optional) You can reboot the tablet and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is succesfull you will see this but if it hasn't been successful you will see this.


    3- How to flash a custom or stock kernel


    3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash it on your tablet you need to restart the tablet in fastboot mode.
    3.2- To flash the kernel use this command:
    Code:
    fastboot flash boot [I]name_of_your_kernel[/I]
    You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)


    4- How to flash recovery


    4.0- To install TWRP recovery you need to flash AndroPlus kernel first (see sections 2.1 and 3).
    4.1- Download a TWRP image from the same webpage. For this tutorial I used TWRP-3.0.2-0-20160417.img.
    4.2- Reboot into fastboot mode and run this command:
    Code:
    fastboot flash recovery TWRP-3.0.2-0-20160417.img
    4.3- Reboot the tablet. To enter recovery touch the volume keys when the LED turns yellow during the boot splash screen.


    5- How to relock bootloader and return it to original factory state


    5.0- To relock the bootloader along with restoring the DRM keys the tablet must have unmodified stock firmware.
    5.1- Repeat step 1.1
    5.2- Repeat steps 1.3, 1.4, and 1.5
    5.3- Copy the TA backup image that you had obtained in section 1 in the iovyroot folder and use the tarestore command to flash the TA partition back onto the tablet. The command will look similar to this:
    Code:
    tarestore TA-07102015.img
    Make sure the command completes with no error. If it fails the first time try again. Reboot the tablet. Your bootloader is now locked and your DRM keys restored.
    5.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
    3
    Great guide, although us SGP712 Wifi owners are left to do a lot of extra work to fill in the missing steps.
    Perhaps you could add the following info to the first post?

    28.0.A.8.260 for SGP712 (Wi-Fi only model):
    https://mega.nz/#!wlIl0JDa!DR0lRL6dDn5Y-K_4768oJnLGWQyrxNV0xLHgKVVesFw

    How to access service menu on SGP712 (Wi-Fi only model) - needed as we have no dialer app:
    http://forum.xda-developers.com/showpost.php?p=66164176&postcount=5

    Thanks, & much appreciation for the hard work to put together the guide.
    2
    Hi everyone,

    I have a Xperia Z4 Tablet Wifi (SGP712) and I followed the tuto to root it. Everything went fine but when I flashed a custom Kernel (2.4 - 2.5 section of the tutorial), my screen stopped responding. It is as if the Kernel was broken or something, so is the link between the hardware and the software.

    To sum up,

    - I created and backup my TA partition --> OK
    - I unlocked the bootloader --> OK
    - I flashed the last tft file : 32.2.A.0.253 / R4C --> OK
    - On this site (https://kernel.andro.plus/kitakami.html) I downloaded the last version of the kernel (v31) : Z4T_SGP712_AndroPlusKernel_v31.zip, which is the one matching my tft version
    - I downloaded the rootkernel from this site (http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605) and copied the boot.img file as it was specified in the tuto. I also placed in the folder a SuperSU zip to root the tablet.
    - I entered the command :
    HTML:
    rootkernel.cmd boot.img boot-patched.img
    and answered the questions like this :
    - Sony RIC is enabled. Disable? [Y/n] Y
    - Install TWRP recovery? [Y/n] TWRP automatically didn't install because of the kernel but I don't remember the error message
    - Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y
    - Install DRM fix? [Y/n] Y​
    It created the boot-patched.img file.
    - I then rebooted in fastboot mode and entered the command
    HTML:
    fastboot flash boot boot-patched.img

    Now my screen does not respond anymore. I can't stop or reboot it using the physical buttons because it needs an input on the screen. All I can do is lanching the camera by double tapping the power button (yay !).
    I can't do anything with Xperia Compagnion because it needs to use the MTP mode on the tablet, neither Flashtool because I can't turn it off.

    The only idea that comes to my mind is to let the tablet run out of energy (this can be long...). Then use Flashtool to flash the last 32.2.A.0.253 / R4C once again with wipe mode. Do you think that this will put the stock Kernel back ? Do I have to flash it separately ? What would you do in my case ?

    Thank you very much, great tuto by the way ;)

    Hello,

    I had exactly same problem. You need to use rootkernel 4.51 with a fix instead of rootkernel 5 which causes a screenrespond problem. The fix below is needed if using a firmware .253 or newer. This method works with a newest firmware .305 and Androplus v40 kernel. Hope this helps :)

    To fix rootkernel 4.51:


    1) Go to rootkernel/Android/twrp_common_kmodules
    2) Make a copy of the 3.10.84-perf-g4a67e86 folder
    3) Rename the new folder you just copied to 3.10.84-perf-gf1cfa5f
    4) Use RootKernel as usual
    2
    Please read the answer I gave you before asking the exact same question:

    hey... sorry if I annoyed you in any way...

    It's just that I'm really new to this, so half of the time I don't understand what you are saying, and when I was trying to do this, I ran into series of problems...

    eg. I'm using SGP712 so I can't dial *#*#7378423#*#*, and cant use the firmware you provided, googled a hidden trick in contact setting to solve that issue
    adb devices: shows up empty, when I finally got it to show, its status was offline
    how to create FTF file from downloaded files from XperiFirm
    how to open command line in folder
    have to put boot-patch file in device
    etc etc...

    I'm sure most of problems were due to lack of knowledge on this field... (of course the problem I ran into now is no exception)

    but everything seems to working fine now... (although it took me literally 11 hours)

    Thanks for everything! You are wonderful!
    1
    Thanks for this great guide.

    My question is this. Since it would be easier to avoid all this, can this tool help us do it without having to downgrade?
    http://www.xda-developers.com/chainfires-flashfire-can-now-create-fastboot-flashable-backups/

    I mean would it also backup the DRM keys? Has anyone tried (preferably with a TA backup already in place so that he may not lose the keys in case that this won't work)...

    No. This tool cannot help you and trust me there is no shortcut to avoid all of this.

    Flashfire (the tool you mentioned) only works if you already have root access. There is no root available for this tablet without unlocking the bootloader, and unlocking the bootloader means you lose the TA partition immediately. So by the time you get this tool to work your TA partition will have been long erased.