• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[Guide] Safe bootloader unlock, restore DRM, custom recovery, root, bootloader relock

Search This thread

najoor

Senior Member
Mar 11, 2014
711
907
Los Angeles
** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **​

The following is tested on model E6553. This may work for the dual sim model too but I have not verified it. Do not flash the ftf and kernel files intended for one model onto another.​

I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
Credits: @zxz0O0, @tobias.waldvogel

0- Prerequisites


You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your phone when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.


1- How to unlock your bootloader without losing the DRM keys


Sony has designed this phone such that if you unlock your bootloader you lose your TA partition PERMANENTLY which includes some of the Xperia features and licenses that have to do with image processing etc. forever. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each device and cannot be copied over from another) unlocking the bootloader results in an irreversible loss of some of your phone's features. Relocking the bootloader will not bring them back.
A hack exists that allows you to backup the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the Customized NL ftf that you can get from here.
1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable.
Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
1.3- Turn on usb debugging mode on your phone.
1.4- Download iovyroot zip v0.4 or higher from here.
1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
1.6- Connect the phone which is now in USB debugging mode to your PC and answer yes when the phone asks to authorize the PC to access it in USB debugging mode. You can check that the PC indeed sees the phone by running this command
Code:
adb devices
1.7- Run the following command:
Code:
tabackup
1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-05052016.img (the name may be different for you) with a size of 2MB in your folder.
1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
1.10- Reboot the device.
1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
1.12- Reboot the device and it will briefly enter recovery and then start the phone initial setup.
1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
Code:
fastboot boot boot.img
1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 E6553_Customized HK_1294-9654_32.1.A.1.185_R7C (the latest firmware at the time of this writing.)


2- How to emulate DRM keys and/or root and/or add recovery after unlocking the bootloader.


A hack exists that can emulate the DRM keys:
2.1- Extract the boot image from the 32.1.A.1.185 marshmallow ftf that you installed in step 1.15. Here are the steps to take:
Open the ftf file with 7-zip or any zip program that you have at your disposal
Look for a file called kernel.sin and extract it.
Start flashtool and from Tools menu choose Sin Editor.
Select the kernel.sin that you extracted in the previous step and hit Extract data.
Flashtool will create a file called kernel.elf which you will use in the next step.​
2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
2.3- Copy the kernel.elf that you got in step 2.1 to this folder. If you want root, follow this guide through to section 5 place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133 (The rootkernel tool has a bug in its built-in SuperSU integration. See: http://forum.xda-developers.com/showpost.php?p=67485478&postcount=838)
2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
Code:
rootkernel.cmd kernel.elf boot-patched.img
When prompted, answer as follows:
- Sony RIC is enabled. Disable? [Y/n] Y (if you want root plus write access)
- Install TWRP recovery? [Y/n] Y (if you want to have recovery)
- Install busybox? [Y/n] Y (if you want busybox. It is very useful)
- Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
- Install DRM fix? [Y/n] Y (if you want DRM emulation)
This will create a new kernel image called boot-patched.img which you will now flash on your phone.
2.5- Boot the phone in the fastboot mode and flash your patched image using the following fastboot command:
Code:
fastboot flash boot boot-patched.img
2.6- (Optional) You can reboot the phone and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is successful you will see this.


3- How to flash a custom or stock kernel


3.0- If you have already flashed the patched kernel in part 2 you will skip this part.
3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash a boot image (i.e. kernel) on your phone you need to restart the tablet in fastboot mode.
3.2- To flash the kernel use this command:
Code:
fastboot flash boot [I]name_of_your_kernel[/I]
You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)


4- How to add and use recovery


4.1- Recovery is added to your kernel in step 2.4.
4.2- To enter recovery reboot the phone and touch the volume up key when the LED turns yellow during the boot splash screen.



5- How to root


5.1- Place SuperSU 2.71 zip (or higher) on the phone's sdcard. The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
5.2- Reboot to recovery and flash the zip file.



6- How to relock bootloader and return it to original factory state


6.0- To relock the bootloader along with restoring the DRM keys the phone must have unmodified stock firmware.
6.1- Repeat step 1.1
6.2- Repeat steps 1.3, 1.4, and 1.5
6.3- Copy the TA backup image that you had obtained in section 1 in the iovyroot folder and use the tarestore command to flash the TA partition back onto the phone. The command will look similar to this:
Code:
tarestore TA-05052016.img
Make sure the command completes with no error. If it fails the first time try again. Reboot the phone. Your bootloader is now locked and your DRM keys restored.
6.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
 

Attachments

  • Screenshot_20160526-120543.jpg
    Screenshot_20160526-120543.jpg
    156.8 KB · Views: 5,077
Last edited:

arokososoo

Senior Member
Feb 7, 2015
146
34
Dehradun
Whoa Great

---------- Post added at 01:32 AM ---------- Previous post was at 12:50 AM ----------

** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **​
The following is tested on model E6553. This may work for the dual sim model too but I have not verified it. Do not flash the ftf and kernel files intended for one model onto another.​
I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
Credits: @zxz0O0, @tobias.waldvogel

0- Prerequisites


You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your phone when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.


1- How to unlock your bootloader without losing the DRM keys


Sony has designed this phone such that if you unlock your bootloader you lose your TA partition PERMANENTLY which includes some of the Xperia features and licenses that have to do with image processing etc. forever. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each device and cannot be copied over from another) unlocking the bootloader results in an irreversible loss of some of your phone's features. Relocking the bootloader will not bring them back.
A hack exists that allows you to backup the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the UK Generic ftf that you can get from here.
1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable.
Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
1.3- Turn on usb debugging mode on your phone.
1.4- Download iovyroot zip v0.4 or higher from here.
1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
1.6- Connect the phone which is now in USB debugging mode to your PC and answer yes when the phone asks to authorize the PC to access it in USB debugging mode. You can check that the PC indeed sees the phone by running this command
Code:
adb devices
1.7- Run the following command:
Code:
tabackup
1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-05052016.img (the name may be different for you) with a size of 2MB in your folder.
1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
1.10- Reboot the device.
1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
1.12- Reboot the device and it will briefly enter recovery and then start the phone initial setup.
1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
Code:
fastboot boot boot.img
1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 E6553_Customized HK_1294-9654_32.1.A.1.185_R7C (the latest firmware at the time of this writing.)


2- How to emulate DRM keys and/or root and/or add recovery after unlocking the bootloader.


A hack exists that can emulate the DRM keys:
2.1- Extract the boot image from the 32.1.A.1.185 marshmallow ftf that you installed in step 1.15. Here are the steps to take:
Open the ftf file with 7-zip or any zip program that you have at your disposal
Look for a file called kernel.sin and extract it.
Start flashtool and from Tools menu choose Sin Editor.
Select the kernel.sin that you extracted in the previous step and hit Extract data.
Flashtool will create a file called kernel.elf which you will use in the next step.​
2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
2.3- Copy the kernel.elf that you got in step 2.1 to this folder. If you want root, place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
Code:
rootkernel.cmd kernel.elf boot-patched.img
When prompted, answer as follows:
- Sony RIC is enabled. Disable? [Y/n] Y (if you want root plus write access)
- Install TWRP recovery? [Y/n] Y (if you want to have recovery)
- Install busybox? [Y/n] Y (if you want busybox. It is very useful)
- Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
- Install DRM fix? [Y/n] Y (if you want DRM emulation)
This will create a new kernel image called boot-patched.img which you will now flash on your phone.
2.5- Boot the phone in the fastboot mode and flash your patched image using the following fastboot command:
Code:
fastboot flash boot boot-patched.img
2.6- (Optional) You can reboot the phone and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is successful you will see this.


3- How to flash a custom or stock kernel


3.0- If you have already flashed the patched kernel in part 2 you will skip this part.
3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash a boot image (i.e. kernel) on your phone you need to restart the tablet in fastboot mode.
3.2- To flash the kernel use this command:
Code:
fastboot flash boot [I]name_of_your_kernel[/I]
You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)


4- How to add and use recovery


4.1- Recovery is added to your kernel in step 2.4.
4.2- To enter recovery reboot the phone and touch the volume up key when the LED turns yellow during the boot splash screen.


5- How to relock bootloader and return it to original factory state


5.0- To relock the bootloader along with restoring the DRM keys the phone must have unmodified stock firmware.
5.1- Repeat step 1.1
5.2- Repeat steps 1.3, 1.4, and 1.5
5.3- Copy the TA backup image that you had obtained in section 1 in the iovyroot folder and use the tarestore command to flash the TA partition back onto the phone. The command will look similar to this:
Code:
tarestore TA-05052016.img
Make sure the command completes with no error. If it fails the first time try again. Reboot the phone. Your bootloader is now locked and your DRM keys restored.
5.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
Very usefull step by step guide.. But is there is any method to root phone without unlocking Bl? Quite curious to know from you.
 

ninjaijutsu

Member
Jun 2, 2010
41
1
Thanks ú so much! this is well writen, i will try this when i get the time to do a fresh install. Cheers mate
 

ChiDi9901

Senior Member
Sep 20, 2012
446
165
Wien
@arokososoo
Please, in the future never quote long OP and any other long posts. This is very annoying for mobile and desktop users to scroll to the next post. Thanks.

Sent from my Sony E6553 using XDA Labs
 
  • Like
Reactions: bjowol

Stoneybridge

Member
May 19, 2012
10
1
Got as far as going to the sony website, there's no mention of phones that can be unlocked there and for some reason Ive got bootloader unlock allowed no, even with a sim free phone and my xperia turned off.....bummer :(
 

KuroTheBang

Senior Member
Aug 17, 2014
304
153
Dortmund
Got as far as going to the sony website, there's no mention of phones that can be unlocked there and for some reason Ive got bootloader unlock allowed no, even with a sim free phone and my xperia turned off.....bummer :(

I also unlocked my Z3+, although it wasn't supported. I just picked Z4 Tablet since it is the "nearest" one. Worked :) Got MM rooted now.
 
  • Like
Reactions: SprindFinorilar
T

Trilliard

Guest
How long did that take on your devices? 1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the UK Generic ftf that you can get from here.

I am waiting for half an hour now...

Unbenannt.png
 
T

Trilliard

Guest
Well i got a soft brick, but was able to restore it trough Sony Companion. Here is the picture on another hoster http://fs5.directupload.net/images/160529/gr5fpf8t.png dont know on what point it stuck.

Funfact that two germans writting in english ;)

Edit, big thanks version 0.9.19 worked perfect. Cant understand why the newest one doesnt work

Edit 2: System boots up, but when the setup start the process com.android.phone stops instant and if i hit ok the message comes instantly again after about ten times the phone reboot, i cant do anything else... next repair through sony companion and back to stock german 6.0. I´ll stop try it for today.
 
Last edited:

Stoneybridge

Member
May 19, 2012
10
1
Well i got a soft brick, but was able to restore it trough Sony Companion. Here is the picture on another hoster http://fs5.directupload.net/images/160529/gr5fpf8t.png dont know on what point it stuck.

Funfact that two germans writting in english ;)

Edit, big thanks version 0.9.19 worked perfect. Cant understand why the newest one doesnt work

Edit 2: System boots up, but when the setup start the process com.android.phone stops instant and if i hit ok the message comes instantly again after about ten times the phone reboot, i cant do anything else... next repair through sony companion and back to stock german 6.0. I´ll stop try it for today.
Did you forget to wipe?
 

Rudjgaard

Senior Member
Jun 11, 2012
875
411
In a thread i opened in Q&A a user said that even though service info reported bl unlock allowed NO, he managed to unlock it anyways using standard procedure, what do you think?
 

sailay1980

Member
Apr 17, 2014
16
8
Hi thiefxhunter,
How you do this? could you explain us step by step. I like to root my dual sim model.
Thanks.
 

dil2abu

Member
Jul 20, 2012
26
4
Chennai
Hi.. I am stuck in 2.5 :(
My device is unlocked, It is connected in fastboot mode (blue led).
error msg
'Fastboot is not recognised as an internal or external command, operable program or batch file'

Please help me in this.

Solved..
Thanks for this post..
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 36
    ** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **​

    The following is tested on model E6553. This may work for the dual sim model too but I have not verified it. Do not flash the ftf and kernel files intended for one model onto another.​

    I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
    Credits: @zxz0O0, @tobias.waldvogel

    0- Prerequisites


    You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your phone when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.


    1- How to unlock your bootloader without losing the DRM keys


    Sony has designed this phone such that if you unlock your bootloader you lose your TA partition PERMANENTLY which includes some of the Xperia features and licenses that have to do with image processing etc. forever. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each device and cannot be copied over from another) unlocking the bootloader results in an irreversible loss of some of your phone's features. Relocking the bootloader will not bring them back.
    A hack exists that allows you to backup the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
    1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
    1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the Customized NL ftf that you can get from here.
    1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable.
    Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
    1.3- Turn on usb debugging mode on your phone.
    1.4- Download iovyroot zip v0.4 or higher from here.
    1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
    1.6- Connect the phone which is now in USB debugging mode to your PC and answer yes when the phone asks to authorize the PC to access it in USB debugging mode. You can check that the PC indeed sees the phone by running this command
    Code:
    adb devices
    1.7- Run the following command:
    Code:
    tabackup
    1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-05052016.img (the name may be different for you) with a size of 2MB in your folder.
    1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
    1.10- Reboot the device.
    1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
    1.12- Reboot the device and it will briefly enter recovery and then start the phone initial setup.
    1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
    Code:
    fastboot boot boot.img
    1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
    1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 E6553_Customized HK_1294-9654_32.1.A.1.185_R7C (the latest firmware at the time of this writing.)


    2- How to emulate DRM keys and/or root and/or add recovery after unlocking the bootloader.


    A hack exists that can emulate the DRM keys:
    2.1- Extract the boot image from the 32.1.A.1.185 marshmallow ftf that you installed in step 1.15. Here are the steps to take:
    Open the ftf file with 7-zip or any zip program that you have at your disposal
    Look for a file called kernel.sin and extract it.
    Start flashtool and from Tools menu choose Sin Editor.
    Select the kernel.sin that you extracted in the previous step and hit Extract data.
    Flashtool will create a file called kernel.elf which you will use in the next step.​
    2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
    2.3- Copy the kernel.elf that you got in step 2.1 to this folder. If you want root, follow this guide through to section 5 place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133 (The rootkernel tool has a bug in its built-in SuperSU integration. See: http://forum.xda-developers.com/showpost.php?p=67485478&postcount=838)
    2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
    Code:
    rootkernel.cmd kernel.elf boot-patched.img
    When prompted, answer as follows:
    - Sony RIC is enabled. Disable? [Y/n] Y (if you want root plus write access)
    - Install TWRP recovery? [Y/n] Y (if you want to have recovery)
    - Install busybox? [Y/n] Y (if you want busybox. It is very useful)
    - Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
    - Install DRM fix? [Y/n] Y (if you want DRM emulation)
    This will create a new kernel image called boot-patched.img which you will now flash on your phone.
    2.5- Boot the phone in the fastboot mode and flash your patched image using the following fastboot command:
    Code:
    fastboot flash boot boot-patched.img
    2.6- (Optional) You can reboot the phone and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is successful you will see this.


    3- How to flash a custom or stock kernel


    3.0- If you have already flashed the patched kernel in part 2 you will skip this part.
    3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash a boot image (i.e. kernel) on your phone you need to restart the tablet in fastboot mode.
    3.2- To flash the kernel use this command:
    Code:
    fastboot flash boot [I]name_of_your_kernel[/I]
    You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)


    4- How to add and use recovery


    4.1- Recovery is added to your kernel in step 2.4.
    4.2- To enter recovery reboot the phone and touch the volume up key when the LED turns yellow during the boot splash screen.



    5- How to root


    5.1- Place SuperSU 2.71 zip (or higher) on the phone's sdcard. The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
    5.2- Reboot to recovery and flash the zip file.



    6- How to relock bootloader and return it to original factory state


    6.0- To relock the bootloader along with restoring the DRM keys the phone must have unmodified stock firmware.
    6.1- Repeat step 1.1
    6.2- Repeat steps 1.3, 1.4, and 1.5
    6.3- Copy the TA backup image that you had obtained in section 1 in the iovyroot folder and use the tarestore command to flash the TA partition back onto the phone. The command will look similar to this:
    Code:
    tarestore TA-05052016.img
    Make sure the command completes with no error. If it fails the first time try again. Reboot the phone. Your bootloader is now locked and your DRM keys restored.
    6.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
    3
    Can someone give me the link to the 28.0.A.8.266 firmware or upload it?

    The xperia-forum won't let me download it even though I have registered.

    Hi, Before you ask, just search first.
    Try this for E6533.
    https://drive.google.com/file/d/0B79PXa42-fRYY0ZHUEpwblVfd1E/view?pref=2&pli=1
    or
    http://www.mediafire.com/download/8iiaolfw7s7kg71/E6533_28.0.A.8.266_1295-9226_R17A.rar
    2
    Whoa Great

    ---------- Post added at 01:32 AM ---------- Previous post was at 12:50 AM ----------

    ** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **​
    The following is tested on model E6553. This may work for the dual sim model too but I have not verified it. Do not flash the ftf and kernel files intended for one model onto another.​
    I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
    Credits: @zxz0O0, @tobias.waldvogel

    0- Prerequisites


    You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your phone when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.


    1- How to unlock your bootloader without losing the DRM keys


    Sony has designed this phone such that if you unlock your bootloader you lose your TA partition PERMANENTLY which includes some of the Xperia features and licenses that have to do with image processing etc. forever. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each device and cannot be copied over from another) unlocking the bootloader results in an irreversible loss of some of your phone's features. Relocking the bootloader will not bring them back.
    A hack exists that allows you to backup the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
    1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
    1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the UK Generic ftf that you can get from here.
    1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable.
    Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
    1.3- Turn on usb debugging mode on your phone.
    1.4- Download iovyroot zip v0.4 or higher from here.
    1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
    1.6- Connect the phone which is now in USB debugging mode to your PC and answer yes when the phone asks to authorize the PC to access it in USB debugging mode. You can check that the PC indeed sees the phone by running this command
    Code:
    adb devices
    1.7- Run the following command:
    Code:
    tabackup
    1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-05052016.img (the name may be different for you) with a size of 2MB in your folder.
    1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
    1.10- Reboot the device.
    1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
    1.12- Reboot the device and it will briefly enter recovery and then start the phone initial setup.
    1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
    Code:
    fastboot boot boot.img
    1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
    1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 E6553_Customized HK_1294-9654_32.1.A.1.185_R7C (the latest firmware at the time of this writing.)


    2- How to emulate DRM keys and/or root and/or add recovery after unlocking the bootloader.


    A hack exists that can emulate the DRM keys:
    2.1- Extract the boot image from the 32.1.A.1.185 marshmallow ftf that you installed in step 1.15. Here are the steps to take:
    Open the ftf file with 7-zip or any zip program that you have at your disposal
    Look for a file called kernel.sin and extract it.
    Start flashtool and from Tools menu choose Sin Editor.
    Select the kernel.sin that you extracted in the previous step and hit Extract data.
    Flashtool will create a file called kernel.elf which you will use in the next step.​
    2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
    2.3- Copy the kernel.elf that you got in step 2.1 to this folder. If you want root, place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
    2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
    Code:
    rootkernel.cmd kernel.elf boot-patched.img
    When prompted, answer as follows:
    - Sony RIC is enabled. Disable? [Y/n] Y (if you want root plus write access)
    - Install TWRP recovery? [Y/n] Y (if you want to have recovery)
    - Install busybox? [Y/n] Y (if you want busybox. It is very useful)
    - Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
    - Install DRM fix? [Y/n] Y (if you want DRM emulation)
    This will create a new kernel image called boot-patched.img which you will now flash on your phone.
    2.5- Boot the phone in the fastboot mode and flash your patched image using the following fastboot command:
    Code:
    fastboot flash boot boot-patched.img
    2.6- (Optional) You can reboot the phone and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is successful you will see this.


    3- How to flash a custom or stock kernel


    3.0- If you have already flashed the patched kernel in part 2 you will skip this part.
    3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash a boot image (i.e. kernel) on your phone you need to restart the tablet in fastboot mode.
    3.2- To flash the kernel use this command:
    Code:
    fastboot flash boot [I]name_of_your_kernel[/I]
    You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)


    4- How to add and use recovery


    4.1- Recovery is added to your kernel in step 2.4.
    4.2- To enter recovery reboot the phone and touch the volume up key when the LED turns yellow during the boot splash screen.


    5- How to relock bootloader and return it to original factory state


    5.0- To relock the bootloader along with restoring the DRM keys the phone must have unmodified stock firmware.
    5.1- Repeat step 1.1
    5.2- Repeat steps 1.3, 1.4, and 1.5
    5.3- Copy the TA backup image that you had obtained in section 1 in the iovyroot folder and use the tarestore command to flash the TA partition back onto the phone. The command will look similar to this:
    Code:
    tarestore TA-05052016.img
    Make sure the command completes with no error. If it fails the first time try again. Reboot the phone. Your bootloader is now locked and your DRM keys restored.
    5.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
    Very usefull step by step guide.. But is there is any method to root phone without unlocking Bl? Quite curious to know from you.
    1
    @arokososoo
    Please, in the future never quote long OP and any other long posts. This is very annoying for mobile and desktop users to scroll to the next post. Thanks.

    Sent from my Sony E6553 using XDA Labs
    1
    i need to back up TA partition not drm keys; what is the easy way to do that? i am on android 7 ; and how to downgrade to android 6 or 5? thanks in advance.

    1. TA Partition is contains DRM Keys (both meaning almost same)
    2. To get back your warranty, you need to restore TA Partition and need to lock bootloader, else it is not required. Patched / Custom kernel will do the job.
    3. You can flash any version of android (upgrade or downgrade) without unlocking bootloader using FLASH TOOL. But, you need to select all the check boxes of the following in wipe section APPS_LOG, DIAG, PERSIST, SSD & USERDATA (flash tool screenshot enclosed for reference)

    Note: Please read about Patched Kernel (DRM Fixed) for Stock ROM, Custom Kernel for Stock ROM, Switching of "My Xperia" (required for Patched / Custom Kernel, else phone will be soft bricked), USB Debugging Mode and other topics for experimenting with your phone / Stock ROM.