[How To Guide] Unlock bootloader & enable root (Magisk)


combinedfleet

Member
Jun 13, 2019
30
20
The .sin files are apparently just plain tar archives. Once you extract it, you'll notice that "boot_X-FLASH-ALL-8A63.sin" consists of "boot.000" and "boot.cms". The first one is the actual partition data, while boot.cms is a digital signature sort of thing (I don't know the details). I've compared "Customized EEA_62.0.A.3.163" with "Vodafone LC Not Net Locked_62.0.A.3.163" and the "boot.000" files are bit-for-bit identical, only the signature file differs. (See https://xdaforums.com/t/tool-window...-any-sony-firmware-file.3530077/post-72587162 for another post which mentions these .cms files)
My guess is that Sony signs each customized firmware bundle individually, resulting in multiple different signatures for the same data.
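Checking the observation above with code, as an added example that is not from the thread: it hashes the members of two .sin bundles and reports whether the partition data matches while only the signature differs. It assumes, as the post says, that the .sin is a plain tar archive holding boot.000 and boot.cms; the two bundles are constructed in memory so it runs offline, and with real files you pass their paths instead.

```python
import hashlib
import io
import tarfile

DATA_MEMBER = "boot.000"  # raw partition image (renamed to boot.img for Magisk)
SIG_MEMBER = "boot.cms"   # per-bundle signature, not part of the image itself


def sin_digests(sin):
    """Return {member name: sha256 hex} for each regular file in the archive.
    `sin` is a path or a seekable file object (assumes the .sin is a plain tar)."""
    if isinstance(sin, str):
        tar = tarfile.open(sin, mode="r:*")
    else:
        sin.seek(0)
        tar = tarfile.open(fileobj=sin, mode="r:*")
    with tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar.getmembers() if m.isfile()}


def compare_sin(bundle_a, bundle_b):
    """Report whether two bundles share partition data and/or signature."""
    a, b = sin_digests(bundle_a), sin_digests(bundle_b)
    return {
        "data_identical": a.get(DATA_MEMBER) == b.get(DATA_MEMBER),
        "signature_identical": a.get(SIG_MEMBER) == b.get(SIG_MEMBER),
        "boot_000_sha256": a.get(DATA_MEMBER),  # pin this before flashing
    }


def make_fake_sin(boot_bytes, cms_bytes):
    """Constructed stand-in for a .sin: a tar with the same two member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, blob in ((DATA_MEMBER, boot_bytes), (SIG_MEMBER, cms_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    buf.seek(0)
    return buf


# Constructed stand-ins for the two bundles the post compared: same partition
# bytes ("ANDROID!" is the boot-image magic), different signature blob.
CUSTOMIZED_EEA = make_fake_sin(b"ANDROID!" + b"\x00" * 64, b"sig-eea")
VODAFONE = make_fake_sin(b"ANDROID!" + b"\x00" * 64, b"sig-vodafone")

if __name__ == "__main__":
    print(compare_sin(CUSTOMIZED_EEA, VODAFONE))
```

Recording the boot.000 digest before patching gives you a way to confirm later that the image you hand to Magisk is the one from the bundle you think it is.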

Velfess

Senior Member
Jun 21, 2012
80
9
Vilnius
Google Pixel 7
Using this method to root with the latest XQ-BT52_Customized EEA_62.0.A.3.163 will result in a bootloop.
To anyone stuck in it - just flash any firmware with newflasher.

To successfully root - download the older XQ-BT52_Customized EEA_62.0.A.3.131, extract the boot image from that version, patch it, then flash it. Works fine then. Even if you're on the 163 firmware - using the patched boot image from 131 is fine, no need to downgrade it on the phone.

Velfess

Senior Member
Jun 21, 2012
80
9
Vilnius
Google Pixel 7
OUTDATED:
Another update, the same problem again:
- Updated to the latest firmware 62.1.A.0.587
- Extracted boot.000 -> renamed to boot.img -> patched with Magisk 24.3
- Flashing the patched image causes a bootloop.
- Flashing boot.img (which hasn't been patched yet) fixes everything.
Why won't my phone allow me to flash the latest patched boot images...

UPDATED:
Ok, so it turns out some module probably wasn't playing nice. Flashed the patched image again, ran
`adb wait-for-device shell magisk --remove-modules` and after a few loops it finally booted.

threader

Senior Member
May 31, 2010
252
156
GitHub.com
This is exactly the reason why I haven't rooted my device yet, too. If I understand it correctly, data in the TA partition is modified at the time the bootloader is unlocked, so if we were to create a backup, that would have to happen before unlocking.
The partition is only readable with root privileges, and rooting in general requires an unlocked bootloader. The only way forward is to wait until an exploit becomes available, allowing us to obtain a root shell with the bootloader still locked.
<snip>
I've hunted for an exploit that will work since I bought the phone. I discovered the nice tool 'cvehound' https://github.com/evdenis/cvehound to scan the kernel sources for CVEs. Also this https://github.com/nomi-sec/PoC-in-GitHub lists plenty of applicable exploits. https://github.com/polygraphene/DirtyPipe-Android is also promising, but a slightly different path will need to be taken in our case: our kernel version is 4.19 and not the Google common kernel yet. I started trying to build dirty pipe just this morning, but I'm running out of time since I now need to start using the phone for calls.
 

combinedfleet

Member
Jun 13, 2019
30
20
I've hunted for an exploit that will work since I bought the phone. I discovered the nice tool 'cvehound' https://github.com/evdenis/cvehound to scan the kernel sources for CVEs. Also this https://github.com/nomi-sec/PoC-in-GitHub lists plenty of applicable exploits. https://github.com/polygraphene/DirtyPipe-Android is also promising, but a slightly different path will need to be taken in our case: our kernel version is 4.19 and not the Google common kernel yet. I started trying to build dirty pipe just this morning, but I'm running out of time since I now need to start using the phone for calls.
Nice find with that cvehound tool. I ran it on the 62.0.A.3.28 sources and indeed it listed a lot of CVE numbers. However, I fear that many of these are false positives. For example, in the case of the DirtyPipe exploit you mentioned, cvehound reports the v4.19.157 kernel as vulnerable, even though according to https://nvd.nist.gov/vuln/detail/CVE-2022-0847 this vulnerability only affects kernel versions from v5.8 and above.
At first, I thought that perhaps Sony has cherry picked some commits from future releases, but now I'm leaning more towards it just being a false positive on the side of cvehound, as the tool also reports vanilla Linux kernel v4.19.157 as vulnerable.
So unless I'm mistaken, I think trying to get DirtyPipe to run on the 10 III is unfortunately a waste of time.
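Turning the version argument above into a repeatable check, as an added example that is not code from the thread or from cvehound: it flags cvehound hits whose CVE, per NVD, was only introduced in a kernel newer than the one scanned. The NVD range for CVE-2022-0847 (introduced in 5.8) is the one the post cites; the fixed stable releases listed are the upstream backports of the fix, and the findings list is constructed.

```python
# Version-range triage for cvehound-style CVE hits (added example, not from
# the thread or from cvehound). A hit whose CVE was introduced after the
# scanned kernel's release is marked a likely false positive.
import re

# Per-CVE range from NVD: first affected release and the releases that fix it
# (highest entry is the mainline fix). Only the CVE the thread discusses is
# filled in; extend from NVD as needed.
AFFECTED = {
    "CVE-2022-0847": {"introduced": "5.8",
                      "fixed_in": ("5.10.102", "5.15.25", "5.16.11", "5.17")},
}

def parse_version(v):
    """'v4.19.157' -> (4, 19, 157); a missing patch level compares as 0."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised kernel version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def in_affected_range(kernel, cve):
    """True if `kernel` is inside the NVD range for `cve`; None if CVE unknown."""
    info = AFFECTED.get(cve)
    if info is None:
        return None
    k = parse_version(kernel)
    if k < parse_version(info["introduced"]):
        return False  # predates the introducing commit's release
    fixed = sorted(parse_version(f) for f in info["fixed_in"])
    if k >= fixed[-1]:
        return False  # at or past the mainline fix
    for f in fixed:
        if k[:2] == f[:2] and k >= f:
            return False  # patched stable release in the same series
    return True

def triage(kernel, findings):
    """Label each hit: 'plausible', 'likely false positive' or 'unknown'."""
    out = {}
    for cve in findings:
        r = in_affected_range(kernel, cve)
        if r is None:
            out[cve] = "unknown: no range data, check NVD"
        elif r:
            out[cve] = "plausible: version inside the affected range"
        else:
            out[cve] = ("likely false positive: version outside the NVD range "
                        "(unless the vendor backported the introducing commit)")
    return out

# Constructed findings for the 4.19.157-based sources discussed above.
FINDINGS = ["CVE-2022-0847"]
```

The verdict is a heuristic only: as the post notes, a vendor can cherry-pick the introducing commit into an older tree, so the conclusive check is whether that commit is actually present in the sources.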
 

threader

Senior Member
May 31, 2010
252
156
GitHub.com
Nice find with that cvehound tool. I ran it on the 62.0.A.3.28 sources and indeed it listed a lot of CVE numbers. However, I fear that many of these are false positives. For example, in the case of the DirtyPipe exploit you mentioned, cvehound reports the v4.19.157 kernel as vulnerable, even though according to https://nvd.nist.gov/vuln/detail/CVE-2022-0847 this vulnerability only affects kernel versions from v5.8 and above.
At first, I thought that perhaps Sony has cherry picked some commits from future releases, but now I'm leaning more towards it just being a false positive on the side of cvehound, as the tool also reports vanilla Linux kernel v4.19.157 as vulnerable.
So unless I'm mistaken, I think trying to get DirtyPipe to run on the 10 III is unfortunately a waste of time.
cvehound will be a handy tool for years to come, I hope; I'll be running it against my projects. Also remember to reset to a commit near the fw version, but I guess you've got sense and have updated. I was sure I checked if the commit was in place; I might have worked too fast, and I also haven't had another look. I'm trying to wrap up a few things for msm8974/8994: two kernel merges and a TWRP recovery, plus a memcpy-and-friends optimisation taken from "kryo" (isn't that the codename for this device? I just noticed I could halve the cacheline size and probably have something working) in CAF bionic atm. I ended up spending way more time than I should trying to fix the AOSP 10 version of TWRP and have it live with los-17.1; thought it would be easier and faster to test libc stuff with, and handy!
https://github.com/threader/android_bootable_rebcovery - anyone know why it was completely broken though?
Maybe I'll muster up the courage to try again in a few days.
 

Top Liked Posts

  • 4
    Code:
    /*
    * Your warranty is no longer valid, unless you lie.
    *
    * I am not responsible for bricked devices, strained relationships,
    * thermonuclear war, or you getting fired because the alarm app failed. Please
    * do some research if you have any concerns about features included in this kernel
    * before flashing it! YOU are choosing to make these modifications, and if
    * you point the finger at me for messing up your device, I will laugh at you.
    *
    */

    GUIDE UNLOCKING BOOTLOADER & ROOTING Xperia 10 III (PDX213)
    STEP 1 - UNLOCK YOUR BOOTLOADER

    1- GUIDE UNLOCK BOOTLOADER XPERIA

    2- WEB UNLOCK TOOLS BOOTLOADER XPERIA

    STEP 2 - DOWNLOAD FIRMWARE STOCK USING XPERIFIRM

    STEP 3 - extract boot_X-FLASH-ALL-8A63.sin using a zip file manager (7zip, for example; here I used the Ark archive manager on Fedora)
    rename boot.000 to boot.img

    STEP 4 - install Magisk Manager on your phone from the official GitHub release

    - open Magisk and patch your boot.img

    STEP 5 - boot into fastboot and enter:

    fastboot flash boot boot_patched.img

    ENJOY
    2
    Check this: https://xdaforums.com/t/does-rooting-sony-phone-still-lower-their-quality.4318171/
    And more generally https://www.xda-developers.com/sony-xperia-android-pie-unlock-bootloader-drm-fix-camera/
    I gather that the devices with Android 9 or above can safely be unlocked, but that does not necessarily mean everything works with root.

    I just want to avoid rooting the device and realizing I need some DRM keys that I lost.

    Please update us should any problems arise!
    This is exactly the reason why I haven't rooted my device yet, too. If I understand it correctly, data in the TA partition is modified at the time the bootloader is unlocked, so if we were to create a backup, that would have to happen before unlocking.
    The partition is only readable with root privileges, and rooting in general requires an unlocked bootloader. The only way forward is to wait until an exploit becomes available, allowing us to obtain a root shell with the bootloader still locked.
    Hopefully it's possible to flash older firmware onto this phone, which would mean we can downgrade to an older Android security patch level if needed (i.e. the potential exploit gets patched by Google or a vendor) - does anyone here know if that's the case? When installing an OTA update, the UI says we won't be able to return to a previous version, but I suppose it's still possible to flash any of the official firmware packages at any point.
    1
    Camera, bluetooth, microphone, calling, all working fine. No idea about safetynet haven't checked. As mentioned above, it does say I have an extra `su` that I don't know where it came from.
    1
    I did not. Not even sure what the TA partition is haha
    Of course backups are always a good idea when possible. It just seems a lot of the stuff out there assumes you have TWRP.