
iovyroot - (temp) root tool


zxz0O0

Senior Member
Apr 18, 2011
1,533
5,162
Today I present you
iovyroot - (temp) root tool
based on CVE-2015-1805

Requirements
  • USB debugging enabled
    Settings => About phone => Click 7 times on Android Build to unlock developer options
  • adb drivers installed
  • LP Kernel <= Dec 2015

Components
  1. Binary to get root shell
    • root/iovyroot
  2. Simple TA Backup / Restore script
    The author takes no responsibility
    • tabackup.bat & tarestore.bat (read second post for restore)

Download v0.4
If you found this tool useful, please consider donating (click here) :)


Supported models:
Code:
- M5 (all variants) (30.0.A.1.23 & 30.1.A.1.33)
- M5 Dual (all variants) (30.0.B.1.23 & 30.1.B.1.33)
- E5803 (32.0.A.6.200)
- E5823 (32.0.A.6.200)
- E6533 (28.0.A.8.266)
- E6553 (28.0.A.8.266)
- E6603 (32.0.A.6.152)
- E6633 (32.0.A.6.152)
- E6653 (32.0.A.6.152 & 32.0.A.6.200)
- E6683 (32.0.A.6.152)
- E6833 (32.0.A.6.170)
- E6853 (32.0.A.6.170 & 32.0.A.6.200)
- E6883 (32.0.A.6.160 & 32.0.A.6.170 & 32.0.A.6.209)
- SGP771 (28.0.A.8.260)
- SGP712 (28.0.A.8.260)
- LG G Flex 2 (5.1.1 LMY47S)
- Possibly all other devices with LP kernel from Dec 2015 or older

Credits:
- @idler1984 for his poc and great help
- @ninestarkoko and @rimmeda for testing
- @ipromeh for fixing ta scripts

XDA:DevDB Information
iovyroot - (temp) root tool, Tool/Utility for the Sony Xperia Z5 Compact

Contributors
zxz0O0, idler1984
Source Code: https://github.com/dosomder/iovyroot


Version Information
Status: Beta

Created 2016-04-01
Last Updated 2016-04-01
 

zxz0O0

Senior Member
Apr 18, 2011
1,533
5,162
Reserved

Questions

Is it possible to get full root without bootloader unlock?
  • No, dm-verity prevents write access to system
Can we disable dm-verity?
  • Temporarily yes, but it will be enabled again at next reboot. Any modification to /system would thus result in a bootloop. dm-verity resides in the kernel which we can't modify on locked bootloader.
Can we restore TA partition after unlocking bootloader?
How to restore TA partition?
  • Method 1:
    1. Flash stock firmware from flashtool (supported by iovyroot) (you are now unrooted)
    2. Use tarestore.bat from iovyroot
  • Method 2 (fully rooted & unlocked bootloader):
    1. Use BackupTA and option "Convert v4 backup"
    2. Restore backup with BackupTA
    3. Flash stock firmware with flashtool
 

ipromeh

Senior Member
Oct 8, 2012
1,382
3,472
23
Kuala Lumpur
nice job! reserved for something else..

Please download the latest version by zxz0O0

E5803 (32.0.A.6.200) Malaysia Firmware (FTF)
Google drive link: https://drive.google.com/file/d/0B_uYldsE-h2sRmNlUjZOQVgwQlU/view?usp=sharing





<-- Outdated fixes for v0.1 -->
Fixes:
This file will fix "TA.img" not found issue (backup script fix)
https://drive.google.com/file/d/0B_uYldsE-h2sb1FKM19HMi02TzQ/view?usp=sharing

This file will fix Z5C E5803 malaysia firmware "device not supported" issue and also included TA fix
https://drive.google.com/file/d/0B_uYldsE-h2sTnQ1cUVGX2xfSTg/view?usp=sharing

Older post:

Edit:
E5803 (32.0.A.6.200) Malaysia Firmware (FTF)
Google drive link: https://drive.google.com/file/d/0B_uYldsE-h2sRmNlUjZOQVgwQlU/view?usp=sharing


Edit 2:
@zxz0O0 , there's something wrong with the binary device verification with the E5803 (32.0.A.6.200) Malaysia Firmware. It says "Error: Device not supported"
This modified binary file will work with this firmware:
https://drive.google.com/file/d/0B_uYldsE-h2sMTZKUi1VcjFjM3c/view?usp=sharing

Edit 3:
The backup TA script is not working; it looks like the /dev partition layout is different from the previous Z series.
here is the dir list of the /dev/block
Code:
[email protected]:/dev/block $ ls
ls
bootdevice
dm-0
loop0
loop1
loop2
loop3
loop4
loop5
loop6
loop7
mmcblk0
mmcblk0p1
mmcblk0p10
mmcblk0p11
mmcblk0p12
mmcblk0p13
mmcblk0p14
mmcblk0p15
mmcblk0p16
mmcblk0p17
mmcblk0p18
mmcblk0p19
mmcblk0p2
mmcblk0p20
mmcblk0p21
mmcblk0p22
mmcblk0p23
mmcblk0p24
mmcblk0p25
mmcblk0p26
mmcblk0p27
mmcblk0p28
mmcblk0p29
mmcblk0p3
mmcblk0p30
mmcblk0p31
mmcblk0p32
mmcblk0p33
mmcblk0p34
mmcblk0p35
mmcblk0p36
mmcblk0p37
mmcblk0p38
mmcblk0p39
mmcblk0p4
mmcblk0p40
mmcblk0p41
mmcblk0p42
mmcblk0p43
mmcblk0p5
mmcblk0p6
mmcblk0p7
mmcblk0p8
mmcblk0p9
mmcblk0rpmb
mmcblk1
mmcblk1p1
platform
ram0
ram1
ram10
ram11
ram12
ram13
ram14
ram15
ram2
ram3
ram4
ram5
ram6
ram7
ram8
ram9
vold
zram0

Code:
[email protected]:/dev/block/platform $ ls
f9824900.sdhci
f98a4900.sdhci

Anyway, it's confirmed that I got temp root access with this. Great job! :D


Edit 4:
Okay guys, confirmed that the TA partition for Z5 Compact is located at /dev/block/platform/f9824900.sdhci/by-name/TA


output of the terminal with fix
Code:
iovyroot by zxz0O0
poc by idler1984

[+] Changing fd limit from 1024 to 4096
[+] Changing process priority to highest
[+] Getting pipes
[+] Allocating memory
[+] Installing JOP
    [+] Patching address 0xffffffc00194f630
    [+] Start map/unmap thread
    [+] Start write thread
    [+] Spraying kernel heap
    [+] Start read thread
    [+] Done
[+] Patching addr_limit
    [+] Patching address 0xffffffc05b324008
    [+] Start map/unmap thread
    [+] Start write thread
    [+] Spraying kernel heap
    [+] Start read thread
    [+] Done
[+] Removing JOP
got root lmao

TA.img copied successfully
Press any key to continue . . .

Have a nice day! :)
 

3Shirts

Senior Member
Jan 18, 2009
1,612
401
Bedford
Since this is a temp root, presumably we cannot root then upgrade the firmware (to MM) as root will stop working? Correct?
 

ninestarkoko

Senior Member
Nov 26, 2013
516
213



Since this is a temp root, presumably we cannot root then upgrade the firmware (to MM) as root will stop working? Correct?

The exploit here permits gaining a temporary root command shell (#) and backing up/restoring the TA partition using it.
This has nothing to do with SuperSU: you cannot install it, and phone apps cannot gain root access using this package. Installing SuperSU (nowadays) involves /system or /boot partition modification, which is prevented by dm-verity, as stated in the 2nd post.
 

3Shirts

Senior Member
Jan 18, 2009
1,612
401
Bedford
I see, sorry for the dumb question.

So we back up TA partition with this, then unlock the bootloader and get root that way. This just means we can then restore the device later, thanks to backed up TA?

Presumably you cannot restore the TA partition with the bootloader unlocked? Again, sorry if this seems dumb.
 

ninestarkoko

Senior Member
Nov 26, 2013
516
213
nice job! reserved for something else..

Edit 3:
The backup TA script is not working; it looks like the /dev partition layout is different from the previous Z series.
here is the dir list of the /dev/block

Code:
[email protected]:/dev/block/platform $ ls
f9824900.sdhci
f98a4900.sdhci

Anyway, it's confirmed that I got temp root access with this. Great job! :D


Edit 4:
Okay guys, confirmed that the TA partition for Z5 Compact is located at /dev/block/platform/f9824900.sdhci/by-name/TA

Have a nice day! :)

I do agree, Z5 compact E5823 here.

TA backup script not working NOW: please wait for an update from Zxz0O0 or if you want to correct the backup script yourself, just run the exploit iovyroot and use the command " ls -l /dev/block/platform "

EDIT: fix in the third post thanks to ipromeh
 

ipromeh

Senior Member
Oct 8, 2012
1,382
3,472
23
Kuala Lumpur
I do agree, Z5 compact E5823 here.

TA backup script not working NOW: please wait for an update from Zxz0O0 or if you want to correct the backup script yourself, just run the exploit iovyroot and use the command " ls -l /dev/block/platform "

You'll have to modify backup.sh to change the command (as root user) ;)

Anyway, I've uploaded a fix at post #4 in case someone needs it. I hope zxz0O0 can update his OP too :victory:
 
  • Like
Reactions: zxz0O0

zxz0O0

Senior Member
Apr 18, 2011
1,533
5,162
You'll have to modify backup.sh to change the command (as root user) ;)

Anyway, I've uploaded a fix at post #4 in case someone needs it. I hope zxz0O0 can update his OP too :victory:

Thanks for the fix. I changed the script to use the first folder in "/dev/block/platform". This way there is also compatibility for those with msm_sdcc.1
 
  • Like
Reactions: ipromeh
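As an added example (not iovyroot's own backup.sh and not code posted in this thread), the partition-discovery logic ipromeh and zxz0O0 describe can be written as a small POSIX sh script: it walks the folders under /dev/block/platform (f9824900.sdhci on the Z5 Compact and msm_sdcc.1 on older Xperias, both named in the thread) and takes the first one that carries a by-name/TA node, then copies the partition and checks the copy against the source by byte count and SHA-256 before reporting success. It goes slightly beyond the "first folder" rule by testing each folder for by-name/TA instead of trusting position alone. The fake /dev/block/platform tree built by make_fake_tree is constructed here so the script runs offline; on a device the copy would need the root shell the tool provides, and the script assumes a sha256sum binary is available.

```shell
#!/bin/sh
# Added example, not part of iovyroot: locate the TA partition under
# /dev/block/platform and make a verified copy of it.

# Print the path of the first by-name/TA node found under the platform
# root (default /dev/block/platform). Returns 1 if no folder has one.
find_ta_partition() {
    platform_root="${1:-/dev/block/platform}"
    for dir in "$platform_root"/*/; do
        [ -d "$dir" ] || continue
        if [ -e "${dir}by-name/TA" ]; then
            printf '%s\n' "${dir}by-name/TA"
            return 0
        fi
    done
    return 1
}

# Compare a source device/file and its copy by byte count and SHA-256.
# Returns 0 only when both agree.
verify_backup() {
    src="$1"
    dst="$2"
    [ -e "$src" ] && [ -e "$dst" ] || return 1
    src_size=$(wc -c < "$src")
    dst_size=$(wc -c < "$dst")
    [ "$src_size" -eq "$dst_size" ] || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ]
}

# Copy the partition to an image file and verify the copy before
# reporting success. On a real device this needs the root shell.
backup_ta() {
    src="$1"
    dst="$2"
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 1
    verify_backup "$src" "$dst"
}

# Constructed test tree mimicking the Z5 Compact layout from the thread:
# two sdhci folders, only the first carrying by-name/TA. Prints the root.
make_fake_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/f9824900.sdhci/by-name" "$root/f98a4900.sdhci"
    printf 'CONSTRUCTED TA CONTENT (not a real partition image)' \
        > "$root/f9824900.sdhci/by-name/TA"
    printf '%s\n' "$root"
}

# Stand-alone demo on the constructed tree; cleans up after itself.
demo() {
    root=$(make_fake_tree)
    if ta=$(find_ta_partition "$root"); then
        echo "TA partition: $ta"
        if backup_ta "$ta" "$root/TA.img"; then
            echo "TA.img copied and verified"
        else
            echo "backup FAILED verification"
        fi
    else
        echo "no by-name/TA found under $root"
    fi
    rm -rf "$root"
}

demo
```

To run it against a device instead of the constructed tree, call find_ta_partition with no argument from the root shell and pass its result to backup_ta; the verification step is what tells you the image on disk actually matches the partition before you rely on it for a later restore.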

Daniel_GB

Senior Member
Jul 30, 2010
645
142
31
Noshahr,IR
thank you for the great work...

So,
1) backup TA partition with temp root,
2) unlock the bootloader and root the device permanently
3) then we can use DRM restore to have all that SONY stuff working while having root

So the question is in case of re-locking the bootloader and restoring factory condition...is it how it should work?
flash stock firmware, restore TA partition and then re-locking bootloader
 

ninestarkoko

Senior Member
Nov 26, 2013
516
213
I see, sorry for the dumb question.

So we back up TA partition with this, then unlock the bootloader and get root that way. This just means we can then restore the device later, thanks to backed up TA?

Presumably you cannot restore the TA partition with the bootloader unlocked? Again, sorry if this seems dumb.

Please, wait for the fix in the first post before unlocking or use the fix from ipromeh in the 4th post.

No problem, that's a good question.
After you successfully back up the TA partition, if you want SuperSU and root for apps you must unlock the bootloader.
If you want to restore the TA partition in the future, you must/should flash a stock original .ftf firmware because, if it is like previous Xperia Z phones, restoring the TA backup would RELOCK the bootloader and so the custom kernel (needed for root) won't boot and the phone would go into a bootloop (because a locked bootloader refuses to boot a non-Sony-signed kernel).
So, you cannot have permanent root (SuperSU) and TA partition restored at the same time.
If you want DRM key functions and root, you must stay unlocked and use the DRM patch provided by Tobias.waldvogel.

These are my thoughts based on my knowledge and experience taken from previous Xperia Z devices.
 

devilmaycry2020

Senior Member
Apr 27, 2013
1,386
247
Please, wait for the fix in the first post before unlocking or use the fix from ipromeh in the 4th post.

No problem, that's a good question.
After you successfully back up the TA partition, if you want SuperSU and root for apps you must unlock the bootloader.
If you want to restore the TA partition in the future, you must/should flash a stock original .ftf firmware because, if it is like previous Xperia Z phones, restoring the TA backup would RELOCK the bootloader and so the custom kernel (needed for root) won't boot and the phone would go into a bootloop (because a locked bootloader refuses to boot a non-Sony-signed kernel).
So, you cannot have permanent root (SuperSU) and TA partition restored at the same time.
If you want DRM key functions and root, you must stay unlocked and use the DRM patch provided by Tobias.waldvogel.

These are my thoughts based on my knowledge and experience taken from previous Xperia Z devices.
So we can't restore TA backup while using custom kernel? We must flash stock rom then restore TA, Right?
 

najoor

Senior Member
Mar 11, 2014
711
907
Los Angeles
Supported models:
Code:
- E5803 (32.0.A.6.200)
- E5823 (32.0.A.6.200)
- E6533 (28.0.A.8.266)
- E6603 (32.0.A.6.152)
- E6633 (32.0.A.6.152)
- E6653 (32.0.A.6.152 & 32.0.A.6.200)
- E6683 (32.0.A.6.152)
- E6833 (32.0.A.6.170)
- E6853 (32.0.A.6.170 & 32.0.A.6.200)
- E6883 (32.0.A.6.160 & 32.0.A.6.170 & 32.0.A.6.209)
- Possibly all other devices with LP kernel from Dec 2015 or older

Is it possible to add support for Xperia Tablet Z4? And if so, what can I provide to facilitate it? Thanks in advance.
 

ninestarkoko

Senior Member
Nov 26, 2013
516
213
So we can't restore TA backup while using custom kernel? We must flash stock rom then restore TA, Right?

If it's like previous Xperia Z devices, yes, you must restore stock pure original firmware (particularly the kernel) because TA restore would automatically relock the bootloader, thus giving the device a bootloop. And you cannot have permanent root on a pure stock kernel (kernel signed by Sony; I'm not talking about stock-based custom kernels), as stated before, so no permanent root and restored TA partition at the same time.

Though, until someone tests it, we cannot be 100% sure that restoring the TA partition relocks the bootloader on Z5 devices like it happens on Xperia Z2, Z3, ...
 
  • Like
Reactions: devilmaycry2020

Top Liked Posts

    29
    For all of you who managed to backup for TA partition I created a new version of my kernel repack tool, which extracts the device key from your TA backup and reactivates it after unlocking your bootloader. This will make your DRM keys work the same ways as before.
    http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605/post64990566#post64990566

    Cheers Tobias
    20
    • Yes but this will also relock the bootloader. To keep bootloader unlocked and get DRM features back you can use this: http://forum.xda-developers.com/xperia-z5/development/sony-credentials-restore-unlocking-t3296383
    Congratulations, really an excellent job :D

    For the DRM fix I plan to release an alternative solution, which will use your original device key from the TA backup rather than injecting the credentials. This will make absolutely everything work.
    Future versions of my kernel repack tool will then accept an additional parameter with the TA backup and incorporate it into your kernel image.

    Unfortunately I unlocked my phone already a long time ago, so I would need a volunteer to PM me a TA backup of an unlocked phone for test purposes. I promise not to share it with anyone or publish any parts of it.
    8
    Example: my phone has an unlocked bootloader, so do I have to flash the original stock ROM then restore TA by using the tarestore.bat tool? Or just use BackupTA instead and choose "Convert v4 Backup"?

    You unlocked bootloader. Now you want to restore TA partition and relock bootloader again =>

    Method 1:
    1. Flash stock firmware from flashtool (supported by iovyroot) (you are now unrooted)
    2. Use tarestore.bat from iovyroot

    Method 2 (rooted & unlocked bootloader):
    1. Use BackupTA and option "Convert v4 backup"
    2. Restore backup with BackupTA
    3. Flash stock firmware with flashtool