
[PoC][Work in progress] Trim Area Proof Of Concept


munjeni

Senior Member
Jun 2, 2011
9,454
22,048
Disclaimer:

The PoC was made for testing and educational purposes. I am not responsible for what you do on/with your device using the PoC; you must agree that you use the PoC at your own risk. I am not responsible if you brick your device, lose your personal data or anything else!

Hello!
First of all, this tool fully replaces the DRM fix! So do not use our tool together with the DRM fix!!! I'm going to explain what this is and how it works. Everybody knows what the DRM fix does and everybody knows what happens when the bootloader is unlocked. Ok. This PoC is designed for unlocked devices and makes things identical to having a bootloader that was never unlocked! Which means this is for people who have a backup of the trim area from BEFORE unlocking the bootloader! This PoC mounts your trim area backup (TA.img) on the kernel loop5 device, which makes your trim area look like the real trim area partition (in our case it mounts your backup TA.img and uses it instead of the unlocked trim area partition), so everything after Android boots up is like having a locked bootloader, which means all DRM keys, Widevine keys etc. are fully functional! And the best thing: we can use the PoC with AOSP, CM or whatever to have the trim area fully functional!!!
Bear in mind this is for stock ROMs only! Only Nougat and Marshmallow for now, and some pre-Marshmallow too.

Supported kernel images:

- SIN (kernel.sin)
- ELF (kernel.elf)
- IMG (boot.img)
So you don't need to extract the ELF from the kernel, since our tool extracts any Sony format: SIN, IMG, ELF autodetection.

Credits:

- I must give big credit to @steom since he tested things very deeply on his Xperia X Compact; he tested things for more than 7 days, very frequently, and I must say... big respect to him! Thanks man!
- Also respect to @tobias.waldvogel! His mkinitfs source code (the idea of #perm appended to file names) helped me a lot in making our tool for Windows. His scripts helped me a lot in figuring out all the things! Thanks man! Original forum thread for tobias.waldvogel's great work -> https://forum.xda-developers.com/xp...oot-automatic-repack-stock-kernel-dm-t3301605
- Uhh sorry, forgot to give credit to @osm0sis for the great extended version of the boot image tools https://github.com/osm0sis/mkbootimg
- @serajr mate, sorry, forgot your great scripts!
- @the_laser for figuring out that the PoC works by directly using TA.img, no need to mount to loop, thanks man!
- @mbc07 for this post https://forum.xda-developers.com/showpost.php?p=73232574&postcount=1547
 

Attachments

  • ta_poc.rar (3.5 MB)

munjeni

Senior Member
Jun 2, 2011
9,454
22,048
How to extend our tool:

I have reserved some space for everybody who needs to extend our tool (the tool looks for a user script.sh or script.bat), so if the tool finds a user script it will execute that script, which means everybody can make their own script to extend the ramdisk patching mechanism (e.g. to add su... etc.). If the tool doesn't find a user script, the tool pauses so you have enough time to modify everything you need manually, and you continue the tool by pressing any key on your keyboard. The tool doesn't delete the output folder, so you can use for example something from the unmodified boot.img-ramdisk.gz if you need to. Also the sepolicy binary file has a backup (backupsepolicy), so you can use it too if you need.

How to fix denials from dmesg yourself:

This explains how: https://forum.xda-developers.com/showpost.php?p=70955889&postcount=47
And finally this is the tool: https://forum.xda-developers.com/showpost.php?p=70973513&postcount=120
 

munjeni

Senior Member
Jun 2, 2011
9,454
22,048
Everybody and every device is involved! You need at least good knowledge of getting logcat and dmesg if you want to help here! You can suggest and say whatever you want in this thread, since this thread is for everybody! I need your words about the tool and suggestions! If you want to post logcat or dmesg, please use http://www.pastebin.com for it! If you need the tool working for your device, please get involved here!
 

fluffi444

Senior Member
Nov 19, 2012
1,582
919
That means we can finally use stock camera blobs with AOSP, CM or whatever!!!
This will change everything regarding (non-stock-based) custom ROMs... if this is proven to work...
Outstanding job! Even if this post has no logcat/dmesg attached, I felt that I had to say some respectful words! :good:
 

steom

Senior Member
Oct 15, 2010
58
12
I officially declare that @munjeni's PoC works! Also with Nougat!
A new era has begun!
 

Attachments

  • configuration.png (95 KB)
  • security.png (51.8 KB)

nailyk

Senior Member
Oct 3, 2015
1,503
2,955
haha, was thinking of the same thing some weeks ago :p
tad_static can be cheated easily, but what about suntrold and rmt_storage?
Where are your sources, please?
 

maksim_kw

Member
Jul 30, 2016
28
30
Kaliningrad
Having problems:
Code:
hash:0x54288A7A calc_hash:0x54288A7A
hash:0x4CBAA939 calc_hash:0x4CBAA939
hash:0x9B8793E3 calc_hash:0x9B8793E3
hash:0x482AF9EB calc_hash:0x482AF9EB
device: F8331
serial number: CB512BEE32
drm key: 0001046B 0010 44 98 8A 61 A3 B2 10 48 02 19 38 59 73 7F 7E 52
Trim area dump is a valid.
Locked bootloader.
Deleting old folder ramdisk if exist...
if exist ramdisk (rd ramdisk /s/q)
returned: 0.
New directory ramdisk created.
Created ouput folder "out"
opening kernelX.sin
unable to open kernelX.sin
Kernel dump tool returned an error!

Mmm.... renaming kernel.sin to kernelX.sin helped
 

fluffi444

Senior Member
Nov 19, 2012
1,582
919
Using EliteKernelV3 (Z3C) did not work, with the following output:

Code:
------------------------------------------------------------------------
     Nougat Trim Area PoC kernel image patcher by Munjeni @ 2017
------------------------------------------------------------------------

hash:0x037C9C1E calc_hash:0x037C9C1E
hash:0x90A0164B calc_hash:0x90A0164B
hash:0x04E5A139 calc_hash:0x04E5A139
device: D5803
serial number: YT911BPNF7
drm key: 0001046B 0010 ED EE 37 63 7B D8 AD 8B 03 C4 8C 1C 2A 3C 61 B0
Trim area dump is a valid.
Locked bootloader.
Deleting old folder ramdisk if exist...
if exist ramdisk (rd ramdisk /s/q)
returned: 0.
New directory ramdisk created.
Created ouput folder "out"
opening boot_Z3c.img
boot_Z3c.img is Android image format.
Dumping to out...
BOARD_KERNEL_CMDLINE androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3b7 ehci-hcd.park=3 androidboot.bootdevice=msm_sdcc.1 vmalloc=400M dwc3.
maximum_speed=high dwc3_msm.prop_chg_detect=Y androidboot.selinux=permissive
BOARD_KERNEL_BASE 00000000
BOARD_NAME
BOARD_PAGE_SIZE 2048
BOARD_KERNEL_OFFSET 00008000
BOARD_RAMDISK_OFFSET 02000000
BOARD_TAGS_OFFSET 01e00000
BOARD_DT_SIZE 284672
Done.
Gunziping...
setting up infflate...
infflating...
infflate returned: -3
gzpipe: invalid or incomplete deflate data
Error gunziping boot_Z3c.img!
Drücken Sie eine beliebige Taste . . .

I compared the files in folder "out" with the ones from osm0sis' Android Image Kitchen:
This is TA Tool: boot.img-ramdisk.gz
And this AIK: boot_Z3c.img-ramdisk.cpio.gz

But both have exactly the same file size...

The ramdisk is not decompressed successfully.... Looks to me like a mismatch while decompressing cpio and gunzip.
My thought: your tool is expecting gzip files, but EliteKernelV3 was compressed first with cpio and then with gzip.

kernel.sin and kernel.elf are working fine!
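The "invalid or incomplete deflate data" error in the log above is what a gunzip step reports when the bytes it was handed are not a gzip stream at all, whatever the file is named. The following Python script is an added example (not code from ta_poc, Android Image Kitchen or any poster): it parses the boot.img v0 header into the same base/offset values the tool prints as BOARD_* lines, locates the ramdisk, identifies its compressor from the leading magic bytes, and lists the cpio members when it really is gzip. The sample image, its addresses, cmdline and file names are all constructed in memory.

```python
"""Parse an Android boot.img (v0 header), find the ramdisk and identify its compressor
before gunzipping.  Added example, not ta_poc code; the sample image is constructed."""
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# v0 header: magic, 8 u32 size/addr fields, dt_size, unused, name, cmdline
HDR = struct.Struct("<8s10I16s512s")
# Leading magic bytes of the compressors used for Android ramdisks
MAGICS = [(b"\x1f\x8b", "gzip"), (b"\xfd7zXZ\x00", "xz"), (b"\x5d\x00\x00", "lzma"),
          (b"\x04\x22\x4d\x18", "lz4"), (b"\x02\x21\x4c\x18", "lz4-legacy"),
          (b"BZh", "bzip2"), (b"\x89LZO", "lzo")]

def parse_boot_img(data):
    """Return header fields (unpackbootimg-style base/offsets) plus raw blobs."""
    if data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    (_, ksize, kaddr, rsize, raddr, _, _, taddr, page,
     dt_size, _, _, cmdline) = HDR.unpack_from(data)
    koff = page                               # kernel starts at page 1
    roff = koff + -(-ksize // page) * page    # ramdisk on the next page boundary
    base = kaddr - 0x00008000                 # convention used by unpackbootimg
    return {"base": base, "kernel_offset": kaddr - base,
            "ramdisk_offset": raddr - base, "tags_offset": taddr - base,
            "page_size": page, "dt_size": dt_size,
            "cmdline": cmdline.rstrip(b"\0").decode(),
            "kernel": data[koff:koff + ksize], "ramdisk": data[roff:roff + rsize]}

def ramdisk_compression(blob):
    """Name the compressor from the magic; plain gunzip only works for 'gzip'."""
    return next((name for magic, name in MAGICS if blob.startswith(magic)), "unknown")

def list_cpio_names(cpio):
    """Walk a newc cpio archive (what every ramdisk is once decompressed)."""
    names, off = [], 0
    while cpio[off:off + 6] == b"070701":
        filesize = int(cpio[off + 54:off + 62], 16)
        namesize = int(cpio[off + 94:off + 102], 16)
        name = cpio[off + 110:off + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        names.append(name)
        off += ((110 + namesize + 3) & ~3) + ((filesize + 3) & ~3)
    return names

def ramdisk_members(blob):
    """List the files inside a gzip ramdisk, or None when gunzip would fail."""
    return list_cpio_names(gzip.decompress(blob)) if ramdisk_compression(blob) == "gzip" else None

def make_cpio(files):
    """Build a minimal newc cpio archive (constructed sample data only)."""
    out = bytearray()
    for name, data in list(files.items()) + [("TRAILER!!!", b"")]:
        fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
        out += b"070701" + "".join("%08x" % v for v in fields).encode()
        out += name.encode() + b"\0" + b"\0" * (-(110 + len(name) + 1) % 4)
        out += data + b"\0" * (-len(data) % 4)
    return bytes(out)

def make_boot_img(kernel, ramdisk, page=2048):
    """Assemble a boot.img using the addresses seen in the thread's logs."""
    pad = lambda b: b + b"\0" * (-len(b) % page)
    hdr = HDR.pack(BOOT_MAGIC, len(kernel), 0x00008000, len(ramdisk), 0x02000000, 0,
                   0x00f00000, 0x01e00000, page, 0, 0, b"", b"androidboot.hardware=qcom")
    return pad(hdr) + pad(kernel) + pad(ramdisk)

# Constructed sample: dummy zImage plus a gzip(cpio) ramdisk holding two files
SAMPLE_IMG = make_boot_img(b"\0" * 5000 + b"zImage", gzip.compress(make_cpio(
    {"init.rc": b"on boot\n", "file_contexts": b"/ u:object_r:rootfs:s0\n"})))
```

Run `ramdisk_compression(parse_boot_img(open("boot.img", "rb").read())["ramdisk"])` on a real image before unpacking it: anything other than "gzip" explains a gzpipe failure like the one above.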
 

x_one

Senior Member
Feb 21, 2011
316
147
Wroclaw
fluffi444 said:
Using EliteKernelV3 (Z3C) did not work, with the following output:

I compared the files in folder "out" with the ones from osm0sis' Android Image Kitchen:
This is TA Tool: boot.img-ramdisk.gz
And this AIK: boot_Z3c.img-ramdisk.cpio.gz

But both have exactly the same file size...

The ramdisk is not decompressed successfully.... Looks to me like a mismatch while decompressing cpio and gunzip.
My thought: your tool is expecting gzip files, but EliteKernelV3 was compressed first with cpio and then with gzip.

kernel.sin and kernel.elf are working fine!

It's for the stock kernel. EliteKernel has its own fix method.
 

munjeni

Senior Member
Jun 2, 2011
9,454
22,048
nailyk said:
haha, was thinking of the same thing some weeks ago :p
tad_static can be cheated easily, but what about suntrold and rmt_storage?
Where are your sources, please?

Hi! Once the TA is mounted, the whole thing works like a real trim area on a locked bootloader! Things which might not work (currently untested) are FOTA and other things, but I'm really not going to mess with it; you guys can make your own scripts for fine-tuning purposes! ;) The source code, as I promised after my ban, is not going to be publicly available because of my ban.
 

fluffi444

Senior Member
Nov 19, 2012
1,582
919
x_one said:
EliteKernel has its own fix method.

You know that I know that. But I really prefer this TA solution to the DRM fix, which I removed from the kernel as soon as I got the manual TA mod working on EliteKernel.
You know that I have a working EliteKernel with TA mount... But it would also be nice to get this tool working for such custom kernels as well.

Anyway, I really appreciate @munjeni's work. And if the answer is ONLY for the stock kernel, then it's fine for me as well (the manual way works, as I said).
 

munjeni

Senior Member
Jun 2, 2011
9,454
22,048
fluffi444 said:
You know that I know that. But I really prefer this TA solution to the DRM fix, which I removed from the kernel as soon as I got the manual TA mod working on EliteKernel.
You know that I have a working EliteKernel with TA mount... But it would also be nice to get this tool working for such custom kernels as well.

Anyway, I really appreciate @munjeni's work. And if the answer is ONLY for the stock kernel, then it's fine for me as well (the manual way works, as I said).

In general it will work on any kernel, since I have made some free space for user scripts! It will come later, once the PoC starts working!
 

munjeni

Senior Member
Jun 2, 2011
9,454
22,048
The new version is out, and finally it is the first one working for Nougat! Only one problem though: the tool has a bug which I need to figure out (you must copy TA.img to the /data/local/tmp folder to get the PoC working)! I will solve that soon! :)
 

Top Liked Posts

New version is out; hope this -> https://forum.xda-developers.com/showpost.php?p=73232574&postcount=1547 issue is solved. I am back, and just to tell you the reason for the post removal: I did that because all executables were UPX packed by me, but every UPX version I currently found on the internet is reported as malware on VirusTotal! I have no idea why VirusTotal reports UPX as malware, but if you don't believe me just download any version of UPX and submit it to VirusTotal; you will notice the same malware. I really don't know if that malware report is false or true, but the better idea is omitting the UPX packer; currently I'm going to recompile all my tools and not use UPX anymore. Enjoy!

scripts - v2

First of all, thanks @munjeni again for the PoA (Art) :highfive:

I've made some scripts to disable dm-verity, Sony RIC and force-encrypt. I put the scripts as separate files into the \scripts folder (maybe this will be useful for new scripts).
Download the attached zip and unpack it into the \ta_poc folder (replacing the script.bat file). Also make sure you have the latest version of the PoC that comes with busybox.exe.
Not tested on Linux. Windows only (see the user-script part of the log):

Code:
E:\Android\ta_poc>nougat_ta_poc n_39.2.A.0.417_kernel.elf TA.img ramdisk
------------------------------------------------------------------------
           Trim Area PoC kernel image patcher by Munjeni @ 2017
------------------------------------------------------------------------

hash:0x4A2463D0 calc_hash:0x4A2463D0
hash:0x1847E017 calc_hash:0x1847E017
hash:0x7E6F8C67 calc_hash:0x7E6F8C67
hash:0x8BFE56C7 calc_hash:0x8BFE56C7
device: F8131
serial number: CB512AD0TJ
drm key: 0001046B 0010 B8 1F 52 03 D0 39 6C 60 85 C0 A9 9D FE 4F D1 B8
Trim area dump is a valid.
Locked bootloader.
Deleting old folder ramdisk if exist...
if exist ramdisk (rd ramdisk /s/q)
returned: 0.
New directory ramdisk created.
Using folder "out"
opening n_39.2.A.0.417_kernel.elf
Extracting file n_39.2.A.0.417_kernel.elf
ELF magic found
Entry point          : 0x80080000
Class                : 64-bit objects
Program Header start : 0x40
Program Header size  : 0x38
Program Header count : 3
   PH[0], type=1, offset=0x000000E8, virtual=0x80080000, phy=0x80080000, size=0x01BC9C00
   PH[1], type=1, offset=0x01BC9CE8, virtual=0x82200000, phy=0x82200000, size=0x0059FDA8
   PH[2], type=1, offset=0x02169A90, virtual=0x82000000, phy=0x82000000, size=0x001AFB54
0. Dumping out/boot.img-zImage
1. Dumping out/boot.img-ramdisk.gz
2. Dumping out/boot.img-dt
   Seeking to cmdline address = 0x023195EC
3. Dumping cmdline to out/boot.img-cmdline
Done.
No file exist out/n_39.2.A.0.417_kernel.elf.elf .
Gunziping...
setting up infflate...
infflating...
infflate returned: 0
gzpipe: ok.
unziped: ok.
Extracting ramdisk.cpio...
Searching for file_contexts...
ramdisk/[email protected] file is binary.
Converting ramdisk/[email protected] to plaintext...
Converted.
Patching file "ramdisk/[email protected]"
Patching file "ramdisk/[email protected]"
Patching file "ramdisk/[email protected]"
Patching file "ramdisk/[email protected]"
Converting plaintext file_contexts to binary...
---- Now you have some chance to modify plaintext file_contexts
---- before it is converted to the binary.
Pressione qualquer tecla para continuar. . .
Converted.
Create ta scipt.
Create busybox.
TA.img (TA.img) installed.
Making sepolicy backup: ramdisk/[email protected]
Patching sepolicy...
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18233 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18233 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18234 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18235 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18236 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18236 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18237 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18238 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18238 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18239 rules, 0 cond rules
Success
libsepol.policydb_index_others: security:  1 users, 2 roles, 1387 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  63 classes, 18240 rules, 0 cond rules
Success
Runing user script...

dm-verity:
- dm-verity is enabled. Disable? (Say yes if you modify /system) [Y/n] Y
  Disabling dm-verity...

Sony RIC:
- Sony RIC is enabled. Disable? (Say yes if you mount /system) [Y/n] Y
  Disabling Sony RIC...
  Patching sepolicy...
  Success

force-encrypt:
- force-encrypt is enabled. Disable? (Say yes if you wipe and decrypt /data) [Y/n] Y
  Disabling force-encrypt...

Pressione qualquer tecla para continuar. . .
script.bat ramdisk nougat_ta_poc
returned: 0.
Repacking ramdisk...
ramdisk.cpio done.
Making ramdisk.gz
defflating...
defflate returned: 0
setting up infflate...
infflating...
infflate returned: 0
gzpipe: ok.
gzip: ok.
ramdisk.gz done.
Found kernel dt.
No QCDT magic string.
Packing new_boot.img
cmdline="androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 [email protected] coherent_pool=2M"
base="0x00000000"
pagesize="4096"
ramdiskoff="0x82200000"
defflating...
defflate returned: 0
setting up infflate...
infflating...
infflate returned: 0
gzpipe: ok.
gzip: ok.
zImage-dtb , dt appended.
making new_boot.img
new_boot.img created.
Done.

Pressione qualquer tecla para continuar. . .

E:\Android\ta_poc>

Changelog:
v1 - Initial release
v2 - Updated scripts (script.bat and *.sh) with the PoC's parameters and error handling (thanks @munjeni)