Is anybody work on root for the Xperia Z4 Tablet?
Last edited by a moderator:
tryI am working on it.
So far I have not succeded in disabling SELinux.
setprop selinux.reload_policy 0 in init.rc seems to disable adb here
I can not figure out how to trigger a kernel commandline witk mkbootimg:
selinux=0 --> bootloop
androidboot.seliux=permissive or disabled is only marginally better
I am pondering two other approaches:
a) edit the policy (have never done this before)
b) build a kernel w/o SELinux, root the tablet and then back to stock kernel
My kernel actually booted but when going in your direction via .configure (disabling SELiunux and RIC) it bootlooped ...I'm also working to make kernel to root, currently build succeeded
<5>[ 8.132868] type=1400 audit(3943802.429:4): avc: denied { create } for pid=435 comm="touch" name="killroy.txt" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 ppid=434 pcomm="rootsh" pgid=434 pgcomm="rootsh"
<5>[ 8.139599] type=1400 audit(3943802.439:5): avc: denied { create } for pid=434 comm="rootsh" name="killroy.txt" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 ppid=1 pcomm="init" pgid=1 pgcomm="init"
<4>[ 8.145329] RIC: /system remount denied, mnt_flags:0x8020
On Z3, I could disable sony_ric by commenting out "CONFIG_SECURITY_SONY_RIC" in defconfig (for Z4T, kitakami_defconfig)The problem are not the first two lines. It seems in this context it is not allowed to write to "/".
The last one is: I want to make /system writable when RIC steps in.
This is another layer of security from SONY.
I want to move a su to /system/xbin or execute the update-binary script from chainfire's SuperSU.
Maybe I have the time to figure out how to disable RIC and do this.
# Start RIC
service ric /sbin/ric
user root
group root drmrpc trimarea system
class main
seclabel u:r:ric:s0
# Start RIC
service ric /sbin/ric
user root
group root drmrpc trimarea system
class main
seclabel u:r:ric:s0
disabled
# SONY: Enable Sony RIC
mount securityfs securityfs /sys/kernel/security nosuid nodev noexec
write /sys/kernel/security/sony_ric/enable 1
# SONY: Enable Sony RIC
mount securityfs securityfs /sys/kernel/security nosuid nodev noexec
write /sys/kernel/security/sony_ric/enable 0
thanks - I did not know this onewrite /sys/kernel/security/sony_ric/enable 0
exec /system/bin/chcon u:object_r:su_exec:s0 /sbin/rootsh
-r-xr-xr-x root root u:object_r:rootfs:s0 rootsh
rootfs / rootfs rw,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=1418940k,nr_inodes=354735,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
...
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,size=1418940k,nr_inodes=354735,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,size=1418940k,nr_inodes=354735,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,relatime,size=1418940k,nr_inodes=354735,mode=755 0 0
/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime,discard,data=ordered 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,data=ordered 0 0
/dev/block/bootdevice/by-name/persist /persist ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
...
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other,allow_utime_grp 0 0
/dev/block/vold/179:65 /mnt/media_rw/sdcard1 texfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,umask=0007,allow_utime=0020,iocharset=utf8,min_prealloc_size=64k,max_prealloc_size=122598k,readahead=4M,fail_safe,discard,hidden=show,errors=continue 0 0
/dev/block/vold/179:65 /mnt/secure/asec texfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,umask=0007,allow_utime=0020,iocharset=utf8,min_prealloc_size=64k,max_prealloc_size=122598k,readahead=4M,fail_safe,discard,hidden=show,errors=continue 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other,allow_utime_grp 0 0
type=1400 audit(1436734934.698:20): avc: denied { execute_no_trans } for pid=5927 comm="sh" path="/sbin/su" dev="rootfs" ino=10535 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 ppid=5487 pcomm="sh" pgid=5487 pgcomm="sh"

flashtool (with xperifirm)If I had a stock ftf I would try just in case something goes wrong then I would flash back the stock rom
Thanks for the effort!flashtool (with xperifirm)
had to use it twice in my endavours ...
I do not think so - I flashed a SONY provided stock ROM.this method ... ?
Wow. ... you have certainly put a lot of effort into this. THank you very much. I promised myself that as soon as ROOT was available, I would purchase the Z4 Tablet!!! THanks again.:good::good:Finally I made it but it is not for the faint of heart and an ugly hack and procedure.
You need a patched kernel (see the files in the previous post). Just fiddling with the .config does not cut it since stock rom does some very thorough checks of modifications.
I guess it is even hardcoded in the init but I have no source for that and did not debug it.
My patches just make the SELinux and RIC checks say "everything OK" but for SONY's behind the scenes magic it looks like everything is set up normally.
Then you need to tweak a rootfs:
http://whiteboard.ping.se/Android/Rooting
Thank you, Mikael Q Kuisma!
I changed chmod 4750 sbin/rootsh to chmod 6750 sbin/rootsh
Do not follow his link for root-finishing the SAMSUNG device!
It is for 32bit. Look at the date of the post.
Do this:
Get the latest SuperSU from Chainfire. I used BETA-SuperSU-v2.49 because of the tweaks for Lollipop (I might enable SELinux again, if I can surgically remove the SONY tweaks on top of it and beside: RIC).
Problem here: Chainfire has the correct installer for a recovery and we do not have one (yet) on stock rom.
So I copied the relevant files (common and arm64) into /SuperSU_files and the su on top of it into /sbin.
Then I ran my script install_SuperSU.sh (see attachment) stolen and edited from Chainfires update-binary.
After a reboot you are done.
SuperSU works as intended (just made my first Titanium backup) but complains it needs to update his su binary. Ignore this message. It did not go away after flashing the SuperSU.zip with FlashFire.
I guess it is because the apk is checking the existence of a su in the recovery. No recovery -> no su. Hence the message.
To be very clear:
- you need to unlock your boot loader
- you are running without the IMO useful protection of SELinux
- you are running without SONY's protection (gone for good IMO)
Same. I really need it to work with Six axis controller app and Folder Mount! Though I'd be too scared to try the above! I'm waiting for a flashable .zip to come along!Wow. ... you have certainly put a lot of effort into this. THank you very much. I promised myself that as soon as ROOT was available, I would purchase the Z4 Tablet!!! THanks again.:good::good:
I doubt there ever will be one.I'm waiting for a flashable .zip to come along!