[Q] Anybody work on Root?

DHGE

Senior Member
Jun 20, 2015
600
281
93
coastal paradise
Stuck on SELinux

I am working on it.

So far I have not succeeded in disabling SELinux.

setprop selinux.reload_policy 0 in init.rc seems to disable adb here

I can not figure out how to trigger a kernel commandline with mkbootimg:
selinux=0 --> bootloop
androidboot.selinux=permissive or disabled is only marginally better

I am pondering two other approaches:
a) edit the policy (have never done this before)
b) build a kernel w/o SELinux, root the tablet and then back to stock kernel
 

AndroPlus

Senior Member
Mar 13, 2013
1,707
3,984
153
Kyoto
androplus.org
I am working on it.

So far I have not succeeded in disabling SELinux.

setprop selinux.reload_policy 0 in init.rc seems to disable adb here

I can not figure out how to trigger a kernel commandline with mkbootimg:
selinux=0 --> bootloop
androidboot.selinux=permissive or disabled is only marginally better

I am pondering two other approaches:
a) edit the policy (have never done this before)
b) build a kernel w/o SELinux, root the tablet and then back to stock kernel
try
http://forum.xda-developers.com/z3/...pluskernel-t2925999/post60568900#post60568900
or
https://github.com/AndroPlus-org/an...mmit/5ec1615d1a6045ddf56a8436022592b3087703df

I'm also working to make kernel to root, currently build succeeded but didn't boot (remote test without actual device on my hand:crying:)
 
  • Like
Reactions: DHGE

DHGE

Senior Member
Jun 20, 2015
600
281
93
coastal paradise
beware of RIC

I'm also working to make kernel to root, currently build succeeded
My kernel actually booted but when going in your direction via .configure (disabling SELinux and RIC) it bootlooped ...

This is how far I am:

Code:
<5>[    8.132868] type=1400 audit(3943802.429:4): avc:  denied  { create } for  pid=435 comm="touch" name="killroy.txt" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 ppid=434 pcomm="rootsh" pgid=434 pgcomm="rootsh"
<5>[    8.139599] type=1400 audit(3943802.439:5): avc:  denied  { create } for  pid=434 comm="rootsh" name="killroy.txt" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 ppid=1 pcomm="init" pgid=1 pgcomm="init"
<4>[    8.145329] RIC: /system remount denied, mnt_flags:0x8020
The problem is not the first two lines. It seems in this context it is not allowed to write to "/".
The last one is: I want to make /system writable when RIC steps in.
This is another layer of security from SONY.

I want to move a su to /system/xbin or execute the update-binary script from chainfire's SuperSU.

Maybe I have the time to figure out how to disable RIC and do this.

Another approach:
william-roberts writes no disabling SELinux on production kernels

So compile an engineering kernel.

Or another one: investigate the source of init from the Z3 AOSP and try (impossible?) to use this as 64bit on the Z4. I think the patch to prevent SELinux here is a very useful hack.

Still another one: edit the system partition to include a su in xbin and reflash that
 
Last edited:

AndroPlus

Senior Member
Mar 13, 2013
1,707
3,984
153
Kyoto
androplus.org
The problem is not the first two lines. It seems in this context it is not allowed to write to "/".
The last one is: I want to make /system writable when RIC steps in.
This is another layer of security from SONY.

I want to move a su to /system/xbin or execute the update-binary script from chainfire's SuperSU.

Maybe I have the time to figure out how to disable RIC and do this.
On Z3, I could disable sony_ric by commenting out "CONFIG_SECURITY_SONY_RIC" in defconfig (for Z4T, kitakami_defconfig)
and/or modify some lines in init.sony-platform.rc in ramdisk
Code:
# Start RIC
service ric /sbin/ric
    user root
    group root drmrpc trimarea system
    class main
    seclabel u:r:ric:s0
to
Code:
# Start RIC
service ric /sbin/ric
    user root
    group root drmrpc trimarea system
    class main
    seclabel u:r:ric:s0
    disabled
,then to make sure it gets disabled,
modify
Code:
    # SONY: Enable Sony RIC
    mount securityfs securityfs /sys/kernel/security nosuid nodev noexec
    write /sys/kernel/security/sony_ric/enable 1
to
Code:
    # SONY: Enable Sony RIC
    mount securityfs securityfs /sys/kernel/security nosuid nodev noexec
    write /sys/kernel/security/sony_ric/enable 0
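
A check for the two ramdisk edits described in the post above, as an added example that is not part of the original post: it reads an init `.rc` file and reports a `ric` service marked `disabled` or a write of anything other than `1` to the `sony_ric/enable` node. The function name `audit_ric` and the `on init` trigger in the sample are assumptions; the sample file is constructed from the fragments quoted in the post.

```python
RIC_ENABLE = "/sys/kernel/security/sony_ric/enable"

# Constructed sample: the edited fragments from the post joined into one file.
# The "on init" trigger is assumed; the post does not show which trigger holds the write.
SAMPLE_RC = """\
# Start RIC
service ric /sbin/ric
    user root
    group root drmrpc trimarea system
    class main
    seclabel u:r:ric:s0
    disabled

on init
    # SONY: Enable Sony RIC
    mount securityfs securityfs /sys/kernel/security nosuid nodev noexec
    write /sys/kernel/security/sony_ric/enable 0
"""

def audit_ric(rc_text):
    """Return (line_number, message) for each setting that turns RIC off."""
    findings = []
    service = None  # name of the service block currently being read, if any
    for number, raw in enumerate(rc_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "service" and len(words) >= 3:
            service = words[1]          # a new service block starts here
        elif words[0] == "on":
            service = None              # an action block ends the service block
        elif service == "ric" and words[0] == "disabled":
            findings.append((number, "ric service is marked disabled"))
        elif words[0] == "write" and len(words) >= 3 and words[1] == RIC_ENABLE:
            if words[2] != "1":
                findings.append((number, "sony_ric/enable written as " + words[2]))
    return findings

if __name__ == "__main__":
    for number, message in audit_ric(SAMPLE_RC):
        print("line %d: %s" % (number, message))
```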
 

DHGE

Senior Member
Jun 20, 2015
600
281
93
coastal paradise
RIC is zombie

write /sys/kernel/security/sony_ric/enable 0
thanks - I did not know this one
It is gone in Z4 init - maybe because RIC seems to be hardwired into the build as SELinux is.

But I could not find more than you ...

Is this supposed to work in init.rc?
Code:
exec /system/bin/chcon u:object_r:su_exec:s0 /sbin/rootsh
I can not find errors for wrong syntax only for permission problems.

still:
Code:
-r-xr-xr-x root     root              u:object_r:rootfs:s0 rootsh
 
Last edited:

DHGE

Senior Member
Jun 20, 2015
600
281
93
coastal paradise
RIC OK, SELinux?

@AndroPlus

Getting rid of RIC and SELinux was a bit more work than in your repository.

But the kernel is fine and you can see my dumb-patched source in the attachments. Look for "//ew"
Comments welcome

Code:
rootfs / rootfs rw,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,size=1418940k,nr_inodes=354735,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
...
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,size=1418940k,nr_inodes=354735,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,size=1418940k,nr_inodes=354735,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,relatime,size=1418940k,nr_inodes=354735,mode=755 0 0
/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime,discard,data=ordered 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/bootdevice/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,data=ordered 0 0
/dev/block/bootdevice/by-name/persist /persist ext4 rw,seclabel,nosuid,nodev,relatime,data=ordered 0 0
...
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other,allow_utime_grp 0 0
/dev/block/vold/179:65 /mnt/media_rw/sdcard1 texfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,umask=0007,allow_utime=0020,iocharset=utf8,min_prealloc_size=64k,max_prealloc_size=122598k,readahead=4M,fail_safe,discard,hidden=show,errors=continue 0 0
/dev/block/vold/179:65 /mnt/secure/asec texfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,umask=0007,allow_utime=0020,iocharset=utf8,min_prealloc_size=64k,max_prealloc_size=122598k,readahead=4M,fail_safe,discard,hidden=show,errors=continue 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other,allow_utime_grp 0 0
Still some issues left:
- get rid of nosuid on mounts:
Code:
type=1400 audit(1436734934.698:20): avc: denied { execute_no_trans } for pid=5927 comm="sh" path="/sbin/su" dev="rootfs" ino=10535 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 ppid=5487 pcomm="sh" pgid=5487 pgcomm="sh"
or I have an oversight in my patches.

- I can not get into root-shell

I will try to nail things via an init-service.

The royal flush will be a successful run of Chainfire's update-binary. The necessary ingredients (files) are already in my boot.img ...

insecure c-files are originally from http://developer.sonymobile.com/dow...archives/open-source-archive-for-28-0-a-7-24/
 
Last edited:
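
A small parser for the `avc: denied` lines quoted in this post and in the earlier "beware of RIC" post, as an added example that is not part of the thread: it pulls out the source and target types, the object class and the `permissive` flag, which separates a denial that was enforced (`permissive=0`) from one that was only logged (`permissive=1`). The function names are assumptions; the sample lines are copied from the two posts.

```python
import re

# Log lines copied from the two posts; the middle one is the non-AVC RIC message.
SAMPLE_LOG = """\
<5>[    8.132868] type=1400 audit(3943802.429:4): avc:  denied  { create } for  pid=435 comm="touch" name="killroy.txt" scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 ppid=434 pcomm="rootsh" pgid=434 pgcomm="rootsh"
<4>[    8.145329] RIC: /system remount denied, mnt_flags:0x8020
type=1400 audit(1436734934.698:20): avc: denied { execute_no_trans } for pid=5927 comm="sh" path="/sbin/su" dev="rootfs" ino=10535 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 ppid=5487 pcomm="sh" pgid=5487 pgcomm="sh"
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Parse one kernel/audit line; return None if it is not an AVC message."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(match.group(3))}
    return {
        "result": match.group(1),
        "perms": match.group(2).split(),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "source_type": context_type(fields.get("scontext")),
        "target_type": context_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
        # permissive=1 means the access was logged but allowed to proceed
        "enforced": fields.get("permissive") != "1",
    }

def summarize(log):
    """One summary string per AVC message found in the log text."""
    lines = []
    for record in filter(None, map(parse_avc, log.splitlines())):
        state = "blocked" if record["enforced"] else "logged only"
        lines.append("{} ({}) -> {} ({}) {} {}: {}".format(
            record["comm"], record["source_type"], record["object"],
            record["target_type"], record["tclass"],
            ",".join(record["perms"]), state))
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```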

DHGE

Senior Member
Jun 20, 2015
600
281
93
coastal paradise
Another one bites the dust! -> tastes ...

Finally I made it but it is not for the faint of heart and an ugly hack and procedure.

You need a patched kernel (see the files in the previous post). Just fiddling with the .config does not cut it since stock rom does some very thorough checks of modifications.
I guess it is even hardcoded in the init but I have no source for that and did not debug it.
My patches just make the SELinux and RIC checks say "everything OK" but for SONY's behind the scenes magic it looks like everything is set up normally.

Then you need to tweak a rootfs:
http://whiteboard.ping.se/Android/Rooting
Thank you, Mikael Q Kuisma!
I changed chmod 4750 sbin/rootsh to chmod 6750 sbin/rootsh

Do not follow his link for root-finishing the SAMSUNG device!
It is for 32bit. Look at the date of the post.

Do this:
Get the latest SuperSU from Chainfire. I used BETA-SuperSU-v2.49 because of the tweaks for Lollipop (I might enable SELinux again, if I can surgically remove the SONY tweaks on top of it and beside: RIC).
Problem here: Chainfire has the correct installer for a recovery and we do not have one (yet) on stock rom.
So I copied the relevant files (common and arm64) into /SuperSU_files and the su on top of it into /sbin.
Then I ran my script install_SuperSU.sh (see attachment) stolen and edited from Chainfire's update-binary.

After a reboot you are done. :cowboy:

SuperSU works as intended (just made my first Titanium backup) but complains it needs to update his su binary. Ignore this message. It did not go away after flashing the SuperSU.zip with FlashFire.
I guess it is because the apk is checking the existence of a su in the recovery. No recovery -> no su. Hence the message.

To be very clear:
- you need to unlock your boot loader
- you are running without the IMO useful protection of SELinux
- you are running without SONY's protection (gone for good IMO)
 

Attachments

Last edited:

baddison

Senior Member
Aug 11, 2006
494
67
28
USA
Finally I made it but it is not for the faint of heart and an ugly hack and procedure.

You need a patched kernel (see the files in the previous post). Just fiddling with the .config does not cut it since stock rom does some very thorough checks of modifications.
I guess it is even hardcoded in the init but I have no source for that and did not debug it.
My patches just make the SELinux and RIC checks say "everything OK" but for SONY's behind the scenes magic it looks like everything is set up normally.

Then you need to tweak a rootfs:
http://whiteboard.ping.se/Android/Rooting
Thank you, Mikael Q Kuisma!
I changed chmod 4750 sbin/rootsh to chmod 6750 sbin/rootsh

Do not follow his link for root-finishing the SAMSUNG device!
It is for 32bit. Look at the date of the post.

Do this:
Get the latest SuperSU from Chainfire. I used BETA-SuperSU-v2.49 because of the tweaks for Lollipop (I might enable SELinux again, if I can surgically remove the SONY tweaks on top of it and beside: RIC).
Problem here: Chainfire has the correct installer for a recovery and we do not have one (yet) on stock rom.
So I copied the relevant files (common and arm64) into /SuperSU_files and the su on top of it into /sbin.
Then I ran my script install_SuperSU.sh (see attachment) stolen and edited from Chainfire's update-binary.

After a reboot you are done. :cowboy:

SuperSU works as intended (just made my first Titanium backup) but complains it needs to update his su binary. Ignore this message. It did not go away after flashing the SuperSU.zip with FlashFire.
I guess it is because the apk is checking the existence of a su in the recovery. No recovery -> no su. Hence the message.

To be very clear:
- you need to unlock your boot loader
- you are running without the IMO useful protection of SELinux
- you are running without SONY's protection (gone for good IMO)
Wow. ... you have certainly put a lot of effort into this. Thank you very much. I promised myself that as soon as ROOT was available, I would purchase the Z4 Tablet!!! Thanks again.:good::good:
 

abillybob

Member
Jul 6, 2015
26
5
0
Wow. ... you have certainly put a lot of effort into this. Thank you very much. I promised myself that as soon as ROOT was available, I would purchase the Z4 Tablet!!! Thanks again.:good::good:
Same. I really need it to work with Six axis controller app and Folder Mount! Though I'd be too scared to try the above! I'm waiting for a flashable .zip to come along!
 

DHGE

Senior Member
Jun 20, 2015
600
281
93
coastal paradise
better wait for AOSP

I'm waiting for a flashable .zip to come along!
I doubt there ever will be one.
For the newer kernels you'd need a still undiscovered exploit that also needs to defeat SELinux and RIC in order to install a su executable.

I bought the tablet since I am quite satisfied with my venerable Tablet Z and like more speed, less weight, better display and not fiddling with the USB-cap.
AND: SONY make it easy to unlock the bootloader and have an AOSP-policy for their devices.
http://developer.sonymobile.com/knowledge-base/open-source/open-devices/

There is not too much available (the kernel source I used) right now but I am confident, soon we will have the AOSP version of the ROM code available. This will be Android 5.1 I guess and from there it is not too complicated to build a M version or a CyanogenMod or ... .

If you do not do it yourself it will be a 2 GBytes download for the ROM image and you will flash it with fastboot (another plus for SONY devices) or Androxyde's flashtool.

I hope the AOSP sources will be available any day. Maybe the 64bitness of the new processor delays the release a bit.

I guess from the availability of the sources it would be less of a month to find a downloadable release of the ROM somewhere (you better trust the builder ...).

My bet (a bottle of non-vintage Pol Roger :highfive:) is that such a ROM will be available before November 2015.
 
Last edited:

abillybob

Member
Jul 6, 2015
26
5
0
Cheers mate. I'll probably stick with my Tab S then for now until a working build of a custom ROM or somehow root is available. My Tab S is a bit slow when it comes to gaming so I thought this would be a hell of a lot better, though without being able to use apps like Six Axis controller would defeat the purpose for me.

It's a big shame it's obviously quite a difficult task to get this device rooted compared to others due to the 64bit architecture. I'm not going to pretend that I understand how the rooting process works but I do have some contacts with Sony and their Xperia development team. If I can be of any help in any way I'll try my best if you need software or have questions etc...
 
  • Like
Reactions: DHGE