Summary/tutorial: Root on Sony Xperia Z5 Compact (E5823) with DRM keys backup


DuncanV

Member
Feb 21, 2017
Actually, maybe I am wrong if 32.4.A.1.54 has already patched the dirtycow exploit. Not sure about that now.
Maybe you need to downgrade the firmware for the TA backup as well.

I may still have a 32.2.A.0.305 firmware somewhere, if you need it.

Hhhhmmmm... When browsing the forum, I read about this information if I'm not wrong; I can't remember where I read it.
I'd rather do the right thing. Don't want to brick my phone heh ;)


DuncanV

Member
Feb 21, 2017
I finally purchased an XZ1 Compact. I didn't feel I had the guts for these manipulations. Hopefully the XZ1 Compact will have better long-term support from Sony and the community.


Top Liked Posts

    53
    Hi everybody,

    None of the following is my own novel work; I just took some time to go through the process step by step and document how to root the Z5 Compact while preserving both the DRM keys (in a backup) and the functionality normally lost by unlocking the bootloader (using the DRM credentials patch). This post may serve as a tutorial for people starting to root their Z5 Compact for the first time.

    The device I tested it with is an E5823 with German firmware (originally shipped with CDA 1298-1220_R1C) that was already updated to build 32.1.A.1.163 (Android 6.0, patch level 2016-02-01) via OTA. For devices with other CDA regions, please adapt accordingly by using the respective firmware files.

    1. Backup settings and apps
    This will be required for restoring after unlocking the bootloader (which wipes the user data partition). For some reason, including the "-shared" option (i.e. contents of the internal emulated SD card, aka media storage) did not work, so make sure to save any media files (pictures taken with the camera, downloads, etc.) separately, e.g. via MTP.
    • Use Sony backup to SDcard functionality
    • adb backup -apk -all -f sony-xperia-z5c-noshared.ab

    2. Backup TA partition (DRM keys)
    1. Downgrade to exploitable firmware release (LP). Note that downgrading without wiping will make the phone unstable and may cause an automatic reboot after 1-2 min. Therefore either manually wipe the phone during flashing (ticking the checkbox in Flashtool) or be quick with the second (root/backup TA) step.
      • Download XperiFirm from http://forum.xda-developers.com/cro...xperifirm-xperia-firmware-downloader-t2834142 (I use it under Linux with mono) - UPDATE: For downloading the .185 MM firmware, I had to update to XperiFirm 4.9.1. For downloading 32.2.A.0.253, I used XperiFirm 5.0.0.
      • Download firmware build 32.0.A.6.200 for the root exploit based on CVE-2015-1805. I used E5823_StoreFront_1299-6910_32.0.A.6.200_R2B downloaded with XperiFirm 4.8.2 (or newer) on 2016-04-01
      • Download flashtool from http://www.flashtool.net/index.php, I used flashtool-0.9.20.0-linux.tar.7z (or newer version)
      • Create FTF file in Flashtool with menu Tools->Bundles->Create
      • Flash in flashmode (flashing system.sln takes 8-10 minutes, be patient...)
    2. Use temporary root exploit to backup TA partition (http://forum.xda-developers.com/crossdevice-dev/sony/iovyroot-temp-root-tool-t3349597)
      • I used iovyroot_v0.3.zip as of 2016-04-02
      • Connect USB in ADB mode
        • adb push "root/iovyroot" "/data/local/tmp/iovyroot"
        • adb push "root/backup.sh" "/data/local/tmp/backup.sh"
        • open shell: adb shell
          • chmod 777 /data/local/tmp/iovyroot
          • chmod 777 /data/local/tmp/backup.sh
          • mkdir /data/local/tmp/tabackup
          • /data/local/tmp/iovyroot /data/local/tmp/backup.sh
          • exit
        • adb pull "/data/local/tmp/tabackup/" .

    3. Upgrade again to MM and unlock bootloader with official method
    1. Create FTF from E5823_Customized DE_1298-1220_32.1.A.1.163_R1C with Flashtool and flash in flashmode.
    2. Optional: Verify that DRM keys are still OK: In dialer enter "*#*#service#*#*", then "Service tests" --> "Security" and it should look like this:
      MARLIN [Key OK] [Active]
      WIDEVINE [Key OK] [Active]
      CKB [Key OK] [Active]
      HUK: <device specific hex representation of key>
      PROPID_AID: 004
      OTP_LOCK_CONFIG: 0155
      OTP_LOCK_STATUS: LOCKED
      AUTH_ENABLE: 07
      DEVICE_ID: <your device ID>
      FIDO_KEYS: Provisioned
      Factory Reset Reason: No device reset information found.
    3. Allow bootloader unlock in developer settings
    4. Follow steps from http://developer.sonymobile.com/unlockbootloader/unlock-yourboot-loader/ . There is not much to add here, as Sony describes the process well and in sufficient detail. Please note that this WILL WIPE YOUR DATA PARTITION, INCLUDING SHARED FILES. Make sure that you have a backup before executing this step (and best do it before downgrading to LP, because some parts will not work after the downgrade without a wipe, and may make the phone reboot after 1-2 min).
      • Reboot in fastboot mode: hold volume-up and connect USB cable to turn on
      • fastboot -i 0x0fce oem unlock <your unlock code>
    5. After unlock: check key status
      Blobs: generic error!
      HUK: generic error!
      PROPID_AID: 004
      OTP_LOCK_CONFIG: 0155
      OTP_LOCK_STATUS: LOCKED
      AUTH_ENABLE: 07
      DEVICE_ID: <your device ID>
      FIDO_KEYS: Not provisioned, SUNTORY error
      Factory Reset Reason: No device reset information found.
    6. Optional: Try restoring TA partition (will lock bootloader again if successful!). This can be skipped entirely if you trust the tools used in this tutorial, but I chose to verify that restoring the DRM keys works as expected (not that you can do anything about it at that step if it doesn't work...).
      • Flash E5823_StoreFront_1299-6910_32.0.A.6.200_R2B again with Flashtool
      • Enable developer mode, connect USB in ADB mode
        • adb push "root/iovyroot" "/data/local/tmp/iovyroot"
        • adb push "root/restore.sh" "/data/local/tmp/restore.sh"
        • adb push TA-02042016.img "/data/local/tmp/TA.img"
        • open shell
          • chmod 777 /data/local/tmp/iovyroot
          • chmod 777 /data/local/tmp/restore.sh
          • /data/local/tmp/iovyroot /data/local/tmp/restore.sh
      • Flash E5823_Customized DE_1298-1220_32.1.A.1.163_R1C again with Flashtool
      • Check key status --> exactly the same as before, so successfully restored
      • Unlock again in fastboot mode (will wipe data again...)
        • fastboot -i 0x0fce oem unlock <your unlock code>

    UPDATE: Updating to newer MM releases
    After the first version of this post, Sony has already released an updated MM firmware (.253 at the time of this writing). If at any point in time you wish to update to a newer release, start at this point of the tutorial. Theoretically, this should be possible without wiping. However, I would not try it without a backup.
    1. Create a backup, e.g. with adb backup or Sony backup.
    2. Download new firmware with XperiFirm. At the time of this writing, I used "E5823_Customized DE_1298-1220_32.2.A.0.253_R2C", downloaded with XperiFirm 5.0.0.
    3. Create FTF file in Flashtool with menu Tools->Bundles->Create
    4. Flash in flashmode (flashing system.sln takes 8-10 minutes, be patient...)

    4. Root MM
    This will also give you TWRP recovery (which can be entered by pressing the volume up or down button a few seconds after power-on, as soon as the LED starts to change color).
    UPDATED: Thanks to ninestarkoko for pointing out that the AndroPlus kernel also disables dm-verity to enable more flexibility for root-using apps. Originally I assumed that dm-verity would still be intact with alternative 1, which in fact it is not. As of 2016-05-11, I used alternative 3 instead of alternative 1.
    Now that Xposed can be installed system-less (http://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268), it should be possible to use with dm-verity intact. However, I have not tried this so far.

    5. [Optional] Install Xposed

    6. Restore functionality relying on DRM credentials
    Note: This is not necessary if you used alternative 3 for rooting above - that one already includes the DRM fix in the patched kernel image.
    Using TWRP flashed in the step before, flash the ZIP to patch Sony credentials checks from http://forum.xda-developers.com/xperia-z5/development/sony-credentials-restore-unlocking-t3296383 .
    • Copy drmrestore.zip from above link to internal storage and install via TWRP

    That's it!
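As an added example (not part of the original post and not code from the iovyroot package), here is a small POSIX shell wrapper around the TA backup step in section 2 above. It runs the same adb commands and then checks the pulled image before the bootloader is unlocked, because a damaged or all-zero backup is otherwise only discovered when a restore is needed and the keys are already gone. It assumes the layout from the post (iovyroot and backup.sh in a local root/ directory, the backup written to /data/local/tmp/tabackup on the device); the name TA.img inside the pulled directory and the ./tabackup output directory are assumptions, and the verification function works on any file, so it can also be pointed at an existing TA-<date>.img.

```shell
#!/bin/sh
# Added example, not from the original post or the iovyroot package.
# Wraps the tutorial's TA backup commands and verifies the pulled image.
set -eu

# Assumptions (not stated in the post): iovyroot and backup.sh live in ./root,
# the backup is written to /data/local/tmp/tabackup on the device and pulled
# into ./tabackup on the host.
IOVY_DIR="${IOVY_DIR:-root}"
DEV_TMP="/data/local/tmp"
LOCAL_OUT="${LOCAL_OUT:-tabackup}"

# Print the SHA-256 of a file; falls back to shasum on hosts without sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# The same steps as the tutorial, in one adb session. Execute permission (755)
# is all iovyroot and backup.sh need; the 777 from the post is not required.
ta_backup() {
    adb push "$IOVY_DIR/iovyroot" "$DEV_TMP/iovyroot"
    adb push "$IOVY_DIR/backup.sh" "$DEV_TMP/backup.sh"
    adb shell "chmod 755 $DEV_TMP/iovyroot $DEV_TMP/backup.sh && \
               mkdir -p $DEV_TMP/tabackup && \
               $DEV_TMP/iovyroot $DEV_TMP/backup.sh"
    adb pull "$DEV_TMP/tabackup/" "$LOCAL_OUT"
}

# verify_ta_image IMAGE [SECOND_COPY]
# Succeeds only if IMAGE exists, is non-empty, is not made of zero bytes only
# (a read that never reached the partition yields zeros) and, when SECOND_COPY
# is given (e.g. from a second run of ta_backup), both copies hash identically.
# Writes IMAGE.sha256 next to it so the backup can be re-checked later.
verify_ta_image() {
    img="$1"
    second="${2:-}"
    [ -s "$img" ] || { echo "FAIL: $img is missing or empty" >&2; return 1; }
    # strip every NUL byte and count what is left
    nonzero=$(( $(tr -d '\000' < "$img" | wc -c) ))
    [ "$nonzero" -gt 0 ] || { echo "FAIL: $img contains only zero bytes" >&2; return 1; }
    h1=$(sha256_of "$img")
    if [ -n "$second" ]; then
        h2=$(sha256_of "$second")
        [ "$h1" = "$h2" ] || { echo "FAIL: $img and $second differ" >&2; return 1; }
    fi
    printf '%s  %s\n' "$h1" "$(basename "$img")" > "$img.sha256"
    echo "OK: $img sha256=$h1"
}

# Usage: sh ta_backup_check.sh backup
#        sh ta_backup_check.sh verify tabackup/TA.img [second-copy/TA.img]
case "${1:-}" in
    backup) ta_backup
            # the file name inside the pulled directory is an assumption
            verify_ta_image "$LOCAL_OUT/TA.img" ;;
    verify) shift; verify_ta_image "${1:?image path required}" "${2:-}" ;;
esac
```

Running the backup twice and handing both copies to the verify mode is the cheapest way to catch a flaky USB connection or an exploit run that silently failed; keep the .sha256 sidecar with the image, since the backup is only useful if it is still intact when a restore is attempted.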
    2
    Hey, does anyone know where I can get 5.1.1 firmware (from which I can back up DRM)?
    And does it matter if it's an AU ROM or UK ROM, for example?
    Via XperiFirm I can find only the newest ROMs (6.0.1).

    (I've tried downloading the old XperiFirm like it said on the 1st page, but it still shows only the new ROMs.)

    thanks for help

    Hi, here you can find the 5.1.1, 6.0.1, and already the 7.0 ftf. But I have not tested those images, so I have no idea whether they are harmless or not.
    1
    I would like to make some observations to this useful post, because it seems there's a bit of confusion:
    About point 2)
    to backup TA partition, just connect the phone and run tabackup.bat from iovyroot zip .
    It will execute adb commands automatically.
    About point 3)
    i would stick with Lollipop and unlock directly on Lollipop, there's no need to flash MM before. You need to flash a firmware using flashtool if you have already unlocked. Temporary root exploit does not alter in any way the current system.
    About point 4)
    All the modded kernels on xda seem to have dm-verity and Sony RIC disabled. Androplus kernel too ( https://kernel.andro.plus/kitakami_r2.html from the first changelog ). /system partition modification is also necessary for DRM restore functions.
    I think that root privileges for apps with dm-verity enabled on /system would be quite "dangerous". As soon as an app edits the system partition (just a simple mod), the phone would go into a bootloop.
    It's been one or two weeks since Tobias released a more advanced and updated technique to restore DRM functions, and just flashing a .zip is no longer sufficient (now .zip flashing + .ftf flashing with flashtool).

    The gold standard regarding the kernel part is:
    -use a modded stock kernel (TWRP recovery and advanced DRM restore function included) following this guide:
    http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
    -or use custom kernels like Androplus,... (TWRP might or might not be included) and then restore DRM functions following the instructions from the same post above (drmonly command from the package)
    http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605

    Thank you for making a guide on Z5c forums. I've seen one only on z5 forums

    Sorry, I have never been totally clear on the relationship of firmware and kernels. If I install .163 and go through all the root steps here, if I then install .185 will I no longer have root or will the kernel still be rooted? Or after I upgrade will I be required to go through the root process again? Or by chance is there just no root available for the .185 release yet? Thanks

    If you are on Lollipop, I suggest flashing MM .185 directly. If you are on MM .163 then flashing the whole firmware package will/could wipe everything, kernel included. I don't know exactly whether the kernel from .163 is exactly the same as the one in .185. If your kernel gets wiped then root, DRM restore and TWRP would go away.
    Let me explain: You need a modded kernel in order to install SuperSU, which gives root access to apps. SuperSU runs fine on many phones, Z5C MM included. If you upgrade using a .ftf file flashing, then the chance is high that you need to mod/install a custom kernel again, restore DRM functions and install SuperSU again.
    1
    I would like to make some observations to this useful post, because it seems there's a bit of confusion:
    About point 2)
    to backup TA partition, just connect the phone and run tabackup.bat from iovyroot zip .
    It will execute adb commands automatically.

    As I used Linux, the .bat script won't be directly applicable. The commands listed in my post will work with all host OS. (This is in addition to my personal disinclination to execute downloaded scripts directly on my development host ;) .)

    About point 3)
    i would stick with Lollipop and unlock directly on Lollipop, there's no need to flash MM before. You need to flash a firmware using flashtool if you have already unlocked. Temporary root exploit does not alter in any way the current system.

    Fully correct. I was already on MM before starting the whole process, so I had to go back to LL first.

    About point 4)
    All the modded kernels on xda seem to have dm-verity and Sony RIC disabled. Androplus kernel too ( https://kernel.andro.plus/kitakami_r2.html from the first changelog ). /system partition modification is also necessary for DRM restore functions.
    I think that root privileges for apps with dm-verity enabled on /system would be quite "dangerous". As soon as an app edits the system partition (just a simple mod), the phone would go into a bootloop.
    It's been one or two weeks since Tobias released a more advanced and updated technique to restore DRM functions, and just flashing a .zip is no longer sufficient (now .zip flashing + .ftf flashing with flashtool).

    The gold standard regarding the kernel part is:
    -use a modded stock kernel (TWRP recovery and advanced DRM restore function included) following this guide:
    http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
    -or use custom kernels like Androplus,... (TWRP might or might not be included) and then restore DRM functions following the instructions from the same post above (drmonly command from the package)
    http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605

    Many thanks for that correction - I was wrong to assume that dm-verity would still be intact with Androplus kernel. I have updated my post accordingly.
    1
    Heya,

    I'm a bit of a noob at rooting / flashing on Sony's devices. Before I had a Moto G 2013, and the rooting / flashing procedure was a piece of cake...
    Hence my question regarding my Z5C, which is on stock ROM (32.4.A.1.54), non-rooted, and thus has no TA partition backup. As it will no longer receive any support, I have been thinking about flashing it to get the latest security patches.

    Is this procedure suitable for me if I'd like to back up the TA partition, root my Z5C and install LineageOS or any other custom ROM?
    Thanks.

    Enable "USB debugging" on "developer options" first.
    If you don't have developer options, go to "settings" -> "about phone" -> tap "build number".

    You can use the Dirtycow tool to backup TA now.
    No need to downgrade firmware and temp root.

    After backup TA done, then unlock bootloader here.

    If you don't have adb & fastboot from SDK manager, you can download my copy of platform tools here... it also includes some frequently used .bat files.

    After bootloader unlocked, then you can do the rooting procedures above.