[TOOL] Xflasher (xperia command line flasher for pre 2017 devices)

munjeni

Senior Member
Jun 2, 2011
9,019
21,774
263
Disclaimer:

The Xflasher tool was made for testing and educational purposes. I am not responsible for what you do on/with your device using xflasher; you must agree that you are using xflasher at your own risk. I am not responsible if you brick your device or anything!

How to use:

(2017 phones like the XZ Premium, which have USB VID:PID = 0fce:b00b, are not supported since they use a new flashing protocol! Use the newflasher tool if your device's USB PID is B00B!!)
1. (this step is only for the Windows version!) install the USB drivers, the same ones you use with flashtool
2. simply put xflasher.XXX in the firmware dir created by the great @IgorEisberg tool called XperiFirm, then double click xflasher.exe (or execute xflasher.XXXX in the case of the non-Windows version); it will create xflasher.bat (or xflasher.sh in the case of the non-Windows version)
3. modify xflasher.bat (or xflasher.sh in the case of the non-Windows version) for your needs
4. put your phone into flashing mode (keep in mind it is not fastboot mode, it must be in flash mode!)
5. make sure your battery is charged enough, at least 30 percent!!!
6. double click xflasher.bat (or run xflasher.sh in the case of the non-Windows version) and wait until xflasher flashes your rom
7. done
8. enjoy

Supported platforms:

- there are 3 versions: one for Linux, one for Windows, and one for Android! You can now flash a phone through another phone, so there is no more need for a PC!!!

Credits:

- @shoey63 for helping me deeply test xflasher, thanks a lot man!

Source code:

- https://github.com/munjeni/xflasher
 


munjeni

New version is out!

Changelog (v2):
- support for safely unlocking the device bootloader (sha256 key check + check whether rooting is allowed, yes or no, before unlocking)
- support for flashing all sin files from the bundle but NOT THE BOOT BUNDLE! I will implement the boot bundle soon (boot bundle means: boot delivery from the boot folder, aka sbl1, s1sbl, dbi, aboot... so please do not flash them, since if you flash the wrong file you will hard brick your device!)!
- you can change the usb VID and PID parameters (but in the usb driver you have to do it manually yourself)

A log about success in flashing some sin files is in the attachment
 


mirhl

Senior Member
Oct 15, 2012
3,064
1,146
253
After the experience you acquired writing this tool, and with the previous research, do you think it would be possible to make backups of the TA partition (or at least the area of the TA partition that stores the DRM keys) even from an unrooted phone?

I mean, personally I have an Xperia S, but I was especially thinking of our friends with a Z3 who aren't able to preserve them atm.
 

munjeni

Good question! I thought the same as you, but there are some problems. For example, I have analysed ta and found 4 partitions inside ta: the first one is 0100 (aka 01) and the second one is 0200 (aka 02); both 1 and 2 can be dumped through a special command to the bootloader (flashtool dumps only partition 2 and not all units). But there are two other partitions, 0101 and 0201, and I have no idea how to send a command to the bootloader in order to dump them. For example, for dumping the first two partitions I need to send the command OPEN_TA with the partition number as parameter before sending the command READ_TA unit; I have tried many combinations for opening partition 0101 but I get an error reply from the bootloader, which means parameter error :( It would be great to have the possibility of dumping ta in full form without needing root, but it seems it is not possible for now; maybe in the future we can do it.

Also found something interesting. Dump.ta made by our tool dumps partitions 1 and 2, but when flashing the ta file only partition 1 data is written, since the first parameter in the file is 01, which means "open partition 1". To open the second partition and write the second partition data we must separate the one file into two files, since each partition and its partition data must be separated, because flashtool or s1tool can't see the second partition parameter; so one file must be cut into 2 files before flashing! In any case you can not brick your phone with non-separated files, but only partition 1 will be flashed.

Edit:
DRM keys and all those things live in partition 2 (on rooting-allowed devices). I will need to compare the s1 dump with the ta dump and see what was not dumped from ta. DRM keys are missing for sure; they probably can not be dumped for a reason, since it would be an easy way of tricking Sony's bootloader unlocking policy :) They have designed the unlocking procedure to delete drm, and probably their bootloader is designed to skip drm dumping :) Some units' magic bytes are masked with ffffffff00000000, have no defined size in the header... etc., which is probably hidden from the unit dumper command for a reason :(
 

zxz0O0

Senior Member
Apr 18, 2011
1,534
5,156
0
munjeni, nice work. As far as I researched, the DRM keys are located in Unit 0x1046B. At least this is the unit which the bootloader deletes when it recognizes the device as rooted. I was not able to dump this unit via flashtool. Trying to flash it resulted in:
Code:
ERROR - ERR_SEVERITY="MINOR";ERR_CODE="0026";ERR_DYNAMIC="Not authenticated";
So I guess it's somehow specially protected.

I was able to dump the unit with miscta_read_unit (you need at least system privileges) but not write to it via miscta_write_unit (resulted in error code 3).
We should be able to dump all TA units with the system user (with regard to the recent exploit which theoretically allows privilege escalation to the system user).

Problem is we can not simply restore them unless we find a way to generate a TA.img (with the correct unit layout) out of unit data.
 

zxz0O0

Check TA.img from a locked phone ;) Unit 0x1046B is there with size 0x10. You can also check the appsboot loader; if the device is rooted it deletes this unit.

I have used your ta_gen and it had unit 0x1046B inside the resulting custreset.ta. You can flash this unit in emergency mode, but not in normal mode (see previous post).
 

munjeni

Check TA.img from a locked phone ;) Unit 0x1046B is there with size 0x10. You can also check the appsboot loader; if the device is rooted it deletes this unit.

I have used your ta_gen and it had unit 0x1046B inside the resulting custreset.ta. You can flash this unit in emergency mode, but not in normal mode (see previous post).
You are right, it's on partition 1! Will try something now related to our tool (it seems I have an s1 dump of an unlocked ta, since I can not see this unit in the dump by now). But if my tool can dump this unit then probably we can reconstruct the ta img from the s1 dump, see my previous post (explained everything related to partitions and units)!
 

munjeni

The tool can not read this unit :(

Log:
Want read ta unit 0001046B...

Sending command...
Command raw[13]:

00000000 00 00 00 0C 00 00 00 03 00 00 00 04 12 .............

Sending command...
Want unit raw[4]:

00000000 00 01 04 6B ...k

CRC32[4]:

00000000 BF CE 17 E3 ....

Writing crc32 for want read ta unit...
Verifying crc32...
Error: device reported that wanted ta unit is not found or can not be read!

Success: bulk read 4 bytes
Raw reply[4]:

00000000 00 00 00 00 ....


Error reading unit 0001046B!
So a non-rooted device has no chance of having a full ta dump, since unit 1046B will be missing in the s1 dump :( Maybe we can generate this unit? And how? Is it probably MD5??? Or probably 3 x crc32 of the MARLIN+CKB+WMLA + 1 x crc32 of the crc32+crc32+crc32 ?? :)
 

munjeni

I was able to dump the unit with miscta_read_unit (you need at least system privileges) but not write to it via miscta_write_unit (resulted in error code 3).
We should be able to dump all TA units with the system user (with regard to the recent exploit which theoretically allows privilege escalation to the system user).
Ahh I see, how did you dump this unit through the system user?
 

munjeni

The tool can not read this unit :(

Log:


So a non-rooted device has no chance of having a full ta dump, since unit 1046B will be missing in the s1 dump :( Maybe we can generate this unit? And how? Is it probably MD5??? Or probably 3 x crc32 of the MARLIN+CKB+WMLA + 1 x crc32 of the crc32+crc32+crc32 ?? :)
There is a command 0x19 (hook), I will try with hooking first and see what's happening!
 

munjeni

Check TA.img from a locked phone ;) Unit 0x1046B is there with size 0x10. You can also check the appsboot loader; if the device is rooted it deletes this unit.

I have used your ta_gen and it had unit 0x1046B inside the resulting custreset.ta. You can flash this unit in emergency mode, but not in normal mode (see previous post).
You need to change the first argument in the ta from "02" to "01" since this unit is in partition 01, but be careful, since I do not know if some units from partition 02 exist in partition 01; if you flash wrong data you can get a brick! My tool was only a helper tool for unbricking devices; I need to modify my tool a bit for that, since I did not know about partitions in ta!
 

zxz0O0

You can use miscta_read_unit from libmiscta.so to read this unit.
Code:
static int (*_miscta_read_unit)(int TAUnit, void* buf, int* size);
But you need system or root privileges.

Hopefully you can update your ta_gen tool, since it could not unbrick my device. There should be a command to format TA (maybe 0x0B?). Maybe we can send this command before restoring the TA backup for a successful unbrick.
 

munjeni

You can use miscta_read_unit from libmiscta.so to read this unit.
Code:
static int (*_miscta_read_unit)(int TAUnit, void* buf, int* size);
But you need system or root privileges.

Hopefully you can update your ta_gen tool, since it could not unbrick my device. There should be a command to format TA (maybe 0x0B?). Maybe we can send this command before restoring the TA backup for a successful unbrick.
Which device do you have? If your ta partition is bricked or formatted you will have a chance to unbrick only with an emmc tool or a jtag tool!

Commands in s1 protocol:
Code:
#define CMD_LOADER_INFO		"\x00\x00\x00\x01"            /* loader info (hook phone in flashmode) */
#define CMD_FLASHMODE_OFF		"\x00\x00\x00\x04"            /* Kick device off flashmode */
#define CMD_WRITE_SIN_HEADER	"\x00\x00\x00\x05"            /* write SIN header */
#define CMD_WRITE_SIN		"\x00\x00\x00\x06"            /* write SIN */
#define CMD_GET_LAST_ERROR		"\x00\x00\x00\x07"            /* Get last error */
#define CMD_OPEN_TA			"\x00\x00\x00\x09"            /* open TA (takes the partition number as parameter) */
#define CMD_CLOSE_TA			"\x00\x00\x00\x0A"            /* close TA */
#define CMD_READ_TA			"\x00\x00\x00\x0C"            /* read TA */
#define CMD_WRITE_TA			"\x00\x00\x00\x0D"            /* write TA */
#define CMD_DISABLE_VERIFICATION	"\x00\x00\x00\x19"            /* Disable Final Verification check ? */
Not sure about 0B and also not going to try them, since I already changed my mainboard after bricking the ta partition :D
 
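An added example (not part of the thread or the xflasher source) that reads the read-unit log posted above using the command ids from the #define table in this post: it rebuilds each "Label[N]:" hexdump into bytes, names the command in the first four bytes of the frame, and checks whether the logged CRC32 is zlib's CRC-32 of the unit-id bytes alone (for this log it is not, so whatever the device checksums, it is not just those four bytes with the default polynomial). The record labels come from the log itself; the frame bytes after the command id are left undecoded because the thread does not describe them.

```python
import re
import zlib
# Command ids from the #define table in this thread (first 4 frame bytes, big-endian).
S1_COMMANDS = {
    0x01: "CMD_LOADER_INFO", 0x04: "CMD_FLASHMODE_OFF", 0x05: "CMD_WRITE_SIN_HEADER",
    0x06: "CMD_WRITE_SIN", 0x07: "CMD_GET_LAST_ERROR", 0x09: "CMD_OPEN_TA",
    0x0A: "CMD_CLOSE_TA", 0x0C: "CMD_READ_TA", 0x0D: "CMD_WRITE_TA",
    0x19: "CMD_DISABLE_VERIFICATION",
}
# "Label[N]:" headers and "offset bytes ascii" dump lines as xflasher prints them.
_HEADER = re.compile(r"^([A-Za-z0-9 ]+?)\[(\d+)\]:[ \t]*$", re.M)
_DUMP = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(.*)$")

def parse_log(text):
    """Map each 'Label[N]:' record in an xflasher log to its N raw bytes."""
    records, headers = {}, list(_HEADER.finditer(text))
    for h, nxt in zip(headers, headers[1:] + [None]):
        label, want, out = h.group(1).strip(), int(h.group(2)), bytearray()
        for line in text[h.end():(nxt.start() if nxt else len(text))].splitlines():
            m = _DUMP.match(line)
            if m and int(m.group(1), 16) != len(out):
                raise ValueError(f"{label}: hexdump offsets are not contiguous")
            for tok in (m.group(2).split() if m else ()):
                if len(out) == want or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    break  # declared length reached, or this is the ASCII column
                out.append(int(tok, 16))
        if len(out) != want:
            raise ValueError(f"{label}: declared {want} bytes, dump holds {len(out)}")
        records[label] = bytes(out)
    return records

def command_name(frame):
    """Name the S1 command carried in the first four bytes of a command frame."""
    cmd = int.from_bytes(frame[:4], "big")
    return S1_COMMANDS.get(cmd, f"UNKNOWN_0x{cmd:08X}")

def crc_matches(payload, logged):
    """(computed, logged, equal): is the logged CRC32 zlib's CRC-32 of payload alone?"""
    computed, seen = zlib.crc32(payload) & 0xFFFFFFFF, int.from_bytes(logged, "big")
    return computed, seen, computed == seen

# The read-unit exchange from the log in the post above, reduced to its dump lines.
SAMPLE_LOG = """\
Command raw[13]:
00000000 00 00 00 0C 00 00 00 03 00 00 00 04 12 .............
Want unit raw[4]:
00000000 00 01 04 6B ...k
CRC32[4]:
00000000 BF CE 17 E3 ...."""
```

Feeding a full xflasher log to parse_log works the same way, since only "Label[N]:" headers and dump lines are consumed and every other line is ignored.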

munjeni

Tried to read unit 1046B after writing the hook command but still no chance of dumping it through s1. In the next few days I will focus on generating ta.img from the s1 dump and will analyse things more.
 

zxz0O0

I have a Z1 Compact and tried to recover using your ta_gen and s1tool. But still dead :( I don't own a jtag device nor have any experience using it.