[Tutorial] Backup You TA Partition To Keep Your Drm Keys before unlocking

Status
Not open for further replies.
Search This thread

rickwyatt

Senior Member
Feb 7, 2007
1,222
447
38
london
Backup Your TA Partition Before You Unlock Your Bootloader



please read this

This wont work if you Unlocked your bootloader already because
you have already changed you TA partition. also don't flash
someone elses TA it will hard brick your phone




what i found out

I backed up my TA partition before unlocking my bootloader
after unlocking my bootloader with flash tools and lost my drm keys and ba2
so i thought to myself what would happen if i flashed my locked TA image
i then reflashed it with adb and rebooted my sony z was
locked and drm and ba2 was working again it was like i never unlocked it sweet


heres a video as proof

https://www.youtube.com/watch?v=j7JWa7Y6jUU

Too backup TA do this

(1) Root your phone from here
(2) extract Backup-TA.rar to c:/
(3) click and run Backup-TA
(4) select 1 to backup
(5) Make sure the md5 match
(6) make sure ta.img is in C:\Backup-TA\tools\backup

Too restore TA.img do this


(1) click and run Backup-TA
(2) select 2 to restore
(3) select 3



please hit the thanks button or donate my tool helped you

Version
we are on v4
 

Attachments

  • Backup-TA.rar
    1.3 MB · Views: 29,750
  • History.txt
    362 bytes · Views: 5,812
Last edited:

Egan

Senior Member
May 29, 2010
596
107
Also with photos through Album? Can you show screenshots of it when be2 is on and off?

Sent from my C6603 using xda premium
 

rickwyatt

Senior Member
Feb 7, 2007
1,222
447
38
london
it works just tryed again

also once iv flash the TA image i can't flash boot.img anymore

C:\adb>fastboot flash boot C:\Users\Smokey's\Desktop\boot.img
sending 'boot' (11890 KB)...
OKAY [ 0.748s]
writing 'boot'...
FAILED (remote: Command not allowed)
finished. total time: 0.753s


and flash tool asks for the unlock key again
 
Last edited:

rickwyatt

Senior Member
Feb 7, 2007
1,222
447
38
london
5laj405y3
iv got 4 Certificates

5laj405y3
 
Last edited:
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 145
    Backup Your TA Partition Before You Unlock Your Bootloader



    please read this

    This wont work if you Unlocked your bootloader already because
    you have already changed you TA partition. also don't flash
    someone elses TA it will hard brick your phone




    what i found out

    I backed up my TA partition before unlocking my bootloader
    after unlocking my bootloader with flash tools and lost my drm keys and ba2
    so i thought to myself what would happen if i flashed my locked TA image
    i then reflashed it with adb and rebooted my sony z was
    locked and drm and ba2 was working again it was like i never unlocked it sweet


    heres a video as proof

    https://www.youtube.com/watch?v=j7JWa7Y6jUU

    Too backup TA do this

    (1) Root your phone from here
    (2) extract Backup-TA.rar to c:/
    (3) click and run Backup-TA
    (4) select 1 to backup
    (5) Make sure the md5 match
    (6) make sure ta.img is in C:\Backup-TA\tools\backup

    Too restore TA.img do this


    (1) click and run Backup-TA
    (2) select 2 to restore
    (3) select 3



    please hit the thanks button or donate my tool helped you

    Version
    we are on v4
    10
    please download the new tool it now has md5 check for both
    dev/block/mmcblk0p1 and the backup make sure thay match

    please hit the thanks button or donate my tool helped you
    10
    @Tungstwenty:

    unit 2:66667 is unique device key, which used to crypt sensitive data, like DRM keys.
    during official "bootloader unlock" it is erased, thus rendering DRM keys useless.

    unit 2:2226 is device unlock key.
    If this unit present and allowed by ROOTING_ALLOWED value in hwconfig, then it is checked by semcboot via some weirdo-hash-etc things against RCK_H value in hardware config - one of 3 core security units.

    hwconfig is signed unit, so it's modification not possible.

    i have strong feeling that DRM keys are NOT tied to anything other, than device key unit.
    i will try to copy DRM keys + device key from one phone to other later today and report my results.

    beware :
    if trim area image will be modified externally without proper checksum calculation, phone will be hard brick and it can only be fixed by writing proper trim area image by means of external programmer, like jtag ( if jtag not disabled permanently and can't be bypassed )

    same goes to damaged hwconfig unit.
    ergo - do not play with trim area on sony phones.

    @Egan:
    so, writing 0002:08B2 unit is enough to have unlocked bootloader with DRM keys intact.
    as for "bravia engine", i'm sure it just checks "bootloader unlocked" status - so it can be bypassed by patching some system libraries.

    lib_get_rooting_status.so is root of evil ;)
    9
    to be honest, i'm never checked if unlock code written in "plain hex" into 0002:08b2 unit
    ( cause i'm just patched semcboot ;) ),
    only checked actual 0x08b2 validation procedure.

    it can be easily checked, if someone will provide ta dump after bootloader unlock and unlock code itself.
    Following some partition dumps shared by @Egan and in line with the information above about unit 08b2 (whatever that is :)), here's a summary of some findings I did on the TA dumps before and after unlocking.

    I deduced the structure of the TA partition and here's the breakdown of its contents with the differences marked in red/green:
    Code:
    Found block header 0x3BF8E9C1, 0x166BCC11, 0x2E020002
    
    Token 0x000007D3, Len = 0x00000816
    Value: ...
    
    Token 0x0000084F, Len = 0x00000060
    Value: ...
    
    Token 0x00001324, Len = 0x0000000A
    Value: (masked) - This is the MSN, or serialno
    
    Token 0x00001325, Len = 0x00000009
    Value: (masked) - This is the PBA ID
    
    [COLOR="Red"]Token 0x0001046B, Len = 0x00000010
    Value: 0x91FD...[/COLOR]
    
    ...
    
    [COLOR="Red"]Token 0x00000A2A, Len = 0x00000004
    Value: 0x50450000 (PE..)[/COLOR]
    
    ...
    
    [COLOR="Green"]Token 0x000008B2, Len = 0x00000010
    Value: 0x4238... (B8...)[/COLOR] - This is the plain text hex value of the unlock code
    
    
    [COLOR="Green"]Token 0x00000A2A, Len = 0x00000001
    Value: 0x00[/COLOR]
    
    Skipping padding 0xFFFFFFFF
    
    Found block header 0x3BF8E9C1, 0x03F6AD86, 0x11020102
    
    Token 0x00002718, Len = 0x0000106A
    Value: ...
    
    Token 0x00000802, Len = 0x0000040F
    Value:
    S1 BOOT (1264-2309 S1_Boot_Lagan_1.0_4)
    GPIO HW_ID[4:0]: [00000]
    ...
    Leaving S1 BOOT
    
    
    Skipping padding 0xFFFFFFFF
    
    Found block header 0x3BF8E9C1, 0x025CC9EC, 0x1D010002
    
    Token 0x0000EB2B, Len = 0x00000002
    Value: 0x540B (T.)
    
    ...
    
    Token 0x0000EB3D, Len = 0x00000001
    Value: A
    
    Token 0x000001BF, Len = 0x00000006
    Value: .Q`-..
    
    Skipping padding 0xFFFFFFFF

    After unlocking, the token 1046B is removed and the 8B2 one is inserted.
    Also the 0A2A is changed from 0x50450000 to 0x00 (and changes place, but that should be irrelevant)

    The unlock token is processed by the code from aboot partition (mmcblk0p6) at address 0x88F09704, oroffset 0x972C of the raw partition contents.
    I couldn't find any code referencing the A2A token, though.


    The second thing is related with the 802 token - it appears to contain a log of the latest boot (or at least the latest "maintenance" boot?).
    The differences from before/after were:
    Code:
    S1 BOOT (1264-2309 S1_Boot_Lagan_1.0_4)
    GPIO HW_ID[4:0]: [00000]
    PBA ID: (masked) (3)
    Startup flags: [ONKEY PRESSED]
    [COLOR="Red"]Warmboot reason: [COLDBOOT][/COLOR]
    [COLOR="Green"]Warmboot reason: [UNKNOWN TO S1 BOOT (0x776655AA)]
    [WARNING IN FAC 0x7 CODE 0x6 @ S1/boot/src/s1boot_lib_api.c:700]:
      Device key handling failed!
    [WARNING IN FAC 0x8 CODE 0xA @ S1/boot/src/s1boot_lib_api.c:200]:
      MiscTA data not accepted by security manager![/COLOR]
    [COLOR="Red"]Rooting status is: Not done[/COLOR]
    [COLOR="Green"]Rooting status is: Done[/COLOR]
    [ERROR @ S1/boot/src/s1boot_config_parser.c:586]:
      MiscTA unit 2473 could not be read!
    Service mode detected: [NONE]
    ATAGs will be placed at 0x80200100
    cmdline: androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 vmalloc=400M androidboot.emmc=true androidboot.bootloader=s1 oemandroidboot.s1boot=S1_Boot_Lagan_1.0_4 androidboot.serialno=(masked) ta_info=1,16,256 startup=0x00000001 warmboot=[COLOR="Red"]0x00000000[/COLOR]/[COLOR="Green"]0x776655aa[/COLOR] oemandroidboot.imei=(masked) oemandroidboot.babe1325=(masked) oemandroidboot.babe1326=33 androidboot.baseband=mdm
    booting linux @ 0x80208000, ramdisk @ 0x82200000 (1650358)
    Leaving S1 BOOT
    The warmboot reason code was different, although this could be not related with the locked/unlocked state.
    The Rooting status line is changed, obviously, but the most important change is the 2 new warnings about "Device key handling failed" and "MiscTA data not accepted by security manager".
    These are also handled by aboot, at addresses 0x88f0969c (after attempting to check the 1046b token) and 0x88f09f44 (as a consequence of the 1st error).


    Finally, in addition to the lost contents of the 1046b token (it's 16 bytes wide), there's an additional blob at offset 0x60200 of the TA which is gone after unlocking. The beginning of that blob isn't exactly the same as the previous data, but starting with the 2nd token (84F) it seems to match. I'll try to decode those tokens later on and will post any relevant conclusions. It might be a temporary area used when changing tokens on the list and that ends up being written to the partition, although it's too well aligned. mmm

    Oh, and the 2nd token in the header of each block looks like a checksum. I'm assuming that manually patching the TA contents to insert the 8b2 is not exactly advised :D. I'm glad you guys are talking about existing commands to write these tokens individually in a safe(ish) way.

    If anyone wants to discuss any of this, feel free to PM me if you want.

    I'm very skeptical that the DRM keys (or whatever you want to call them) can be recovered after unlocking the bootloader and not having a TA backup.
    The 1046b token, which is certainly related with that, is completely absent from the "after" image - both in the top of the file and the "backup" block, which doesn't exist on the TA after unlocking.



    PS: Disclaimer - I don't have an Xperia Z yet, but since I'll likely get one in the near future I've been curious for a couple of weeks about the unlocking process without losing the BE2 features ;)
    8
    @Egan

    Here is Beta6 of Flashtool (first install beta5 then update x10flasher.jar with this attached one).
    Place RootMe.tar into custom/root/ServiceMenu (or Root feature will not work) ;)

    This version has TA backup and restore from Advanced menu (Raw mode)

    Take care this is really basic. I mean no backup history and backup stored right into Flashtool Folder :)

    I will place it somewhere else in the final release and there will be an history and a choose from this history for restoring.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone