[Tutorial] Backup You TA Partition To Keep Your Drm Keys before unlocking

Status
Not open for further replies.
Search This thread
By:
Advanced…
rickwyatt

rickwyatt

Senior Member
Feb 7, 2007
1,227
448
41
london
Backup Your TA Partition Before You Unlock Your Bootloader



please read this

This wont work if you Unlocked your bootloader already because
you have already changed you TA partition. also don't flash
someone elses TA it will hard brick your phone



what i found out

I backed up my TA partition before unlocking my bootloader
after unlocking my bootloader with flash tools and lost my drm keys and ba2
so i thought to myself what would happen if i flashed my locked TA image
i then reflashed it with adb and rebooted my sony z was
locked and drm and ba2 was working again it was like i never unlocked it sweet

heres a video as proof

https://www.youtube.com/watch?v=j7JWa7Y6jUU

Too backup TA do this

(1) Root your phone from here
(2) extract Backup-TA.rar to c:/
(3) click and run Backup-TA
(4) select 1 to backup
(5) Make sure the md5 match
(6) make sure ta.img is in C:\Backup-TA\tools\backup

Too restore TA.img do this


(1) click and run Backup-TA
(2) select 2 to restore
(3) select 3



please hit the thanks button or donate my tool helped you

Version
we are on v4
 

Attachments

  • Backup-TA.rar
    1.3 MB · Views: 30,187
  • History.txt
    362 bytes · Views: 5,862
Last edited:
  • Like
Reactions: DMRtech, anuarbin, myself379 and 142 others
E

Egan

Senior Member
May 29, 2010
596
107
Also with photos through Album? Can you show screenshots of it when be2 is on and off?

Sent from my C6603 using xda premium
 
gm007

gm007

Senior Member
May 29, 2011
7,867
4,513
Maybe you can upload your ta backup,so we can test ;)

Sent from my C6602 using xda premium
 
rickwyatt

rickwyatt

Senior Member
Feb 7, 2007
1,227
448
41
london
it works just tryed again

also once iv flash the TA image i can't flash boot.img anymore

C:\adb>fastboot flash boot C:\Users\Smokey's\Desktop\boot.img
sending 'boot' (11890 KB)...
OKAY [ 0.748s]
writing 'boot'...
FAILED (remote: Command not allowed)
finished. total time: 0.753s


and flash tool asks for the unlock key again
 
Last edited:
D

djselbeck

Senior Member
Jun 28, 2011
129
76
I don't have stock rom installed at the moment but I know there are 2 Tests one is for Certificates and one for drm keys.
 
rickwyatt

rickwyatt

Senior Member
Feb 7, 2007
1,227
448
41
london
5laj405y3
iv got 4 Certificates

5laj405y3
 
Last edited:
gm007

gm007

Senior Member
May 29, 2011
7,867
4,513
Do you want share the backup?

Sent from my C6602 using xda premium
 
Status
Not open for further replies.

Similar threads

DooMLoRD
[KERNEL][Z] DooMKernel (v22)[20140413]
Replies
3K
Views
688K
O
oh fuuu
A
[AROMA][Stock Kernel 4.2/4.3/4.4] XzKernel-26 [LTS]
Replies
3K
Views
380K
langeveld024
langeveld024
jeroenqui
[Z] MEOW-kernel v2.07.14 (For CM10.2/CM11-based ROMS)
Replies
1K
Views
255K
U
unrealRage
DooMLoRD
[ROOT] Xperia Z (C660x) for unlocked bootloaders ONLY! (RELEASED)
Replies
219
Views
260K
D
dieukep
A
[TOOL/Z] [UPDATE 06/04/2013] Flashtool version 0.9.11.0 - Windows / Linux / Mac
Replies
672
Views
871K
B
boldguy

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 145
    rickwyatt
    rickwyatt
    Backup Your TA Partition Before You Unlock Your Bootloader



    please read this

    This wont work if you Unlocked your bootloader already because
    you have already changed you TA partition. also don't flash
    someone elses TA it will hard brick your phone



    what i found out

    I backed up my TA partition before unlocking my bootloader
    after unlocking my bootloader with flash tools and lost my drm keys and ba2
    so i thought to myself what would happen if i flashed my locked TA image
    i then reflashed it with adb and rebooted my sony z was
    locked and drm and ba2 was working again it was like i never unlocked it sweet

    heres a video as proof

    https://www.youtube.com/watch?v=j7JWa7Y6jUU

    Too backup TA do this

    (1) Root your phone from here
    (2) extract Backup-TA.rar to c:/
    (3) click and run Backup-TA
    (4) select 1 to backup
    (5) Make sure the md5 match
    (6) make sure ta.img is in C:\Backup-TA\tools\backup

    Too restore TA.img do this


    (1) click and run Backup-TA
    (2) select 2 to restore
    (3) select 3



    please hit the thanks button or donate my tool helped you

    Version
    we are on v4
    View
    10
    rickwyatt
    rickwyatt
    please download the new tool it now has md5 check for both
    dev/block/mmcblk0p1 and the backup make sure thay match

    please hit the thanks button or donate my tool helped you
    View
    10
    D
    Deleted member 3665957
    @Tungstwenty:

    unit 2:66667 is unique device key, which used to crypt sensitive data, like DRM keys.
    during official "bootloader unlock" it is erased, thus rendering DRM keys useless.

    unit 2:2226 is device unlock key.
    If this unit present and allowed by ROOTING_ALLOWED value in hwconfig, then it is checked by semcboot via some weirdo-hash-etc things against RCK_H value in hardware config - one of 3 core security units.

    hwconfig is signed unit, so it's modification not possible.

    i have strong feeling that DRM keys are NOT tied to anything other, than device key unit.
    i will try to copy DRM keys + device key from one phone to other later today and report my results.

    beware :
    if trim area image will be modified externally without proper checksum calculation, phone will be hard brick and it can only be fixed by writing proper trim area image by means of external programmer, like jtag ( if jtag not disabled permanently and can't be bypassed )

    same goes to damaged hwconfig unit.
    ergo - do not play with trim area on sony phones.

    @Egan:
    so, writing 0002:08B2 unit is enough to have unlocked bootloader with DRM keys intact.
    as for "bravia engine", i'm sure it just checks "bootloader unlocked" status - so it can be bypassed by patching some system libraries.

    lib_get_rooting_status.so is root of evil ;)
    View
    9
    Tungstwenty
    Tungstwenty
    the_laser said:
    to be honest, i'm never checked if unlock code written in "plain hex" into 0002:08b2 unit
    ( cause i'm just patched semcboot ;) ),
    only checked actual 0x08b2 validation procedure.

    it can be easily checked, if someone will provide ta dump after bootloader unlock and unlock code itself.
    Click to expand...
    Click to collapse
    Following some partition dumps shared by @Egan and in line with the information above about unit 08b2 (whatever that is :)), here's a summary of some findings I did on the TA dumps before and after unlocking.

    I deduced the structure of the TA partition and here's the breakdown of its contents with the differences marked in red/green:
    Code: 
    Found block header 0x3BF8E9C1, 0x166BCC11, 0x2E020002

Token 0x000007D3, Len = 0x00000816
Value: ...

Token 0x0000084F, Len = 0x00000060
Value: ...

Token 0x00001324, Len = 0x0000000A
Value: (masked) - This is the MSN, or serialno

Token 0x00001325, Len = 0x00000009
Value: (masked) - This is the PBA ID

[COLOR="Red"]Token 0x0001046B, Len = 0x00000010
Value: 0x91FD...[/COLOR]

...

[COLOR="Red"]Token 0x00000A2A, Len = 0x00000004
Value: 0x50450000 (PE..)[/COLOR]

...

[COLOR="Green"]Token 0x000008B2, Len = 0x00000010
Value: 0x4238... (B8...)[/COLOR] - This is the plain text hex value of the unlock code


[COLOR="Green"]Token 0x00000A2A, Len = 0x00000001
Value: 0x00[/COLOR]

Skipping padding 0xFFFFFFFF

Found block header 0x3BF8E9C1, 0x03F6AD86, 0x11020102

Token 0x00002718, Len = 0x0000106A
Value: ...

Token 0x00000802, Len = 0x0000040F
Value:
S1 BOOT (1264-2309 S1_Boot_Lagan_1.0_4)
GPIO HW_ID[4:0]: [00000]
...
Leaving S1 BOOT


Skipping padding 0xFFFFFFFF

Found block header 0x3BF8E9C1, 0x025CC9EC, 0x1D010002

Token 0x0000EB2B, Len = 0x00000002
Value: 0x540B (T.)

...

Token 0x0000EB3D, Len = 0x00000001
Value: A

Token 0x000001BF, Len = 0x00000006
Value: .Q`-..

Skipping padding 0xFFFFFFFF

    After unlocking, the token 1046B is removed and the 8B2 one is inserted.
    Also the 0A2A is changed from 0x50450000 to 0x00 (and changes place, but that should be irrelevant)

    The unlock token is processed by the code from aboot partition (mmcblk0p6) at address 0x88F09704, oroffset 0x972C of the raw partition contents.
    I couldn't find any code referencing the A2A token, though.


    The second thing is related with the 802 token - it appears to contain a log of the latest boot (or at least the latest "maintenance" boot?).
    The differences from before/after were:
    Code: 
    S1 BOOT (1264-2309 S1_Boot_Lagan_1.0_4)
GPIO HW_ID[4:0]: [00000]
PBA ID: (masked) (3)
Startup flags: [ONKEY PRESSED]
[COLOR="Red"]Warmboot reason: [COLDBOOT][/COLOR]
[COLOR="Green"]Warmboot reason: [UNKNOWN TO S1 BOOT (0x776655AA)]
[WARNING IN FAC 0x7 CODE 0x6 @ S1/boot/src/s1boot_lib_api.c:700]:
  Device key handling failed!
[WARNING IN FAC 0x8 CODE 0xA @ S1/boot/src/s1boot_lib_api.c:200]:
  MiscTA data not accepted by security manager![/COLOR]
[COLOR="Red"]Rooting status is: Not done[/COLOR]
[COLOR="Green"]Rooting status is: Done[/COLOR]
[ERROR @ S1/boot/src/s1boot_config_parser.c:586]:
  MiscTA unit 2473 could not be read!
Service mode detected: [NONE]
ATAGs will be placed at 0x80200100
cmdline: androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 vmalloc=400M androidboot.emmc=true androidboot.bootloader=s1 oemandroidboot.s1boot=S1_Boot_Lagan_1.0_4 androidboot.serialno=(masked) ta_info=1,16,256 startup=0x00000001 warmboot=[COLOR="Red"]0x00000000[/COLOR]/[COLOR="Green"]0x776655aa[/COLOR] oemandroidboot.imei=(masked) oemandroidboot.babe1325=(masked) oemandroidboot.babe1326=33 androidboot.baseband=mdm
booting linux @ 0x80208000, ramdisk @ 0x82200000 (1650358)
Leaving S1 BOOT
    The warmboot reason code was different, although this could be not related with the locked/unlocked state.
    The Rooting status line is changed, obviously, but the most important change is the 2 new warnings about "Device key handling failed" and "MiscTA data not accepted by security manager".
    These are also handled by aboot, at addresses 0x88f0969c (after attempting to check the 1046b token) and 0x88f09f44 (as a consequence of the 1st error).


    Finally, in addition to the lost contents of the 1046b token (it's 16 bytes wide), there's an additional blob at offset 0x60200 of the TA which is gone after unlocking. The beginning of that blob isn't exactly the same as the previous data, but starting with the 2nd token (84F) it seems to match. I'll try to decode those tokens later on and will post any relevant conclusions. It might be a temporary area used when changing tokens on the list and that ends up being written to the partition, although it's too well aligned. mmm

    Oh, and the 2nd token in the header of each block looks like a checksum. I'm assuming that manually patching the TA contents to insert the 8b2 is not exactly advised :D. I'm glad you guys are talking about existing commands to write these tokens individually in a safe(ish) way.

    If anyone wants to discuss any of this, feel free to PM me if you want.

    I'm very skeptical that the DRM keys (or whatever you want to call them) can be recovered after unlocking the bootloader and not having a TA backup.
    The 1046b token, which is certainly related with that, is completely absent from the "after" image - both in the top of the file and the "backup" block, which doesn't exist on the TA after unlocking.



    PS: Disclaimer - I don't have an Xperia Z yet, but since I'll likely get one in the near future I've been curious for a couple of weeks about the unlocking process without losing the BE2 features ;)
    View
    8
    A
    Androxyde
    @Egan

    Here is Beta6 of Flashtool (first install beta5 then update x10flasher.jar with this attached one).
    Place RootMe.tar into custom/root/ServiceMenu (or Root feature will not work) ;)

    This version has TA backup and restore from Advanced menu (Raw mode)

    Take care this is really basic. I mean no backup history and backup stored right into Flashtool Folder :)

    I will place it somewhere else in the final release and there will be an history and a choose from this history for restoring.
    View

New posts