Universal (Dirtycow-based) TA Backup v2


Fukel

Member
May 25, 2016
18
11
I guess so. Never done that myself.

Couldn't do it in TWRP; it said there was no such path for /dev/block/bootdevice/by-name/TA. I decided to flash stock first, then root it and restore TA from Android. That worked fine; I just had to change the "adb shell" command to "adb shell su -c" or I would get a permission denied error.
 

memphis77

Senior Member
Nov 3, 2012
246
62
cologne
Solved

Okay, managed to download the file.
Downgraded to MM and ran backup TA, but it always says device not found. I tried it in fastboot, flashmode and with the phone just regularly on.
USB debugging is on and also unknown sources. What's the catch?
error: device not found
error: device not found
error: device not found
Running on on 32-bit platform
Pushing files
Pushing files/dirtycow32 to /data/local/tmp/dirtycow
error: device not found
error: device not found
Pushing files/run-as32 to /data/local/tmp/run-as
error: device not found
error: device not found
Pushing files/exploitta32 to /data/local/tmp/exploitta
error: device not found
error: device not found
Pushing files/dumpta32 to /data/local/tmp/dumpta
error: device not found
error: device not found
Pushing files/checkta32 to /data/local/tmp/checkta
error: device not found
error: device not found
pushing push files/backupTA.sh /data/local/tmp/backupTA.sh
error: device not found
error: device not found
Running scripts to dump ta to "TA___12102017-1033.img" on device
error: device not found
Pulling image
error: device not found
Cleaning up
error: device not found
TA Backup Failed!! Please reboot and try again.
NOTE: If you are running Android Nougat, you need to downgrade to use this tool.

Drücken Sie eine beliebige Taste . . .
 

Macsek

Senior Member
Apr 29, 2007
85
24
Budapest
Thanks, since I restore TA through TWRP does that mean I need to flash stock ROM after I restore TA?

Of course you need to flash a stock ROM, losing root.
Restoring TA would re-lock your bootloader; a locked BL can only load signed Sony kernels, all of which contain RIC and dm-verity.

---------- Post added at 03:58 PM ---------- Previous post was at 03:48 PM ----------

Thanks to @rayman for this tool.
It works for my Xperia Z, but does not work for my previous nor current Z5c running stock Lollipop 5.1.1 (32.0.A.6.200 Australia).
However iovyroot 0.4 does work.
 
Jun 3, 2016
24
0
CONFIRMATION OF TA RESTORE!
- Ran tool on Xperia X
- Unlocked bootloader
- Flashed TWRP
- Booted to system
- Got nag about being unsafe due to unlocked bootloader and wanted password. I don't have a password?? (nevermind)
- Booted back to TWRP (Also wants a password due to encrypted data - ignored!)
- Pushed TAbackup.img (I renamed it) to /data/local/tmp and verified md5sum is same as original backup.
- Did
Code:
adb shell dd if=/data/local/tmp/TAbackup.img of=/dev/block/bootdevice/by-name/TA
- Rebooted
- Everything back as it was. Original TA restored and DRM keys all active:victory:

NOTE/EDIT: Due to dm-verity, you cannot restore TA on a rooted phone (Z3+ onwards). It won't boot up. Boot and system have to be pure untouched stock.

That's what I meant.
I got nothing from this guide.
Push the TA backup to where? Via what? (I mean the file manager included in TWRP?)
And the next step:
What should I do about adb shell?
Enter the code in the terminal in TWRP or something?
And the terminal says: No adb shell
???
 

FallenSp

Senior Member
Sep 23, 2012
92
14
São Paulo
I followed this topic's tool to back up my Z3 (D6633) DRM keys, and I received this. My phone is not rooted and it generated a file of 2048 KB (2 MB). A long time ago, I made a backup on my old Z1; the requirement to use that tool was that the phone had to be rooted first, and the file was much smaller. That is not my case now. Did that work fine? I attached a screenshot of the process. Thanks for all.

I know this is off topic, but if someday I want to restore my backup, how do I do that?
I saw something like running some adb commands. Do I need to be on stock to run them, or can I run them in a custom ROM, turn off my phone, and flash the stock?
I am using a Ukrainian version of Marshmallow, because Sony rolled out the Brazilian version too late. Can I restore this on any stock ROM?

D6633 - Android 6.0.1 - 23.5.A.1.291
Sorry for my bad English

shoey63

Recognized Contributor
Jun 5, 2012
4,004
3,987
Somewhere in Oz...
@shoey63
I had an unlocked bootloader which I locked with my TA backup. The question is: if I re-unlock my bootloader, can I use the same TA backup to relock, or do I need a new backup file?

You can restore the TA backup anywhere, anytime, any firmware if you have root. Just flash any pure stock firmware afterwards.


josephnero

Senior Member
Mar 23, 2011
2,174
720
Sanford NC
It changes over time due to the logging area, but the original can always be reflashed.
You can safely restore on N or O, even if backed up on MM if that's what you are worried about.

Thanks a ton. I'm mashing the thanks button but getting unfortunately can't have more than eight thanks per day which is weird. Haven't thanked anyone recently. Will try again tomorrow. Thanks again
 

Top Liked Posts

  • 185
    Dirtycow-based TA Dumper for Sony Xperia Devices. (v2.0)

    Author:
    Jens Andersen
    Xda: rayman
    Twitter: https://twitter.com/EnJens
    GitHub: EnJens

    Source can be found on https://github.com/EnJens/backupTA.
    Must be built within AOSP (e.g. checkout to external/backupTA)

    Changelog:
    • More devices supported. The dreaded "Permission denied" should be long gone
    • Stability improved
    • TA dump is now verified before pulling
    • An error message is correctly shown when the process fails.

    Requirements:
    Phone running a dirtycow capable OS (E.g. recent N builds won't work).
    If you have already upgraded, downgrading (temporarily) should be possible.
    It should work on all recent xperia phones, but there might be exceptions.

    It works on Linux, Windows and Mac (OS X)

    Instructions:
    1. Ensure you have adb access (e.g. drivers installed, enabled etc)
    2. Run backupTA.sh (linux) or backupTA.cmd (windows) in the root directory.
    3. TA will be saved as TA-ModelNumber-Serial-Timestamp.img in
      the backupTA.sh directory.
    4. On failure, the TA file should be missing, but please check that the file is 2.097.152 bytes

    Download:

    Credits:
    • rayman
    • Bumble-Bee (Testing)
    • Myself5 (Testing and some scripts)
    • oshmoun (Testing)
    • Androxyde (Testing)
    • munjeni (checkta source)

    Tested on:
    • Xperia Z1
    • Xperia ZL
    • Xperia Z2
    • Xperia Z3
    • Xperia Z5
    • Xperia Z5 Compact
    • Xperia E5
    • Xperia M5
    • Xperia M4 Aqua
    • Xperia C5
    • Xperia X
    • Xperia XA
    • Xperia XA Ultra
    • Xperia X Performance
    • Xperia X Compact
    • Xperia XZ

    XDA:DevDB Information
    Universal (Dirtycow-based) TA Backup, Tool/Utility for the OEM Cross Device Development

    Contributors
    rayman, rayman
    Source Code: https://github.com/EnJens/backupTA


    Version Information
    Status: Stable

    Created 2016-12-07
    Last Updated 2020-07-27
    36
    CONFIRMATION OF TA RESTORE!
    - Ran tool on Xperia X
    - Unlocked bootloader
    - Flashed TWRP
    - Booted to system
    - Got nag about being unsafe due to unlocked bootloader and wanted password. I don't have a password?? (nevermind)
    - Booted back to TWRP (Also wants a password due to encrypted data - ignored!)
    - Pushed TAbackup.img (I renamed it) to /data/local/tmp and verified md5sum is same as original backup.
    - Did
    Code:
    adb shell dd if=/data/local/tmp/TAbackup.img of=/dev/block/bootdevice/by-name/TA
    - Rebooted
    - Everything back as it was. Original TA restored and DRM keys all active:victory:

    NOTE/EDIT: Due to dm-verity, you cannot restore TA on a rooted phone (Z3+ onwards). It won't boot up. Boot and system have to be pure untouched stock.
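
The size check from step 4 of the tool's instructions and the md5sum comparison from the restore report above, combined into one pre-restore check. This is an added example, not part of backupTA or of any post in this thread; the function names and the `.md5` sidecar file are assumptions, and the demo uses a constructed zero-filled stand-in, not a real TA dump.

```shell
#!/bin/sh
# Added example: integrity checks for a TA backup image before it is written back.
TA_SIZE=2097152   # expected dump size in bytes, from the tool's instructions

# Print the MD5 of a file (md5sum on Linux, md5 -q on macOS).
ta_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Record the hash next to the image right after a successful backup.
# (The "<image>.md5" sidecar is this example's convention, not the tool's.)
ta_record_hash() {
    ta_md5 "$1" > "$1.md5"
}

# Check an image before restoring it.
# Returns: 0 ok, 1 file missing, 2 wrong size, 3 no recorded hash, 4 hash mismatch
ta_check_image() {
    img=$1
    [ -f "$img" ] || return 1
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -eq "$TA_SIZE" ] || return 2
    [ -f "$img.md5" ] || return 3
    [ "$(ta_md5 "$img")" = "$(cat "$img.md5")" ] || return 4
    return 0
}

# Constructed demo: a zero-filled 2 MiB stand-in, then a damaged copy of it.
ta_demo() {
    d=$(mktemp -d) || return 1
    dd if=/dev/zero of="$d/TA.img" bs=1024 count=2048 2>/dev/null
    ta_record_hash "$d/TA.img"
    ok=0;  ta_check_image "$d/TA.img" || ok=$?
    printf 'x' >> "$d/TA.img"          # one extra byte: size no longer matches
    bad=0; ta_check_image "$d/TA.img" || bad=$?
    rm -rf "$d"
    echo "$ok $bad"
}

ta_demo
```

Because dumps taken on different boots differ (see the FAQ), the hash is only meaningful against the value recorded for that same file, not against a second dump.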
    19
    How it works

    A very quick primer on how backupTA works now the source is out:
    Sony's devices are extremely locked down with SELinux, and even getting root (with dirtycow) leaves you with very little access to the system.
    Other than true root (which is rather difficult to get, although not impossible), only the Sony TA daemon has access to the partition required. But the TA daemon has no access to write any files anywhere on the device where we can pull them...

    The basic approach is:
    * Overwrite run-as binary with a custom binary
    * When executed it switches to root and sets platform_app permissions, which for some bizarre reason is allowed from run-as explicitly. (See note 1)
    * Once it has these privileges, it has access to dirtycow /sbin/tad_static
    * It overwrites tad_static with a special daemon that allows reading the entire TA partition over the tad socket already used by the system. (See note 2)
    * The run-as replacement reads the TA dump over the tad socket and pipes it to stdout to write to a file. (See note 3)

    Note 1:
    Dirtycow cannot increase the size of any binaries on the system, so to make things actually work, this solution also overwrites screenrecord binary (which is significantly bigger). run-as then executes this after setting up root and does all the fancy things. On some devices the platform-app context with root does not allow reading or writing files anywhere. To get around this, it reads the replacement tad_static from stdin and writes the dump to stdout. The script that runs run-as handles the piping.

    Note 2:
    When tad_static is first executed during boot, it's cached by Linux. For efficiency reasons and because it's on a read-only filesystem, it's executed from this cache in memory. When dirtycow replaces the binary on /sbin, it actually replaces the running binary's code in memory, forcing it to crash. Init automatically restarts it, but now it's the replaced binary running which allows us to dump what we need.

    Note 3:
    The tad socket is actually quite limited permission-wise too. Only a limited subset of SELinux contexts are allowed to read/write to it and the same goes for users. Luckily, root user with some supplementary groups, and the platform_app SELinux context does have access to it, so we abuse that fact to talk to the replaced TA daemon.
    16
    FAQ:
    • Q: Why is the backup different between reboots?
    • A: There is other data stored in the TA partition than just the TA Units. On some devices, the bootloader bootlog is stored there along with other pieces of data.
    15
    Version 2 Released

    Version 2 is now released.
    Changelog:
    • More devices supported. The dreaded "Permission denied" should be long gone
    • Stability improved
    • TA dump is now verified before pulling
    • An error message is correctly shown when the process fails.