[xperia 1/5] temp root exploit via CVE-2020-0041 including magisk setup

[j4nn]

temp root exploit for sony XPERIA 1 and XPERIA 5 with android 10 firmware
including temporal magisk setup from the exploit
​

The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
This is a modification of the Pixel 3 specific exploit to be compatible with kernel 4.14 that is used with xperia 1/5 phones.
This work has been done in collaboration with @bb-qq, who has implemented support of JP model of xperia 1.
The exploit is extended in a way allowing setup of magisk v20.4 from the temp root, including working su permission asking notification support.
It uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as android service.
There are also many extensions implemented to make the exploit stable with kernel 4.14.

SUPPORTED TARGETS

• 802SO-55.1.B.0.202 (xperia 1 Japan model)
• J8110-55.1.A.0.748 (xperia 1 single sim)
• J8170-55.1.A.0.748 (xperia 1 US model)
• J9110-55.1.A.0.748 (xperia 1 dual sim)
• J9110-55.1.A.3.107 (xperia 1 dual sim)
• J9150-55.1.A.3.107 (xperia 1 Japan dual sim)
• J9180-55.1.A.0.748 (xperia 1 China model)
• J9180-55.1.A.3.107 (xperia 1 China model)

• J8210-55.1.A.0.748 (xperia 5 single sim)
• J9210-55.1.A.0.748 (xperia 5 dual sim)
• J9210-55.1.A.3.112 (xperia 5 dual sim)

The exploit has been tested only with the JP model of xperia 1 (the 802SO-55.1.B.0.202 target), but support for other targets have been implemented based on static analysis of each kernel image from target firmware.
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.

USAGE HOWTO INCLUDING MAGISK SETUP

• be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
• enable developer mode options and in there adb debugging (eventually install adb drivers)
• download the x1x5-mroot.zip with the exploit attached in this post
• download Magisk-v20.4.zip from magisk releases page on github here
• use 'adb push x1x5-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
• unzip and prepare magisk setup with following commands in 'adb shell'
  

  cd /data/local/tmp
  unzip x1x5-mroot.zip
  chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
  ./magisk-setup.sh

• get temp root and start magisk up with following commands in 'adb shell' - do not copy paste them all at once, but enter (or copy&paste) each line separately one by one:
  

  cd /data/local/tmp
  ./x1x5-mroot
  ./magisk-start.sh -1
  ./magisk-start.sh -2
  ./magisk-start.sh -3

If it worked, you should see something like this:

802SO:/ $ cd /data/local/tmp
802SO:/data/local/tmp $ ./x1x5-mroot
[+] factoryversion = '802SO-55.1.B.0.202'
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffe5cd6e3b00
[+] file epitem at ffffffe54d87eb00
[+] Reallocating content of 'write8_inode' with controlled data..[DONE]
[+] Overwriting 0xffffffe5cd6e3b20 with 0xffffffe54d87eb50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff90392212d0
[+] kernel base: ffffff9037e80000
[+] init_cred: ffffff903a02d808
[+] memstart_addr: 0xffffffdbc0000000
[+] First level entry: 145437003 -> next table at ffffffe585437000
[+] Second level entry: 1e6b41003 -> next table at ffffffe626b41000
[+] sysctl_table_root = ffffff903a05d380
[+] Reallocating content of 'write8_sysctl' with controlled data.[DONE]
[+] Overwriting 0xffffffe6352bcb68 with 0xffffffe54b8a3000...[DONE]
[+] Injected sysctl node!
[+] Reallocating content of 'write8_selinux' with controlled data.[DONE]
[+] Overwriting 0xffffff903a772ffc with 0x0...[DONE]
[+] Node write8_inode, pid 10824, kaddr ffffffe4e3d18c00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 11452, kaddr ffffffe58324c400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 11338, kaddr ffffffe4e3c05980
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffe5cd6e3b20
[+] epitem.prev = ffffffe5cd6e3bd0
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ true
+ rm -rf /data/adb/magisk.db /data/adb/magisk
+ mkdir -p /data/adb/magisk
+ chmod 700 /data/adb
+ cp -a busybox /data/adb/magisk
+ cp -a magisk /data/adb/magisk
+ cp -a magiskboot /data/adb/magisk
+ cp -a magiskinit /data/adb/magisk
+ cp -a util_functions.sh /data/adb/magisk
+ cp -a boot_patch.sh /data/adb/magisk
+ chmod -R 755 /data/adb/magisk
+ chown -R root:root /data/adb/magisk
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14100
+ '[' -z 14100 ']'
+ >/sbin/.magisk/escalate
+ echo 14100
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
+ FRESH=false
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC=''
+ timeout=10
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14131
+ '[' -n 14131 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.14.117-perf+ #1 SMP PREEMPT Wed Jan 15 23:36:28 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive

Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission should work now.
Please be sure to use 'exit' command to cleanly end the temp root shell. Do not close the window instead. It is needed for proper cleanup.

Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.

DRM KEY / TA PARTITION BACKUP POSSIBILITY
Please note, this exploit will get you a root shell with still locked xperia 1 and 5 phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there.
Even though xperia 1 and 5 allows to relock bootloader after unlock, possibly returning drm functionalities, it is very probable that a device key (device specific drm key residing in 66667 ta unit) is still erased on bootloader unlock (and re-lock), so backing up and restoring TA with the key present may actually be useful.
This is something to be tested - anybody considering bootloader unlock of xperia 1 or 5, please be sure to backup TA from still locked state via this exploit and also TA after unlock for comparison.
For more details see here and following post.

SOURCES
Exploit sources are available at my github here.

CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
Thanks to @bb-qq for initial xperia 1 support and testing.

DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.
Thank you very much to all who donate.

DOWNLOAD

 

[j4nn]

reserved

 

[Coolty]

factoryversion = '802SO-55.1.B.0.300'
target is not supported.

 

[nos1609]

Testr=ed yesterday on J9210-55.1.A.0.748
But had to enter these

cd /data/local/tmp
./x1x5-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3

with an interval of several seconds to avoid reboot

 

[j4nn]

@Coolty, you need to run one of the listed firmware versions in order for the exploit to work. You may need to downgrade.
@nos1609, yes, it may be like that. You should enter (or copy&paste) each line separatelly one by one, not all of them at once to have it more stable. It does not work from a script or pasted as a block of commands.
Also be sure to use 'exit' command to end the temp root shell. Do not just close the adb shell window without using the 'exit' command. The 'exit' command is needed to finish proper cleanup after the exploit.
You can disconnect from usb after terminating adb shell with 'exit' command, do not disconnect before exiting it.

 

[nitrams]

@j4nn boss xperia 10 please it is the only new model of xperia that hasn't had temp root yet

 

[j4nn]

@nitrams, xperia 10 kernel is not vulnerable to CVE-2019-2215, at least the two kernel source packages (53.1.A.2.2 and 53.0.A.2.139) released by sony contain the fix for it.
These two kernels are not vulnerable to CVE-2020-0041 either.

 

[nitrams]

@nitrams, xperia 10 kernel is not vulnerable to CVE-2019-2215, at least the two kernel source packages (53.1.A.2.2 and 53.0.A.2.139) released by sony contain the fix for it.
These two kernels are not vulnerable to CVE-2020-0041 either.

If i can flash back to older build like android 9 53.0.A.14.47 is there a possibility?

 

[j4nn]

@nitrams, I have no idea how it is with other fw versions or other possible vulnerabilities. Sources are released only for the two I have mentioned above (and one of them is even corrupted, so it cannot be fully unpacked). I would assume that 53.0.A.2.139 is android 9.

 

[AndroPlus]

Thank you for publishing this!
Here is all FTFs for Japanese models:
https://ftf.andro.plus/

 

[aolaol]

any possible use CVE-2020-0041 exploit temp root for mi10pro?

 

[j4nn]

@aolaol, you need to check kernel source to see if or which kernel is vulnerable first.
See The patch overview here:
https://www.synacktiv.com/en/publications/binder-analysis-and-exploitation-of-cve-2020-0041.html

 

[TrustAugustus]

This is great. But a functional twrp would be amazing

 

[j4nn]

@TrustAugustus, with a functional twrp it would not be a temp root any more, would be?
Just backup TA partition and then unlock the bootloader.
You can re-lock with xperia 1/5 if you need.
After re-lock, use the temp root again and restore the locked state TA backup.

 

[aolaol]

@aolaol, you need to check kernel source to see if or which kernel is vulnerable first.
See The patch overview here:
https://www.synacktiv.com/en/publications/binder-analysis-and-exploitation-of-cve-2020-0041.html

Do you want to develop it for mi10pro

 

[madshark2009]

can anyone report this as 100% working and when relocking the bootloader and restoring the TA, does the phone go back completely to manufacturer state?

 

[RickyVaughn99]

Just backup TA partition and then unlock the bootloader.
You can re-lock with xperia 1/5 if you need.
After re-lock, use the temp root again and restore the locked state TA backup.

Could you please give me a hint how to backup the TA area, preferably from the command line ?
Regards,

RV.

 

[RickyVaughn99]

Dear folks,

lack of some precise details of using this method ...
Can somebody please tell me the exact procedure to do after the

cd /data/local/tmp
unzip x1x5-mroot.zip
chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
./magisk-setup.sh

just to avoid painfil errors ...?

I have all my prerequisites together and I'm on J9210-55.1.A.3.112 stock, bootloader locked.

1. After the magisk-setup.sh has finished, can/should I directly proceed in the same adb shell with

./x1x5-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3

?
2. Where to enter the "su" ?

3. I want to install some apps that require root (titanium backup, greenify, afwall+ ...). Using the proposed method, at what point and in which way am I able to do so?

4. I want to backup the TA with the script by devshaft. Can I do this when the temp root shell is still open ?

The section od Post 1 that confuses me most is

Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission should work now.
Please be sure to use 'exit' command to cleanly end the temp root shell. Do not close the window instead. It is needed for proper cleanup.

Best regards,

RV.

 

[RickyVaughn99]

Okay, Update:

I followed the steps from post 1 an am stuck now.
Everything went okay regarding the run of the scripts, then I typed "exit" in tthe adb shell. Now my phone is dead after getting slower and slower over a minute.
Some hints what to do ?

Edit: After hard reset (volume up + power few seconds) and a second run now all works fine.
Thanks for support.

 

[RickyVaughn99]

Okay, a few last questions:

I was able to install apps that need root. What to do if an app needs permanent root ? Is there a way with the magisk manager ?