[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented


Dematen (Member, joined Nov 27, 2017)
> even though I saw that you didn't succeed

Yes, I was confident in this method because it would allow rooting without unlocking the phone.
As you will have read, I managed to back up the TA this way, but, even though I did not expect it from what I had read in this thread, the camera only took green photos and things like the QR code did not work.
Fortunately, updating the phone restored the camera; I never had a chance to test video, but I trust it is fine.
In the meantime, thank you for the reply, since recently I have not received any others ;)

 
(Member, joined Jun 3, 2016)
> Hi compatriot, I would be grateful if you let me know if you manage to root this phone without losing camera, video, Google Pay and the like.
> Usually I never get answers when I write on this forum.
> Bye.


I had root on stock Pie without any problems at all! After putting the TA keys back, everything worked: bank apps, camera, etc. I can't tell you about Google Pay because I don't use it.
I followed the various instructions here and had no particular difficulties.
At the moment I have had Lineage 17.1 for about 6 months and it works more than fine.

If I can help, write to me and I will gladly do so!

[Edit: sorry for not writing in English!]
 
Dematen (Member, joined Nov 27, 2017)
Did you root with this method without unlocking?
You make me wonder whether perhaps I did not reload the TA, thinking that the phone was not unlocked anyway.
Would it have been decisive to reload the TA even without unlocking the phone?
If so, I will try again.
P.S. If you have the phone at hand, could you check just this: when you press airplane mode in the quick tools, besides wifi turning grey, does mobile data also stay lit even though it is inactive? ty.

 
(Member, joined Jun 3, 2016)
> Did you root with this method without unlocking?
> ...

No, without unlocking the bootloader I just made a copy of the TA; then I unlocked the bootloader and re-flashed the TA keys, TWRP and Magisk for root.

[Edit: on Lineage there is no mobile data icon error like the one you describe]

 
Dematen (Member, joined Nov 27, 2017)
> No, without unlocking the bootloader I just made a copy of the TA; then I unlocked the bootloader and re-flashed the TA keys, TWRP and Magisk for root.
> ...

I see. I, on the other hand, backed up the TA without unlocking, then saw that root worked anyway and, following what I understood from this thread, did not unlock the bootloader.
Except that the camera did not work, so I immediately ran for cover after reading that the system could be updated to recover it.
You unlocked the bootloader, but isn't it written in this thread, precisely to state that root works even without unlocking?
I did back up the TA, but I am left with the doubt that I did it incorrectly.
Can the integrity of the TA be checked?
Or is a TA backup always genuine as long as the bootloader has not been unlocked?
ty.

 

raziel7893 (New member, joined Oct 20, 2010)
Hello, I've tried to skim through the last pages to find an answer, but I didn't find one.

First: I have a SOV36, downgraded it via the great tutorial in the first post, gained root via renoroot, and saved the TA partition. While unlocking I get "Command not allowed".
As I understand it, when root status is unknown and unlock fails with "Command not allowed" there is no possibility to unlock the bootloader, right?

Is it possible to simply dd the twrp image to the recovery partition and start installing a custom rom regardless?

Or is this partition read-only without unlock?

Thanks in advance
Greets Alex
 

raziel7893 (New member, joined Oct 20, 2010)
Hmm, is there no edit function?

I found the answer myself. No, it seems I'm out of luck :(.
But thanks for your great tutorial. At least I've got an international rom now :)

Best regards
 

Shahnewaz (Member, joined Sep 16, 2012)
Alright, I'm in a weird position now.
I've finally decided to unlock and root my XZ1c, and I've done it as explained in #1029. TA is restored after unlock.

However, I still get the bootloader unlocked screen, but my device is certified in the Play Store and all security features seem to be functional. Everything works... but the unlocked screen remains. :unsure:
Did I do something wrong? I've attached my security service info screenshot.
 

Attachments: Screenshot_20201205-001327.png (105.3 KB)
(Member, joined Dec 12, 2020)
I want to unlock the bootloader on my XZ1c and back up the TA partition beforehand.
Android Pie (47.2.A.11.228) is installed and, because Renoroot only works under Oreo, I have downgraded to Android Oreo (47.1.A.8.49). Under Android Pie, the service menu showed me: **Bootloader unlock allowed: Yes** and after the downgrade under Oreo: **Bootloader unlock allowed: unknown**.

Hence my question: what did I do wrong?


I use Windows 10 x64 and the following programs:
- Xperia Companion 2.10.3.0 (https://www.sony.com)
- Android SDK Platform-Tools 30.0.5 (https://developer.android.com/studio/releases/platform-tools)
- newflasher_v38 (https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/)

Image:
- oreo 47.1.A.8.49_CE1 (https://www.androidfilehost.com/?fid=11410932744536993396)

Preparation for downgrade:
- unpack image (Directory: G8441_47.1.A.8.49_CE1)
- unpack the file **partition.zip** in **G8441_47.1.A.8.49_CE1\partition**
- delete the *.ta files

boot\Lilac_XBootConfig_MiscTA.ta
auto-boot.ta
cust-reset.ta
fota-reset.ta
master-reset.ta
osv-restriction.ta
reset-kernel-cmd-debug.ta
reset-non-secure-adb.ta
reset-wipe-reason.ta
simlock.ta

- copy program files from newflasher_v38 to directory G8441_47.1.A.8.49_CE1\

Perform downgrade:
- start G8441_47.1.A.8.49_CE1\newflasher.exe
Rebootmode after flashing: poweroff
Gordongate flash driver: skip
Dump trim area: skip
.
.
.
End. You can disconnect your device when you close newflasher.exe
Press any key to continue...

After the basic setup, switch to the service menu (dial *#*#7378423#*#*):
Configuration -> Bootloader unlock allowed: unknown

I successfully backed up the TA-Partition with Renoroot and saved it to my PC.


I stopped my attempts at this point and gradually updated Android Oreo to Pie using Xperia Companion. I am now back to version 47.2.A.11.228 and the service menu again says: **Bootloader unlock allowed: Yes**.
The entries in the service menu have changed in one place: Security -> Args (Before: 0x000000, 0x00000001; After: 0x6f656d50, 0x00008000).
I did not notice any other changes.
 

BBComputerBwoy (New member, joined Jan 2, 2021)
Hi, I am using an XZ1 Japanese model running Docomo, firmware number 47.2.B.5.38 (locked bootloader) Is it possible to flash this device using the methods mentioned here...or do I need to downgrade my firmware?
 

J.M.Siyath (Senior Member, joined Jul 22, 2015)
Is this forum still active?
I like to use custom roms; before unlocking the bootloader I want to confirm whether the DRM keys backup is worthwhile.
If yes, how do I back them up simply? There are a lot of things in the first post and I can't understand all of them.
Please, anyone, reply to me.
 
I have a SOV36 JP,
flashed the 8341 target with newflasher,
renoroot succeeded, copied TA-locked,
and then it is impossible to unlock the bootloader.... fastboot says command not allowed... rooting status says: NO

Blocked here. I will try bindershell now, but my level of hope is very low after one full day on this with no success.

Thanks anyway, I learnt a lot about Xperia and I think it's the first time I'm running an exploit lol ;-)
 

hupengwei (Member, joined Aug 4, 2018)
> Let's say we could gain code execution in the xfl/loader (the .sin flasher aka sony service/flash mode, green led light).
> Could that allow us to re-lock bootloader?
> In my opinion XFL mode may have higher permissions with regard to TrustZone calls vs general android kernel code execution.

In fact, I don't agree with your opinion. Last week I used your method to get a temp root shell, and I believe that only if I extract the x-flash-boot.sin and get the abl.mbn from the test-version firmware could I use the dd command to get the rights to unlock the bootloader of my xz1c (SO-02K, the docomo Japanese version).
To confirm my thought I used the dd command to back up the abl partition and got abl.img.
I compared the abl.img backed up from my device and the abl.mbn (extracted from the same version firmware) in hex mode using UltraCompare; it's EXACTLY THE SAME, which indicates the signature is also flashed into my device.

edit: by the way, DO NOT TRY WHAT I'VE DONE, my phone is now a hard brick in EDL mode, recognized as a somc flash device with vid ADE2, and can't be repaired by Flashtool, Emma or newflasher. Sad about it, how silly I am.
 

j4nn (Senior Member, joined Jan 4, 2012)
> ...
> Hence my question: what did I do wrong?
> ...
> - delete the *.ta files:
> boot\Lilac_XBootConfig_MiscTA.ta

This ^^ - by deleting the .ta file under the boot directory your bootloader has not been downgraded with the rest of the firmware, which makes the security stuff not work. Upgrading back made it functional again.
I believe there is no difference for your TA backup, no need to do it again.
 

j4nn (Senior Member, joined Jan 4, 2012)
> In fact, I don't agree with your opinion. Last week I used your method to get a temp root shell ...
> ...
> edit: by the way, DO NOT TRY WHAT I'VE DONE, my phone is now a hard brick in EDL mode ...

Did you use the dd command to write a different abl.img into the abl partition?
Where did you get that abl.img - you mentioned some test firmware?
Sorry to hear you have a brick now.
I have managed to obtain the sony firehose/edl boot image (very difficult to get, not free), but it would not help you - it is basically useless, because all commands are protected by sony sake authentication (rsa2048). I tested booting into EDL; the loader is accepted then, but it is of no use after that :-(
We would need a service providing sony sake auth to be able to use it for brick recovery.
 

j4nn (Senior Member, joined Jan 4, 2012)
> Hi, I am using an XZ1 Japanese model running Docomo, firmware number 47.2.B.5.38 (locked bootloader) ...

> I have a SOV36 JP
> ...
> Blocked here.

Hello.. can you actually root the xz1c docomo and install custom roms?
There are some possibilities for these Japanese XZ1 phones, could be very interesting to test.
Please pm me. Thanks.
 

hupengwei (Member, joined Aug 4, 2018)
> Did you use the dd command to write a different abl.img into the abl partition?
> Where did you get that abl.img - you mentioned some test firmware?
> ...

First of all, I downloaded the firmware SO-02K_47.1.F.1.105_1311-8845_R14B in ftf format from google drive, successfully downgraded to oreo with newflasher, and got root with your method.
You need to extract the ftf firmware for newflasher; in the boot folder I found boot_delivery.xml and 3 boot .sin files:
bootloader_X_Boot_MSM8998_LA1_1_O_82_X-FLASH-ALL-5ADA
bootloader_X_BOOT_MSM8998_LA1_1_O_82_X-FLASH-ALL-99C3
bootloader_X_BOOT_MSM8998_LA1_1_O_82_X-FLASH-ALL-110F
I noticed this in boot_delivery.xml:
<CONFIGURATION NAME="DEVELOPMENT">
<BOOT_CONFIG>
<FILE PATH="Lilac_Docomo_XBootConfig_MiscTA.ta"/>
</BOOT_CONFIG>
<BOOT_IMAGES>
<FILE PATH="bootloader_X_Boot_MSM8998_LA1_1_O_82_X-FLASH-ALL-5ADA.sin"/>
</BOOT_IMAGES>
<ATTRIBUTES VALUE="DEFAULT_SECURITY=&quot;OFF&quot;"/>
<HWCONFIG CERTIFICATE="S1_HWConf_Test_b316_0001" REVISION="HWC_Yoshino_Dev_001" VERSION="7"/>
<KEYSTORE CERTIFICATE="x_keystore_e28f" REVISION="DKS_Yoshino_Dev_004"/>
<SECURITY_PROPERTIES REVISION="SP_GenTEST_001"/>
<SECURITY_STATE VALUE="F9E333216BD5DDEF30B81943FF4B3D7C3D73682B"/>
</CONFIGURATION>
and the <CONFIGURATION NAME="DEVELOPMENT"> made me wonder whether it's a test version for developers that enables the bootloader-unlock function. What's more attractive, it says <ATTRIBUTES VALUE="DEFAULT_SECURITY=&quot;OFF&quot;"/>.
So I unsin'd the bootloader_X_Boot_MSM8998_LA1_1_O_82_X-FLASH-ALL-5ADA.sin and got a lot of mbn files, like abl.mbn, Xbl.mbn, etc.
So I just used the dd command to overwrite the abl partition, xbl partition, etc. with the mbn files,
which gave me a hard-bricked phone.
Before these actions, I decided to confirm whether the abl partition in my phone was the same as the abl.mbn in bootloader_X_BOOT_MSM8998_LA1_1_O_82_X-FLASH-ALL-99C3, since the newflasher log says I flashed this file, and only this file, into my phone during the downgrade process.
If they were the same, I thought I could just use the dd command; if not, maybe some information had been discarded, such as the signature.
I compared the abl.img backed up from my device and the abl.mbn (extracted from the same version firmware) in hex mode using UltraCompare; it's EXACTLY THE SAME, and I believe this indicates the signature is also flashed into my device.
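A practitioner's reading of the post above: a byte-identical abl dump only proves that the 99C3 image was written, not that images from a different CONFIGURATION would be accepted. The DEVELOPMENT entry in the quoted boot_delivery.xml names test/dev signing material (S1_HWConf_Test_..., DKS_Yoshino_Dev_..., SP_GenTEST_... and DEFAULT_SECURITY=OFF), and a production-fused SoC does not accept bootloader stages signed for a development chain, which fits the phone dropping to EDL. The script below is an added example written for this page, not a Sony or newflasher tool: it parses the CONFIGURATION entries of a boot_delivery.xml and flags the ones whose signing fields carry test/dev markers. The element and attribute names follow the quoted fragment; the BOOT_DELIVERY root element, the COMMERCIAL configuration, its DEFAULT_SECURITY=ON value and the pairing of the 99C3 image with it are constructed for the demo and are assumptions, not taken from a real package.

```python
"""Flag bootloader configurations in a Sony boot_delivery.xml that carry
development/test signing indicators.

Added example for this thread, not a Sony or newflasher tool. Element and
attribute names follow the fragment quoted in the thread; the BOOT_DELIVERY
root and the COMMERCIAL configuration in SAMPLE_XML are constructed for the
demo and are not taken from a real firmware package.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Name tokens that mark a non-production signing chain.
DEV_TOKENS = {"TEST", "DEV"}

# (element, attribute) pairs that name the signing material of a configuration.
SIGNING_FIELDS = (
    ("HWCONFIG", "CERTIFICATE"), ("HWCONFIG", "REVISION"),
    ("KEYSTORE", "CERTIFICATE"), ("KEYSTORE", "REVISION"),
    ("SECURITY_PROPERTIES", "REVISION"),
)


def looks_dev(name: str) -> bool:
    """True if a certificate/revision name contains a TEST/DEV token.
    Split on non-alphanumerics, so 'x_keystore_e28f' is not flagged while
    'S1_HWConf_Test_b316_0001' and 'SP_GenTEST_001' are."""
    tokens = [t.upper() for t in re.split(r"[^A-Za-z0-9]+", name) if t]
    return any(t in DEV_TOKENS or t.endswith("TEST") for t in tokens)


def config_findings(cfg: ET.Element) -> List[str]:
    """Collect every reason a CONFIGURATION should not be flashed to a
    production-fused device; an empty list means nothing suspicious found."""
    findings: List[str] = []
    if (cfg.get("NAME") or "").upper() == "DEVELOPMENT":
        findings.append("NAME=DEVELOPMENT")
    attrs = cfg.find("ATTRIBUTES")
    if attrs is not None and 'DEFAULT_SECURITY="OFF"' in (attrs.get("VALUE") or ""):
        findings.append("DEFAULT_SECURITY=OFF")
    for tag, attr in SIGNING_FIELDS:
        el = cfg.find(tag)
        value = el.get(attr) if el is not None else None
        if value and looks_dev(value):
            findings.append(f"{tag}.{attr}={value}")
    return findings


def scan_boot_delivery(xml_text: str) -> Dict[str, dict]:
    """Map each CONFIGURATION name to its boot images, findings and a verdict."""
    root = ET.fromstring(xml_text)
    result: Dict[str, dict] = {}
    for cfg in root.iter("CONFIGURATION"):
        images = [f.get("PATH") for f in cfg.findall("BOOT_IMAGES/FILE")]
        findings = config_findings(cfg)
        result[cfg.get("NAME") or "?"] = {
            "boot_images": images,
            "findings": findings,
            "safe": not findings,
        }
    return result


# The DEVELOPMENT block is the one quoted in the thread. COMMERCIAL is a
# constructed counterpart (its names, DEFAULT_SECURITY=ON and the 99C3 image
# pairing are assumptions) so the scan has something it does not flag.
SAMPLE_XML = """<BOOT_DELIVERY>
<CONFIGURATION NAME="DEVELOPMENT">
<BOOT_CONFIG>
<FILE PATH="Lilac_Docomo_XBootConfig_MiscTA.ta"/>
</BOOT_CONFIG>
<BOOT_IMAGES>
<FILE PATH="bootloader_X_Boot_MSM8998_LA1_1_O_82_X-FLASH-ALL-5ADA.sin"/>
</BOOT_IMAGES>
<ATTRIBUTES VALUE="DEFAULT_SECURITY=&quot;OFF&quot;"/>
<HWCONFIG CERTIFICATE="S1_HWConf_Test_b316_0001" REVISION="HWC_Yoshino_Dev_001" VERSION="7"/>
<KEYSTORE CERTIFICATE="x_keystore_e28f" REVISION="DKS_Yoshino_Dev_004"/>
<SECURITY_PROPERTIES REVISION="SP_GenTEST_001"/>
<SECURITY_STATE VALUE="F9E333216BD5DDEF30B81943FF4B3D7C3D73682B"/>
</CONFIGURATION>
<CONFIGURATION NAME="COMMERCIAL">
<BOOT_CONFIG>
<FILE PATH="Lilac_Docomo_XBootConfig_MiscTA.ta"/>
</BOOT_CONFIG>
<BOOT_IMAGES>
<FILE PATH="bootloader_X_BOOT_MSM8998_LA1_1_O_82_X-FLASH-ALL-99C3.sin"/>
</BOOT_IMAGES>
<ATTRIBUTES VALUE="DEFAULT_SECURITY=&quot;ON&quot;"/>
<HWCONFIG CERTIFICATE="S1_HWConf_Live_0001" REVISION="HWC_Yoshino_Live_001" VERSION="7"/>
<KEYSTORE CERTIFICATE="x_keystore_0000" REVISION="DKS_Yoshino_Live_001"/>
<SECURITY_PROPERTIES REVISION="SP_Gen_001"/>
</CONFIGURATION>
</BOOT_DELIVERY>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) == 2 else SAMPLE_XML
    for name, info in scan_boot_delivery(text).items():
        verdict = "OK" if info["safe"] else "DO NOT FLASH: " + ", ".join(info["findings"])
        print(f"{name}: {info['boot_images']} -> {verdict}")
```

Run it with the path of a firmware's boot_delivery.xml to list which images each configuration would flash and why a configuration is flagged; with no argument it scans the constructed sample. The token check is deliberately loose (any TEST/DEV token in a certificate or revision name), so treat a flag as "stop and look", not as proof; the absence of a flag says nothing about whether the images match the device's fused keys.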
 

Tools to backup TA partition (drm keys) of Xperia XZ1 Compact
by j4nn
https://j4nn.github.io/

    As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera (outputting only solid green pictures in case of oreo fw).
    I've implemented tools that allow to backup the whole TA partition, which contains device master key needed to access sony drm keys and restore the TA after bootloader unlock in order to make the camera (among other things) working again on any sony stock firmware.
    In order to be able to use the tools, you need to flash one of the supported firmwares (or be lucky to have the phone already running it).
    In case you need to downgrade, please check this thread first.

    Anybody who is about to unlock their phone, could you please do so with the additional test included?
    See post#500 and post#502 for more details.
    Additional details in post#515, post#516, post#517 and post#527.
    Instructions for the test that I kindly ask anybody who is about to unlock to do are described in the post#520 -- tested already.
    Thank you.


    ABOUT THE TOOLS
    • renosploit - rename/notify exploit to get kernelspace read/write, uses multiple vulnerabilities to overcome kaslr, pxn and pan mitigations of android oreo
    • renotrap - helper application (rename/notify temp root app)
    • renoshell - get temp root shell by use of kernel space read/write primitives provided by renosploit (sources available here)
    • renoroot - a shell script to be started from adb, it starts the above tools to get temp root shell
    A preview video of the tools in action can be downloaded here: renoroot-preview.zip or watched online here.

    As an alternative to renoroot you may use 'bindershell' to get a temp root shell for TA backup - it is available here /added on 2020-02-08/

    SUPPORTED TARGETS
    (with downloadable firmware links)
    • Sony Xperia XZ1 Compact (G8441)
      47.1.A.2.324_CE1 (initial tested by @tramtrist, this release tested by @tanapoom1234 post#212)
      47.1.A.8.49_CE1 (tested by @notaz post#224 and @orsonmmz post#232)
    • Sony Xperia XZ1 (G8341/G8343)
      47.1.A.2.324_CE1 (tested by @HandyMenny post#228)
    • Sony Xperia XZ1 Dual (G8342)
      47.1.A.2.281_CE1 (tested by @Vildanoff post#230)
    • Sony Xperia XZ1 (SOV36) /added on 2019-08-22/
      this Japan version can be flashed with fw for G8341 making it exploitable as standard XZ1 (the possibility to use G8341 fw is confirmed here and also here)
      /this confirms there might be a possibility of TA backup for few yoshino platform phone models that are possible to flash with one of the above firmwares (and boot ok even though designed for other phone variant)/

    • Sony Xperia XZ Premium (G8141)
      47.1.A.3.254_CE1 (tested by @DocLM post#227, by @LinFan post#242 and by @steso90 xzp forum post#45)
    • Sony Xperia XZ Premium Dual (G8142)
      47.1.A.3.254_RU (tested by @greatpatel007 xzp forum post#31 and #39)
    • Sony Xperia XZ Premium (G8188) /added on 2019-04-24/
      this Japan version can be flashed with fw for G8141 making it exploitable as standard XZp (tested by zatsune as documented here)
      /this confirms there might be a possibility of TA backup for few yoshino platform phone models that are possible to flash with one of the above firmwares (and boot ok even though designed for other phone variant)/

    An advice: before flashing anything, enable 'OEM Unlocking' in android developer menu and if flashing a fw for different phone model, skip flashing bootloader (i.e. remove boot/ subdirectory completely before using newflasher). /added on 2019-08-27/

    Please note: the temp root exploit (all renoroot tools) is designed only for the above firmware versions (the binary kernel builds in them) - there is no chance it would work on other phones or other kernel builds - do not try it, it would not work.
    Concerning portability to other targets, the exploit itself needs several vulnerabilities not fixed in a kernel, the primary one being CVE-2017-7533 (race between inotify and rename).
    This was patched by google with the 2017-12-05 security patch level. That means unless you can flash a firmware with an older security patch level, it would not make sense to try to adapt the exploit for a new target (as is the case with the XZ2 Compact device, for example).

    USING THE TOOLS
    Please follow the steps below for an official and up to date guide. If something is not clear enough, you may also check post#382 from @munted for a pdf guide with screenshots, possibly containing more details and windows specific hints.
    1. backup everything you need from your phone
    2. flash compatible firmware
      Before flashing, you may take a screenshot of service menu -> service tests -> security possibly together with current sw version screen for reference and copy them from the phone to your PC.
      You can use newflasher tool from @munjeni and use instructions there to flash the firmware.
      The tool should skip dangerous .ta files automatically. Just remove the persist_X-FLASH-ALL-42E5.sin file, which is discussed here, to avoid flashing it - as tested by @tanapoom1234, not flashing the persist partition allows you to keep the Android Attest Key - check his post#212. /Added on 2019-04-06: The key is obviously not part of TA, it is present in the persist partition, so never flash persist even after TA backup./
      /Added on 2019-04-09: When flashing a firmware, be sure to flash its bootloader too (i.e. the whole 'boot' directory needs to be present with all files in it, including the .ta there). You might skip appslog, diag, Qnovo and ssd./
      In case of downgrade it is needed to flash userdata (and possibly also cache) otherwise you get a boot loop.
      Just backup your stuff before downgrade as with downgrade comes a factory reset. In fact I would recommend to do a factory reset just before the downgrade in order to remove the binding to your google account. This way you can avoid going online after the downgrade if used without sim and skipping wifi configuration.
    3. prepare your phone
      When the phone boots up, try to avoid connecting to internet by selecting only wifi and not configuring any, skipping accounts setup for later.
      This may not always be possible - if persist is not flashed, android insists on setup of google account online, also starting downloads for upgrade.
      Cancel everything as soon as possible and disable wifi. You may be better not using a data enabled sim card - we try to avoid any updates.
      Disable auto updates of both apps and system. Change the theme from an animated background to a static one.
      Enable the developer menu, enable adb and the "Stay awake" option. A youtube video showing the initial setup to prepare for renoroot is available here.
      Take a screenshot of service menu -> service tests -> security for reference and copy it from the phone.
      Again be sure both wifi and mobile data connection are disabled to avoid any background internet access.
    4. install the tools
      Unzip renoroot.zip (download it below). Use the following adb commands to get the tools to the phone:
      Code:
      adb push renoroot /data/local/tmp
      adb push renoshell /data/local/tmp
      adb push renosploit /data/local/tmp
      adb install -r renotrap.apk
    5. start the tools to get a temp root shell
      Use adb shell to get a command line terminal to the phone and use following commands:
      Code:
      cd /data/local/tmp
      chmod 755 reno*
      ./renoroot
      The last command above will start the exploit, eventually resulting in a temp root shell (that should be indicated by a # char before the cursor).
      It may get the phone to reboot in case an overwrite does not hit the wanted shaped heap object.
      You may wait few minutes after the phone boots to allow startup processes to settle down in order to avoid timing influence for next trial.
      There is a video for example of this step available here.
    6. backup your TA partition
      When renoroot is successful, you may use following commands in the root shell to backup the trim area partition:
      Code:
      cd /data/local/tmp
      dd if=/dev/block/bootdevice/by-name/TA of=TA-locked.img
      chown shell:shell TA-locked.img
      sync
      sync
      And then try to read it out from the phone to your PC - use another command prompt window, do not exit the root one:
      Code:
      adb pull /data/local/tmp/TA-locked.img
    7. unlock phone's bootloader using a code from sony
      When you have the TA-locked.img on your PC including screenshots, you may start the official Sony unlock procedure - follow instructions on sony website please.
      Added on 2019-04-16: please note, bootloader unlocking is not reversible - it is not possible to re-lock back (restore of TA-locked does not relock the bootloader).
      So be prepared to live with the boot up warning screen (can be seen for example in this video).

      Again be sure you have the TA-locked.img on your PC before you start unlocking the bootloader - unlock will erase your phone, so it would get lost from /data/local/tmp if not backed up.
      In case oem unlocking is grayed out (so you cannot enable it) you need to go online at least once and the option would be accessible then - video here.
      After you unlock the bootloader, do not flash anything - just boot the same unmodified fw we used for the temp root.
    8. get temp root again to restore TA
      Use the same instructions to avoid internet access and updates as described above, configure the few above mentioned options and start renoroot as before.
      With the temp root shell, backup the unlocked TA (for future comparisons) and then restore the state from the locked one. You may need to adb push the TA-locked.img back to /data/local/tmp as the unlock erased everything.
      Code:
      cd /data/local/tmp
      dd if=/dev/block/bootdevice/by-name/TA of=TA-unlocked.img
      chown shell:shell TA-unlocked.img
      sync
      sync
      And then try to read it out from the phone to your PC (and transfer the locked TA back to the phone) - use another command prompt window, do not exit the root one:
      Code:
      adb pull /data/local/tmp/TA-unlocked.img
      adb push TA-locked.img /data/local/tmp
      And using the window with renoshell temp root shell, restore the TA:
      Code:
      cd /data/local/tmp
      dd if=TA-locked.img of=/dev/block/bootdevice/by-name/TA
      sync
      sync
    9. boot up the phone with the current fw and see whether the camera works or not
      You may also document the security screen state by taking a screenshot. Do not forget to transfer it from the phone to PC.
    10. flash twrp recovery
      Updated on 2019-08-08: please see post#1029 for the latest workflow with the kernels hiding bootloader unlock status.
      Updated on 2019-02-10:
      Instead of flashing twrp, you may just 'fastboot boot' it if you need it.
      Instead of the steps 10. to 13., you may use patched and rooted kernel hiding bootloader unlock available in following forum threads in order to be able to even install FOTA system update
      giving you back sony drm functionality that fw disables when it detects unlocked bootloader status. For more details see also post#645 of this thread.
    11. OPTIONAL step (only for XZ1c maybe XZ1)
      This step is optional and only lightly tested. The idea is that secd detects unlocked bootloader and switches to limited mode even though drm keys are available. This can be seen in the adb logcat with following message:
      Code:
      E secd    : secd_backend_credential_manager.cpp:77    the bootloader is unlocked, use limited functionality
      To workaround that, we may use a secd ripped from secd extension by modpunk - just flash attached secd-ignore-unlock.zip at bottom of this post via twrp recovery (do not flash the 'secd extension by modpunk' which is linked here only for reference).
      I've analysed what changes were done in the secd. Also the lib which fixes the missing device key in TA is not needed from modpunk's package as we have the real valid key there, so I've removed the lib (and the script which would preload it). Therefore it is just about making secd think that the bootloader was not unlocked. Thanks to @modpunk for the patched secd and @russel5 for the flashable zip on which the secd-ignore-unlock.zip is based.
      With this, sony updates may start to arrive.
      Please note, this would make sony think the phone runs unmodified and still locked fw. OTA updates may restore original secd or fail altogether (due to modified system/vendor/... partitions).
      You may boot the phone to see what happens (OTA updates?) - edit: OTA updates did come, but install to be done on reboot failed - tested by @Unbounded, see post#43 and #44 of the attest key thread please - this may confirm the availability of the SOMC Attest Key which may be the key needed to get sony ota updates (just a guess, not sure what exactly this key is used for).
      Again, this step is optional and very experimental, maybe better not to apply it (camera works without this step on any stock fw without any change /until sony changes that in some update/).
      Update: see post#395 for secd_ignore_unlock for XZ1c for pie from @S-trace - thank you. It works with XZ1 too (see post#396). The patch port for XZp pie is here: attest key thread post#67.
      In my opinion all these secd patch variants are hiding the unlocked state only partially. There are other components in the fw that ask about the unlock state. A proper solution for this is the unlock hiding patched kernel linked in the step 10. of this howto.
    12. flash a recent stock firmware
      In case you wanted the patched secd, flash it again over the flashed fw.
      Boot the phone, check functionality, take screenshots.
    13. install magisk if a rooted phone is what you need ;-)
      Follow instructions of latest magisk, it should work without any special actions.

    AUTOMATED FULL BACKUP
    These are experimental tools (and actually seem not to work in some cases, getting truncated files that are useless) to extract most of the partitions from the phone after getting a temp root. They can be used for comparisons/analysis of what unlock changes (download backup-tools.zip at the bottom of this post).
    You would run backup-setup.bat in the windows command prompt first (you may need to adjust the PATH setting to find adb properly) to copy the tools to the phone and set up tcp forwarding for netcat based copying.
    Then using adb shell you would do:
    Code:
    cd /data/local/tmp
    ./backup-send.sh
    and in windows command prompt you would start:
    Code:
    backup-recv.bat bk-unlocked
    and partition images would be extracted from the phone (for larger ones the sparse android image format is used).
    Full depth comparison could be achieved by use of these backup tools (obviously needs to be done twice - before and after unlock, changing the target directory name argument of backup-recv.bat).

    WHAT WORKS
    Here is a quote of post#185 from @tramtrist in this thread describing the results of the initial tests - special thanks to him!
    I'd like to report in real quick on what's working.
    After following @j4nn very clear instructions and backing up/restoring my TA keys I was left with the NOT PROVISIONED messages he mentioned earlier. However this seems to be no problem as after TA-restore my camera works as it did before. I'm also able to use WIDEVINE sites which require that key as well.
    After restoring TA I went ahead and flashed the latest UK customized firmware
    I then flashed TWRP latest version 3.2.3
    I wanted to have root so I flashed Magisk 1.73 and safety net worked without me having to do anything special.
    Google Pay could be set up and seems to be using my credit cards just fine.
    I didn't flash any custom kernel as stock is just fine for me.
    Adaway is working with root without issue.
    All-in-all if you follow @j4nn instructions when he's ready to fully release them to the public then I'd say you will be in good shape.
    I'd like to thank @j4nn for giving me the chance to finally contribute something concrete to this community. If you're gonna use this you should drop him some cash.
    Update: if you follow the links added in step 10. and use "rooted kernel hiding bootloader unlock", it seems you can have all functionality restored including fota system updates while having magisk root with passed safetynet cts. Verified by @notaz in post#14 of the "[XZ1c] rooted kernel hiding bootloader unlock" thread. Thanks.

    ACKNOWLEDGEMENTS
    Many thanks to following users:
    • @moofesr - for testing initial kernel builds until proper build procedure had been found, special thanks for his patience when all tests resulted with bootloop
    • @Raz0Rfail and @moofesr - for testing timing of rename/notify vulnerability with patched kernel
    • @dosomder (aka zxz0O0) - for his iovyroot
    • @tramtrist - for initial testing of TA backup, unlock and restore, special thanks for exposing himself to the risk of losing drm if it did not work
    • @tonsofquestions - for a lot of testing with unlocked-ta-restored phone when I did not have an unlocked phone yet
    • ThomasKing (not a user on xda) - for his black hat ksma presentation
    • a few other users in this and the attest key lost thread here on xda - for some other cve possibilities, ideas and specific tests

    DONATIONS
    Please note: I had to invest an enormous amount of time (as you can see throughout this thread and also summarized in the progress/change log in post#2) to develop these tools, the code is extremely complex (more than 9000 lines of source code) and it was unbelievably hard to debug and get the timing usable.
    It would be kind of you if you could consider donating here please:
    https://j4nn.github.io/donate/
    I would be happy to accept any donation to me as a form of gratitude in case the software helped you to backup your TA (drm keys) before bootloader unlocking.
    Thanks.

    DOWNLOAD THE TOOLS
    See the attached renoroot.zip at bottom of this post.
    Please post your experience with using the tools, if it worked and on which phone model (and fw in case of xz1c).
    You may include info about how long it took to get a root shell, how many reboots, how many events in the last trial which succeeded with how many overwrites (just one with success is the best, more means previous overwrites did not hit the wanted object in the shaped heap, resulting in a possibly unstable system). This info is interesting for statistics, so we all know how fast we can get a temp root on each device/firmware.
    Thanks.
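To catch the truncated-image failure mode mentioned in the AUTOMATED FULL BACKUP section above, here is a small POSIX shell check added by the editor; it is not part of j4nn's backup-tools.zip. It assumes you recorded the expected byte size of every raw partition on the phone into a manifest (a suggested command for that is in the comment, with a hypothetical by-name path), and that images dumped in sparse format are expanded with simg2img before checking.

```shell
#!/bin/sh
# check_backup: verify that partition images pulled by a netcat-based copy
# are not truncated and record a checksum for before/after-unlock comparison.
# Added example, not part of backup-tools.zip.
#
# It assumes a manifest with one "<partition-name> <size-in-bytes>" line per
# partition, recorded on the phone from the temp root shell, for instance
# (hypothetical path layout, adjust to your device):
#   for p in /dev/block/bootdevice/by-name/*; do
#     printf '%s %s\n' "$(basename "$p")" "$(blockdev --getsize64 "$p")"
#   done > /data/local/tmp/sizes.txt
# Images dumped in android sparse format must be expanded with simg2img
# before this size check is meaningful.

# check_backup <manifest> <backup-dir>
# Prints one status line per partition and returns 0 only if every image
# exists with exactly the expected size.
check_backup() {
    manifest="$1"
    dir="$2"
    bad=0
    while read -r name bytes; do
        [ -z "$name" ] && continue          # skip blank lines
        img="$dir/$name.img"
        if [ ! -f "$img" ]; then
            echo "MISSING   $name"
            bad=1
            continue
        fi
        actual=$(wc -c < "$img" | tr -d ' ')
        if [ "$actual" -ne "$bytes" ]; then
            # a short file means the transfer was cut off: the image is useless
            echo "TRUNCATED $name: got $actual bytes, expected $bytes"
            bad=1
        else
            # POSIX cksum prints "crc size name"; keep the crc for later diffing
            crc=$(cksum "$img" | cut -d' ' -f1)
            echo "OK        $name $actual bytes crc=$crc"
        fi
    done < "$manifest"
    return "$bad"
}

# usage: ./check_backup.sh sizes.txt bk-unlocked
if [ "$#" -eq 2 ]; then
    check_backup "$1" "$2"
fi
```

Run it once against the pre-unlock dump and once against the post-unlock dump; matching crc values show which partitions the unlock left untouched.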
    permanent root with still locked xz1c preview

    Here is a preview video of my current work: still locked xperia xz1c with permanent root on latest fw
    Phone since power up, no unlocked bootloader warning screen, i.e. still locked, with root / magisk right after boot, even auditor app passes the hardware attestation confirming locked state.
    fw version 47.2.A.10.107 (July 1, 2019 security patch level)
    Try to flash full 47.1.A.16.20 fw with newflasher - remove *.ta, keep boot subdirectory (including the one .ta there), remove persist (and optionally Qnovo, amss*, ssd) sin files.
    Try to boot it, check camera and video enhancements. At least camera should work if TA was previously restored.
    Flash the latest twrp. Then magisk. As far as reported by other guys, these two steps were straightforward...

    Does it matter if you don't remove the *.ta files or remove the persist (and optionally Qnovo, amss*, ssd) sin files??? (My Android Attest Key was NOT PROVISIONED anyway when I started.) I err just left all the files and flashed them, the camera is working though and I have working root and TWRP.

    I've also attached a guide, have a look, honestly because I was fumbling around this whole process took me many hours over 3 days and I'm really glad to get responses to my questions. I hadn't done a lot of this stuff for over a year so I basically had to research from scratch how to install TWRP etc. But I think the guide should change the degree of difficulty from, "this is quite an involved process, you need to have prior experience with installing multiple tools like TWRP, magisk etc. and know where to find the right Google and Sony drivers as well as have some UNIX knowledge" to more like, "doable for intermediate users who can download and unzip files and can put commands into Command Prompt." It's a small contribution but I'm hoping it should make your work more accessible and more people will use it. :laugh:

    Again thanks for making this tool j4nn and thanks to tonsofquestions and j4nn for all your help and answering questions, no guarantee I won't ask more questions though! Again hopefully this guide will mean fewer questions from others! :D

    If anyone has tried to follow this guide and has any suggestions or found it useful let me know :)
    @SXUsr, you know, my work definitely was not about making a profit.
    As mentioned in this post (my answer for a help request to exploit google pixel 2 xl locked down by verizon), just counting the time spent, I could make a better profit taking any low paid job than any bounty promised here.
    If I wanted everybody to pay, it would be a heavily protected commercial app with online license providing private keys to obtain key parts to exploit particular target.
    As already mentioned, if I did not want to get it done for myself, I would not do it, regardless of any possible reward.

    So thank you to all who donate.

    And so you know, there was an exceptionally generous donation recently - a person who donated even 100$ (not making any comment or any link to a nickname here).
    Thank you very much. That shows there are a few who really understand how difficult it was and what value it brings.

    And so you know, your money did not get wasted - I've ordered a brand new XZ1 Compact just for testing and development work.
    This will allow me finally to use my phone as a daily driver while I can develop or test anything on another one.
    I believe this phone is great, possibly one of last with such small/acceptable size, now temp-rootable to get it under full control - not sure this repeats anytime soon.
    Working on the exploit and testing downgrades and such, I did not have even a contact list in my phone for something like 9 months!
    Think about it, having such phone and instead of using it, working so long on an exploit...

    Thanks again to all who appreciate the effort, the value it brings and donate/donated something.
    Tools to backup TA partition (drm keys) are released - see the first post of this thread!