[XZ2/XZ2c/XZ2p/XZ3] temp root exploit via CVE-2020-0041 including magisk setup
- Thread starter j4nn
- Start date
i am very happy with this root method. but is it possible to have tama-mroot updated to the new version? because when i tried to update the root myself with the magisk app, it always broke my phone. the new magisk root version has zygisk and i really need it. and i would very thankful if the tama-mroot could be updated.
Hi rdhany, can you show me how to replace the firmware list? Iam using xz3 softbank.
Hello u can find this rom if u using Xperia Companion. They have option for repair and u get a rom after they downloaded for repairing ur device.
Hi everyone, I need some help here with my XZ3 SOV39 variant. I've downgraded from the latest SOV39 ROM to the global ROM mentioned in the top post using newflasher tool. I've successfully installed the Oneplus launcher into the oem folder and enabled the gesture navigation using the temp root method. However, my phone has lost the VoLTE function in the meantime after flashing the global FW.
So my questions are,
1. What are the steps to upgrade the firmware to the latest version without modifying the oem folder and losing the launcher?
2. Is the availability of VoLTE strictly tied to the OEM version or the firmware version?
3. Is there anyway to fix the VoLTE using the temp root method, for example Magisk modules? If not, would VoLTE work again if I flash the latest global firmware with the original Japan OEM partition?
So my questions are,
1. What are the steps to upgrade the firmware to the latest version without modifying the oem folder and losing the launcher?
2. Is the availability of VoLTE strictly tied to the OEM version or the firmware version?
3. Is there anyway to fix the VoLTE using the temp root method, for example Magisk modules? If not, would VoLTE work again if I flash the latest global firmware with the original Japan OEM partition?
Last edited:
just uploaded the fw version you have requested:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C.zip
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C.zip
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C.zip
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C.zip
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
and added to the first post too
Hello, I know from someone that version 52.1.B.0.188
sony xz2compact docomo (SO-05K)
can be temprooted.
I already got
boot /kernel,abl,aop,bloototh a10 version 52.1.B.0.188 (SO-05K).
can someone develop and build an exploit for xz2c ( SO-05K) please help me
sony xz2compact docomo (SO-05K)
can be temprooted.
I already got
boot /kernel,abl,aop,bloototh a10 version 52.1.B.0.188 (SO-05K).
can someone develop and build an exploit for xz2c ( SO-05K) please help me
Last edited:
Hey
Its finally possible to update magisk on temprooted xz3 and other devices.
I will publish a post
Why not you just crossflash to target version of xz2c and get temproot .Hello, I know from someone that version 52.1.B.0.188
sony xz2compact docomo (SO-05K)
can be temprooted.
I already got
boot /kernel,abl,aop,bloototh a10 version 52.1.B.0.188 (SO-05K).
can someone develop and build an exploit for xz2c ( SO-05K) please help me
It's simply as easy as pie
No that's not possible
It wil surely break system
You have to sacrifice and lose VoLTE if you want temproot
It is onlly possible for global version
You have to crossflash to targeted global version fw if you want temproot
And you will lose VoLTE
You can try with this app if you have xbl partition backed up from bootloader unlocked device
It have partition manager and it is working
I dont know if it will work or not
Nope I'm already using temproot for XZ3 AU SOV39 without using rom Global
it's ok, maybe at soon I'm make tutorial use for docomo, softbank and au temproot in xda. Btw for volte it's not lose for my country can be used since IMS not registered so I need time for fix thisAttachments
Glad to know thatNope I'm already using temproot for XZ3 AU SOV39 without using rom Global
Btw is there any possibility to unlock bootloader without s1unlock tool
And how can we boot into edl mode.
it was possible for lg v50 i think by flashing xbl partition backed up from unlocked device
Having non unlockable bootloader device is headache.
Im gonna never buy sony mobiles again
Hmmm someone ppl the last time try open unlock bootloader from backup boot.img from root device but this person get hardbrick and someday this person back again and said the device already unlock bootloader. Idk this possible or not since this person not said the detail how be can possible about that. For XBL partion someone wanna try this. But my problem is sim lock. AU provider give locked for network subset. I need know how be possible open this without s1unlocktool if do.Glad to know that
Btw is there any possibility to unlock bootloader without s1unlock tool
And how can we boot into edl mode.
it was possible for lg v50 i think by flashing xbl partition backed up from unlocked device
Having non unlockable bootloader device is headache.
Im gonna never buy sony mobiles again
Similar threads
- Poll
Top Liked Posts
-
There are no posts matching your filters.
-
35temp root exploit for sony xperia XZ2/XZ2c/XZ2p/XZ3 with android 10 firmware
including temporal magisk setup from the exploit
The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
I have adapted the Pixel 3 specific exploit for kernel 4.9 that is used with sony TAMA platform phones running Android 10 with February 2020 security patch level.
SUPPORTED TARGETS
- H8116-52.1.A.0.618 - xperia XZ2 Premium
- H8166-52.1.A.0.618 - xperia XZ2 Premium dual
- H8216-52.1.A.0.618 - xperia XZ2
- H8266-52.1.A.0.618 - xperia XZ2 dual
- H8296-52.1.A.0.618 - xperia XZ2 dual
- H8314-52.1.A.0.618 - xperia XZ2 Compact
- H8324-52.1.A.0.618 - xperia XZ2 Compact dual
- H8416-52.1.A.0.618 - xperia XZ3
- H9436-52.1.A.0.618 - xperia XZ3 dual
- H9493-52.1.A.0.532 - xperia XZ3 dual
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.
USAGE HOWTO INCLUDING MAGISK SETUP
- be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
- enable developer mode options and in there adb debugging (eventually install adb drivers)
- download the tama-mroot.zip with the exploit attached in this post
- download Magisk-v20.4.zip from magisk releases page on github here
- use 'adb push tama-mroot.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
- unzip and prepare magisk setup with following commands in 'adb shell'
Code:cd /data/local/tmp unzip tama-mroot.zip chmod 755 tama-mroot magisk-setup.sh magisk-start.sh ./magisk-setup.sh - get temp root and start magisk up with following commands in 'adb shell':
Code:cd /data/local/tmp ./tama-mroot ./magisk-start.sh -1 ./magisk-start.sh -2 ./magisk-start.sh -3
If it worked, you should see something like this:
Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.
Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot image, can result with a not anymore booting phone.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions - you would need to unlock bootloader for that.
Some partitions might still be possible to modify - for example in case of sony xperia xz1 phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.
Please note, this exploit will get you a root shell with still locked TAMA platform phones that could allow to backup TA partition in still locked state, having drm keys (the device key) still there. Backup of TA partition now works with tama-mroot avoiding 'Required key not available' you could experience with previously released tama-root.
There is currently no known method though how to restore drm functionalities after bootloader unlock even after restoring TA partition from the locked state backup.
For details please check exploiting xperia XZ2 - good and bad news post and following discussion there.
SOURCES
Exploit sources for all releases are available at my github here.
CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.
Thank you very much to all who donate.
DOWNLOAD5As it seems .618 fw versions get missing from xperifirm, please let me know if you need some - I still have following:
H8116_Customized IBE_1313-3189_52.1.A.0.618_R3C
H8166_Customized FR_1313-2540_52.1.A.0.618_R4C
H8216_Customized UK_1313-4679_52.1.A.0.618_R5C
H8266_Customized FR_1313-2481_52.1.A.0.618_R4C
H8296_Customized TW_1313-6119_52.1.A.0.618_R4C
H8314_Customized FR_1313-2468_52.1.A.0.618_R4C
H8324_Customized FR_1313-2469_52.1.A.0.618_R2C
H8416_Customized IBE_1316-6423_52.1.A.0.618_R5C
H9436_Customized FR_1316-3076_52.1.A.0.618_R6C
H9493_Customized HK_1316-2331_52.1.A.0.532_R2C
so I may upload it on request.
