- V5.23 Fix for Android 6 (Freeze on boot logo)
Installation of kcal kernel module for supported kernels. Get the app from https://forum.xda-developers.com/and...ntrol-t3032080
- V5.22 Bug in the vendor overlay creation. Existing directories (like /vendor/bin) have not been replicated correctly
- V5.21 Fix issue when running on Linux (some CR/LF)
Patch libsepol in bootimg for backwards compatibility with Android 6
- V5.20 Support for superuser as an alternative to SuperSU (https://github.com/phhusson/Superuser)
Fix for the missing internal storage link in TWRP
- V5.11 Support for Android 7.0
Fix in the overlay layout which could prevent some libraries from loading and cause battery drain
- V5.1 Support for Android 7.0
Updated bootimg to deal with Android 7.0 policies
New tool inside bootimg for adding new contexts to binary file contexts
New system overlay layout due to a more restrictive linker in Android 7
- V5.0 New system overlay method using the /vendor directory. As this directory is also in the library search path even libraries can be easily replaced without modifying the system partition
System-less SuperSU integration improved (Version 2.76 or higher recommended)
System-less xposed integration (using the standard distribution)
Support for 32.A.0.253
- V4.51 Fix for awk script for Linux kernel version detection when running on Linux
- V4.5 Fixed adb and mtp file access in TWRP for 32.2.A.0.224
- V4.42 Added support for Z2 (Sirius) and TWRP fstab fix for leo and aries (thanks to waleedsq81)
- V4.41 Fixed issue with Y/N choice on non-english Windows. Added support for Z3 (leo)
- V4.4 Support for Z3+/Z4, Tablet Z2, Tablet Z3 and Tablet Z4 added (Z4 still has an issue with TWRP, but DRM fix works)
SuperSU integration reworked in order to need less SELinux exceptions and to be more secure
All tasks can now be individually selected. Therefore there is no separate DRM only script required
- V4.31 Renabled Z5P (satsuki) and Z5C (suzuran) for TWRP and drmfix
- V4.3 Support for older Lollipop added
Script execution for Linux fixed
- V4.24 Fix for for a bug in SuperSU integration in V4.23
- V4.23 Fix for repacking 3rd party kernel (Some permissions were on custom directories were lost)
- V4.22 Bugfix for readta (flash_dk reported unit not)
- V4.21 Fix for the Linux binary of bootimg
- V4.2 Updated TWRP to 3.0.2
Fix for WideWine (if you have your device key) Thanks a lot to goofnorf101 for testing
unpackinitfs and makeinitfs in my bootimg tool now maintain date/time of files correctly
Automatic SuperSU installation
Fix for older kernels (Lollipop)
Binary for Linux (The older version had the ARM version packaged)
Device is not stored in the kernel image anymore
TWRP updated to version 3.0.1
FAQ - Please read
- Is is possible to have root with locked bootloader?
Short answer: no
Long answer: The locked bootloader only boots unmodified kernel packages signed by Sony. The stock kernel only mounts unmodified /system partitions (dm-veritiy) -> No modification without unlocking
So any change to the kernel (like this script) or system partition requires unlocked bootloader
- What is dm-verity?
A hash checksum on all blocks of a filesystem in order to verify the integrity
- What is Sony RIC?
A protection to avoid mounting the root filesystem or system read/write
- What happens if I unlock my bootloader
The device key (TA unit 0x1046b) will be wiped, which deactives everything DRM related. In addition a full wipe of your phone will be perfomed.
So extract your TA partition before with this great tool http://forum.xda-developers.com/cros...-tool-t3349597 from zxz0O0
If you already unlocked the bootloader before, then at least the credentials will be restored, which will reactivate stuff like x-reality and camera de-noise
- Why do I need to flash my device key?
Without your device only some functions can be reactivated, like x-reality. Other functions like widevine do not work with out your device key.
- How do I enter TWRP recovery?
Restart your phone and press the volume key up as soon as the LED switches to yellow
- I want to use a custom kernel with the DRM fix
Just say "N" to all other options. Nevertheless be prepared for problems if the custom kernel does not match your Android version.
- What should I do if there is an update to this script?
First check if you really need to run this update by checking the changelog. E.g. if it says binary for Linux fixed and you are using Windows then probably you don't care. If you did not change your Android version then all you have to do is to update the kernel package with fastboot flash boot. If you do not use the automatic SuperSU integration then you have to reinstall SuperSU in TWRP.
This tool repacks an existing kernel package (usually the stock kernel) in order to make it rootable and adds TWRP recovery as well. Version 4 has been succesfully tested with LP and MM.
In particular it adresses the following issues:
- DM-Verity: Android is now using dm-verity to verfy the integrity of the system partition. Until you switch it off your phone won't boot after modifying /system
- SONY RIC: RIC is blocking the write access to the system partition
- DRM Keys: After unlocking the bootloader your device key is wiped, which deactivates some functionaliy. E.g. x-reality, denoise in camera aso.
Recompiling the kernel is not required as only the init ramdisk needs to be modified. You can run these scripts either in Windows or Linux.
Thanks to the excellent work of zxz0O0 you can now backup the TA partition before unlocking the bootloader with this tool http://forum.xda-developers.com/cros...-tool-t3349597
If you managed to backup your TA partition before you unlocked the bootloader then this version will fully reactivate your keys as well. (many thanks to addicted1900 for helping me with the testing)
As there has been some confusion I would like to point out one more time that you cannot run any kernel package which is not signed by Sony without unlocking the bootloader. So this works only with unlocked bootloader.
As it seems that it is not clear to everyone I also want to mention that <...> is a placeholder. E.g. <extracted kernel> means that you should replace it with then name of your extracted kernel, which could be kernel.elf
There was a report that having SuperSU in the system partition installed may lead to a bootloop. Therfore you shoud first install the bootimage created by this script and then install SuperSU afterwards, as it will then use the system-less strategy.
In order to use these scripts you need the kernel boot image of your current version. There two different ways to obtain it:
If you have a .ftf image then open it with zip application (7Zip, WinZip, Windows Compressed Folder) and extract kernel.sin. Afterwards use Flashtool -> Tools -> SIN Editor to extract the kernel. You should end up with the boot image with extension .elf.
Run your favourite recovery and connect via
adb -d shell
find /dev -name boot dd if=<output of the find command before> of=/sdcard/kernel.img
The newest version support superuser as an alternative to SuperSU. This is available open source and can be verified. In order to integrated you need the current superuser.zip from http://superuser.phh.me/superuser.zip and to be install the app afterwards from Google Play (look for superuser phh) or build it yourself from github.
To integrate the kernel part just place superuser.zip in the rootkernel directory.
You can also still use SuperSU, although it is causing a huge battery draining on my Z5 with Android 7.0 If you place SuperSU in the same directory (SuperSU*.zip, case sensitive) then it will be also installed automatically . It did all the tests with 2.76, but newer versions should work as well. Please be aware that you can not update SuperSU within the application. For a newer SuperSU version you need to rerun the script.
If you want to integrate xposed as well just place the distribution for you device and Android version in the same directory. (e.g. xposed-v86-sdk23-arm64.zip). Only support with Android 6.0 (sdk 23) and higher.
xPosed for Android 7.0+ is still not available.
rootkernel <extracted kernel> boot.img
- Sony RIC is enabled. Disable?
I prefer not to disable it in order to keep my phone more secure. Unfortunately there are a lot of bad guys in this world and SELinux and RIC still can save us if someone discovers a new kernel exploit.
Sony RIC basically prevents mounting the /system partition for write. You can still modify it in recovery of of course, but if you require write access to /system without entering recovery then you need to disable it.
- Install TWRP recovery? Here you should say yes unless you are trying to patch a non-stock kernel, which comes already with a recovery
- Install busybox? For security reasons I prefer not to install. In recovery you have it anyway. This choice is only available if you chose install TWRP
- Found SuperSU-v....zip. Install? Integrates SuperSU. For this option to show up you have to place the SuperSU package into the same directory with the name SuperSU*.zip (case sensitive)
- Found superuser.zip. Install? Integrates superuser. For this option to show up you have to place superuser.zip into the same directory (case sensitive)
- # Make su permissive (Permits any action as su)? This only appears if you install superuser. Permissive means you can anything as root, without it is restricted mainly to file operations (sufficient for e.g. Titanium Backup)
- Found xposed-v....zip. Install? Integrates xposed system-less. For this option to show up you have to place the xposed for your device and Android version into the same directory. (e.g. xposed-v86-sdk23-arm64.zip)
- Install DRM fix? Installs the DRM fix. First it tries to use the device key which you flashed with flash_dk. If it does not exist it uses an alternative method which cannot fix everything (e.g. Widevine will not work, but X-reality, Camera denoise etc. will work)
Now put your phone into fastboot mode (Volume Up + connect USB) and then run:
To test it without actually flashing it:
fastboot boot boot.img
fastboot flash boot boot.img
flash_dk <ta backup image> DK.ftf
This is a one-time task. It will survive a complete reset of the phone or Android system upgrade. The device key has a length of just 16 bytes, so it is correct that the resulting DK.ftf has a size of only aprox. 500 bytes.
If you like my work you can buy me a coffee
Some background information:
There are two main tools involved (for both Android and Windows)
Probably everyone knows it
A multicall binary with several tools for unpacking and packing the boot image as well as adapting the SELinux policy. Part of the code is written by me from scratch, some other parts are cherry picked from other projects. I will also provide the source for it. As Windows doesn't have softlinks I modified the tools for unpacking and packing the init ramdisk to write text files with __lnk__ at the end instead.