[discussion][root] with [locked bl], vulnerabilities Snapdragon on <March2016 Android - Xperia Z5 General

There's an interesting article that got me thinking:
http://buysoft.greatsoftline.com/vu...m-snapdragon-chip-allow-for-easy-root-access/
CVE-2016-0819 vulnerability
We discovered this particular vulnerability, which is described as a logic bug when an object within the kernel is freed. A node is deleted twice before it is freed. This causes an information leakage and a Use After Free issue in Android. (UAF issues are well-known for being at the heart of exploits, particularly in Internet Explorer.)
CVE-2016-0805 vulnerability
This particular vulnerability lies in the function get_krait_evtinfo. (Krait refers to the processor core used by several Snapdragon processors.) The function returns an index into an array; however, the validation of the inputs to this function is not sufficient. As a result, when the array krait_functions is accessed by the functions krait_clearpmu and krait_evt_setup, an out-of-bounds access results. This can be useful as part of a multi-exploit attack.
Gaining root access
Using these two exploits, one can gain root access on a Snapdragon-powered Android device. This can be done via a malicious app on the device. To prevent further attacks that may target either the patched vulnerabilities or similar ones that have yet to be discovered, security experts are not disclosing the full details of this attack.
Trend Micro researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.
Once the updates have been applied, flash back via XperiFirm, exploit that vulnerability and gain root.
What do you think?
langeveld024 said:
It was already found.
.11 fw is vulnerable at several points; however, rooting is not possible due to dm-verity and Sony RIC, which prevent modifying /system.
If you search this thread you'll find more about it.
bummer
Pandemic said:
We are geniuses in the Z3 forum!!!!
http://forum.xda-developers.com/showthread.php?p=65856403
“Sent From MWE V9.5.0 On My Z3”
There's progress on the Z3 front

Poor Sony fans have been waiting so long for root on a locked BL; many 6.0 phones have already got root.

Gaining root with locked BL is actually great security risk, not something one should be proud of.

Saw this?
http://forum.xda-developers.com/showthread.php?p=65861217
Post 1677 by Pandemic
It looks promising, the Z3 just got Root on LB
Thanks to Wolfbreak, the developer since the X10i.
Sent from my E6653 @ XDA Portal

Duvel999 said:
Saw this?
http://forum.xda-developers.com/showthread.php?p=65861217
Post 1677 by Pandemic
It looks promising, the Z3 just got Root on LB
Thanks to Wolfbreak, the developer since the X10i.
Sent from my E6653 @ XDA Portal
Is it possible to port this root method to M with LB for the Z3? They have the same problem with DRM keys as us... but they win.
http://forum.xda-developers.com/z3/...oid-6-0-mm-t3337357/post65856403#post65856403
thanx.

I don't think there will be a way to root the Z5 with LB, unfortunately.

The method there needs a custom recovery installed which is possible on Z3 due to an exploit used on an early firmware. Since there's no such achievement yet on the Z5 you will already fail with the first task and any other following.
Since they've made their success public before the final firmware is out Sony has enough time to fix everything else.

Some people say the Z5 and Z3 use the same hardware and could technically use the Z3 ROM to root the Z5.
However, the heading of this post should change. I thought we finally had root on the Z5 family, only to find out that it's just a post talking about root on the Z3...

zacharias.maladroit said:
There's an interesting article that got me thinking:
http://buysoft.greatsoftline.com/vu...m-snapdragon-chip-allow-for-easy-root-access/
I didn't know that information was going to be disclosed in May instead of being kept secret. Good news from our point of view...
I think that, if the vulnerabilities could also be exploited on the Z5 line (every exploit needs to be verified in practice), then we could gain temporary shell root/system privileges to back up the TA partition. If I remember correctly, we cannot achieve permanent root on a locked bootloader, as the /system protection Sony RIC is embedded in the stock kernel image.
We would need some mobile flashing tool like this: http://forum.xda-developers.com/showthread.php?t=2334554

I think I misunderstood. The problem is the Verified Boot ("dm-verity") check introduced in the Z3+/Z4 and Z5 line.
We cannot get permanent root because this would involve a modified kernel (to write to the /system partition), which would not boot with a locked bootloader because of the Verified Boot process that uses an OEM key.
The whole process is described here: https://source.android.com/security/verifiedboot/verified-boot.html
Google's intention is (or was) to allow the boot process to continue, after a red warning, if verification of the kernel image fails on a locked bootloader... But Sony devices bootloop without showing any warning, so the user is not allowed to continue (source: https://androplus.org/Entry/843/, thanks to the developer).
So, on locked bootloaders, it's impossible to have permanent root apps, Xposed, ... unless someone finds a hole in the bootloader (someone found a hole in Motorola's bootloader) or the OEM key gets copied and is used to sign modified firmwares... just exciting dreams.
Anyone, correct me if I'm wrong.
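The post above argues that a modified /system cannot boot on a locked bootloader because dm-verity checks every block against a hash tree whose root is anchored in the OEM-signed boot chain. The toy verifier below illustrates that reasoning; it is an added example written for this thread, not code from Sony, Google or any poster here. The 16-byte block size, the unsalted SHA-256, the in-memory tree and the sample image bytes are constructed simplifications (real dm-verity uses 4096-byte blocks, a salt, and keeps the tree in a separate hash partition with the root hash in signed boot metadata).

```python
"""Toy dm-verity-style block verifier (added illustration, not from the thread or from Android)."""
import hashlib
from typing import List

# Constructed simplification: real dm-verity uses 4096-byte blocks, a per-image salt,
# and keeps the hash tree in a hash partition with the root in signed boot metadata.
BLOCK_SIZE = 16


def split_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Cut an image into fixed-size blocks, zero-padding the final one."""
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    if blocks and len(blocks[-1]) < block_size:
        blocks[-1] = blocks[-1].ljust(block_size, b"\0")
    return blocks


def _pair_up(level: List[bytes]) -> List[bytes]:
    """Duplicate the last hash of an odd-length level so every node has a sibling."""
    return level if len(level) % 2 == 0 else level + [level[-1]]


def build_hash_tree(blocks: List[bytes]) -> List[List[bytes]]:
    """Return the tree as levels: levels[0] are the leaf hashes, levels[-1] == [root]."""
    level = [hashlib.sha256(b).digest() for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = _pair_up(level)
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(blocks: List[bytes]) -> bytes:
    """Root of the hash tree over the given blocks."""
    return build_hash_tree(blocks)[-1][0]


def verify_block(index: int, block: bytes, tree: List[List[bytes]], trusted_root: bytes) -> bool:
    """Check one block at read time, as dm-verity does: rehash it, walk up the tree using
    the stored sibling hashes, and compare the result with the trusted (signed) root."""
    h = hashlib.sha256(block).digest()
    i = index
    for level in tree[:-1]:
        siblings = _pair_up(level)
        if i % 2 == 0:
            h = hashlib.sha256(h + siblings[i + 1]).digest()
        else:
            h = hashlib.sha256(siblings[i - 1] + h).digest()
        i //= 2
    return h == trusted_root


def verify_image(image: bytes, tree: List[List[bytes]], trusted_root: bytes) -> List[int]:
    """Indices of blocks that fail verification; an empty list means the image is intact."""
    return [idx for idx, blk in enumerate(split_blocks(image))
            if not verify_block(idx, blk, tree, trusted_root)]


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one byte, standing in for any write to /system (e.g. dropping in an su binary)."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)


# Constructed sample "/system" image: 34 + 192 = 226 bytes, i.e. 15 blocks.
SAMPLE_IMAGE = b"constructed sample /system image: " + bytes(range(64)) * 3
TREE = build_hash_tree(split_blocks(SAMPLE_IMAGE))
ROOT = TREE[-1][0]  # on a real device this value is carried by OEM-signed boot data


if __name__ == "__main__":
    print("intact image, failed blocks:", verify_image(SAMPLE_IMAGE, TREE, ROOT))
    modified = tamper(SAMPLE_IMAGE, 40)
    # Case 1: a block is changed but the stored tree is untouched -> block 2 is rejected on read.
    print("tampered image, failed blocks:", verify_image(modified, TREE, ROOT))
    # Case 2: the tree is rebuilt for the modified image -> its root no longer equals the trusted
    # root, so the signed boot data itself would have to change, hence the unlocked bootloader.
    print("rebuilt root matches trusted root:", root_hash(split_blocks(modified)) == ROOT)
```

The two failure cases are the whole point of the post: editing /system alone is caught block by block, and rebuilding the tree only moves the mismatch up to the signed root hash.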

ninestarkoko said:
I think I misunderstood. The problem is the Verified Boot ("dm-verity") check introduced in the Z3+/Z4 and Z5 line.
We cannot get permanent root because this would involve a modified kernel (to write to the /system partition), which would not boot with a locked bootloader because of the Verified Boot process that uses an OEM key.
The whole process is described here: https://source.android.com/security/verifiedboot/verified-boot.html
Google's intention is (or was) to allow the boot process to continue, after a red warning, if verification of the kernel image fails on a locked bootloader... But Sony devices bootloop without showing any warning, so the user is not allowed to continue (source: https://androplus.org/Entry/843/, thanks to the developer).
So, on locked bootloaders, it's impossible to have permanent root apps, Xposed, ... unless someone finds a hole in the bootloader (someone found a hole in Motorola's bootloader) or the OEM key gets copied and is used to sign modified firmwares... just exciting dreams.
Anyone, correct me if I'm wrong.
Personally, not having permanent root on a locked bootloader is fine with me. I just need temp root to back up TA partition.
I am pretty sure the rest of the Z5 owners who have not yet unlocked are waiting to back up the TA partition before doing anything else.
There already is a way to restore the credentials to use the Bravia Engine and the Sony goodies, but ultimately people would like to keep their TA keys (something they paid for) instead of losing them once they unlock the bootloader.

frostmore said:
Personally, not having permanent root on a locked bootloader is fine with me. I just need temp root to back up TA partition.
Me too

ninestarkoko said:
I think I misunderstood. The problem is the Verified Boot ("dm-verity") check introduced in the Z3+/Z4 and Z5 line.
We cannot get permanent root because this would involve a modified kernel (to write to the /system partition), which would not boot with a locked bootloader because of the Verified Boot process that uses an OEM key.
The whole process is described here: https://source.android.com/security/verifiedboot/verified-boot.html
Google's intention is (or was) to allow the boot process to continue, after a red warning, if verification of the kernel image fails on a locked bootloader... But Sony devices bootloop without showing any warning, so the user is not allowed to continue (source: https://androplus.org/Entry/843/, thanks to the developer).
So, on locked bootloaders, it's impossible to have permanent root apps, Xposed, ... unless someone finds a hole in the bootloader (someone found a hole in Motorola's bootloader) or the OEM key gets copied and is used to sign modified firmwares... just exciting dreams.
Anyone, correct me if I'm wrong.
I remember a few months ago... Chainfire was working on a new form of root that doesn't modify the system partition. Doesn't this solution help us? We don't want to lose our Sony features. :silly:

uripiruli said:
I remember a few months ago... Chainfire was working on a new form of root that doesn't modify the system partition. Doesn't this solution help us? We don't want to lose our Sony features. :silly:
That's the systemless root, where root is achieved without changing the system files,
but this kind of root requires a modified boot image, which cannot be done without an unlocked bootloader...
Root is becoming harder to achieve as the years pass, with samdung introducing their crap Knox and Sony with dm-verity etc. Android is fast becoming another Apple, where everything is locked up and end users are forced to adhere to the way their phones are "supposed" to be used.

F U C K U P Sony. Why couldn't we own the phone features we paid for? Give us the freedom to use our own phone.

devilmaycry2020 said:
F U C K U P Sony. Why couldn't we own the phone features we paid for? Give us the freedom to use our own phone.
here's an article on the subject http://www.xda-developers.com/a-look-at-marshmallow-root-verity-complications/
explaining your and my feelings (i really understand you).
If you want, you can comment there but please stay in topic here.

ninestarkoko said:
here's an article on the subject http://www.xda-developers.com/a-look-at-marshmallow-root-verity-complications/
explaining your and my feelings (i really understand you).
If you want, you can comment there but please stay in topic here.
OK, thanks for telling me about that. I'll be more careful with my words next time.

Maybe developer Wolfbreak from the Z3 forum can help us?
Sent from my E6653 @ XDA Portal

The Samsung Galaxy S7 and S7 Edge Exynos versions just got root, wtf Sony --'.

I think the main thing about Samsung phones is that they have a recovery partition, whereas Sony does not.
Sent from my Xperia™ Z5 using Tapatalk

Related

[Request] Root for Z3C (D5803) -> Solved

HI @all,
now that we have a FW for the device - is root possible?
All known root methods are not working.
BR
UserX10
Edit:
Solved -> Thank you DooMLoRD
http://forum.xda-developers.com/z3-...58xx-cwm-based-recovery-6-0-4-7-root-t2890231
Delete.
Jeez.
People haven't even got their hands on the phone yet...
Be patient
Anyone wanna try Framaroot?
http://framaroot.net/index.html
framaroot does not work ...
Ok because I saw it posted on this blog and thought it would work. Strange!
plisk3n said:
Ok because I saw it posted on this blog and thought it would work. Strange!
Well, it says "tested on device" and is from 9/4, before the device was even available. I'd be careful that APK isn't something more.
CollinsJ said:
Well, it says "tested on device" and is from 9/4, before the device was even available. I'd be careful that APK isn't something more.
Yeah that's also the reason why I decided not to download it, I'll just wait till someone @ XDA finds a way to root the device. It's not like we'll die because our device isn't rooted for x weeks/months.
Weeks/months?! I would die! It's been a day and the amount of things I can't do is driving me nuts!
If you have an unlocked boot loader see what I say at http://forum.xda-developers.com/showthread.php?p=55709585. If you don't I think you'll be waiting for a while - someone needs to find an exploit and write the app/code needed to exploit it. This has become increasingly hard as Android has become more secure - before Towelroot AFAIK the Z1/Z2 was not rootable for a long time. You'd probably be waiting a similar length of time for the next big root exploit.
tilal6991 said:
If you have an unlocked boot loader see what I say at http://forum.xda-developers.com/showthread.php?p=55709585. If you don't I think you'll be waiting for a while - someone needs to find an exploit and write the app/code needed to exploit it. This has become increasingly hard as Android has become more secure - before Towelroot AFAIK the Z1/Z2 was not rootable for a long time. You'd probably be waiting a similar length of time for the next big root exploit.
Would it not be helpful to contact Sony themselves? They're increasingly developer friendly, these days. Maybe they'd be willing to offer pointers to root app developers?
mudnightoil said:
Would it not be helpful to contact Sony themselves? They're increasingly developer friendly, these days. Maybe they'd be willing to offer pointers to root app developers?
Well I know people at Sony and long story short: if you want root, unlock the bootloader. It's as simple as that. You have to understand that while a root exploit looks nice to tinkerers, it's also a serious security issue which must be fixed. That is why many root solutions also patch the exploit they use after using it.
Does unlocking the bootloader require wiping the phone? I know this is required on the Nexus phones. If it requires a wipe then it's the very first thing I'm doing once I get the phone out of the box.
Sent from my Nexus 5 using Tapatalk
tilal6991 said:
Well I know people at Sony and long story short: if you want root, unlock the bootloader. It's as simple as that. You have to understand that while a root exploit looks nice to tinkerers, it's also a serious security issue which must be fixed. That is why many root solutions also patch the exploit they use after using it.
I'm aware of this ... but on the one hand being one of the few if only manufacturers to provide official unlocking for the bootloaders (with the obvious intention of spurring development etc), but on the other actively closing non-simple (i.e. ones requiring a dedicated program) root 'exploits' would seem a little at odds. Is it really that black and white? You'd think it might be in their interests to provide an official complex / secure rooting method.
sublimnl said:
Does unlocking the bootloader require wiping the phone? I know this is required on the nexus phones. If it requires wipe then its the very first thing I'm doing once I get the phone out of the box.
Sent from my Nexus 5 using Tapatalk
Yes. It will wipe everything AFAIK - double check with the website.
mudnightoil said:
I'm aware of this ... but on the one hand being one of the few if only manufacturers to provide official unlocking for the bootloaders (with the obvious intention of spurring development etc), but on the other actively closing non-simple (i.e. ones requiring a dedicated program) root 'exploits' would seem a little at odds. Is it really that black and white? You'd think it might be in their interests to provide an official complex / secure rooting method.
Your statements contradict themselves. Rooting without unlocking the bootloader needs a security flaw. How can any method which leaves a security hole be secure?
Bootloader unlocking gets around this by letting you control the boot partition of the device, so you can disable the "security barrier" that Android provides. This is a choice you are explicitly making, which is why it is the only "secure" way to root.
Does towelroot work?
MrOeyta said:
Does towelroot work?
Unfortunately Towelroot does not work.
I've read some people saying that unlocking the bootloader causes you to lose your DRM keys which apparently would affect software/ camera issues?
Can anyone verify this?
tacocats said:
I've read some people saying that unlocking the bootloader causes you to lose your DRM keys which apparently would affect software/ camera issues?
Can anyone verify this?
This is very true. On the z1c I neglected to back up the TA partition. And apparently lost native mirror cast and some camera features when I rolled the device back to stock.
Back up your TA partition before unlocking BL.
dillalade said:
This is very true. On the z1c I neglected to back up the TA partition. And apparently lost native mirror cast and some camera features when I rolled the device back to stock.
Back up your TA partition before unlocking BL.
Any idea how this could be done?

Xperia Z4/Z3+ Root Discussion

There appears to be no discussion thread about root for the Z4/Z3+, so I thought one was in order.
I'm currently about as useful as a snooze button on a smoke alarm in terms of obtaining root. I'm curious - is there any development going on to root our devices? I'd love to donate and what not to possibly speed it up.
Let's talk!
BL unlock is not listing this device on Sony open devices
Flashtool from androxyde doesn't have the device listed as well, so I doubt BL could be unlocked.
Regarding development
I managed to unpack the blog_fs files from Emma, so there we have the kernel.sin. Maybe we could unpack it with Android Image Kitchen, but I didn't succeed; the Android magic was missing or something like that!?
If that were possible, then we could repack the TWRP ramdisk with the zImage from the kernel.sin and perhaps have a working recovery, maybe as FOTAKernel.
But that's just wishful thinking
First we need unlocked BL
And then we also have the loss of the DRM keys. The TA partition and all that also needs to be in place, unless we're willing to sacrifice a bit hehe...
Sent from my E6553 using XDA Free mobile app
I'm also interested in Rooting my device, but the question is; would the dual Sim (E6533) be different than the single Sim device (in terms of rooting of course)?
Sent from my E6533 using XDA Free mobile app
I unlocked my Z4T SGP712 (WiFi)
Could it work as well?
You can unlock your device by choosing Z3... No need for Z4/Z3+ on the Sony Unlock page.
GhostLeader said:
I unlocked my Z4T SGP712 (WiFi)
Could it work as well?
You can unlock your device by choosing Z3... No need for Z4/Z3+ on the Sony Unlock page.
Even with a bootloader unlock, is there any custom recovery for the Z3+?
Sent from my Xperia Z3+ E6553
Did anyone try to unlock their Sony Xperia Z+ yet? Or did anyone try to see if it is unlockable by following these steps?
You can check if it is possible to unlock the bootloader of your device in the service menu by following the steps below: In your device, open the dialler and enter *#*#7378423#*#* to access the service menu. Tap Service info > Configuration > Rooting Status. If Bootloader unlock allowed says Yes, then you can continue with the next step. If it says No, or if the status is missing, your device cannot be unlocked.
I am going to build a custom recovery in case Bootloader unlock allowed says Yes..
Update: Yes, it is allowed to unlock the bootloader. I am waiting for my device, then I'll start working.
Sent from my LG-H815 using Tapatalk 2
janjan said:
Did anyone try to unlock their Sony Xperia Z+ yet? Or did anyone try to see if it is unlockable by following these steps?
You can check if it is possible to unlock the bootloader of your device in the service menu by following the steps below: In your device, open the dialler and enter *#*#7378423#*#* to access the service menu. Tap Service info > Configuration > Rooting Status. If Bootloader unlock allowed says Yes, then you can continue with the next step. If it says No, or if the status is missing, your device cannot be unlocked.
I am going to build a custom recovery in case Bootloader unlock allowed says Yes..
Update: Yes, it is allowed to unlock the bootloader. I am waiting for my device, then I'll start working.
Sent from my LG-H815 using Tapatalk 2
Yup, mine allows the bootloader to be unlocked too. I would think that the international version should allow for that
Look forward to your custom recovery then!
boo85 said:
Yup, mine allows the bootloader to be unlocked too. I would think that the international version should allow for that
Look forward to your custom recovery then!
I'm quite looking forward to it as well. If we can get a custom recovery going, then we'll be able to get root right? It's just a matter of being able to flash SuperSU through the custom recovery? Pardon my ignorance.
AhsanU said:
I'm quite looking forward to it as well. If we can get a custom recovery going, then we'll be able to get root right? It's just a matter of being able to flash SuperSU through the custom recovery? Pardon my ignorance.
It's a step, but we need to find a root exploit too.
Sent from my E6553 using Tapatalk
Ok, got mine a few days ago. Transfer of apps and data was sh**** as hell without Titanium Backup!
I don't have any usable knowledge in programming, but if there's something to test or try, I'm volunteering.
If some of the devs for other xperias has any idea, I'll test it.
Hoping to get root, very soon.
the_brad said:
Ok, got mine a few days ago. Transfer of apps and data was sh**** as hell without Titanium Backup!
I don't have any usable knowledge in programming, but if there's something to test or try, I'm volunteering.
If some of the devs for other xperias has any idea, I'll test it.
Hoping to get root, very soon.
Yup, same here. I'll test if needed =)
xDope said:
Yup, same here. I'll test if needed =)
Me too! Single SIM Z3+.
My dual-SIM E6533 says that bootloader unlock is not allowed. Does that mean my phone cannot be rooted? I think it's the HK version; I got it on Amazon in the USA. Any tips or advice would be greatly appreciated. Thanks!
projectseahorse said:
My dual-SIM E6533 says that bootloader unlock is not allowed. Does that mean my phone cannot be rooted? I think it's the HK version; I got it on Amazon in the USA. Any tips or advice would be greatly appreciated. Thanks!
By right, if bootloader unlock is stated as not allowed, you can only root your phone through an exploit. Exploits have been found for other Xperia phones (like my previous Z2, which I rooted without unlocking the bootloader); I most certainly do hope one can be found for the Z3+, as it would allow all the DRM stuff to be backed up and it's "neater" imo.
Otherwise, if no exploit is found, then no, you would not be able to root without unlocking the bootloader to install a custom ROM.
However, please check if you signed in to the myXperia service. If you did, you just need to sign out and reboot, and your status will be back to allowed. That is only if the bootloader was originally allowed to be unlocked.
boo85 said:
By right, if bootloader unlock is stated as not allowed, you can only root your phone through an exploit. Exploits have been found for other Xperia phones (like my previous Z2, which I rooted without unlocking the bootloader); I most certainly do hope one can be found for the Z3+, as it would allow all the DRM stuff to be backed up and it's "neater" imo.
Otherwise, if no exploit is found, then no, you would not be able to root without unlocking the bootloader to install a custom ROM.
However, please check if you signed in to the myXperia service. If you did, you just need to sign out and reboot, and your status will be back to allowed. That is only if the bootloader was originally allowed to be unlocked.
Thanks! My dual E6533 was not allowed to unlock either. Then I signed out of myXperia and rebooted, and it changed to Yes.
boo85 said:
By right, if bootloader unlock is stated as not allowed, you can only root your phone through an exploit. Exploits have been found for other Xperia phones (like my previous Z2, which I rooted without unlocking the bootloader); I most certainly do hope one can be found for the Z3+, as it would allow all the DRM stuff to be backed up and it's "neater" imo.
Otherwise, if no exploit is found, then no, you would not be able to root without unlocking the bootloader to install a custom ROM.
At this point, I see no mention of anyone working on any sort of exploit for the Z3+, this is a bit disheartening! I'm considering the new OnePlus device at this point since I'm sure root will not be an issue for that phone. It'd be a shame if it came to that since I love the feel of the Z3+
Sent from my Xperia Z3+ E6553
Mine said no. Does that mean I can never install a custom recovery and custom ROMs?
boo85 said:
Yup, mine allows the bootloader to be unlocked too. I would think that the international version should allow for that
Look forward to your custom recovery then!
GCbard said:
Mine said no. Does that mean I can never install a custom recovery and custom ROMs?
Did you activate your MyXperia app? If so, this could result in your phone indicating that the bootloader is not unlockable, even though it actually is. If you didn't activate this app and it still says no, then yes, it's not unlockable and you will not be able to install custom kernels / ROMs. Note that custom recovery can still work on rooted phones with locked bootloaders.
hush66 said:
Did you activate your MyXperia app? If so, this could result in your phone indicating that the bootloader is not unlockable, even though it actually is. If you didn't activate this app and it still says no, then yes, it's not unlockable and you will not be able to install custom kernels / ROMs. Note that custom recovery can still work on rooted phones with locked bootloaders.
I looked into my applications and did not see a myXperia app, just Xperia Lounge. I did install the current firmware using Sony PC Companion.
I am new to Xperia. I had HTC One and Google Nexus phones prior to this that I have rooted and such. I am experienced, but not with Xperia. Any suggestions for rooting that you know works?
Uhm, where is this myXperia app you guys are talking about? I searched the app store and the phone and cannot find it. Under Settings there is an "Xperia Connectivity" section, but no option to sign out.
Googling the app did give some results and I did land on this page, which I was logged into. I logged out and rebooted the phone; it still says "No" to unlock bootloader.

[WIP] [LB] [TEMP ROOT] Z5/Z5C Backup of TA Partition / DRM Keys

Hello to everybody!
::::: A FEW WORDS BEFORE YOU ASK 100 TIMES THE SAME ;-P :::::
It has been said widely in these forums that permanent root on LB is impossible due to the Verified Boot process implemented by Sony (and now by other vendors; the future for LB devices seems to be the "live root" approach). What we would like to achieve is temporary root privileges using some exploit in order to back up the TA partition, for warranty purposes and for a complete stock DRM restore.
THIS ARTICLE IS A WONDERFUL ENTRY POINT IF YOU WANT MORE INFORMATION
Guys, I am very proud that we could win over user zxz0O0 to try out the possibility of using the CVE-2015-1805 security vulnerability to get temporary privileges for, e.g., a backup of the TA partition of our Xperia Z5/Z5C/Z5P.....
For those who want to know a little bit more about what we are discussing/testing here:
Android Security Advisory — 2016-03-18: https://source.android.com/security/advisory/2016-03-18.html
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805
German article from t3n.de: http://t3n.de/news/google-android-sicherheitsluecke-691418/
CURRENT STATUS:
- ZXZ0O0 HAS FINISHED HIS WORK +++ Release for Z5/ Z5C/ Z5P coming soon!
You will need to flash build 32.0.A.6.200 kernel or lower!
LET US THANK:
- ZXZ0O0 FOR HIS AMAZING EFFORTS AND HIS PASSION INTO THIS
- IDLER1984 FOR HIS TESTCODE
- FOR TESTING ZXZ0O0's BUILDS: NINESTARKOKO, RIMMEDA, NILEZON AND ALL OTHERS IF I FORGOT SOMEONE
Greets and Cheers, Your Flummi.FFM
Well, we've got Linux kernel 3.10, which is affected by this exploit. This could make root possible, but we have to know what the root app is called?
I will look as soon as I have time here.
Lurking
Old news mate.
http://forum.xda-developers.com/xperia-z5/general/root-using-vulnerabilities-snapdragon-t3338173
Another forummer already pointed this out.
Unless you know how to roll back to the old Linux kernel and overcome SELinux.
Flummi.FFM said:
Good morning to everyone!
Just a few minutes ago, on the way to my workplace, I found an article about the CVE-2015-1805 security issue.
Sources:
Android Security Advisory — 2016-03-18: https://source.android.com/security/advisory/2016-03-18.html
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805
German article from t3n.de: http://t3n.de/news/google-android-sicherheitsluecke-691418/
Is THIS what we all waited for to get root on a locked bootloader? Is there maybe someone here who is able to say something about these articles?
Or maybe it is even worth evaluating in other devices' threads to make people aware of this "security issue"?
Full of hope that someone here is able to work something out on this basis, Greets and cheers....
Sony released MM firmware with this CVE already being fixed.
frostmore said:
Old news mate.
http://forum.xda-developers.com/xperia-z5/general/root-using-vulnerabilities-snapdragon-t3338173
Another forummer already pointed this out.
Unless you know how to roll back to the old Linux kernel and overcome SELinux.
In the other thread they talk about CVE-2016-0819 and CVE-2016-0805, which specifically affect Snapdragon SoCs......
The articles which I found are talking about CVE-2015-1805......
I don't think that we are talking about the same thing. CVE-2015-1805 possibly affects every kernel version 3.4, 3.10 and 3.14.....
If Sony has already fixed 2015-1805 even while Google itself "forgot", could you tell me where I can find information about a fix by Sony?
Tommy-Geenexus said:
Sony released MM firmware with this CVE already being fixed.
Flummi.FFM said:
If Sony has already fixed 2015-1805 even while Google itself "forgot", could you tell me where I can find information about a fix by Sony?
Simple: I just tried to patch the kernel, and found it has already included the fix.
The patch has existed since mid-2015; it's just that devices were recently exploited using this regression, and Google reacted.
Thx then for your reply......
Tommy-Geenexus said:
Simple: I just tried to patch the kernel, and found it has already included the fix.
The patch has existed since mid-2015; it's just that devices were recently exploited using this regression, and Google reacted.
I found out that in the source of Release 32.0.a.4.11 the issue IS NOT fixed.......
Maybe a Base for a root solution after downgrade?
Flummi.FFM said:
I found out that in the source of Release 32.0.a.4.11 the issue IS NOT fixed.......
Maybe a Base for a root solution after downgrade?
Hi man!!
How did you see it?
I asked about it. Maybe zxz0o0, a dev of the Z3, will help us. I hope he sees it.
Crossfingers
Sent from my E6653 via Tapatalk
uripiruli said:
Hi man!!
How did you see it?
I asked about it. Maybe zxz0O0, a Z3 dev, will help us. I hope he sees it.
Fingers crossed.
Sent from my E6653 using Tapatalk
I downloaded the source code of the 32.0.a.4.11 build and compared the pipe.c file with the fix commit and with the fixed version in the 32.1.a.1.163 build.
The result was that the older version is NOT fixed.
I also thought an hour ago of asking zxz0O0's team...
If we can win them over it would be great!!!
I asked a few minutes ago in two Z3 threads for help...
I hope so much that someone will finally be able to make something...
How about dm-verity? How can you get past this?
You can probably get "root" using this exploit, but it will only be temporary and you can't write to /system because of dm-verity. So the only use case I see is to back up the TA partition.
anno2070 said:
How about dm-verity? How can you get past this?
zxz0O0 said:
You can probably get "root" using this exploit, but it will only be temporary and you can't write to /system because of dm-verity. So the only use case I see is to back up the TA partition.
Unfortunately I don't have the knowledge to make something by myself...
In my opinion a TA backup is better than nothing for the moment...
Maybe if all of you professionals like Tobias.waldvogel and monx and you from the Z3 community work and think together about it, then it will happen one day?
You see, I spend all my free time searching for abilities and holes to use...
But due to my very basic knowledge of programming I am not able to implement something on my own.
Edit: my idea was to achieve root via this hole, then get a pre-rooted and dm-verity-disabled kernel in before reboot... Isn't that possible?
Flummi.FFM said:
Unfortunately I don't have the knowledge to make something by myself...
In my opinion a TA backup is better than nothing for the moment...
Maybe if all of you professionals like Tobias.waldvogel and monx and you from the Z3 community work and think together about it, then it will happen one day?
You see, I spend all my free time searching for abilities and holes to use...
But due to my very basic knowledge of programming I am not able to implement something on my own.
Edit: my idea was to achieve root via this hole, then get a pre-rooted and dm-verity-disabled kernel in before reboot... Isn't that possible?
You can't flash any kernel other than Sony's original kernel on a locked bootloader, and with dm-verity enabled there's nothing you can do to root an LB Z5. The only possible way is to unlock your bootloader; with a locked bootloader you have no chance, as you can't flash any modified kernel. We only achieved root on the Z3 because it has dm-verity disabled in the original Sony kernel.
zxz0O0 said:
You can probably get "root" using this exploit, but it will only be temporary and you can't write to /system because of dm-verity. So the only use case I see is to back up the TA partition.
Thanks for your answer.
If we rooted our phone with a temporary root from this exploit, then we could do a TA backup. Finally unlock the bootloader, root with the tools that we currently have... and then restore our TA backup with our Sony features. Is this possible??? Or am I dreaming????
Sent from my E6653 using Tapatalk
uripiruli said:
Thanks for your answer.
If we rooted our phone with a temporary root from this exploit, then we could do a TA backup. Finally unlock the bootloader, root with the tools that we currently have... and then restore our TA backup with our Sony features. Is this possible??? Or am I dreaming????
Sent from my E6653 using Tapatalk
You can't restore your TA backup on an unlocked bootloader, so you are back at the starting point. Unless you get something to disable dm-verity, you cannot get root on a locked bootloader.
You can "restore" DRM keys on an unlocked bootloader now. I don't get why you want to back them up so much? You can have all DRM features working on UB.

QuadRooter vulnerability

I guess most of you have learned of the recently discovered vulnerability affecting over 900m Qualcomm devices. Apparently even after Google's latest July patches, the vulnerability persists, allowing root access to affected handsets. Pretty much the entire Xperia line using Qualcomm SoCs is affected.
My question is: will we see a rooting method based on this exploit? I know that unlocking the BL is the most straightforward way to root; however I, and others I believe, would like to have a backup of our TA partition first. iovyroot apparently works on older firmwares (not with .253), but as with BackupTA there's always some risk involved when restoring.
Perhaps a bounty is the proper way to go?
Expecting a security patch from Google!
Meanwhile I have installed ZoneAlarm...
Though if we could get a temp root on LB we could always refine the method for a permanent root on LB. Then, on the post from whichever genius makes the permanent root, have a damn neon flashing sign saying "OKAY, GO PATCH THIS NOW" via another kernel or a software fix as part of the "tutorial" post that would eventually be made.
pattmyn said:
Though if we could get a temp root on LB we could always refine the method for a permanent root on LB. Then, on the post from whichever genius makes the permanent root, have a damn neon flashing sign saying "OKAY, GO PATCH THIS NOW" via another kernel or a software fix as part of the "tutorial" post that would eventually be made.
Permanent root on LB cannot be done post 5.1.1 (Android). It will be the same as finding loopholes in the system and vulnerabilities in MM. At least Sony doesn't support such methods, where Sony RIC protects the device to the level of putting it into bootloops rather than allowing root access (when rooting is tried on LB with dm-verity + Sony RIC on).
The permanent solution? Either
1. switch to devices which allow a PREROOTED OS
2. UB and flash kernels/ROMs as your own
YasuHamed said:
Permanent root on LB cannot be done post 5.1.1 (Android). It will be the same as finding loopholes in the system and vulnerabilities in MM. At least Sony doesn't support such methods, where Sony RIC protects the device to the level of putting it into bootloops rather than allowing root access (when rooting is tried on LB with dm-verity + Sony RIC on).
The permanent solution? Either
1. switch to devices which allow a PREROOTED OS
2. UB and flash kernels/ROMs as your own
Well that's a depressing way to start my day lol. I love this damn phone but there's some rooted apps I miss dearly.
pattmyn said:
Well that's a depressing way to start my day lol. I love this damn phone but there's some rooted apps I miss dearly.
I know what you mean! Xperias are my personal addiction!
I made a deal with the devil and lost my DRM keys and took security risks over my Z5 in exchange for a rooted device.
In my opinion it's a matter of time; sooner or later you will also root your device!
YasuHamed said:
I know what you mean! Xperias are my personal addiction!
I made a deal with the devil and lost my DRM keys and took security risks over my Z5 in exchange for a rooted device.
In my opinion it's a matter of time; sooner or later you will also root your device!
Not with a locked bootloader that can't be unlocked, I ain't. Unless you know some magical people at Sony that could override that lol
pattmyn said:
Not with a locked bootloader that can't be unlocked, I ain't. Unless you know some magical people at Sony that could override that lol
Well, one LONG workaround for you would be:
via Flashtool (XperiFirm), select Z5P, select "INTERNAL" in the country list and download the .170 version (Android 5.0.2), the version at which it left the Sony factory.
Flash it, root it via KingRoot (though KingRoot is considered unsafe), extract the DRM KEYS:
https://github.com/DevShaft/Backup-TA/releases
Once you have those, upgrade to 6.0.1 and unlock the bootloader, flash it with a custom kernel and relock the bootloader.
This way at least you will have your ORIGINAL Z5P KEYS with you for any future time.
However, relocking the BL with root will result in a bootloop, since the file system hash won't match the boot-up check. However, with a TA partition backup, running an unlocked BL is much safer, for when you need to relock the BL and send the phone in for repairs etc.
YasuHamed said:
Well, one LONG workaround for you would be:
via Flashtool (XperiFirm), select Z5P, select "INTERNAL" in the country list and download the .170 version (Android 5.0.2), the version at which it left the Sony factory.
Flash it, root it via KingRoot (though KingRoot is considered unsafe), extract the DRM KEYS:
https://github.com/DevShaft/Backup-TA/releases
Once you have those, upgrade to 6.0.1 and unlock the bootloader, flash it with a custom kernel and relock the bootloader.
This way at least you will have your ORIGINAL Z5P KEYS with you for any future time.
Not all bootloaders can be unlocked. Some specifically can't be, because Sony made them that way because the carriers wanted it that way...
Sent from my SGP311 using XDA Free mobile app
guhvanoh said:
Not all bootloaders can be unlocked. Some specifically can't be, because Sony made them that way because the carriers wanted it that way...
Sent from my SGP311 using XDA Free mobile app
Agreed, I believe the Z1 and Z tablets in the USA (versions) were falling into the category you mentioned.
If the bootloader cannot be locked then... better buy a BlackBerry.
guhvanoh said:
Not all bootloaders can be unlocked. Some specifically can't be, because Sony made them that way because the carriers wanted it that way...
Sent from my SGP311 using XDA Free mobile app
What he said.
pattmyn said:
What he said.
He is referring to some Sony devices whose bootloader was denied unlocking.
But don't worry, most of the devices (outside the USA) have bootloader unlocking ALLOWED.
Pre-purchase question...
YasuHamed said:
He is referring to some Sony devices whose bootloader was denied unlocking.
But don't worry, most of the devices (outside the USA) have bootloader unlocking ALLOWED.
My GF's M4 Aqua had the option to unlock the bootloader in the dev settings. It still couldn't have the BL unlocked (E2306), but the other 2 variations could, the E2303 and the E2353.
The E2306 was subsidized and discounted by Sony and mass distributed by lower-end carriers here in Canada, hence the unlockable BL.
This model has the E6833 and the E6883; which one has the BL that can be/is unlocked?
UnableToResetOldProfile said:
My GF's M4 Aqua had the option to unlock the bootloader in the dev settings. It still couldn't have the BL unlocked (E2306), but the other 2 variations could, the E2303 and the E2353.
The E2306 was subsidized and discounted by Sony and mass distributed by lower-end carriers here in Canada, hence the unlockable BL.
This model has the E6833 and the E6883; which one has the BL that can be/is unlocked?
The OEM UNLOCKING allowed in Developer options is just an extra step.
My Z5 Dual was showing one IMEI; however, with Flashtool I was getting TWO IMEI numbers, both different, and with the second IMEI I was able to unlock.
Is yours an M4 Aqua Dual?

Searching For Root..

I've had this phone a little while now and I'm itching to root it. There's nothing wrong with it, I just really want to get into the code and do some modding. But there doesn't seem to be any root solution available right now.
So I thought I'd start this thread so we could discuss any rooting tips and ideas you all might have.
First I should probably mention all the potentially dodgy rooting solutions out there. Google "root xa1" and you get many results that offer methods to gain root access on our phone.
I confess I haven't tried any of them but that's because they all look suspicious. Some were written before the phone launched, some require you to download unknown software (I'll keep my PC virus-free, thanks), some even go so far as to feature a fake comment section with people saying it works.
I have no desire to stick malware on either my PC or my phone so I'm steering well clear of those.
The XZs launched at the same time as the XA1 and there seems to be a solution available for that. This is a thread by @zlRampageSlz with details: https://forum.xda-developers.com/xzs/how-to/tutorial-step-step-guide-to-gain-root-t3612624
It looks like the best solution is to unlock the bootloader (making sure to back up your TA partition first!), flash a modified kernel (otherwise the camera takes green pictures), flash a recovery image and then flash Magisk.
Where do we get this modified kernel? Where do we get the recovery image?
I have no idea, sadly. This is all way beyond my area of expertise. I'm a themer, not a developer.
But if anybody knows better than me, please post here.
This is a great phone, let's work together so we can get it modded!
Ticklefish said:
I've had this phone a little while now and I'm itching to root it. There's nothing wrong with it, I just really want to get into the code and do some modding. But there doesn't seem to be any root solution available right now.
So I thought I'd start this thread so we could discuss any rooting tips and ideas you all might have.
First I should probably mention all the potentially dodgy rooting solutions out there. Google "root xa1" and you get many results that offer methods to gain root access on our phone.
I confess I haven't tried any of them but that's because they all look suspicious. Some were written before the phone launched, some require you to download unknown software (I'll keep my PC virus-free, thanks), some even go so far as to feature a fake comment section with people saying it works.
I have no desire to stick malware on either my PC or my phone so I'm steering well clear of those.
The XZs launched at the same time as the XA1 and there seems to be a solution available for that. This is a thread by @zlRampageSlz with details: https://forum.xda-developers.com/xzs/how-to/tutorial-step-step-guide-to-gain-root-t3612624
It looks like the best solution is to unlock the bootloader (making sure to back up your TA partition first!), flash a modified kernel (otherwise the camera takes green pictures), flash a recovery image and then flash Magisk.
Where do we get this modified kernel? Where do we get the recovery image?
I have no idea, sadly. This is all way beyond my area of expertise. I'm a themer, not a developer.
But if anybody knows better than me, please post here.
This is a great phone, let's work together so we can get it modded!
First of all, thank you so much for your awesome tool "Tickle My Android", which I really like.
I'm about to get the XA1 Ultra, so of course I'm curious about root too, but I'll try to make it clear.
Simply put, don't waste your time searching for a root tool, because it's impossible to have root without modifying the kernel, so 100% of these tools are just malware!
In the new devices there's something called DM-Verity, which is a check tool, and that means any modification to /system will lead to a bootloop,
so DM-Verity must be disabled (through the kernel, of course) and any mess with the kernel means you have to unlock the bootloader.
Another thing: Sony RIC, which prevents mounting system, so any modification must be done through recovery or it will lead to a bootloop as well, so we must also disable it.
Fortunately on my Xperia Z2 there is no DM-Verity and there's a module to disable Sony RIC through recovery, so root was possible without unlocking the bootloader, but starting from the Xperia Z3+ DM-Verity appeared!
So now root is impossible without unlocking the bootloader (which means losing the DRM keys forever if you didn't back them up).
I downloaded the firmware for the XA1 Ultra through XperiFirm, unpacked the kernel and tried these tools to see how it's going:
https://forum.xda-developers.com/xp...oot-automatic-repack-stock-kernel-dm-t3301605
&
https://forum.xda-developers.com/crossdevice-dev/sony/poc-real-trim-instead-drm-fix-t3552893
The first one was hanging and I didn't get any information, and to be able to use the second one you must put your ta.img (your TA backup) inside the folder.
I used my Z2 ta.img as a test to see the process and the result was pretty good!
I successfully disabled DM-Verity and there's no Sony RIC!!!!! But it's also still not safe and needs to be confirmed, because maybe there's a bad surprise which is not clear yet, maybe something like Sony RIC but new!
So, if it's only the ****ty DM-Verity, it's easy to disable it even without this tool (since we can't use it without ta.img), maybe by a script or by unpacking the kernel, modifying it and repacking it; this is not a problem at all. After that MAYBE we can flash SuperSU or Magisk via ADB since there's no recovery yet (completely not sure about this, so it needs to be confirmed), and in this case the choice is between root or DRM features, but at least root would have been achieved.
So now we need something like this to be able to back up TA without root, and after that unlocking the bootloader is no problem:
https://forum.xda-developers.com/crossdevice-dev/sony/universal-dirtycow-based-ta-backup-t3514236
or
https://forum.xda-developers.com/crossdevice-dev/sony/iovyroot-temp-root-tool-t3349597
Or, if it's not possible at this moment to back up TA without root, then at least we need something like this to be able to reactivate DRM features such as camera denoise and X-Reality, etc.:
https://forum.xda-developers.com/crossdevice-dev/sony/xperia-z1-z2-z3-series-devices-drm-t2930672
or
https://forum.xda-developers.com/xperia-z5/development/sony-credentials-restore-unlocking-t3296383
Or the worst choice... root without DRM and waiting for a fix like those above!
Anyway, root is not as easy as before, but it's still possible after all. I tried to clarify everything as much as I can and I hope there's a solution soon!
@munjeni we need your help bro, please have a look if you have free time. I uploaded the kernel for the XA1 Ultra, so try to tell us how it's going and what is new!
https://www.mediafire.com/?bc63fgjw99r785d
Good luck to everyone.
As my Z5 Compact was broken, I bought the XA1. I didn't remember how awful an unrooted phone is, so I am also waiting and would be very interested to be kept informed.
BR
Sopur
Did anyone try this?
https://www.oneclickroot.com/sony/sony-xperia-xa1/
chauhanjayc said:
Did anyone try this?
https://www.oneclickroot.com/sony/sony-xperia-xa1/
I haven't, personally. Every mention of it I can find just looks like an advert. And I'm not paying for something that might not work and might do something horrible to my phone.
Sent from my Sony Xperia XA1 using XDA Labs
Ticklefish said:
I haven't, personally. Every mention of it I can find just looks like an advert. And I'm not paying for something that might not work and might do something horrible to my phone.
It's free.
chauhanjayc said:
It's free.
One Click Root does not work at the moment :crying:
kpfreak said:
One Click Root does not work at the moment :crying:
Uffffd
Let's wait till the next exploit.
chauhanjayc said:
Uffffd
Let's wait till the next exploit.
I'm sure it's only a matter of time.
Sent from my Sony Xperia XA1 using XDA Labs
Bought this phone to replace my Oppo. I can't wait for root abilities to be made available.
Bought this phone to replace my old Xiaomi. It's a good, powerful phone. Hope to see root appear for it soon. Personally for me, I'm one of those people who will only root a phone once it gets slow (the warranty expires). So as much as I'm reluctant to root my phone now, I'll hold out and see what wonderful developments appear on this thread.
Given the XA1 (I have the XA1 not the XA1 Ultra, I believe they are different) runs a Mediatek processor, I'm inclined to see something along the lines of a MT Flash Tool being used. Correct me if I'm wrong but I've only had successful flashes and roots with Qualcomm processors. The last device I had with a Mediatek processor (Lenovo A8-50 A5500H, MT8382) bricked on me horribly and I had to throw it away :crying:.
Meh. Hope we'll see awesomeness come soon from here. I'm still pretty new to XDA, looks like an awesome community
MINGXXIE said:
Bought this phone to replace my old Xiaomi. It's a good, powerful phone. Hope to see root appear for it soon. Personally for me, I'm one of those people who will only root a phone once it gets slow (the warranty expires). So as much as I'm reluctant to root my phone now, I'll hold out and see what wonderful developments appear on this thread.
Given the XA1 (I have the XA1 not the XA1 Ultra, I believe they are different) runs a Mediatek processor, I'm inclined to see something along the lines of a MT Flash Tool being used. Correct me if I'm wrong but I've only had successful flashes and roots with Qualcomm processors. The last device I had with a Mediatek processor (Lenovo A8-50 A5500H, MT8382) bricked on me horribly and I had to throw it away :crying:.
Meh. Hope we'll see awesomeness come soon from here. I'm still pretty new to XDA, looks like an awesome community
From what I've seen on Sony's support page, they've made their own flash tool to flash stock ROMs to your phone in case of events like bricking.
diosdetiempo said:
From what I've seen on Sony's support page, they've made their own flash tool to flash stock ROMs to your phone in case of events like bricking.
Is it? That's wonderful, shall go check it out
Seems like the ultra version has gotten it.
https://forum.xda-developers.com/xa1-ultra/development/g3221-built-sources-t3622886
diosdetiempo said:
Seems like the ultra version has gotten it.
https://forum.xda-developers.com/xa1-ultra/development/g3221-built-sources-t3622886
Cool. I wonder if they can help with our device..
Sent from my Sony Xperia XA1 using XDA Labs
Hi. I wondered if I could ask for advice. I'm trying to unlock the bootloader using a code from the Sony website. After entering the command with the code, it says "command not allowed". Any ideas?
arienwalsall72 said:
Hi. I wondered if I could ask for advice. I'm trying to unlock the bootloader using a code from the Sony website. After entering the command with the code, it says "command not allowed". Any ideas?
I don't know, sorry. Did you definitely enter the right code?
Sent from my Sony Xperia XA1 using XDA Labs
Ticklefish said:
I don't know, sorry. Did you definitely enter the right code?
Yes. It gives the full command with the code on the Sony website, so I copied and pasted it from there. It does say on the phone in the service menu, under bootloader, unlockable = no. But it says yes on the Sony website, so I'm not sure.
arienwalsall72 said:
Yes. It gives the full command with the code on the Sony website, so I copied and pasted it from there. It does say on the phone in the service menu, under bootloader, unlockable = no. But it says yes on the Sony website, so I'm not sure.
If it says no on your phone then you're not able to.
arienwalsall72 said:
Yes. It gives the full command with the code on the Sony website, so I copied and pasted it from there. It does say on the phone in the service menu, under bootloader, unlockable = no. But it says yes on the Sony website, so I'm not sure.
Go to Settings > About Phone.
Tap on Build Number until you get a toast notification that says you're a developer.
You should now be able to access Developer Options in Settings.
Go inside Developer Options then toggle OEM unlocking. Make sure it's on.
The code you get from the website should work now.