This is not a guide on how to install a recovery on your Xperia device but a summary of the recoveries you can use on it.
As there are a lot of different configurations (ROMs/kernels/bootloaders) causing trouble (bootloops or even bricked devices), it is easy to get lost in the amount of information, so I will try to give a summary.
Code:
#include <std/disclaimer.h>
/*
* I am not responsible for bricked devices, dead SD cards, thermonuclear
* war, or the current economic crisis caused by you following these
* directions. YOU are choosing to make these modifications, and
* if you point your finger at me for messing up your device, I will
* laugh at you.
*/
To get started, here is a (perfectible) infographic explaining the (re)boot process of Xperia Z devices. I tried to include all the options (kernel with extract_elf_ramdisk, without, old/new bootloaders).
Obviously a phone only takes path 1, 2 or 3 depending on the kernel version/implementation; that is why not all kernels were compatible with all recoveries.
Hope it's now easier to understand the (re)boot process between kernels/recoveries.
As there are a lot of tricks to boot into recovery on our Z phones, kernels and recoveries must be compatible with each other.
You must ensure compatibility between these pieces to avoid boot problems (kernel versions, SELinux enforcing, etc.), but I will try to make a recap:
Code:
╔═════════════════════╤═══════════════════╤═══════════════════════════════════╤════════════════════════╗
║ Kernel/Rom │ Locked bootloader │ old Bootloader │ new bootloader ║
╠═════════════════════╪═══════════════════╪═══════════════════════════════════╪════════════════════════╣
║ CyanogenMod 12.1 │ Not compatible │ FOTAKernel (3.4 + sepolicy <=26) │ FOTAKernel ║
╟─────────────────────┼───────────────────┼───────────────────────────────────┼────────────────────────╢
║ CyanogenMod 13.0 │ Not compatible │ FOTAKernel (3.10 + sepolicy <=30) │ FOTAKernel ║
╟─────────────────────┼───────────────────┼───────────────────────────────────┼────────────────────────╢
║ Omnirom │ Not compatible │ FOTAKernel (3.4 + sepolicy <=26) │ FOTAKernel ║
╟─────────────────────┼───────────────────┼───────────────────────────────────┼────────────────────────╢
║ stock based rom 5.1 │ XZdr │ XZdr │ 1.oldBL + 2.FOTAKernel ║
╟─────────────────────┼───────────────────┼───────────────────────────────────┼────────────────────────╢
║ stock based rom 6.0 │ XZdr / RecRoot v3 │ XZdr / RICDefeat │ 1.oldBL + 2.FOTAKernel ║
╟─────────────────────┼───────────────────┼───────────────────────────────────┼────────────────────────╢
║ Concept rom 5.1 │ ? │ ? │ 1.? + 2.FOTAKernel ║
╟─────────────────────┼───────────────────┼───────────────────────────────────┼────────────────────────╢
║ Concept rom 6.0 │ ? │ ? │ 1.? + 2.FOTAKernel ║
╚═════════════════════╧═══════════════════╧═══════════════════════════════════╧════════════════════════╝
This is the first version, so there may be some mistakes in the table. In any case, read the recoveries'/ROMs' instructions carefully.
edit 2016/04/22: cannot find information on concept rom recoveries.
For reference, the boot process of other phones.
Source: http://www.slideshare.net/nanik/learning-aosp-android-booting-process
Source: https://tektab.com/2015/10/31/android-bootloaderfastboot-mode-and-recovery-mode-explained/
Source: http://plaintexttools.github.io/plain-text-table/
If you find something missing or perfectible, do not hesitate to inform me and I will make the correction asap.
Also, as usual, feedback and contributions are welcome.
Good luck!
Bootloader upgrade
Why upgrade the bootloader?
Upgrading the bootloader gives an independent boot process.
If you look at the boot process above, only the new bootloader is able to boot without the boot partition.
Also, the bootloader gives you the ability to test kernels/recoveries without flashing them (fastboot boot kernel.img). So you can make all the tests you want.
Why not upgrade the bootloader?
Upgrading the bootloader is not reversible AFAIK. The TA partition is heavily upgraded, so no downgrade is available.
Also, TA partition backups should be consistent with bootloader versions!
How to upgrade the bootloader?
Sadly it is Windows only....
It is only available for unlocked bootloaders (open devices). For now, the only process to my knowledge is heavy: reflashing a full stock ROM with Emma.
1. Do a full backup of all your data. (twrp doesn't backup internal storage!)
2. Download emma with the official process http://developer.sonymobile.com/services/flash-tool/how-to-download-and-install-the-flash-tool/
3. Launch emma and plug your device in flashmode.
4. Select all services
5. Choose a service with version >= .200 at the end.
6. Flash it.
6bis. Your new bootloader is now installed.
7. Now you can take any FOTAKernel recovery and boot it by powering off the phone, then pressing vol-down+power until the Sony logo appears.
Now even if your rom is totally stuck, you will be able to enter recovery.
Warning: With this version of the bootloader, only cold boot is supported. Refer to the above infographics for more information.
Do you know by chance if there is any documentation on the bootloader (S1) itself?
s1
SaadatM said:
Do you know by chance if there is any documentation on the bootloader (S1) itself?
Hi.
Afaik S1 is open source (with another name?). But Sony's S1 implementation is partially proprietary. (I didn't bookmark that.)
There is a devboard based on the Snapdragon 801 (DragonBoard), and a lot of useful pages about bootloaders on e-linux.org.
I found this interesting information by querying my favorite search engine with something like 'S1 decisions complete, image to boot is 0.'
Check your ta partition content and good luck
(also let me know any information here please).
Good evening everyone,
I spoke briefly with @nailyk about bootloaders and he suggested that I write these pieces of info here.
I'm not a developer nor an expert, so I can't go much in depth, but I was messing around with my D6603 and I flashed the .200 firmware with upgraded bootloader using EMMA.
After that I flashed this firmware (it's Sony's Concept for Marshmallow, latest build), originally posted by @yecomixer on the thread for this ROM here on xda. Flashing it substituted my upgraded bootloader with the Hero bootloader (This one). So I guess that everyone looking to revert back from the EMMA upgraded bootloader may try that since it worked fine on my device.
The same Hero bootloader can be found on the N Developer Preview for the Xperia Z3, but, even though I flashed that ROM (both DP3 and DP4), I didn't try going from the EMMA firmware to the Developer Previews, so I can't say if it would work in the same way.
Emma Service version?
Ok, so the kernel we want is the one that ends in .200, this one right? D6603 23.4.A.1.200 Customized_NCB 1288-5531 R17C User-Live COM
So if there's a newer one that doesn't end in .200 it won't work? like this one? D6603 23.5.A.0.575 Customized_NCB 1288-5531 R9D User-Live COM
Alpharou said:
Ok, so the kernel we want is the one that ends in .200, this one right? D6603 23.4.A.1.200 Customized_NCB 1288-5531 R17C User-Live COM
So if there's a newer one that doesn't end in .200 it won't work? like this one? D6603 23.5.A.0.575 Customized_NCB 1288-5531 R9D User-Live COM
.xxx is the rom version. .575 is greater than .200 so should work too.
Yesterday I needed to reflash my device and noticed that, in the service description, the loader version is mentioned. For me it was something like "loader: 27". Maybe you have the same information and can compare?
nailyk said:
.xxx is the rom version. .575 is greater than .200 so should work too.
Yesterday I needed to reflash my device and noticed that, in the service description, the loader version is mentioned. For me it was something like "loader: 27". Maybe you have the same information and can compare?
Yep, for the version D6603 23.5.A.0.575 it says LOADER: 27.
I don't know if I did something wrong, but I cannot access the FOTAKernel directly with this version, and cannot see any extra kernel functions. Could it have something to do with the flashing method I use? First I use Emma, then flash with fastboot a modified version of TWRP to boot for custom ROM installation... Maybe that's overriding something?
Alpharou said:
Yep, for the version D6603 23.5.A.0.575 it says LOADER: 27.
I don't know if I did something wrong, but I cannot access the FOTAKernel directly with this version, and cannot see any extra kernel functions. Could it have something to do with the flashing method I use? First I use Emma, then flash with fastboot a modified version of TWRP to boot for custom ROM installation... Maybe that's overriding something?
Yes. The bootloader 27 is the 'right one'. After flashing with Emma, the FOTAKernel partition is overwritten, but a simple fastboot flash recovery <recoveryofyourchoice> works.
Most of the ftf files flash the bootloader. This one looks like it reflashes the partition table as well. (And we know a bad GPT change is destructive for any device.)
Anyway, this ROM (Concept M) reflashes the bootloader, so it erases your new bootloader.
nailyk said:
Yes. The bootloader 27 is the 'right one'. After flashing with Emma, the FOTAKernel partition is overwritten, but a simple fastboot flash recovery <recoveryofyourchoice> works.
Most of the ftf files flash the bootloader. This one looks like it reflashes the partition table as well. (And we know a bad GPT change is destructive for any device.)
Anyway, this ROM (Concept M) reflashes the bootloader, so it erases your new bootloader.
So then, what's the method you would use to get a z3 with the upgraded BL, custom recovery like TWRP 3.x.x and a custom ROM like CM12.1 or your Lineage OS 14.1 port? It seems that I'm missing something, and it would be very useful for other users (like me ^.^).
Alpharou said:
So then, what's the method you would use to get a z3 with the upgraded BL, custom recovery like TWRP 3.x.x and a custom ROM like CM12.1 or your Lineage OS 14.1 port? It seems that I'm missing something, and it would be very useful for other users (like me ^.^).
I still haven't posted a how-to-flash in the cm-14.1 thread because it is not really suitable for daily use right now :s
To flash custom ROMs I usually flash only zip files (from TWRP). But they can flash every partition too, so every time I take a look at the updater-script and the included files.
I never really used Flashtool, but a ROM is only kernel (boot partition) and system. So in Flashtool, when using it, excluding everything except boot, system, userdata and cache should be enough. I don't really know how an ftf should work.
To flash CyanogenMod, LineageOS, paranoid, CarbonRom, etc. and keep your upgraded bootloader, the process could be:
1. reflash full stock with emma,
2. flash recovery through fastboot
3. here you can flash any zip file at any time: recovery is accessible with: shutdown without usb cable, vol-&power
4. into twrp factory reset
5. flash cm-12.1
For the next flash, do again from step 3 only. This is the way I have flashed my z3 for 2 years now.
Hope it helps
nailyk said:
I still haven't posted a how-to-flash in the cm-14.1 thread because it is not really suitable for daily use right now :s
To flash custom ROMs I usually flash only zip files (from TWRP). But they can flash every partition too, so every time I take a look at the updater-script and the included files.
I never really used Flashtool, but a ROM is only kernel (boot partition) and system. So in Flashtool, when using it, excluding everything except boot, system, userdata and cache should be enough. I don't really know how an ftf should work.
To flash CyanogenMod, LineageOS, paranoid, CarbonRom, etc. and keep your upgraded bootloader, the process could be:
1. reflash full stock with emma,
2. flash recovery through fastboot
3. here you can flash any zip file at any time: recovery is accessible with: shutdown without usb cable, vol-&power
4. into twrp factory reset
5. flash cm-12.1
For the next flash, do again from step 3 only. This is the way I have flashed my z3 for 2 years now.
Hope it helps
Oh WoW, thanks for the detailed info. Will try that and post an update.
Does this work on the D6653? I can't open recovery mode on my Sony Xperia Z3 D6653.
sasikumarss said:
Does this work on the D6653? I can't open recovery mode on my Sony Xperia Z3 D6653.
Yes will work on all the devices listed on the sony page. [1] [2]
Quick question, my S1 Boot version is 1286-7314 S1_Boot_MSM8974AC_LA3.0_Hero_23.
Do I still need to update it? I'm asking because I can't use Emma to update it.
brianpee said:
Quick question, my S1 Boot version is 1286-7314 S1_Boot_MSM8974AC_LA3.0_Hero_23.
Do I still need to update it? I'm asking because I can't use Emma to update it.
Yes. Hero is the one from nprev and is a total ****. Without the original boot partition it doesn't work anymore.
Emma is supported for every z3 unlocked.
nailyk said:
Yes. Hero is the one from nprev and is a total ****. Without the original boot partition it doesn't work anymore.
Emma is supported for every z3 unlocked.
The one I downloaded from the Sony Mobile site requires me to sign in but it tells me my account is pending approval.
brianpee said:
The one I downloaded from the Sony Mobile site requires me to sign in but it tells me my account is pending approval.
There is a special setup process ( http://developer.sonymobile.com/services/flash-tool/how-to-download-and-install-the-flash-tool/ ):
you need to move a file into the installed app folder. Unless you do, the app won't start.
Related
But... why?
Well, many people like and buy the Xperia line of devices currently on the market who previously owned a Samsung, LG or HTC. There are many differences in hardware, but most certainly in how Sony perceives the Android ecosystem and how it differs from the other major brands. This (noob) guide is meant to help people on the path to the Sony side. I'm sure it contains lots of info which is even useful for the old timers.
Things which differ a LOT from the other brands:
First and foremost: no recovery partition;
Second but not least: no download mode.
Sony has replaced the Android recovery partition with the FOTA kernel, which is meant to aid the device in rolling out OTA updates, which allow kernel updates without the risk of bricking the device. I hear you scream: "But wait, what about the recovery partition announcement by Sony themselves!?", well the answer is simple: that is meant for unlocked bootloader devices ONLY, as a part of their "Open Devices" program.
What is Flashmode, Flashtool and what are these FTF and SIN files I am reading about?
I'm going to quote @Androxyde here (it's a straight copy of his index page), as he is the maintainer of the tool:
Flashtool is a S1 flashing software that works for all Sony phones from X10 to Xperia Z Ultra. They all use the S1 protocol for flashing firmwares.
This program was originally made to flash sin files downloaded by SEUS/SUS or PC Companion.
Based on a command line tool written by @Bin4ry (Andreas Makris), I brought a user interface to sin files flashing.
We worked together to add more features to the tool such as rooting methods implementation or TA backup / restore.
Then I took the lead and got some advice and help from him occasionally on some features like rom cleaner or bootloader unlocking.
From time to time, sin files have been bundled into what is now well known FTF (Flash Tool Firmwares) and more features have been implemented.
But flashing firmwares is still the core of Flashtool (that is updated at least to follow Sony improvements around sin files) and the reason of its name.
Flashtool can also easily unlock the bootloader of the phone using the BLU icon as far as the bootloader of your phone is unlockable
The flashing feature as well as bootloader unlock feature are available whatever the phone is recognized or not by the application. What is only mandatory for flashing is to own the FTF file according to the device you want to flash it on.
Why should I use Flashtool?
Once bootloader unlocked, official sony tools do not work anymore.
Using official sony tools, you can only upgrade. No downgrade possible.
Using flashtool, you can choose what to flash and what not to flash. This said, many rooting scenarios are available implying kernel only downgrade to retrieve a patched rooting exploit and then flash back the right kernel.
You said unlocking bootloader?
This process gives you the opportunity to flash custom roms such as CyanogenMod ROMs.
I invite you to visit the FXP Project that brings CM and AOSP to xperia devices.
To complete this explanation, Sony devices know 2 bootloader based flash modes:
Flashmode (This is the S1 flash protocol @Androxyde wrote about)
Fastboot (This is the original, unmodified fastboot mode from Google)
In the past there was the Sony-Ericsson Update Software/Service (SEUS, later named SUS because Ericsson got removed from the name) which could update your device to the latest software or recover it from an inoperable state. PC Companion was less of a tool for updating and more of making backups, installing applications and managing the device storage. Sometime in the past 3-4 years Sony merged the 2 programs, so if people on XDA or anywhere on the web talk about using PC Companion to restore their device, they are not wrong, they are simply using the latest version.
Sony recently released their own package called 'flash tool' (to add to the confusion of noobs in the community), which deep down is a little easier to use and stripped down version of EMMA, which is a tool we mere mortals will probably never use as EMMA is the flash tool for Sony's repair shops and tech support. Its primary function is to allow owners of an unlocked bootloader device (or, 'open device' as Sony named it) to still use Sony firmwares and update their device, because as soon as you unlock the bootloader, the OTA updates will stop.
Things to remember on the files used by these tools:
An FTF file is basically not more than a ZIP archive containing multiple SIN files; you can open the FTF using 7z/WinZip/WinRar and look inside it.
A SIN file is a disk/partition image, which is encrypted by Sony. S1 (the bootloader) will check this encryption to make sure the image was not tampered with before it accepts it for flashing.
Fastboot flashing will always fail when the device is still in a locked bootloader state. For some models it is even disabled entirely or non-functional until you unlock the bootloader.
I am reading about the TA, what is it, why should I make a backup?
The TA partition (Trim Area) is a signed partition which holds various things which are unique to your device, like the device's IMEI, DRM keys and bootloader settings and configuration options. This partition can not be exchanged between devices, because it really is unique. If you would flash the TA backup from someone else it will cause a hard-brick rendering your device only useful as a paperweight...
When you unlock your bootloader you will lose all the DRM features on your device, this makes it valuable to have a backup of the unmodified version stowed away somewhere safe. You will need root level access to create that backup before unlocking. There is a tool called Backup TA which is widely used to create and restore backups of the TA partition. TWRP in XZDualRecovery can do the same.
When you restore the backup TA partition you made before unlocking the bootloader you will essentially re-lock the bootloader and restore the DRM keys. This process is (as far as we know up to now) undetectable by Sony's support staff, which makes it easy to restore the phone to stock for warranty driven support issues as unlocking your bootloader will void your warranty on the device (it is subject to local law though). That is why, for a lot of owners of a Sony device at least, it is considered to be the "Holy Grail" and is usually the reason for a lot of users to wait for a root exploit to be found before unlocking their bootloader.
Okay, I get it now. I would like to unlock my bootloader, how to proceed?
I'm not here to rewrite everything other people or Sony themselves can write just as well or even better, so I have a link for you:
http://developer.sonymobile.com/unlockbootloader/
Read it, it will teach you just about everything you need to know.
Once your bootloader is unlocked, your device will be much like a Nexus device when it comes to rooting, excluding the recovery partition, so that's why we flash or hotboot a custom kernel with a recovery, by using fastboot. If you are afraid of a terminal and typing commands, you can use a tool like QuickIMG or Flashtool to make your life easier.
Right, now I want root!
Well, if you have an 'open device', this is a lot easier than you think. Just remember that using root exploit kits is unnecessary and in some cases even risky as some packages do funky things or jeopardize your privacy.
Try to find a 'stock based' custom kernel. These are custom kernels built by the community to add features to the kernel but are meant to work with Sony's stock firmwares. I'm the maintainer of XZDualRecovery myself and created the Kernel Builder for the supported devices.
These custom kernels will NOT root your device (unless otherwise stated by the creator), but introduce a recovery to the boot process and with that you will be able to flash SuperSU to root your ROM.
But you just said Sony devices don't have a recovery partition, please... UN-confuse me!!
Yes, I did, and I'm right: there have been bright minds in the community who included a recovery in the boot image (the kernel partition) in the past and that way included a recovery on our Sony devices.
With the current 'open devices' policy from Sony, we now have:
Recovery stored inside the system partition, which is meant for locked bootloader devices (closed devices) because they can not run custom kernels;
Recovery stored in the boot image (for open devices);
Recovery stored on the FOTA partition, but with a trigger from the regular boot image at boot (also for open devices);
Recovery stored on the FOTA partition -renamed to recovery- together with an updated bootloader (for open devices, of course).
Hmm, okay... it's still confusing, but OK. My service menu says I'm rooted, but none of the root apps work properly, what gives?!
If you open the phone dialer app and on the keys see the letters below the digits, you can spell the word SERVICE. Type *#*#SERVICE#*#* and a service menu will pop up. Tap 'Service Info' and then 'Configuration'. Then you will see one of these lines there almost on the bottom of the list:
"Rooting status: unknown": it's probably unlocked, but it was unable to verify that;
"Rooting status: rooted": you have unlocked the bootloader;
"Unlock bootloader allowed: YES/NO": this tells you if the bootloader is (vendor-) locked or not, if it says NO, you're out of luck.
The rooting status there is not telling your system is rooted, it tells you your bootloader is and will allow custom rom/kernel flashing. Don't confuse these two.
I'm not allowed to unlock my bootloader. But I still want root, can I?
In some cases you can. It depends on the bugs found in specific firmware versions which allow a root exploit to be developed.
From the 2015 range of Xperia devices Sony started using dm-verity, which causes a bootloop once the system partition is modified. This modification of the system partition will be required to include a SU binary in the system to obtain root, so until a dm-verity defeating option is found, locked bootloader root or recovery will not be possible.
For older models, check the device forums and the cross device development forums to check out the community rootkits available. Usually it will tell you what ROM version it is intended for. Be careful with rootkits/roottools though, some are also found to be introducing malware to your device or sending privacy sensitive data to the creators. Use common sense, if you have no valid use for the root user level, keep it off your phone. If you already have recovery, you can use that to modify or clean your device instead.
I have rooted my phone, but whenever I try to modify something on it it spontaneously reboots or I get a message 'Permission denied' when trying to remount the system partition R/W! Why is that?
Like all manufacturers, Sony tries to make it difficult (or downright impossible) to modify the Android base system they created. Because if you can, anyone or anything which obtains root access can. This is a serious security risk, because if it's malware which puts itself on the system partition and locks up your phone, the only way around this is to wipe your entire device and restore a stock ROM using PC Companion or Flashtool. Of course, they have their own proprietary software to protect as well, but security is the main objective here. The really sensitive bits are stored in the TA partition as I explained earlier.
Sony (-Ericsson) had a service called RIC, which in time moved partially into a kernel feature. What it does is monitor if system is remounted writeable. This usually is a situation you want to avoid at all costs so RIC will deny you permission, cause a kernel panic OR simply reboot your device to get out of that state.
"Remount-Reboot fix", RICKiller, RICDefeat, and XZDualRecovery all (attempt to) disable this service or stop the kernel from acting on a remount of system.
Hard-bricks, Soft-bricks, bootloops??
They are simple to understand, really:
Hard-brick, TYPICALLY NOT RECOVERABLE: The bootloader stopped functioning, this can be caused by a bad flash/update or by restoring the wrong TA backup.
Soft-Brick, ALWAYS RECOVERABLE: the system partition is corrupted or just simply empty, this causes the device to stall at boot. A soft-brick can also make the screen remain off, because of a bad or missing kernel image.
Bootloops, ALWAYS RECOVERABLE: If the system gets powered up and then reboots during the start. This can be at the kernel splash screen or during the boot animation.
In case of a Soft-brick or Bootloop:
Use the installed recovery (if it still works), PC Companion, QuickIMG or Flashtool to restore your device to working order.
In case of a Hard-brick:
You can never recover from that state without physically opening your device and do some heavy duty engineering (JTagging) on it to flash back the correct bootloader/TA (read that link to see what it would take!). This is way too difficult for 98% of the community, which means that hard-bricking your device is typically the creation of a very expensive paper weight.
Please, be extremely careful when dealing with the TA partition.
*********************************************
I will be updating the above text for sure. If you feel anything is missing, please write a post in this thread with the text you wish to include. I want this to be a community driven guide and I know a lot, but I can't know everything.
*********************************************
Extended the text some more to include ideas from:
@Klaos3000
@Yenkazu
Thanks for the suggestions/additions guys! :highfive:
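An added example, not part of the original posts and not code from Flashtool or EMMA: since the guide describes an FTF as a ZIP of SIN files, and the earlier thread advises looking at the updater-script and included files before flashing, this sketch lists which partitions an archive would write and separates the four named in the thread (boot, system, userdata, cache) from everything else. The SIN file names, the `kernel.sin` to boot mapping, the treatment of `.ta` entries and the by-name device paths in the sample script are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Partitions the thread says a ROM flash needs: boot, system, userdata, cache.
ALLOWED = {"boot", "system", "userdata", "cache"}

# Assumption: the boot image inside an FTF is named kernel.sin.
SIN_ALIASES = {"kernel": "boot"}

# Usual location of the Edify install script in a recovery-flashable zip.
UPDATER_SCRIPT = "META-INF/com/google/android/updater-script"

# Block-device targets such as ".../by-name/boot" inside the install script.
BY_NAME = re.compile(r"/by-name/([A-Za-z0-9_-]+)")


def partitions_written(archive: bytes) -> dict:
    """Map each partition the archive would write to the entry responsible."""
    written = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for entry in zf.namelist():
            base = entry.rsplit("/", 1)[-1].lower()
            if base.endswith(".sin"):
                # One SIN file per partition image (assumed naming: <partition>.sin).
                stem = base[: -len(".sin")]
                written.setdefault(SIN_ALIASES.get(stem, stem), entry)
            elif base.endswith(".ta"):
                # Assumption: any .ta entry modifies the Trim Area.
                written.setdefault("ta", entry)
            elif entry == UPDATER_SCRIPT:
                script = zf.read(entry).decode("utf-8", errors="replace")
                for target in BY_NAME.findall(script):
                    written.setdefault(target.lower(), entry)
    return written


def review(archive: bytes):
    """Return (expected, unexpected) partition lists, each sorted by name."""
    written = partitions_written(archive)
    expected = sorted(p for p in written if p in ALLOWED)
    unexpected = sorted(p for p in written if p not in ALLOWED)
    return expected, unexpected


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip so the example runs without real firmware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: an FTF-like bundle that also carries a loader,
# a partition table image and a FOTAKernel image.
SAMPLE_FTF = build_zip({
    "kernel.sin": b"", "system.sin": b"", "userdata.sin": b"", "cache.sin": b"",
    "loader.sin": b"", "partition-image.sin": b"", "fotakernel.sin": b"",
})

# Constructed sample: a flashable zip whose script also overwrites FOTAKernel.
SAMPLE_ROM_ZIP = build_zip({
    "boot.img": b"",
    "recovery.img": b"",
    UPDATER_SCRIPT: (
        'format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "0", "/system");\n'
        'package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");\n'
        'package_extract_file("recovery.img", "/dev/block/platform/msm_sdcc.1/by-name/FOTAKernel");\n'
    ),
})


if __name__ == "__main__":
    for label, blob in (("ftf", SAMPLE_FTF), ("rom zip", SAMPLE_ROM_ZIP)):
        ok, other = review(blob)
        print(f"{label}: expected={ok} review-before-flashing={other}")
```

Anything in the second list (here the loader, partition table and FOTAKernel entries) is what the thread warns can replace an upgraded bootloader, rewrite the GPT or overwrite the recovery.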
As it concerns the recovery, I think you can create a partition with EMMA.
Sent from Greece
kos25k said:
As it concerns the recovery, I think you can create a partition with EMMA.
Sent from Greece
Please, re-read the first part...
Can I root my iPhone 6 with this guide?
That was a bad joke.
Very useful guide. We should probably educate people around here about what an unlocked bootloader actually means and what it let us do. I'm shocked by the number of people using Kingroot and other risky closed-sourced tools, especially the ones with an unlocked bootloader.
People of earth, if your bootloader is unlocked, it means that your device will be much like a Nexus device when it comes to rooting, sans the recovery partition, so that's why we flash or hotboot a custom kernel with a recovery, by using fastboot. If you're afraid of a terminal and commands, then you can use a tool like QuickIMG. After that, you simply flash SuperSU. That's it!
You can add something about TA Partition and RIC server. :3
Good thread btw
Yenkazu said:
You can add something about TA Partition and RIC server. :3
Good thread btw
I'd say, give me a piece of text on the subject for the OP and I'll include it :good:
[NUT] said:
I'd say, give me a piece of text on the subject for the OP and I'll include it :good:
RIC, from your thread :3
http://forum.xda-developers.com/xpe...b-definitive-root-remount-reboot-fix-t2317432
But, it's kinda useless if people already use your DualRec, since it's already integrated xD
But more info didn't hurt (?)
TA Partition
http://forum.xda-developers.com/xperia-z/help/ta-partition-t2451186
Not really details, but user should know the impact of unlocking bootloader
Updated the OP to include info on the TA partition and RIC protection. Also included a part of the post by @Klaos3000, because it contained some useful info
Thanks guys :highfive:
Very useful! :good: But for me 2-3 weeks too late. I'm still quite new on Z3C and I collected all that info the old style.
Without this thread you would need days to catch all dependencies - With this you would need approx. 10 min!
Very helpful and good to link new users to...
And yes - I came from the Sammy side (of the moon) and was a bit shocked what Sony did with "open source android".
Not because of SystemUI ( I love it...) but because of all this "anti modding" stuff they build in.
Sticky? Sure - must be!
Updated the OP to include info on Hard-bricks, Soft-bricks and bootloops.
Please people, if you have anything to add to the OP, let me know!
As I said, I know a lot, but I can't know everything there is to know about Sony devices...
Good work (...as usual from your side) :good:
Very useful tutorial.
No need to write long explanations to Sony beginners anymore - just add a link from here.
Really Helpful
Brilliant..... Really it deserves a place at (Sticky Threads). I think if you add minimum one custom kernel (for stock firmware) of every device.. That would be very helpful to recover from soft bricks. Then this thread will be an "ALL IN 1" thread. It's my opinion after all... Brilliant work.
Need a little advice.
Hi,
I have a ZL with Locked bootloader and your ZL-lockeddualrecovery2.8.22 installed
I am on stock 5.0.2 now Rooted thanks to your awesome recovery.
Question is now I have your dual recovery would I be able to simply flash crDroid CM zip Thread Here and others like it or would I still need to unlock the bootloader Edit OP of ROM says it is required
So if I flashed the above would it replace your recovery with the boot.img in the zip
Sorry for the noob questions but I am new to Sony devices and still taking baby steps with this phone
I can unlock the bootloader no problem but I am more concerned about your recovery being replaced.
Thanks in advance :good:
bigrammy said:
Hi,
I have a ZL with Locked bootloader and your ZL-lockeddualrecovery2.8.22 installed
I am on stock 5.0.2 now Rooted thanks to your awesome recovery.
Question is now I have your dual recovery would I be able to simply flash crDroid CM zip Thread Here and others like it or would I still need to unlock the bootloader Edit OP of ROM says it is required
So if I flashed the above would it replace your recovery with the boot.img in the zip
Sorry for the noob questions but I am new to Sony devices and still taking baby steps with this phone
I can unlock the bootloader no problem but I am more concerned about your recovery being replaced.
Thanks in advance :good:
As long as your phone is locked, you only can flash stockroms and stock-kernels.
You also have to use recovery for stockrom, because your kernel is "untouchable" and recovery has to be put in /data and /system partition and can't be put in kernel.
All other roms/kernels will end in errors while flashing.
If you have unlocked your BL, you can flash any rom and kernel you want, as long as your phone is supporting it.
Yes, by flashing a zip, your kernel will be replaced and in most cases they have a recovery in it.
By flashing a rom from another version or changing from stock-based roms to i.e. CM-roms or Omni and vice versa, you have to unpack the kernel (boot.img) by hand and flash (fastboot) this first, before you flash (after a reboot in recovery) the whole zip.
Otherwise it could end in bootloop.
Because of (in most cases) wiping /system, /data during installation, your stock-recovery will be deleted too. This depends on the work of the installer in the zip file.
Btw... before unlocking your phone, backup your TA ( with FlashTool). This TA is unique and you may use it to lock your phone again later.
And... if your phone is unlocked - no fear of losing recovery. You always can flash another one with fastboot again.
Someone correct me, if I was wrong or forgot something.
@bigrammy, you can always try to repack the CM kernel using my kernel builder, that way you will still have XZDualRecovery but then included in the boot image, so no risk of losing it...
akkufix said:
As long as your phone is locked, you only can flash stockroms and stock-kernels.
You also have to use recovery for stockrom, because your kernel is "untouchable" and recovery has to be put in /data and /system partition and can't be put in kernel.
All other roms/kernels will end in errors while flashing.
If you have unlocked your BL, you can flash any rom and kernel you want, as long as your phone is supporting it.
Yes, by flashing a zip, your kernel will be replaced and in most cases they have a recovery in it.
By flashing a rom from another version or changing from stock-based roms to i.e. CM-roms or Omni and vice versa, you have to unpack the kernel (boot.img) by hand and flash (fastboot) this first, before you flash (after a reboot in recovery) the whole zip.
Otherwise it could end in bootloop.
Because of (in most cases) wiping /system, /data during installation, your stock-recovery will be deleted too. This depends on the work of the installer in the zip file.
Btw... before unlocking your phone, backup your TA ( with FlashTool). This TA is unique and you may use it to lock your phone again later.
And... if your phone is unlocked - no fear of losing recovery. You always can flash another one with fastboot again.
Someone correct me, if I was wrong or forgot something.
Thanks yet again bro :highfive:
Wow these Sony Xperia's take some figuring out :laugh:
I think I have just about got my head around it all now
I have managed to get the TA backed up with TWRP and Flashtool so I should be safe now
I will have to unlock the bootloader just to stop it nagging me to upgrade :laugh:
@Nut Thanks bro I will take a look at your suggestion it's a little more complicated than what I am used to or should I say different.
bigrammy said:
[...]
@Nut Thanks bro I will take a look at your suggestion it's a little more complicated than what I am used to or should I say different.
Well, I saw HTC M7 in your signature. If you were able to unlock, s-off, re-flash firmware and root this beast - you don't need to have any fear about a Sony device.
[NUT] said:
@bigrammy, you can always try to repack the CM kernel using my kernel builder, that way you will still have XZDualRecovery but then included in the boot image, so no risk of losing it...
Hi @Nut,
I thought I would take your advice and expected to download a tool to unpack everything and pick through the files and start editing init.rc etc etc :silly:
I had no idea this was a fully automated Online tool
I still can't quite believe it you're a genius!! :angel:
A BIG THANKS to All the Xperia dev's helpful community members and especially the tool creators XZDualRecovery, Flashtool, XperiFirm and PRFCreator etc you're all Awesome :highfive:
I fear I will become lazy with such great dev's :laugh:
bigrammy said:
Hi @Nut,
I thought I would take your advice and expected to download a tool to unpack everything and pick through the files and start editing init.rc etc etc :silly:
I had no idea this was a fully automated Online tool
I still can't quite believe it you're a genius!! :angel:
A BIG THANKS to All the Xperia dev's helpful community members and especially the tool creators XZDualRecovery, Flashtool, XperiFirm and PRFCreator etc you're all Awesome :highfive:
I fear I will become lazy with such great dev's :laugh:
Thanks, glad to have been of help to you
Hi everybody,
None of the following is my own novel work, I just took some time to go through the process step by step and document how to root the Z5 compact while preserving both the DRM keys (in a backup) and the functionality normally lost by unlocking the bootloader (using the DRM credentials patch). This post may serve as a tutorial for people starting to root their Z5 compact for the first time.
The device I tested it with is an E5823 with German firmware (originally shipped with CDA 1298-1220_R1C) that was already updated to build 32.1.A.1.163 (Android 6.0, patch level 2016-02-01) via OTA. For devices with other CDA regions, please adapt accordingly by using the respective firmware files.
1. Backup settings and apps
This will be required for restoring after unlocking the bootloader (which wipes the user data partition). For some reason, including the "-shared" option (i.e. contents of the internal emulated SD card, aka media storage) did not work, so make sure to save any media files (pictures taken with the camera, downloads, etc.) separately, e.g. via MTP.
Use Sony backup to SDcard functionality
adb backup -apk -all -f sony-xperia-z5c-noshared.ab
2. Backup TA partition (DRM keys)
Downgrade to exploitable firmware release (LP). Note that downgrading without wiping will make the phone unstable and may cause an automatic reboot after 1-2 min. Therefore either manually wipe the phone during flashing (ticking the checkbox in Flashtool) or be quick with the second (root/backup TA) step.
Download XperiFirm from http://forum.xda-developers.com/cro...xperifirm-xperia-firmware-downloader-t2834142 (I use it under Linux with mono) - UPDATE: For downloading the .185 MM firmware, I had to update to XperiFirm 4.9.1. For downloading 32.2.A.0.253, I used XperiFirm 5.0.0.
Download firmware build 32.0.A.6.200 for the root exploit based on CVE-2015-1805. I used E5823_StoreFront_1299-6910_32.0.A.6.200_R2B downloaded with XperiFirm 4.8.2 (or newer) on 2016-04-01
Download flashtool from http://www.flashtool.net/index.php, I used flashtool-0.9.20.0-linux.tar.7z (or newer version)
Create FTF file in Flashtool with menu Tools->Bundles->Create
Flash in flashmode (flashing system.sln takes 8-10 minutes, be patient...)
Use temporary root exploit to backup TA partition (http://forum.xda-developers.com/crossdevice-dev/sony/iovyroot-temp-root-tool-t3349597)
I used iovyroot_v0.3.zip as of 2016-04-02
Connect USB in ADB mode
adb push "root/iovyroot" "/data/local/tmp/iovyroot"
adb push "root/backup.sh" "/data/local/tmp/backup.sh"
open shell: adb shell
chmod 777 /data/local/tmp/iovyroot
chmod 777 /data/local/tmp/backup.sh
mkdir /data/local/tmp/tabackup
/data/local/tmp/iovyroot /data/local/tmp/backup.sh
exit
adb pull "/data/local/tmp/tabackup/" .
3. Upgrade again to MM and unlock bootloader with official method
Create FTF from E5823_Customized DE_1298-1220_32.1.A.1.163_R1C with Flashtool and flash in flashmode.
Optional: Verify that DRM keys are still OK: In dialer enter "*#*#service#*#*", then "Service tests" --> "Security" and it should look like this:
MARLIN [Key OK] [Active]
WIDEVINE [Key OK] [Active]
CKB [Key OK] [Active]
HUK: <device specific hex representation of key>
PROPID_AID: 004
OTP_LOCK_CONFIG: 0155
OTP_LOCK_STATUS: LOCKED
AUTH_ENABLE: 07
DEVICE_ID: <your device ID>
FIDO_KEYS: Provisioned
Factory Reset Reason: No device reset information found.
Allow bootloader unlock in developer settings
Follow steps from http://developer.sonymobile.com/unlockbootloader/unlock-yourboot-loader/ . There is not much to add here, as Sony describes the process well and in sufficient detail. Please note that this WILL WIPE YOUR DATA PARTITION, INCLUDING SHARED FILES. Make sure that you have a backup before executing this step (and best do it before downgrading to LP, because some parts will not work after the downgrade without a wipe, and may make the phone reboot after 1-2 min).
Reboot in fastboot mode: hold volume-up and connect USB cable to turn on
fastboot -i 0x0fce oem unlock <your unlock code>
After unlock: check key status
Blobs: generic error!
HUK: generic error!
PROPID_AID: 004
OTP_LOCK_CONFIG: 0155
OTP_LOCK_STATUS: LOCKED
AUTH_ENABLE: 07
DEVICE_ID: <your device ID>
FIDO_KEYS: Not provisioned, SUNTORY error
Factory Reset Reason: No device reset information found.
Optional: Try restoring TA partition (will lock bootloader again if successful!). This can be skipped entirely if you trust the tools used in this tutorial, but I chose to verify that restoring the DRM keys works as expected (not that you can do anything about it at that step if it doesn't work...).
Flash E5823_StoreFront_1299-6910_32.0.A.6.200_R2B again with Flashtool
Enable developer mode, connect USB in ADB mode
adb push "root/iovyroot" "/data/local/tmp/iovyroot"
adb push "root/restore.sh" "/data/local/tmp/restore.sh"
adb push TA-02042016.img "/data/local/tmp/TA.img"
open shell
chmod 777 /data/local/tmp/iovyroot
chmod 777 /data/local/tmp/restore.sh
/data/local/tmp/iovyroot /data/local/tmp/restore.sh
Flash E5823_Customized DE_1298-1220_32.1.A.1.163_R1C again with Flashtool
Check key status --> exactly the same as before, so successfully restored
Unlock again in fastboot mode (will wipe data again...)
fastboot -i 0x0fce oem unlock <your unlock code>
UPDATE: Updating to newer MM releases
After the first version of this post, Sony has already released an updated MM firmware (.253 at the time of this writing). If at any point in time you wish to update to a newer release, start at this point of the tutorial. Theoretically, this should be possible without wiping. However, I would not try it without a backup.
Create a backup, e.g. with adb backup or Sony backup.
Download new firmware with XperiFirm. At the time of this writing, I used "E5823_Customized DE_1298-1220_32.2.A.0.253_R2C", downloaded with XperiFirm 5.0.0.
Create FTF file in Flashtool with menu Tools->Bundles->Create
Flash in flashmode (flashing system.sln takes 8-10 minutes, be patient...)
4. Root MM
This will also give you TWRP recovery (which can be entered by pressing the volume up or down button a few seconds after power-on, as soon as the LED starts to change color).
DEPRECATED Alternative 1: with custom kernel but original system image: http://forum.xda-developers.com/z5-compact/general/root-e5823-marshmallow-t3336346
Download Androplus kernel from https://www.androidfilehost.com/?w=files&flid=52185 (I used v22c)
Download TWRP 3.0 from http://forum.xda-developers.com/z5-compact/orig-development/twrp-suzuran-twrp-3-0-t3334568 (I used "March 25, 2016 version") --> twrp-3.0-recovery.img
Download SuperSU v2.71 beta from https://download.chainfire.eu/932/SuperSU/BETA-SuperSU-v2.71-20160331103524.zip
With unlocked bootloader, you can now use fastboot mode. The easiest way is to do this from a running Android system:
adb reboot bootloader
Flash kernel:
unzip Z5C_AndroPlusKernel_v22c.zip
sudo fastboot flash boot boot.img
Flash recovery:
sudo fastboot flash recovery twrp-3.0-recovery.img
Install SuperSU:
boot into Android, copy BETA-SuperSU-v2.71-20160331103524.zip to internal storage (ADB sideload doesn't seem to work with this experimental TWRP at the moment...)
boot into TWRP by pressing volume-up when LED blinks immediately after turning on (and choose option "Keep Read Only" for the system partition)
Install SuperSU zip --> systemless mode
DEPRECATED Alternative 2: with modified system partition: http://forum.xda-developers.com/z5-...rnel-stock-kernel-dm-verity-sony-ric-t3350341
RECOMMENDED Alternative 3: with stock kernel patched for root and original system partition: http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
Download rootkernel_V4.51_Windows_Linux.zip from URL above (or the newest version available at that time) and unpack
Patch the kernel from your currently flashed Sony firmware release:
Flashtool -> Tools -> SIN Editor to extract the kernel from kernel.sin in the directory created by XperiFirm --> .elf file
Copy latest SuperSU*.zip (v2.76 at the time of this last update) to the folder where rootkernel*.zip was extracted to.
Note: if using the firmware 32.2.A.0.224, you will need the latest beta SuperSU.zip from https://download.chainfire.eu/964/SuperSU/BETA-SuperSU-v2.74-2-20160519174328.zip . For 32.2.A.0.253 (the latest at the time of this update), use SuperSU v2.76 (non-beta).
./rootkernel.sh kernel.elf kernel-patched.elf
My personal recommendation for the options: don't disable RIC, install TWRP, don't install busybox, install DRM fix
sudo fastboot flash boot kernel-patched.elf
./flash_dk TA-02042016.img DK.ftf
Flash DK.ftf with flashtool for a more complete restore of DRM-based functionality with the original TA partition backup
UPDATED: Thanks to ninestarkoko for pointing out that also the AndroPlus kernel disables dm-verity to enable more flexibility for root-using apps. Originally I assumed that dm-verity would still be intact with alternative 1, which in fact it is not. As of 2016-05-11, I used alternative 3 instead of alternative 1.
Now that Xposed can be installed system-less (http://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268), it should be possible to use with dm-verity intact. However, I have not tried this so far.
5. [Optional] Install Xposed
Sony MM firmware no longer seems to have the odex problem documented in http://forum.xda-developers.com/crossdevice-dev/sony/z4-z5-z5c-fix-camera-fc-installing-t3246962/, so no additional steps before/after "normally" installing Xposed are required
Download latest arm64 "sdk23" framework from http://dl-xda.xposed.info/framework/ (I used v81)
UPDATE: There is now a system-less version v86, which may even support OTA upgrades of the system image. At the time of this last update, I used the version linked from http://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268.
Download XposedInstaller_3.0-alpha4.apk from http://forum.xda-developers.com/showthread.php?t=3034811 and install
UPDATE: For the system-less Xposed version, instead use XposedInstaller_by_dvdandroid.apk from http://forum.xda-developers.com/xposed/unofficial-systemless-xposed-t3388268.
Install xposed-v86.1-sdk23-topjohnwu.zip via TWRP
6. Restore functionality relying on DRM credentials
Note: This is not necessary if you used alternative 3 for rooting above - that one already includes the DRM fix in the patched kernel image.
Using TWRP flashed in the step before, flash the ZIP to patch Sony credentials checks from http://forum.xda-developers.com/xperia-z5/development/sony-credentials-restore-unlocking-t3296383 .
Copy drmrestore.zip from above link to internal storage and install via TWRP
That's it!
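Added example (not part of the original post, and not code from iovyroot or Flashtool): the unlock step in the tutorial above wipes the DRM keys, so the pulled TA image is the only copy. This script records a SHA-256 and size for the image right after `adb pull` and checks any later copy, for instance the file pushed as `TA.img` for a restore, against that record. The function names, the script name `ta_check.sh` and the `.sha256` manifest format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: integrity bookkeeping for a TA backup image.
# It only reads local files and never talks to adb or the phone.
# Assumed usage (ta_check.sh is a hypothetical script name):
#   sh ta_check.sh record TA-02042016.img                  # right after "adb pull"
#   sh ta_check.sh verify TA.img TA-02042016.img.sha256    # before any restore

# Print the SHA-256 of a file as bare hex, with whichever tool the host has.
ta_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the size of a file in bytes.
ta_size() {
    wc -c < "$1" | tr -d ' '
}

# Reject files that cannot be a usable dump: missing, empty, or made of one
# repeated byte value (a blank dump carries no keys).
ta_sanity() {
    if [ ! -s "$1" ]; then
        echo "TA image missing or empty: $1" >&2
        return 1
    fi
    ta_distinct=$(od -An -v -tx1 "$1" | tr -s ' ' '\n' | sed '/^$/d' | sort -u | wc -l | tr -d ' ')
    if [ "${ta_distinct:-0}" -le 1 ]; then
        echo "TA image holds a single repeated byte value: $1" >&2
        return 1
    fi
    return 0
}

# Write "<sha256> <size>" next to the image so later copies can be checked.
ta_record() {
    ta_sanity "$1" || return 1
    echo "$(ta_sha256 "$1") $(ta_size "$1")" > "$1.sha256" || return 1
    echo "recorded $1.sha256"
}

# Compare a candidate file against a manifest written by ta_record.
# Returns 0 on match, 1 on mismatch, 2 if the manifest is unreadable.
ta_verify() {
    ta_want_hash=
    ta_want_size=
    [ -r "$2" ] || { echo "cannot read manifest: $2" >&2; return 2; }
    read -r ta_want_hash ta_want_size < "$2" || true
    if [ -z "$ta_want_hash" ] || [ -z "$ta_want_size" ]; then
        echo "malformed manifest: $2" >&2
        return 2
    fi
    ta_sanity "$1" || return 1
    ta_have_size=$(ta_size "$1")
    if [ "$ta_have_size" != "$ta_want_size" ]; then
        echo "size mismatch: have $ta_have_size, recorded $ta_want_size" >&2
        return 1
    fi
    if [ "$(ta_sha256 "$1")" != "$ta_want_hash" ]; then
        echo "SHA-256 mismatch for $1" >&2
        return 1
    fi
    echo "OK: $1 matches $2"
}

# Command-line entry point; with no arguments the file only defines functions.
case "${1:-}" in
    record) ta_record "$2" ;;
    verify) ta_verify "$2" "$3" ;;
esac
```

Keep the manifest on a different medium than the image itself, so a corrupted copy cannot take its own record with it.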
Sorry, I have never been totally clear on the relationship of firmware and kernels. If I install .163 and go through all the root steps here, if I then install .185 will I no longer have root or will the kernel still be rooted? Or after I upgrade will I be required to go through the root process again? Or by chance is there just no root available for the .185 release yet? Thanks
I would like to make some observations to this useful post, because it seems there's a bit of confusion:
About point 2)
to backup TA partition, just connect the phone and run tabackup.bat from iovyroot zip .
It will execute adb commands automatically.
About point 3)
I would stick with Lollipop and unlock directly on Lollipop, there's no need to flash MM before. You need to flash a firmware using flashtool if you have already unlocked. Temporary root exploit does not alter in any way the current system.
About point 4)
All the modded kernels on xda seem to have dm-verity and sony ric disabled. Androplus kernel too ( https://kernel.andro.plus/kitakami_r2.html from the first changelog ). /system partition modification is also necessary for DRM restore functions.
I think that root privileges for apps with DM-verity enabled on /system would be quite "dangerous". As soon as an app edits the system partition (just a simple mod), the phone would go in bootloop.
It's been one or two weeks since Tobias released a more advanced and updated technique to restore DRM functions, and just flashing a .zip is no more sufficient (now .zip flashing + .ftf flashing with flashtool)
The gold standard regarding the kernel part is:
-use a modded stock kernel (TWRP recovery and advanced DRM restore function included) following this guide:
http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
-or use custom kernels like Androplus,... (TWRP might or might not be included) and then restore DRM functions following the instructions from the same post above (drmonly command from the package)
http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
Thank you for making a guide on Z5c forums. I've seen one only on z5 forums
Frontier3 said:
Sorry, I have never been totally clear on the relationship of firmware and kernels. If I install .163 and go through all the root steps here, if I then install .185 will I no longer have root or will the kernel still be rooted? Or after I upgrade will I be required to go through the root process again? Or by chance is there just no root available for the .185 release yet? Thanks
If you are on Lollipop, I suggest flashing directly MM .185. If you are on MM .163 then flashing the whole firmware package will/could wipe everything, kernel included. I don't know exactly if the kernel from .163 is exactly the same as the one in .185. If your kernel gets wiped then root, DRM restore, TWRP would go away.
Let me explain: You need a modded kernel in order to install SuperSU, which gives root access to apps. SuperSU runs fine on many phones, Z5C MM included. If you upgrade using a .ftf file flashing, then the chance is high that you need to mod/install a custom kernel again, restore DRM functions and install SuperSU again.
If I root my phone, and then I turn it off and then on will the root still be usable?
What I'm asking is if it's like iPhone's tethered and untethered jailbreaks?
I have rooted (unlocked bootloader), TWRP installed. How can I update to MM?
Many thanks for any help!
damn_son said:
If I root my phone, and then I turn it off and then on will the root still be usable?
What I'm asking is if it's like iPhone's tethered and untethered jailbreaks?
Yes, it will be rooted, until you unroot!
Thanks for the tutorial.
Which region firmware should I choose for Canada? There's not even USA firmware available. Does it matter at all?
You mentioned using E5823_StoreFront_1299-6910_32.0.A.6.200_R2B to downgrade.
I'm currently on MM .185 Customized UK.
Does it matter what region I use?
fisheyes1 said:
You mentioned using E5823_StoreFront_1299-6910_32.0.A.6.200_R2B to downgrade.
I'm currently on MM .185 Customized UK.
Does it matter what region I use?
You'd have to go back to an exploitable firmware. Working versions are mentioned here: http://forum.xda-developers.com/crossdevice-dev/sony/iovyroot-temp-root-tool-t3349597
In the Z5c case E5823_StoreFront_1299-6910_32.0.A.6.200_R2B is the best solution IMO
ninestarkoko said:
I would like to make some observations to this useful post, because it seems there's a bit of confusion:
About point 2)
to backup TA partition, just connect the phone and run tabackup.bat from iovyroot zip .
It will execute adb commands automatically.
As I used Linux, the .bat script won't be directly applicable. The commands listed in my post will work with all host OS. (This is in addition to my personal disinclination to execute downloaded scripts directly on my development host.)
ninestarkoko said:
About point 3)
I would stick with Lollipop and unlock directly on Lollipop, there's no need to flash MM before. You need to flash a firmware using flashtool if you have already unlocked. Temporary root exploit does not alter in any way the current system.
Fully correct. I was already on MM before starting the whole process, so I had to go back to LL first.
ninestarkoko said:
About point 4)
All the modded kernels on xda seem to have dm-verity and sony ric disabled. Androplus kernel too ( https://kernel.andro.plus/kitakami_r2.html from the first changelog ). /system partition modification is also necessary for DRM restore functions.
I think that root privileges for apps with DM-verity enabled on /system would be quite "dangerous". As soon as an app edits the system partition (just a simple mod), the phone would go in bootloop.
It's been one or two weeks since Tobias released a more advanced and updated technique to restore DRM functions, and just flashing a .zip is no more sufficient (now .zip flashing + .ftf flashing with flashtool)
The gold standard regarding the kernel part is:
-use a modded stock kernel (TWRP recovery and advanced DRM restore function included) following this guide:
http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
-or use custom kernels like Androplus,... (TWRP might or might not be included) and then restore DRM functions following the instructions from the same post above (drmonly command from the package)
http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605
Many thanks for that correction - I was wrong to assume that dm-verity would still be intact with Androplus kernel. I have updated my post accordingly.
Would have been good for me, to have boot and recovery bold. Just recalled the fastboot flash boot command to flash the recovery over
besides that: *****
sudo fastboot flash boot boot.img
Flash recovery:
sudo fastboot flash recovery twrp-3.0-recovery.img
smartphone-tester said:
As I used Linux, the .bat script won't be directly applicable. The commands listed in my post will work with all host OS. (This is in addition to my personal disinclination to execute downloaded scripts directly on my development host.)
Fully correct. I was already on MM before starting the whole process, so I had to go back to LL first.
Many thanks for that correction - I was wrong to assume that dm-verity would still be intact with Androplus kernel. I have updated my post accordingly.
Great to see updates to the first post, it will be useful for many new Z5c users out there
Hi, I'm a new z5c user
just received it and I'll take this tuto for the root
thank you
Hey quick question, what exactly is stored in the DRM keys? I heard it's no longer the low-light camera stuff, so what is? If it's not too relevant isn't it just much easier to OEM unlock on MM, flash twrp and supersu (do you need the custom kernel to do so, btw?) and be done with it?
ApplepieFTW said:
Hey quick question, what exactly is stored in the DRM keys? I heard it's no longer the low-light camera stuff, so what is? If it's not too relevant isn't it just much easier to OEM unlock on MM, flash twrp and supersu (do you need the custom kernel to do so, btw?) and be done with it?
Some Sony-proprietary functions are dependent on the keys (e.g. low-light algorithms in the stock camera, seemingly also some screen optimizations, or potentially also stuff like screen mirroring - although I have not tried myself what is missing without real/fake DRM keys) as well as DRM management via Widevine. With the restore patches, you get most of the Sony functionality back even when the keys themselves have been deleted. Widevine might not work without the original keys available.
I just have a question cause I seem to be getting 0 answers elsewhere.
I want the latest lollipop on my Z5C and NOT Marshmallow. I believe it's the 32.0.A.6.200 build.
Anyway, I thought I could update to it like OTA, only not all the way to MM but staying at LP. Do I have to unlock bootloader, root and then use flashtool with the 32.0.A.6.200 build (which I've found a few online)? Is there no way to just install it like a "normal" update as I am currently still on stock 32.0.A.4.11. Is my only salvation to unlock bootloader, root and install the update?
You shouldn't have to unlock or root to use flash tool to flash 32.0.A.6.200
I've tried multiple different versions now, but it always stops at "Processing modem.sin", even tried leaving it for 20min. No results.
Anyone with a solution?
Edit: Also tried it on my macbook, same problem!
To clarify: Talking about downgrading to .200
It is not clear to me to try it and I don't want to brick my handy. Any way to make a video tutorial, including all: unlocking BL, backup and restore DRM, and also a way to turn the device back to a stock ROM for warranty purposes (my camera is very very bad)?
Thank you.
Sorry guys, but just to confirm: if I manage to successfully back up my TA partition, I can always go back and re-lock the boot loader, right? I am also skeptical about voiding warranty Sony speaks about on their corresponding web site. Do you think they save a record whenever someone requests an unlock code from them? In other words, if I need to restore stock ROM and TA partition later on (e.g. due to RMA), would it be possible for my vendor (Telekom) to check with Sony if I have ever unlocked my boot loader?
Many thanks for your great work!
Hello my friends, i'm glad to present you utility for installing custom recovery & root to your phone, working on stock MM .575 LB
You don't need root on your phone to run this utility!
How-to:
* you need stock MM .575 or .291 firmware
* if you have .291 firmware, you need flash stock kernel.sin (575) via FlashTool and turn on your phone. After, when script done and you reboot in custom recovery, flash SuperSU, then turn off your phone and flash back kernel.sin (291)
* download zip and extract to your computer
* enable USB-debugging on your phone and plug phone to computer
* run install.bat as administrator
When all finished your phone reboot in custom recovery.
Then you can install any supersu.zip in custom recovery.
Now you have last TWRP, busybox and root :good:
Enjoy!
FOR ALL WHO WANTS INSTALL Slimm and other custom zips with UUID METHOD READ --> THIS
UPDATE_07.09.2016:
* added support D5833 and D6603
* added stock kernel for FlashTool (see attach). just change .zip to .ftf
* TWRP with new functions like adb backup and auto-reboot (check latest commits)
* busybox with FULL Selinux support like setenforce, setsebool etc...
* added clean tmp files command
UPDATE_08.09.2016:
* fix error with daemon (adb) - please run this .bat as administrator
UPDATE_04.11.2016:
* add linux installer version HERE
UPDATE_23.01.17:
* twrp 3.0.3 (if you already have recovery, just copy recovery.twrp.cpio.lzma from this zip to your phone /system/etc/mm_twrp_recovery/ and replace. Don't forget chmod 644)
* busybox 1.26.2 (to update copy busybox from this zip to your phone /system/xbin/ and replace. Don't forget chmod 755)
UPDATE_15.03.17:
* update TWRP to 3.1.0-0
* added vold decryptions --> READ
* added zip for update the current version. just flash it in recovery.
UPDATE_13.05.2017
* update TWRP to 3.1.1-0
Thanks:
@zxz0O0 for iovyroot
@Wolfbreak for idea with recroot
@shoey63 for show me HOW. Thanks again, bro
@Macsek for linux installer
Thanks for this!
Is there any chance that it will work on Concept FW also?
x_one said:
Thanks for this!
Is there any chance that it will work on Concept FW also?
I don't think that will
Device not supported
Did i do anything wrong?
I am using D5833 running software 23.5.A.0.575 but the error appears.
Can you please check it?
Code:
Device Detected!
Installing ...
mkdir: '/data/local/tmp/mm_twrp_recovery_install': File exists
[100%] /data/local/tmp/mm_twrp_recovery_install/boot_twrp_recovery.sh
[100%] /data/local/tmp/mm_twrp_recovery_install/busybox
[100%] /data/local/tmp/mm_twrp_recovery_install/byeselinux.ko
[100%] /data/local/tmp/mm_twrp_recovery_install/chargemon.sh
[100%] /data/local/tmp/mm_twrp_recovery_install/install_twrp_recovery.sh
[100%] /data/local/tmp/mm_twrp_recovery_install/iovyroot
[100%] /data/local/tmp/mm_twrp_recovery_install/modulecrcpatch
[100%] /data/local/tmp/mm_twrp_recovery_install/recovery.twrp.cpio.lzma
[100%] /data/local/tmp/mm_twrp_recovery_install/wp_mod.ko
iovyroot by zxz0O0
poc by idler1984
Error: Device not supported
Finished!
Rebooting into TWRP recovery ...
Thank you.
@nepo1992 sorry, but at this moment your device is not supported, only D5803. May be in the future....
I've flashed my 5833 with 5803 and it works flawlessly. Nice job bro.
Really? This is Root and stuff for MM 575 LB without going back to KK (or ugly Kingroot) ?
Outstanding stuff - Thanks to @zxz0O0 @Wolfbreak and of course you @russel5 - :good:
Thanks russel5. Could you tell me if this works on locked bootloader as well? And if the bootloader stays locked?
Sent from my D5803 using Tapatalk
GeScha said:
Thanks russel5. Could you tell me if this works on locked bootloader as well? And if the bootloader stays locked?
Sent from my D5803 using Tapatalk
Yes, it's for locked bootloader (LB in thread name) and yes, bootloader stays locked.
This is basically the "MM TWRP Recovery for Locked BL" I've created months ago for Z3C, Z3 and Z2, slightly modified with root solution already in the pack. Great edit!
Sooo... I can take my factory Sony Z3c, with nothing in system touched since production, run this, and get root, custom recovery, keep DRM keys and LB? Or I missed something?
I tried on z2 and I just replaced the twrp with z2 twrp but device is not supported so can you please support z2?
thank you.
rocker00 said:
I tried on z2 and I just replaced the twrp with z2 twrp but device is not supported so can you please support z2?
thank you.
From post page back:
serajr said:
This is basically the "MM TWRP Recovery for Locked BL" I've created months ago for Z3C, Z3 and Z2, slightly modified with root solution already in the pack. Great edit!
So @rocker00 please look in Z2 forums for @serajr's topic.
Hi,
Can I get another link to download the utility ? Seems like I cant get it through the forum.
Thanks !
AfroMetal said:
From post page back:
So @rocker00 please look in Z2 forums for @serajr's topic.
Serajr twrp works if you have root already but this one works without root, that's why I asked for support. I hope that you got the point
Great job @russel5 for the solution and @serajr for the recovery !!
rocker00 said:
Serajr twrp works if you have root already but this one works without root, that's why I asked for support. I hope that you got the point
Click to expand...
Click to collapse
Sure I got it, and that's what I wrote! Great addition to the original work!!
serajr said:
Sure I got it, and that's what I wrote! Great addition to the original work!!
sure i know that understand the point but i was talking to @AfroMetal
by the way it would be great if you modified recovery with this method and add support for z2.
Works like a charm. Finally could delete all that Sony's bloatware. Is there anywhere a list of things that can be safely removed from Sony's firmware to make it more vanilla without playing with DRM?
AfroMetal said:
Works like a charm. Finally could delete all that Sony's bloatware. Is there anywhere a list of things that can be safely removed from Sony's firmware to make it more vanilla without playing with DRM?
Here
Last update: 14.10.2017
Fantastic news
No more waiting for manually signed magisk, supersu or twrp versions from now on. Just install any new version and use the image signature fix action in the troubleshoot menu of the toolkit. :good:
Next level reached
No more waiting for special zenfone 2 patched xposed for magisk. Got my own zip to do some hex patching. You can either use one of the (already patched) xposed versions from the toolkit or download xposed for magisk and use the xposed patcher in the troubleshoot menu.
z00x users please read this post https://forum.xda-developers.com/showpost.php?p=72298931&postcount=214
Introduction
This is a windows batch toolkit for automated actions like bl unlock, flash, root, xposed, sideload tasks, ... for your ze551ml/ze550ml/zx551ml.
I hope you find it useful. Check the tabs above for more screenshots, downloads, review ...
Note:
This toolkit works well for a lot of situations, but I need feedback especially for the new supported devices ze550ml and zx551ml. Please go on and try the toolkit, then leave a message on this thread, do a review or just vote.
Before you try any action in the menu, check that the device information is shown.
Features
Supports ZE551ML, ZE550ML, ZX551ML
Device status and connection information
Automated actions
Bootloader unlock
Flash boot/recovery images (twrp, stock)
Fix wrong or missing image signatures!!
Root / unroot Magisk & SuperSU
Xposed for Magisk (install / uninstall)
Patching xposed for magisk for zenfone 2 (if installed the unpatched xposed for magisk by mistake)
Compatible with most current MM firmware versions from devices ZE551ML, ZE550ML, ZX551ML
Currently integrated Tools
v14.0 (default) and v14.2
SuperSU 2.79SR3 / 2.82 (default) / 2.82SR5
TWRP 3.0.3-M4 / 3.1.1 (default)
Xposed for Magisk v87.3 / v88.0 (default)
Stock boot/recovery support of most current MM firmware versions from devices ZE551ML, ZE550ML, ZX551ML
adb/fastboot 1.0.32 (optional: 1.0.36)
Installation instructions
Do a clean start:
Download the latest base package
Extract to your desired location. It will extract a "ze551ml toolkit" directory with all files.
(Optional / If the automatic download of the device specific files fails) Download the device specific packages and extract it directly to the "ressources" directory
To run the toolkit just execute "ze551ml toolkit.bat" (no admin rights are needed).
Usage instructions
Prerequisite:
Ensure that you have installed device usb drivers (e. g. see: https://www.asus.com/Phone/ZenFone_2_ZE551ML/HelpDesk_Download/ )
Ensure that you have one of the latest MM firmwares for your device installed.
Ensure that you have enabled USB Debugging in Developer Options
Even if only a few actions could be really harmful to your data: Get a backup!
Then:
Run ze551ml_toolkit.bat
Check device status information & see if toolkit really likes your device
If your bootloader is still locked: Unlock it first with menu B -> choice U
(Optional) Choose your desired versions of the integrated tools in menu O.
(Recommended) Flash twrp with menu F -> choice T. If you want to try a newer twrp version, change it first in menu O
Check all the other nice functions of the toolkit
Downloads
Main: xda devdb archive
Mirror 1: https://mega.nz/#F!u8JhhY7T!9PryiRdjVSFf-O4erijDWg
Mirror 2: https://drive.google.com/drive/folders/0B4r2bJ3AgndSRVl5djNPNV9Qbkk?resourcekey=0-i9dHUezdzckVemi93NlYLA&usp=sharing
File structure:
ze551ml-toolkit-<VERSION>-base.zip - contains the base toolkit package without any device specific files
z00a*.zip - contains all device specific files for Z00A (ZE551ML)
z008*.zip - contains all device specific files for Z008 (ZE550ML)
z00x*.zip - contains all device specific files for Z00X (ZX551ML)
Changelog
Code:
v1.3
Current changelog: 14.10.2017
[added] xposed for magisk v88.0
[new] Patching xposed for magisk for zenfone 2 (if installed the unpatched version by mistake)
Code:
v1.22
Current changelog: 08.10.2017
[added] magisk v14.2
[removed] magisk v13.3
[fixed] xposed for magisk v87.3
[new] Fix wrong or missing image signatures!!
[fixed] Better support for encrypted devices
Code:
v1.1b9
Current changelog: 22.09.2017
[added] magisk v14.0
[removed] magisk <v13.3
[removed] twrp 3.0.2-M1
[updated] magisk uninstaller
Code:
v1.1b8
Current changelog: 19.07.2017
[added] magisk v13.3
[updated] magisk uninstaller
[new] action to download latest mirror file which is used to get some stock files updates
Code:
v1.1b6
Current changelog: 13.07.2017
[added] magisk v13.2
[removed] magisk v13.1
[fixed] twrp detection
[modified] magisk manager will now be extracted from zip and installation will be forced after sideload
Code:
v1.1b5
Current changelog: 11.07.2017
[added] magisk v13.1
[removed] magisk v13 betas
[fixed] minor fixes in supersu actions
Code:
v1.1b3
Current changelog: 02.07.2017
[added] 2 magisk v13 beta versions
[removed] magisk <v12
[updated] xposed installer
[added] 2 more twrp versions
[fixed] hardened detection of installed twrp version (still needs root or already booted twrp for that)
[fixed] changed the way the toolkit downloads files
Code:
v1.0b10
Current changelog: 04.04.2017
[added] magisk v12.0
[updated] fixed some help messages
Code:
v1.0b8
Current changelog: 21.03.2017
[added] support for more devices: z00a, z00d, z00x
[added] automatic download for device files if needed
[added] magisk v11.6
[added] twrp 3.0.3-M4 (for encrypted devices or android n installations)
[added] backup efs function
[added] integrity check
[modified] menu structure
[updated] changed some help messages
Code:
v1.0b2
Current changelog: 14.02.2017
[modified] menu order
[disabled] usage of system installed platform tools, internal are forced now
[fixed] boot2recovery could have been failed in some cases
[fixed] timing problems in wipe routine
[added] validations added to each boot states
[removed] twrp 3.0.3.2
[adjusted] code / function names
Code:
v0.9
Current changelog: 07.02.2017
[added] new twrp 3.0.3.2
[added] new magisk v11.1
[disabled] second disclaimer
[disabled] bootloader status in device overview at the top as I haven't found a secure way to detect a locked/unlocked bootloader yet.
[removed] magisk v10.2
[removed] twrp 3.0.3-N
Code:
v0.7
Current changelog: 02.02.2017
[added] boot to safe mode
[added] wipe menu
[added] new twrp 3.0.3-N and platform tools 1.0.3.6 (no default yet. versions can be switched in troubleshoot menu for testing)
Code:
v0.5
Current changelog: 31.01.2017
[added] each action shows some information about what's going to happen now
[changed] each action must be confirmed to be executed. if you don't need that, enable auto-yes in troubleshoot menu
Code:
v0.3p1
Changelog: 28.01.2017
[fixed] added missing magisk manager to installation procedure
Thanks to/Credits
Code:
:: > shakalaca
:: > chainfire
:: > topjohnwu
:: > twrp
:: > social-design-concepts
:: > phhusson
:: > say99
:: > Deathschythe33
:: > ggrandou
:: > gerasiov
You'll find more credits inside the source code.
I hope i didn't forget anyone. If so please report.
XDA:DevDB Information
Zenfone 2 ToolKit [Z00A/Z008/Z00X], Tool/Utility for the Asus ZenFone 2
Contributors
rummsbumms
Version Information
Status: Stable
Current Beta Version: 1.3
Beta Release Date: 2017-10-14
Created 2017-01-28
Last Updated 2018-07-31
What makes this different with @Giovix92's tool?
Yes, same question as above. What makes it different from ZE55xML_Modder by Giovix92
@krasCGQ @fred_gaou
i think that main difference is that this toolkit supports the last 3 MM firmware versions and works automatically for all tasks, so user interaction is reduced to wait & perhaps read
@rummsbumms
Question 1: would you suggest to run ze551ml_toolkit.bat as admin or not?
Question 2: did you personally test all root method provided by toolkit: SuperSU, Magisk+SuperSU, Magisk+phh superuser? Did you succeed to properly unroot all of them? Will you suggest one method rather than another?
Question 3: did you test custom ROM install via TWRP such as last LineageOS after unlock bootloader and install TWRP with your toolkit?
Question 4: What is "Auto Packages" supposed to mean? What does it do? According to script code, it seems to unroot and restore stock bootloader. That's why I don't understand the Auto Packages term.
====
To avoid having to get always the same questions like
How to root for the 1st time or safely upgrade firmware and root again…?
How to get back to a clean stock device?
What does this menu entry really do?
etc.
I would suggest some guide lines to help users in the 1st post as well as in a "how to.txt" file along the toolkit or in the batch itself as a menu entry named "Help" or "FAQ" or else.
====
FEATURES REQUEST
# Add FACTORY RESET DEVICE menu entry. This will imply:
Code:
fastboot erase userdata
fastboot erase cache
# Add Erase /system, /data and /cache menu entry, may be useful before installing a ROM. This will imply:
Code:
fastboot erase system (I guess it will work only if bootloader have been unlocked)
fastboot erase userdata
fastboot erase cache
or a complete wipe that will format the partitions too
Code:
fastboot -w
# Add a way to Back up and restore EFS, see this thread.
# And +1 to the post below about ifwi.
====
I would suggest also in the 1st post as well as in a "how to.txt" that the functions be more detailed. Example:
I see you chose to use adb/fastboot 1.0.32 version. Just to let you know that Minimal ADB and Fastboot v1.42 provide a more up to date adb and fastboot (the last 1.0.36). Why do you use this old 1.0.32 version?
====
I didn't test ZE55xML_Modder by Giovix92 or this toolkit yet, but just by reading the batch file, I can tell your code is way more elegant and skilled and should avoid the magisk root bug that ZE55xML_Modder users encounter.
====
And why checking if ADB is installed as system-wide since your toolkit already provides local adb/fastboot? What's the point to add this "unnecessary" step?
====
Great Work ! :good:
I will test your toolkit very soon and give feedback. I hope to get answers from you in the meantime.
Regards
What would be ideal, if possible to add, is an IFWI version detector,
because there are a lot of people who flashed their phones who haven't a clue they have M version with LP bootloader.
They think they have M BL and brick their phones.
If any help...
IFWI versions on 551 or Z00A
0094.0177 is locked LP bootloader
0094.0173 is unlocked.
0094.0183 is M BL
If your toolkit could detect these, it could flash back original stock recoveries and help many unaware people restore and upgrade stock LP to M.
Then they could again use your tool to unlock once upgraded to stock M,
where they then could make backups of stock again before flashing custom ROMs.
@fred_gaou
You gave some nice questions&suggestions!
About your questions:
You don't need the batch to run as admin as I don't use any function that needs admin rights.
Yes, I've tested all root functions and switched between single supersu, magisk with phh and magisk with supersu, but of course always with running the unroot task first. my personal favorite is magisk with phh b/c of the magisk hide. that's what i need for some banking apps :angel:
Not yet. I don't think i'm going to try that soon as I want to stay at stock rom atm. If you have any idea to implement that to this toolkit, i would be pleased to know.
The idea of the auto packages is to combine some single actions like unroot & root. So there is actually just one package, which I used the most time to get back to my favorite root solution.
The other points:
Giving more guidelines/hints in this thread&toolkit is a good point. I'll try to add this as soon as possible. :good:
Putting factory reset & backup on my todo list :good: Are there any installation procedure for roms that recommend to erase /system first? I've done that by mistake a few months ago and started to sweat. As this is a very dangerous command, I would only implement this if there is a need.
I know about the newer 1.0.36 version. That was the reason for the action "force internal platform toolkit" in the troubleshoot menu. But I had a LOT of problems running the new version on 2 different machines. The daemon didn't start with an error telling that the adb.log couldn't be opened. I'll put it on my todo list too, but with low priority.
timbernot said:
What would be ideal, if possible to add, is an IFWI version detector,
because there are a lot of people who flashed their phones who haven't a clue they have M version with LP bootloader.
They think they have M BL and brick their phones.
If any help...
IFWI versions on 551 or Z00A
0094.0177 is locked LP bootloader
0094.0173 is unlocked.
0094.0183 is M BL
If your toolkit could detect these, it could flash back original stock recoveries and help many unaware people restore and upgrade stock LP to M.
Then they could again use your tool to unlock once upgraded to stock M,
where they then could make backups of stock again before flashing custom ROMs.
Haven't thought about that scenario. Can you give me some more details? Users with bricked phones can only boot fastboot and nothing else?
I currently don't know a method to detect the ifwi version in fastboot state, so i would probably need twrp or a running system (almost certainly with root permission) to get ifwi information.
Hi,
I just want to verify. I have the ASUS Zenfone 2 Deluxe Special Edition that I have upgraded from the stock 5.0.0 Android Lollipop (I forgot the ASUS Firmware version number) to the Official ASUS 6.0.1 Marshmallow (Version WW-4.21.40.223(andriod M)) I can use this?
I regret upgrading from the Official LP to the Official MM with all the bloatwares. I am looking for a way to get root just like with my Sony Xperia phones but I am learning that getting root on ASUS Zenfones on MM is difficult. Almost all solutions I am reading is advising to downgrade from MM to LP, root, then manually upgrade to MM
rummsbumms said:
Not yet. I don't think i'm going to try that soon as I want to stay at stock rom atm. If you have any idea to implement that to this toolkit, i would be pleased to know.
Well, I'm still on stock LP so I would not be a good adviser. I trust the experienced users that switch and update ROM weekly so they will give useful feedback soon. Since some guys on LineageOS used Giovix modder to unlock bootloader and install ROM via TWRP, I guess it's currently the way to go.
rummsbumms said:
The idea of the auto packages is to combine some single actions like unroot & root. So there is actually just one package, which I used the most time to get back to my favorite root solution.
I get it now. It could be a useful section in future to run sequential commands at once.
rummsbumms said:
Putting factory reset & backup on my todo list :good: Are there any installation procedure for roms that recommend to erase /system first? I've done that by mistake a few months ago and started to sweat. As this is a very dangerous command, I would only implement this if there is a need.
Yes it is wise. I just provided the command because it was implemented in Giovix Modder and often reported as a way to clean up before flash all stock in other device. Don't know for 551.
rummsbumms said:
I know about the newer 1.0.36 version. That was the reason for the action "force internal platform toolkit" in the troubleshoot menu. But I had a LOT of problems running the new version on 2 different machines. The daemon didn't start with an error telling that the adb.log couldn't be opened. I'll put it on my todo list too, but with low priority.
Detail is good to know. What OS do you use: 7, 8.1 or 10? If 1.0.32 works fine on every version, there is no point to risk to break anything using 1.0.36.
Thanks for your answers.
rummsbumms said:
Haven't thought about that scenario. Can you give me some more details? Users with bricked phones can only boot fastboot and nothing else?
I currently don't know a method to detect the ifwi version in fastboot state, so i would probably need twrp or a running system (almost certainly with root permission) to get ifwi information.
Thinking about it now a bit more, it may be the tail end for this problem.
The actual problem people were having was they thought they had cm13 with M BL, actually they had the LP bootloader cm13. They would be in a working system then flash 14.1 / 7.1 builds, then brick their devices.
They forget they never upgraded bootloader and with having 6.0.1 M in build information in settings, presumed they had upgraded bootloader at some point but didn't.
Maybe, to prevent the tail enders from performing such tasks again, maybe a simple addition like a warning, like build date which in cm 13, to check.. if before July 2016 and have IFWI version 0094.0173 unlocked. Then you could direct them to say a return to stock option, flashing back boot and recovery for say on 551 LP 2 20 40 .196 Version, then possibly install the full ROM from say a link or something like ...Then info to upgrade to stock M before returning back to tool to unlock updated to the latest M.
But like mentioned, we may be at the tail end of this problem.
Probably related to 95% of the bricking threads here for zenfone.
Anyway thanks for taking interest
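The pre-flash warning discussed in the posts above, sketched as an added example (not part of the toolkit or of any post): it classifies the IFWI values listed for the 551/Z00A and refuses a 7.x flash unless the M bootloader is present. The function names are hypothetical, and the IFWI string is assumed to be typed in by the user, since the thread does not establish a way to read it in fastboot.

```python
import re

# IFWI values for the 551 / Z00A, exactly as listed in the thread.
IFWI_STATES = {
    "0094.0177": "LP bootloader, locked",
    "0094.0173": "LP bootloader, unlocked",
    "0094.0183": "M bootloader",
}
M_BOOTLOADER = "0094.0183"

# Exactly dddd.dddd, not embedded in a longer run of digits.
_IFWI_RE = re.compile(r"(?<!\d)\d{4}\.\d{4}(?!\d)")
_RANK = {"ok": 0, "warn": 1, "block": 2}


def normalize_ifwi(raw):
    """Pull a dddd.dddd IFWI version out of user-supplied text, or None."""
    m = _IFWI_RE.search(raw or "")
    return m.group(0) if m else None


def android_major(release):
    """'6.0.1' -> 6, '7.1' -> 7, unparsable -> None."""
    m = re.match(r"\s*(\d+)", release or "")
    return int(m.group(1)) if m else None


def preflight(ifwi_raw, running_release, target_release):
    """Return (verdict, reasons); verdict is 'ok', 'warn' or 'block'."""
    verdict, reasons = "ok", []

    def note(level, text):
        nonlocal verdict
        if _RANK[level] > _RANK[verdict]:
            verdict = level
        reasons.append(text)

    ifwi = normalize_ifwi(ifwi_raw)
    if ifwi is None:
        note("block", "No IFWI version given; the Android version in "
                      "Settings says nothing about the bootloader.")
        return verdict, reasons
    if ifwi not in IFWI_STATES:
        note("block", f"IFWI {ifwi} is not one of the known values; "
                      "refusing to guess the bootloader generation.")
        return verdict, reasons

    target = android_major(target_release)
    running = android_major(running_release)
    if target is None:
        note("block", "Target Android release could not be parsed.")
        return verdict, reasons

    on_m_bootloader = ifwi == M_BOOTLOADER
    # The bricking case from the thread: 7.x build flashed on an LP bootloader.
    if target >= 7 and not on_m_bootloader:
        note("block", f"{IFWI_STATES[ifwi]} with a {target_release} target: "
                      "return to stock LP, upgrade to stock M, then unlock.")
    # The misleading case: build info shows 6.x but the bootloader is still LP.
    if running is not None and running >= 6 and not on_m_bootloader:
        note("warn", f"System reports {running_release} but IFWI {ifwi} is "
                     f"{IFWI_STATES[ifwi]}; the bootloader was never upgraded.")
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real device.
    samples = [
        ("IFWI Version: 0094.0173", "6.0.1", "7.1"),
        ("0094.0183", "6.0.1", "7.1"),
        ("0094.0177", "6.0.1", "6.0.1"),
    ]
    for ifwi_text, running, target in samples:
        verdict, reasons = preflight(ifwi_text, running, target)
        print(f"{ifwi_text!r} {running} -> {target}: {verdict}")
        for reason in reasons:
            print("   ", reason)
```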
Deathschythe33 said:
Hi,
I just want to verify. I have the ASUS Zenfone 2 Deluxe Special Edition that I have upgraded from the stock 5.0.0 Android Lollipop (I forgot the ASUS Firmware version number) to the Official ASUS 6.0.1 Marshmallow (Version WW-4.21.40.223(andriod M)) I can use this?
I regret upgrading from the Official LP to the Official MM with all the bloatwares. I am looking for a way to get root just like with my Sony Xperia phones but I am learning that getting root on ASUS Zenfones on MM is difficult. Almost all solutions I am reading is advising to downgrade from MM to LP, root, then manually upgrade to MM
As far as i can see from the asus page, the zf2 deluxe special edition uses the same firmware files and you already have the newest firmware (.223) installed, so i think it should work.
Is your bootloader still locked?
Thank you so much for your awesome ToolKit, works flawlessly !!
<3
v0.5 is out
rummsbumms said:
v0.5 is out
thanks, can you simply make 3 downloads complete for the 3 mm versions? now is a bit confusing with this updating/base files.
I don't think that 80mb would be a problem to download, everyone have at least a dsl line, we are not talking of gbs, thanks
v0.7 is out
@fred_gaou: I've tested with win10. 1.0.3.2 works fine and will be default, but I've added 1.0.3.6 too. Perhaps someone could test on other machines as I still have problems using it and don't know what's the problem.
@holymoz: I've made an additional "full" package which contains all files. The "base" version still only contains the latest mm firmware files.
@timbernot: Still thinking about it. Maybe some kind of decision tree asking for the problem could lead the user to an action that could cure the problem. I'll keep it on my todo list.
V0.5 works okay on my device with win 10 . i will test later the new build thanks
rummsbumms said:
As far as i can see from the asus page, the zf2 deluxe special edition uses the same firmware files and you already have the newest firmware (.223) installed, so i think it should work.
Is your bootloader still locked?
Hello @rummsbumms,
Thank you for taking your time to respond. Yup, my phone's bootloader is still locked. Everything in this phone is "official" including the freaking official bloatwares. I love the HW specs of this phone, but the bloatwares are F***ing crazy!
Hi,
I'll receive my XC this week, and I'd like to root it.
I don't want a custom ROM, but just a stock one with xposed and remove some bloatwares.
Here are my needs:
keep DRM
latest stock rom
twrp
untouched system partition
easy OTA
XC Genesis kernel
xposed + module
Do you think it possible to achieve such a configuration?
How-to?
Thanks
EDIT: I'll update this post to make it a HOW-TO for future users with the same questions.
Assuming you're unable to unlock your BL the steps are as follows...
Flash back to 198.
Backup your TA.
Unlock your BL
Update to 311
Extract kernel - ftf/sin/elf
Run elf through Rootkernel_v5.23 - (In cmd prompt window - rootkernel kernel.elf boot.img)
Create DK ftf with Rootkernel_v5.23 (In cmd prompt window - flash_dk TA-19022017.img DK.ftf)
Flash new boot.img
Flash TWRP.img
Flash Super User zip
Flash DK.ftf with Flashtool 9.22
...and that should be it.
Latest stock Rom + xposed will not be possible...
mika91 said:
Hi,
I'll receive my XC this week, and I'd like to root it.
I don't want a custom ROM, but just a stock one with xposed and remove some bloatwares.
Here are my needs:
keep DRM
latest stock rom
twrp
untouched system partition
easy OTA
XC Genesis kernel
xposed + module
Do you think it possible to achieve such a configuration?
How-to?
Thanks
EDIT: I'll update this post to make it a HOW-TO for future users with the same questions.
Forget about OTA when rooted...
I thought that using xposed leaves the system partition untouched, so OTA updates are possible...
mika91 said:
I thought that using xposed leaves the system partition untouched, so OTA updates are possible...
OTA is not possible once the bootloader is unlocked. System partition touched or not plays no role.
ok.
So if I want to root the XC, I have to unlock the bootloader, lose DRM and OTA?
How is the camera quality without the drm keys?
Thanks
mika91 said:
ok.
So if I want to root the XC, I have to unlock the bootloader, lose DRM and OTA?
See my post to get a rooted stock with DRM.
mika91 said:
ok.
So if I want to root the XC, I have to unlock the bootloader, lose DRM and OTA?
How is the camera quality without the drm keys?
Thanks
You HAVE to unlock. There is NO root on LOCKED bootloader.
Unlocking bootloader deletes TA partition, containing DRM keys. You should BACKUP your TA partition BEFORE unlocking using DirtyCow Backup tool from Sony Cross Devices forum.
After unlocking, you can either flash kernel that supports DRM patching either by using fake DRM libraries, or your real DRM keys, either flashed in alternative location (see RootKernel tool in Z5 forums, works on almost all modern Xperias) or PoC TA tool from Sony Cross devices, that mounts your TA backup as TA partition, therefore your phone looks as having DRM keys and locked.
XperienceD said:
Assuming you're unable to unlock your BL the steps are as follows...
Flash back to 198.
Backup your TA.
Unlock your BL
Update to 311
Extract kernel - ftf/sin/elf
Run elf through Rootkernel_v5.23 - (In cmd prompt window - rootkernel kernel.elf boot.img)
Create DK ftf with Rootkernel_v5.23 (In cmd prompt window - flash_dk TA-19022017.img DK.ftf)
Flash new boot.img
Flash TWRP.img
Flash Super User zip
Flash DK.ftf with Flashtool 9.22
...and that should be it.
Would you mind detailing a bit more those steps, especially the first 2? I'm coming from a really old phone so I'm still a bit lost. (Where can I learn about ftf/sin/elf?)
How can we flash back to 198? Flashing doesn't require an unlocked BL, which to be achieved deletes your TA?
I'm on a brand new X Compact, 7.0 (34.2.A.0.292), secure patch 01/01/17
Managed to get flashtool, adb/fastboot and Universal TA Backup v2 on my PC but no dice on TA backup yet
fredsky2 said:
Would you mind detailing a bit more those steps, especially the first 2? I'm coming from a really old phone so I'm still a bit lost. (Where can I learn about ftf/sin/elf?)
Sure. You don't really need to learn about that stuff but it is handy to know, you'll pick stuff up along the way. They are basically firmware files.
fredsky2 said:
How can we flash back to 198? Flashing doesn't require an unlocked BL, which to be achieved deletes your TA?
Open the flashtool and run Xperifirm (icon with XI) on it, then browse to the XC, then click on F5321 and it will load up the different regions and available firmware. If you click on "check all" it will then show which FW is available to download, Central Europe 5 still shows as 198, so you need to select it on the right of the screen under the picture of the phone, it will then download and it's simply a matter of following the instructions to flash it.
fredsky2 said:
I'm on a brand new X Compact, 7.0 (34.2.A.0.292), secure patch 01/01/17
Managed to get flashtool, adb/fastboot and Universal TA Backup v2 on my PC but no dice on TA backup yet
When you get 198 on your phone then you'll be able to back up your TA. If you get stuck give us a shout.
XperienceD said:
Sure. You don't really need to learn about that stuff but it is handy to know, you'll pick stuff up along the way. They are basically firmware files.
Open the flashtool and run Xperifirm (icon with XI) on it, then browse to the XC, then click on F5321 and it will load up the different regions and available firmware. If you click on "check all" it will then show which FW is available to download, Central Europe 5 still shows as 198, so you need to select it on the right of the screen under the picture of the phone, it will then download and it's simply a matter of following the instructions to flash it.
When you get 198 on your phone then you'll be able to back up your TA. If you get stuck give us a shout.
Thank you, I was able to successfully back up my TA earlier yesterday. But now I'm struggling with how to restore it in MM 6.0.1 (34.1.A.1.198).
I've read that I'll need a custom kernel for that (and to get TWRP+supersu+magisk+xposed) but I'm unsure if I should use Genesis (probably unsupported but the only one that says it'll restore MY TA) or Advanced Stock Kernel from Androplus. I've read that messing with TA can hardbrick my phone so I'm trying to be extra careful.
At the moment I'm following ondrejvaroscak's quickrecap to make sure everything goes smooth with my TA keys and then I plan to downgrade to 6.0, install Advanced Stock Kernel, supersu 2.79 and magisk and then pray for the best (without reflashing my own DK.ftf?)
fredsky2 said:
Thank you, I was able to successfully back up my TA earlier yesterday. But now I'm struggling with how to restore it in MM 6.0.1 (34.1.A.1.198).
Download Flashtool 9.22.3 and flash your DK.ftf, flashing with a newer version doesn't work, you should then be able to verify it's worked in the service menu.
fredsky2 said:
I've read that I'll need a custom kernel for that (and to get TWRP+supersu+magisk+xposed) but I'm unsure if I should use Genesis (probably unsupported but the only one that says it'll restore MY TA) or Advanced Stock Kernel from Androplus. I've read that messing with TA can hardbrick my phone so I'm trying to be extra careful.
You can use the RootKernel tool to modify your own kernel, extract the kernel.sin from the ftf with a zip program, then use the flashtool to extract the kernel.elf, Tools-Sin Editor-Extract Data then run it through the RootKernel tool and flash the boot.img it creates, then flash TWRP separately to the recovery partition which will allow you then to flash SuperSU.
SuperSU and BusyBox are the only options I didn't include when creating my kernel. Others will have to help with the other two things you want as I refuse to use them.
XperienceD said:
Download Flashtool 9.22.3 and flash your DK.ftf, flashing with a newer version doesn't work, you should then be able to verify it's worked in the service menu.
You can use the RootKernel tool to modify your own kernel, extract the kernel.sin from the ftf with a zip program, then use the flashtool to extract the kernel.elf, Tools-Sin Editor-Extract Data then run it through the RootKernel tool and flash the boot.img it creates, then flash TWRP separately to the recovery partition which will allow you then to flash SuperSU.
SuperSU and BusyBox are the only options I didn't include when creating my kernel. Others will have to help with the other two things you want as I refuse to use them.
Thanks again. I was worried that the drm-fix from the kernel editing tool could corrupt my TA partition but thankfully I was wrong on that.
I'm now at MM 6.0, original DRM keys, TWRP, xposed, rooted with magisk and I'm almost sure that with busybox. Why do you refuse to use them? Just curious!
Thanks a lot for your help, cheers
fredsky2 said:
Thanks again. I was worried that the drm-fix from the kernel editing tool could corrupt my TA partition but thankfully I was wrong on that.
I flashed a kernel I made with the Rootkernel tool without the drm fix but it showed some mumbo jumbo where it should say ok and provisioned, included the drm fix in the next one and it worked fine then.
fredsky2 said:
I'm now at MM 6.0, original DRM keys, TWRP, xposed, rooted with magisk and I'm almost sure that with busybox. Why do you refuse to use them? Just curious!
Thanks a lot for your help, cheers
You're welcome. I refuse because I prefer to know how to mod apks directly and I found Xposed to be quite buggy. I can see the benefits, it's just not for me.