[XZp] rooted kernel hiding bootloader unlock with working fota - Sony Xperia XZ Premium ROMs, Kernels, Recoveries,
rooted kernel hiding bootloader unlock
with working sony stock fw fota updates
for Sony Xperia XZ Premium
Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader.
Also many sony drm functions are disabled if fw detects unlocked bootloader even if device master key was recovered.
I've implemented a kernel patch for xperia XZ1 Compact / XZ1 / XZ Premium phones that properly masks bootloader unlock status so it appears as still locked for sony stock firmwares.
This allows FOTA updates to be installed if running completely unmodified stock firmware. This is possible if this kernel is just booted from usb via fastboot instead of flashing it.
The kernel is pre-rooted, so you can have root as usual with magisk when running this kernel (you can use magisk system less patching to make changes to system/vendor partitions without actually modifying them).
For oreo fw the boot process is patched to hide magisk from sony ric daemon that stops the boot in case it thinks the bootloader is still locked. This special patch allows to pass safetynet including cts while having properly working magisk.
This kernel may be used (flashed) just to properly enable sony drm features, like video image enhancements, if device master key was recovered via locked state TA restore.
The bellow described way to install FOTA system update works with both - phone with TA restored and phone with drm keys lost. Both variants have been tested with xz1c.
How to use this kernel while planning to do FOTA system update eventually
Update: please see here for the latest usage instructions for kernels in flashable zip archive.
Please see screenshots bellow for this kernel in action (with xz1c) doing fota system update from oreo to pie and from pie to next pie version. There is also a video documenting this here. Few longer waiting parts have been cut out to fit the video under 15 minutes of youtube limit for not verified accounts.
if your bootloader is still locked
Use renoroot exploit to backup your TA, unlock your bootloader and restore TA-locked to recover device master key as described in
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented thread.
select one of the prepared kernels and download it
make sure you are running unmodified stock firmware
You need the version corresponding to the selected kernel - reflash the firmware to make sure it is unmodified.
Please note: any mount of /system or /vendor partitions in write mode would result with modifications even if nothing is copied there.
Be aware that some zip packages flashed from twrp may mount the partitions for write access even when that is not needed.
reboot the phone to fastboot mode
Use either "adb reboot bootloader" or
enter fastboot by holding powered off phone's volume up key while connecting it to PC via usb cable and use 'fastboot reboot bootloader' command.
boot the downloaded kernel via fastboot
For example (xz1c):
Code:
fastboot boot boot-G8441-47.1.A.16.20-hideunlock-rooted.img
enjoy your rooted phone which thinks it is still locked
Sony apps will be offered to install/update. System FOTA update may come.
Magisk will provide your root when magisk manager app is installed (offered on the first boot).
if you need to use a custom recovery, like TWRP
Do not flash it. If you do, FOTA update verification will fail.
Instead use 'fastboot boot' the same way as with the kernel above, but instead of the kernel, boot the twrp image without flashing it.
to install a FOTA system update
just start the update as usual
let it run until it finishes the installation
try to catch the restart then and hold volume up that time to enter fastboot
you need to use following command to make next boot working
Code:
fastboot reboot bootloader
use 'fastboot boot' to boot kernel for fw to which fota updating to,
for example (xz1c):
Code:
fastboot boot boot-G8441-47.2.A.4.45-hideunlock-rooted.img
if you miss the restart (or do not have the right kernel version),
it does not matter, the installation will finish even when bootloader unlock is detected with the last reboot to updated system,
so just 'fastboot boot' the corresponding 'hideunlock-rooted' kernel then
Alternative use of this kernel
If you do not like booting from usb via fastboot to startup your phone, you can flash the kernel and boot normally.
But if you like to install FOTA system update then, you would need to flash the stock kernel first in order to make the fw untouched again (assuming no other changes to the fw, like system or vendor partitions, have been done) and boot the patched kernel via 'fastboot boot' as described above.
You can backup stock kernel (and recovery) to avoid need to download full stock fw when you need to restore stock kernel & recovery when you decide to install fota system update - see here and following post for more details please.
If you do not care about FOTA, just do not install it.
And use this kernel just to enable all sony drm features that are available on a locked phone (assuming locked state TA has been restored).
In case you like to make some modifications to system or vendor partitions (as you do not care about fota), you would need to disable verity in the kernel - please see post#3 for noverity variants of oreo kernels and linked post describing howto switch verity off via magisk in all pie kernels.
Downloads
See the post#2 please.
Source code
patched kernel sources to hide bootloader unlock (my-bluhide/* branches)
https://github.com/j4nn/sonyxperiadev-kernel-copyleft
patched magisk sources to hide magisk from sony ric daemon on early boot phase (v19.1-manager-v7.1.2-ric branch)
https://github.com/j4nn/Magisk/tree/v19.1-manager-v7.1.2-ric
The patches are provided under GPL (that means you may include them in your builds, but you need to provide buildable source of released binaries /true for any kernel change btw/).
Credits
Thanks to @tonsofquestions for lot of initial testing of this concept when I did not have a phone with unlocked bootloader and for discovering the need to reboot to fastboot by a command to make the 'fastboot boot' command properly boot the supplied kernel image.
Thanks to @topjohnwu for his excelent magisk tool.
If you find my work useful, consider donating here please:
https://j4nn.github.io/donate/
Thank you.
XDA:DevDB Information
kernel_bluhide_maple, Kernel for the Sony Xperia XZ Premium
Contributors
j4nn
Source Code: https://github.com/j4nn/sonyxperiadev-kernel-copyleft
Kernel Special Features: proper hiding of bootloader unlock, sony ric with magisk hack
Version Information
Status: Stable
Stable Release Date: 2019-02-10
Created 2019-02-10
Last Updated 2019-08-07
Downloads
- hideunlock kernel pre-rooted boot images:
Xperia XZ Premium (G8141)
boot-G8141-47.1.A.16.20-hideunlock-magisk-19.1.img
boot-G8141-47.2.A.4.41-hideunlock-rooted.img
boot-G8141-47.2.A.6.30-hideunlock-rooted.img
boot-G8141-47.2.A.8.24-hideunlock-rooted.img
boot-G8141-47.2.A.10.28-hideunlock-rooted.img
boot-G8141-47.2.A.10.45-hideunlock-rooted.img
boot-G8141-47.2.A.10.62-hideunlock-magisk-19.3.img
Xperia XZ Premium Dual (G8142)
boot-G8142-47.1.A.16.20-hideunlock-magisk-19.1.img
boot-G8142-47.2.A.4.41-hideunlock-rooted.img
boot-G8142-47.2.A.6.30-hideunlock-rooted.img
boot-G8142-47.2.A.8.24-hideunlock-rooted.img
boot-G8142-47.2.A.10.28-hideunlock-rooted.img
boot-G8142-47.2.A.10.45-hideunlock-rooted.img
boot-G8142-47.2.A.10.62-hideunlock-magisk-19.3.img
- hideunlock kernels flashable to multi fw versions (see here for usage howto):
Xperia XZ Premium (G8141)
kernel-G8141-47.1.A.16.20-hideunlock.zip
kernel-G8141-47.2.A.10.62-hideunlock.zip
kernel-G8141-47.2.A.10.80-hideunlock.zip
kernel-G8141-47.2.A.10.107-hideunlock.zip
kernel-G8141-47.2.A.11.228-hideunlock.zip
Xperia XZ Premium Dual (G8142)
kernel-G8142-47.1.A.16.20-hideunlock.zip
kernel-G8142-47.2.A.10.62-hideunlock.zip
kernel-G8142-47.2.A.10.80-hideunlock.zip
kernel-G8142-47.2.A.10.107-hideunlock.zip
kernel-G8142-47.2.A.11.228-hideunlock.zip
Screenshots of XZ1c FOTA system update from oreo 47.1.A.16.20 to pie 47.2.A.4.45
(video available here)
Downloads
This is for alternative use only - please see post#10 of XZ1 thread for more details.
boot-G8141-47.1.A.16.20-hideunlock-magisk-19.1-noverity.img
boot-G8142-47.1.A.16.20-hideunlock-magisk-19.1-noverity.img
Screenshots of XZ1c FOTA system update from pie 47.2.A.4.45 to pie 47.2.A.6.30 version
(video available here since 08:10 time)
I am 47.2.A.2.33,can I use 47.2.A.6.30?
So this doesn't work at all with unlocked devices that doesn't have a backup
@j4nn
If the bootloader is unlocked???
And flashing this kernel, nothing happen
nonokirton said:
I am 47.2.A.2.33,can I use 47.2.A.6.30?
Click to expand...
Click to collapse
If you have 47.2.A.4.41 fw, flash that and then you can try FOTA to 47.2.A.6.30.
Let me know, if you need a build of 47.2.A.2.33 kernel, which variant of xzp, if you want to test fota and cannot find the appropriate older fw.
SilverGamer_YT said:
So this doesn't work at all with unlocked devices that doesn't have a backup
Click to expand...
Click to collapse
Actually FOTA works even with devices where "drm keys" have been lost.
I've just tested that (restoring TA-unlocked to get the lost keys state) and I was able to fully install fota from 47.2.A.4.45 to 47.2.A.6.30 using my patched kernel with XZ1c.
So for FOTA it is working. And with pie, camera works without device master key (both with stock and with this unlock hiding kernel).
You would not get video image enhancements obviously, but currently there is no drmfix available with pie that would make it work, is it?
So I guess this is quite good actually (in pie case) even for devices without TA restored.
@karrouma, I am not sure what you mean.
j4nn said:
If you have 47.2.A.4.41 fw, flash that and then you can try FOTA to 47.2.A.6.30.
Let me know, if you need a build of 47.2.A.2.33 kernel, which variant of xzp, if you want to test fota and cannot find the appropriate older fw.
Actually FOTA works even with devices where "drm keys" have been lost.
I've just tested that (restoring TA-unlocked to get the lost keys state) and I was able to fully install fota from 47.2.A.4.45 to 47.2.A.6.30 using my patched kernel with XZ1c.
So for FOTA it is working. And with pie, camera works without device master key (both with stock and with this unlock hiding kernel).
You would not get video image enhancements obviously, but currently there is no drmfix available with pie that would make it work, is it?
So I guess this is quite good actually (in pie case) even for devices without TA restored.
@karrouma, I am not sure what you mean.
Click to expand...
Click to collapse
If you unlocked your bootloader
And you are in pie,
This patch is not working
You want a brand new device to backup the drm from oreo
And it is ok after
karrouma said:
If you unlocked your bootloader
And you are in pie,
This patch is not working
You want a brand new device to backup the drm from oreo
And it is ok after
Click to expand...
Click to collapse
The kernel can be used on UB, just for updates though.
Beetle84 said:
The kernel can be used on UB, just for updates though.
Click to expand...
Click to collapse
Yes i know
But if you don't backup your ta partion
The message when booting still appearing
karrouma said:
If you unlocked your bootloader
And you are in pie,
This patch is not working
You want a brand new device to backup the drm from oreo
And it is ok after
Click to expand...
Click to collapse
As described above, the patched kernel enables fota system update even in case of unlocked phone with drm keys lost and the update can be installed as described.
So it is working even in the case which I originally assumed it would not work.
karrouma said:
Yes i know
But if you don't backup your ta partion
The message when booting still appearing
Click to expand...
Click to collapse
If you mean the "Your device software cannot be checked for corruption. Please lock the bootloader." message displayed right at the beginning of boot - that has nothing to do with (patched or not) kernel or not even with the state of phone's TA (if it was restored after unlock with from locked state backup or if "drm keys" got lost because TA was not backed up before unlock).
That message will be there just from the fact that the bootloader had been unlocked. It is displayed by bootloader even before kernel is loaded.
Restore of TA does not re-lock the bootloader (like it has been the case with some previous xperia generations), so we cannot get rid of that message ever after unlock of a phone.
But with that message Sony suggests to (re)lock the bootloader - maybe someone could claim it to make sony tell us how we should do the re-lock of the bootloader.
Great work I'll implement this into my kernel with credit to you!
@LazerL0rd, thanks for letting me know.
Just wondering, do you plan to support fota system update of stock fw as I did or is your goal just to mask that bootloader had been unlocked?
Anyway, it's good to see that my work is useful.
j4nn said:
As described above, the patched kernel enables fota system update even in case of unlocked phone with drm keys lost and the update can be installed as described.
So it is working even in the case which I originally assumed it would not work.
If you mean the "Your device software cannot be checked for corruption. Please lock the bootloader." message displayed right at the beginning of boot - that has nothing to do with (patched or not) kernel or not even with the state of phone's TA (if it was restored after unlock with from locked state backup or if "drm keys" got lost because TA was not backed up before unlock).
That message will be there just from the fact that the bootloader had been unlocked. It is displayed by bootloader even before kernel is loaded.
Restore of TA does not re-lock the bootloader (like it has been the case with some previous xperia generations), so we cannot get rid of that message ever after unlock of a phone.
But with that message Sony suggests to (re)lock the bootloader - maybe someone could claim it to make sony tell us how we should do the re-lock of the bootloader.
Click to expand...
Click to collapse
So if I use this kernel will I just have the same device as if it were locked but with root and that message? I'm currently having some issues with root at the moment. I'm using existenz ROM and the kernels in the thread and Snapchat keeps detecting that I'm not using legit software even though I don't even have magisk. Another thing is that if I uninstall magisk right now then my safetynet checks all fail without magisk which gives me issues with Google pay and these two problems are what make me wanna relock my bootloader. But after reading this apparently I can't even with the ta backup. So I'm mainly more concerned on a way to be able to use those applications right now and what the best possible way would be to go for it because I'm finding it difficult to find a method with or without magisk where I wouldn't get banned from Snapchat and where I would be able to use Google pay. Thanks for any suggestions it would be highly and greatly appreciated!
@RJASSI21, if you restored locked state TA and run unmodified stock fw with this kernel booted from usb via 'fastboot boot' command, you would get very close to still locked phone, but with fully working root (magisk), obviously with the unlocked warning message on boot.
I believe if you run the setup as just described, you would not have problems with apps detecting root, easily passing safetynet cts check.
The problem is when you install something like the mentioned existenz - that patches stock fw files directly and there may be processes (either in sony fw or downloaded with safetynet stuff from google or even in some apps) that discover these changes and therefore detect rooted system.
If you installed only proper magisk modules that comply with magisk system less rooting (i.e. no modifications in system nor vendor partitions) - such modules may be made hidden with magiskhide to certain apps or google's safety net check. If something simply is flashed into system or vendor partitions, it cannot be made hidden for picky processes.
That means if using only proper magisk systemless modules, you could have root and customizations, still run stock fw with verity enabled kernel booted from usb 'fastboot boot' and even allow fota system update and get it successfully installed (assuming that twrp is not flashed either, instead it is also booted from usb if needed).
j4nn said:
@RJASSI21, if you restored locked state TA and run unmodified stock fw with this kernel booted from usb via 'fastboot boot' command, you would get very close to still locked phone, but with fully working root (magisk), obviously with the unlocked warning message on boot.
I believe if you run the setup as just described, you would not have problems with apps detecting root, easily passing safetynet cts check.
The problem is when you install something like the mentioned existenz - that patches stock fw files directly and there may be processes (either in sony fw or downloaded with safetynet stuff from google or even in some apps) that discover these changes and therefore detect rooted system.
If you installed only proper magisk modules that comply with magisk system less rooting (i.e. no modifications in system nor vendor partitions) - such modules may be made hidden with magiskhide to certain apps or google's safety net check. If something simply is flashed into system or vendor partitions, it cannot be made hidden for picky processes.
That means if using only proper magisk systemless modules, you could have root and customizations, still run stock fw with verity enabled kernel booted from usb 'fastboot boot' and even allow fota system update and get it successfully installed (assuming that twrp is not flashed either, instead it is also booted from usb if needed).
Click to expand...
Click to collapse
Ok thank you for this information. So if I return to stock fw and use this kernel will I no longer get banned from things like snapchat?
https://forum.xda-developers.com/oneplus-6/help/snapchat-locking-magisk-hide-t3895685/page4
ive read in this link that its possible they detect root not magisk or the app. Also would i have to boot the kernel everytime i reboot the device? Also will i have 960fps recording back as an option and 4k in youtube?
@RJASSI21, sorry, I have no experience with snapchat or whatever that is.
As mentioned in my post above, you can get very close to locked stock particularly if locked TA was restored, including fota system update possibility.
But to keep fota system update, you would need to usb boot the kernel instead of flashing it. Or flash it and revert it before starting fota update. Same thing for twrp.
Everything is mentioned in the first and second post.
j4nn said:
@RJASSI21, sorry, I have no experience with snapchat or whatever that is.
As mentioned in my post above, you can get very close to locked stock particularly if locked TA was restored, including fota system update possibility.
But to keep fota system update, you would need to usb boot the kernel instead of flashing it. Or flash it and revert it before starting fota update. Same thing for twrp.
Everything is mentioned in the first and second post.
Click to expand...
Click to collapse
Ok so flashing this kernel would be like having a locked bootloader with root? This includes all the same features as a locked bootloader so 960fps recording and things like that. It would make it seem like it's locked and that if you put an XZP with a locked bootloader next to one with an unlocked bootloader you wouldn't be able to tell the difference?
Is that correct? Like is there anything at all that makes it noticeable at all that it's unlocked? Sorry for all the questions I just don't want to do this and then still have the same results after.
@RJASSI21, I would say so, at least in case of XZp.
With XZ1 / XZ1c you can tell the difference with use of Android Attest Key - but if I am not mistaken, that has never been present with XZp.
See "Android Attest Key lost" xz1c thread, post#98 and following posts up to post#103.
btw, could you please avoid full quoting of just last post you are replying to?
I do not think it is that useful, if the post that has been replied to is just above it, is it?
Sure thing sorry about that but everything should be answered for me now. I was unaware when unlocking the bootloader that having a ta backup wouldn't allow me to relock it so I'm just going to relock it on my z4 tablet instead since I wanted to anyway. Thanks for all the help.
Related
[Guide] Noob on Getting Started! Flashing CWM and more!
Right Seeing In Multiple Forums on devices More people who have purchased their Xperia Want to know How to.. and Where to get this.. How do I. FAQ: How do I enter Fastboot? *Below How do I enter Recovery mode? Below How do I Know when My device is In Fastboot or Recovery? Fastboot Blue LED lights upRecovery Green LED lights Up What's Recovery mode? Its basically a Recovery Such as Your device Wont Boot or has a Soft brick You can Flash a FTF (Factory Firmwares). Whats Fastboot? When You your device is In a mode that enables Custom Images to enter the device that are not signed by the manufacturer. Can also Flash CWM images and Userdata, Kernels, also The System Partition. FAQ end Whats A bootloader? A Software Which runs before the system is loaded telling the phone what to do. How do I unlock a Bootloader? There have been or always been a Soloution for Xperia Phones to be unlocked those being : Paid SETOOL/OMNIUS *This Maintains your DRM (Digital rights management keys) Basically To stop Things Like Track ID musci unlimited to be runned on other Phones. *Unlocks SIM network and Bootloader and Unlocks Fastboot. *You get a Backup of your system Files (Notice Only with Jinx13 or Aljeandrissimo) *Allows OTA updates to not brick the device. Sony's Unlock Bootloader Service: The Standard method for Unlocking removes DRM keys and OTA updates can Brick the device. Only for generic Sim Unlocked Phones! Which Can enter fastboot. S1tool: For generic Phones SIM unlocked. Maintains DRM and OTA dont brick. But No System Backup. Root? Superuser? What the... These Just allow Applications that require special levels of Security To function such as TB and Rootexplorer. SuperUser is what Gives you the Choice to Allow these apps run, And also Updates the SU binary files. Warranty? Can I keep 'em If I do it? No Most likely is the answer only a few areas allow Unlocked or rooted Phones (I think) But SETOOL and S1tool are non-reversable. Root can be reversed and Updating Via OTA wont harm it. But OTA maintains root. Flashtool. What is this X4L?.... Flashtool Is a Open source Tool lettting Xperia Users Flash FTF i mentioned earlier on, In more advance details You can maintain stuff like this ; I have baseband -56 and I want to keep it when I flash to Latest 4.0.A.0.62 So with options Just check Exclude Baseband Baym You got a Older Baseband On a New FW! First Time Enetering Recovery to Flash a FTF which Debrands the Phone!: Guide: Step 1) Power the device off and remove any USB in the Socket. Step 2)Hold The Back button arrow going this way "<--" and Plug the USB in to the Phone. Step 3)Let go when You see a Green LED appear. Im Bootloader Unlocked How do I enter Fastboot? Like Before Follow the Guide: Step 1) Power off the device remove any USB in the Port. Step2) Hold the Search Button "The magnifiying Scope" and Plug the USB in. Step 3) Let go when you see a Blue LED. Pre-Rooted Kernels and CWM? Kernels Such as Darkforest kernel & DoomLords Kernel Have a Pre-Root feature means you can root any FW you want. CWM what da?... CWM stands for Clock work mod ; Enables you to flash packages to add to your FW or Installing a ROM using a Edify Script. ClockWorkMod?Ya mentioned it before what's that? Its basically a Like "Recovery but Flashes .zip files with Scripts It reads to tell it what to do, This is still a Pain in my Hole "Edify" After Gingerbread It was vital to switch from Amend To Edify Because of major flaws.
[APP][Testing]Kernel/Zip/Recovery Flasher [flashify]
Hello guys, Whilst searching on google for some kernel flashing methods I saw an app named flashify... Since I can't use flashtool on my pc for flashing stuff, luckily got my bootloader unlocked via fastboot and half root turned into full root... Well, cutting the crap... Test this app... Flashify on both locked and unlocked bootloaders.... Get it from here - http://forum.xda-developers.com/showthread.php?t=2349847 Bugs-- Locked bootloaders-- None yet Unlocked Bootloaders -- Recovery image can't be flashed... Warning -- Half/Full root is needed in order to use this app.. Test and report back.. I will contact the developer to add support for our device too... So people without pc can have custom kernels with recoveries.. Thanks.
kaustubh.rockstar said: Hello guys, Whilst searching on google for some kernel flashing methods I saw an app named flashify... Since I can't use flashtool on my pc for flashing stuff, luckily got my bootloader unlocked via fastboot and half root turned into full root... Well, cutting the crap... Test this app... Flashify on both locked and unlocked bootloaders.... Get it from here - http://forum.xda-developers.com/showthread.php?t=2349847 Bugs-- Locked bootloaders-- None yet Unlocked Bootloaders -- Recovery image can't be flashed... Warning -- Half/Full root is needed in order to use this app.. Test and report back.. I will contact the developer to add support for our device too... So people without pc can have custom kernels with recoveries.. Thanks. Click to expand... Click to collapse "Your device didn't pass the compatibility test, therefore it isn't fully supported yet. Flashing boot/recovery will not work. I'll work to try to support as many devices as possible."
kaustubh.rockstar said: Hello guys, Whilst searching on google for some kernel flashing methods I saw an app named flashify... Since I can't use flashtool on my pc for flashing stuff, luckily got my bootloader unlocked via fastboot and half root turned into full root... Well, cutting the crap... Test this app... Flashify on both locked and unlocked bootloaders.... Get it from here - http://forum.xda-developers.com/showthread.php?t=2349847 Bugs-- Locked bootloaders-- None yet Unlocked Bootloaders -- Recovery image can't be flashed... Warning -- Half/Full root is needed in order to use this app.. Test and report back.. I will contact the developer to add support for our device too... So people without pc can have custom kernels with recoveries.. Thanks. Click to expand... Click to collapse Hey people I thinks this app is good but the negative you need custom recovery to flash zip files "then what's the point", I suggest you use this app Flash Gordon you don't need a custom recovery to flash zip file meaning those with locked bl can use this app to flash mode etc.
In the current release of Flashify and with my XM dual (locked bootloader) I can only backup the Kernel... none of the flashing options work, gives the "Your device didn't pass the compatibility test, therefore it isn't fully supported yet. Flashing boot/recovery will not work. I'll work to try to support as many devices as possible." message =/
Unlocking Bootloader and root
YES, I have read as much as I can in the forums (all day today, rather nice way to spend a holiday though). I have a Xperia Z1 Compact D5503 handset (FR SFR version, from eBay). I have recently updated it to Android 5.0.2 via XperiFirm tool. I flashed the Customized_IN version (D5503_Customized IN_1281-0184_14.5.A.0.242_R3D). It WAS NOT rooted and I don't remember if I had unlocked the bootloader. [I have a laptop running Windows 8.1 x64, with latest versions of XperiFirm, FlashTool x64, Android Studio (with Google USB driver), PC Companion. My laptop detects my phone as MTP (or MSC when I choose so), but in the Device Manager, it never shows as android adb device (always MTP, or USB stick). I tried Update Driver option but to no avail, it says the Google USB driver or the downloaded Z1 Compact driver (from Sony site) is not supported (either by the phone or the PC). But the phone shows debugging connected, even prompts my authorization (first time only). Flashmode and Fastboot modes are detected well enough.] Now, it says I am not allowed to unlock bootloader (via "*#*#7378423#*#* > Service Info > Configuration" menu). It shows the following: ------------------------------------------------------ Rooting Status: Bootloader unlock allowed: No ------------------------------------------------------ I am unable to unlock the bootloader (or root, yeah, that's the ultimate goal) via the following methods: 1. Official Sony Method, 2. ZergRush 3. TowelRoot, 4. Easy Root Tool, 5. Newroot (by Doomlord), 6. Flashtool (that BLU option), 7. Fastboot via cmd.exe, 8. Flashing pre rooted zip files (cannot open stock recovery option, does this have any? I used the stock recovery a lot on my old Samsung). Flashtool, cmd and Newroot showed variants of this same error: "only position independent executables (PIE) are supported." Sony gave me a code, but that also yielded another variant of the same. Now, as far as I have understood, what I need is one or more of the following: 1. a pre-rooted ftf file (someone said that is impossible as for Sony's encryption, is that right?) 2. some way to root without unlocking bootloader (Newroot does that, but did not work) 3. some way to override that crazy arrogance of Sony and unlock the bootloader and be my white knight... Can anyone provide me with a guide or some example? It is not at all fair of Sony to create these non-allowance nonsense. P.S. Please do not mind my tone, I am usually very docile but a whole day (literally; 6 AM to 6 AM next day!!!) in front of my PC without any result have mutated me a bit. BTW, I am fairly proficient in following complex instructions only if they are conclusive (I don't want to spend another day figuring out how to follow them)
i cannot contribute in any way, i just wanted to tell you you´re not the only one with the problem. if i find a solution i will get back to you
Flash .108 firmware, root with "rootkitxperia", install dualrecovery, use prf creator to make a flashable rooted zip of lollipop (if that's what you want) and flash in recovery. Job done
I'm actually relieved to see someone else experiencing the exact same problems, I've already spent several days figuring out how to unlock the bootloader and get my phone rooted, but to no avail. However my device does state that the bootloader can be unlocked, but can't be found through cmd prompt when connected in fastboot mode and get's the same error: 'only PIE (position independent executables) are supported when trying to unlock the bootloader with flash tool. White knights on problem solving horses would be greatly appreciated indeed!
I got a Z1C recently from eBay but have also done this on a Z Ultra and Z2, because of the cross development Sony stuff this is very similar for all of them. You only need to unlock the boot loader if you want to flash a custom kernel or ROM. You don't need to unlock it to get root access, however to get root access you'll have to flash an old version of Android. You're flashing an old version from before they patched the exploits you want to use to get root. So the steps are: 1. Get an old version of the official Sony ROM. 2. Flash the old ROM. 3. Exploit it to obtain root access. 4. Install a custom recovery. 5. Make a custom flashable zip of the firmware you want to use with root included. 6. Enter custom recovery and flash the zip you created in step five. The files I used to do this are: From XperiFirm I download "1280-5440 Netherlands T-Mobile NL 14.4.A.0.108 / R9C". Using Flashtool I made an FTF from it and flashed it. Then I used "EasyRootTool v12.4" to get root access. I installed "Z1C-lockeddualrecovery2.8.21-RELEASE.installer.zip" from Nut's site. Then you go back to XperiFirm and grab the version of Android you want to use. I used the 5.0.2 Customised AU one as I'm in Australia, you probably want the Indian one. Use PRFCreator to make a flashable zip with a custom recovery and SuperSU, for that you need the "Z1C-lockeddualrecovery2.8.21-RELEASE.flashable.zip" not the installer. There are posts with this info around, it's almost 5am for me so I'm not going to go looking for the links to the posts, you'll have to do that yourself. If you read for the day you've probably found them already.
First of all, I would advise against unlocking your bootloader unless you have a backup of your TA partition. Otherwise you risk losing your DRM keys and might criple your camera. This is irreversible damage without a backup. Second, on the official Sony unlock page it states specifically that not all devices are allowed to unlock the bootloader. If it doesn't, though luck then I guess but I could be wrong. Now to backup the TA partition you need to be rooted which is not possible up to now with Lollipop unless your bootloader is unlocked. So this is a bit of a problem. Luckily flashtool (make sure to use the older 0.9.18.6 version at the bottom of the download page) allows you to flash a previous version without unlocked bootloader or being rooted. Choose one from the list at the bottom of this link but make sure to use a .108 one from the "KitKat [Old]" section (I chose Generic UK unbranded => link points to UA version, UK FTF here). Then root it through one of your preffered methods, backup TA partition and install a recovery. Then create your own stock FTF with flashtool. Use this method with PC Companion or just download it through flashtool's built-in Xperifirm with this method. Then create your own pre-rooted flashable zip with PRFCreator with part 2 from this guide. Continue with part 3 from the same guide (maybe skip the 3 big cups of coffee), exhale and get on with your life. Maybe check out this one and this one (basically the same process) too. It's the same procedure as written above but with some links I used to gather the information. I just went through this myself so still had all the tabs open. These were most of the useful ones I believe. It really is a PITA to gather all the bits and pieces from miscellaneous posts scattered all over this forum.
Why flash a 108 kk and then root? Just create lollipop rom with prf creator and flash that.
spudata said: Why flash a 108 kk and then root? Just create lollipop rom with prf creator and flash that. Click to expand... Click to collapse PRFCreator doesn't make FTF's but flashable zips. From the PRFCreator thread: To flash a pre-rooted firmware, you need a recovery menu Click to expand... Click to collapse To install a recovery you need to be rooted (at least as far as I know) or have an unlocked bootloader. The point is not to unlock the bootloader at all (like when it is not possible) or maybe only after taking a backup of TA partition if not already done so (which again needs root access).
You're absolutely right, my mistake. Think i had a memory lapse
Imaging and rooting
Hi XDA I have a son with Asperger syndrome and that give parents sometimes unusual task to solve. He got a Sony xz2 compact, but he refuses to use a phone until the camera and google services are disabled, do to security lags. He wants to remove the system camera software to make sure no one can exploit the camera. In other words, he wants to be so anonymous and hacker free as possible - and the camera is a big issue for him. And yes, I know is possible to disable the camera in Sony configuration (and it's done) but that is not enough. I hope getting some help to find a solution this two tasks: 1) How to get or make an image of the phone to store/save in my pc so it can be restored if needed. 2) How to root the xz2 compact and uninstall the camera I will really appreciate some help in this issue. (sorry my English) Regards.
1. There is not much you can do, backup related on a Sony phone with locked bootloader. You can use google backup, if you want, but even Sony's solution won't work on a phone with Android Pie, after bootloader is unlocked (it would, if you are on Oreo and you would apply drm-fix after unlocking). Almost all other solutions need root, which you don't have on a locked phone. 2. In this thread you will find a step-by-step guide to install twrp recovery and root (by flashing Magisk) and the download for twrp recovery, made by @MartinX3 I won't link the recovery file itself, because it depends on the way you want to proceed. You can use Sonys stock rom or you can install aosp/omnirom. In your case i would use aosp or omnirom, because it comes without google crap and it is pure Android. You only need to delete/rename the camera with a root explorer and you are good to go. But i'm sure, @MartinX3 can tell you more about aosp or omnirom and how to flash it, because i have not used it yet. Anyway, camera is not finished on aosp/omni, so you won't loose very much.
old.splatterhand said: 1. There is not much you can do, backup related on a Sony phone with locked bootloader. You can use google backup, if you want, but even Sony's solution won't work on a phone with Android Pie, after bootloader is unlocked (it would, if you are on Oreo and you would apply drm-fix after unlocking). Almost all other solutions need root, which you don't have on a locked phone. 2. In this thread you will find a step-by-step guide to install twrp recovery and root (by flashing Magisk) and the download for twrp recovery, made by @MartinX3 I won't link the recovery file itself, because it depends on the way you want to proceed. You can use Sonys stock rom or you can install aosp/omnirom. In your case i would use aosp or omnirom, because it comes without google crap and it is pure Android. You only need to delete/rename the camera with a root explorer and you are good to go. But i'm sure, @MartinX3 can tell you more about aosp or omnirom and how to flash it, because i have not used it yet. Anyway, camera is not finished on aosp/omni, so you won't loose very much. Click to expand... Click to collapse Thanks for the useful information. I'm not very firm at the Android version (oreo or pie) - but the phone is a Sony Experia xz2 model H8324 and Android ver. 8.0.0 (patch level april 1, 2018). Hope this make sense
This is my first sony, so i'm not the "most helpful hand", i think. Backup related, if you use sony backup before unlock on oreo, you can flash drmfix after unlock and then you should be able to use sony backup to restore your data. If this is successful, you are rooted and you should be able to use Titanium Backup. But as sony newbie i don't know how far sonys backup solution goes. Anyway, i'll recommend in your case a rom like aosp or omni, because there are no Google things in it.
Why not cover the cameras with stickers if that's the biggest issue? You'll have to root the phone to completely disable all the G Apps, some of the firmware versions allow you to completely disable the G services - if you trust it.
You can use pm uninstall command thru adb shell. This way the app gets removed for the user, and thus seems totally removed. The apk itself do still remain in the system folder, and can be reinstalled if wanted, but can't be launched. This method do not need rooting either. You can't make and image of the phone, at least not without rooting it first. But that will break some stuff, like camera, and that can NOT be restored in ANY way (drm keys are lost forever). For most (all?) Xperia devices there are images available for flashing with FlashTool/Xperifirm, but note that this will not recover the lost drm keys if you unlocked the bootloader in the first place.
Question [CLOSED] Read this before rooting your Raven ***OBSOLETE***
Update 12-16-21: As of Magisk 23016, the below is no longer relevant; verity/verification need not be disabled for root.
For instructions on rooting your Pixel 6 Pro, see this guide.
This thread will be closed.
Spoiler: Obsolete information
For those of you who are planning on rooting:
Be aware that Android 12 changed the way boot images are loaded, at least on the Pixel 4, 4a, and 5. We have no reason to believe the Pixel 6/Pro will be any different.
V0latyle said:
Two new Verified Boot features implemented in Android 12 will interfere with attempts to root.
Dm-verity (device-mapper-verity) is a method by which an image on block devices (the underlying storage layer of the file system) can be checked to determine if it matches an expected configuration, using a cryptographic hash tree. If the hash doesn't match, dm-verity prevents the stored code from loading.
Vbmeta verification is the other half of this - it provides a cryptographically signed reference hash which is used to verify the integrity of /boot, /system, and /vendor partitions. The vbmeta image is only used to verify /boot, while vbmeta-system is used to verify /system.
This was implemented to prevent persistent rootkits by means of a hardware level security check, to prevent "potentially harmful applications" such as Magisk from evading detection, as such applications residing within the kernel will have higher privileges than the detection applications.
What this means is that with these two enabled, a modified boot image will cause a verification error when flashed to the device, preventing boot. Interestingly, this check is not performed against "live" boot images loaded via ADB, so with dm-verity and vbmeta verification enabled, a modified image can be booted as long as the image in /boot is intact.
Click to expand...
Click to collapse
Dm-verity and vbmeta verification will need to be disabled in order to flash a rooted boot image. Unfortunately, this means that you will have to wait for the factory firmware to be released.
fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
We also discovered that a data wipe is required in order to get permanent root; flashing /vbmeta with the disable flags gets you stuck in recovery with "Unable to load Android system, your data may be corrupted" error if you didn't wipe /data when you upgraded. To be clear, this only happens in a specific circumstance:
* You updated to Android 12 without a wipe, AND
* You reflash vbmeta with the disable flags
Here are some threads in the Pixel 5 forum on the matter:
[Guide] Root Pixel 5 with Magisk + Unlock Bootloader + Pass SafetyNet + More
[Guide] Root Pixel 5 with Magisk + Unlock Bootloader + Pass SafetyNet + More Android Security Bulletin—June 2023 Pixel Update Bulletin—June 2023 Introduction This Guide is for Pixel 5 owners that want to Root their phone, and enjoy the benefits...
forum.xda-developers.com
[Guide] Flash Magisk on Android 12
Trying to root the Pixel 5 running Android 12 by flashing a magisk-patched boot image results in the phone only booting to fastboot mode ("failed to load/verify boot images") Some users have reported that booting (instead of flashing) the patched...
forum.xda-developers.com
[GUIDE] Upgrade Beta to Android 12, *keep* root and data (no wipe!)
It seems the trick is to manually sideload OTA upgrade, then flash vbmeta and patched boot image, all without rebooting in between. Important Notes: DO NOT take the OTA directly from your phone's System Upgrade settings item. This assumes you...
forum.xda-developers.com
[Closed] Android 12 Update and Root ***Obsolete***
Update 12-16: I am closing this thread as it is no longer relevant. Please refer to this guide.
forum.xda-developers.com
[CLOSED] Android 12 Upgrade Discussion
I am closing this thread as it is no longer relevant. For rooting instructions or further discussion, please go here.
forum.xda-developers.com
The loss of "Hide Magisk" in the lastest release means a few of my apps (banking and work expense) are not going to work if I root my Pixel 6 P. So disappointing. I will miss GravityBox the most, but will learn to live without it.
swieder711 said: The loss of "Hide Magisk" in the lastest release means a few of my apps (banking and work expense) are not going to work if I root my Pixel 6 P. So disappointing. I will miss GravityBox the most, but will learn to live without it. Click to expand... Click to collapse Magisk 23010 has DenyList, which works exactly like MagiskHide. However, getting Safetynet to pass is more complicated, as Riru is not compatible with 23010, so you can't use Universal SafetyNet Fix 2.0.0 or newer. So, I went back to Magisk 23001.
That was only for Android 12 beta. Since official build has been released you no longer need to disable DM verify etc. But still need boot.img to be patched which requires download of factory image which we can't do atm.
V0latyle said: Magisk 23010 has DenyList, which works exactly like MagiskHide. However, getting Safetynet to pass is more complicated, as Riru is not compatible with 23010, so you can't use Universal SafetyNet Fix 2.0.0 or newer. So, I went back to Magisk 23001. Click to expand... Click to collapse Thanks for pointing out that Riru is not compatible. I thought I was doing something wrong. In order to roll back to an earlier version of Magisk, do I need to uninstall Magisk 23010 and unroot, reflash the original boot.img, install Magisk 23001, use it to patch the original boot.img, and then reflash?
Nekromantik said: That was only for Android 12 beta. Since official build has been released you no longer need to disable DM verify etc. But still need boot.img to be patched which requires download of factory image which we can't do atm. Click to expand... Click to collapse Incorrect. DM verity and vbmeta verification MUST be disabled to run a patched boot image. This is true regardless of whether it's the 12 Beta or the public release. diesteldorf said: Thanks for pointing out that Riru is not compatible. I thought I was doing something wrong. In order to roll back to an earlier version of Magisk, do I need to uninstall Magisk 23010 and unroot, reflash the original boot.img, install Magisk 23001, use it to patch the original boot.img, and then reflash? Click to expand... Click to collapse Remove Magisk via the Uninstall option within the app; first use Restore Images, then use Complete Uninstall. This will restore the boot image, so you don't have to. It will then reboot the phone. At that point, yes, you would install the older version of Magisk, then root as usual by patching the boot image.
V0latyle said: Incorrect. DM verity and vbmeta verification MUST be disabled to run a patched boot image. This is true regardless of whether it's the 12 Beta or the public release. Click to expand... Click to collapse Will we be able to flash the OTA every month without wiping now? Just add the DM verity and vbmeta stuff before flashing the patched boot image?
Ghisy said: Will we be able to flash the OTA every month without wiping now? Just add the DM verity and vbmeta stuff before flashing the patched boot image? Click to expand... Click to collapse Had the updates changed at some point? On the Pixel 1 we were able to remove the -w from the update script to flash without wiping.
Ghisy said: Will we be able to flash the OTA every month without wiping now? Just add the DM verity and vbmeta stuff before flashing the patched boot image? Click to expand... Click to collapse One of our users, @HumorBaby was able to upgrade from the 12 Beta via OTA. See his guide here. This should, in theory, work for the monthly updates as well. What is currently unknown is whether a data wipe will be required prior to root if updated via other methods (factory image or automatic OTA).
V0latyle said: One of our users, @HumorBaby was able to upgrade from the 12 Beta via OTA. See his guide here. This should, in theory, work for the monthly updates as well. What is currently unknown is whether a data wipe will be required prior to root if updated via other methods (factory image or automatic OTA). Click to expand... Click to collapse Oh good, thanks. I always sideload the OTA via ADB. So I guess that's fine!
roirraW edor ehT said: Had the updates changed at some point? On the Pixel 1 we were able to remove the -w from the update script to flash without wiping. Click to expand... Click to collapse It sounds like you may update the same way I do. Each month flash the factory image without the -w, patch the boot image and flash the patched boot image? It sounds like (of course we don't know for sure yet) that we will still be able to do it this way each month except before flashing the patched boot image we'll have to disable DM verity and vbmeta verification first, reboot into bootloader, flash vbmeta.img (or just flash vbmeta with those flags disabled-easier), reboot to bootloader and then flash the patched boot image. Is this the way you're seeing it?
Lughnasadh said: It sounds like you may update the same way I do. Each month flash the factory image without the -w, patch the boot image and flash the patched boot image? It sounds like (of course we don't know for sure yet) that we will still be able to do it this way each month except before flashing the patched boot image we'll have to disable DM verity and vbmeta verification first, reboot into bootloader and then flash the patched boot image. Is this the way you're seeing it? Click to expand... Click to collapse Yes, exactly, I use the full image and flash everything else that's necessary afterwards to stay rooted / have my custom kernel (when applicable). And yes, that sounds right too for what we're likely going to need to do.
V0latyle said: Incorrect. DM verity and vbmeta verification MUST be disabled to run a patched boot image. This is true regardless of whether it's the 12 Beta or the public release. Remove Magisk via the Uninstall option within the app; first use Restore Images, then use Complete Uninstall. This will restore the boot image, so you don't have to. It will then reboot the phone. At that point, yes, you would install the older version of Magisk, then root as usual by patching the boot image. Click to expand... Click to collapse https://forum.xda-developers.com/t/guide-root-pixel-5-android-12.4187609/ Read Index 4, Point 2 Its only for people upgrading to Android 12.
Nekromantik said: That was only for Android 12 beta. Since official build has been released you no longer need to disable DM verify etc. But still need boot.img to be patched which requires download of factory image which we can't do atm. Click to expand... Click to collapse Again, incorrect. This issue is -not- limited to the beta and has been present for users upgrading to the public release. Nekromantik said: https://forum.xda-developers.com/t/guide-root-pixel-5-android-12.4187609/ Read Index 4, Point 2 Its only for people upgrading to Android 12. Click to expand... Click to collapse The Pixel 6 is launching with Android 12, is it not? Disabling Android Verified Boot is not specific to the upgrade; rather, it's required for root on Android 12. If AVB is implemented on the Pixel 6 in any similarity to the Pixel 4 and 5 series - which there is an extremely good chance it is - then disabling it will be REQUIRED to use a patched boot image. Note who is in the credits for that post. roirraW edor ehT said: Yes, exactly, I use the full image and flash everything else that's necessary afterwards to stay rooted / have my custom kernel (when applicable). And yes, that sounds right too for what we're likely going to need to do. Click to expand... Click to collapse As I'm sure you're aware, you can either update using the OTA, or you can dirty flash the factory image. DM-Verity and vbmeta verification will have to be disabled every time /vbmeta is flashed. Thus, the easiest way to update, and disable AVB at the same time, would be to dirty flash the system update: Code: fastboot update --disable-verity --disable-verification raven-image.zip
V0latyle said: Again, incorrect. This issue is -not- limited to the beta and has been present for users upgrading to the public release. The Pixel 6 is launching with Android 12, is it not? Disabling Android Verified Boot is not specific to the upgrade; rather, it's required for root on Android 12. If AVB is implemented on the Pixel 6 in any similarity to the Pixel 4 and 5 series - which there is an extremely good chance it is - then disabling it will be REQUIRED to use a patched boot image. Note who is in the credits for that post. As I'm sure you're aware, you can either update using the OTA, or you can dirty flash the factory image. DM-Verity and vbmeta verification will have to be disabled every time /vbmeta is flashed. Thus, the easiest way to update, and disable AVB at the same time, would be to dirty flash the system update: Code: fastboot update --disable-verity --disable-verification raven-image.zip Click to expand... Click to collapse hmm ok this sucks hope devs aint put off and then we get zero development. My OP8 Pro at least has Havoc and AICP
Nekromantik said: hmm ok this sucks hope devs aint put off and then we get zero development. My OP8 Pro at least has Havoc and AICP Click to expand... Click to collapse I wouldn't worry too much. Getting past roadblocks has always been part of the fun. I've always loved making technology do what it's not supposed to do.
Nekromantik said: hmm ok this sucks hope devs aint put off and then we get zero development. My OP8 Pro at least has Havoc and AICP Click to expand... Click to collapse roirraW edor ehT said: I wouldn't worry too much. Getting past roadblocks has always been part of the fun. I've always loved making technology do what it's not supposed to do. Click to expand... Click to collapse I don't think this was necessarily intentional; I believe Google is just trying to make Android more secure, and in so doing, may have inadvertently made things harder for us. The whole point of Android Verified Boot is to prevent malicious code from being loaded at boot time - such as persistent rootkits. Unfortunately, things like Magisk fall into that category. What's a bit confusing to many of us was that we were under the impression that unlocking the bootloader should have been sufficient to disable AVB, and there shouldn't be extra steps. One would think that there would be a discernable difference between malicious attempts at compromising device and system security, vs deliberate. We all understand that running a rooted device has risk, including a potential attack vector, so why wouldn't Google just let us assume that risk and do whatever we want with the hardware?
V0latyle said: We all understand that running a rooted device has risk, including a potential attack vector, so why wouldn't Google just let us assume that risk and do whatever we want with the hardware? Click to expand... Click to collapse You bring up some good points. One of the reasons I buy directly from Google is they don't typically invalidate legitimate warranty issues because the bootloader was unlocked. However, maybe they are concerned about someone rooting their phone, overclocking the processor. blowing the speakers, and then trying to claim a warranty replacement. However, most people that root won't be so careless and most warranty issues are completely unrelated to whether the bootloader was unlocked.
@Nekromantik I think I misunderstood the point you may have been trying to make. Yes, we discovered that a data wipe is required to root after upgrading to Android 12. We do not yet know if a data wipe will be required to root on a device that had an original CLEAN install of Android 12. It's definitely an excellent question, and something us Pixel 4/5 guys can test while you wait for your firmware drop.
V0latyle said: @Nekromantik I think I misunderstood the point you may have been trying to make. Yes, we discovered that a data wipe is required to root after upgrading to Android 12. We do not yet know if a data wipe will be required to root on a device that had an original CLEAN install of Android 12. It's definitely an excellent question, and something us Pixel 4/5 guys can test while you wait for your firmware drop. Click to expand... Click to collapse Yes thats what I was referring to on first point As long as you dont need to wipe after every update then its all good