As there doesn't seem to be a place where developers can put their heads together working on a root exploit, I shall start one.
An exploit that gives system level privileges (not root) was released earlier today http://seclists.org/fulldisclosure/2014/Nov/51 so I decided to look into how Sony's apps access the DRM on Z3. I looked into the androidmanifest.xml of the ServiceMenu.apk and found this permission:
<uses-permission android:name="com.sonymobile.permission.ACCESS_DRM"/>
I am pretty sure this is only allowed for system apps as: ServiceMenu is listed as
android:sharedUserId="android.uid.system"
and is located in /system/app/
I am interested in what this permission actually gives access to. If it gives access to the DRM keys themselves, backing them up would not be too much of a problem and they could most likely be restored fairly easily after unlocking. This permission could also simply give access to a check if the DRM keys are valid (much less useful for us). I would be interested in having someone with root debugging the service menu and determining what actually gets called when checking the status.
I hope this belongs here and I hope some other developers who actually have access to a device right now (RMA ) could help and work together. If this doesn't belong here let me know.
backup TA
what does this method please: download a correct firmware with pc companion, decrypt these with Flashtool and start then a backup with these files.
then I have a backup from my original ROM including the TA partition.
is that correct?
konsolen said:
what does this method please: download a correct firmware with pc companion, decrypt these with Flashtool and start then a backup with these files.
then I have a backup from my original ROM including the TA partition.
is that correct?
Not as I understood it: in order to back up the TA partition you need root, but the only way to gain root access currently is by unlocking the bootloader, which wipes the TA partition -> you need a backup done before unlocking BL, so we need an exploit which grants us root access or access to install supersu without unlocking BL first, then you can back up TA and all is fine
Yes, I also thought so.
But then I tried to download a firmware for my plugged-in device with Sony's PC Companion.
Then after the decrypt I see there is a TA partition.
I wrote to Sony asking if every SGP621 can use these downloaded firmware blobs.
I got the answer that this is only for the tab which was plugged in at the beginning.
So my thinking was that this is a complete backup of my device with the device-specific TA partition, because like, can this unbrick a totally bricked device.
How can I tell if this TA partition is the correct one?
My produced TA backup has the following inside:
shinano r2 boit config data
author: akio yoshikawa,
Format: TA Partition <HEX8>
UnitID<hex32> UnitSize<hex32> data<hex32>
and here then codes
^^ DRM keys aren't in the ftf, they are device specific, so to save you some time, there's not likely anything of interest to be found in any decryption of ftf TA partition. (The TA partition is used for more than just DRM btw..)
iBuzman said:
^^ DRM keys aren't in the ftf, they are device specific, so to save you some time, there's not likely anything of interest to be found in any decryption of ftf TA partition. (The TA partition is used for more than just DRM btw..)
Yes sir, I know. But that's no normal firmware file. That firmware is only for the device ID that started the repair process.
That's a copy of the firmware that's on this device. If you flash this on your device with a Phyton Box it will fullbrick.
I found in the ta backup tool:
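rem %BB% and %1 are defined elsewhere in the tool (not shown in this excerpt);
rem the !var! syntax needs delayed expansion to be enabled earlier in the script.
rem Print the label without a newline, then count (at most one) case-insensitive
rem match of the marker string in the raw partition.
set /p "=Searching for S1 Boot..." < nul
tools\adb.exe shell su -c "%BB% cat /dev/block/%1 | %BB% grep -s -m 1 -c -i 'S1_Boot'">tmpbak\backup_matchS1_Boot
set /p backup_matchS1_Boot=<tmpbak\backup_matchS1_Boot
if "!backup_matchS1_Boot!" == "1" (
echo +
) else (
echo -
)
set /p "=Searching for S1 Loader..." < nul
tools\adb.exe shell su -c "%BB% cat /dev/block/%1 | %BB% grep -s -m 1 -c -i 'S1_Loader'">tmpbak\backup_matchS1_Loader
set /p backup_matchS1_Loader=<tmpbak\backup_matchS1_Loader
rem The excerpt was cut off here; the branch is closed the same way as the one above.
if "!backup_matchS1_Loader!" == "1" (
echo +
) else (
echo -
)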
Exactly that S1 Loader Boot i get after the uncrypt.
Maybe it could help in some way http://seclists.org/fulldisclosure/2014/Nov/81
Xani.e said:
Bounty thread
The link with the exploit seems very interesting.
I just put together a POC of the exploit. I was able to launch a few apps, including Root Explorer, from the Add Account dialog. Unfortunately, I couldn't get anything to modify any contents of /system. After looking at the permissions, /system is still under root ownership, so that makes sense. I'm not sure what elevated access file-wise the system user has, if any, beyond a normal user. Sending spoof SMS and doing factory reset isn't going to get us very far lol.
elkay said:
I just put together a POC of the exploit. I was able to launch a few apps, including Root Explorer, from the Add Account dialog. Unfortunately, I couldn't get anything to modify any contents of /system. After looking at the permissions, /system is still under root ownership, so that makes sense. I'm not sure what elevated access file-wise the system user has, if any, beyond a normal user. Sending spoof SMS and doing factory reset isn't going to get us very far lol.
Lol, thanks for your work with the POC. Now, I'm sure I'm just stating the obvious, but the way I understand it is that we don't really need to modify any files. As long as we can just read the TA partition to make a backup, that's good enough. Guessing that wasn't possible, though? Right?
elkay said:
I'm not sure what elevated access file-wise the system user has, if any, beyond a normal user. Sending spoof SMS and doing factory reset isn't going to get us very far lol.
It seems that system apps have the permission to use "com.sonymobile.permission.ACCESS_DRM" :
minijaws said:
I looked into the androidmanifest.xml of the ServiceMenu.apk and found this permission
<uses-permission android:name="com.sonymobile.permission.ACCESS_DRM"/>
I am pretty sure this is only allowed for system apps as: ServiceMenu is listed as
android:sharedUserId="android.uid.system"
and is located in /system/app/.
Xani.e said:
It seems that system apps have the permission to use "com.sonymobile.permission.ACCESS_DRM" :
I'll look into this later tonight or tomorrow. Have to head out for the day now.
EDIT - Nm, found the info I needed. Will continue this tonight.
---------- Post added at 01:55 PM ---------- Previous post was at 01:30 PM ----------
Xani.e said:
It seems that system apps have the permission to use "com.sonymobile.permission.ACCESS_DRM" :
Got antsy and tried it real quick since I have it set up already to do so. From launching Better Terminal Emulator via the exploit, I tried issuing:
dd if=/dev/block/platform/msm_sdcc.1/by-name/TA of=TA.img
But I still got permission denied. I'll do some more debugging later to ensure that I'm actually getting BTE running as System user.
elkay said:
I'll look into this later tonight or tomorrow. Have to head out for the day now.
EDIT - Nm, found the info I needed. Will continue this tonight.
---------- Post added at 01:55 PM ---------- Previous post was at 01:30 PM ----------
Got antsy and tried it real quick since I have it set up already to do so. From launching Better Terminal Emulator via the exploit, I tried issuing:
dd if=/dev/block/platform/msm_sdcc.1/by-name/TA of=TA.img
But I still got permission denied. I'll do some more debugging later to ensure that I'm actually getting BTE running as System user.
Some more digging has shown that BTE is still running as the app user, not System, when issuing the 'id' command. Looks like native code will need to be executed from the intent rather than launching another app. I'm not sure how to go about executing the 'dd' command from busybox manually from an intent.
elkay said:
Some more digging has shown that BTE is still running as the app user, not System, when issuing the 'id' command. Looks like native code will need to be executed from the intent rather than launching another app. I'm not sure how to go about executing the 'dd' command from busybox manually from an intent.
Don't think it'll be useful since TA partition has permission 600 and the owner is root
eskamhl said:
Don't think it'll be useful since TA partition has permission 600 and the owner is root
Yeah I just noticed that, too. Don't think this exploit is going to do much of anything for us. Looks like System isn't much more privileged than a normal user, from a filesystem perspective.
Instead of trying to backup ta wouldn't it be more useful to try and push supersu binary and app? Once we get this we have access to ta anyways + root seems to be the bigger advantage
EricCartmanez said:
Instead of trying to backup ta wouldn't it be more useful to try and push supersu binary and app? Once we get this we have access to ta anyways + root seems to be the bigger advantage
That would be ideal, but System isn't enough to write to anywhere that I'm aware of that we can push the binaries somewhere usable.
iBuzman said:
coz no delete option.....
I read your original post. What theme apks were you talking about? Wouldn't modifying the apk code require a resign anyway? I'm just curious which apks you meant because I wasn't aware of those.
Is it possible?
Anyone with root on the Z3 makes a backup from root with this (play.google.com/store/apps/details?id=com.Supersu_Root_Copy_2) app, and all other users can restore the backup of this one person?
If the root or supersu binary needs specific hardware IDs to restore, can I rip these if I use gnu root (whezzyx) to read the specific ID and hardware tags of my original ROM? Or is it possible only with gnu-root to back up the TA partition with help from ADB tools?
elkay said:
I read your original post. What theme apks were you talking about? Wouldn't modifying the apk code require a resign anyway? I'm just curious which apks you meant because I wasn't aware of those.
I was under the impression (probably incorrectly) we actually get away with not resigning, and checking permissions for theme apps suggests system write access - I'll find my original notes on this (from a hangout I had with [NUT] on the topic). my idea was to use a modified theme apk to inject su binary (and I have no idea how to do that)
edit (notes on themes copy/paste from hangout)
just looking into com.android.systemui - and yes looks like it is whitelisted for get "MODE_ALLOWED" default access. Sony signatures seem to remain when making themes so maybe something can be "snuck" into the app to allow root?
I think we got it in unified Xperia section.
Hello,
I want to remove Vodafone's boot animation but don't want to root my device. To do that, I must either edit /system/customize/CID/VODAP**.xml or push proper VF_bootanimation.zip into /system/customize/resource. I am not able to do it neither from adb nor from adb shell - there is read-only warning or "permission denied".
Is there a way I can access this XML file, like:
a) registering on HTCDev as a developer
b) mount phone internal memory (/dev/block/mmcblk0p43) to a PC as a mounted drive while phone is switched off and then change its content (is this called 'fastboot'?)
BR
Plodozhor
plodozhor said:
Hello,
I want to remove Vodafone's boot animation but don't want to root my device. To do that, I must either edit /system/customize/CID/VODAP**.xml or push proper VF_bootanimation.zip into /system/customize/resource. I am not able to do it neither from adb nor from adb shell - there is read-only warning or "permission denied".
Is there a way I can access this XML file, like:
a) registering on HTCDev as a developer
b) mount phone internal memory (/dev/block/mmcblk0p43) to a PC as a mounted drive while phone is switched off and then change its content (is this called 'fastboot'?)
BR
Plodozhor
I think you need S-OFF to edit system files. At the moment not possible
plodozhor said:
Hello,
I want to remove Vodafone's boot animation but don't want to root my device. To do that, I must either edit /system/customize/CID/VODAP**.xml or push proper VF_bootanimation.zip into /system/customize/resource. I am not able to do it neither from adb nor from adb shell - there is read-only warning or "permission denied".
Is there a way I can access this XML file, like:
a) registering on HTCDev as a developer
b) mount phone internal memory (/dev/block/mmcblk0p43) to a PC as a mounted drive while phone is switched off and then change its content (is this called 'fastboot'?)
BR
Plodozhor
kativiti said:
I think you need S-OFF to edit system files. At the moment not possible
You will have to flash a custom kernel on your phone that removes the write protection. So only unlocking the bootloader and flashing the kernel is sufficient. If you haven't unlocked your bootloader yet, back up all the data from the internal memory because it gets wiped
Thanks for answers everybody. I am little bit afraid of flashing foreign ROM because it replaces phone's existing ROM and warranty might be void. What I want to do is to keep the existing ROM, and alter one XML file in the customize folder.
I would like to rather have a scenario of mounting the phone memory as 'external removable drive' to some other system. For example, couple of years ago I played around with my home router - I was able to mount my home router's memory to PC running Linux and change some tweaks in the resulting /mount directory. Can I do something similar with mini 2? What is fastboot tool from ADB suite?
Maybe there is another, easier way for eradicating ad bootanimation? Currently I see 3 options: change CID so VODAP102.xml is not triggered; post fixed VF_bootanimation.zip; or change VODAR102.xml.
I am a programmer, however I never worked with writing apps for Android. Is there a way HTCDev-enabled developer can access /customize folder? Like remounting /mmcblk0p43 with RW permission etc.
Thanks in advance and sorry for 'noobism'
plodozhor said:
Thanks for answers everybody. I am little bit afraid of flashing foreign ROM because it replaces phone's existing ROM and warranty might be void. What I want to do is to keep the existing ROM, and alter one XML file in the customize folder.
I would like to rather have a scenario of mounting the phone memory as 'external removable drive' to some other system. For example, couple of years ago I played around with my home router - I was able to mount my home router's memory to PC running Linux and change some tweaks in the resulting /mount directory. Can I do something similar with mini 2? What is fastboot tool from ADB suite?
Maybe there is another, easier way for eradicating ad bootanimation? Currently I see 3 options: change CID so VODAP102.xml is not triggered; post fixed VF_bootanimation.zip; or change VODAR102.xml.
I am a programmer, however I never worked with writing apps for Android. Is there a way HTCDev-enabled developer can access /customize folder? Like remounting /mmcblk0p43 with RW permission etc.
Thanks in advance and sorry for 'noobism'
I'm not talking about flashing a ROM, but only just a kernel. Flash the Liberty Sense kernel and then you can customise the boot animation
csoulr666 said:
I'm not talking about flashing a ROM, but only just a kernel. Flash the Liberty Sense kernel and then you can customise the boot animation
Will I be able to flash original kernel back?
Also, the phone will lose warranty?
plodozhor said:
Will I be able to flash original kernel back?
Also, the phone will lose warranty?
If you make a backup of your rom via a custom recovery, then yes. And unfortunately unlocking the bootloader and flashing a custom kernel will void the warranty
Hi all!
I'm happy to say that, thanks to iovyroot, and with a lot of help from zxz0O0, we managed to create a new root tool for the Xperia M2, EagleRootTool, meaning we don't actually need to use Kingroot anymore to root LBL devices under latest Lollipop firmware
However, since this root binary is compatible with (probably) any kernel built before December 2015, I thought of making the tool compatible with some other devices, like your ZR, since it's actually very similar to my device.
Unfortunately, since this tool's based on some kernel-specific addresses, to make it compatible with other devices like the ZR, I need them from every single variant.
I'm going to take for reference all models and firmware build numbers from XperiFirm.
WHAT YOU NEED:
- An already rooted device in 10.7.A.0.228 (10.7.A.0.222 might be compatible too) (it doesn't matter if it was rooted by Kingroot, or via UBL methods).
- A little of Android general knowledge: Usage of ADB (mainly).
- Patience.
DEVICES:
- C5503 ✓
- C5502
HOW TO DO IT?:
Just open an ADB prompt and run a shell in it. Then, run the following commands, replacing the *location with storage/sdcard1 if you want to use your SD Card, or with data/media/0 if you want to use the internal memory.
Code:
su
cat /proc/version > /*location/version.txt
echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms > /*location/kallsyms.txt
(remember to hit enter after each line of the above)
Now upload those two files (version.txt & kallsyms.txt) wherever you want, or attach them in your comment, saying which model they're from, and I'll add the required offsets to support your device manually!
________________________
DISCLAIMER: This is NOT a placeholder NOR Spam thread. I just want to help this device users to get them supported in a common Lollipop Xperia rooting toolkit, since this device won't get Marshmallow, and has a compatible kernel. If you, moderator or user, decide to close/report this thread, I may understand it, but think it twice before doing it.
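The dump requested above only carries real addresses when kptr_restrict allows it: at 2 every address in /proc/kallsyms reads as zeros even for root, at 1 only a reader holding CAP_SYSLOG sees real values. The check below is an added example, not part of the post or of EagleRootTool; it reports whether a kallsyms.txt exposes kernel addresses or is masked. The function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added illustration: classify a /proc/kallsyms dump as masked or exposed.
# Function names are hypothetical; sample data below is constructed.

# kallsyms_report [FILE] -> "total=N masked=M exposed=E malformed=X"
# Reads FILE, or standard input when no file is given.
kallsyms_report() {
    awk '
        # A kallsyms line is: <hex address> <type letter> <symbol> [module]
        NF < 3 || $1 !~ /^[0-9a-fA-F]+$/ || length($2) != 1 { bad++; next }
        { total++ }
        # An all-zero address is what a restricted reader gets back.
        $1 ~ /^0+$/ { masked++; next }
        { exposed++ }
        END {
            printf "total=%d masked=%d exposed=%d malformed=%d\n",
                   total, masked, exposed, bad
        }
    ' "${1:--}"
}

# kallsyms_state [FILE] -> "empty", "masked" (every address is zero)
# or "exposed" (at least one real address is present).
kallsyms_state() {
    r=$(kallsyms_report "$@")
    case $r in
        total=0\ *)      echo empty ;;
        *" exposed=0 "*) echo masked ;;
        *)               echo exposed ;;
    esac
}

# Constructed sample: what a privileged reader sees with kptr_restrict at 1.
sample_exposed() {
    cat <<'EOF'
c0008000 T _text
c0008000 T stext
c00081c0 t __create_page_tables
bf000000 t demo_init [demo_mod]
EOF
}

# Constructed sample: the same symbols read while addresses are masked.
sample_masked() {
    cat <<'EOF'
00000000 T _text
00000000 T stext
00000000 t __create_page_tables
EOF
}
```

A result of "exposed" also means the file reveals the kernel's memory layout, so the same check works as an audit of what a shared log bundle gives away.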
Definitely interesting.
In case no one is quicker I'll give the commands a go and revert when I'm home during the week.
Another note, any possibility for getting this on another complete different device? (I am looking for my daily one, a vk6050s which has a kernel date of Nov 6)
Sent from my vk6050s using Tapatalk
rufy93 said:
Definitely interesting.
In case no one is quicker I'll give the commands a go and revert when I'm home during the week.
Another note, any possibility for getting this on another complete different device? (I am looking for my daily one, a vk6050s which has a kernel date of Nov 6)
Sent from my vk6050s using Tapatalk
I see no problem (apart from being 64bits, it might be harder to get the offsets) on adding compatibility for it, however the mentioned root tool is only prepared for XPERIA devices, since it disables RIC and does some other things that'd probably mess something up in a almost "AOSP" device. Once you run the binary, you get as a result an elevated shell, as root, so you can now mount the system as rw and add the supersu files in there (from lines 44 to 146, and from 169 to 181 in the install_tool.sh provided with EagleRootTool).
It's worth a try for the vk if you are up for it (anyways, we can move that discussion over to PM)
For the C5503 i have included the two requested files in the attached 7z. (XDA won't let me upload kallsyms.txt unless i zip it, tooo big)
rufy93 said:
It's worth a try for the vk if you are up for it (anyways, we can move that discussion over to PM)
For the C5503 i have included the two requested files in the attached 7z. (XDA won't let me upload kallsyms.txt unless i zip it, tooo big)
Added https://github.com/sergiocastell/iovyroot/blob/patch-1/jni/offsets.c#L285
C5502 is still remaining.
Check your PM.
Here I have c5502 (10.7.A.0.222)
Regards!
YOU MUST HAVE ROOT ACCESS TO PROCEED
THIS WILL NOT WORK IF YOU DON'T HAVE ROOT
A MINIMUM TEMPORARY SPACE OF 400MB ON YOUR INTERNAL STORAGE IS REQUIRED FOR THIS BACKUP PROCEDURE
THIS PROGRAM IS FOR PARTITIONS BACKUP PURPOSES AND NOTHING ELSE
Hello everyone,
After trial and error and keep trying with lot of errors finally got this puppy working, backups 19 Partitions from your device, i don't know if the A2017 (chinese variant) have the same partition table but as far as i know and have seen the A2017U and A2017G does have the same partition table which is awesome for any Rom developers to work on things or any dev.
Steps:
1- Download the zip file from here 1CLick_Partition_Backup_v0.1
2- Decompress anywhere you want (i prefer in the root of drive C: )
3- Make sure you have enabled USB debugging
4- Plug in your device
5- Double click 1click_PartitionBackup_by_DrakenFX.exe and watch the program run
6- When done your partition backup will be in your C:/a2017u_partitions_backup folder
7- DONE
This is just the beginning i may be adding more Options like Single backup or group backup.
NOTE 01 : I didn't add the system partition backup for the sole reason of been huge file 6gb at least and I can add system in future update as separate option.
NOTE 02 : I'm not a savvy when comes to dev. but if i can do something that can help other do things a little easier , i'll be around
Reserve 01
Reserve 02
Do we have any way to restore these backups after?
XblackdemonX said:
Do we have any way to restore these backups after?
There is a way using flashable zip via TWRP, but I'll look into for something else... I'm new to all this so still learning , fastboot is another way but I'll look into it
I had to disable windows defender in order to download this. It kept flagging it as malware. Just a heads up.
CandyFoxJ said:
I had to disable windows defender in order to download this. It kept flagging it as malware. Just a heads up.
Really? I assure you there's no malware or anything malicious in this file.... I have downloaded it and my Windows doesn't detect anything. (Win10 Latest Update)
I've seen it throw false positives before, I'm not worried about it. Probably the packer used in your app. This is what it picked up.
Since this is XDA after all, you should probably either post your source and/or release it as a script/command list. It's not really security friendly to release a .exe that runs root commands. It could probably be run all as a batch command.
CandyFoxJ said:
I've seen it throw false positives before, I'm not worried about it. Probably the packer used in your app. This is what it picked up.
Could be cuz the commands it runs?
the zip file contains the following...
-adb.exe
-adbWinApi.dll
-adbWinUsbApi.dll
-1click_PartitionBackup_by_DrakenFX.exe
adb files needed just in case the user doesn't have adb install and these 3 files will do the job, Why sees it as Malware i really don't know but for command it have to Pull the Partitions out of the device.
---------- Post added at 09:06 PM ---------- Previous post was at 09:04 PM ----------
DrakenFX said:
YOU MUST HAVE ROOT ACCESS TO PROCEED
THIS WILL NOT WORK IF YOU DON'T HAVE ROOT
A MINIMUM TEMPORARY SPACE OF 400MB ON YOUR INTERNAL STORAGE IS REQUIRED FOR THIS BACKUP PROCEDURE
THIS PROGRAM IS FOR PARTITIONS BACKUP PURPOSES AND NOTHING ELSE
Hello everyone,
After trial and error and keep trying with lot of errors finally got this puppy working, backups 19 Partitions from your device, i don't know if the A2017 (chinese variant) have the same partition table but as far as i know and have seen the A2017U and A2017G does have the same partition table which is awesome for any Rom developers to work on things or any dev.
Steps:
1- Download the zip file from here 1CLick_Partition_Backup_v0.1
2- Decompress anywhere you want (i prefer in the root of drive C: )
3- Make sure you have enabled USB debugging
4- Plug in your device
5- Double click 1click_PartitionBackup_by_DrakenFX.exe and watch the program run
6- When done your partition backup will be in your C:/a2017u_partitions_backup folder
7- DONE
This is just the beginning i may be adding more Options like Single backup or group backup.
NOTE 01 : I didn't add the system partition backup for the sole reason of been huge file 6gb at least and I can add system in future update as separate option.
NOTE 02 : I'm not a savvy when comes to dev. but if i can do something that can help other do things a little easier , i'll be around
OMG!
This is nice!
But I'm running linux!
You make the script universal please.
Or I could write one myself...
manu7irl said:
OMG!
This is nice!
But I'm running linux!
You make the script universal please.
Or I could write one myself...
If I only knew how to do this in Java (universal) I'd do it in a flash, but I have no clue.... I'm creating a new file and maybe I'll do it as a .bat (you can look it up if I release it this way, with some choices and adding probably more partitions if I have missed any + a separate choice for system dump (it is way too big of a file)),
P.S. if you know java PM
DrakenFX said:
If I only knew how to do this in Java (universal) I'd do it in a flash, but I have no clue.... I'm creating a new file and maybe I'll do it as a .bat (you can look it up if I release it this way, with some choices and adding probably more partitions if I have missed any + a separate choice for system dump (it is way too big of a file)),
P.S. if you know java PM
Bat file is good for me...
You can check the partition list under
Code:
ls -al /dev/block/....
manu7irl said:
Bat file is good for me...
You can check the partition list under
Code:
ls -al /dev/block/....
Yeah I have the partition table by-name , just don't see the need of adding every single one but just the necessary ones (modem, Bluetooth, aboot, few more) and I'll add system in the next release.....
DrakenFX said:
There is a way using flashable zip via TWRP, but I'll look into for something else... I'm new to all this so still learning , fastboot is another way but I'll look into it
you could fire up twrp or any terminal app.
In twrp mode:
Just connect your device to your PC with adb installed.
Push the partition image you want to flash in /sdcard/ folder.
Code:
adb push [IMAGE.IMG] /sdcard/
then do:
From your PC, run first:
Code:
adb shell
Then do,
Code:
su
dd if=/sdcard/[IMAGE.IMG] of=/dev/block/bootdevice/by-name/[NAME OF IMAGE]
Example:
Code:
dd if=/sdcard/modem.bin of=/dev/block/bootdevice/by-name/modem
This will overwrite the chosen partition as dd works at a very low command level.
Do not try to flash recovery or boot or aboot through this if you are on locked bootloader. this will brick your device.
Do not try this at home if you don't know what you are doing, you may kill your neighbor's dog or worse the cat.
I made a script to backup any partition in our A7:
YOU HAVE TO BE ROOT, TO USE IT.
To run it simply push to the sdcard fire up adb shell to launch the script.
from the computer while connected to the A7 with usb debugging turned on
Code:
adb push PATH_to_the_script/full-backup.sh /sdcard
and
Code:
adb shell
su
cd /sdcard/
sh full-backup.sh
you will see a menu to choose which partition to backup.
As in the attachment.
enjoy, and please hit the thanks button.
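An added example (not from the thread and not the attached full-backup.sh): because dd overwrites the target without any checks, it helps to record a checksum when the backup is taken and to refuse a restore when the image has changed or is not exactly the size of the target. The function names and the `.sha256` sidecar file are assumptions, `sha256sum` and `blockdev` are assumed to be available in the shell used, and regular files can stand in for partitions when trying it out.

```shell
#!/bin/sh
# Added illustration: checksum-verified partition backup and a pre-restore check.
# Names and the "<image>.sha256" sidecar convention are assumptions.

# size_of PATH -> size in bytes, for block devices and regular files alike.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# sha_of PATH -> hex SHA-256 of the file or device contents.
sha_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# backup_part SRC DEST
# Copies SRC to DEST with dd, re-reads SRC to confirm the copy is
# byte-identical, then stores the checksum in DEST.sha256.
# Returns 1 if dd fails, 2 if the copy does not match the source
# (which can also happen when SRC is modified while it is being read).
backup_part() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=4096 2>/dev/null || return 1
    sum=$(sha_of "$dest")
    [ "$sum" = "$(sha_of "$src")" ] || return 2
    printf '%s\n' "$sum" > "$dest.sha256"
}

# check_restore IMAGE TARGET
# Prints "ok" and returns 0 only when IMAGE still matches its recorded
# checksum and is exactly as large as TARGET; otherwise prints the reason
# and returns 1. It never writes to TARGET.
check_restore() {
    img=$1
    target=$2
    [ -f "$img.sha256" ] || { echo "no-checksum"; return 1; }
    want=$(cat "$img.sha256")
    have=$(sha_of "$img")
    [ "$want" = "$have" ] || { echo "checksum-mismatch"; return 1; }
    [ "$(size_of "$img")" = "$(size_of "$target")" ] || { echo "size-mismatch"; return 1; }
    echo "ok"
}

# Typical use on the device, as root (paths follow the thread's examples):
#   backup_part /dev/block/bootdevice/by-name/modem /sdcard/modem.bin
#   check_restore /sdcard/modem.bin /dev/block/bootdevice/by-name/modem \
#       && dd if=/sdcard/modem.bin of=/dev/block/bootdevice/by-name/modem
```

Copy the `.sha256` file off the device together with the image, so a transfer that corrupts the image is caught before it is written back.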
Hi all..
I've been reading the forum here for a few days , trying to follow the instructions to install modpunk's LINEAGE 17.1 for my Sony Xperia compact XZ 1. I' ve recently switched for IOS, I'm a quite total noob in programming and Android, but not totally bad at understanding and following instructions Thank for your help.
From what I've read here I need to fulfill some operations (I'm on Mac OS 10.11 and latest build 47.2.A.11.228):
- Put the latest xperia stock firmware on my phone (DONE)
- Unlock Developers mode , USB debug and OEM unlock ) ( DONE)
- Unlock the Bootloader , via the Sony.developers instructions ( HARDLY DONE but not sure)
- Save / Backup DRM keys ( UNDONE)
- Install ADB and Fastboot tools (DONE but unable to get the ADB DEVICES command functioning, even with the phone connected in fastboot mode (blue LED / black screen))
- Use Terminal and ADB / Fastboot to flash TWRP (problems getting Terminal to work; I get "-bash: adb: command not found" or for Fastboot "-bash: fastboot: command not found") (UNDONE, big problems using ADB and Fastboot, trying to learn TERMINAL commands)
- use TWRP recovery for make a full backup of my device "in case of" (UNDONE)
- Flash the Lineage OS and workaround the possible DRM, camera and gps issues
Am I on a good To-Do list? Can I have more detailed information here for a step by step start (how to get ADB / Fastboot tools working / back up DRM)? Thanks a lot for your help, I know it's a shame but I've really tried to follow the instructions here and there, and stay blocked at the FASTBOOT "adb devices" "fastboot" command not working
Thx and have a nice day
EDIT : https://forum.xda-developers.com/showpost.php?p=78255334&postcount=382 I'll begin with this full pdf guide but is this ok to start with the .228 last firmware or do I have to downgrade ? Tx
seven hole said:
Hi all..
Am I on a good To-Do list? Can I have more detailed information here for a step by step start (how to get ADB / Fastboot tools working / back up DRM)? Thanks a lot for your help, I know it's a shame but I've really tried to follow the instructions here and there, and stay blocked at the FASTBOOT "adb devices" "fastboot" command not working
Thx and have a nice day
You need to start here first if you wish to backup your DRM keys - https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510
This should help you with ADB and Fastboot on a Mac - https://forum.xda-developers.com/showthread.php?t=1917237
Everything else then should fall into place.
Thx a lot i 'm gonna investigate this !
SXUsr said:
You need to start here first if you wish to backup your DRM keys - https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510
This should help you with ADB and Fastboot on a Mac - https://forum.xda-developers.com/showthread.php?t=1917237
Everything else then should fall into place.
SXUsr said:
/showthread.php?t=1917237
Everything else then should fall into place.
Tx Mister the Adb fastboot part seems to work !!! I can now talk with my phone thx a lot
I'm now trying to get the DRM with the thread you mention.. Do I need another tool to back up the DRM or is it all with adb ?
Thanks a lot
seven hole said:
Do I need another tool to backup the DRM or it's all with adb ?
All ADB.
SXUsr said:
You need to start here first if you wish to backup your DRM keys - https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510
This should help you with ADB and Fastboot on a Mac - https://forum.xda-developers.com/showthread.php?t=1917237
Everything else then should fall into place.
Sorry again, it seems that I need to flash an older firmware on my phone to save DRM keys... But the newsflasher procedure isn't available on Mac OS... I guess I would try to flash it manually ?
seven hole said:
Sorry again, it seems that I need to flash an older firmware on my phone to save the DRM keys... But the newflasher procedure isn't available on macOS... I guess I would try to flash it manually?
Use the Flashtool instead.
SXUsr said:
Use the Flashtool instead.
Unfortunately the latest version of Flashtool (Androxyde) from flashtool.net doesn't work. The .dmg file doesn't mount. Looks like a corrupted download... Gonna find a PC and newflasher. Thanks for your help SXUsr.
seven hole said:
Thanks for your help SXUsr.
No problem. :good:
EDIT: Downgrade successful with another firmware (47.1.A.8.49_CE1) proposed by @j4nn
Continuing the process.
Hello all :8) I'm still trying to save the DRM keys of the XZ1c. I got a Windows 7 machine working, with all drivers and flashing drivers installed. ADB commands are responding. I'm trying to downgrade to get the renotools working and save the DRM keys.
- Debug mode and OEM unlock allowed on the phone with the ultimate .228 firmware.
But newflasher v20 stops installing the 47.1.A.2324_CE1 firmware (from the link in @j4nn's detailed instructions in the thread
https://forum.xda-developers.com/xp...devonly-exploits-temp-root-to-backup-t3795510 )
- I've put the newflasher app and tools in the root dir of the firmware, as said in the newflasher instructions.
- I've unzipped the "partition.zip", getting a "partition" folder in the same dir.
Then I started newflasher (after installing the GordonGate flashing drivers) with the phone in "flash" mode (green light after volume down button + USB cable plug-in).
I skipped all the optional steps, as I read in the newflasher thread. I've copied the log below.
I can't manage to flash the firmware... Luckily, the phone continues to boot on the .228 firmware after this...
- OTHER ASPECT: the @j4nn thread says I should remove the "persist" files from the folder to keep the attestation keys.
But I don't have exactly that file in the firmware folder, only a persist X-FLASH-ALL-C93B.sin file. Does that mean I should leave it in the folder, or is this an equivalent?
Thanks for your help and sorry for being such a noob at every step.
I put the newflasher log down here
--------------------------------------------------------
newflasher.exe v20 by Munjeni @ 2017/2019
--------------------------------------------------------
Determining available free space by GetDiskFreeSpaceEx:
Available space to caller = 175778 MB
Total space on current drive = 238372 MB
Free space on drive = 175778 MB
Optional step! Type 'y' and press ENTER if you need GordonGate flash driver, or
type 'n' to skip.
This creates GordonGate.7z archive in the same dir with newflasher.exe!
n
Device path: \\?\usb#vid_0fce&pid_b00b#5&9bdca0a&0&4#{a5dcbf10-6530-11d2-901f-00
c04fb951ed}
Class Description: Contr¶leurs de bus USB
Device Instance Id: USB\VID_0FCE&PID_B00B\5&9BDCA0A&0&4
Optional step! Type 'y' and press ENTER if you want dump trim area, or type 'n'
and press ENTER to skip.
Do in mind this doesn't dump drm key since sake authentifiction is need for that
!
n
Optional step! Type 'y' and press ENTER if you need to flash bootloader,bluetoot
h,dsp,modem,rdimage to booth a,b slots, or type 'n' to skip.
By default it is NOT flashed to booth slots, do on your own risk!
n
Product: G8441
Version: 0.4-SONY-0.31
Bootloader version: 1306-5035_X_Boot_MSM8998_LA2.0_P_114
Baseband version: 1307-7511_47.2.A.11.228
Serialno: BH906JGU9E
Secure: yes
Loader version: XFL-MSM8998-N-47
Phone ID: 0000:35835408206189
Device ID: 97CEE2D2
Platform ID: 2005E0E1
Max download size: 104857600
Sector size: 4096
Rooting status: ROOTABLE
Ufs info: SKhynix,H28U62301AMR,D003
Emmc info: FAILEmmc-info not supported
Default security: ON
Keystore counter: 2
Security state: 162509AE6B4B54D487F2496DDC4D4B6C6747A73B
Sake root: D159
S1 root: S1_Root_e69c
Root key hash: C30DEC2471CEA311E6918657367B51068A39583BBF89FD68B379BCD5A709AB1B
Slot count: 0
Current slot: F
Device is put now in flash mode.
Repartitioning...
partition_delivery.xml not exist in partition folder or no partition folder.
Processing partition-image-LUN0_X-FLASH-ALL-C93B.sin
- setting up infflate...
- infflating, please wait...
- infflate returned: 0
- gzpipe: ok.
- gunziped ok.
- Extracting from partition-image-LUN0_X-FLASH-ALL-C93B.sin
- Extracting signature 0.cms
- Uploading signature C:\Users\moi\Desktop\xperia\G8441_47.1.A.2.324_CE1\partit
ion\0.cms
signature:0000053e
OKAY.
- Extracting sparse chunk 0.000
- Uploading sparse chunk C:\Users\moi\Desktop\xperia\G8441_47.1.A.2.324_CE1\par
tition\0.000
download:00006000
OKAY.
Repartition:0
OKAY.
- End of partition-image-LUN0_X-FLASH-ALL-C93B.sin
Processing partition-image-LUN1_X-FLASH-ALL-C93B.sin
- setting up infflate...
- infflating, please wait...
- infflate returned: 0
- gzpipe: ok.
- gunziped ok.
- Extracting from partition-image-LUN1_X-FLASH-ALL-C93B.sin
- Extracting signature 1.cms
- Uploading signature C:\Users\moi\Desktop\xperia\G8441_47.1.A.2.324_CE1\partit
ion\1.cms
signature:0000053e
OKAY.
- Extracting sparse chunk 1.000
- Uploading sparse chunk C:\Users\moi\Desktop\xperia\G8441_47.1.A.2.324_CE1\par
tition\1.000
download:00006000
OKAY.
Repartition:1
OKAY.
- End of partition-image-LUN1_X-FLASH-ALL-C93B.sin
Processing partition-image-LUN2_X-FLASH-ALL-C93B.sin
- setting up infflate...
- infflating, please wait...
- infflate returned: 0
- gzpipe: ok.
- gunziped ok.
- Extracting from partition-image-LUN2_X-FLASH-ALL-C93B.sin
- Extracting signature 2.cms
- Uploading signature C:\Users\moi\Desktop\xperia\G8441_47.1.A.2.324_CE1\partit
ion\2.cms
signature:0000053e
OKAY.
- Extracting sparse chunk 2.000
- Uploading sparse chunk C:\Users\moi\Desktop\xperia\G8441_47.1.A.2.324_CE1\par
tition\2.000
download:00006000
OKAY.
Repartition:2
OKAY.
- End of partition-image-LUN2_X-FLASH-ALL-C93B.sin
Processing .sin files...
Using existing folder flash_session
Processing ._adspso_X-FLASH-ALL-C93B.sin
- Extracting from ._adspso_X-FLASH-ALL-C93B.sin
- Checksum failure
Device is put now out of flash mode.
Sent command: Sync
End. You can disconnect your device when you close newflasher.exe
seven hole said:
But I don't have exactly that file in the firmware folder, only a persist X-FLASH-ALL-C93B.sin file. Does that mean I should leave it in the folder, or is this an equivalent?
....
I put the newflasher log down here
....
Processing partition-image-LUN0_X-FLASH-ALL-C93B.sin
If you're using newflasher, then you need to remove the persist.sin file, as you don't have one, along with the above underlined, I'm guessing you've downloaded XZ1 FW and not XZ1C, as I've never seen LUN0_ whenever I've flashed FW.
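Added example, not part of any post in this thread and not newflasher's own code: a small triage of a newflasher console log like the one posted above. It reports the two conditions visible in that log (the missing partition_delivery.xml notice and the checksum failure) and also marks any processed file whose name begins with `._`, the prefix macOS uses for AppleDouble metadata sidecars, or with `persist`; the function name and finding labels are assumptions.

```python
import re

# Constructed excerpt: lines copied from the newflasher v20 log posted above.
SAMPLE_LOG = """\
partition_delivery.xml not exist in partition folder or no partition folder.
Processing partition-image-LUN0_X-FLASH-ALL-C93B.sin
- Extracting from partition-image-LUN0_X-FLASH-ALL-C93B.sin
OKAY.
- End of partition-image-LUN0_X-FLASH-ALL-C93B.sin
Processing .sin files...
Processing ._adspso_X-FLASH-ALL-C93B.sin
- Extracting from ._adspso_X-FLASH-ALL-C93B.sin
- Checksum failure
Device is put now out of flash mode.
"""

# Matches "Processing <name>.sin" but not the banner "Processing .sin files..."
PROCESSING = re.compile(r"^Processing (\S+\.sin)\s*$")


def triage(log_text):
    """Return (processed_files, findings) for a newflasher console log."""
    processed, findings, current = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROCESSING.match(line)
        if m:
            current = m.group(1)
            processed.append(current)
            # "._name" is the AppleDouble sidecar macOS writes next to "name"
            # on non-Apple filesystems: metadata, not a firmware image.
            if current.startswith("._"):
                findings.append(("appledouble", current))
            # The thread says "persist" images should be removed before flashing.
            if current.lower().startswith("persist"):
                findings.append(("persist-present", current))
        elif "partition_delivery.xml not exist" in line:
            findings.append(("no-partition-delivery", None))
        elif "checksum failure" in line.lower():
            findings.append(("checksum-failure", current))
    return processed, findings


if __name__ == "__main__":
    files, issues = triage(SAMPLE_LOG)
    print(f"{len(files)} .sin files processed")
    for kind, name in issues:
        print(f"{kind}: {name or '-'}")
```

On the excerpt, the file that fails its checksum is the same one flagged as an AppleDouble sidecar, so a firmware folder that has passed through a Mac is worth checking for `._*` entries before flashing.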
After saving the DRM keys, unlocking the bootloader and restoring the TA partition, I have two problems:
- Battery charge indicator says 20%, even though I fully charged the battery...
- Battery health test says I have to change the battery (before downgrading it said good state)
And I have two unprovisioned keys, but the Android key says "provisioned" (screenshot 1);
all three keys were provisioned before the bootloader unlock and DRM restore (screenshot 2).
Now I'll try to fix this. Thanks for all the support I got, and for any hint.
SXUsr said:
If you're using newflasher, then you need to remove the persist.sin file, as you don't have one, along with the above underlined, I'm guessing you've downloaded XZ1 FW and not XZ1C, as I've never seen LUN0_ whenever I've flashed FW.
Thanks SXUsr, sorry I didn't see your answer until now. That should be the reason; it went better with flashing the other firmware (8.49).
Now I'm wondering whether I need to hide the bootloader if I want to put Lineage 17.1 on it.
Thanks for your support, c u soon
seven hole said:
Thanks SXUsr, sorry I didn't see your answer until now. That should be the reason; it went better with flashing the other firmware (8.49).
Was going to say, I've never encountered that issue before.
seven hole said:
Now I'm wondering whether I need to hide the bootloader if I want to put Lineage 17.1 on it.
No, hide bootloader kernels are for stock, Lineage has its own kernel.
SXUsr said:
Was going to say, I've never encountered that issue before.
No, hide bootloader kernels are for stock, Lineage has its own kernel.
As for the battery issue, it looks like it happened last night: I let it charge after the successful downgrade, and this morning it had the camera on, with a black screen because the lens was on the table, and the battery indicator at 20%... I hope the Lineage flash will make it better.
Cheers and thanks again and again SXUsr!! Now let's move to the TWRP / LOS struggle.
Battery problem fixed by several reboots. Fine!
Succeeded in installing LINEAGE 17!! Wonderful OS... 3 days of hard learning to manage it. I would like to say big big thanks to @SXUsr for his help, and to @j4nn and @modpunk for their precious release and detailed instructions!! Glad to join this community... now I can stop spamming this pro forum with my beginnings. Bye (until next question, maybe)
This is exactly what I want to do, too. However I am more keen on Lineage 16 which should be more stable than 17. What do you think?
I would like to have a fully functional secondary phone without google services.
And by the way, why do I need to back up the DRM keys if I heard that with Android 9 or above the camera still works on custom ROMs? Sorry if it is not true, I don't always visit the forums.
TheArt. said:
This is exactly what I want to do, too. However I am more keen on Lineage 16 which should be more stable than 17. What do you think?
I would like to have a fully functional secondary phone without google services.
And by the way, why do I need to back up the DRM keys if I heard that with Android 9 or above the camera still works on custom ROMs? Sorry if it is not true, I don't always visit the forums.
I am rocking Lineage OS 17.1 and it is quite stable, but 16 still had up to date security patches so it's really up to your preference in Android flavors. Although I believe GPS is better in 16.
About the DRM, that is correct. It is not needed for Lineage OS as it is fixed by the ROM. It is just in case you ever want to switch back to the stock rom and want a working camera. The process is not hard and only takes a couple minutes.
I personally followed the PDF guide in this post:
https://forum.xda-developers.com/showpost.php?p=78255334&postcount=382
It had screenshots and all the steps written down so it's quite easy to follow.
Hope this helps!
TheArt. said:
This is exactly what I want to do, too. However I am more keen on Lineage 16 which should be more stable than 17. What do you think?
I would like to have a fully functional secondary phone without google services.
And by the way, why do I need to back up the DRM keys if I heard that with Android 9 or above the camera still works on custom ROMs? Sorry if it is not true, I don't always visit the forums.
While LOS 17 has come a long way and is quite stable, I still prefer LOS 16, which seems to perform better for me. I also prefer Pie over Android 10.