Sony Z5 Compact: Root without losing TA partition (DRM features) on Marshmallow

I've spent too long on Android without root access and it really bothers me. I need it!

Feeling imprisoned by my own Android OS... I did not sign up for iOS!

Overview

  • In order to back up the TA partition (where the DRM keys are stored) we need temporary root access via the iovyroot exploit, which is only available on a Lollipop build. This part is optional if you don't care about that functionality.
  • Once that's done, you can unlock the bootloader. Doing so wipes the TA partition.
  • Upgrade to Marshmallow
  • We then trick the kernel into thinking it's still locked, giving us both root access and access to DRM-locked features.
  • Optionally, for completion we can also partially restore DRM keys from the TA backup.
  • Having your TA backed up correctly prevents any issues if you want to keep your DRM features such as camera optimisations.

Before starting, make sure you have:

  • enabled USB debugging via Developer mode
  • backed everything up. It's going to get wiped!

Before starting

We have to make sure that this process is actually possible with your device.

  • Open the dialler and enter *#*#7378423#*#* to access the service menu.
  • Go to Service info > Configuration > Rooting Status
  • If "Bootloader unlock allowed" says Yes, then you can continue with this tutorial.
  • If it says No or if the status is missing, then your device cannot be unlocked. Good luck.

Note: If it says "allowed" it means you CAN unlock your device. It does NOT mean your device IS unlocked.

While we're here, make a note of your IMEI number. You'll need it later.


Downloads

Downgrade to Lollipop

(Optional if you don't care about the DRM keys)

If you're already on Marshmallow, then I'm afraid you need to downgrade back to Lollipop (and in the process wipe everything). Make a backup using the Sony PC Companion before doing so.

  • Download Flashtool and install it
  • Download firmware (It's Aussie firmware, but we only need it for a short amount of time so it'll do) and put it into %USERPROFILE%\.flashTool\firmwares
  • Start Flashtool
  • Click on the lightning bolt icon
  • Select "Flashmode"
  • Select the Lollipop firmware (32.0.A.6.200) and select the wipe options APPS_LOG, DIAG and USERDATA. Otherwise things will crash a lot and you won't get into the phone properly. Trust me, I've tried.
  • Turn off the phone.
  • Wait for Flashtool to finish preparing the files.
  • When prompted, hold "volume DOWN" button while plugging in the USB.
  • Wait for it to finish. Don't trust the progress bar! Make sure it's finished by reading the text. It will tell you when to disconnect and restart.

Backing up the TA partitions

(Optional if you didn't bother downgrading to Lollipop)

Now that you're on Lollipop, you can use iovyroot. With this we can gain temporary root access and dump the TA partition to a file. This file is what we use to restore the DRM keys to your device after it's been wiped by unlocking the bootloader.

Extract iovyroot_v0.4.zip and run "tabackup.bat"

Once it's done, you should have a TA-####.img file with a name that looks something like "TA-16042016.img" and is approximately 2 MB in size. That's your TA backup done and dusted!

Keep it safe somewhere.
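Before unlocking the bootloader (which wipes the real TA partition), it is worth checking that the dump is not a failed read. The following script is an added example, not part of the original guide or of iovyroot: it assumes a roughly 2 MiB dump (the guide says "approximately 2mb") and treats a file that is almost entirely 0x00 or 0xFF as a failed dump, then records a SHA-256 so the backup can be verified later before it is fed to flash_dk.

```python
# Added example (not from the original guide or iovyroot): sanity-check a TA dump
# and record its SHA-256 before the bootloader unlock wipes the real partition.
# Assumptions: dump size is ~2 MiB (the guide says "approximately 2mb"); a dump
# made up almost entirely of 0x00 or 0xFF bytes is treated as a failed read.
import hashlib
import sys

EXPECTED_SIZE = 2 * 1024 * 1024      # 2 MiB, assumed from "approximately 2mb"
SIZE_TOLERANCE = 64 * 1024           # allow small deviations in dump size
MAX_FILLER_FRACTION = 0.999          # heuristic: >99.9% one filler byte => empty dump


def analyze_ta_image(data: bytes) -> dict:
    """Return size, SHA-256 and filler statistics for a TA dump, plus a verdict."""
    # Erased flash reads as 0xFF and a failed dump often reads as 0x00, so
    # measure how much of the file is made up of the dominant filler byte.
    filler = max(data.count(0x00), data.count(0xFF))
    filler_fraction = filler / len(data) if data else 1.0
    size_ok = abs(len(data) - EXPECTED_SIZE) <= SIZE_TOLERANCE
    content_ok = filler_fraction < MAX_FILLER_FRACTION
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "filler_fraction": filler_fraction,
        "size_ok": size_ok,
        "content_ok": content_ok,
        "looks_valid": size_ok and content_ok,
    }


def check_ta_backup(path: str) -> dict:
    """Read TA-####.img, analyze it and, if it looks valid, write a .sha256 sidecar."""
    with open(path, "rb") as f:
        data = f.read()
    result = analyze_ta_image(data)
    if result["looks_valid"]:
        # Sidecar in the same format as `sha256sum`, for checking the copy later.
        with open(path + ".sha256", "w") as f:
            f.write(f"{result['sha256']}  {path}\n")
    return result


if __name__ == "__main__":
    # Usage: python check_ta.py TA-16042016.img
    verdict = check_ta_backup(sys.argv[1])
    for key, value in verdict.items():
        print(f"{key}: {value}")
    sys.exit(0 if verdict["looks_valid"] else 1)
```

Verify the copy you keep "somewhere safe" against the sidecar before relying on it in the DRM restore step.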

Unlocking your bootloader

  • Go to Settings > Developer options
  • Tick "Enable OEM unlock"
  • Open up a browser on your computer and follow the instructions at Sony's developer website. You'll need to provide your email in order to continue. Mine got caught in junk mail so be sure to check that.
  • After receiving your email, entering your IMEI number and accepting some user conditions will provide you with an unlock code.
  • This is the point where I remind you again...

BACK UP WHAT YOU NEED NOW. There's no turning back after this!

  • Turn off your phone.
  • In Flashtool, click on "BLU"
  • Hold "volume DOWN" on your phone and plug it into the computer.
  • When prompted, release volume down and unplug.
  • Hold volume UP and plug it back in.
  • You should now get a dialog which lets you enter an unlock code.
  • Paste in the unlock code and click "Unlock".
  • Wait for the phone to finish doing its thing and restart.
  • Your phone is now wiped clean so you'll need to go through an initial setup again.
  • Checking the service status again should now say "Bootloader unlocked: Yes".

Upgrading to Marshmallow

(optional if you're already on Marshmallow)

At this point you can either download the firmware I provided (if you're Australian) or download the right one for your region.

If you're not an awesome Australian, then you'll need to download your own firmware.

  • Using FlashTool, click on the "XF" icon to launch "XperiFirm"
  • This lets you search for firmware files for your device.
  • Look for "Xperia Z5 Compact" and then your model. In my case E5823 (check your phone under Settings > About > Model)
  • Select the region you want (Customised AU means generic unbranded firmware for Australia)
  • Select the firmware on the right, shown as highlighted.
  • Click download.


  • Close the downloader when it's done unpacking.
  • It will take some time to repackage the firmware files into an FTF file. This is what we use to re-flash your phone with stock firmware. It also contains the kernel file you need for the next part of the tutorial.
  • Now turn off your phone.
  • In Flashtool > Lightning bolt icon > Flashmode
  • Select the Marshmallow upgrade (32.1.A.1.185)
  • Wait for it to prepare the files.
  • When prompted, hold volume DOWN on phone, plug it in.
  • Wait until it's done. Restart and ensure the phone is working.

Rooting your Z5 Compact

Now for the main course. This is why you're here.

  • Open your Marshmallow FTF file using Winrar or 7-zip and extract out "kernel.sin".
  • In FlashTool > Tools > Sin Editor, open up "kernel.sin" and click "Extract"
  • This will give you "kernel.elf"
  • Extract the files from "rootkernel_v4.22_Windows_Linux.zip" into a folder whose path contains no spaces (i.e. not your desktop or Program Files).
  • Copy "UPDATE-SuperSU-v2.65-####.zip" into the rootkernel folder and rename so it becomes "SuperSU-v2.65-####.zip"
  • Open a command prompt in the rootkernel folder and type in "rootkernel kernel.elf kernel_patched.elf". This process deactivates Sony RIC, removes dm-verity, adds TWRP and applies the DRM fix.
  • Ensure that the SuperSU service was added by scanning the output for "Adding service entry for SuperSU".
  • If you come across this error, it means you did it on a Lollipop kernel.

- Found SuperSU-v2.65-20151226141550.zip
  Adding service entry for SuperSU
source type fsck does not exist
Could not add rule for perm: dac_override
source type fsck does not exist
Could not add rule for perm: write
source type fsck does not exist
Could not add rule for perm: create

I don't know how to fix it, but I'm pretty sure the author of rootkernel isn't bothered to fix it either.

  • Now that you have your patched kernel, it's time to flash it using Flashtool!
  • Turn off your phone.
  • Flashtool > Lightning bolt icon > Fastboot
  • Now we've got a lot of options! Click "Select kernel to Flash"


  • Hold the volume UP button and plug in your phone.
  • When the Kernel Chooser dialog appears, click on the "*.sin" dropdown to change it to "*.elf", then select "kernel_patched.elf".


  • It should finish pretty quickly with something like "Please check the log before rebooting into system".
  • If everything went well, unplug and turn on your phone.
  • The device should now have the SuperSU app installed.
  • Checking unlock status should now say "Bootloader unlock allowed: Yes" again.
  • Download and test Titanium Backup. You should be prompted to give root access on start.
  • Turn your phone off completely and then on again to make sure root status persists.
  • Now you can enjoy your... well, EVERYTHING!

Restoring the DRM keys

(optional, I guess?)

This is for the perfectionists and completionists. If you can't stand the thought of being at 99% and absolutely NEED to have that 100% completion then follow me.

  • Copy your TA partition backup to the rootkernel folder.
  • Open up a command prompt to the rootkernel folder and type in the following:

flash_dk TA-####.img restore-drm-keys.ftf

  • The script will spit out a new file called "restore-drm-keys.ftf".
  • Put this into "%USERPROFILE%\.flashTool\firmwares\" (the same folder you used for the Lollipop firmware).
  • In Flashtool, click on the lightning bolt icon
  • Select flashmode
  • Select "DeviceKey" and click Flash
  • Hold "volume DOWN" and plug in USB cable.
  • Unplug and restart phone when instructed (read the activity log)

This new restored TA partition should persist across device wipes and Android upgrades.

Well, that's the end of that! We sure showed Sony who's boss!


Donations

Big props go to zxz0O0 for making the TA backup easy to use and tobias.waldvogel for the DRM restoration patch. I've linked to their donation pages so please donate for their amazing work.

If you thought this guide was helpful then please feel free to donate to me too! (link is on the right)

Copyright © Twig's Tech Tips