Linux software development
Permanently rooting Android PIE without bootloader unlock - SONY XPERIA XZ1 Compact Verified Boot Bypass
Work in progress at xda - preview recordings of features implemented for xz1c:
- LOS16 with locked BL
short preview of Lineage OS 16.0 booting instead of stock fw with still locked bootloader including magisk root
announcing post on xda
- verified boot bypass:
- fastboot-ing twrp
- permanently flashing twrp as recovery
- permanently rooting stock fw with magisk without unlocking bootloader
- LOS16 from sd card
installing LOS16 as an alternate OS to sdcard for multiboot via recovery
- LOS16 instead of stock fw with locked BL
dual booting two LOS16 installations, one replacing stock fw, the other from sd card
replacing the 2nd LOS16 with twrp recovery being happy with just one LOS16 replacing stock fw with still locked bootloader
Playlist of all the above available here.
Vulnerability impact
This could be used to inject any software into a xperia phone, like remote root backdoor or some eavesdropping spyware.
An exploit may be implemented in a way that it could survive full firmware re-flash from computer or even system fota upgrade, including factory reset, making it very powerful.
If used with another temp (or remote) root exploit, this vulnerability may be leveraged without user noticing anything, so an attacker may do persistent changes even when bootloader is still locked with verified boot active.
Vulnerability scope
The proof of concept exploit is working with sony xperia xz1 compact phone.
It can be extended to support entire range of xperia phones running YOSHINO platform (qualcomm snapdragon 835) - XZ Premium, XZ1, XZ1 Compact (any of single/dual sim variants), including those that do not allow bootloader unlock as that is not needed.
First stage of the exploit has also been adapted for SONY XPERIA XZ2, as documented here and in following posts. That means the exploit could be extended to support entire TAMA platform, i.e. sony xperia XZ2/XZ3 (Compact/Dual/Premium) phones.
There is a chance that the exploit could be adapted to any recent xperia phone released since yoshino platform. It has not been checked/proved either way though.
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Even though this exploit is very powerful, my ultimate goal is TrustZone code execution hopefully allowing to inject custom verified boot keys and bootloader re-lock.
Unfortunately I can spend less and less time working on this stuff, so I would appreciate help from other developers, particularly experienced with reverse engineering to help me find a hole to get into TrustZone / Qualcomm Secure Execution Environment (QSEE).
I have already some ideas for very promising TZ attack vectors.
Please contact me if you would like to help me with TrustZone exploit development.
Thank you.
https://github.com/j4nn/
xda-developers profile
Tools to backup Trim Area of xperia XZ1 compact
thread on xda with the tools development
Please note: I had to invest enormously lot of time to develop these tools,
the code is extremely complex (more than 9000 lines of source code)
and it was unbelievable hard to debug and get the timing usable.
It would be kind of you if you could consider donating here please:
Donate to Me
I would be happy to accept any donation to me as a form of gratitude
in case the software helped you to backup your TA (drm keys) before
bootloader unlocking.
Thanks.
About the tools
- renosploit - rename/notify exploit to get kernelspace read/write, uses multiple vulnerabilities to overcome kaslr, pxn and pan mitigations of android oreo
- renotrap - helper application (rename/notify temp root app)
- renoshell - get temp root shell by use of kernel space read/write primitives provided by renosploit
- renoroot - a shell script to be started from adb, it starts the above tools to get temp root shell
Acknowledgements to following xda users:
- moofesr - for testing initial kernel builds until proper build procedure had been found, special thanks for his patience when all tests resulted with bootloop
- Raz0Rfail and moofesr - for testing timing of rename/notify vulnerability with patched kernel
- dosomder - for his iovyroot
- tramtrist - for initial testing of TA backup, unlock and restore, special thanks for exposing to risk of loosing drm if it did not work
- ThomasKing (not a user on xda) - for his black hat ksma presentation
- few other users in the thread on xda - for some other cve possibilities and ideas