Linux Software Development Projects by j4nn
Xperia ABL fastboot Exploit via CVE-2021-1931
The xperable fastboot exploit, supporting the Yoshino (Snapdragon 835) and Tama (Snapdragon SDM845) platforms, allows the bootloader to be unlocked and re-locked freely, even on phones where rooting is not allowed.
Supported phones are Sony Xperia XZ1c/XZ1/XZp and XZ2/XZ2c/XZ2p/XZ3 with many region specific variants.
With yoshino it is possible to "fastboot boot twrp.img" with a locked bootloader and working userdata decryption. Many other features are supported.
https://github.com/j4nn/xperable
xperable xda thread for yoshino, xperable xda thread for tama
video demonstrating xperable exploit use with XZ1c and with XZ2
TWRP for Sony Xperia XZ2/XZ2c/XZ2p/XZ3
twrp-3.7.1_12 for Sony Tama (SDM845) platform devices, supporting userdata decryption of recent Android versions.
xda thread
https://github.com/j4nn/android_device_sony_tama
https://sourceforge.net/projects/tama-testbuilds/
TWRP for Sony Xperia XZ1c/XZ1
twrp-3.7.1_12 for lilac and poplar_dsds devices.
This is a fork of whatawurst's TWRP, adding a fix for userdata decryption with recent Android versions.
Thank you and credits to @derf elot and @modpunk at xda.
xda forums post
https://github.com/whatawurst/android_device_sony_lilac/pull/64
https://github.com/j4nn/android_device_sony_lilac/tree/android-12.1
https://sourceforge.net/projects/yoshino-testbuilds
Temp Root Exploit via CVE-2020-0041 Including Temporary Magisk Setup
Temp Root Exploit via CVE-2019-2215 for Sony Xperia XZ1c/XZ1/XZp
Thread on xda with the exploit and scripts to set up temporary magisk:
[XZ1c/XZ1/XZp] temp root exploit via CVE-2019-2215 including magisk setup [Locked BL]
Source code for the exploit (bindershell) is available here:
https://github.com/j4nn/renoshell/tree/CVE-2019-2215
Permanently rooting Android PIE without bootloader unlock - Xperia XZ1c
Work in progress at xda - preview recordings of features implemented for the xz1c:
- LOS16 with locked BL
  - short preview of Lineage OS 16.0 booting instead of stock fw with still locked bootloader, including magisk root
  - announcing post on xda
- verified boot bypass:
  - fastboot-ing twrp
  - permanently flashing twrp as recovery
  - permanently rooting stock fw with magisk without unlocking bootloader
- LOS16 from sd card
  - installing LOS16 as an alternate OS to sdcard for multiboot via recovery
- LOS16 instead of stock fw with locked BL
  - dual booting two LOS16 installations, one replacing stock fw, the other from sd card
  - replacing the 2nd LOS16 with twrp recovery, keeping just one LOS16 replacing stock fw with still locked bootloader
Playlist of all the above available here.
more details about the vulnerability
Vulnerability impact
This could be used to inject any software into an Xperia phone, such as a remote root backdoor or eavesdropping spyware.
An exploit may be implemented in a way that survives a full firmware re-flash from a computer or even a system FOTA upgrade, including factory reset, making it very powerful.
If combined with another temp (or remote) root exploit, this vulnerability may be leveraged without the user noticing anything, so an attacker may make persistent changes even while the bootloader is still locked with verified boot active.
Vulnerability scope
The proof of concept exploit works with the Sony Xperia XZ1 Compact phone.
It can be extended to support the entire range of Xperia phones running the YOSHINO platform (Qualcomm Snapdragon 835) - XZ Premium, XZ1, XZ1 Compact (any of the single/dual sim variants), including those that do not allow bootloader unlock, as that is not needed.
The first stage of the exploit has also been adapted for the SONY XPERIA XZ2, as documented here and in the following posts. That means the exploit could be extended to support the entire TAMA platform, i.e. Sony Xperia XZ2/XZ3 (Compact/Dual/Premium) phones.
There is a chance that the exploit could be adapted to any recent Xperia phone released since the yoshino platform. It has not been checked/proved either way though.
What to do next
I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.
Even though this exploit is very powerful, my ultimate goal is TrustZone code execution, hopefully allowing injection of custom verified boot keys and bootloader re-lock.
Unfortunately I can spend less and less time working on this stuff, so I would appreciate help from other developers, particularly those experienced with reverse engineering, to help me find a hole to get into TrustZone / Qualcomm Secure Execution Environment (QSEE).
I already have some ideas for very promising TZ attack vectors.
Please contact me if you would like to help me with TrustZone exploit development.
Thank you.
https://github.com/j4nn/
xda-developers profile
Tools to Backup Trim Area of Sony Xperia XZ1c/XZ1/XZp
thread on xda with the tools development
The tools include my implementation of a temp root exploit leveraging CVE-2017-7533.
more details about the tools
About the tools
- renosploit - rename/notify exploit to get kernelspace read/write; uses multiple vulnerabilities to overcome the KASLR, PXN and PAN mitigations of Android Oreo
- renotrap - helper application (rename/notify temp root app)
- renoshell - gets a temp root shell by use of the kernel space read/write primitives provided by renosploit
- renoroot - a shell script to be started from adb; it starts the above tools to get a temp root shell
Acknowledgements to the following xda users:
- moofesr - for testing initial kernel builds until the proper build procedure had been found, special thanks for his patience when all tests resulted in a bootloop
- Raz0Rfail and moofesr - for testing timing of the rename/notify vulnerability with a patched kernel
- dosomder - for his iovyroot
- tramtrist - for initial testing of TA backup, unlock and restore, special thanks for exposing himself to the risk of losing DRM if it did not work
- ThomasKing (not a user on xda) - for his Black Hat KSMA presentation
- a few other users in the thread on xda - for some other CVE possibilities and ideas
Donations
If you like my work, maybe consider supporting me with a donation here:
https://j4nn.github.io/donate/
Thank you.