Linux software development

Permanently rooting Android PIE without bootloader unlock - SONY XPERIA XZ1 Compact Verified Boot Bypass

Work in progress at xda - preview recordings of features implemented for xz1c:
  1. LOS16 with locked BL
    short preview of Lineage OS 16.0 booting instead of stock fw with still locked bootloader including magisk root
    announcing post on xda
  2. verified boot bypass:
    - fastboot-ing twrp
    - permanently flashing twrp as recovery
    - permanently rooting stock fw with magisk without unlocking bootloader
  3. LOS16 from sd card
    installing LOS16 as an alternate OS to sdcard for multiboot via recovery
  4. LOS16 instead of stock fw with locked BL
    dual booting two LOS16 installations, one replacing stock fw, the other from sd card
    replacing the 2nd LOS16 with twrp recovery being happy with just one LOS16 replacing stock fw with still locked bootloader
Playlist of all the above available here.

Vulnerability impact

This could be used to inject any software into a xperia phone, like remote root backdoor or some eavesdropping spyware.
An exploit may be implemented in a way that it could survive full firmware re-flash from computer or even system fota upgrade, including factory reset, making it very powerful.
If used with another temp (or remote) root exploit, this vulnerability may be leveraged without user noticing anything, so an attacker may do persistent changes even when bootloader is still locked with verified boot active.

Vulnerability scope

The proof of concept exploit is working with sony xperia xz1 compact phone.
It can be extended to support entire range of xperia phones running YOSHINO platform (qualcomm snapdragon 835) - XZ Premium, XZ1, XZ1 Compact (any of single/dual sim variants), including those that do not allow bootloader unlock as that is not needed.
First stage of the exploit has also been adapted for SONY XPERIA XZ2, as documented here and in following posts. That means the exploit could be extended to support entire TAMA platform, i.e. sony xperia XZ2/XZ3 (Compact/Dual/Premium) phones.
There is a chance that the exploit could be adapted to any recent xperia phone released since yoshino platform. It has not been checked/proved either way though.

What to do next

I am not sure if the exploit should be publicly released to allow rooting without bootloader unlock or if this should go the responsible disclosure way, considering the misuse risks.

Even though this exploit is very powerful, my ultimate goal is TrustZone code execution hopefully allowing to inject custom verified boot keys and bootloader re-lock.
Unfortunately I can spend less and less time working on this stuff, so I would appreciate help from other developers, particularly experienced with reverse engineering to help me find a hole to get into TrustZone / Qualcomm Secure Execution Environment (QSEE).
I have already some ideas for very promising TZ attack vectors.
Please contact me if you would like to help me with TrustZone exploit development.
Thank you.


https://github.com/j4nn/
xda-developers profile

Tools to backup Trim Area of xperia XZ1 compact

thread on xda with the tools development

Please note: I had to invest enormously lot of time to develop these tools, the code is extremely complex (more than 9000 lines of source code) and it was unbelievable hard to debug and get the timing usable.
It would be kind of you if you could consider donating here please:

Donate to Me

I would be happy to accept any donation to me as a form of gratitude in case the software helped you to backup your TA (drm keys) before bootloader unlocking.
Thanks.

About the tools

Acknowledgements to following xda users: