[Tutorial] A comprehensive rooting guide (for devices with locked bootloader)
Introduction
With every new release in the Xperia lineup, the story repeats: the device ships with the latest security fixes, a locked system partition and no root access. If you bought it from a retail store or without a contract, your device's bootloader can be unlocked and you can start messing with it (getting a custom recovery, gaining root access, etc.), but as a trade-off your DRM keys are gone and some stock apps/features stop working. Even worse, if you bought your device from a carrier or with a contract, it probably came with a permanently locked bootloader and there's nothing you can do about it.
However, no software is free of bugs; sooner or later an exploitable security bug appears and some talented developers may use it to get root access on locked devices. Now the time has come for the Xperia E3: the community has working exploits capable of getting root access on locked bootloaders, and this tutorial will help you achieve that. Let's get started!
Overview
First off, the Xperia E3 was released in several variants across the globe and the process differs a bit between them. From now on, we'll split the variants into two groups:
• If you have a D2202 or D2212, I'll refer to your device as the HSPA variant
• If you have a D2203, D2206 or D2243, I'll refer to it as the LTE variant
This guide is mainly aimed at HSPA variants, where the process involves downgrading to the initial firmware, running a modded version of giefroot and then using another tool (dd Flasher) to update to the latest firmware version without losing root access.
If you have an LTE variant, unfortunately, the modded version of giefroot we'll use to get root won't work, but thanks to @nortonex you can still get root with a slightly different process, involving cross-flashing an exploitable version of the Xperia M2 kernel to get root access, then reverting to the stock kernel and applying a patch to disable RIC protection (a Sony "feature" that prevents writing to the system partition even with root, similar to HTC's S-ON/S-OFF flags). So, if you have one of the LTE variants, follow his guide...
Requirements
To get root:
• Exploitable firmware (must be 18.4.B.1.20 -- region/market doesn't matter)
• FlashTool (0.9.18.4 or newer)
• Modded giefroot v3 (attached below)
To update to latest firmware after getting root:
• dd Flasher
• XperiFirm (optional)
Preparing the device
To start, we need to downgrade your device to the old 18.4.B.1.20 firmware, the only one exploitable by giefroot. If you need to, make a backup of your device's data first: your content will be wiped during the downgrade. You can also use any other FTF that matches your region/market as long as it's 18.4.B.1.20...
• If your device is powered on, turn it off and disconnect the USB cable (if connected) now. Then start FlashTool, click the Thunderbolt icon, choose Flash Mode and press OK

• If needed, click the "..." button and point FlashTool to the folder where you downloaded the FTF linked in the Requirements section of this tutorial. Then choose the firmware in the list, tick "No final verification" and "Reset customizations" and press Flash

• Wait until FlashTool prepares the FTF for flashing. When it's done, the screen below will appear. Now, with your device turned off, hold the Volume Down button and plug in the USB cable while holding the button. If you did it right, the notification LED will briefly flash green/red and FlashTool should start flashing the firmware

• After the flashing process finishes, close FlashTool, disconnect your device and turn it on. Remember that the first boot takes longer (5-10 minutes); that's normal.
Running the exploit
Now that your device is running the exploitable firmware version, let's set it up to run the exploit and get root access
On phone side:
• We need to "unlock" developer settings. You can do that by going to Settings => About phone and tapping "Build Number" 7 times
• Now go to Settings => Developer Options. Here, enable "Stay awake", "USB debugging" and "Allow mock locations", then disable "Verify apps over USB"
Now on computer side:
• Plug your device into the computer
• Extract the modded giefroot somewhere (it's attached at the end of this thread) and launch it by opening "install.bat" (or, if you're using Linux/Mac, run "install.sh" from a Terminal)
• On your device, a small popup about the ADB connection will appear; make sure you tick "always allow connection from this computer" and press OK
• From here, just wait until giefroot finishes. Your phone will reboot automatically; that's normal
Note: Sometimes you won't get root on the first attempt. That's normal; just run giefroot two or three more times and it'll eventually work
And that's it. Your device is now fully rooted; however, we're stuck on an older firmware version.
Update procedure
There's more than one way to upgrade to the latest firmware without losing root access and I'll try to explain all the methods I know. Before continuing, we'll regroup devices according to whether their bootloader can be unlocked (you can check your device's bootloader state by entering *#*#7378423#*#* in the Dialer, then going to Service info => Configuration)
If your device's bootloader is permanently locked (Bootloader Unlock Allowed: No), your only known option is dd Flasher (explained in the next chapter). If your device's bootloader is unlockable (Bootloader Unlock Allowed: Yes), you can also use the unlock/root/relock procedure, which involves backing up your TA partition with Backup TA, unlocking your bootloader, updating to the latest firmware normally (either with FlashTool or Sony PC Companion), flashing a custom recovery, installing SuperSU through it and then relocking your bootloader (restoring your DRM keys too) with the TA backup you took earlier.
I won't explain the unlock/root/relock procedure in detail since it's a little trickier and won't work for devices with a permanently locked bootloader, which are the main focus of this tutorial. However, I've attached a stripped-down version of giefroot which only installs the wp_mod kernel module, in order to disable write protection on the system partition. If you updated to the latest firmware with dd Flasher, there's no need to apply this patch; dd Flasher handles that for you automatically. I posted it mainly for advanced users who opt for the unlock/root/relock procedure and run into trouble when trying to write to the system partition...
Using dd Flasher
This chapter is a little longer and sometimes you need to take different routes, so it's split into smaller sections, with jump notes at the start of each section...
Downloading latest firmware
Note: if you already have an FTF of the latest firmware for your device, or if you prefer using XperiFirm to get the latest firmware, skip this section and go directly to "Preparing system image"
First off, we need to get an FTF of the latest available firmware for your device/market. Below I explain how to get it using FlashTool; you can also do that with XperiFirm or just download an FTF someone else has uploaded. I'm focusing on FlashTool here since it's the only option for people using Linux/Mac (forget that, apparently XperiFirm also works on Linux/Mac now)
• Open FlashTool and go to Devices => Check Updates. Then locate Xperia E3 in the list and double-click it

• Here, a small window with a tab for each variant will show up. Go to the tab that corresponds to your device's variant, then double-click the region/market matching your device to check the latest firmware version available in that region. After that, double-click it again so it starts downloading the firmware from Sony's servers

• After the download and decryption are finished, Bundle creator will open automatically (you can also open it manually through Tools => Bundle creator). Most of the info here will already be filled in; we only need to select all files present in the left panel and click the little arrow to move all of them to the right panel. After that, press "Create" and wait until bundle (FTF) creation is finished. Next we're going to extract system.ext4 (dd Flasher will need it); that's explained in the next section...

Preparing system image
Note: I'm assuming that you already have access to system.sin (and you do if you followed the instructions from the previous section to get your FTF). If you don't have access to system.sin, you can extract it directly from the FTF file by opening it with WinRAR/7-Zip or anything capable of extracting ZIP files (yes, FTFs are just regular ZIP files with a different extension)
At this point we have an FTF of the latest firmware; however, dd Flasher doesn't work with FTF files directly, only with raw partition dumps, so we'll extract one from the update now
• Open FlashTool and go to Tools => Sin Editor. In the small window that appears, click "..." and point it to system.sin, then press "Extract Data" (if you downloaded your firmware following the instructions from the previous section, a copy of system.sin will be located in C:\Users\<username>\.flashtool\firmwares\Downloads\D22xx_xxxxxxxxx_xxxxxx\decrypted)
• After extraction finishes, a new file named system.ext4 will be created in the same folder as system.sin. Extract dd Flasher somewhere and move system.ext4 to that folder. It must be named system.ext4 (rename it if necessary, otherwise dd Flasher will fail) and should sit next to dd_flasher.bat/dd_flasher.sh
Flashing new system image
Here's where the magic happens. First off, make sure FlashTool is closed, otherwise it'll interfere with the ADB connection and dd Flasher may fail. Then follow the procedure:
• Start dd Flasher by opening dd_flasher.bat (or, if you're on Linux, launch dd_flasher.sh from a Terminal -- sorry Mac users, dd Flasher isn't compatible with your OS yet)
• If everything is right, dd Flasher should ask where the system image should be pushed. Remember that the selected location must have enough free space to hold system.ext4 (and if you're pushing to the SD card, make sure the phone's connection mode is MTP, otherwise dd Flasher will fail)
• After you've selected the storage device, dd Flasher will do its work. Just wait until it's done; it'll take a while (about 10 minutes)
• After the process finishes, unplug your phone and turn it off using the Off switch found on the back, next to the SIM card (this step is very important!), and don't turn it on yet
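A pre-flight check for the "Preparing system image" and "Flashing new system image" steps above, added here as an example (it is not part of dd Flasher, giefroot or FlashTool): it confirms the FTF really is a ZIP, that system.ext4 sits next to dd_flasher.sh under exactly that name and carries an ext4 superblock, and that the destination folder has room for it, since a misnamed or truncated raw image is the easiest way to end up with a phone that won't boot. The adb check assumes the build number shown under About phone is exposed as the ro.build.id property; the sample files the script creates are constructed stand-ins, not real firmware.

```shell
#!/bin/sh
# Pre-flight checks before running dd Flasher (added example, not dd Flasher's own code).

EXPLOITABLE_BUILD="18.4.B.1.20"   # the only build giefroot works on (from the guide)

# Return 0 if $1 starts with the ZIP local-file header "PK\003\004" (FTFs are plain ZIPs).
is_zip() {
  [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "504b0304" ]
}

# Return 0 if $1 has an ext4 superblock: magic 0xEF53 at byte 1024+56 = 1080, little-endian.
is_ext4_image() {
  [ "$(od -An -tx1 -j1080 -N2 "$1" 2>/dev/null | tr -d ' \n')" = "53ef" ]
}

# system.ext4 must sit next to dd_flasher.sh under exactly that name and be a real ext4 dump.
check_system_image() {
  dir="$1"
  [ -f "$dir/dd_flasher.sh" ] || { echo "dd_flasher.sh not found in $dir" >&2; return 1; }
  [ -f "$dir/system.ext4" ] || { echo "system.ext4 missing in $dir (name must match exactly)" >&2; return 1; }
  is_ext4_image "$dir/system.ext4" || { echo "system.ext4 has no ext4 superblock; re-run Extract Data in Sin Editor" >&2; return 1; }
}

# Return 0 if directory $2 has at least as many free 1K blocks as image $1 occupies.
has_room_for() {
  need=$(( ( $(wc -c < "$1") + 1023 ) / 1024 ))
  avail=$(df -Pk "$2" | awk 'NR==2 {print $4}')
  [ "$avail" -ge "$need" ]
}

# Device side (needs adb on PATH and USB debugging enabled): confirm the phone still runs the
# exploitable build before launching giefroot. ASSUMPTION: the About-phone build number is
# exposed as the ro.build.id property on this device.
device_on_exploitable_build() {
  build=$(adb shell getprop ro.build.id 2>/dev/null | tr -d '\r\n')
  [ "$build" = "$EXPLOITABLE_BUILD" ]
}

# Constructed stand-ins for testing the checks offline: a 4-byte "FTF" holding only the ZIP
# header, a text file, and a 4 KiB zero image with only the ext4 magic written at offset 1080.
make_samples() {
  mkdir -p "$1"
  printf 'PK\003\004' > "$1/fake.ftf"
  printf 'not a zip' > "$1/notes.txt"
  dd if=/dev/zero of="$1/system.ext4" bs=1024 count=4 2>/dev/null
  printf '\123\357' | dd of="$1/system.ext4" bs=1 seek=1080 conv=notrunc 2>/dev/null
  : > "$1/dd_flasher.sh"
}

# Run every local check against a dd Flasher folder and an FTF; exit status says whether to proceed.
preflight() {
  dir="$1"; ftf="$2"
  is_zip "$ftf" || { echo "$ftf is not a ZIP/FTF" >&2; return 1; }
  check_system_image "$dir" || return 1
  has_room_for "$dir/system.ext4" "$dir" || { echo "not enough free space in $dir" >&2; return 1; }
  echo "pre-flight OK: $dir/system.ext4 is an ext4 image and $ftf is a valid FTF"
}

# Usage when run directly: ./preflight.sh <dd_flasher_dir> <firmware.ftf>
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
fi
```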
Flashing the remaining components from the FTF
This is the last step. In its current state your device has the system partition of the latest firmware version with the su binaries (for root access), but the kernel, modem, baseband, etc. are still from the old firmware version, and because of that it won't boot properly. Let's fix that:
• Start FlashTool, click the Thunderbolt icon, then choose Flash Mode and press OK

• If needed, click the "..." button and point FlashTool to the folder where you downloaded the FTF of the latest update. Then choose the firmware in the list, tick "Reset customizations" and make absolutely sure you also tick "SYSTEM" in the Exclude panel (if you forget to tick it, root will be lost and you'll need to start the whole tutorial again from the beginning). After double-checking, press Flash

• Wait until FlashTool prepares the FTF for flashing. When it's done, the screen below will appear. Now, with your device turned off, hold the Volume Down button and plug in the USB cable while holding the button. If you did it right, the notification LED will briefly flash green/red and FlashTool should start flashing the firmware

• After the flashing process finishes, close FlashTool, disconnect your device and turn it on. Remember that the first boot takes longer (5-10 minutes); that's normal.
And this is the end of the tutorial: your device will now be running the latest firmware version with full root access. Congratulations!
Credits, FAQ, etc
Kudos to @zxz0O0 for giefroot and his prompt and helpful collaboration in getting the Xperia E3 working with it. Kudos also to @MohammadAG for his modded wp_mod kernel module, which is used in giefroot and in the stripped-down RIC disabler attached below. I would also like to thank everyone from [Q] Root with locked bootloader? who helped directly or indirectly with this. And here's your FAQ:
• Images are broken. Fix it. NOW!
Yes, I know. I had some minor issues with them; I'm going to upload the fixed versions soon (and also get more images for some sections)
• The thread is messy. Clean it up ASAP!!!
Yes, I also know that. I should have posted this guide at least a week ago, but several personal problems kept me from posting it earlier. So, make do with this incomplete-but-somewhat-noob-friendly tutorial until I manage to finish it properly :p
xda-developers