ROOT TWRP repack of the stock kernel with dm-verity and SONY Z5

Changelog:
  • V4.42 Added support for Z2 (Sirius) and TWRP fstab fix for leo and aries (thanks to waleedsq81)
  • V4.41 Fixed issue with Y/N choice on non-english Windows. Added support for Z3 (leo)
  • V4.4 Support for Z3+/Z4, Tablet Z2, Tablet Z3 and Tablet Z4 added (Z4 still has an issue with TWRP, but DRM fix works)
    SuperSU integration reworked in order to need less SELinux exceptions and to be more secure
    All tasks can now be individually selected. Therefore there is no separate DRM only script required
  • V4.31 Re-enabled Z5P (satsuki) and Z5C (suzuran) for TWRP and drmfix
  • V4.3 Support for older Lollipop added
    Script execution for Linux fixed
  • V4.24 Fix for a bug in the SuperSU integration in V4.23
  • V4.23 Fix for repacking 3rd party kernels (some permissions on custom directories were lost)
  • V4.22 Bugfix for readta (flash_dk reported unit not)
  • V4.21 Fix for the Linux binary of bootimg
  • V4.2 Updated TWRP to 3.0.2
  • V4.1
    Fix for Widevine (if you have your device key). Thanks a lot to goofnorf101 for testing
    unpackinitfs and makeinitfs in my bootimg tool now maintain date/time of files correctly
    Automatic SuperSU installation
  • V4.0
    Fix for older kernels (Lollipop)
    Binary for Linux (The older version had the ARM version packaged)
    Device is not stored in the kernel image anymore
    TWRP updated to version 3.0.1

FAQ - Please read
  • Is it possible to have root with a locked bootloader?
    Short answer: no
    Long answer: The locked bootloader only boots unmodified kernel packages signed by Sony, and the stock kernel only mounts an unmodified /system partition (dm-verity) -> no modification without unlocking
    So any change to the kernel (like this script) or to the system partition requires an unlocked bootloader
  • What is dm-verity?
    A hash tree over all blocks of a read-only filesystem partition. The kernel checks every block against it when the block is read, so a modified /system is detected instead of being silently booted
  • What is Sony RIC?
    Sony's kernel-level protection that prevents mounting the root filesystem or /system read/write
  • If you already unlocked the bootloader before, then at least the credentials will be restored, which reactivates things like X-Reality and camera de-noise
  • Why do I need to flash my device key?
    Without your device key only some functions can be reactivated, like X-Reality. Other functions like Widevine do not work without your device key.
  • How do I enter TWRP recovery?
    Restart your phone and press the volume key up as soon as the LED switches to yellow
  • I want to use a custom kernel with the DRM fix
    Just say "N" to all other options. Nevertheless be prepared for problems if the custom kernel does not match your Android version.
  • What should I do if there is an update to this script?
    First check if you really need to run this update by checking the changelog. E.g. if it says binary for Linux fixed and you are using Windows then probably you don't care. If you did not change your Android version then all you have to do is to update the kernel package with fastboot flash boot. If you do not use the automatic SuperSU integration then you have to reinstall SuperSU in TWRP.

This tool repacks an existing kernel package (usually the stock kernel) in order to make it rootable and adds TWRP recovery as well. Version 4 has been successfully tested with Lollipop (LP) and Marshmallow (MM).

In particular it addresses the following issues:
  • dm-verity: Android now uses dm-verity to verify the integrity of the system partition. Until you switch it off your phone won't boot after modifying /system
  • Sony RIC: RIC blocks write access to the system partition
  • DRM keys: After unlocking the bootloader your device key is wiped, which deactivates some functionality, e.g. X-Reality, denoise in the camera and so on.

As there has been some confusion I would like to point out one more time that you cannot run any kernel package which is not signed by Sony without unlocking the bootloader. So this works only with an unlocked bootloader.
There was a report that having SuperSU installed in the system partition may lead to a bootloop. Therefore you should first install the boot image created by this script and install SuperSU afterwards, as it will then use the system-less strategy.

In order to use these scripts you need the kernel boot image of your current firmware version. There are two different ways to obtain it:

Method1:
If you have a .ftf image, open it with a zip application (7-Zip, WinZip, Windows Compressed Folders) and extract kernel.sin. Afterwards use Flashtool -> Tools -> SIN Editor to extract the kernel. You should end up with the boot image with the extension .elf.

Method2:
Boot your favourite recovery and connect via
Code:
adb -d shell
In that shell on the phone, locate the boot partition and dump it:
Code:
find /dev -name boot
dd if=<boot partition path printed by find> of=/sdcard/kernel.img
Then copy it to your PC (from the PC side, not inside the adb shell):
Code:
adb pull /sdcard/kernel.img
Once you have the kernel image you are ready to use the script.
If you place SuperSU in the same directory (SuperSU*.zip, case sensitive) then it will also be installed automatically. I did all the tests with 2.71, but newer versions should work as well. Please be aware that you cannot update SuperSU from within the app; for a newer SuperSU version you need to rerun the script.

Code:
rootkernel <extracted kernel> boot.img
You are prompted for several choices:
  • Sony RIC is enabled. Disable?
    I prefer not to disable it in order to keep my phone more secure. Unfortunately there are a lot of bad guys in this world and SELinux and RIC still can save us if someone discovers a new kernel exploit.
    Sony RIC basically prevents mounting the /system partition for write. You can of course still modify it in recovery, but if you require write access to /system without entering recovery then you need to disable it.
  • Install TWRP recovery? Here you should say yes unless you are trying to patch a non-stock kernel, which comes already with a recovery
  • Install busybox? For security reasons I prefer not to install. In recovery you have it anyway. This choice is only available if you chose install TWRP
  • Found SuperSU-v....zip. Install? Integrates SuperSU. For this option to show up you have to place the SuperSU package into the same directory with the name SuperSU*.zip (case sensitive)
  • Install DRM fix? Installs the DRM fix. First it tries to use the device key which you flashed with flash_dk. If it does not exist it uses an alternative method which cannot fix everything (e.g. Widevine will not work, but X-reality, Camera denoise etc. will work)

Now put your phone into fastboot mode (hold Volume Up while connecting USB) and then run one of the following.
To test it without actually flashing it:
Code:
fastboot boot boot.img
For flashing it:
Code:
fastboot flash boot boot.img
If you managed to back up your TA partition before unlocking, you can reactivate your original device key as follows:
Code:
flash_dk <ta backup image>  DK.ftf
Flashing this file with Flashtool writes your device key to an alternative TA unit, from where the drmfix library picks it up.
This is a one-time task. It survives a complete reset of the phone or an Android system upgrade. The device key is only 16 bytes long, so it is correct that the resulting DK.ftf is only approx. 500 bytes in size.

Some background information:
There are two main tools involved (for both Android and Windows):
- busybox
Probably everyone knows it

- bootimg
A multicall binary with several tools for unpacking and packing the boot image as well as adapting the SELinux policy. Part of the code was written by me from scratch, other parts are cherry-picked from other projects. I will also provide the source for it. As Windows doesn't have symlinks, I modified the tools for unpacking and packing the init ramdisk to write text files with __lnk__ at the end of the name instead.
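To make the __lnk__ convention concrete, here is an added example of unpacking a newc-format cpio init ramdisk into a symlink-free tree and packing it back. It is my own minimal Python implementation, not the bootimg tool's code; only the "<name>__lnk__ text file holding the link target" convention comes from the post, the cpio handling, the field layout and the miniature ramdisk (a directory, a regular file and an sbin/sh -> /sbin/busybox symlink) are constructed for the example.

```python
# Added example (not the bootimg tool's own code): an init ramdisk is a newc
# cpio archive; on a filesystem without symlinks every symlink entry is
# written as a regular text file <name>__lnk__ whose content is the target,
# and turned back into a symlink entry when the ramdisk is packed again.
MAGIC = b"070701"           # newc cpio header magic
S_IFMT, S_IFLNK, S_IFREG, S_IFDIR = 0o170000, 0o120000, 0o100000, 0o040000
LNK_SUFFIX = "__lnk__"


def _pad4(n):
    return (-n) % 4


def cpio_pack(entries):
    """entries: list of (name, mode, data); a symlink's data is its target path."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        nlink = 2 if (mode & S_IFMT) == S_IFDIR else 1
        # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
        fields = [ino, mode, 0, 0, nlink, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
        out += MAGIC + "".join(f"{f:08x}" for f in fields).encode()
        out += name.encode() + b"\0" + b"\0" * _pad4(110 + len(name) + 1)  # header+name to 4-byte boundary
        out += data + b"\0" * _pad4(len(data))                              # data to 4-byte boundary
    return bytes(out)


def cpio_unpack(blob):
    entries, pos = [], 0
    while True:
        if blob[pos:pos + 6] != MAGIC:
            raise ValueError(f"bad cpio magic at offset {pos}")
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        pos += 110
        name = blob[pos:pos + namesize - 1].decode()          # drop the terminating NUL
        pos += namesize + _pad4(110 + namesize)
        data = blob[pos:pos + size]
        pos += size + _pad4(size)
        if name == "TRAILER!!!":
            return entries
        entries.append((name, mode, data))


def to_tree(entries):
    """Symlink-free view {path: (mode, data)} suitable for a Windows checkout:
    a symlink becomes a regular file <path>__lnk__ whose content is the target."""
    tree = {}
    for name, mode, data in entries:
        if (mode & S_IFMT) == S_IFLNK:
            tree[name + LNK_SUFFIX] = (S_IFREG | (mode & 0o777), data)
        else:
            tree[name] = (mode, data)
    return tree


def from_tree(tree):
    """Inverse of to_tree: <path>__lnk__ files become symlink entries again."""
    entries = []
    for name, (mode, data) in tree.items():
        if name.endswith(LNK_SUFFIX):
            entries.append((name[:-len(LNK_SUFFIX)], S_IFLNK | 0o777, data))
        else:
            entries.append((name, mode, data))
    return entries


# Constructed miniature ramdisk: a config file, a directory, a binary and a
# symlink (sbin/sh -> /sbin/busybox), as a busybox-style ramdisk would have.
SAMPLE = [
    ("init.rc", S_IFREG | 0o750, b"on init\n    write /proc/sys/kernel/panic 0\n"),
    ("sbin", S_IFDIR | 0o755, b""),
    ("sbin/busybox", S_IFREG | 0o755, b"\x7fELF...constructed placeholder"),
    ("sbin/sh", S_IFLNK | 0o777, b"/sbin/busybox"),
]


def roundtrip(entries=SAMPLE):
    """unpack -> symlink-free tree -> pack -> unpack must reproduce the entries."""
    tree = to_tree(cpio_unpack(cpio_pack(entries)))
    return cpio_unpack(cpio_pack(from_tree(tree))), tree


if __name__ == "__main__":
    packed, tree = roundtrip()
    print(sorted(tree))            # ['init.rc', 'sbin', 'sbin/busybox', 'sbin/sh__lnk__']
    print(packed == SAMPLE)        # True
```

The point to check when you patch a ramdisk this way is that the __lnk__ file is created with a regular-file mode and only the target string as content; if an editor adds a trailing newline to it, the repacked symlink target becomes "/sbin/busybox\n" and the link is dead on the device.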
