Introduction

The first reason I am making this post is that I fully expected this rooting to be a lot harder: it took me only 3 hours to go from the first command I typed to a phone booting into the stock ROM with Magisk installed for root access. My personal gold standard of “having difficulties in the text-only world” is the 2 all-nighters I had to pull in high school trying to install Gentoo as my first non-Windows OS. It feels good sometimes to remember all the progress I’ve made. The other reason is that 3 hours is still a pretty long time, because I missed a few tips and tricks, and I want to store here what I found and learnt while doing this.

I had already rooted Android devices multiple times before, and one of the reasons I chose Sony as my preferred phone manufacturer is their pioneering in making AOSP and the bootloader available for everyone to tamper with (even if we still need to use dirty tricks here and there, especially concerning DRM keys). This time it was a little special because Oreo is a lot more secure than the last OS I tried to “crack” (which was probably KitKat).

Procedure

This procedure is basically a “long, annotated” version of this very good XDA Developers forum post, with a few personal additions.

Also, you will of course need to verify that the phone has an unlockable bootloader, and that you have enabled USB debugging (tap 7 times on your version number in the details page of the settings, then open the developer options and enable USB debugging).

Note that I started from the 34.4.A.2.107 France-customized OEM ROM on my device (Oreo 8.0), and that you’ll probably need 4 to 5 GB of disk space.

Importanter notes

I am not responsible if you brick any device using this operation log.

Also, keeping the original DRM keys of a Sony phone used to rely on exploiting the Dirty COW CVE in order to back up a special partition (the TA partition) that could be flashed back before sending the phone to Sony, so as to keep the warranty. This exploit only works up to Android Marshmallow as far as I understand, and I was not able to back up my TA partition this time. So you’ll definitely void your warranty if you do this.

Dependencies

Install software

Install all the dependencies you will need for the process.

  • For fastboot and adb, on Fedora I could just install the android-tools package.
  • Install FlashTool and download the DRM fix from the XDA forum page.
  • Find the Magisk and TWRP images you will flash later.
  • In Oreo, there’s also an option to explicitly allow the bootloader to be unlocked, on top of USB debugging. Do not forget to switch that one on too.

Backup data

This is also the time to back up all your data. I had no issue putting everything on my SD card (and leaving the SD card inside during the whole process), but unlocking the bootloader will wipe all the device memory, so be careful.

Not totally relevant here, but also write down your IMEI/MEID/IDID on a piece of paper so you can just turn off your phone and never boot it into system mode until it is rooted.

Important: from now on, none of the operations should be done with your phone booted into system mode, nor into recovery mode for a while. This means that each time I touched the power button or plugged the phone in from here, I held either the volume up or the volume down button at the same time to boot the phone into flashmode or fastboot. FlashTool is nice enough to always tell you how to access the relevant mode and waits for you to do the manipulation; Sony also has a quick cheatsheet.

(Optional) add udev rule so you don’t need privileges to run operations

There is a special group id on Linux which has the permissions to run the commands we want to run on our device (especially concerning fastboot). In order to run these without having to go through sudo, I followed the advice of this Stack Overflow answer, which boils down to pushing the following file into /etc/udev/rules.d/51-android.rules:

# Sony Xperia X Compact (Sony USB vendor id 0fce)
# MODE="0666" makes the device node accessible to every local user;
# MODE="0660" would restrict access to members of GROUP instead.
SUBSYSTEM=="usb", ATTR{idVendor}=="0fce", MODE="0666", GROUP="plugdev"

Then reload the udev rules, and fastboot should not be an issue anymore:

sudo udevadm control --reload-rules
sudo udevadm trigger

Download and preprocess the latest official firmware

FlashTool comes bundled with XperiFirm, which is a fetcher/downloader of images. Browsing this, I was able to download the latest ROM for my device.

Here we need to do some preprocessing which will be useful later: we need to patch the kernel (boot image) of this ROM to use it later in the process. To do so:

  • In FlashTool, use Tools -> SIN Extractor on kernel**.sin to obtain a kernel[...].elf file.
  • Use the rootkernel tool to create a boot.img (I answered yes to all questions) and keep this boot.img in a safe place (basically the same place where the twrp.img file is kept).

This is also when you can prepare the phone for its later recovery mode: the DRM_fix zip file and the Magisk zip file should be pushed onto the SD card which will be in the phone later, since we will flash these 2 files first thing in recovery.

No turning back past this point - Unlock your bootloader.

As stated earlier in the importanter notes, unlocking the bootloader voids your warranty and marks the phone for a full data wipe too, so in many respects this is the point where you cannot really go back.

Sony goes as far as to have a FAQ on their site where they specify that this is not a reversible operation. Once you go for Freedom, you can never go back.

Their website is pretty good though: following the instructions there will give you the correct key to pass to fastboot. 2 important remarks:

  • For some reason, the command they provide only works up to a certain version of the android-tools package; to make it work I just used fastboot oem unlock 0x<key>. I was not afraid of targeting the wrong device because only one was plugged in.
  • The key is case sensitive, and after one failed code, the bootloader setting in the “developer settings” of Android locks up again. This is the only situation where I powered up my phone in “normal mode”, to double check the IMEI and to toggle the bootloader unlocking setting back and forth.

The output of the fastboot oem unlock command is very clear about its success, so you should not continue past this point until you have your success.

Note that if the oem unlock command did not succeed, you basically did nothing to your phone, not even a tickle.

Flash the latest stock ROM

Once this preprocessing is done, you can use FlashTool to flash the vanilla stock ROM to your phone. This is when FlashTool calls the super-strong move Tabula Rasa on your phone.

Overwrite bootloader and recovery

This should be pretty self-explanatory; for these operations, the phone should be plugged in in fastboot mode:

# Here boot.img is the artifact produced by rootkernel from the kernel[...].elf
# file we extracted earlier
fastboot flash boot boot.img
fastboot flash recovery twrp[...].img
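As an added example that is not part of the original post, here is a small POSIX shell wrapper around this flash step. It makes explicit the two things the post relies on implicitly: that exactly one device is plugged in (so fastboot cannot target the wrong one, the concern raised about the oem unlock command above) and that the images being flashed are the boot.img and TWRP image prepared earlier and not a truncated download or a stray file with the same name. The file names boot.img and twrp.img, the checksum placeholders and the device serial used in the comments are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): guard the fastboot flash step.
# Assumptions: boot.img and twrp.img sit in the current directory and their
# SHA-256 sums were written down when they were produced; the sums below are
# placeholders to replace with your own.
set -eu

BOOT_SHA256="${BOOT_SHA256:-replace-with-sha256-of-boot.img}"
TWRP_SHA256="${TWRP_SHA256:-replace-with-sha256-of-twrp.img}"

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the serial of the single device listed in `fastboot devices` output
# (lines of the form "SERIAL<tab>fastboot"). The output is passed as an
# argument so the check can be exercised without a phone attached. Fails
# when zero or several devices are in fastboot mode, so a flash is never
# sent to the wrong device.
single_device_serial() {
    serials=$(printf '%s\n' "$1" | awk '$2 == "fastboot" { print $1 }')
    count=$(printf '%s\n' "$serials" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one device in fastboot mode, found $count" >&2
        return 1
    fi
    printf '%s\n' "$serials"
}

# Succeed only if the file exists, is non-empty and matches the recorded sum.
verify_image() {
    file=$1
    expected=$2
    if [ ! -s "$file" ]; then
        echo "$file is missing or empty" >&2
        return 1
    fi
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "$file: checksum mismatch (got $actual, expected $expected)" >&2
        return 1
    fi
}

# The flash step from the post, run only once both checks pass, with the
# serial passed explicitly (-s) instead of relying on a single device.
flash_images() {
    serial=$(single_device_serial "$(fastboot devices)")
    verify_image boot.img "$BOOT_SHA256"
    verify_image twrp.img "$TWRP_SHA256"
    fastboot -s "$serial" flash boot boot.img
    fastboot -s "$serial" flash recovery twrp.img
}

# Only touch the phone when explicitly asked: sh flash-guard.sh flash
if [ "${1-}" = "flash" ]; then
    flash_images
fi
```

Run it as `sh flash-guard.sh flash` once the phone is in fastboot mode; without the argument it only defines the functions, so it can be sourced to check a downloaded image by hand with `verify_image twrp.img <sum>` before going anywhere near the device.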

Boot into recovery

Normally, everything is now set up so that TWRP (or any recovery of your choice) will boot and work if you boot the phone in recovery mode.

It worked the first time for me (which was very surprising), so I could directly go to the next step.

DO NOT BOOT INTO SYSTEM MODE YET: the DRM keys are currently in a borked state; I did not make the mistake so I don’t know what would happen. I just continued on my way:

  • Flash the DRM_fix file. I had a lot of scary warnings I chose to ignore.
  • Flash the Magisk file. I had a lot of scary warnings I chose to ignore.

The scary warnings were about partitions the recovery did not have the right to mount. But at this point I was really committed (and ready to spend at least 5 or 6 more hours to get a working phone).

Reboot into System mode and pray

I was stuck in a bootloop when I started my phone again from TWRP. I sadly held the power button to shut it down and tried to reflash everything from the stock ROM (to test that the phone was working with only the stock ROM, without the modified bootloader). But when I did, the phone just booted normally and greeted me with the “new phone” dance.

Since then I have been able to:

  • sync all the applications I wanted back from my Google account, so no weird warning from Google not being happy with me rooting my phone,
  • install and launch my bank application, which was my prime suspect in the list of applications which would not work anymore on a rooted system,
  • and give Titanium Backup the privileged authorizations it needs to work properly.

So it looks like I got exactly what I needed (at least these were the 3 objectives I set myself when starting). I chose to install Magisk instead of SuperSU especially because it apparently tries not to mess too liberally with the /system partition, which is a big no-no (rightly so, in my opinion) for applications like bank account management or (less rightly so) Pokemon Go.

And I have the latest version of Sony AOSP on my phone, which is pretty nice (just a bump from 8.0 to 8.1 for the moment).

Conclusion

It was a fun experience; I’m happy to have done it and documented it a little to find it later, but I definitely did not plan for the article being this long, so I did not really proofread myself this time, since this log is at least as much for me as it is for the internet. Sorry for the inconvenience, if any. My next article should be shorter and cleaner: the #vim@freenode.net community is trying to organize a little event for the month of December, I wrote a little article and it should be clearer and cleaner!

Have fun with your stuff,

Gerry