Develop Bugs

cnc-bootloader: Bootloader access on any phone!

cnc-bootloader
When you need fastboot but just can't get to it
So I was working with my phone trying to see what I can do with it. I got it rooted (via towelroot) installed busybox, SuperSu, the usual. Then I installed custom recovery and then installed a script to enter recovery via VolDown+Power. It softbricked the phone gave me a LG Security Error. I fixed it and thought hey? Why not create an exploit that forces the phone into bootloader mode.
There sadly is no common access to bootloader mode and so unless you softbrick there is no bl mode. Until cnc-bootloader (command and conquer bootloader) is released (now lol). This exploit creates a backup of the boot partition then erases it. I am also developing a computer gui to make it easier and safer. It uses a slightly different method of doing it and it can be a lot safer too, so if you aren't comfortable with this then I'll post a link when I release it. (NOTE: This gui is released by Trident-Dev. It is not open source.) So heres how it works
Download the cnc-bootloader exploit and run with root permission on your device.
It will then make a backup called boot.img and erase your boot partition.
WARNING: Make sure to backup boot.img to your computer before you reboot. This is the only way to exit bootloader mode
Then just reboot your phone like n0rmal and it should be in a bootloader loop!
(This can be fixed by reflashing the backed up boot.img)
The exploit is available on GitHub at (Give me some time to get these 10 posts down and I will post the link. I have it up on Androidforums.com so yea. Just search for rpgslayer redtelko there and it will be one of the only threads you will see
More information is available in the README.md file and stay tuned for the release of our GUI version!

I would like to try this on my Sprint LG G4 to unlock bootloader. Please provide the link.

https://www.codeaurora.org/projects...unds-checking-when-flashing-sparse-images-cve
Based of this?

your account on github doesn't exist.

[Tool] dd Flasher Minimal - Update your device without losing root access

Update: unfortunately the Marshmallow firmware for Xperia M5 enabled verified boot (dm-verity) so the phone will refuse to boot if you use dd Flasher Minimal to root. If you want root on Marshmallow firmware and also have an unlockable bootloader, I recommend flashing the stock Marshmallow firmware then using this kernel to get root access again...
This tool is a fork of the main dd Flasher made especially for Xperia M5 family, which allows updating to latest firmware version while maintaining root access, assuming your device is currently rooted...
How it works?
Sony updates are packed in .sin files, generally stored in FTF packages. Using Androxyde's FlashTool, you can get an image of the system partition (system.ext4) of the latest firmware available, which is sideloaded into your device by this tool. Next, it'll mount the update image (system.ext4) in a loop device, place SuperSU binaries and after that, stop all running processes and "flash" the modified image back into your device by using dd binary.
After using dd Flasher Minimal, all you need to do is rebooting your device into flash mode in order to flash the rest of the FTF file (excluding system partition, of course) with FlashTool. In the end, your device will be running the firmware from the FTF file you used with full root access, which makes dd Flasher Minimal extremely useful (especially to locked bootloader users) to update to the latest firmware where there's generally no root exploit available.
Requirements
• Your device must already have root access. You can downgrade to an older firmware and root it with iovySU, if needed.
• You will need Androxyde's FlashTool and an FTF file of the firmware version you want to upgrade your device to. Also, if you crossflashed your device to another firmware region/variant in order to get root (e.g. E5653 HK crossflashed with E5603 CE1 firmware or E5633 FR crossflashed with E5643 BR), it's your chance to return to your original variant/region by using a matching FTF file.
• Your device should have enough free space to store system partition image of the update temporarily (around 2.6 GB, depending of the firmware). You can store the image either on its Internal Storage or in external SD Card (if available).
• If storing the system image into SD Card, make sure your phone is connected in MTP mode (in Mass Storage mode only Internal Storage is accessible on device side and dd Flasher Minimal will fail)
• USB Debugging must be enabled on the phone (available in Settings => Developer Settings -- if you can't see it, go to Settings => About Phone and tap 7 times on Android Build).
• ADB drivers should be installed on the computer, otherwise this tool won't see it (you can install Xperia Companion to get the drivers or use any ADB installer you prefer).
• Your computer should be running Windows or Linux (you can probably use the Linux script on Mac, but that's completely untested and not guaranteed to work at all).
Instructions
I've splitted the instructions into three smaller sections. Follow all of them:
Getting system partition image
FTF files are just normal .zip files with a different extension and lots of .sin files inside, format commonly used by Sony in their firmwares for Xperia devices. We are interested in system.sin (it's the one with the partition image), to use it with dd Flasher Minimal, so:
• Open the FTF file with WinRAR or 7-Zip (or any other program compatible with .zip files);
• Extract system.sin somewhere you have easy access;
• Open FlashTool and go to Tools => SIN editor;
• A new window will open. Locate system.sin you extracted before, click in "Extract Data" and wait until FlashTool finishes extracting it;
• If everything went well, now you should have a system.ext4 file in the same place you extracted system.sin before (you can also delete system.sin -- it's not needed anymore at this step).
Using dd Flasher Minimal
Now that you got the system partition image, we can move on to dd Flasher Minimal:
• Download the attached ZIP and unzip its contents somewhere (make sure FlashTool is closed as well -- it's known to hijack ADB interface in order to provide some of its features and thus may cause issues with dd Flasher Minimal if it's running at the same time);
• Copy system.ext4 extracted previously to the root of the Internal Storage or SD Card of your phone;
• Open ddf_min.bat (or start ddf_min.sh from Terminal if you're on Linux) and select the same location where you've copied system.ext4 (Intenal Storage/SD Card) and wait while dd Flasher Minimal do its work;
• Please note that it'll take a while to finish and your device will look like it's dead or completely frozen during the process. Don't worry, it's normal;
• If everything went well, dd Flasher Minimal will notify you. Press any key and dd Flasher Minimal will reboot your phone into fastboot mode. When the LED becomes blue, disconnect the USB cable. Your phone should power off now, don't turn it on yet;
• On some cases, it may not be possible to reboot into fastboot or the phone may not automatically turn off after unplugging the USB cable, if that occurs, make sure the USB cable is disconnected and power off your phone manually by pressing the "OFF" microswitch present next to the microSD card slot. Remember, don't turn your device on yet.
Flashing the remaining FTF contents with FlashTool
At this stage, your device have the system partition with full root access of the firmware from the FTF you used but still have the kernel, baseband, etc., from the previous firmware you were running on your phone, so, trying to start your device now will probably result in a boot loop. To correct this:
• Open FlashTool again and flash the same FTF you used to extract system.ext4 through flash mode, however, make sure you exclude SYSTEM partition. If you forget to do so, you'll lose root access and you'll need to restart from the beginning.
• Make sure that you're using FlashTool 0.9.20 or newer and answer Yes when it asks if you want to use the .fsc script! Using an older version or not using the provided .fsc script will hard brick your Xperia M5 and only Service Center will be able to repair it.
• After flashing ends, disconnect the USB cable and start your phone. The first boot may take several minutes but if everything went well you should be now running the same firmware from the FTF file you used, with full root access!
Frequently Asked Questions
Q: Help! I've enabled USB Debugging on my phone but dd Flasher Minimal keeps stuck at "Waiting for device" message!
A: This means ADB isn't "seeing" your phone, either because you didn't install ADB drivers (you can use this stand-alone driver) or because you didn't authorize the connection on your phone. If dd Flasher Minimal still can't see your phone, make sure you don't have another Android device with USB Debugging enabled plugged on your computer at the same time or emulators like BlueStacks or Genymotion running.
Q: This whole thread looks familiar. Why?
A: Most of this is copy/paste from the dd Flasher thread. I made this version aimed directly at Xperia M5 because the main dd Flasher needs to take other details in consideration like devices of different architectures, different Android versions, different write protections and so on. In fact, my plans are rewriting the next version of the main dd Flasher in a more robust language than a simple Windows/UNIX script, that's also why it's pretty much abandoned and why I haven't updated the main tool besides the current beta release yet.
Q: Why should I do this complicated procedure to update my phone instead of using KingRoot which is a one-click tool?
A: Because there's no guarantees that KingRoot will work on later firmwares. With this tool, if you currently have root access or an older firmware version which is exploitable, you can update to any new firmware version*, even if there's no exploit available. Also, this tool uses SuperSU instead of the dubious root managing app with bloat stuff built-in that KingRoot provides.
* as long as the newer firmwares don't include protections at kernel level, like dm-verity. On those cases you'll need an unlocked bootloader
Q: Is there any difference between dd Flasher Minimal and PRFCreator?
A: The concept behind both tools are exactly the same (modify the system partition image in order to include SuperSU on it). The main difference is that PRFCreator produces flashable ZIPs to be used in custom recovery and also has more features, while dd Flasher Minimal do the same but through ADB brigde, which means it can also work on devices without custom recovery available.
Q: Can I use dd Flasher Minimal with <insert device here>?
A: You can try, but there's no guarantees. Also, the target firmware should be an ARM64 version of Lollipop or newer, otherwise don't even bother trying as it'll probably result in a bootloop.
Credits
I'm the author of this script, which is based on dd Flasher (which I'm the author too). This tool uses some pieces of code written originally by @zxz0O0 and @Chainfire, so, credits (and thanks) to them.

Nice work

Thanks for you hard work, look forward to trying this soon.

Thank you very much for this amazing work. I tried it yesterday and worked perfect!!!

I tried and it works good! But I have one question: will it be possible update to android 6 by using this tool?

As long as the newer firmwares don't include protections at kernel level, like dm-verity, yes, you can use this tool with any future upate...

got my phone back from Sony, they did not change anything, even though it appears the front camera has a fixed focus. When you are at that distance the picture is razor sharp, else it is poor.
So anyway, given I have to live with it, I thought I would finally get around to rooting and getting a more up-to-date firmware than available in the UK. So used this and now on .55 on generic Spain.

Perfect!! Only we need recovery

Some good (and bad) news: first the good news, Sony started rolling out 30.2.A.0.100 firmware for single SIM variants, the long-awaited Marshmallow update, and it should come soon to dual SIM variants too (probably under 30.2.B.0.100 if Sony keeps the same naming scheme of previous updates). And now the bad news, from a preliminary look I did in the boot image of the update, it now have dm-verity enabled on the kernel, and so, by using dd Flasher Minimal to update to a Marshmallow-based firmware while maintaining root access, the phone will refuse to boot unless you unlock the boot loader and flash a modified kernel with dm-verity disabled...

mbc07 said:
Some good (and bad) news: first the good news, Sony started rolling out 30.2.A.0.100 firmware for single SIM variants, the long-awaited Marshmallow update, and it should come soon to dual SIM variants too (probably under 30.2.B.0.100 if Sony keeps the same naming scheme of previous updates). And now the bad news, from a preliminary look I did in the boot image of the update, it now have dm-verity enabled on the kernel, and so, by using dd Flasher Minimal to update to a Marshmallow-based firmware while maintaining root access, the phone will refuse to boot unless you unlock the boot loader and flash a modified kernel with dm-verity disabled...
Click to expand...
Click to collapse
That really is bad news that dm-verity is enabled on the kernel. Have you actually tested it yet? I don't suppose there's a chance that Sony complies with Google's requirement that the user must be notified of verification failure and given the option of continuing to boot despite the failure?

I haven't actually flashed the update because it's not available yet for my variant (E5643) and at the moment I want to avoid cross flashing because it's my main phone (and I had issues with cross flashing it on the past).
What I did was downloading the update for E5603 and then taking a look on the RAM Disk of the kernel image; the verity keystore is present and it's also present in the fstab, so, dm-verity is definitely enabled. Also, from the dm-verity issues in recent Xperia flagships regarding root (Z3+/Z4, Z5, Z5c, Z5p) I really don't believe Sony just set dm-verity in "warning" mode rather than enforcing it, making the phone refuse to boot if the system partition was tampered...
In other words, permanently locked bootloader owners are currently screwed if they want root in Marshmallow update for Xperia M5 series

mbc07 said:
I haven't actually flashed the update because it's not available yet for my variant (E5643) and at the moment I want to avoid cross flashing because it's my main phone (and I had issues with cross flashing it on the past).
What I did was downloading the update for E5603 and then taking a look on the RAM Disk of the kernel image; the verity keystore is present and it's also present in the fstab, so, dm-verity is definitely enabled. Also, from the dm-verity issues in recent Xperia flagships regarding root (Z3+/Z4, Z5, Z5c, Z5p) I really don't believe Sony just set dm-verity in "warning" mode rather than enforcing it, making the phone refuse to boot if the system partition was tampered...
In other words, permanently locked bootloader owners are currently screwed if they want root in Marshmallow update for Xperia M5 series
Click to expand...
Click to collapse
Do you have UB your M5?

Rootability news for marshmallow?

Silly idea : just disable the dm-verity?
Else have to unlock bootloader... Is that even work?

knight84 said:
Silly idea : just disable the dm-verity?
Click to expand...
Click to collapse
You need an unlocked bootloader to do that.

Just curiosity, i know that it will not work but i don't know why...
What prevent unzip ftf and to change boot.img with one dm_verity off ?

Nothing. But locked bootloader devices only accepts kernels signed by Sony, modify a single byte on the boot image and the signature is not valid anymore. In other words, a bootloader locked phone would refuse to boot with a modified boot image.

mbc07 said:
Nothing. But locked bootloader devices only accepts kernels signed by Sony, modify a single byte on the boot image and the signature is not valid anymore. In other words, a bootloader locked phone would refuse to boot with a modified boot image.
Click to expand...
Click to collapse
Clear! I read something now in Wikipedia.

I have an idea. But I am not an expert, so I am not sure about this.
I think, we can downgrade the firmware with Flash Tools. Then, we can gain root access with kingroot. We can get a backup of TA partition and drm keys and then we will unlock the bootloader, change the dm-verity thing and use this dd flasher to keep root access with mm update. So If we have root again, we can lock the bootloader and restore the drm keys.
Am I correct about this idea. Can it be successful?

As soon as you restore your TA backup (thus relocking the bootloader) the phone would refuse to boot the modified image. Like I said before, only signed boot images can be loaded with a locked bootloader (modify the image to disable dm-verity => its signature is not valid anymore). Also, even if it worked, it would be of no use for users with permanently locked bootloader (e.g. devices bought through carriers)...

[Guide][Tutorial] Root TWRP LG G5 using Autorecowvery[H830 & V20A only][Noobfriendly]

[Guide][Tutorial] Root TWRP LG G5 using Autorecowvery[H830 & V20A only][Noobfriendly]
This is guide to root and install twrp on lg g5 T-Mobile using recowvery method.
Read 4th post before proceeding​This method is to root & install TWRP on only T-Mobile LG G5 running Nougat 20a software. If your phone isn't on 20a then first downgrade/upgrade to 20a software.
Before asking a question, first, see FAQ in 3rd post. In that way you can save a lot of time.
For Video Guide refer to 5th Post
You need to disable antivirus before extracting files. Because we are using DirtyCow vulnerability here. Which is technically a virus (It's not dangerous for pc but for exploiting android to get root access). If you can't disable AV then don't proceed because process will not work
Download:​1: Recowvery (2nd post)
2: Minimal adb (2nd post)
3: TWRP
A: H830 | For H850 (Refer to this Post and read carefully)
[Download TWRP 3.0.2 as 3.1.0 is having some little issues with flashing with autorecowvery] Always download latest TWRP available for your device to avoid most issues.
(rename it to recovery.img)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Procedure:​Drivers should be installed. Also install minimal ADB and fastboot.
1: Make sure to unlock bootloader. Backup internal data because it will be erased.
A: First enable developer options and toggle “Enable OEM unlock” to ON. Also enable “USB Debugging”.
B: Run Minimal ADB and Fastboot. Enter Command
Code:
adb devices
C: You will see permission dialogue on phone. Tick “Always allow” and ok.
D: Now enter.
Code:
adb reboot bootloader
E: Now phone be in fastboot mode. Enter
Code:
fastboot oem unlock
F: This will wipe all data on internal storage. Now Enter
Code:
fastboot reboot
G: Now OS will get booted. Bootloader will be unlocked but phone should be in factory reset condition. So again enable “USB Debugging”.
THEN​
2: Connect phone with pc in MTP mode and copy recovery.img to phone’s internal storage (Make sure to select MTP as always to avoid problem during procedure). Extract recowvery software. (If it causes permission problems extract it to USB device and perform process from there)
3: Run “EasyRecowvery.cmd”. Press “5” -->Enter then press “7” -->Enter to disable integrity check. Then enter “0” to go back. Skip it if you are using Recowvery G5 modified.
4: Now press “2” and wait until it says warning. Press “y” -->Enter. (It won't say warning in Recowvery G5 modified)
5: It will do rest process. After Flashing TWRP it will flash “no-opt-encrypt” (This is most important to save twrp from being removed by OS)
6: Phone will boot into TWRP. Here on phone it will ask for decrypt code. Cancel it. Swipe to allow modification.
7: On pc press any key, the flashing process on phone will automatically get started. Then it will reboot into OS.
8: To flash supersu, select option 3 from recowvery windows and phone will boot into twrp. Same as step 5-6 it will automatically flash supersu.
Now Your rooted and have twrp install.
Note: For removing Encryption.
To flash a custom rom and remove encryption in twrp, you need to once format data in twrp else you won’t be able to wipe and install any custom rom in your phone.

Attachments
Recowvery G5 modified is fully working, so you can try it.
I'm still keeping easyrecowvery 1.3 in this thread as a backup plan.
Read Read Read Before using This
Test Version --> Ricksy-Recowvery | Mirror
(Ricksy Recowvery is streamlined, checks free version of EasyRecowvery. It has no unlock checks, no model verification so use it only if you're fully sured about what you're doing. It includes but isn't limited to unlocked bootloader, USB Debugging Enabled, Being on V20a firmware, LG Drivers installed, PC allowed as Trusted in USB Debugging as always)
Remember to copy latest TWRP to root of internal storage as recovery.img before proceeding.
Old Test
There is also Addition of Recowvery G5 modified 2.0 Test version as well (This script has some additional features)
(I have also turned off most security checks, so you should have an more easy rooting experience. However, this increase risk of bricking device if you do not read things properly). If you can provide your experience of using this script please share your knowledge.
Download Test version either from here or here or through attachments

FAQ​
Recowvery tool is causing permission errors when I run it through computer's internal HDD storage. What shall I do?
Ans: There are possibly 2 workarounds for that.
A: Extract the zip to external USB storage and Run the tool.
B: Change the name of folder, in which recowvery tool is, to "1" and copy to root of storage e.g. "Computer:\D:\1".
Can I re-lock my bootloader after rooting and TWRP flashing?
Ans: No, as recovery partition modified now, this will brick your device.
Can I use V20C or later on my phone after rooting and flashing TWRP?
And: You can't take OTA after rooting as this might create a brick but fortunately @autoprime created TWRP flashable zips of firmwares e.g 20c,20f,20i and he might create newer builds too. Anyways here's the Auto Prime's thread, Go to "LG G5 Files" link and download file as per your variant and choice.
I bricked my phone after following this guide and now I can access only download mode, what shall I do now?
I'm on other version than 20a, What shall I do?
Ans: Really? It seems like you're kidding because this guide can never harm your device, It can either do it's work or not but there is no way for it to brick a device (Unless you don't read carefully).
Ans: You can take your phone back to v20a by using the following guide.
Anyways​You can always bring your phone back to life by following this Back to Life thread.
How to remove encryption in TWRP? or I'm unable to access my phone's internal storage from TWRP, What shall I do?
Ans: So for this process.
a: Boot into twrp.
(you can boot to TWRP by any app or by vol- and power button combination or from option “5” --> “5” in recowvery toolkit (command window).
b: In TWRP, cancel code Windows, Swipe to allow modification then
Click -->Wipe-->Format Data-->type “yes”-->enter.
You need to do this only once. After that you can flash roms and zips unlimited times.
Will this root method work on 20c/d/e/f or others?
Well, it shouldn't. Because I tried this on 20c and it never worked, so I believe it will not work on any software other than 20a because LG removed that exploit to root after 20a. But you can try your luck and tell me if you succeed.
a: Thanks a lot i have one lg g5 h830 and i have some fear to lose the unlocking and i want to modify the phone.
b: Same i have anyone please answer it will i lost the UNLOCKING (Modified by shopkeeper) if i FLASH another ROM?
What are you people trying to ask here?
Bootloader Unlock:
Bootloader can be locked and unlocked anytime you can to do so just by typing commands in fastboot mode. In T-Mobile G5 the fastboot mode do not accept flash command that's why we can only lock and unlock bootloader.
TWRP:
As commands are limited in fastboot mode of T-Mobile G5, we are unable to flash twrp through fastboot mode. So, for this process we rely vulnerability found in G5 firmware. The only currently found method for doing so is by using dirtycow exploit to flash TWRP on H830. Only V20a contains this vulnerability to do so.
Summary:
So to flash TWRP and enjoy freedom of using custom rom (Which I suppose you refer as Unlock to) you need to be on V20a. Which can be flashed easily through LGUP with Uppercut or use my LG FlashTool method (Link in FAQ section). When on V20a firmware simply use this or your preferred method for flashing TWRP.
If you want to go back to stock, simply flash any stock KDZ and lock bootloader. If you want to get TWRP again, simply unlock bootloader and flash V20a kdz (or flash V20a kdz and unlock bootloader) then instal TWRP by using the process.
Important:
Currently our stock firmwares are running Anti-Rollback (ARB 01), LG can increment this whenever they want, whenever LG increase ARB to 02 or upper then you won't be able to get back to ARB 01 firmwares (e.g V20a ) again. Which means you can unlock bootloader but won't be able to flash TWRP as dirtycow is patched after 20a. So you will lose the ability to flash TWRP which means unlocked bootloader is useless unless someone finds another method of flashing TWRP.
So, if you want to stay unlocked, then make sure to install TWRP as described above and flash latest TWRP flashable stock base zips or use other roms like Fulmics or AOSP based. It's very simple and easy .

First of All:
​After Flashing let me know about your experience by answering the poll, this will help me in updating this post.
POLL is ended, so let me know about your experience with toolkit and thread readability in comments.
Disclaimer:
​Before proceeding, remember I’m not responsible for anything bad happened to your device by following this or any of my guide. I’m just trying to help. So always do it on your own risk…
Don’t blame me or Any other developer.
All tools here are developed by different personalities. I’m just providing a guide on using these tool. Always say thanks to me and them. And If possible, donate them. They really deserve it.
Thanks be to:
@jcadduono For Recowvery tool
Source thread [V20 originated]

Due to some issue YouTube video aren't being played directly on XDA. So, you need to watch it here (Maybe some resistance on XDA side because things are good on my blog)
https://www.youtube.com/watch?v=F5PdTW8QHcA&t
Video Tutorial:
<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/F5PdTW8QHcA" width="480"></iframe>
https://youtu.be/G_4ayiZbSkM<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/G_4ayiZbSkM/0.jpg" src="https://www.youtube.com/embed/G_4ayiZbSkM?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div>
<br />
[YOUTUBE]<object width="445" height="364"><param name="movie"
value="http://www.youtube.com/v/AK9aZyJJNIo&hl=en_US&fs=1&rel=0&color1=0x234900&color2=0x4e9e00&border=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/AK9aZyJJNIo&hl=en_US&fs=1&rel=0&color1=0x234900&color2=0x4e9e00&border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="445" height="364"></embed></object>[/YOUTUBE]

For which software version is this applicable?

arjunking said:
For which software version is this applicable?
Click to expand...
Click to collapse
Nougat v20a only as the thread title says.

I had to extract to a USB device to get recowvery to work but it went smoothly from there, until I got to TWRP to flash the no verity zip. It hung on hit any key to continue, it didn't dawn on me till later I should have mounted USB storage (derp), but I already had the no verity zip and SuperSU on my external SD so I just flashed them manually, booted, and had root. Then I formatted data, lost root, and flashed SuperSU again to get it back. I later flashed @autoprime 20c zip with SuperSU and now I'm rooted with TWRP on 20c, tyvm for the tutorial

Char_G said:
I had to extract to a USB device to get recowvery to work but it went smoothly from there, until I got to TWRP to flash the no verity zip. It hung on hit any key to continue, it didn't dawn on me till later I should have mounted USB storage (derp), but I already had the no verity zip and SuperSU on my external SD so I just flashed them manually, booted, and had root. Then I formatted data, lost root, and flashed SuperSU again to get it back. I later flashed @autoprime 20c zip with SuperSU and now I'm rooted with TWRP on 20c, tyvm for the tutorial
Click to expand...
Click to collapse
First of all you welcome, 2nd thanks for writing about your experience.
I am not completely assured but to make recowvery work in internal hard drive you need to change the name of recowvery folder to "1". Next time whenever you root try this method and let me know wether it worked...
And as you mentioned about having difficulty in flashing no verity. I think this issue is happening only on TWRP 3.1.0, on TWRP 3.0.1 it works fine, i think .

Does this method work with the latest update to 20f? Can I just try it without bricking my phone?
Sent from my LG-H830 using Tapatalk

dksoni411 said:
First of all you welcome, 2nd thanks for writing about your experience.
I am not completely assured but to make recowvery work in internal hard drive you need to change the name of recowvery folder to "1". Next time whenevee you root try this method and let me know wether it worked...
And as you mentioned about having difficulty in flashing no verity. I think this issue is happening only on TWRP 3.1.0, on TWRP 3.0.1 it works fine, i think .
Click to expand...
Click to collapse
Thanks, I'll try that next time. I did use TWRP 3.0.1 though, but I'm thinking that without mounting USB storage, perhaps the verity zip couldn't be found to be flashed.

This worked perfectly!! Thank you so much again! I had to extract the recowvery to a usb stick and run it from there (it wouldn't run properly from the computer hd) and at first I got an error as I had put the recovery.img on the external phone sd. My bad. Anyway... I just copied it over to the phone sd and started over, and it worked exactly as explained in the OP.
AWESOME effort by everyone involved. XDA rules!
Btw... can I relock the bootloader now? And one more thing... I turned off "automatic system updates" in developer mode. I assume if I update to v20c or newer I will lose root? And I guess I should not update the supersu either?
Thanks again! You rock!!

d3th.m0nk3y said:
This worked perfectly!! Thank you so much again! I had to extract the recowvery to a usb stick and run it from there (it wouldn't run properly from the computer hd) and at first I got an error as I had put the recovery.img on the external phone sd. My bad. Anyway... I just copied it over to the phone sd and started over, and it worked exactly as explained in the OP.
AWESOME effort by everyone involved. XDA rules!
Btw... can I relock the bootloader now? And one more thing... I turned off "automatic system updates" in developer mode. I assume if I update to v20c or newer I will lose root? And I guess I should not update the supersu either?
Thanks again! You rock!!
Click to expand...
Click to collapse
As you installed TWRP, so recovery partition is modified which means if you relock bootloader, you will brick your device.
Also if you want to use V20c check @autoprime's thread for the TWRP flashable zip of V20c or later (if there any).
And if you want to update supersu you can do it either by newest supersu zip to flash it through TWRP or by updating it through playstore then update binary through supersu it self, but I think updating supersu mostly changes nothing.

dksoni411 said:
As you installed TWRP, so recovery partition is modified which means if you relock bootloader, you will brick your device.
Also if you want to use V20c check @autoprime's thread for the TWRP flashable zip of V20c or later (if there any).
And if you want to update supersu you can do it either by newest supersu zip to flash it through TWRP or by updating it through playstore then update binary through supersu it self, but I think updating supersu mostly changes nothing.
Click to expand...
Click to collapse
Ok. Thanks for all the info. I think I will keep the v20a with the current supersu. It works perfectly! Hopefully it will not "automatically update between 23:00 and 04:00" as it says in "about phone/update center/system updates". From what I understand, it shouldn't as long as I have the "automatic system updates" set to OFF in developer options.
How can I boot into TWRP? When I reboot and try to enter TWRP I always end up in the hard reset menu where it asks if I want to wipe the phone... Do I have to boot into TWRP through ADB fastboot?

d3th.m0nk3y said:
Ok. Thanks for all the info. I think I will keep the v20a with the current supersu. It works perfectly! Hopefully it will not "automatically update between 23:00 and 04:00" as it says in "about phone/update center/system updates". From what I understand, it shouldn't as long as I have the "automatic system updates" set to OFF in developer options.
How can I boot into TWRP? When I reboot and try to enter TWRP I always end up in the hard reset menu where it asks if I want to wipe the phone... Do I have to boot into TWRP through ADB fastboot?
Click to expand...
Click to collapse
When you boot to recovery through hardware key combination, say yes through hardware keys twice (as you want to reset), it will take you to TWRP, thats the logic from lg g2

dksoni411 said:
When you boot to recovery through hardware key combination, say yes through hardware keys twice (as you want to reset), it will take you to TWRP, thats the logic from lg g2
Click to expand...
Click to collapse
He is absolutely correct. That's exactly what I did on my H830 yesterday.
Keep up the great work people......

Got it after a few attempts
Thanks for the step by step. It is a good walkthrough for a tough device. With all the previous complicated, and sometimes confusing/conflicting, instructions in other (older) threads for the H830 I was nervous to try.
I struggled a little getting it to work; 1) .cmd returned "don't have permission to create log or backup files..." when running from my "documents" directory, had to run it in a root folder. 2) I got the wrong TWRP version at first and the process said success, but never made it to TWRP.
It was the most challenging of any device I have owned to get root, but happy to crack it. Thanks!

root 20f?
does this root method work on 20f?

hp786 said:
does this root method work on 20f?
Click to expand...
Click to collapse
Well, it shouldn't. Because I tried this on 20c and it never worked, so I believe it will not work on any software other than 20a. But you can try your luck and tell me if you succeed.

Salam bro,I followed your method and rooted the phone,after rooting I wiped system, data and cache so I could flash fulmics 2(based on v20c) which I had already downloaded,it flashed successfully but after booting on startup screen there's this popup error"settings keep closing " because of which I can't do anything so can u please tell me where did I go wrong,should I have wiped the system or not?

Update BLN-L22C675 from EMUI 5.X.X to EMUI 8.0 (with VOLTE)- Noob Friendly

Hi Guys,
Note- if you are on BLN-L22C675 Nougat you can do this easily but if you are on other variants, you need to debrand first as per this guide- https://forum.xda-developers.com/honor-6x/how-to/guide-debranding-to-india-variant-bln-t3679402
Some background-
So what I heard earlier that post China Oreo beta, other regions may not get it (via various unofficial channels and on XDA) its finally here, even though via firmware finder but it gives us a glimpse that beta or stable would be coming soon.
I had given my Honor 6X to my brother 6 months back and was using V10 since then but he came yesterday and I tried to enable VOLTE on that phone but was not working. Even though I debranded my Honor 6X from AL10 to BLN-L22 Indian version very easily (guide in my signature) but somehow I was not able to get VOLTE working. Yesterday I tried all the known methods till 2.30 AM My time but VOLTE was not working and I gave up but today morning again I tried and updated my phone to EMUI 8.0 (already kept one phone for my brother so that if something goes wrong, I will give a new one to him so that he can use atleast as he is leaving today)
As VOLTE was not working and I decided to update to Android 8.0 Indian version, I saw a screenshot in my Honor 6X Oreo update discussion thread and downloaded and flashed via HuRUpdater but failed last night and I recovered back to B340 and then updated to B365.
Click to expand...
Click to collapse
In this guide, I will provide detailed instruction on how to update your Nougat BLN-L22C675 Indian version of Honor 6X to Oreo. Process is simple and you just need patience while updating and post updating I verified, Jio, Vodafone VOLTE working (seems iDEA would work but no 4G in Delhi/NCR).
Prerequisites-
Unlocked bootloader.
HiSuite backup/TWRP backup.
Downloads-
TWRP for BLN - https://mega.nz/#!bY9hRazT!I9kqA3a9i1tAc3tQSnDGpqMPc_cEKR4JAYe6rDQqvdE
All the Oreo files (downloaded from Firmware finder or below URLs)- you need to put your device as BLN-L22HNC675 and it will show these files under B510 firmware version.
Main zip- http://update.hicloud.com:8180/TDS/data/files/p3/s15/G3196/g1699/v154301/f1/full/update.zip
Data File- http://update.hicloud.com:8180/TDS/...channel_in/update_full_BLN-L22_channel_in.zip
Public Zip- http://update.hicloud.com:8180/TDS/...01/f1/full/public/update_data_full_public.zip
HwOTA zip from https://mega.nz/#!CXRnEaAb!XYodFoS9CDqJkHx0Uv2fdFmzycCvTrexcvYzrwnjfGI given in thread Thanks to @vovan1982
If you have not unlocked your your bootloader, please do so. You can refer this guide if not aware of the method-
Unlocking the bootloader-
Backup all your data as unlocking the bootloader will reset the device and all your data will be erased.
On windows machine, go to folder C:\adb or wherever you installed the adb drivers.
Press shift+right click together and select Open command prompt here (it will be open PowerShell here on Windows 8 and Windows 10 machine)
Run - adb reboot bootloader (this command may prompt for acceptance of RSA key if not already accepted)
This will boot the phone into bootloader mode.
Run - fastboot oem unlock <16 digit unlock code- Put your actual code you obtained from Huawei site > (This step will unlock the bootloader and will erase all your data)
Phone will restart automatically.
Installing TWRP
Once on the system, open the PowerShell or command prompt again in ADB folder (can use the previous instance as well)
Run -
Code:
adb reboot bootloader
Once in bootloader, Run
Code:
fastboot flash recovery twrp-3.1.1-0-berlin.img
(This will install the TWRP recovery for EMUI 5.0 on your phone)
Once done with the flashing the TWRP, Run
Code:
fastboot reboot
Actual Oreo update procedure
Once you have unlocked the bootloader, and installed TWRP recovery via command
Download the Oreo firmware given above in download link.
Download the HWOTA_BLN_Eng.zip from the link given above.
Unzip the HWOTA_BLN_Eng.zip file and move the extracted content (HWOTA_BLN_Eng folder) to adb folder of your PC.
Copy the downloaded Oreo firmware to C:\adb\HWOTA_BLN_Eng\HWOTA8_BLN\update\ folder.
Rename update_data_full_public.zip file to update_data_public.zip and update_full_BLN-L22_channel_in.zip to update_all_hw.zip, do not rename the update.zip.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Boot to bootloader or fastboot mode. Keep your phone connected with PC.
Go to C:\adb\HWOTA_BLN_Eng\HWOTA8_BLN folder and run the update_eng.bat file and follow the on screen instructions.
The update_eng.bat will install the TWRP recovery and boot to TWRP (if not, you can remove USB and press power and volume up key and it will boot to TWRP, connect the USB again)
You will get prompt for update via SD card or script, select via script
You will get prompt for change region or change firmware, select change firmware.
It will automatically copy the content of C:\adb\HWOTA_BLN_Eng\HWOTA8_BLN\update, mainly those 3 zips and it will flash automatically.
You may see the update.zip file flashed as successful with no error but may see Error result [] for other 2 zips, dont worry that is expected.
Once flashed, it will automatically boot to Oreo without any issue and also it will ask if you want to relock your bootloader or keep this unlocked, this is your wish, I kept it unlocked and will be locked in future updates.
Your Nougat data may remain the same as it was in my case but I would advise to go with Hisuite backup and TWRP backup.
If phone unable to boot, flash the stock recovery and make factory reset and boot normally, it should boot fine. (haven't encountered this issue though)
I did factory reset after booting and verifying to system. Everything was working fine but still I did just to avoid any issue or lag (even though no lags were seen)
About Phone info and VOLTE for Jio and Vodafone. iDEA VOLTE would work as well but there is no 4G in NCR.
Enjoy Oreo.
Update- anyone having issues with call recorder, turn off Google voice typing and recording will work fine.

Changelog for - BLN-L22HN 8.0.0.510(C675CUSTC675D1)
Code:
[PHP][PHP]ANDROID 8.0[Oreo] upgrade with EMUI 8.0 is available for your device. This will upgrade your system BLN-L22HN 8.0.0.510(C675CUSTC675D1).
● VOLTE calls enabled for Vodafone,Idea and JIO.
● Call Recording feature has been added, and it has an ability to Records all your phone calls.
● EMUI 8.0 not only brings you the latest version of Android (8.0), it's also boosted with a lot of great features and improvements to make your device more intuitive, faster and safer. We highly recommend updating now.
● A new floating Navigation dock lets you perform frequently-used operations from anywhere on the screen. Newly added home screen shortcuts let you quickly access the app features you use most frequently. Simply touch and hold an app icon to display a shortcut menu.
● You can drag your navigation to any where of screen once you enabled this brand-new feature.
● How to set:Go to Setting > System > System navigation > Navigation dock Or drop down status bar > Navigation dock.
● Long-tap on parts of apps launcher icons, a shortcut menu will display.
● You can Tap and drag a shortcut to pin it to the device's launcher.
● Play Store, Settings, Gallery, Dialler, Contacts, Messaging, Camera, Email, Themes, Clock, Calendar, Notepad, Sound Recorder, Downloads etc. support the feature.
● Improved false touch protection functionality reduces unintended operations on the touch screen in a wider range of scenarios.
● Smart tips recommend you faster and smarter ways to operate your phone, appearing in specific usage scenarios and responding to your usage habits.
● Contacts and Email now let you sync the career details of your LinkedIn contacts.
● Settings has been redesigned for clearer and more intuitive organization.
● Gallery new features a recycle bin that retains deleted photos for up to 30 days. Accidentally deleted photos can be restored with a single touch.
● Phone Manager has been simplified to make managing your device easier. Standard cleanups are faster and deep cleanups more thorough.
● Google security patches are merged to make your device more secure.
● Downloading over WiFi is recommended. and make sure that the remaining power is greater than 50%.
● This update will not erase your personal data, but it's recommended to backup all of your personal data, including phone book, text messages, emails etc. before updating.
● Some third-party apps that are not compatible with Android 8.0 may function incorrectly after the update. It is recommended that you update these apps to their latest versions in the Google Play Store.
● Before upgrading, please ensure there is sufficient storage space for the update package on either the microSD card or the internal storage prior to proceeding with the update. Free storage space can be checked under system settings -> storage.
● During downloading upgrade package, the operation of the device will not be impacted. Please note, upgrade procedure need have some minutes to let device reboot and flashing. During flashing, the device is not available to be used.
● If you encounter any problems during the update, please contact the customer service hotline or visit an authorized Huawei service center for assistance which you can find.
● Your home screen layout may be rearranged slightly.
● This system version can be rolled back to the official version of EMUI 5.0 in Phone Manager. Rolling back the system version will erase your personal data. For more information, please contact the customer service hotline.

Stock Boot file for BLN-L22C675 OREO.

Bro which oreo recovery that support mtp and access to OTG

rojanjoy01 said:
Bro which oreo recovery that support mtp and access to OTG
Click to expand...
Click to collapse
did you mean during TWRP or in general. Mine supports OTG by default all the time.

Which TWRP ar you using on oreo ?

sreekantt said:
Which TWRP ar you using on oreo ?
Click to expand...
Click to collapse
None. I flashed without it. same as given in guide. you may use this post update-
https://mega.nz/#!a81EDZAR!2-9yPFh3reghkGcfSl3nRIJhHGkP8fqDsgUG66ewjkk

amazing work Shashank...

shashank1320 said:
None. I flashed without it. same as given in guide. you may use this post update-
https://mega.nz/#!a81EDZAR!2-9yPFh3reghkGcfSl3nRIJhHGkP8fqDsgUG66ewjkk
Click to expand...
Click to collapse
Internal storage shows as 0Mb. If I format data, Rom won't boot. I had to flash back stock recovery to factory reset and make it boot.
Flashing TWRP again shows 0Mb. Looks like a decryption issue.

sreekantt said:
Internal storage shows as 0Mb. If I format data, Rom won't boot. I had to flash back stock recovery to factory reset and make it boot.
Flashing TWRP again shows 0Mb. Looks like a decryption issue.
Click to expand...
Click to collapse
May be TWRP is not compatible with Oreo yet. Have seen similar issues on V10. BTW given back the phone to bro and he left for Mumbai so I couldnt test and explore much but somehow I updated his phone to Oreo and then got VOLTE working as was struggling since long and even yesterday for around 8-10 hours.
Which stock recovery you used (extracted from update.zip or else)?

shashank1320 said:
did you mean during TWRP or in general. Mine supports OTG by default all the time.
Click to expand...
Click to collapse
which twrp u use ,plz give the link
bro viper4fx not working on oreo emui 8,plz help me for solving this

rojanjoy01 said:
which twrp u use ,plz give the link
bro viper4fx not working on oreo emui 8,plz help me for solving this
Click to expand...
Click to collapse
hwota will take care of twrp if you want twrp for oreo then flash twrp from elemental rom on development section.
don't flash viper or dolbyatmos they will corrupt system files and you have to install stock again via hwota8

rojanjoy01 said:
which twrp u use ,plz give the link
bro viper4fx not working on oreo emui 8,plz help me for solving this
Click to expand...
Click to collapse
These will evolve with time. we just got Oreo. may be some developer can port these. for TWRP, Ramesh answered your query above. I have not flash any TWRP or stock recovery. HWOTA Will do the needful and install TWRP during the process and flash the update.zips one by one without issue. Once all done, your phone will boot and you will have stock recovery.

Ramesh006 said:
hwota will take care of twrp if you want twrp for oreo then flash twrp from elemental rom on development section.
don't flash viper or dolbyatmos they will corrupt system files and you have to install stock again via hwota8
Click to expand...
Click to collapse
bro now i use elemental twrp which will not support mtp and tpg
---------- Post added at 02:12 PM ---------- Previous post was at 02:12 PM ----------
Ramesh006 said:
hwota will take care of twrp if you want twrp for oreo then flash twrp from elemental rom on development section.
don't flash viper or dolbyatmos they will corrupt system files and you have to install stock again via hwota8
Click to expand...
Click to collapse
bro now i use elemental twrp which will not support mtp and otg

shashank1320 said:
Hi Guys,
Some background-
In this guide, I will provide detailed instruction on how to update your Nougat BLN-L22C675 Indian version of Honor 6X to Oreo. Process is simple and you just need patience while updating and post updating I verified, Jio, Vodafone VOLTE working (seems iDEA would work but no 4G in Delhi/NCR).
Prerequisites-
Unlocked bootloader.
HiSuite backup/TWRP backup.
Downloads-
All the Oreo files (downloaded from Firmware finder or below URLs)- you need to put your device as BLN-L22HNC675 and it will show these files under B510 firmware version.
Main zip- http://update.hicloud.com:8180/TDS/data/files/p3/s15/G3196/g1699/v154301/f1/full/update.zip
Data File- http://update.hicloud.com:8180/TDS/...channel_in/update_full_BLN-L22_channel_in.zip
Public Zip- http://update.hicloud.com:8180/TDS/...01/f1/full/public/update_data_full_public.zip
HwOTA zip from https://mega.nz/#!CXRnEaAb!XYodFoS9CDqJkHx0Uv2fdFmzycCvTrexcvYzrwnjfGI given in thread Thanks to @vovan1982
If you have not unlocked your your bootloader, please do so. You can refer this guide if not aware of the method-
Unlocking the bootloader-
Backup all your data as unlocking the bootloader will reset the device and all your data will be erased.
On windows machine, go to folder C:\adb or wherever you installed the adb drivers.
Press shift+right click together and select Open command prompt here (it will be open PowerShell here on Windows 8 and Windows 10 machine)
Run - adb reboot bootloader (this command may prompt for acceptance of RSA key if not already accepted)
This will boot the phone into bootloader mode.
Run - fastboot oem unlock <16 digit unlock code- Put your actual code you obtained from Huawei site > (This step will unlock the bootloader and will erase all your data)
Phone will restart automatically.
Once you have unlocked the bootloader, download the Oreo firmware given above in download link.
Download the HWOTA_BLN_Eng.zip from the link given above.
Unzip the HWOTA_BLN_Eng.zip file and move the extracted content (HWOTA_BLN_Eng folder) to adb folder of your PC.
Copy the downloaded Oreo firmware to C:\adb\HWOTA_BLN_Eng\HWOTA8_BLN\update\ folder.
Rename update_data_full_public.zip file to update_data_public.zip and update_full_BLN-L22_channel_in.zip to update_all_hw.zip, do not rename the update.zip.
Boot to bootloader or fastboot mode. Keep your phone connected with PC.
Go to C:\adb\HWOTA_BLN_Eng\HWOTA8_BLN folder and run the update_eng.bat file and follow the on screen instructions.
The update_eng.bat will install the TWRP recovery and boot to TWRP (if not, you can remove USB and press power and volume up key and it will boot to TWRP, connect the USB again)
You will get prompt for update via SD card or script, select via script
You will get prompt for change region or change firmware, select change firmware.
It will automatically copy the content of C:\adb\HWOTA_BLN_Eng\HWOTA8_BLN\update, mainly those 3 zips and it will flash automatically.
You may see the update.zip file flashed as successful with no error but may see Error result [] for other 2 zips, dont worry that is expected.
Once flashed, it will automatically boot to Oreo without any issue and also it will ask if you want to relock your bootloader or keep this unlocked, this is your wish, I kept it unlocked and will be locked in future updates.
Your Nougat data may remain the same as it was in my case but I would advise to go with Hisuite backup and TWRP backup.
If phone unable to boot, flash the stock recovery and make factory reset and boot normally, it should boot fine. (haven't encountered this issue though)
I did factory reset after booting and verifying to system. Everything was working fine but still I did just to avoid any issue or lag (even though no lags were seen)
About Phone info and VOLTE for Jio and Vodafone. iDEA VOLTE would work as well but there is no 4G in NCR.
Enjoy Oreo.
Click to expand...
Click to collapse
Do not need to renam the firmware files. HwOTA will renam firmware files automatically.

vovan1982 said:
Do not need to renam the firmware files. HwOTA will renam firmware files automatically.
Click to expand...
Click to collapse
Cool. Was not aware of this. Coz with HurUpdate, got error that file doesn't exist so rename them their and thought that is applicable here as well. Thanks for correcting this.

@shashank1320
While unlocking bootloader I took the complete backup with Hisuite but after restoring it everything's there except my safe files.
I am unable to find any of those files(safe box) in file manager too.
Is there any way to recover those files?

Mr. Ajay said:
@shashank1320
While unlocking bootloader I took the complete backup with Hisuite but after restoring it everything's there except my safe files.
I am unable to find any of those files(safe box) in file manager too.
Is there any way to recover those files?
Click to expand...
Click to collapse
not sure how did you backup so cant comment bro. backup doesnt copy any folder.

rojanjoy01 said:
bro now i use elemental twrp which will not support mtp and tpg
---------- Post added at 02:12 PM ---------- Previous post was at 02:12 PM ----------
bro now i use elemental twrp which will not support mtp and otg
Click to expand...
Click to collapse
currently twrp not supporting mtp or otg only way is via sd card.
I saw a TWRP thread for another honor varient that supports mtp and adb push files.

Thank you very much for such a detailed guide.. successfully installed Oreo on my Device ?
Just wanted to mention that faced issue with existing process when it ask to boot in TWRP recovery... It was booting to stock recovery only. So disconnected mobile, switched on , flash TWRP seperately, directly booted to TWRP and connected again to the computer and continued process.
Thak you very much for detailed guide.
Cheers:good:

[XZ1c] rooted kernel hiding bootloader unlock with working fota

rooted kernel hiding bootloader unlock
with working sony stock fw fota updates
for Sony Xperia XZ1 Compact​
Firmware Over the Air system updates have been disabled/not working with sony xperia phones with unlocked bootloader.
Also many sony drm functions are disabled if fw detects unlocked bootloader even if device master key was recovered.
I've implemented a kernel patch for xperia XZ1 Compact / XZ1 / XZ Premium phones that properly masks bootloader unlock status so it appears as still locked for sony stock firmwares.
This allows FOTA updates to be installed if running completely unmodified stock firmware. This is possible if this kernel is just booted from usb via fastboot instead of flashing it.
The kernel is pre-rooted, so you can have root as usual with magisk when running this kernel (you can use magisk system less patching to make changes to system/vendor partitions without actually modifying them).
For oreo fw the boot process is patched to hide magisk from sony ric daemon that stops the boot in case it thinks the bootloader is still locked. This special patch allows to pass safetynet including cts while having properly working magisk.
This kernel may be used (flashed) just to properly enable sony drm features, like video image enhancements, if device master key was recovered via locked state TA restore.
The bellow described way to install FOTA system update works with both - phone with TA restored and phone with drm keys lost. Both variants have been tested with xz1c.
How to use this kernel while planning to do FOTA system update eventually
Update: please see here for the latest usage instructions for kernels in flashable zip archive.
Please see screenshots bellow for this kernel in action doing fota system update from oreo to pie and from pie to next pie version. There is also a video documenting this here. Few longer waiting parts have been cut out to fit the video under 15 minutes of youtube limit for not verified accounts.
if your bootloader is still locked
Use renoroot exploit to backup your TA, unlock your bootloader and restore TA-locked to recover device master key as described in
[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented thread.
select one of the prepared kernels and download it
make sure you are running unmodified stock firmware
You need the version corresponding to the selected kernel - reflash the firmware to make sure it is unmodified.
Please note: any mount of /system or /vendor partitions in write mode would result with modifications even if nothing is copied there.
Be aware that some zip packages flashed from twrp may mount the partitions for write access even when that is not needed.
reboot the phone to fastboot mode
Use either "adb reboot bootloader" or
enter fastboot by holding powered off phone's volume up key while connecting it to PC via usb cable and use 'fastboot reboot bootloader' command.
boot the downloaded kernel via fastboot
For example:
Code:
fastboot boot boot-G8441-47.1.A.16.20-hideunlock-rooted.img
enjoy your rooted phone which thinks it is still locked
Sony apps will be offered to install/update. System FOTA update may come.
Magisk will provide your root when magisk manager app is installed (offered on the first boot).
if you need to use a custom recovery, like TWRP
Do not flash it. If you do, FOTA update verification will fail.
Instead use 'fastboot boot' the same way as with the kernel above, but instead of the kernel, boot the twrp image without flashing it.
to install a FOTA system update
just start the update as usual
let it run until it finishes the installation
try to catch the restart then and hold volume up that time to enter fastboot
you need to use following command to make next boot working
Code:
fastboot reboot bootloader
use 'fastboot boot' to boot kernel for fw to which fota updating to,
for example:
Code:
fastboot boot boot-G8441-47.2.A.4.45-hideunlock-rooted.img
if you miss the restart (or do not have the right kernel version),
it does not matter, the installation will finish even when bootloader unlock is detected with the last reboot to updated system,
so just 'fastboot boot' the corresponding 'hideunlock-rooted' kernel then
Alternative use of this kernel
If you do not like booting from usb via fastboot to startup your phone, you can flash the kernel and boot normally.
But if you like to install FOTA system update then, you would need to flash the stock kernel first in order to make the fw untouched again (assuming no other changes to the fw, like system or vendor partitions, have been done) and boot the patched kernel via 'fastboot boot' as described above.
You can backup stock kernel (and recovery) to avoid need to download full stock fw when you need to restore stock kernel & recovery when you decide to install fota system update - see here and following post for more details please.
If you do not care about FOTA, just do not install it.
And use this kernel just to enable all sony drm features that are available on a locked phone (assuming locked state TA has been restored).
In case you like to make some modifications to system or vendor partitions (as you do not care about fota), you would need to disable verity in the kernel - please see post#3 for noverity variants of oreo kernels and linked post describing howto switch verity off via magisk in all pie kernels.
Downloads
See the post#2 please.
Source code
patched kernel sources to hide bootloader unlock (my-bluhide/* branches)
https://github.com/j4nn/sonyxperiadev-kernel-copyleft
patched magisk sources to hide magisk from sony ric daemon on early boot phase (v19.1-manager-v7.1.2-ric branch)
https://github.com/j4nn/Magisk/tree/v19.1-manager-v7.1.2-ric
The patches are provided under GPL (that means you may include them in your builds, but you need to provide buildable source of released binaries /true for any kernel change btw/).
Credits
Thanks to @tonsofquestions for lot of initial testing of this concept when I did not have a phone with unlocked bootloader and for discovering the need to reboot to fastboot by a command to make the 'fastboot boot' command properly boot the supplied kernel image.
Thanks to @topjohnwu for his excelent magisk tool.
If you find my work useful, consider donating here please:
https://j4nn.github.io/donate/
Thank you.
XDA:DevDB Information
kernel_bluhide_lilac, Kernel for the Sony Xperia XZ1 Compact
Contributors
j4nn
Source Code: https://github.com/j4nn/sonyxperiadev-kernel-copyleft
Kernel Special Features: proper hiding of bootloader unlock, sony ric with magisk hack
Version Information
Status: Stable
Stable Release Date: 2019-02-10
Created 2019-02-10
Last Updated 2019-08-07

Downloads
This is for alternative use only - please see post#10 of XZ1 thread for more details.
boot-G8441-47.1.A.16.20-hideunlock-magisk-19.1-noverity.img
Screenshots of FOTA system update from pie 47.2.A.4.45 to pie 47.2.A.6.30 version
(video available here since 08:10 time)

Downloads
- hideunlock kernel pre-rooted boot images:
boot-G8441-47.1.A.8.49-hideunlock-magisk-19.1.img
boot-G8441-47.1.A.12.34-hideunlock-magisk-19.1.img
boot-G8441-47.1.A.16.20-hideunlock-magisk-19.1.img
boot-G8441-47.2.A.4.45-hideunlock-rooted.img
boot-G8441-47.2.A.6.30-hideunlock-rooted.img
boot-G8441-47.2.A.8.24-hideunlock-rooted.img
boot-G8441-47.2.A.10.28-hideunlock-rooted.img
boot-G8441-47.2.A.10.45-hideunlock-rooted.img
boot-G8441-47.2.A.10.62-hideunlock-magisk-19.3.img
- hideunlock kernels flashable to multi fw versions (see here for usage howto):
kernel-G8441-47.1.A.16.20-hideunlock.zip
kernel-G8441-47.2.A.10.62-hideunlock.zip
kernel-G8441-47.2.A.10.80-hideunlock.zip
kernel-G8441-47.2.A.10.107-hideunlock.zip
kernel-G8441-47.2.A.11.228-hideunlock.zip
Screenshots of FOTA system update from oreo 47.1.A.16.20 to pie 47.2.A.4.45
(video available here)

Hey j4. Can I use this? Haven't changed anything since we did the TA work

Hi @tramtrist, good to hear you again... sure, you can use this. If you want to try FOTA, just be sure, you have full fw flashed without any changes.
Or just use the kernel to enable all drm features having device master key recovered by TA-locked restore.
The FOTA update from oreo to pie 4.45, followed by fota update to pie 6.30 was done using DE customization. You need to flash oem partition too, to get the expected fota update.

@j4nn hey I am on Oreo .20 and my boot loader is unlocked and I didn't make any backups can I use the kernel

@danish0175, if you mean you have not backed up & restored TA - you might use the above howto with the kernel to possibly test a FOTA system update.
But if you like to stay on oreo with here posted kernel, you can, but camera would not work - if I remember correctly - it does not produce solid green pictures, it kind of hangs instead.
It cannot be quit with back button, you can switch to other app or kill camera via the square button though.

It seems I'm on 47.2.A.4.41 which there is no kernel for... And I'm pretty sure /system would have been modified by installing magisk/adaway ... Can't find an FTF for G8441-47.2.A.4.45 to do the test so...... Maybe I should just flash the latest FTF

j4nn said:
But if you like to stay on oreo with here posted kernel, you can, but camera would not work - if I remember correctly - it does not produce solid green pictures, it kind of hangs instead.
Click to expand...
Click to collapse
If I remember correctly, I observed this behavior running the last Oreo firmware (TA restored) with the default kernel. Should it be this way?! At startup, the user interface of the camera app looked normal, but when I tried to take a photo, some GUI elements were lost and no photo was saved.

wow..awesome!!

tramtrist said:
Maybe I should just flash the latest FTF
Click to expand...
Click to collapse
Just do it!
Didgesteve said:
You should be able to flash almost any firmware version, I don't think there are different modem drivers for each region any more. I have tried several regions of firmware here in the UK and none have effected signal reception or strength.
Start with Xperiafirm and download the most recent firmware build.
Download newflasher and unpack it into the same folder as the firmware.
Delete userdataXXX.sin. Deleting this file from the folder preserves your data patition in the rebuild.
Turn off phone, completely, plug it in while holding the volume down, you should see a green light come on the phone, start newflasher, type 'n' to the first two questions.
This should get you the latest build phone with your data intact
Edit: If you have issues with the Sony ADB driver, apparently answering 'y' to the first question on newflasher, gets you a zip file with the drivers you need and you just unpack them.
Click to expand...
Click to collapse
vofferz said:
I used the TA backup and restore tools by @j4nn (Thank you!), updated to Pie with newflasher by flashing all but persist.sin and .ta-files. This of course resets data, but I had a new, empty phone anyway.
[...] downloaded the new firmware with Xperifirm. Deleted persist*.sin, userdata*.sin, cache*.sin and all .ta files [but do not delete the one located in 'boot' sub folder] and flashed with newflasher. [...] Everything still works, data, apps and settings from previous Pie version remain [...]
Click to expand...
Click to collapse

tramtrist said:
It seems I'm on 47.2.A.4.41 which there is no kernel for... And I'm pretty sure /system would have been modified by installing magisk/adaway ... Can't find an FTF for G8441-47.2.A.4.45 to do the test so...... Maybe I should just flash the latest FTF
Click to expand...
Click to collapse
You can download Customized DE 47.2.A.4.45 for G8441 here:
https://www.xperiasite.pl/topic/28560-g8441-472a445-germany/
or even the oreo 47.1.A.16.20 here:
https://www.xperiasite.pl/topic/27985-g8441-471a1620-germany/
(but that would obviously involve a downgrade erasing all data in your case)
The DE customization offers fota system update from 47.1.A.16.20 right to 47.2.A.4.45 with next one being 47.2.A.6.30.
Concerning AdAway and changes to /system - it may not be the case.
Magisk contains support to simulate write access to system hosts file.
Magisk itself is flashed to kernel partition (i.e. partition named 'boot').
So your setup (if no other changes) may need to reflash just stock kernel (and recovery aka fotakernel.sin if flashed twrp) to make it untouched.
But surely if you used twrp to flash many things, most likely /system or /vendor got modified, so you would need to reflash them to make them original stock, if wanted to test fota.

This is awesome, j4nn! Fantastic work.
I'm glad to have had the small part I did in enabling this to move forward.
This almost makes me consider going back to stock, but if I end up needing more security upgrades, maybe I'll switch over....

Successfully updated 47.2.A.4.45 -> 47.2.A.6.30 via OTA with this (on unlocked bootloader + restored TA), and things are working well, including video enhancement. Not sure how reboot catching is supposed to be done as the OTA involves at least 3 reboots (I think?), it seems to be much simpler to just let it finish and after it's back in the OS "adb reboot bootloader" to load the patched kernel. Anyway thanks again for you work.

@notaz, thank you for the test.
Concerning reboot catching - it has been proved it does not matter if it is finished with stock kernel (so that updated fw detects unlocked state on it's first boot) - installation has been finished anyway.
But it is not that difficult to "catch the right reboot" - when fota progress says "Installing system update", that is there for quite a long time with progress bar moving to the right, then the "Restarting" is the one which boots back to main system, so that is the moment to catch and make it boot to fastboot.
The videos I've posted show all the reboots and what is displayed before them, so one may check how it looks in advance to be prepared...

Updated post#3 - for alternative use only - please see post#10 of XZ1 thread for more details.

How to backup the original boot.img
I successfully update my xz1c from 4.45 to 6.30.Thank you for your great job.:good:
But I want to flash your boot.img, rather than boot via the usb.
So, I use 'fastboot boot recovery.img' to go to recovery, and backup the boot Partition(64M).
Am I wrong?Is there any else method?
terrible english

You can take kernel.sin from your ftf firmware, use unsin tool and you will have stock kernel.img

@outline941, or flash simply kernel.sin via newflasher directly in flash mode.

Hello @j4nn!
Could you please patch a new released kernel 47.2.A.8.24 for G8441?
Thx.