WARNING
I have no responsibility whatsoever if this guideline causes any harm to your device. The intention of these posts are solely as personal notes for myself. Follow them at your own risk.
WARNING
Through these steps I will unlock the phone’s bootloader, erasing all data. This includes the DRM keys stored in the Trim Area (TA) partition. I’ll attempt backing them up but, as of today, there is no way of restoring them to the previous state nor knowing if the actual backup is usable at all.
Without these DRM keys, several audio and video proprietary functionality provided by Sony won’t be available including some camera post-processing features, color gamut profiles, white balance, noise reduction, X-Reality Video Enhancement, DSEE HX, ClearAudio+, and Widevine L1 support for HD Netflix.
Why
I want to have a phone running Free Software with the possibility of using all the major apps out there. That means, unfortunately, some kind of Android flavor. I also want a small phone and, since I’m a Spaniard living in Finland, I’d like that my phone has dual SIM capability. Until now I was using a Xiaomi Redmi 2 but, after years of usage, I cannot squeeze it any more. I’d also love to have a decent camera, if possible.
After quite some research, my conclusion is that the only real alternative that ticks (most of) the boxes is the Sony Xperia XZ2 Compact Dual.
Preconditions
I’ll be doing all the stems in a Debian Buster GNU/Linux distribution on a x86_64 platform.
Downgrading the stock firmware
If you have read the warning above, you now know that installing LineageOS implies unlocking the bootloader. In turn, this means wiping the TA partition and losing the DRM keys, which will cause several advanced audio and video features to get lost forever.
We want to keep the hope that, at least, we would be able to restore this functionality. This means that we want to backup the TA partition. Doing that without actually unlocking the bootloader is not really possible … unless you exploit a security bug.
The Sony firmwares build 52.1.A.0.618 contains one such kernel bug. Therefore, first thing, downgrading the current firmware in the device to use the one affected.
As a previous step, I downloaded the firmware that was running in my device at the time: 8324_Customized NOBA_1313-6167_52.1.A.3.49_R4C
For downloading the up to date firmware I used the XperiFirm program:
root$ apt install mono-complete root$ cert-sync /etc/ssl/certs/ca-certificates.crt root$ certmgr -ssl -m https://software.sonymobile.com (Entered Y twice when asked) $ mono XperiFirm.exe
Then, I selected the Xperia XZ2 Compact Apollo: H8324 dual phone and downloaded the Nordic Combined available firmware.
Now, I downloaded and extracted the exploitable H8324-52.1.A.0.618 firmware for the Xperia XZ2 Compact Dual and followed this guide to install it into the phone without unlocking the bootloader.
We want to use the Flashtool to create a bundle with the parts of the firmware we are going to use.
I downloaded the latest version of the tool (0.9.29.0 at the time) and tried to launch it:
root$ DISPLAY=:0.0 ./FlashTool Running as root. Error: dl failure on line 603 Error: failed /home/tanty/personal/sony_xperia_xz2c/flashtool/FlashTool/x10flasher_native/jre/lib/server/libjvm.so, because /lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.29' not found (required by /home/tant y/personal/sony_xperia_xz2c/flashtool/FlashTool/x10flasher_native/jre/lib/server/libjvm.so)
Bad news … it seems this version was compiled against a different C toolchain? Let’s use an older version then. 0.9.27.0 it is.
root$ DISPLAY=:0.0 ./FlashTool Running as root. Used java home : /usr 03/057/2020 16:57:14 - INFO - <- This level is successfully initialized (Flashtool:8027): GLib-CRITICAL **: 16:57:14.971: g_base64_encode_step: assertion 'in != NULL' failed (Flashtool:8027): GLib-CRITICAL **: 16:57:14.971: g_base64_encode_step: assertion 'in != NULL' failed ...
Voilá!
In the UI, we select Tools -> Bundles -> FILESET Decrypt. In the popping up Window we browse to the folder containing the exploitable firmware: H8324_Customized FR_1313-2469_52.1.A.0.618_R2C. There, we choose the 3 zip files that it contains and move it from the left side to the right side in the window and click Convert.
Once it has finished, we want to skip creating the bundle by just pressing Cancel in the next window. We have finished using flastool.
In the exploitable firmware directory we now have a new folder called decrypted. We want to delete some files there:
root$ rm decrypted/*ta root$ rm decrypted/boot/*ta
Before we proceed to flash, we need to add some rules to the udev system in our computer so it can identify the Xperia phone:
root$ echo 'SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="0fce", ATTRS{idProduct}=="*", MODE="0777"' > /etc/udev/rules.d/51-sony.rules root$ service udev restart
Now, we want to use another tool to flash these files into the phone: newflasher. I downloaded the latest v36 version, extracted, placed the executable in the decrypted folder from the previous step:
root$ mv newflasher.x64 decrypted root$ cd decrypted root$ chmod +x newflasher.x64
Last thing is setting the phone into flashmode.
First, let’s enable developer mode in the phone: Settings -> About phone, and hit several times the Build number field until it states that you have become a developer. Then, go to Settings -> System -> Advanced -> Developer options and switch on the USB debugging option.
Now, power down the phone. Once off, press and hold Volume Down and connect the USB cable that is connected to the computer in the other end. The led of the phone turns on and stays on. It is now into flashmode. Let’s flash:
root$ ./newflasher.x64 [...] Reboot mode at the end of flashing: typa 'a' for reboot to android, type 'f' for reboot to fastboot, type 's' for reboot to same mode, type 'p' for poweroff, and press ENTER. a [...] Optional step! Type 'y' and press ENTER if you want dump trim area, or type 'n' and press ENTER to skip. Do in mind this doesn't dump drm key since sake authentifiction is need for that! But it is recommend to have dump in case hard brick! n [...] Recommended step to skip this! Type 'y' and press ENTER if you want flash persist partition, or type 'n' and press ENTER to skip. More info https://forum.xda-developers.com/xperia-xz1-compact/help/android-attest-key-lost-bootloader-t3829945 n [...] Device is put now out of flash mode. Sent command: Sync Waiting sync to finish… ……………… done Sent command: continue. Done. Closing device.
Notice the questions and the answers. After a while, the phone will complete its reboot and we will be able to verify that the running firmware is the one flashed.
That all by now, next step: backing up the TA partition!
Pingback: Installing LineageOS in the Sony Xperia XZ2 Compact Dual (in GNU/Linux) 2/5: Backing up the Trim Area (TA) partition | frozen mumblings
Pingback: Installing LineageOS in the Sony Xperia XZ2 Compact Dual (in GNU/Linux) 3/5: Installing LineageOS | frozen mumblings
Pingback: Installing LineageOS in the Sony Xperia XZ2 Compact Dual (in GNU/Linux) 4/5: Bringing back Sony’s stock camera app | frozen mumblings
Pingback: Installing LineageOS in the Sony Xperia XZ2 Compact Dual (in GNU/Linux) 5/5: Appendixes | frozen mumblings