Sony Xperia 1 and Xperia 5 get temp root access on a locked bootloader with an exploit

Sony Xperia 1 and Xperia 5 get temp root access on a locked bootloader with an exploit

When it comes to bootloader unlocking and custom development, Sony is undeniably one of the most developer-friendly OEMs out there. The company maintains an initiative called the Open Devices program through which they provide tools and guides to the development community to help them compile Android Open Source Project (AOSP) builds on select Xperia devices. Moreover, Sony offers a dedicated online portal for bootloader unlocking, but there is a catch.

Unlocking the bootloader of any Sony Xperia device simultaneously wipes out a certain portion of a partition named the “trim area” (TA). That particular segment holds a bunch of DRM keys that are used by Sony’s proprietary audio and video features (e.g. X-Reality Video Enhancement, DSEE HX, ClearAudio+, etc.) on the stock ROM. Those unique keys can only be backed up before unlocking the bootloader when you already have root access. (You normally need an unlocked bootloader to be able to get root access in the first place.) Now, finding a privilege escalation exploit that can give you stable root access without unlocking the bootloader can be tricky, but XDA Recognized Developer j4nn is here to help. Together with XDA Junior Member bb-qq, he has worked on using an existing exploit that is capable of spawning a root shell—albeit temporary—on the Sony Xperia 1 and the Xperia 5.


Sony Xperia 1 XDA Forums ||| Sony Xperia 5 XDA Forums

The developer duo decided to reuse CVE-2020-0041, which was originally discovered on the Google Pixel 3 running Linux kernel 4.9. As a matter of interest, j4nn did utilize the same exploit to achieve temporary root access on bootloader locked LG V50 ThinQ units. All the modifications needed to make the exploit compatible with the LG V50 ThinQ are more-or-less useful to port it to the Sony Xperia 1 and Xperia 5 as well, partly because these phones are based on the same Qualcomm Snapdragon 855 chipset and run on Linux kernel 4.14.

The newest iteration of the exploit also supports calling Magisk Manager from the temporary root shell, which is a big plus for inexperienced users. For those of you interested in how to get root on your Sony Xperia 1 or Xperia 5 without unlocking the bootloader, head on over to the thread linked below. Read everything carefully, make sure you are running a compatible version of the stock ROM, and execute the scripts as detailed.

Sony Xperia 1/5 Temp Root Exploit — XDA Download and Discussion Thread

It is worth mentioning that access to a root shell using this exploit does give you the ability to make a full dump of the TA partition on the Xperia 1 and Xperia 5. However, we have yet to see a confirmed report of getting all the DRM keys back by restoring such a dump on these phones. For the more technically interested people, there is an ongoing discussion on this topic you may like to take a look at and participate in.

About author

Skanda Hazarika
Skanda Hazarika

DIY enthusiast (i.e. salvager of old PC parts). An avid user of Android since the Eclair days, Skanda also likes to follow the recent development trends in the world of single-board computing.

We are reader supported. External links may earn us a commission.