Sony Xperia 1 and Xperia 5 get temp root access on a locked bootloader with an exploit
When it comes to bootloader unlocking and custom development, Sony is undeniably one of the most developer-friendly OEMs out there. The company maintains an initiative called the Open Devices program through which they provide tools and guides to the development community to help them compile Android Open Source Project (AOSP) builds on select Xperia devices. Moreover, Sony offers a dedicated online portal for bootloader unlocking, but there is a catch.
Unlocking the bootloader of any Sony Xperia device simultaneously wipes out a certain portion of a partition named the “trim area” (TA). That particular segment holds a bunch of DRM keys that are used by Sony’s proprietary audio and video features (e.g. X-Reality Video Enhancement, DSEE HX, ClearAudio+, etc.) on the stock ROM. Those unique keys can only be backed up before unlocking the bootloader when you already have root access. (You normally need an unlocked bootloader to be able to get root access in the first place.) Now, finding a privilege escalation exploit that can give you stable root access without unlocking the bootloader can be tricky, but XDA Recognized Developer j4nn is here to help. Together with XDA Junior Member bb-qq, he has worked on using an existing exploit that is capable of spawning a root shell—albeit temporary—on the Sony Xperia 1 and the Xperia 5.
The developer duo decided to reuse CVE-2020-0041, which was originally discovered on the Google Pixel 3 running Linux kernel 4.9. As a matter of interest, j4nn had already used the same exploit to achieve temporary root access on bootloader-locked LG V50 ThinQ units. Most of the modifications needed to make the exploit work on the LG V50 ThinQ carry over to the Sony Xperia 1 and Xperia 5 as well, partly because these phones are based on the same Qualcomm Snapdragon 855 chipset and run Linux kernel 4.14.
The newest iteration of the exploit also supports calling Magisk Manager from the temporary root shell, which is a big plus for inexperienced users. For those of you interested in how to get root on your Sony Xperia 1 or Xperia 5 without unlocking the bootloader, head on over to the thread linked below. Read everything carefully, make sure you are running a compatible version of the stock ROM, and execute the scripts as detailed.
It is worth mentioning that access to a root shell using this exploit does give you the ability to make a full dump of the TA partition on the Xperia 1 and Xperia 5. However, we have yet to see a confirmed report of getting all the DRM keys back by restoring such a dump on these phones. For the more technically inclined, there is an ongoing discussion on this topic that you may like to take a look at and participate in.