Android Pay (Safety Net) on Rooted/Unlocked phone

[itandy]

This guide is to help anyone who wants to use Android Pay but his XC phone is unlocked and rooted. It begins with an unlocked phone with a valid backup of the TA partition as well as an unrooted /system partition.

Prerequisites:
1. A backup of TA partition (https://xdaforums.com/crossdevice-dev/sony/universal-dirtycow-based-ta-backup-t3514236)
2. Unlocked bootloader
3. Working fastboot driver and command
4. Clean /system partition without any trace of su. Systemless root is fine because it will be overwritten by the new kernel. If needed, flash the stock system partition again.
5. TWRP image for XC (https://drive.google.com/open?id=0B0j3VJ1Xp5N8M1ZGbzBBMTdyRnM)
6. Stock kernel image (Extract kernel.sin from official FTF)
7. Trim Area Proof Of Concept (https://xdaforums.com/crossdevice-dev/sony/poc-real-trim-instead-drm-fix-t3552893)
8. Tobias kernel repack tool (https://xdaforums.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605)
9. Magisk v12.0 flashable zip, not Manager app (https://xdaforums.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445)

Procedures:
1. Run TA PoC (DOUBLECLICKME.bat). You'll be asked to select your kernel image (kernel.sin) and TA backup (your TA backup file). Choose also to disable DM-Verity, Sony RIC but keep Force-encrypt (my data partition is encrypted, your choice). At the end a new file new_boot.img will be created.
2. Copy the new_boot.img in step 1 to Tobias tool folder. In the same folder, execute the following command. Again, disable Sony RIC, don't install TWRP, don't install DRM fix and don't install Busybox. At the end, another file boot.img will be created.

rootkernel.cmd new_boot.img boot.img

3. Power off your phone. Power on again while holding volume up rocker to enter fast boot mode. Execute the following command to flash the new boot image. Replace boot.img with your new image in step 2 with full path.

fastboot.exe flash boot [I]boot.img[/I]

4. Reboot your phone. No root or SuperSU app should be found.
5. Copy Magisk zip file into phone internal storage.
6. Dial *#*#7378423#*#*, followed by Service Test > Security to check if DRM is detected properly. At this point of time, your phone should be su free and DRM working properly.
7. Power off your phone. Power on again while holding volume up rocker to enter fast boot mode. Execute the following command to boot TWRP. Replace twrp.img with your TWRP image with full path.

fastboot.exe boot [I]TWRP.img[/I]

8. In TWRP, flash Magisk zip
9. Reboot your phone. Install Magisk Manager app (no long available in Play Store) (http://tiny.cc/latestmanager)
10. Run Magisk Manager and turn on Magisk Hide. You should see Magisk installed successfully and properly rooted with MagiskSU. Tap SafetyNet button to check if it can be passed.
11. (optional) Install Xposed using Magisk app, not official method. Xposed will break Safety Net again. But you can always disable it in Magisk Manager easily.

Remarks:
1. Trim Area Proof Of Concept is required to restore full DRM functionality so that Safety Net thinks the phone is still locked.
2. /system partition must be clean and free of any trace of previous su installation.
3. Magisk Manager app cannot be used to install Magisk because it requires root in the first place. Even with systemless root, after Magisk is installed this way, trace of su can be found in /vendor partition.
4. Tobias tool has to be used to repack the boot image because I found that if PoC image is used directly, phone will reboot unexpectedly after Magisk is installed.

 

[trewelu]

This is the clearest guide I found so far for rooting x compact :good: (Your old guide also help me understand some of the concept)
I get most of the steps but want to confirm whether I understand it correctly

1. Run TA PoC (DOUBLECLICKME.bat). You'll be asked to select your kernel image (kernel.sin) and TA backup (your TA backup file). Choose also to disable DM-Verity, Sony RIC but keep Force-encrypt (my data partition is encrypted, your choice). At the end a new file new_boot.img will be created.

TA PoC modify the boot image and the modified boot image will mount the TA backup image during boot and "trick" the system/kernel into thinking that is the original TA Partition, and it is untouched.

2. Copy the new_boot.img in step 1 to Tobias tool folder. In the same folder, execute the following command. Again, disable Sony RIC, don't install TWRP, don't install DRM fix and don't install Busybox. At the end, another file boot.img will be created.

- Drm fix is not needed because of the trick in step 1. This step is only needed because of incompatibility of boot image generated from step 1 with magisk (mentioned in the remarks section.).
- TWRP is not needed because in this guide TWRP will be booted by fastboot through PC without actually installing it on the phone (Step 7)
- Busybox is now included in magisk I think?

6. Dial *#*#7378423#*#*, followed by Service Test > Security to check if DRM is detected properly. At this point of time, your phone should be su free and DRM working properly.

- This is to prove the TA PoC mount trick above is working. No kernel fix is done.

The advantage of this method instead of kernel drm fix is that you can have completely stock kernel/system and only have modified boot image (and some extra data in data partition). Can you theoretically update the system and exclude the boot and data partition and still have the root intact? Or is that not recommended as new update might have some change in the boot partition as well?

I still need to do more reading about magisk and why the manager need to be installed manually (and what does it do)

 

[itandy]

This is the clearest guide I found so far for rooting x compact :good: (Your old guide also help me understand some of the concept)
I get most of the steps but want to confirm whether I understand it correctly


TA PoC modify the boot image and the modified boot image will mount the TA backup image during boot and "trick" the system/kernel into thinking that is the original TA Partition, and it is untouched.


- Drm fix is not needed because of the trick in step 1. This step is only needed because of incompatibility of boot image generated from step 1 with magisk (mentioned in the remarks section.).
- TWRP is not needed because in this guide TWRP will be booted by fastboot through PC without actually installing it on the phone (Step 7)
- Busybox is now included in magisk I think?


- This is to prove the TA PoC mount trick above is working. No kernel fix is done.

The advantage of this method instead of kernel drm fix is that you can have completely stock kernel/system and only have modified boot image (and some extra data in data partition). Can you theoretically update the system and exclude the boot and data partition and still have the root intact? Or is that not recommended as new update might have some change in the boot partition as well?

I still need to do more reading about magisk and why the manager need to be installed manually (and what does it do)

Your understanding is correct. As for busybox, I didn't install it because I don't use it. You can try and see if it affects Safety Net detection.

Yes, system partition can be updated without losing root.

 

[itandy]

This is the clearest guide I found so far for rooting x compact :good: (Your old guide also help me understand some of the concept)
I get most of the steps but want to confirm whether I understand it correctly


TA PoC modify the boot image and the modified boot image will mount the TA backup image during boot and "trick" the system/kernel into thinking that is the original TA Partition, and it is untouched.


- Drm fix is not needed because of the trick in step 1. This step is only needed because of incompatibility of boot image generated from step 1 with magisk (mentioned in the remarks section.).
- TWRP is not needed because in this guide TWRP will be booted by fastboot through PC without actually installing it on the phone (Step 7)
- Busybox is now included in magisk I think?


- This is to prove the TA PoC mount trick above is working. No kernel fix is done.

The advantage of this method instead of kernel drm fix is that you can have completely stock kernel/system and only have modified boot image (and some extra data in data partition). Can you theoretically update the system and exclude the boot and data partition and still have the root intact? Or is that not recommended as new update might have some change in the boot partition as well?

I still need to do more reading about magisk and why the manager need to be installed manually (and what does it do)

Just found that you can actually enable busybox in Magisk Manager so you don't have to pack it into the boot image.

Sent from my F5321 using Tapatalk

 

[trewelu]

Done the step above and gained root and pass safety check in magisk.

Is there a way to disable the bootloader unlocked message during boot? I don't mind the message but it delay booting process I

 

[itandy]

Done the step above and gained root and pass safety check in magisk.

Is there a way to disable the bootloader unlocked message during boot? I don't mind the message but it delay booting process I

I'm not aware anyone is able to do that so far.

 

[ondrejvaroscak]

I'm not aware anyone is able to do that so far.

You would need to alter bootloader....

 

[ondrejvaroscak]

Remark for Android 7.0 Users

If you will use this guide on Nougat, you will need to DISABLE force-encrypt, because data partition is encrypted by default on Nougat. On top of that, you will need to first boot to TWRP, wipe DATA partition without decrypting / mounting it and then reboot system to re-create unencrypted data partition. Only then you can flash Magisk..

 

[itandy]

If you will use this guide on Nougat, you will need to DISABLE force-encrypt, because data partition is encrypted by default on Nougat. On top of that, you will need to first boot to TWRP, wipe DATA partition without decrypting / mounting it and then reboot system to re-create unencrypted data partition. Only then you can flash Magisk..

Just curious, I'm on MM and my data partition is encrypted. But I didn't have to decrypt it first before installing Magisk. Is there anything on Nougat that makes it different?

 

[ondrejvaroscak]

Just curious, I'm on MM and my data partition is encrypted. But I didn't have to decrypt it first before installing Magisk. Is there anything on Nougat that makes it different?

Yes, quite substantially .... the TWRP does NOT support /data decryption on Nougat. On MM it works, on Nougat there is no way, until someone compiles TWRP with support for Nougat encrypted /data. The workaround is to DISABLE force-encrypt, wipe /data to force re-create unencrypted /data, install anything you need and then encrypt in Settings/Security. Once you do it, there is no way to get into /data in recovery...

 

[itandy]

Yes, quite substantially .... the TWRP does NOT support /data decryption on Nougat. On MM it works, on Nougat there is no way, until someone compiles TWRP with support for Nougat encrypted /data. The workaround is to DISABLE force-encrypt, wipe /data to force re-create unencrypted /data, install anything you need and then encrypt in Settings/Security. Once you do it, there is no way to get into /data in recovery...

And why is data partition decryption support needed in TWRP in this case? Flashing Magisk requires modification on data partition?

 

[trewelu]

And why is data partition decryption support needed in TWRP in this case? Flashing Magisk requires modification on data partition?

I don't think so. I just re-did the step (accidentally locked back my bootloader when trying to remove the unlocked message). On twrp, it ask for password which I don't even know as after BL unlock wipe, I haven't set my screen lock yet. I skip that part, mount the sd card and flash magisk. Magisk modify the boot image and I can have root and safety net working.

Ps: You might need to update the step, the magisk manager stub will force you to download the app from play store, but it is already pulled. I need to download the app directly from magisk thread and side load it.

Edit: I was wrong. Magisk do use /data for magisk.img, but it have workaround instalation in case it is inaccessible during flashing install script. See #15

 

[itandy]

Ps: You might need to update the step, the magisk manager stub will force you to download the app from play store, but it is already pulled. I need to download the app directly from magisk thread and side load it.

Updated. Thanks!

 

[ondrejvaroscak]

And why is data partition decryption support needed in TWRP in this case? Flashing Magisk requires modification on data partition?

Magisk installs file magisk.img into /data. This file is than mounted as /magisk. I am not sure, how Magisk handles installation if /data is not accesible/mountable during flashing, did not try it.

 

[trewelu]

Magisk installs file magisk.img into /data. This file is than mounted as /magisk. I am not sure, how Magisk handles installation if /data is not accesible/mountable during flashing, did not try it.

I'm not good with script, but here is my understanding,

In case of inaccessible data during flash, magisk will flash magisk.img temporarily in cache partition. During booting (after data is unencrypted), magisk check if the workaround image in cache exist and move it to data

scripts/flash_script.sh

if (is_mounted /data); then
  IMG=/data/magisk.img
else
  IMG=/cache/magisk.img
  ui_print "- Data unavailable, use cache workaround"
fi

jni/daemon/bootstages.c

// Merge images
if (merge_img("/cache/magisk.img", MAINIMG))
	goto unblock;
if (merge_img("/data/magisk_merge.img", MAINIMG))
	goto unblock;

jni/magisk.h

#define MAINIMG "/data/magisk.img"

 

[ondrejvaroscak]

I'm not good with script, but here is my understanding,

In case of inaccessible data during flash, magisk will flash magisk.img temporarily in cache partition. During booting (after data is unencrypted), magisk check if the workaround image in cache exist and move it to data

Cool, very clever. I did not make the effort to study in in depth, but expected some sort of solution to exist when users succesfully installed Magisk even when they can not mount /data in TWRP. This temporary /cache mount is just nice example of clever programming

 

[voilsb]

Hey, I think I pseudo-bricked my device while following these steps. I used fastboot to boot into TWRP, without disabling encryption, on Nougat 7.1. I didn't notice the requirement to disable encryption in Post #8 until afterwards.

Now the device appears to be on (my computer detects an unknown device when I plug it in), but it doesn't show any LEDs or react to any buttons. Is my only recourse to wait till the battery dies in a few days and try again, or is there another way?

HAHA, I found if I hold EVERY button (power, vol up, vol dn, and camera), the phone restarts and I have access again. w00t!

 

[baz1]

Just wondering if somebody tried this with Nougat 7.1? I can't get TA_POC to work, security test displays error and sim card is not detected.

 

[ypnos42]

Just wondering if somebody tried this with Nougat 7.1? I can't get TA_POC to work, security test displays error and sim card is not detected.

Yes this works with 7.1 the same as with 7.0. How did you perform the update to 7.1?

 

[gabed90]

I followed the guide to perfection, and everything works perfectly...but...If I want to turn a user app into system apps, link2sd gives me this error: mount: '/dev/block/bootdevice/by-name/system'->'/system': Device or resource busy" and system app mover gives me this error : "could not remount /system".
is system read only? why? I've already tried to enable "rw" "ro" through the command line without success...
Can anyone help me?
p.s. I have granted root permissions to the applications mentioned above at their opening