[Guide] Safe bootloader unlock, restore DRM, custom recovery, root, bootloader relock - Xperia Z4 Tablet General

** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **
The following is tested on model SGP-771. For the Wifi-only model the procedure is the same but you should use the files and kernels for the Wifi model. Do not flash the ftf and kernel files intended for the cellular model on a Wifi-only tablet.
I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
Credits: @zxz0O0, @AndroPlus, @tobias.waldvogel
0- Prerequisites
You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your tablet when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.
1- How to unlock your bootloader without losing the DRM keys
Sony has designed this tablet such that if you unlock your bootloader you PERMANENTLY lose your TA partition, which includes some of the Xperia features and licenses that have to do with image processing etc. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each tablet and cannot be copied over from another tablet) unlocking the bootloader results in an irreversible loss of some of your tablet's features. Relocking the bootloader will not bring them back.
A hack exists that allows you to back up the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
1.1- Start by clean flashing any 28.0.A.8.260 firmware. For this tutorial I used SGP771_Customized HK_1296-4830_28.0.A.8.260_R10A. You can download it from https://mega.nz/#!YsUWwY5Y!0775_vLpjV9-UkoGjMWP6-Yu8L31LkJVHEyUwA7X9NA. For the wifi only model SGP712 use https://mega.nz/#!wlIl0JDa!DR0lRL6dDn5Y-K_4768oJnLGWQyrxNV0xLHgKVVesFw (thanks to @kuroneko007)
1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable. (To access service menu on SGP712 (Wi-Fi only model) see: http://forum.xda-developers.com/showpost.php?p=66164176&postcount=5) Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
1.3- Turn on usb debugging mode on your tablet.
1.4- Download iovyroot zip v0.4 or higher from here.
1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
1.6- Connect the tablet which is now in USB debugging mode to your PC and answer yes when it asks to authorize the PC to access the tablet in USB debugging mode. You can check that the PC indeed sees the tablet by running this command
Code:
adb devices
1.7- Run the following command:
Code:
tabackup
1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-07102015.img (the name may be different for you) with a size of 2MB in your folder.
1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
1.10- Reboot the device.
1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
1.12- Reboot the device and it will briefly enter recovery and then start the tablet initial setup.
1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
Code:
fastboot boot boot.img
1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 SGP771_Customized DE_1295-6955_32.1.A.1.185_R4C (the latest firmware at the time of this writing.)
2- How to emulate DRM keys and/or root after unlocking the bootloader.
A hack exists that can emulate the DRM keys:
2.1- Obtain a kernel boot image. If you want to stick with the stock kernel you need to extract kernel.elf from the ftf that you flashed in step 1.15. If you want a custom kernel you can download one from https://kernel.andro.plus/kitakami.html Note that whatever kernel you are using in this step must match the firmware version currently installed on your system. For this example I downloaded Z4T_SGP771_AndroPlusKernel_v27.zip and extracted the boot.img file from the zip, which matches Marshmallow 32.1.A.1.185.
2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
2.3- Copy the kernel (e.g. boot.img) to this folder. If you want root, place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
Code:
rootkernel.cmd boot.img boot-patched.img
When prompted, answer as follows:
- Sony RIC is enabled. Disable? [Y/n] Y
- Install TWRP recovery? [Y/n] N
- Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
- Install DRM fix? [Y/n] Y (if you want DRM emulation)
This will create a new kernel image called boot-patched.img which you will now flash on your tablet.
2.5- Boot the tablet in the fastboot mode and flash your patched image using the following fastboot command:
Code:
fastboot flash boot boot-patched.img
2.6- (Optional) You can reboot the tablet and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is successful you will see this but if it hasn't been successful you will see this.
3- How to flash a custom or stock kernel
3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash it on your tablet you need to restart the tablet in fastboot mode.
3.2- To flash the kernel use this command:
Code:
fastboot flash boot name_of_your_kernel
You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)
4- How to flash recovery
4.0- To install TWRP recovery you need to flash AndroPlus kernel first (see sections 2.1 and 3).
4.1- Download a TWRP image from the same webpage. For this tutorial I used TWRP-3.0.2-0-20160417.img.
4.2- Reboot into fastboot mode and run this command:
Code:
fastboot flash recovery TWRP-3.0.2-0-20160417.img
4.3- Reboot the tablet. To enter recovery touch the volume keys when the LED turns yellow during the boot splash screen.
5- How to relock bootloader and return it to original factory state
5.0- To relock the bootloader along with restoring the DRM keys the tablet must have unmodified stock firmware.
5.1- Repeat step 1.1
5.2- Repeat steps 1.3, 1.4, and 1.5
5.3- Copy the TA backup image that you had obtained in section 1 into the iovyroot folder and use the tarestore command to flash the TA partition back onto the tablet. The command will look similar to this:
Code:
tarestore TA-07102015.img
Make sure the command completes with no error. If it fails the first time try again. Reboot the tablet. Your bootloader is now locked and your DRM keys restored.
5.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
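An added example, not part of the original guide or of iovyroot: a Python check for steps 1.8, 1.9 and 5.3 that confirms a TA dump is exactly 2 MB and not blank, and that every stored copy hashes the same as the reference before you unlock or restore. The blank-dump heuristic and all function names are assumptions made for this sketch.

```python
import hashlib
import os
import sys
import tempfile

# Step 1.8 says the dump is 2MB; a poster in this thread reports 2 097 152 bytes.
EXPECTED_SIZE = 2 * 1024 * 1024


def inspect_ta_image(path):
    """Hash one TA dump and list reasons not to trust it.

    Returns (sha256_hex, problems); an empty list means every check passed.
    """
    problems = []
    size = os.path.getsize(path)
    if size != EXPECTED_SIZE:
        problems.append(f"size is {size} bytes, expected {EXPECTED_SIZE}")

    digest = hashlib.sha256()
    byte_values = set()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
            if len(byte_values) < 2:
                byte_values.update(chunk)

    # Assumption (heuristic): a dump made of one repeated byte value,
    # such as all 0x00 or all 0xFF, is a failed read and holds no keys.
    if size and len(byte_values) == 1:
        value = next(iter(byte_values))
        problems.append(f"every byte is 0x{value:02x}; dump looks blank")
    return digest.hexdigest(), problems


def verify_copies(reference, copies):
    """Compare each stored copy (step 1.9) with the reference dump.

    Returns a dict mapping path -> "ok", "missing" or "differs".
    """
    ref_digest, _ = inspect_ta_image(reference)
    status = {}
    for path in copies:
        if not os.path.isfile(path):
            status[path] = "missing"
        elif inspect_ta_image(path)[0] == ref_digest:
            status[path] = "ok"
        else:
            status[path] = "differs"
    return status


def ready_to_proceed(reference, copies):
    """True only if the dump passes inspection and every copy matches it."""
    _, problems = inspect_ta_image(reference)
    states = verify_copies(reference, copies).values()
    return not problems and all(state == "ok" for state in states)


def report(reference, copies):
    """Print the findings and return the ready_to_proceed() verdict."""
    sha, problems = inspect_ta_image(reference)
    print(f"{reference}: sha256={sha}")
    for problem in problems:
        print(f"  PROBLEM: {problem}")
    for path, state in verify_copies(reference, copies).items():
        print(f"  copy {path}: {state}")
    return ready_to_proceed(reference, copies)


if __name__ == "__main__":
    # Real use: python check_ta.py TA-07102015.img [copy1.img copy2.img ...]
    if len(sys.argv) > 1:
        sys.exit(0 if report(sys.argv[1], sys.argv[2:]) else 1)
    # No arguments: run on constructed files (not real TA data).
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "TA-good.img")
        blank = os.path.join(tmp, "TA-blank.img")
        with open(good, "wb") as fh:
            fh.write(bytes(range(256)) * 8192)
        with open(blank, "wb") as fh:
            fh.write(b"\xff" * EXPECTED_SIZE)
        print("good dump ready:", report(good, [good]))
        print("blank dump ready:", report(blank, []))
```

Record the printed SHA-256 next to the unlock code from step 1.11 so a copy retrieved later can be checked against it before running tarestore.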

Thanks for this great guide.
My question is this. Since it would be easier to avoid all this, can this tool help us do it without having to downgrade?
http://www.xda-developers.com/chainfires-flashfire-can-now-create-fastboot-flashable-backups/
I mean would it also backup the DRM keys? Has anyone tried (preferably with a TA backup already in place so that he may not lose the keys in case that this won't work)...

Stevethegreat said:
> Thanks for this great guide.
> My question is this. Since it would be easier to avoid all this, can this tool help us do it without having to downgrade?
> http://www.xda-developers.com/chainfires-flashfire-can-now-create-fastboot-flashable-backups/
> I mean would it also backup the DRM keys? Has anyone tried (preferably with a TA backup already in place so that he may not lose the keys in case that this won't work)...
No. This tool cannot help you and trust me there is no shortcut to avoid all of this.
Flashfire (the tool you mentioned) only works if you already have root access. There is no root available for this tablet without unlocking the bootloader, and unlocking the bootloader means you lose the TA partition immediately. So by the time you get this tool to work your TA partition will have been long erased.

Hi. Does this solution only suit people who have not erased their DRM keys yet and are able to back them up? For those who have lost them, is there no up-to-date solution except for http://forum.xda-developers.com/xperia-z5/development/sony-credentials-restore-unlocking-t3296383 ?

Correct.

I don't understand this step:
1.1- Start by clean flashing any 28.0.A.8.260 firmware
Without this step the temporary root does not work...
But how do I flash firmware if the device still has a locked bootloader? What tool is used for this step?

mrdarek said:
> I don't understand this step:
> 1.1- Start by clean flashing any 28.0.A.8.260 firmware
> Without this step the temporary root does not work...
> But how do I flash firmware if the device still has a locked bootloader? What tool is used for this step?
You can download a tool called flashtool from http://www.flashtool.net/index.php and flash an unmodified ftf firmware. Because the firmware is unmodified the bootloader doesn't have to be unlocked. Many tutorials are available on xda and elsewhere about using this tool, which you can find by doing a Google search. As I said in the prerequisite section, "You should be able to flash an ftf file using flashtool. "

Has anybody successfully tried this guide?

I learned how to flash and successfully did my first flash.
Currently I have a problem with iovyroot.
It always says:
Error: Device not supported
rm: /data/local/tmp/tabackup/TA-*.img: No such file or directory
My current software is:
SGP771_28.0.A.8.251_R15A_UK Generic_1295-4697
and it is earlier than December 2015, like iovyroot needs.
I can't find the *.260 software like in the guide; I don't know if this caused the problem...
Maybe najoor's version works because it was "customized", meaning with a patched kernel. But does a locked bootloader allow me to flash customized firmware?

mrdarek said:
> I learned how to flash and successfully did my first flash.
> Currently I have a problem with iovyroot.
> It always says:
> Error: Device not supported
> rm: /data/local/tmp/tabackup/TA-*.img: No such file or directory
> My current software is:
> SGP771_28.0.A.8.251_R15A_UK Generic_1295-4697
> and it is earlier than December 2015, like iovyroot needs.
> I can't find the *.260 software like in the guide; I don't know if this caused the problem...
> Maybe najoor's version works because it was "customized", meaning with a patched kernel. But does a locked bootloader allow me to flash customized firmware?
As you said it, the problem was that you didn't flash the 260 version, not that it wasn't customized.
If you can't find the right version I will upload it and post a link in the OP. It takes a little time so check this thread again in about 5 hours.

I found the "260" firmware and magically everything started to work. I finished the whole job and now have root and recovery.
It is worth adding a tip about fastboot: you can check the connection by command, but you can also see it: if the LED on the device is blue, the fastboot connection works (if not, try again).
My last question is about how to check that DRM emulation works: under security, after the phone code, there are still errors. I 100% patched the kernel and flashed it properly.
Thanks for the tutorial and support.
Something just does not work... Can someone check the sizes?
boot.img - original kernel androplus 2.5: 17 756 160
andropatched.img - patched with my drm keys: 17 760 256
keys: 2 097 152

mrdarek said:
> I found the "260" firmware and magically everything started to work. I finished the whole job and now have root and recovery.
> It is worth adding a tip about fastboot: you can check the connection by command, but you can also see it: if the LED on the device is blue, the fastboot connection works (if not, try again).
> My last question is about how to check that DRM emulation works: under security, after the phone code, there are still errors. I 100% patched the kernel and flashed it properly.
> Thanks for the tutorial and support.
> Something just does not work... Can someone check the sizes?
> boot.img - original kernel androplus 2.5: 17 756 160
> andropatched.img - patched with my drm keys: 17 760 256
> keys: 2 097 152
The sizes sound about right. What errors are you getting?
You can try to relock the bootloader using the instructions and see if your TA backup works. If that works then we can see why the kernel is patched correctly.

Hi - I successfully restored the bootloader (= locked it, and no errors in service), so I'm sure my keys are OK. It was very hard: 3x flash, 3x tried to use restore (there were still errors), and at last success!!!
Now the whole procedure again, almost from the start, and I will try more if needed. I will send info tomorrow.
---------------------------------------
Hmmm, it does not work... Tested the original Marshmallow Germany kernel and androkernel 2.4. The image test described in step 2.6 fails.
Under security is: Blobs : generic error!
HUK: generic error!
The flashed kernels' names are properly recognized under settings. Root works. I have no idea where the bug is. It must be during creation of the andropatched image, but there are no errors here:
C:\rootkit>drmonly boot.img andropatched.img TA-07102015.img
- Unpacking kernel
Found android boot image
Kernel version: 3.10.84
- Detected vendor: somc (Sony), device: karin, variant: row
- Unpacking initramfs
- Detected platform: 64-bit
- Detected Android version: 6.0
- Skipping drmfix. Unsuppported/untested for model karin
- Creating new initramfs
- Creating boot image
- Cleaning up
Done
C:\rootkit>
--------------------Maybe that line is wrong!!!!!!!!
Skipping drmfix. Unsuppported/untested for model karin
but how to fix it?

mrdarek said:
> Hi - I successfully restored the bootloader (= locked it, and no errors in service), so I'm sure my keys are OK. It was very hard: 3x flash, 3x tried to use restore (there were still errors), and at last success!!!
> Now the whole procedure again, almost from the start, and I will try more if needed. I will send info tomorrow.
> ---------------------------------------
> Hmmm, it does not work... Tested the original Marshmallow Germany kernel and androkernel 2.4. The image test described in step 2.6 fails.
> Under security is: Blobs : generic error!
> HUK: generic error!
> The flashed kernels' names are properly recognized under settings. Root works. I have no idea where the bug is. It must be during creation of the andropatched image, but there are no errors here:
> C:\rootkit>drmonly boot.img andropatched.img TA-07102015.img
> - Unpacking kernel
> Found android boot image
> Kernel version: 3.10.84
> - Detected vendor: somc (Sony), device: karin, variant: row
> - Unpacking initramfs
> - Detected platform: 64-bit
> - Detected Android version: 6.0
> - Skipping drmfix. Unsuppported/untested for model karin
> - Creating new initramfs
> - Creating boot image
> - Cleaning up
> Done
> C:\rootkit>
> --------------------Maybe that line is wrong!!!!!!!!
> Skipping drmfix. Unsuppported/untested for model karin
> but how to fix it?
You need to follow the instructions to the letter:
1- flash the exact same firmware that you made the TA backup with.
2- Restore TA backup.
I guarantee you it will work or I will help you debug it.

I don't quite understand. It was done. The TA backup was done with the "260" firmware. I'm able to lock that firmware again, so it works. But it is only Lollipop; I can't go to Marshmallow from it.
The goal is: Marshmallow with root, TWRP and DRM. How do I achieve it?
I see: I have a new device version (karin), so (hopefully temporarily) this solution does not work for me. I can have only Marshmallow with root and TWRP (no DRM) or Marshmallow with DRM (no root and TWRP). I must wait until developers support my device, and keep my keys in a safe place until that time.

mrdarek said:
> The goal is: Marshmallow with root, TWRP and DRM. How do I achieve it?
mrdarek said:
> Tested the original Marshmallow Germany kernel and androkernel 2.4. The image test described in step 2.6 fails.
> ...
> The flashed kernels' names are properly recognized under settings. Root works. I have no idea where the bug is. It must be during creation of the andropatched image, but there are no errors here:
> ...
> C:\rootkit>drmonly boot.img andropatched.img TA-07102015.img
> ...
> - Skipping drmfix. Unsuppported/untested for model karin
> ...
OK, I see what is going on.
When I use drmonly script version 4.24 I get the following:
Code:
C:\Users\najoor\Desktop\rootkernel_v4.24_Windows_Linux>drmonly.cmd boot.img test.img TA-07102015.img
- Unpacking kernel
Found android boot image
- Unpacking initramfs
- 64-bit platfrom detected
- Configuring secd
- Configuring wvkbd
- Configuring drmserver
- Creating new initramfs
- Creating boot image
- Cleaning up
Done
But if I use version 4.31:
Code:
C:\Users\shervin\Desktop\working\Download\rootkernel_v4.31_Windows_Linux>drmonly.cmd boot.img x.img TA-07102015.img
- Unpacking kernel
Found android boot image
Kernel version: 3.10.84
- Detected vendor: somc (Sony), device: karin, variant: row
- Unpacking initramfs
- Detected platform: 64-bit
- Detected Android version: 6.0
- Skipping drmfix. Unsuppported/untested for model karin
- Creating new initramfs
- Creating boot image
- Cleaning up
Done
I have no idea why @tobias.waldvogel decided to remove the support for Tablet Z4 in the latest version of the drmonly script, but I can see that the DRM works fine with the old version.
I do not have permission from @tobias.waldvogel to post the older version of his script here so you have to ask him to either add support in the new version or give you the older version.
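An added example, not from the thread or from the rootkernel project: a Python check that reads the patch script's output before the image is flashed, because the v4.31 run above ends in "Done" even though the DRM fix was skipped. The two transcripts are copied from the posts above; treating the three "Configuring" lines as the DRM fix being applied is an assumption, as are all function names.

```python
import re

# Assumption: in the v4.24 transcript these three steps are the DRM fix.
DRM_STEPS = ("Configuring secd", "Configuring wvkbd", "Configuring drmserver")

# Tool output copied from the two transcripts quoted in this thread.
LOG_V424 = """\
- Unpacking kernel
Found android boot image
- Unpacking initramfs
- 64-bit platfrom detected
- Configuring secd
- Configuring wvkbd
- Configuring drmserver
- Creating new initramfs
- Creating boot image
- Cleaning up
Done
"""

LOG_V431 = """\
- Unpacking kernel
Found android boot image
Kernel version: 3.10.84
- Detected vendor: somc (Sony), device: karin, variant: row
- Unpacking initramfs
- Detected platform: 64-bit
- Detected Android version: 6.0
- Skipping drmfix. Unsuppported/untested for model karin
- Creating new initramfs
- Creating boot image
- Cleaning up
Done
"""


def parse_patch_log(text):
    """Extract what the script reported about the device and the DRM fix."""
    info = {"device": None, "android": None, "drm_steps": [],
            "skip_reason": None, "finished": False}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if line.startswith("Detected vendor"):
            match = re.search(r"\bdevice:\s*(\w+)", line)
            info["device"] = match.group(1) if match else None
        elif line.startswith("Detected Android version"):
            info["android"] = line.partition(":")[2].strip() or None
        elif line.startswith("Skipping drmfix"):
            reason = line[len("Skipping drmfix"):]
            info["skip_reason"] = reason.lstrip(". ").strip()
        elif line in DRM_STEPS:
            info["drm_steps"].append(line)
        elif line == "Done":
            info["finished"] = True
    return info


def drm_fix_status(info):
    """Classify the run as "skipped", "applied", "partial" or "not reported"."""
    if info["skip_reason"] is not None:
        return "skipped"
    if set(info["drm_steps"]) == set(DRM_STEPS):
        return "applied"
    return "partial" if info["drm_steps"] else "not reported"


def confirm_before_flash(text):
    """Return (ok, message); ok is True only for a finished run with the fix."""
    info = parse_patch_log(text)
    status = drm_fix_status(info)
    if not info["finished"]:
        return False, "script did not reach 'Done'"
    if status == "skipped":
        device = info["device"] or "this device"
        return False, f"DRM fix skipped for {device}: {info['skip_reason']}"
    if status != "applied":
        return False, f"DRM fix {status}; do not assume the image carries it"
    return True, "DRM fix steps present"


if __name__ == "__main__":
    for name, log in (("v4.24", LOG_V424), ("v4.31", LOG_V431)):
        ok, message = confirm_before_flash(log)
        print(f"{name}: {'OK' if ok else 'STOP'} - {message}")
```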

Thanks - so now I see where the problem is. I will try to contact the author.
Heh - I sent him a PM but it was my fault [added: it was not totally my fault - Tobias is working on a new version and soon we should have a new working utility for all ]
I'm clever enough to modify the script in 5 minutes (it is text), and stupid enough to flash it immediately. Now I have....
rooted Marshmallow with DRM KEY and TWRP - job finished
To finish the job I disabled auto-update in settings, because now it has become possible

FAILED <remote dtb not found>
Unlocked the bootloader and successfully retrieved TA partition with SGP771_28.0.A.8.260, installed stock 32.1.A.1.185, tablet runs fine without problems.
Retrieving the boot.img from Z4T_SGP771_AndroPlusKernel_v27 for my SGP771 device and running
Code:
fastboot boot boot.img
gives
downloading 'boot.img' ...
OKAY [ 0.347s]
booting ....
FAILED <remote: dtb not found>
This happens even with the 32.1.A.1.185 stock boot.img. Tried on Kubuntu 16.04 and WIN7. Same result. When I flash
the AndroPlusKernel_v27 boot.img,
Code:
fastboot flash boot boot.img
finishes without errors and the tablet does not boot any more, but (thank God) fastboot mode is still functioning.
I am lost. Cannot root my tablet. Any clues?
---------- Post added at 04:14 PM ---------- Previous post was at 03:41 PM ----------
Sorry, correction:
first retrieved TA partition, then unlocked bootloader.

Hybel1507 said:
> Unlocked the bootloader and successfully retrieved TA partition with SGP771_28.0.A.8.260, installed stock 32.1.A.1.185, tablet runs fine without problems.
> Retrieving the boot.img from Z4T_SGP771_AndroPlusKernel_v27 for my SGP771 device and running
> Code:
> fastboot boot boot.img
> gives
> This happens even with the 32.1.A.1.185 stock boot.img. Tried on Kubuntu 16.04 and WIN7. Same result. When I flash
> the AndroPlusKernel_v27 boot.img,
> Code:
> fastboot flash boot boot.img
> finishes without errors and the tablet does not boot any more, but (thank God) fastboot mode is still functioning.
> I am lost. Cannot root my tablet. Any clues?
> ---------- Post added at 04:14 PM ---------- Previous post was at 03:41 PM ----------
> Sorry, correction:
> first retrieved TA partition, then unlocked bootloader.
Please follow the following steps exactly and let me know in what step things fail. If you do not provide detailed information I will not be able to help you.
1- Clean flash a 185 ftf and make sure system boots fine.
2- extract the kernel.elf from the ftf and use fastboot to see if you can boot using fastboot with this kernel.
3- extract boot.img from AndroPlusKernel_v27 and see if you can use fastboot to boot with this image.
4- use the procedure in the OP to patch AndroPlus kernel and see if you can use fastboot to boot with this image.
5- flash this image using fastboot to see if the system boots fine.

Related

[BOOTLOADER][MULTIBOOT + RECOVERY][BOOTMENU] Patched ICS bootloader V9 (19/07/2013)

All right, final ICS is out, but the stock bootloader still doesn't have fastboot oem unlock working. So, it's either HC bootloader or patched ICS bootloader. Please note that installing custom kernel / recovery on unpatched ICS bootloader will require recovering your device only with nvflash!
This bootloader can only be flashed using nvflash. You can use the guide here http://forum.xda-developers.com/showthread.php?t=1622425. There is also a post explaining nvflash in here: http://forum.xda-developers.com/showpost.php?p=22923662&postcount=9
YOU DO EVERYTHING AT YOUR OWN RISK!!!
Patched Bootloader V9 (V9-gbc410d4): (19/07/2013)
- based on latest Acer BL 0.03.14-ICS, it will pass 0.03.14-EXT to command line, along with V9-ga81f36b for revision
- booting from ext4 filesystem (see further for howto)
- grub style selection screen if multiple images are installed
- added font outline & kerning, uses updated skin application (by yaworski)
- GUI improvements
- haptic feedback
- OpenSuse 12.3 theme
- expanded fastboot commands
- fixed debug mode cmdline
Patched Bootloader V8: (07/06/2012)
- based on latest Acer BL 0.03.14-ICS, it will pass 0.03.14-MUL to command line
- fastboot handler is completely built from source code
- fastboot:
- A) download command will no longer write downloaded data to cache,
this means that on using flash and boot command, cache won't be wiped
- B) more convenient bootloader flashing (reboots right away to new BL)
- C) you won't have to have cache partition sized larger than other partitions,
in order to flash them
- D) maximum data size that can be sent with fastboot is 700 MiB
- revamped GUI, now with fullscreen bootsplash and custom font, and themable
- added fastboot oem sbk command, which will print sbk on the tablet
- several small changes
Patched Bootloader V7: (31/05/2012)
- based on latest Acer BL 0.03.14-ICS, it will pass 0.03.14-MUL to command line
- one bootloader for both A500 / A501
- expanded bootmenu application (built from source) with handling several fastboot commands
- fastboot getvar serialno will return real serial number
- bootmenu has options to boot primary / secondary image on current boot
- attempting to boot invalid kernel image will result in being stuck in bootmenu
Patched Bootloader V6: (20/05/2012)
- based on latest Acer BL 0.03.14-ICS, it will pass 0.03.14-MUL to command line
- added simple boot menu (built from source)
Patched Bootloader V5: (18/05/2012)
- based on latest Acer BL 0.03.14-ICS, it will pass 0.03.14-MUL to command line
- dualboot (read lower for more information)
- added "fastboot flash bootloader bootloader.blob" command
Patched Bootloader V4: (13/05/2012)
- based on latest Acer BL 0.03.14-ICS, it will pass 0.03.14-UNL to command line
- allow bootlogo change (scroll down)
- allow unsigned update via bootloader.blob using CWM
- fixed: AKB partition is no longer used
- fixed: debug on / off works correctly
- fixed: bootloader will now boot to recovery if you erase boot (LNX) partition
- change: bootloader won't pass vmalloc parameter to cmdline
Patched Bootloader V3: (26/04/2012)
- no signature checks
- no "itsmagic" check
- based on latest Acer BL 0.03.12-ICS, it will pass 0.03.12-UNL to command line
- enabled fastboot (details lower)
- replaced bootlogo (moreover just testing that, need to allow bigger image)
FASTBOOT & BOOTMENU (since V6):
POWER + VOLUME DOWN will boot to recovery (won't erase cache).
POWER + VOLUME UP will boot to bootmenu.
In bootmenu, you can do:
A) Reboot
B) Go to fastboot mode
C) Toggle boot mode and set default kernel image on the selection screen
D) Toggle debug mode (modifies cmdline), forbid EXT4 boot in case of a bug in fs
E) Make selection screen include recovery and fastboot
F) Wipe cache (in case you get bad bootloader update and tablet won't boot)
To check for fastboot commands, see the README on the Github.
Here is CWM for ICS bootloader: http://forum.xda-developers.com/showthread.php?t=1654476 , you can flash it from fastboot after you flash the bootloader.
Do NOT run itsmagic on V5+ if you use dualboot, it will corrupt the secondary boot image.
BOOTLOGO CHANGE:
Changelog:
1.06 (19/07/2013)
- updated for V9
1.05 (07/06/2012)
- new application for V8
- customizes bootsplash and the colors
1.04 (31/05/2012)
- updated to support V7
1.03 (19/05/2012)
- updated to support coming V6
1.02 (18/05/2012)
- updated to support V5 as well
1.01 (14/05/2012)
- fixed blob loading & generation
- fix: require only .NET 2.0
1.00 (13/05/2012)
- Initial release
Download the tool from here:
Windows: http://skrilax.droid-developers.org/a500/nvflash/tools/A500BootLogo_106_v9_win.zip
Other OS (Mono): http://skrilax.droid-developers.org/a500/nvflash/tools/A500BootLogo_106_v9_mono.zip
Steps to change bootlogo:
(V4 - V7, application version 1.00 - 1.04)
A) Open the bootloader using File menu.
B) Open the image you want using Image menu (the image size must be 268x72)
C) Save the bootloader as *.blob
D) Flash it with a fastboot
(V8, application version 1.05)
(V9, application version 1.06)
A) Open the bootloader using File menu.
B) Open the image you want using Image menu (the image size must be 1280x800), note file limit max is 200 kB
C) If you wish, tick the checkbox for color customization and set the colors at your wish
D) Save the bootloader as *.blob
E) Flash it with a fastboot
Stock bootlogo is in attachment.
If you want to flash as *.blob, you have to create an update.zip for CWM and flash using this update script:
Code:
mount("ext4", "EMMC", "/dev/block/mmcblk0p3", "/system");
package_extract_file("bootloader.blob","/tmp/bootloader.blob");
unmount("/cache");
format("ext4","EMMC","/dev/block/mmcblk0p4","0");
run_program("/system/bin/dd","if=/tmp/bootloader.blob","of=/dev/block/mmcblk0p4");
unmount("/system");
mmcblk0p4 is cache partition. Please note that flashing a nonworking bootloader via *.blob will require recovery using nvflash.
MULTIBOOT:
Before I start, the bootloader will work correctly if you just use single kernel image as you were used to on previous versions. You can just use it the very same as the older versions.
In other words, you can just install it and not have to bother about this at all.
All right, new feature of V5 is dualboot, i.e toggling to boot two different images and keeping the recovery intact, it is primarily intended to run both Android & Native Linux ported by sp3dev. In V9 this was extended with booting from EXT4 filesystem.
First, basic information:
Multiboot sets the booting partition with "permanent effect" (i.e not like holding down a button to boot secondary partition, nothing like that). It is the partition that is highlighted by default on the selection screen.
Primary kernel image is LNX partition (/dev/block/mmcblk0p2, size 8 MB), or "boot" when using fastboot flash / erase command. This is the default partition, used by older bootloaders as well.
Secondary kernel image is AKB partition (/dev/block/mmcblk0p7, size 10 MB), or "secboot" when using fastboot flash / erase command. This partition is used for storing checksums on HC bootloader. If this partition doesn't contain Android boot image, it will not show.
Further kernel images can be specified in the menu file for the bootloader.
Now, how to toggle between booting images:
A) Using bootloaderctl
B) Using fastboot:
- "fastboot oem set-boot-image 0" - sets to boot first kernel image
- "fastboot oem set-boot-image 1" - sets to boot second kernel image
- etc.
C) Using bootmenu GUI
Now, how to flash the secondary kernel image:
Either use "dd if=secboot.img of=/dev/block/mmcblk0p7" from within android or recovery, or in fastboot, you can use:
Code:
fastboot flash secboot secboot.img <- to flash
fastboot erase secboot <- to erase
DEV:
A) Dualboot
bootloaderctl can be used to modify bootloader settings. Source is in github, or use precompiled version for Android: http://skrilax.droid-developers.org/a500/nvflash/images/bootloaderctl
B) EXT4 FS boot
Since V9, there is also support for EXT4FS boot. Here is example menu.skrilax file for setting it up:
Code:
================================================================================
Example menu.skrilax file:
================================================================================
; commentary is prefixed with ';'
; .ini file structure
; First, three possibilities to boot from partitions
; LNX - primary image (always present, can specify title only)
[LNX]
title=Android
; AKB - secondary image (will not show if property AKB partition doesn't hold android image)
[AKB]
title=LUbuntu
; SOS - recovery image (will show if it's set by user)
[SOS]
title=CWM
; Properties for EXTFS booting
;
; title - text to show in menu
; cmdline - override cmdline (prefixing with @ will make the bootloader append the cmdline to the default one)
;
; Then there are two possibilities:
;
; A) boot android image
; android - path to android image (will be used if present)
;
; B) boot zImage with ramdisk (optional)
; zImage - path to zImage
; ramdisk - path to ramdisk (optional)
; First entry
[BOOT1]
title=EXT4FS Boot 1
android=APP:/boot/boot.img
; Second entry
[BOOT2]
title=EXT4FS Boot 2
zImage=APP:/boot/zImage
ramdisk=APP:/boot/ramdisk
Important to note is that path is in bootloader format i.e PARTITION:file_path_in_partition. For instance APP:/boot/boot.img would be for /system/boot/boot.img when mounted in Android. To see the partition list, see the readme on github.
Lastly you have to tell the bootloader the location of the file. Either boot to android and use bootloaderctl under root user (assuming that the file is under /system/boot/menu.skrilax):
Code:
bootloaderctl --set-boot-file APP:/boot/menu.skrilax
or use fastboot
Code:
fastboot oem set-boot-file APP:/boot/menu.skrilax
If you have problems with booting (stuck on BL screen w/o text showing anything) and have EXT4 FS boot setup, reboot to bootmenu and forbid EXT4 FS boot (it may get stuck if FS is corrupted).
C) Bootmenu
Bootmenu part of the bootloader is open source, with basic functions of the bootloader map. This includes full framebuffer access (hacked a bit as of V9), some standard library functions (you can use your own of course), partition handling, gpio (key handling), fastboot, reboot. Bootmenu currently acts as sub-bootloader, as it passes control back to the bootloader for booting the actual image.
Bootmenu is licensed GPL V3, you can find repository here: https://github.com/SkrilaxCZ/a500_bootmenu
Compile it by running "make", with CROSS_COMPILE set. You can also use "O=../obj" if you prefer obj folder like I do. Also for bootloaderctl either set NO_BOOTLOADERCTL=1 or LINUX_COMPILE and ANDROID_COMPILE for cross-compilers for Linux or Android.
FAQ:
Q: What are the main advantages over HC bootloader?
A: Mainly fastboot. Then more comfort, but for running a custom ROM, HC bootloader is just as fine. And since V5, the possibility of dualboot.
Q: Can I unbrick my A500 with nvflash?
A: Provided, that you saved CPUID to generate SBK and have mmcblk0_start backup, yes. You can recover by installing this bootloader over HC bootloader should you have SOS and LNX image checksum failure.
Q: What is the best way to install ICS bootloader?
A: First install the bootloader with nvflash. Then using fastboot (POWER + VOLUME UP) flash recovery. From there flash ROM for ICS bootloader. You can however install the recovery with nvflash too.
Q: How do I use fastboot?
A: Fastboot is part of Android SDK, you get it just as you get adb. To recover with fastboot, reset the tablet and hold POWER + VOLUME_UP, the tablet will say "Fastboot Mode". Open up command line in the directory where you have fastboot, and use:
Code:
fastboot flash boot boot.img <- flashes boot.img (to kernel partition - LNX)
fastboot flash recovery recovery.img <- flashes recovery.img (to recovery partition - SOS)
Basically, to unbrick it, use the one to flash recovery. Then boot to the recovery, and flash working backup / ROM, whatever you like.
Q: Fastboot oem debug on / off:
A: This has use only for kernel developers. Fastboot oem debug on / off will only change the cmdline to serial console (on) or null console (off). The console parameter can be edited on offset 0x87638, by default it is "console=ttyS0,115200n8".
Q: Updating BL via recovery:
A: Since V4 supports flashing custom bootloader.blobs. Trying to flash custom bootloader.blob on any other bootloader will result in update failed and bootloader not modified (so this part is safe). Flashing a bad bootloader via bootloader.blob will require recovering with nvflash.
Q: Factory reset:
A: Factory reset (Vol UP and switching the rot. lock) is not supported on patched bootloader, use recovery or "fastboot erase userdata".
Q: The tablet won't boot secondary kernel image, but I have working kernel image. What should I do?
A: Toggle boot partition in boot menu back to primary.
Q: The tablet doesn't boot after bootloader install.
A: Boot to bootmenu and wipe cache.
INSTALL:
There are four methods of installing:
A) Flashing the *.bin file using nvflash manually, providing as the bootloader_apx.bin to "-bl" argument
B) Using blackthund3r's tool, see guide here: http://forum.xda-developers.com/showthread.php?t=1622425
C) If you have V4+ installed (or newer), you can flash the update.zip for CWM
D) If you have V5+ installed, then you can also use fastboot: "fastboot flash bootloader bootloader.blob". Please note that if you supply invalid block image, then you have to use "fastboot erase cache".
CREDITS:
Bootmenu uses code from following applications:
GRUB: jpg loading
SUSE: V8, V9 Splash screen image
yaworski: font outline / kerning
DOWNLOAD:
There are zip files with bootloaders for a500 / a501 - containing three files:
bootloader_apx.bin - this is bootloader binary to be booted when flashing via nvflash (use with -bl argument)
bootloader_hc.bin - this is HC bootloader, w/o signature and itsmagic checks
bootloader_ics_vx.bin - this is the ICS bootloader file
Please note that using old bootloader_apx.bin (from pre-V5 package) when updating manually will corrupt your secondary kernel image.
Alternatively, you can find there a500apx images for blackthund3r's tool (http://d-h.st/Fkt), there is also repository for the tool on this URL "http://skrilax.droid-developers.org/a500/nvflash", contains only bootloaders. They can be downloaded manually as well.
Download page: http://skrilax.droid-developers.org/a500/nvflash/images/
A500 / A501 ICS V9 BL:
Zip: http://skrilax.droid-developers.org/a500/nvflash/images/a500_a501_bootloaders_apx_ics_v9.zip
blackthund3r's tool package: http://skrilax.droid-developers.org/a500/nvflash/images/A500_A501_ICS_V9_bootloader.a500apx
Update.zip for CWM: http://skrilax.droid-developers.org/a500/nvflash/images/a500_a501_cwm_update_v9.zip
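A way to check a menu.skrilax file against the rules described in section B before pointing the bootloader at it, as an added example that is not part of the original post or the bootloader project. The EXTFS section-name pattern (BOOT plus digits), the path shape, and the rule that partition sections take only title are assumptions drawn from the sample file; GOOD_MENU and BAD_MENU are constructed inputs.

```python
import re

PARTITION_SECTIONS = {"LNX", "AKB", "SOS"}   # partition entries named in the post
EXTFS_KEYS = {"title", "cmdline", "android", "zImage", "ramdisk"}
PATH_KEYS = ("android", "zImage", "ramdisk")
EXTFS_SECTION = re.compile(r"^BOOT\d+$")     # assumption, from [BOOT1] / [BOOT2]
# Assumed shape of PARTITION:file_path_in_partition: upper-case name, absolute path.
BL_PATH = re.compile(r"^[A-Z0-9]+:/\S+$")


def parse_menu(text):
    """Parse the .ini-style file. Returns (sections, problems)."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or commentary
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current in sections:
                problems.append(f"line {lineno}: duplicate section [{current}]")
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep:
            problems.append(f"line {lineno}: not a comment, section or key=value")
        elif current is None:
            problems.append(f"line {lineno}: '{key}' appears before any [section]")
        else:
            # A repeated key usually means a section header went missing.
            if key in sections[current]:
                problems.append(f"line {lineno}: duplicate key '{key}' in [{current}]")
            sections[current][key] = value.strip()
    return sections, problems


def validate_menu(text):
    """Return a list of problems; an empty list means the file passed."""
    sections, problems = parse_menu(text)
    for name, keys in sections.items():
        if name in PARTITION_SECTIONS:
            extra = sorted(set(keys) - {"title"})
            if extra:
                problems.append(f"[{name}]: only 'title' is documented, found {extra}")
            continue
        if not EXTFS_SECTION.match(name):
            problems.append(f"[{name}]: unknown section name")
            continue
        unknown = sorted(set(keys) - EXTFS_KEYS)
        if unknown:
            problems.append(f"[{name}]: unknown keys {unknown}")
        if "android" not in keys and "zImage" not in keys:
            problems.append(f"[{name}]: needs 'android' or 'zImage'")
        if "android" in keys and "zImage" in keys:
            problems.append(f"[{name}]: 'android' is used when present, 'zImage' is ignored")
        for key in PATH_KEYS:
            if key in keys and not BL_PATH.match(keys[key]):
                problems.append(f"[{name}]: {key}={keys[key]!r} is not PARTITION:/path")
    return problems


# Constructed sample: the layout from the post, with all three partition sections.
GOOD_MENU = """\
[LNX]
title=Android
[AKB]
title=LUbuntu
[SOS]
title=CWM
[BOOT1]
title=EXT4FS Boot 1
android=APP:/boot/boot.img
[BOOT2]
title=EXT4FS Boot 2
zImage=APP:/boot/zImage
ramdisk=APP:/boot/ramdisk
"""

# Constructed sample with three mistakes.
BAD_MENU = """\
[LNX]
title=Android
[AKB]
title=LUbuntu
; the [SOS] header is missing, so this title lands in [AKB]
title=CWM
[BOOT1]
title=Android-style path instead of bootloader format
android=/system/boot/boot.img
[BOOT2]
title=Ramdisk without a kernel
ramdisk=APP:/boot/ramdisk
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_MENU), ("bad", BAD_MENU)):
        print(label, validate_menu(text) or "OK")
```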
Wow, you found a way to boot into fastboot directly. Thank you. As for bigger logo I think that it would require to extend the space where the logo resides in bootloader file and that would require to recalculate all addresses after that area. I don't have sufficient knowledge in this area to even guess if this is possible.
This with strra , bat makes it so easy .
Thanks !!!!!!!!!!!
EDIT:
Maybe and I think it is a stupid question but anyway gonna ask it.
I installed this and it runs fine, I can go into recovery and all but not into fastboot (it says fastboot starting..............) = STUPID me need to type commands so it does something
And if I check my bootloader it still shows 3.01 HC ?
Do I need to flash the official leak first and then run this unlocked patch ?
I will try some different stuff , new to this nvflashing things on a tab , did it 100+ times on GPU's but never on my tab.
It pass the flash thing but then I get in red : secure boot : image LNX checksum fail !
EDIT2:
After flashing some more all is well , but still want to know what the following line means after I installed the V3 bootloader : secure boot : image LNX checksum fail !
If I check my bootloader version now it is 0.03.12-UNL and I got the Thor 1.7 recovery for ICS bootloader users running.
I can flash custom roms and all so no problems here.
Again thanks for the work !! Just a nvflash noob asking some side info !
EDIT3: Question
If I make a update .zip with only bootloader.blob and then the user runs this with the strra packages will that do the trick to make it easy to update to unlocked bootloader and custom recovery?
What I did:
See attachment ; you find what I used and your V3 is in the package , I followed the guide and links by jm77 but I used the stuff in the attachments.
Make sure you got your uid (CPUuid) so you can get your SBK. (you find this in your cwm backup folder or follow instructions from jm77 guide)
Going back to HC roms is not possible just so you know.
yaworski said:
> Wow, you found a way to boot into fastboot directly. Thank you. As for bigger logo I think that it would require to extend the space where the logo resides in bootloader file and that would require to recalculate all addresses after that area. I don't have sufficient knowledge in this area to even guess if this is possible.
Yeah, I rewrote the function setting the boot mode. Well, I wasn't thinking of full screen bootlogo, just purging the other unused images and using the space for a single logo. Full logo is over 4 M.
civato said:
> Do I need to flash the official leak first and then run this unlocked patch ?
> I will try some different stuff , new to this nvflashing things on a tab , did it 100+ times on GPU's but never on my tab.
> It pass the flash thing but then I get in red : secure boot : image LNX checksum fail !
We're using the HC bootloader when you communicate with nvflash (for some reason, ICS will not work). This means that after flashing, don't continue booting, just power off the tablet (as HC bootloader will fail booting on the checksums) and then power it back on.
To upgrade:
1) flash the bootloader with nvflash
2) boot to fastboot (POWER + VOLUME UP), flash CWM via fastboot
3) flash ROM via CWM
civato said:
> If I make a update .zip with only bootloader.blob and then the user runs this with the strra packages will that do the trick to make it easy to update to unlocked bootloader and custom recovery?
No, that can't be used to install unlocked bootloader. The bootloader is checked for signature that way. Only nvflash.
Ignore this post. Quoted myself by accident.
Skrilax_CZ said:
> We're using the HC bootloader when you communicate with nvflash (for some reason, ICS will not work). This means that after flashing, don't continue booting, just power off the tablet (as HC bootloader will fail booting on the checksums) and then power it back on.
> To upgrade:
> 1) flash the bootloader with nvflash
> 2) boot to fastboot (POWER + VOLUME UP), flash CWM via fastboot
> 3) flash ROM via CWM
> No, that can't be used to install unlocked bootloader. The bootloader is checked for signature that way.
Thanks , m8 , all went OK and works so no problems , got your V3 running and I got custom cwm .
Was just looking if it was possible to make the steps even more simple to the new users.
Can't we flash the bootloader and the cwm through nvflash anymore? I use a modified script from strra to flash back and forward between hc bootloader icw twrp and bootloader V2 icw the corresponding cwm.
Taptalked u see
Zatta said:
> Can't we flash the bootloader and the cwm through nvflash anymore? I use a modified script from strra to flash back and forward between hc bootloader icw twrp and bootloader V2 icw the corresponding cwm.
> Taptalked u see
Yes you can, I did it that way with the package I uploaded, it is strra package with this V3 in it.
Can you upload the HC bootloader for me so I can go back and forth if I want.
Skrilax_CZ said:
> We're using the HC bootloader when you communicate with nvflash (for some reason, ICS will not work).
> No, that can't be used to install unlocked bootloader. The bootloader is checked for signature that way. Only nvflash.
Could it be if we use the USB driver from the a200 ICS from Acer that is will work , communication with nvflash.
And not asking if it is possible to flash the patched bootloader with cwm.
Just a update zip with the original bootloader.blob flash it with cwm and then run nvflash to install the patched boot loader and custom recovery.
That way user won't have to download and install the whole original rom .
No, the error is in the nvflash interface in ICS bootloader itself. However it's pretty much irrelevant which bootloader you use to communicate with nvflash, if they all were working.
civato said:
> And not asking if it is possible to flash the patched bootloader with cwm.
> Just a update zip with the original bootloader.blob flash it with cwm and then run nvflash to install the patched boot loader and custom recovery.
> That way user won't have to download and install the whole original rom .
Not entirely sure if I understand what you mean. If you flash original bootloader.blob with ICS, you have to have signed kernel / recovery flashed on the device. Otherwise the only way to recover from that is using nvflash. Easiest way is as I said in 1st post:
1) patched BL using nvflash
2) custom recovery with fastboot
3) ROM (or fixed boot.img for ICS bootloader)
Keep in mind, that in V2, you could only boot to fastboot via "adb reboot bootloader", POWER + VOL_UP to boot to fastboot is new in V3.
I wonder why they didn't enable OEM UNLOCK in this? Even the A510 has that capability. oh well. I'll be flashing this tonight.
THANKS!
PS. Good call on the 0.03.12-UNL version#. Thanks again!
civato said:
> Yes you can, I did it that way with the package I uploaded, it is strra package with this V3 in it.
> Can you upload the HC bootloader for me so I can go back and forth if I want.
See this post, I was looking for the same a week ago: http://forum.xda-developers.com/showthread.php?p=25175512
But I believe the bootloader.bin that is in strra's package is also the 3.01 bootloader, at least the size of the same.
Taptalked u see
Skrilax, did you check the BL in A501 latest leaks ?
Version is more recent than A500's (0.03.14-ICS), wondering what might have changed.
Oh didn't know. Rough checking by hex editor: don't see that oem unlock is enabled, and sending it through nvflash is still throwing error (just an annoyance more or less).
Skrilax_CZ said:
> No, the error is in the nvflash interface in ICS bootloader itself. However it's pretty much irrelevant which bootloader you use to communicate with nvflash, if they all were working.
> Not entirely sure if I understand what you mean. If you flash original bootloader.blob with ICS, you have to have signed kernel / recovery flashed on the device. Otherwise the only way to recover from that is using nvflash. Easiest way is as I said in 1st post:
> 1) patched BL using nvflash
> 2) custom recovery with fastboot
> 3) ROM (or fixed boot.img for ICS bootloader)
> Keep in mind, that in V2, you could only boot to fastboot via "adb reboot bootloader", POWER + VOL_UP to boot to fastboot is new in V3.
OK thanks , didn't know about v2 as I never flashed that one.
V3 is running and doing his thing just fine .
And flashing with nvflash isn't that hard.
What I did wrong? I followed instruction and got new ICS boot v3 with fastboot, but when i try to enter into fastboot i only get text "fastboot starting ..." and nothing else.
Kh_Shad said:
> What I did wrong? I followed instruction and got new ICS boot v3 with fastboot, but when i try to enter into fastboot i only get text "fastboot starting ..." and nothing else.
You gotta type in commands in cmd. First type fastboot devices, you will get a number or a "?" That is fine. Then you type in the commands.
Kh_Shad said:
> What I did wrong? I followed instruction and got new ICS boot v3 with fastboot, but when i try to enter into fastboot i only get text "fastboot starting ..." and nothing else.
It doesn't print anything else (in the morning I revised it to rather say "Fastboot Mode"). Just connect it to PC and use fastboot.
civato said:
> You gotta type in commands in cmd. First type fastboot devices, you will get a number or a "?" That is fine. Then you type in the commands.
OK so I'm pretty tech say. Lol but I'm kinda confused as to how to get to is bootloader. I don't know what nvflash is or where to find it as I have been through the links and can't find it. And just confusing with all the links and such. Could anyone PLEASE pm what I need to do exactly and links to exactly what I need. I would be forever grateful. Thank you one and all for whatever help you give me
Sent from my A500 using Tapatalk 2
warfenix said:
> OK so I'm pretty tech say. Lol but I'm kinda confused as to how to get to is bootloader. I don't know what nvflash is or where to find it as I have been through the links and can't find it. And just confusing with all the links and such. Could anyone PLEASE pm what I need to do exactly and links to exactly what I need. I would be forever grateful. Thank you one and all for whatever help you give me
> Sent from my A500 using Tapatalk 2
If I got time I do a write-up on the steps how I did it and with the test rom I used.
Only tip I want to give is, if you flash the full leaked rom 1.031.00 (same as what Acer is rolling out as ICS release now so it seems) is to open it with winrar or 7 zip (don't unpack) and delete the recovery folder in it. Makes it easier on the recovery part.
And that is how I did it.
But again I will do a write-up as I understand that for some it is kinda scary to do this.

[Guide] Safe bootloader unlock, restore DRM, custom recovery, root, bootloader relock

** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **
The following is tested on model E6553. This may work for the dual sim model too but I have not verified it. Do not flash the ftf and kernel files intended for one model onto another.
I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
Credits: @zxz0O0, @tobias.waldvogel
0- Prerequisites
You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your phone when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.
1- How to unlock your bootloader without losing the DRM keys
Sony has designed this phone such that if you unlock your bootloader you lose your TA partition PERMANENTLY which includes some of the Xperia features and licenses that have to do with image processing etc. forever. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each device and cannot be copied over from another) unlocking the bootloader results in an irreversible loss of some of your phone's features. Relocking the bootloader will not bring them back.
A hack exists that allows you to backup the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the Customized NL ftf that you can get from here.
1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable.
Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
1.3- Turn on usb debugging mode on your phone.
1.4- Download iovyroot zip v0.4 or higher from here.
1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
1.6- Connect the phone which is now in USB debugging mode to your PC and answer yes when the phone asks to authorize the PC to access it in USB debugging mode. You can check that the PC indeed sees the phone by running this command
Code:
adb devices
1.7- Run the following command:
Code:
tabackup
1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-05052016.img (the name may be different for you) with a size of 2MB in your folder.
1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
1.10- Reboot the device.
1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
1.12- Reboot the device and it will briefly enter recovery and then start the phone initial setup.
1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
Code:
fastboot boot boot.img
1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 E6553_Customized HK_1294-9654_32.1.A.1.185_R7C (the latest firmware at the time of this writing.)
2- How to emulate DRM keys and/or root and/or add recovery after unlocking the bootloader.
A hack exists that can emulate the DRM keys:
2.1- Extract the boot image from the 32.1.A.1.185 marshmallow ftf that you installed in step 1.15. Here are the steps to take:
Open the ftf file with 7-zip or any zip program that you have at your disposal
Look for a file called kernel.sin and extract it.
Start flashtool and from Tools menu choose Sin Editor.
Select the kernel.sin that you extracted in the previous step and hit Extract data.
Flashtool will create a file called kernel.elf which you will use in the next step.
2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
2.3- Copy the kernel.elf that you got in step 2.1 to this folder. If you want root, follow this guide through to section 5 place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133 (The rootkernel tool has a bug in its built-in SuperSU integration. See: http://forum.xda-developers.com/showpost.php?p=67485478&postcount=838)
2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
Code:
rootkernel.cmd kernel.elf boot-patched.img
When prompted, answer as follows:
- Sony RIC is enabled. Disable? [Y/n] Y (if you want root plus write access)
- Install TWRP recovery? [Y/n] Y (if you want to have recovery)
- Install busybox? [Y/n] Y (if you want busybox. It is very useful)
- Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
- Install DRM fix? [Y/n] Y (if you want DRM emulation)
This will create a new kernel image called boot-patched.img which you will now flash on your phone.
2.5- Boot the phone in the fastboot mode and flash your patched image using the following fastboot command:
Code:
fastboot flash boot boot-patched.img
2.6- (Optional) You can reboot the phone and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is successful you will see this.
3- How to flash a custom or stock kernel
3.0- If you have already flashed the patched kernel in part 2 you will skip this part.
3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash a boot image (i.e. kernel) on your phone you need to restart the tablet in fastboot mode.
3.2- To flash the kernel use this command:
Code:
fastboot flash boot name_of_your_kernel
You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)
4- How to add and use recovery
4.1- Recovery is added to your kernel in step 2.4.
4.2- To enter recovery reboot the phone and touch the volume up key when the LED turns yellow during the boot splash screen.
5- How to root
5.1- Place SuperSU 2.71 zip (or higher) on the phone's sdcard. The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
5.2- Reboot to recovery and flash the zip file.
6- How to relock bootloader and return it to original factory state
6.0- To relock the bootloader along with restoring the DRM keys the phone must have unmodified stock firmware.
6.1- Repeat step 1.1
6.2- Repeat steps 1.3, 1.4, and 1.5
6.3- Copy the TA backup image that you had obtained in section 1 in the iovyroot folder and use the tarestore command to flash the TA partition back onto the phone. The command will look similar to this:
Code:
tarestore TA-05052016.img
Make sure the command completes with no error. If it fails the first time try again. Reboot the phone. Your bootloader is now locked and your DRM keys restored.
6.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
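A sanity check for the TA backup from steps 1.8 and 1.9 that can be rerun on every stored copy before the restore in step 6.3, as an added example that is not part of the original guide or of iovyroot. It assumes the guide's "2MB" means exactly 2 MiB, treats an image made of one repeated byte as a blank dump (a heuristic), and builds constructed sample files in a temporary directory.

```python
import hashlib
import os
import tempfile

EXPECTED_SIZE = 2 * 1024 * 1024   # assumption: the guide's "2MB" means 2 MiB
CHUNK = 1 << 20


def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def check_ta_backup(path):
    """Return (digest, problems) for one TA image file."""
    problems = []
    size = os.path.getsize(path)
    if size != EXPECTED_SIZE:
        problems.append(f"size is {size} bytes, expected {EXPECTED_SIZE}")
    # Heuristic: a dump that is empty or all one byte value was not read correctly.
    seen = set()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            seen.update(block)
            if len(seen) > 1:
                break
    if len(seen) <= 1:
        problems.append("image is empty or a single repeated byte (blank dump)")
    return sha256_file(path), problems


def verify_copies(paths):
    """Check each stored copy and confirm all copies are byte-identical."""
    problems, digests = [], {}
    for path in paths:
        if not os.path.isfile(path):
            problems.append(f"{path}: missing")
            continue
        digest, issues = check_ta_backup(path)
        digests[path] = digest
        problems += [f"{path}: {issue}" for issue in issues]
    if len(set(digests.values())) > 1:
        listing = ", ".join(f"{os.path.basename(p)}={d[:12]}" for p, d in digests.items())
        problems.append("copies differ: " + listing)
    return problems


def demo():
    """Run the checks over constructed images (not real TA dumps)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = bytes(range(256)) * (EXPECTED_SIZE // 256)
        files = {
            "TA-local.img": good,
            "TA-cloud.img": good,
            "TA-truncated.img": good[: EXPECTED_SIZE // 2],
            "TA-blank.img": b"\xff" * EXPECTED_SIZE,
        }
        paths = {}
        for name, data in files.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "wb") as f:
                f.write(data)
        return {
            "matching": verify_copies([paths["TA-local.img"], paths["TA-cloud.img"]]),
            "truncated": verify_copies([paths["TA-local.img"], paths["TA-truncated.img"]]),
            "blank": check_ta_backup(paths["TA-blank.img"])[1],
        }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "OK")
```

Recording the digest next to each copy when the backup is made lets a later run show whether a copy changed in storage.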
Whoa Great
---------- Post added at 01:32 AM ---------- Previous post was at 12:50 AM ----------
najoor said:
** DISCLAIMER: I AM NOT A DEV AND THIS IS MY HOBBY. I ASSUME NO RESPONSIBILITY IF THIS BREAKS YOUR DEVICE **​The following is tested on model E6553. This may work for the dual sim model too but I have not verified it. Do not flash the ftf and kernel files intended for one model onto another.​I am not taking credit for any of the tools and kernels here. They are all developed by others. I am only telling you how to use them.
Credits: @zxz0O0, @tobias.waldvogel
0- Prerequisites
You need to have a functioning installation of adb and fastboot tools. You need to have proper Sony drivers installed on your PC to detect your phone when it is connected to the PC. You should be able to flash an ftf file using flashtool. If any of these sound unfamiliar to you, stop reading, go learn about them, and then come back.
1- How to unlock your bootloader without losing the DRM keys
Sony has designed this phone such that if you unlock your bootloader you lose your TA partition PERMANENTLY which includes some of the Xperia features and licenses that have to do with image processing etc. forever. You will also no longer receive OTAs. So in theory, without a copy of this TA partition (which is unique to each device and cannot be copied over from another) unlocking the bootloader results in an irreversible loss of some of your phone's features. Relocking the bootloader will not bring them back.
A hack exists that allows you to backup the TA partition before you unlock the bootloader. This backup will make the process completely reversible so if you ever need to send the tablet to Sony for repair or just want to return it to its original state you have a way. Follow these instructions carefully:
1.0- Before you begin keep in mind that this procedure, especially the unlocking step, completely erases your tablet. Disable myXperia and remove your google account before proceeding. The following will likely not work well with encryption.
1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the UK Generic ftf that you can get from here.
1.2- Enter service Mode by dialing *#*#7378423#*#* -> Service info -> configuration, and make sure the device is unlockable.
Also check -> Service Tests -> Security and you will see a bunch of "active" and "OK" attributes. You can take screenshots for your reference.
1.3- Turn on usb debugging mode on your phone.
1.4- Download iovyroot zip v0.4 or higher from here.
1.5- Unzip this zip file into a folder of your choice and open a command terminal there.
1.6- Connect the phone which is now in USB debugging mode to your PC and answer yes when the phone asks to authorize the PC to access it in USB debugging mode. You can check that the PC indeed sees the phone by running this command
Code:
adb devices
1.7- Run the following command:
Code:
tabackup
1.8- VERY IMPORTANT: Make sure the command completes with no errors. If all goes well you will have a file with a name like TA-05052016.img (the name may be different for you) with a size of 2MB in your folder.
1.9- Save this file in a very safe place. Save it on your hard disk, AND email it to yourself, AND put it on your google drive. If you lose this file you can never reverse the bootloader unlocking process.
1.10- Reboot the device.
1.11- Now you can unlock the bootloader. Follow the instructions at Sony's official website at http://developer.sonymobile.com/unlockbootloader Also save your unlock code that you obtain in this step somewhere. You may need it some day.
1.12- Reboot the device and it will briefly enter recovery and then start the phone initial setup.
1.13- (Optional) you can easily verify that your bootloader is unlocked by entering the fastboot mode, obtaining any boot image, and running the following command to boot your tablet with that image:
Code:
fastboot boot boot.img
1.14- (Optional) you can see that the DRM keys are erased from your tablet by repeating step 1.2 but this time you will see a bunch of errors under Service Tests -> Security.
1.15- As a side effect of unlocking the bootloader you lose the ability to receive OTA updates. Clean flash a Marshmallow ftf to continue. For this tutorial I used Marshmallow 6.0 E6553_Customized HK_1294-9654_32.1.A.1.185_R7C (the latest firmware at the time of this writing.)
2- How to emulate DRM keys and/or root and/or add recovery after unlocking the bootloader.
A hack exists that can emulate the DRM keys:
2.1- Extract the boot image from the 32.1.A.1.185 marshmallow ftf that you installed in step 1.15. Here are the steps to take:
Open the ftf file with 7-zip or any zip program that you have at your disposal
Look for a file called kernel.sin and extract it.
Start flashtool and from Tools menu choose Sin Editor.
Select the kernel.sin that you extracted in the previous step and hit Extract data.
Flashtool will create a file called kernel.elf which you will use in the next step.​2.2- Download rootkernel_v4.42_Windows_Linux.zip (or a higher version) from http://forum.xda-developers.com/xperia-z5/development/root-automatic-repack-stock-kernel-dm-t3301605 and unzip it in a folder of your choice.
2.3- Copy the kernel.elf that you got in step 2.1 to this folder. If you want root, place SuperSU 2.71 (or higher) in this folder as well. Make sure the name of the SuperSU zip starts with letters "SuperSU". The latest SuperSU can be obtained from: http://forum.xda-developers.com/apps/supersu/2014-09-02-supersu-v2-05-t2868133
2.4- Open a command terminal in this folder and run the rootkernel script. Your command should look similar to this:
Code:
rootkernel.cmd kernel.elf boot-patched.img
When prompted, answer as follows:
- Sony RIC is enabled. Disable? [Y/n] Y (if you want root plus write access)
- Install TWRP recovery? [Y/n] Y (if you want to have recovery)
- Install busybox? [Y/n] Y (if you want busybox. It is very useful)
- Found SuperSU-v2.71-20160331103524.zip. Install? [Y/n] Y (if you want root)
- Install DRM fix? [Y/n] Y (if you want DRM emulation)​This will create a new kernel image called boot-patched.img which you will now flash on your phone.
2.5- Boot the phone in the fastboot mode and flash your patched image using the following fastboot command:
Code:
fastboot flash boot boot-patched.img
2.6- (Optional) You can reboot the phone and see that the DRM keys are indeed retrieved by repeating step 1.2. You can also open settings -> display, and look under Image Enhancement. If the DRM emulation is successful you will see this.
3- How to flash a custom or stock kernel
3.0- If you have already flashed the patched kernel in part 2 you will skip this part.
3.1- Whether you want to use a custom kernel or stock, and whether you have done the DRM patch described above or not, to flash a boot image (i.e. kernel) on your phone you need to restart the tablet in fastboot mode.
3.2- To flash the kernel use this command:
Code:
fastboot flash boot [I]name_of_your_kernel[/I]
You will replace name_of_your_kernel with whatever your kernel is called (e.g. boot.img, kernel.elf, etc.)
4- How to add and use recovery
4.1- Recovery is added to your kernel in step 2.4.
4.2- To enter recovery reboot the phone and touch the volume up key when the LED turns yellow during the boot splash screen.
5- How to relock bootloader and return it to original factory state
5.0- To relock the bootloader along with restoring the DRM keys the phone must have unmodified stock firmware.
5.1- Repeat step 1.1
5.2- Repeat steps 1.3, 1.4, and 1.5
5.3- Copy the TA backup image that you had obtained in section 1 in the iovyroot folder and use the tarestore command to flash the TA partition back onto the phone. The command will look similar to this:
Code:
tarestore TA-05052016.img
Make sure the command completes with no error. If it fails the first time try again. Reboot the phone. Your bootloader is now locked and your DRM keys restored.
5.4- (Optional) You can verify that you are back to the original locked state by repeating step 1.2.
Very useful step by step guide.. But is there any method to root the phone without unlocking the BL? Quite curious to know from you.
arokososoo said:
Whoa Great
---------- Post added at 01:32 AM ---------- Previous post was at 12:50 AM ----------
Very useful step by step guide.. But is there any method to root the phone without unlocking the BL? Quite curious to know from you.
Not yet, at least for my Dual SIM Version.
njaya95 said:
Not yet, at least for my Dual SIM Version.
So you mean there is a way to root single sim version without unlocking BL?
Thanks u so much! This is well written, I will try this when I get the time to do a fresh install. Cheers mate
@arokososoo
Please, in the future never quote long OP and any other long posts. This is very annoying for mobile and desktop users to scroll to the next post. Thanks.
Sent from my Sony E6553 using XDA Labs
I wonder if E6533 can use this guide
Got as far as going to the Sony website, there's no mention of phones that can be unlocked there and for some reason I've got bootloader unlock allowed no, even with a sim free phone and my Xperia turned off.....bummer
Stoneybridge said:
Got as far as going to the Sony website, there's no mention of phones that can be unlocked there and for some reason I've got bootloader unlock allowed no, even with a sim free phone and my Xperia turned off.....bummer
I also unlocked my Z3+, although it wasn't supported. I just picked Z4 Tablet since it is the "nearest" one. Worked. Got MM rooted now.
How long did that take on your devices? 1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the UK Generic ftf that you can get from here.
I am waiting for half an hour now...
Trilliard said:
How long did that take on your devices? 1.1- Start by clean flashing any 28.0.A.8.266 firmware, For this tutorial I used the UK Generic ftf that you can get from here.
I am waiting for half an hour now...
I can't see your picture, but I assume it is getting stuck at modem/system?
If so, downgrade Flashtool to 0.9.19
Well, I got a soft brick, but was able to restore it through Sony Companion. Here is the picture on another hoster http://fs5.directupload.net/images/160529/gr5fpf8t.png don't know at what point it got stuck.
Fun fact that two Germans are writing in English
Edit, big thanks, version 0.9.19 worked perfectly. Can't understand why the newest one doesn't work
Edit 2: System boots up, but when the setup starts the process com.android.phone stops instantly, and if I hit OK the message comes up again instantly; after about ten times the phone reboots. I can't do anything else... next repair through Sony Companion and back to stock German 6.0. I'll stop trying for today.
Trilliard said:
Well, I got a soft brick, but was able to restore it through Sony Companion. Here is the picture on another hoster http://fs5.directupload.net/images/160529/gr5fpf8t.png don't know at what point it got stuck.
Fun fact that two Germans are writing in English
Edit, big thanks, version 0.9.19 worked perfectly. Can't understand why the newest one doesn't work
Edit 2: System boots up, but when the setup starts the process com.android.phone stops instantly, and if I hit OK the message comes up again instantly; after about ten times the phone reboots. I can't do anything else... next repair through Sony Companion and back to stock German 6.0. I'll stop trying for today.
Did you forget to wipe?
In a thread I opened in Q&A a user said that even though service info reported BL unlock allowed NO, he managed to unlock it anyway using the standard procedure, what do you think?
it seems like Sony RIC is not fully disabled with this patch.
Finally ! Works like a charm in my E6533 (Dual sim) !!! Thanks a lot !!!
Hi thiefxhunter,
How did you do this? Could you explain it to us step by step? I would like to root my dual sim model.
Thanks.
Hi.. I am stuck in 2.5
My device is unlocked, It is connected in fastboot mode (blue led).
error msg
'Fastboot is not recognised as an internal or external command, operable program or batch file'
Please help me in this.
Solved..
Thanks for this post..
Thanks for this guide, it worked like a charm on my E6553 with 32.2.A.0.224
CorzCorry said:
I also unlocked my Z3+, although it wasn't supported. I just picked Z4 Tablet since it is the "nearest" one. Worked. Got MM rooted now.
Can you please explain how you did that? Thanks

Pictorial Guide: E58xx Android 7.1.2+ [Root + Recovery + Magisk + DRM + SafetyNet]

E5803/E5823
Android Nougat 7.1.2+ Bootable Recovery
(TWRP) Android Bootable Recovery v3.1.1-0
NB:14OCT17 - I will be rebuilding the base Recovery Image, as it was using a mix of 7.1.2 for Omnirom and TWRP, and 7.1.1 r17, while I'm still technically ahead of the Sony AOSP, they are now using 7.1.1 r55
13 OCTOBER 2017
Step 1 - Get correct files
Step 2 - Read & know to use exact same process, without going back to Lollipop to relock the bootloader.
Step 3 - Flash correct recovery to recovery partition 'fastboot flash recovery CRC#######v-###.img'
A OR B, NOT BOTH
Step 4a - Rootkernel the 324A0160Kernel Elf and patch it for DM Verity & Sony RIC Disable, and 'Fastboot flash boot 324A0160KernelElf.img'
Step 4b - Rootkernel the 324A154 Kernel Elf and patch it for DM Verity & Sony RIC Disable, and 'Fastboot flash boot 324A154KernelElf.img'
Step 5 - Install Magisk v14 via TWRP Recovery.
Done.
See you all next Patch
13OCTOBER2017
Recovery Build v2.1.54 is complete for FTF 32.4.A.1.54 - currently untested by me, but should be ok - I'll be testing 2 versions, there'll be another coming up in a few days - it's related to Device Encryption & Location for Blocks. This version is basically the updated recovery build, with all the same settings, but correct partitions. The next release will test the Device Encryption Location, from /dev/block/data (what it is currently), to /dev/block/dm-0
I'll be testing Flashing and Installing of Magisk with both of my devices and using different methods to test flexibility in capturing the boot image and hash.
Got other things to do currently and my laptop is still in bits and pieces - this was just done to get something out of the way and working.
There's new partitions you should be able to see in Recovery, in addition to the extra ones I had originally.
The 'Misc' partition from Lollipop is back, and FOTAKernel has been renamed to 'recovery'. Everything else is labelled overthetop style.
Back everything up. Once you get a good recovery and successful restore, then you can skimp out and just backup the 'userdata' partition which is now called 'data'..
Expect another update if Sony are nice, and decide to patch the Bluetooth security flaws... While I was building, the bluetooth directories compiled with no errors - and I was getting most faults with QCOM stuff because I had quad and tri merges happening (just the way I set up my mirrors)- but it means that Bluetooth wasn't really touched . CVE-2017-0781 ... CVE-2017-0785.
I could be wrong, and patches could have been included.
Initial Tests:
Installing Magisk.zip in Recovery without disabling Sony RIC or DM Verity will cause the device to become unstable.
Currently - it's looking like a similar process to lock boot loader, for clean install, and patch of boot image to disable RIC and Verity.
I have access to all functions in TWRP and have done a successful restore and backup.
CRCD0FF4662-recovery-v2.1.54.img is attached to the post.
====================
Device Targets
FTF 32.4.A.0.160 ONLY
CRC81D43A45-recovery-v1.1
Magisk: v14.0
Magisk Manager: v5.3.0
====================
====================
Device Targets
FTF 32.4.A.1.54 ONLY - Magisk Requires RIC & Verity Disabled Prior to Installing in Recovery
CRCD0FF4662-recovery-v2.1.54
Magisk: v14.0
Magisk Manager: v5.3.0
====================
12OCTOBER2017
Don't go updating to 32.4.A.1.54 and trying to use the recovery here... much breakage... much change... (actually - the changes I saw I actually added a while ago in FSTAB which is probably why things weren't breaking compared to other recovery with Magisk.... busy making the recovery at the moment but the repo has shifted things so I'll do it over the weekend because I'm busy doing Windows PE programming) Recap. Don't upgrade to 32.4.A.1.54 and use this recovery -- read the rainbow colour device targets above... don't mix and match
13OCT2017: Recovery is compiling for 32.4.A.1.54 ... I screwed up my laptop and I accidentally Raided my storage drive, so my build disk is not on a SSD.. it should be done in an hour or so
MINI ANNOUNCEMENT: 04 OCTOBER 2017
NOTE: Decryption may fail during boot to recovery - currently investigating - Reinstallation of Magisk or Google FOTA Updates may trigger a crash and password properties may be lost somewhere
MINI ANNOUNCEMENT: 26 SEPTEMBER 2017
Device and SD Card Encryption is fully functional.
CURRENT ANNOUNCEMENT: 8 SEPTEMBER 2017
Magisk Manager 5.3.0 and Magisk v14.0 is out.
New feature for Magisk Manager Hide and Unhide.
Load for this is different to previous.
Use Magisk 5.1.1 In-App Auto Download and Install zip package v14.0
Take a Backup beforehand.
The intrinsic nature will make future ad-lib/on the go Root/CTS pass more complex, but perhaps easier to Complete Uninstall in Recovery, Reboot Cycle, and Install v14.0 in Recovery - with less errors to previous versions. (I haven't completely zeroed all errors on my other device that I purposely broke beyond broken.. doing some extreme hide/unhide testing).
Leaving APK 5.1.1 attached for users to leapfrog
Here's a sample of the broken device getting back to Root Access + CTS
PREVIOUS ANNOUNCEMENT LOG
ANNOUNCEMENT: 28 JULY 2017
Added temperature example in TWRP.
CTS Pass. All MMC blocks are R/W. may cause bugs - to revert permissions, Magisk Manager must set "Mount namespace mode":
All root sessions use the global mount namespace
Following the procedure with Magisk Manager 4.3.3 and Magisk v12.0 installed:
Install 5.1.1 APK.
Launch Magisk Manager and accept 13.3 download and install.
Users experiencing problems with adaptive brightness must use Magisk hide for com.qualcomm.cabl, and an example of temperature difference with Global R/W on eMMC blocks
ANNOUNCEMENT: 13 JULY 2017 Regarding Magisk eMMC Global R/W changes to v13.1
Magisk Manager 5.0.4 is able to be installed via APK attachment & Magisk v12.0 Only with 81D43A45-recovery-v1.1
I'm working on getting v13.1+(E5823) on to the device without problems. Further reading may be done further in the thread regarding the issue below.
topjohnwu said:
- [General] Unlock all block devices for read-write support instead of emmc only (just figured not all devices uses emmc lol)
One of the distinct behaviours; Qualcomm Adaptive Brightness - sensitivity & lag - The gradient isn't smooth as it should be, and is erratic (AND EXCESSIVE HEAT)
This is a preview for the short debrief - and there are video examples to view. Read more here: https://forum.xda-developers.com/z5...at-7-0-android-bootable-t3609358/post73005789
NeoBeum said:
POST VIDEOS
====================
PREVIOUS ANNOUNCEMENT LOG
17 JULY 2017
CTS Failure. All versions
There's some changes to NFC stack that I'll be adding later this week
ANNOUNCEMENT: 11 JULY 2017 - 20:00 ACST UTC+09:30
Do not flash or install Magisk 13.1 - Manager 5.0.4
I noticed my device acting strange - so I ran through everything on my phone - and I'm retracting the announcement earlier as a recommendation.
I'll try and iron out what exactly is at fault - but for now - just stay at MagiskSU 12.0 and MManager 4.4.3
Apologies to anyone who managed to get 5.0.4 working.
I might head over to the Magisk thread and see if there are any others encountering the problems I see.
I'm going to leave the APK and previous announcement recorded, for users who aren't bothered by things not really being exactly as they should be.
NB: I found exactly what I was looking for written in the Change Log, after I briefly skimmed through 10 pages of problems today @ the Magisk Board.
This will cause conflicts for future changes in TWRP and Sony Firmware - so it's up to you, how you proceed - but the result will be a repeat of Marshmallow to Nougat problems.
topjohnwu said:
- [General] Unlock all block devices for read-write support instead of emmc only (just figured not all devices uses emmc lol)
One of the distinct behaviours; Qualcomm Adaptive Brightness - sensitivity & lag - The gradient isn't smooth as it should be, and is erratic
Device heat
Security & Play Services background updates - sometimes causes the phone to suddenly reboot
WLAN/BT/NFC - RFCOMM - UID errors
Possible errors during restore and backup function in TWRP - possible that file permissions and attributes are or aren't transferred inheritance R/W
ANNOUNCEMENT - 08 JULY 2017
Sony made some changes to Init and Sec Pol for Audio. Now included in build CRC81D43A45-recovery-v1.1
If you've already followed this guide to flash v1.0, there's no need to repeat everything - just use:
Code:
fastboot flash recovery recovery.img
I've also started on the Omnirom port, so my GitHub will be updated soon.
ANNOUNCEMENT - 11 JULY 2017 - See also 08JUL17 Announcement
Magisk 13.1 is out - with Manager 5.0.4.
For experienced users, you can manually update. APK attached. Turn off core mode, and hide and modules before install. I don't use modules, but that's probably the best option.
I will update guide soon. If you don't upgrade correctly, you will lose CTS and Root. I did this live, without a PC.
NB: I've now done both of my devices, and can confirm that an improper installation by Initiating the 13.1 Install from within Magisk Manager 4.3.3 will cause overheating. Modules and Core Only must be unloaded and Off, and APK installation must be done first after confirming modules are disabled. 13.1 zip file may then be installed in Recovery, to update SU binary, and Installation from inside Manager 5.0.4 needs to be initiated and will require 2 powercycles to load in to Magisk Hide with Core Only Disabled, for CTS Pass.
Update 4/7/2016 - Happy 4th of July to the Yanks... Here's a present from Down Under.
TWRP 3.1.1 on Android 7.1.1 Firmware 32.4.A.0.160 - I'm using the source for Android 7.1.2 R17
I'll update the build later this week and upload an image - as I'm cleaning up the process and making sure everything is working properly. I started again from scratch on 32.0.A.6.200 going all the way to 32.4.A.0.160. My GitHub doesn't have the source at the moment, because I'm rebuilding my Build Environment, so I can switch between Omnirom and AOSP using the same Repo. I'm just working out the best way to sync without fetch errors.
====================
______________________________
Users on Android Nougat 7.0 (32.3.A.X.XXX)
Upgrading to 7.1.1 will cause you to lose root if you have FOTA-Kernel Recovery and flash 32.4.A.0.160 and exclude FOTA Kernel in Flashtool
This has now been tested on both of my Devices.
______________________________
REQUIREMENTS:
Flashtool
IOVYroot
Rootkernel
Recovery Image - Find Attachment CRC32 81D43A45 for 32.4.A.0.160; Find Attachment CRC32 D0FF4662 for 32.4.A.1.54
TA Image
Bootloader Unlock Code
USER INSTRUCTIONS
Downgrading to 32.0.A.6.200 to restore keys and lock bootloader
Ensure that you have signed out of any Google Accounts prior to flashing to prevent a Reset Lock
Use Flashtool to downgrade to Android 5.1.1 Lollipop
Use IOVYroot to backup or restore your TA Partition
If you previously have lost your original Device Keys, you may be able to use Rootkernel to patch a DRM fix on the 32.0.A.6.200 Kernel.ELF, and then have IOVYroot backup the key
Enable USB Debugging in Developers Options and connect your device to the PC
Use IOVYroot to restore the TA to your device and there will be a message to flash stock firmware
Restart the device as there is no need to flash again and confirm that the device keys are restored
Preparing to flash 32.4.A.0.160
Before starting the Flash process, navigate to the 'prepared' directory in Flashtool's firmware directories, then find and copy 'kernel.sin' to the Rootkernel directory
Use Flashtool's 'Sin Editor' found in the 'Tools' to extract a 'kernel.elf' from 'kernel.sin'
Use Rootkernel to create a DRM fix patched Boot image
Flashing 32.4.A.0.160
Flash Android Nougat 7.1.1 and boot the device and confirm that DRM keys are present
Enable Developers Option and Enable 'Enable OEM Unlock' then turn off the device
Connect the device to the PC and prepare the Bootloader unlock
Unlocking 7.1.1 Bootloader, Catching the Device Key & Flashing the Recovery
Confirm that device is in USB Debugging Mode
Then send the reboot command via 'adb reboot-bootloader'
fastboot flash boot 'patched-kernel.img'
fastboot flash recovery 'fotakernel-recovery.img'
Disconnect the device and do not power on
Use Flashtool to flash your Device Key
Once done, Power On
Andy the Android should briefly display with his guts spilled open upgrading himself (If he doesn't something isn't right)
Complete the Android Welcome Setup
Congratulations
Recovery instructions below.
Flash Magisk v12.0 zip with Sony Fix, in TWRP Recovery
Flash or install using current announcement instructions, or your own preferred Superuser App
====================
XpeRicoverE5823 History
The Original Project intended to have the Z5 Compact an official device tree for TWRP. This project is still on going as the completed AOSP Recovery is currently not supported by Team Win as there is no room for new devices using AOSP build base on the Gerrit Build Server. As a result, the project has two branches; OmniROM and AOSP. Assuming everything runs smoothly, these projects using Android Bootable Recovery source, should almost be "plug and play" with source of other ROM, so if time permits, I'll get the LineageOS Build environment and build the recovery image.
https://github.com/NeoBeum/android_device_sony_suzuran
====================
TWRP AOSP Recovery
Recovery Source:
Device Tree: Prototype Completed
Recovery Build:
Recovery Image Upload:
Target Kernel: LA.1.2.3_45, 3.10.84 - Sony Stock 32.4.A.0.160
Flash Instructions for device:
Code:
fastboot flash recovery recovery.img
Entry: Power + Volume Down (Until vibration) after 10 seconds, Magenta LED indicates recovery boot process.
Additional notes:
Previous Builds:
CRC665582E7-Recovery-v1.0.zip - v1.1 @08JUL2017
Stock AOSP Recovery
Recovery Source:
Recovery Build: Complete
Recovery Image Upload:
Target Kernel: LA.BR.1.3.3_rb2.14
OmniROM Recovery
Recovery Source:
Recovery Build: In Progress
Recovery Image Upload: N/A
Target Kernel: OmniROM 7.1
Time Permits
LineageOS Recovery
Recovery Source: N/A
Recovery Build: Planning Stage/Not Started
Recovery Image Upload: N/A
Target Kernel: LineageOS 7.X.X
====================
ORIGINAL POST
Android Bootable Recovery (TWRP) 3.1.1-0
The TWRP port and device tree is almost done.
Just got it working after about 16 hours straight of trying to get bionic to spew out overflow.
The short and sweet guide is:
Get the Recovery Image and Fastboot flash to Recovery
Have your TA-Partition.img or DK.ftf
Flash 32.3.A.2.33 with Flashtool and Select All for Wipe, and Exclude FOTA Partition
Boot to recovery, Zip install Magisk 12.0
Power Cycle for the default Freakout-Google-Recovery-Refresh
Fastboot flash PatchKernel.img to Boot
Boot to recovery, Restore TA partition from image.
If you have your original DRM Key, I have the TA partition backup to restore the DRM Key once the Kernel gets patched.
You'll still need the TA if you want complete key signature - but the patch will still fix DRM loss when you initially flash TWRP to the recovery partition. (Because that action requires an unlocked bootloader)
I'll post a guide up soon, I'm just off for errands.
Once I fix up the device tree, and TeamWin's gerrit recovers from its heart attack, you will be using all your own resources to do this, and won't need a prebuilt recovery. You can use your own stock kernel extracted with Flashtool. Everything should run smoothly because of less handover with prebuilt images and have the DRM fix patch the kernel that you actually have, and not for some other region..
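The post above ties each recovery build to exactly one firmware ("Device Targets") and tags each image file name with a CRC32. The following Python check is an added example, not code from the post or from the TWRP/Rootkernel projects: it refuses an image whose contents do not match the tag in its name, or whose listed target differs from the firmware on the device. The function names are hypothetical and the installed firmware string is assumed to be supplied by the user; CRC32 only catches a damaged or mislabelled download and does not authenticate the image.

```python
import re
import tempfile
import zlib
from pathlib import Path

# Recovery builds and the single firmware each one targets, copied from the
# "Device Targets" blocks in the post. Keys are the CRC32 tags in the file names.
DEVICE_TARGETS = {
    "81D43A45": "32.4.A.0.160",
    "D0FF4662": "32.4.A.1.54",
}

# Matches names such as CRCD0FF4662-recovery-v2.1.54.img ("CRC" prefix optional).
NAME_RE = re.compile(r"^(?:CRC)?([0-9A-F]{8})-recovery-v[0-9.]+\.img$", re.IGNORECASE)


def crc_tag(file_name):
    """Return the 8-hex-digit CRC32 tag embedded in the file name, or None."""
    match = NAME_RE.match(file_name)
    return match.group(1).upper() if match else None


def file_crc32(path, chunk_size=1 << 20):
    """CRC32 of the file contents, streamed, as 8 upper-case hex digits."""
    crc = 0
    with open(path, "rb") as handle:
        while chunk := handle.read(chunk_size):
            crc = zlib.crc32(chunk, crc)
    return f"{crc & 0xFFFFFFFF:08X}"


def check_recovery_image(path, installed_firmware, targets=DEVICE_TARGETS):
    """Return (ok, problems). ok is True only if the image is intact and is
    listed for exactly the firmware installed on the device."""
    path = Path(path)
    tag = crc_tag(path.name)
    if tag is None:
        return False, [f"{path.name}: no CRC32 tag in the file name"]
    problems = []
    actual = file_crc32(path)
    if actual != tag:
        problems.append(f"CRC32 mismatch: name says {tag}, contents give {actual}")
    target = targets.get(tag)
    if target is None:
        problems.append(f"build {tag} has no listed device target")
    elif target != installed_firmware:
        problems.append(f"build {tag} targets {target}, device runs {installed_firmware}")
    return not problems, problems


def demo():
    """Run the check on a constructed stand-in image (not a real recovery)."""
    payload = b"ANDROID!" + bytes(range(256)) * 64  # constructed sample bytes
    tag = f"{zlib.crc32(payload) & 0xFFFFFFFF:08X}"
    targets = {tag: "32.4.A.1.54"}  # constructed mapping for the sample file
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / f"CRC{tag}-recovery-v0.0.img"
        image.write_bytes(payload)
        good = check_recovery_image(image, "32.4.A.1.54", targets)
        wrong_fw = check_recovery_image(image, "32.4.A.0.160", targets)
        damaged = bytearray(payload)
        damaged[100] ^= 0x01  # simulate a single flipped bit in the download
        image.write_bytes(bytes(damaged))
        corrupted = check_recovery_image(image, "32.4.A.1.54", targets)
    return good, wrong_fw, corrupted


if __name__ == "__main__":
    for label, (ok, problems) in zip(("intact", "wrong firmware", "corrupted"), demo()):
        print(label, "OK" if ok else "REFUSE", *problems, sep="\n  ")
```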
Eagerly waiting for this so I can get root
Just an update: TWRP Build server doesn't have enough room for new devices using the AOSP Build Base, so I have to make an OmniROM port to get the device supported officially. However, there are also changes being made to the Kitakami Platform (Z5 Family), which is the parent of the Suzuran device, so I need to wait to find out what's happening there. Should be in the next few weeks - as I was told sometime in June.
Wait, seriously? We will see OmniROM ported to our device?
MakeHav0 said:
Wait, seriously? We will see OmniROM ported to our device?
Yeah, I'm getting there... hopefully They're changing the Kitakami platform base, so I'm waiting for humberos or someone that knows what's happening to finish doing what they're doing.
They told me to not use the Kitakami tree for now.
You probably haven't read my other posts, I'm new to this, and this is my first android project.
But I will still be able to get the recovery supported without a complete OmniROM System build.
I updated the main post too
The Recovery for Android 7.1 was a by-product of testing an Android 7.1 build base for the Z5C, before I start working on the OmniROM 7.1, so I've added it to the list of Recovery images.
darito30 said:
Eagerly waiting for this so I can get root
root is working, it was at the beginning, I just assumed everyone would think Magisk set root, I added root to the title to make it clear
Can you please provide guide step-by-step to stock firmware + root, recovery, drm fix, RIC and all other sony stuffs,
so we can easily root our z5 compact phones ?
Really I can't understand when to flash, what to flash.
When I do
fastboot flash recovery recovery.img
and boot to recovery I cannot install anything, (Magisk) it is "read only"
netaccs said:
Can you please provide guide step-by-step to stock firmware + root, recovery, drm fix, RIC and all other sony stuffs,
so we can easily root our z5 compact phones ?
Really I can't understand when to flash, what to flash.
When I do
fastboot flash recovery recovery.img
and boot to recovery I cannot install anything, (Magisk) it is "read only"
I'll need to get on my PC to reply
if you still have the recovery image I compiled flashed to recovery, you can leave it there.
Now what you need to do is use Flashtool and Flash 32.3.A.2.33, with normal settings, with the addition of Exclude FOTAKERNEL
While you're checking everything is set correctly, go in to the Flashtool prepared directory, %USER%/.flashTool/firmwares/prepared
Find the Kernel.sin, (not FotaKernel) - You need Kernel.sin because this is where the boot image is, and use flashtool to extract to Kernel.ELF.
Use the Rootkernel tool, Disable DM-Verity, Disable RIC, do not install TWRP, do not install SuperSU, do not install Busybox.
Flash the resulting Kernel.img using
Code:
fastboot flash boot Kernel.img
Now, if you boot to recovery and install Magisk, and then in usermode you still receive a fail for CTS/SafetyNet, the reason is that Magisk captured the modified Boot we just flashed.
To get around this (if you encounter this problem), flash 32.3.A.2.33 again with the same settings as before, remembering to check Exclude FOTAKERNEL.
This time, when you go in to recovery, or boot, magisk will capture the correct Hash for a "virgin" System.
Done. This process is identical to @mhaha 's guide https://forum.xda-developers.com/z5-compact/general/guide-how-to-root-z5c-painful-using-t3549388, it just uses the recovery, instead of boot. I'm trying to get in contact with Tobias & Androxyde, as I'm going to try and make a windows gui that does all of this together. I need a C# project for an assignment.
I choose options you described. From "prepared" folder, copy kernel.sin, extract it
using Flashtool and now I have kernel.img
Starting rootkernel like this:
rootkernel kernel.elf kernel.img
Rootkernel V5.23
- Unpacking kernel
Found elf boot image
Kernel version: 3.10.84-perf-g1016077
Found appended DTB
- Detected vendor: somc (Sony), device: suzuran (Xperia Z5 compact), variant: row
- Unpacking initramfs
- Detected platform: 64-bit
- Detected Android version: 7.0
- dm-verity is enabled. Disable? (Say yes if you modify /system) [Y/n] Y
Disabling dm-verity
- Sony RIC is enabled. Disable? [Y/n] Y
Disabling Sony RIC
- Skipping TWRP recovery. No kernel modules for 3.10.84-perf-g1016077 available
- Install DRM fix? [Y/n] Y
- Install busybox? [Y/n] N
- Creating new initramfs
- Creating boot image
- Cleaning up
Done
Now flash firmware E5823_32.3.A.2.33_R2D_MobilTel EAD BG.ftf
When it is completed, unplug the phone, but do not power on yet
Connect via fastboot (volume up while powering) and run
fastboot flash boot Kernel.img
boot into recovery (power + volume down) - it is read only
reflash again ftf with Flashtool (wipe all, exclude FOTA),
enter to recovery and trying to flash the Magisk
When I install Magisk same errors: failed to mount, unable to mount.
I will wait for full guide step by step.
netaccs said:
When I install Magisk same errors: failed to mount, unable to mount.
I will wait for full guide step by step.
You grabbed the correct Magiskv12 with Sony Fix?
what link did you use for Magisk
I'm going to download and try to get your error.
NeoBeum said:
You grabbed the correct Magiskv12 with Sony Fix?
what link did you use for Magisk
I'm going to download and try to get your error.
I use this Magisk https://forum.xda-developers.com/attachment.php?attachmentid=4096169&d=1490995590
What if I don't want Magisk, just SuperSU?
I try several ways to root + recovery + nougat. Other recovery example are working in different way.
Here it doesn't show the size of partitions when I select storage and other unusual things.
I will try with supersu instead of Magisk, but I din't the problem is in the recovery, not the Magisk.
pp. what is the difference between both, only the way of root, or Magisk has something more ?
This is the first phone I was unable to root :/
NeoBeum said:
I'm trying to get in contact with Tobias & Androxyde, as I'm going to try and make a windows gui that does all of this together. I need a C# project for an assignment.
I am 100% certain that a lot of people would be super thankful for that. Thanks in advance from my side!
I get the same errors unfortunately:
"Failed to mount '/system' (Operation not permitted)
Failed to mount '/data' (Operation not permitted)
Failed to mount '/cache' (Operation not permitted)
Failed to mount '/oem' (Operation not permitted)
Failed to mount '/lta-label' (Operation not permitted)"
netaccs said:
I choose options you described. From "prepared" folder, copy kernel.sin, extract it
using Flashtool and now I have kernel.img
Starting rootkernel like this:
rootkernel kernel.elf kernel.img
Rootkernel V5.23
- Unpacking kernel
Found elf boot image
Kernel version: 3.10.84-perf-g1016077
Found appended DTB
- Detected vendor: somc (Sony), device: suzuran (Xperia Z5 compact), variant: row
- Unpacking initramfs
- Detected platform: 64-bit
- Detected Android version: 7.0
- dm-verity is enabled. Disable? (Say yes if you modify /system) [Y/n] Y
Disabling dm-verity
- Sony RIC is enabled. Disable? [Y/n] Y
Disabling Sony RIC
- Skipping TWRP recovery. No kernel modules for 3.10.84-perf-g1016077 available
- Install DRM fix? [Y/n] Y
- Install busybox? [Y/n] N
- Creating new initramfs
- Creating boot image
- Cleaning up
Done
Now flash firmware E5823_32.3.A.2.33_R2D_MobilTel EAD BG.ftf
When it is completed, unplug the phone, but do not power on yet
Connect via fastboot (volume up while powering) and run
fastboot flash boot Kernel.img
boot into recovery (power + volume down) - it is read only
reflash again ftf with Flashtool (wipe all, exclude FOTA),
enter to recovery and trying to flash the Magisk
When I install Magisk same errors: failed to mount, unable to mount.
I will wait for full guide step by step.
Merkur9 said:
I get the same errors unfortunately:
"Failed to mount '/system' (Operation not permitted)
Failed to mount '/data' (Operation not permitted)
Failed to mount '/cache' (Operation not permitted)
Failed to mount '/oem' (Operation not permitted)
Failed to mount '/lta-label' (Operation not permitted)"
I made exactly the same & got the same error until I tried another recovery...... THIS HERE
No more mount errors and finally root work for me, but it will not pass SafetyNet check on my phone.
EDIT: after enabling Magisk Hide it passes the SafetyNet check!
Would I be able to use this Magisk dl with Android 7 rooted with the PoC method (https://forum.xda-developers.com/crossdevice-dev/sony/poc-real-trim-instead-drm-fix-t3552893)?
Cerhio said:
Would I be able to use this Magisk dl with Android 7 rooted with the PoC method (https://forum.xda-developers.com/crossdevice-dev/sony/poc-real-trim-instead-drm-fix-t3552893)?
Hi, just wait for me to fix some stuff because Magisk has been removed from Play Store... and also because I've only just come back after my router died
NeoBeum said:
Hi, just wait for me to fix some stuff because Magisk has been removed from Play Store... and also because I've only just come back after my router died
Magisk V13 is out in unofficial state. I would also like to know the step by step instructions to make it work. Thanks in advance for sorting things out NeoBeum
I have a working build for 7.1.1, I'm going to write up a proper guide this time, so I've removed the old one, and I should have it up later this week.

[UNLOCK][UNOFFICIAL][G4] Unlock ANY* LG G4 device with UsU

About
UsU = Unofficial secureboot-off/steadfasterX Unlock
*works with any G4 model. Even though the h818 can be unlocked as well the touch display does not work anymore (should be possible to resolve but.. read on).
so I decided to remove it from the UsU unlock. Read the details and process here: h818 topic
This will "unlock" your bootloader and so enables you to install TWRP and custom ROMS as you like.
To be honest unlock is not the correct wording but I will still refer to it as unlock as the result is the same:
UsU will disable "Secure Boot" which verifies signatures on several partitions like: boot and recovery. Disabling secureboot means it will still verify and give you a secure boot error on boot BUT it will ignore and just boot afterwards (similar to a regular unlock).
This is the outcome of a loooooooong finding process. long? I started with the first attempt in this over 1 year ago. yes.. (think about my nickname heh?!)
A lot of stuff happened since then which all together helped me to accomplish UsU at the very end (yes all these links are my work including some brave testers ofc! ).
You wanna know how this big puzzle fits together?
UsU is not just an unlock! Its a combination of massive changes in TWRP, the G4 kernel and providing all the tools around like FWUL or SALT!
It was really my biggest project in android development and its not just providing the actual unlock files
Hijacking the boot process via EFIdroid, TWRP in FIsH and FIsH in general
AntiRollback and firehose(!) findings
Partition tables for any G4
mAid (fka FWUL) because I needed a valid base for all my testers (one of the reasons why I started FWUL)
The LG-Up replacement and now unlocking tool SALT ! Without SALT this all would be absolutely crazy risky and absolutely nothing for the average user!
many many unlock methods/theories (and millions of times soft and hard bricked) in my PoC thread
while unbricking I found a way to unbrick even when QFIl fails with my sdcard unbrick method
hard-hard bricked (no other recovery then by LG / chip replacement) for 4 times.. (thanks ILAPO!)
many TWRP tests and changes to detect UsU devices properly
HINT:
OPEN THIS THREAD IN A BROWSER!
NOT IN AN APP!
THATS THE ONLY WAY TO FULLY SEE EVERYTHING AS IT SHOULD BE
REQUIREMENTS
UsU does not care about a country version of a model (e.g. H815 TWN and H815 TUR are all referring to as H815).
So you will find only the main part of your model listed which means it will work for any of them!
1) Your device should be one of these (SALT will detect your device and only allows to flash for these variants):
LS991
F500
H810
H811 (wth? yes that works but.. you can unlock OFFICIALLY! its just a fastboot command!)
H812 (NOTE: firmware: v20x or higher is strictly required before flashing!)
H815 - any non EUR
H815 EUR (wth? yes that works but.. you can unlock OFFICIALLY! its just a login on the LG website)
disabled: H818 (KNOWN ISSUE: TOUCH STOPS WORKING! current state)
H819
US991
VS986
Note: SALT will tell you which ROM type is compatible with your device within the main screen: GPT compatibility
Yes there is a way to flash also H815 ROMs on those who do not support it out-of-the-box but this is very risky and requires either a change of the partition table or the ROM build developer need to change the fstab (riskless for you)
2) ARB less or equal 2
So ARB 3,4,5,........ WILL NOT WORK!!
Details:
Just use SALT to identify your current ARB and read here how to identify and verify: G4 AntiRollback
* Reason:
UsU is based on an ARB 2 based aboot (part of the bootloader stack - see FAQ #27) and so ARB > 2 will hard-hard brick your device if you would flash UsU on it. Hard-Hard brick means no way to recover other than sending for repair.
3) Your device firmware must be MM(keep Requirement #2 in your mind when upgrading to MM)
which one? I highly recommend the latest MM version for your model --> but again beware of the ARB (not greater than 2)!
H812 devices need special attention though: v20x or higher is strictly required before flashing!
Details:
Yes you can flash and use UsU even when on LP but believe me: you don't want to. You will encounter issues sooner or later when running LP so take your time and upgrade your device to MM before proceeding here.
LIMITATIONS / KNOWN ISSUES
(bootloader stack is explained and described in FAQ 27)
1) Do not use QFIL or flash any KDZ / TOTs or any ROM containing a bootloader stack (like v29a pure does) ! You WILL lose unlock and may hard-hard-brick your device (at least HARD BRICK)!
2) Do not use QFIL or flash any KDZ / TOTs or any ROM containing a bootloader stack (like v29a pure does) ! You WILL lose unlock and may hard-hard-brick your device (at least HARD BRICK)!
3) Do not flash any MM or N bootloader stack containing the file named: aboot. This will immediately lock your device and so definitively HARD BRICK!
4) If you want to flash a MM or N modem partition (aka firmware) you need to re-flash <model>_UsU_basebands_flash-in-twrp.zip otherwise you will bootloop, stuck on boot or see a blue screen with a modem crash (this may change if I ever get my kernel module working...)
5) If a ROM has no active developer or the developer has not made it UsU compatible you may need to open the ROM zip file on your PC and change the update-script within (just remove the assert line(s) at the top is enough)
6) The fastboot mode coming with UsU will enable fastboot flash but the command fastboot boot will not work (like on the semi-official N bootloader stack)
7) Most important: Once you go this way - there is (maybe) no way back! SERIOUSLY. The only way to make the device exactly like before is replacing the mainboard. If you're scared: good.
Read the new findings on that part here - some models may be able to revert UsU!
Think twice and don't complain later if you go on!
8) Do not use QFIL or flash any KDZ / TOTs or any ROM containing a bootloader stack (like v29a pure does) ! You WILL lose unlock and may hard-hard-brick your device (at least HARD BRICK)!
9) video framerates are lowered after flashing UsU. This is due to the fact that required files for high performance video will not load properly anymore and so must be replaced. Replacing those firmware files is a risk and as it is working ok enough for the most users that patch will not be included in any ROM. If you really think you need this patched ensure you read the instructions here thoroughly and understand them 100% before proceeding to apply it: G4-VideoLag-Fix
YES I REPEATED MYSELF 3 (THREE) TIMES (... for a reason)!
Code:
#include <std_disclaimer.h>
/*
* Your warranty is now (maybe) void (well not really but just for the case...)
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about this howto/unlock method
* before using it! ---> YOU <--- are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*
*/
Downloads
YES. ALL of them:
Latest unlock package by steadfasterX (download the one for your device model only) --> <model>_UsU_unlock.zip (mirror)
Latest baseband package (download the one for your device model only) --> <model>_UsU_baseband_flash-in-twrp.zip (mirror)
Latest TWRP (PREVIEW-103 or higher!) by steadfasterX
- Nougat TWRP (if you plan to use + flash Nougat ROMs)
- Oreo TWRP (if you plan to use + flash Oreo ROMs)
- Pie TWRP (if you plan to use + flash Pie ROMs)
A custom ROM of your choice (see Requirements topic to find a compatible one!) --> e.g. all newer builds here: http://leech.binbash.rocks:8008/
Linux: I highly recommend to use mAid . This is an android lovers live ISO which can be booted from an USB stick which has everything needed on board - including SALT!
Latest mAid *persistent* by steadfasterX (HAVE TO be version 2.6 or later!): maid.binbash.rocks
only if NOT using mAid:
Latest SALT version (minimum version: v3.19!) by steadfasterX: SALT
Important note about bootloader/modem stuff!
You will find on several ROM threads the hint that you must have a specific bootloader stack (FAQ #27) in order to make the ROM working properly.
What in reality is needed on these ROMs is just the MODEM (aka firmware) partition nothing else. Believe me I know this for sure
1) Flash required modem partition in TWRP or fastboot mode
2) if using a ROM which is NOT specific an UsU ROM: Flash your baseband package (<model>_UsU_baseband_flash-in-twrp.zip) in TWRP again!! If you don't you will get bootloops, android hanging on boot or modem SoC crashes (blue demigod screen)
Flash UsU with SALT
(requires SALT v3.21 / mAid v3.2 or higher)
Before proceeding ensure that you have read and understood the "Limitations" topic and the "Changes in behavior" topic in this thread!
If you have a Windows PC the easiest way to get SALT is by flashing mAid v3.2 or higher on an USB stick (if you had read the "Downloads" topic above you should know that already).
Before you ask if there is a Windows version of SALT: read the FAQ in the SALT thread.
UsU can be flashed in 3 different ways! Every way will unlock your device the only difference is where you place the UsU files. Choose the one which fits best for you:
by an external sdcard (must be VFAT formatted)
by using your internal storage
by direct flashing (only when available - SALT will show this option only when possible for your device)
OK enough about all this: LETS UNLEASH YOUR DEVICE!
At very first: ensure you are using the LATEST version of SALT!
SALT contains an internal updater and when a new version has been detected online it will display an upgrade hint. DO THAT if you see any. It doesn't hurt to also trigger the update process even if you see no popup just to be sure that you have the latest version. You can also check the SALT release notes and compare the version with yours (title of the SALT window displays your version).
That step is really easy but incredible important. Do not miss that!
Just to say it again as its crucial important: USE THE SALT UPDATER to ensure you have the latest version!
Extract <model>_UsU_unlock.zip and copy the aboot_UsU.img, laf_UsU.img and rawres_UsU.img to either:
a) your external SDcard (directly on the external sdcard - not in any folder!). The sdcard must be formatted as VFAT.
or
b) connect your running Android device with your PC, select MTP mode in Android and copy it to the:
- "Internal Storage" and folder "Download" (exactly there!)
Start SALT
If you have not done already: DO A BACKUP NOW I'm serious this is your last chance to grab the important files and it just takes some minutes (in basic mode) but you have all in place if needed!
If you skip this step no one may can help you later!
Notice and WRITE DOWN the "GPT compatibility" info! DO NOT PROCEED IF IT STATES "unknown"
This part will become crucial important when it comes to which ROM you can flash!
The only valid information about that can be found in SALT!
If you see a "H811" there you have to flash H811 ROMs later (if no specific ROM is available for your model)
If you see a "H815" there you have to flash H815 ROMs later (if no specific ROM is available for your model)
If you see a "unknown" there you have to STOP and provide the SALT debug log (advanced menu)
Open the Advanced Menu
Click the "Unlock G4 (UsU)" button and read carefully the popup. Click Unlock, choose your unlock way and follow the instructions
If the UsU flashing fails for any reason (SALT will do important pre-checks and validations before actually flashing):
If you see a popup about UsU flashing has partially failed do not be scared - just read and follow the instructions!
If you see a different error: do not reboot or power off the device! Ask for support and provide the debug log in SALT (in Advanced Menu -> Debug Logfile button -> Upload button and share the link)!
If the UsU flashing was successful (SALT will validate the flashing) continue:
Boot your device into fastboot mode (yes UsU has enabled an unlocked fastboot access for you!):
take out the battery
unplug the usb cable from the PC (not from the device)
Insert the battery again
wait 2 sec
press volume DOWN and while keeping it pressed: plug the USB cable to the device
keep volume DOWN pressed until you see the fastboot screen
Flash TWRP (yes you can do that now... because of UsU!):
fastboot flash recovery <twrp.img> (replace <twrp.img> with the real filename)
YOU MUST boot to TWRP now (you will notice a secure boot error but TWRP will load!):
disconnect USB cable
take out battery
put battery back in
press volume down AND the power button and keep both pressed until.. you see TWRP!
Gotcha! Try that with a locked phone and you will fail!
If you do not boot to TWRP after flashing it it will get OVERWRITTEN and you have to do all the steps for flashing TWRP again!
Optional (not needed when you flash an UsU compatible ROM later) Flash the baseband package now: <model>_UsU_baseband_flash-in-twrp.zip
While still in TWRP choose REBOOT menu and reboot to RECOVERY (yes again!)
Notice: TWRP will show your REAL device model when connected to the PC now.
If not: SHARE THE recovery LOG (how-to for grabbing the recovery log is written in FAQ #4A)!
I would say: its a good time to create a TWRP backup isn't it (ensure you also select "Bootloader" in TWRP backup)?
I HIGHLY RECOMMEND to do nothing else now. Just boot into your ROM as it is! Check if everything is working and proceed only if it boots fine and works fine!
Optional: just root now. Use Magisk or SuperSU to root your current installed stock ROM to see that it works
Done. Do not miss to read the Changes in behavior topic!
Whats next? Lol you are FREE! Flash SuperSu, Magisk or a custom ROM. Up to you. Flashing issues? Read the LIMITATIONS/KNOWN ISSUES topic (especially #1, #2, #3).
Changes in behavior
Booting to recovery, custom ROM booting (or stock but rooted), booting into download mode
You will notice a secure boot error ... and it will boot!!
... and NO: THIS MESSAGE CAN NOT BE REMOVED! If you can't live with that do not unlock
Fastboot
After you unlocked your device with this method you will also have an unlocked fastboot mode which can be accessed by a key combo:
take out the battery
unplug the usb cable from the PC (not from the device)
Insert the battery again
wait 2 sec
press volume DOWN and while keeping it pressed: plug the USB cable to the device
keep volume DOWN pressed until you see the fastboot screen
Now what? You can flash whatever you want here with: fastboot flash <partition> <filename>
you can NOT: fastboot boot .. as this is blocked like in the semi-official N bootloader stack.
TWRP/Recovery hardware key combo
Flashing UsU changes the way the regular factory reset screen key combo is working.
After flashing UsU we can boot directly into TWRP!
power off device
unplug the usb cable from the device (if any)
press volume DOWN + power button and KEEP THEM BOTH pressed the WHOLE TIME until you see "Recovery loading" or TWRP
Factory reset hardware key combo
As written above the regular key combo to get into the LG factory reset screen changes a bit:
power off device
disconnect any usb cable from the device
press volume UP + power button and KEEP THEM BOTH pressed until you see the LG logo the first time! THEN you have to immediately release the power button (ONLY that) and press and keep holding the power button directly again! Keep them pressed until you see the white LG factory reset screen
Proofs
Keep in mind: UsU will work for ANY LG G4 model and does not care about country specific ones, too! When I say: ANY, I MEAN any!
The only device which is a real special one because of different hardware (2 SIM slots) is the H818 which can be unlocked but has issues (see above)
confirmed:
check the current poll results: https://forum.xda-developers.com/poll.php?do=showresults&pollid=26680
LS991 (confirmed) --> https://forum.xda-developers.com/poll.php?do=showresults&pollid=26680
F500 (confirmed) --> https://forum.xda-developers.com/poll.php?do=showresults&pollid=26680
H810 (confirmed) --> https://forum.xda-developers.com/showpost.php?p=75126190&postcount=298 and https://forum.xda-developers.com/showpost.php?p=75736723&postcount=456
H812 (confirmed) --> https://forum.xda-developers.com/showpost.php?p=75126190&postcount=298
H815 (confirmed) --> My own one! and https://forum.xda-developers.com/showpost.php?p=75086602&postcount=276 and https://forum.xda-developers.com/showpost.php?p=75737617&postcount=458
H818 (confirmed)* --> https://forum.xda-developers.com/showpost.php?p=75133410&postcount=307 * SEE ABOVE REGARDING THE CURRENT ISSUES
H819 (confirmed) --> https://forum.xda-developers.com/poll.php?do=showresults&pollid=26680
US991 (confirmed) --> https://forum.xda-developers.com/poll.php?do=showresults&pollid=26680
VS986 (confirmed) --> https://forum.xda-developers.com/showpost.php?p=75109841&postcount=293
Support / Telegram
Of course in this thread but also by Telegram. I have created a generic group for all stuff around Android : here
and another one if you want to keep up2date whenever I build something (TWRP, SHRP, LOS, /e/, ...): here
Model specific ROM threads
H810:
- AOSCP Nougat
- LineageOS Oreo - general LOS all-in-one thread
- LineageOS Pie - all-in-one thread
- /e/ OS Pie - all-in-one-thread
H812:
- AOSCP Nougat
- LineageOS Oreo (deprecated) new: general LOS all-in-one thread
- AtomicOS
- LineageOS Pie - all-in-one thread
- /e/ OS Pie - all-in-one-thread
H815:
- AOSCP Nougat
- LineageOS Oreo (deprecated) new: general LOS all-in-one thread
- LineageOS Pie - all-in-one thread
- /e/ OS Pie - all-in-one-thread
VS986:
- AOSCP Nougat
- LineageOS Oreo (deprecated) new: general LOS all-in-one thread
- LineageOS Pie - all-in-one thread
- /e/ OS Pie - all-in-one-thread
any other model:
- LineageOS Oreo - all-in-one thread
- LineageOS Pie - all-in-one thread
- /e/ OS Pie - all-in-one-thread
Making the baseband flashing obsolete
Well time goes by and so things change in the meantime. I have found a way to make the baseband flashing obsolete but that requires to flash either a device model specific ROM or kernel.
That means:
When you flash a full UsU compatible ROM (like those linked above) there is no need anymore to flash the baseband package.
When you flash another ROM which is not fully UsU compatible you can flash a kernel with UsU patches and so can avoid flashing the baseband package as well.
The UsU kernels can be found here.
When the ROM is neither fully UsU compatible nor there is no kernel with UsU patches you can or better must flash the baseband package.
Credits
Mohd Saqib for the ls991 userdebug bootloader (https://forum.gsmdevelopers.com/lg-g-series-unified/32523-lg-g4-h811-boot-repair-qfil.html) stack. Without him.. no "unlock"
LG for making a faulty mainboard which allowed me to replace it without an issue several times after hard-hard bricking
Me - steadfasterX bc I have done all this almost alone (besides the brave testers ofc) AND: just for FUN ! (I *CAN* UNLOCK OFFICIALLY!) and as the whole guide and method is the result of many many days ... lol noooo *MONTHS* (!!!) of spending my free time on this topic!
neutrondev (details about technical understanding + support)
uio88 (donator), jasonlindholm (recurring unteachable donator!), pablo103 (donator), britx (donator), ReeS86 (donator), ling751am (donator), 01189998819991197253 (donator), Korpse (donator), decibel_nv (donator), bdasmith (donator), hteles (donator), Leg0V0geL (donator), britx (donator), doop (donator), street_android (donator), ErismaSS (donator), ingcolchado (donator), fauxmight (donator), NwOg1984 (donator), pablogrs (donator), romanofski(donator), nenich78 (donator)
The overall sum (just for UsU) of donations (as of 2023-04-03): $252 !
While donations are accepted and appreciated there is NO need for it. I have done all this for fun and I like thx clicks more than money LOL
XDA:DevDB Information
Unofficial secureboot-off/steadfasterX Unlock, Tool/Utility for the LG G4
Contributors
steadfasterX, the_naxhoo (tester), SePhIrOtX (tester), Chebhou (tester), fawadshah33 (tester), DoughMucker (tester), shane87 (tester), Guy Noir (tester), networkkid (tester), ling751am (tester), jmfecon (tester), r3pwn (tester)
Version Information
Status: Stable
Stable Release Date: 2018-03-08
Alpha Release Date (PoC): 2017-07-28
Created 2018-03-08
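A pre-flight gate for the REQUIREMENTS list and the file-placement step of the post above, as an added example that is not part of SALT, the UsU package or the original post. The function name `usu_preflight`, its arguments, and reading "v20x" as firmware number 20 are assumptions; SALT runs its own checks and stays the authority on what may be flashed.

```shell
#!/bin/sh
# Added example: pre-flight gate for the UsU requirements and file placement.
# Not part of SALT or the UsU package; names and arguments are hypothetical.

# Models the post lists as supported (H818 is listed as disabled).
USU_MODELS="LS991 F500 H810 H811 H812 H815 H819 US991 VS986"
# Images the post says to extract from <model>_UsU_unlock.zip.
USU_FILES="aboot_UsU.img laf_UsU.img rawres_UsU.img"

# usu_preflight MODEL ARB ANDROID FWNUM DIR
#   MODEL   main model name without country suffix, e.g. H815
#   ARB     anti-rollback value as identified with SALT
#   ANDROID firmware generation on the device: LP or MM
#   FWNUM   numeric part of the firmware version (assumption: "v20x" -> 20)
#   DIR     directory the three images were copied to
# Prints one line per failed check and returns the number of failed checks.
usu_preflight() {
    model=$1; arb=$2; android=$3; fwnum=$4; dir=$5
    fails=0

    # Requirement 1: the model must be one of the listed variants.
    model_ok=no
    for m in $USU_MODELS; do
        if [ "$m" = "$model" ]; then model_ok=yes; fi
    done
    if [ "$model_ok" != yes ]; then
        echo "FAIL: model '$model' is not in the supported list"
        fails=$((fails + 1))
    fi

    # Requirement 2: ARB must be known and not greater than 2.
    case $arb in
        ''|*[!0-9]*)
            echo "FAIL: ARB '$arb' is not a number; identify it before going on"
            fails=$((fails + 1)) ;;
        *)
            if [ "$arb" -gt 2 ]; then
                echo "FAIL: ARB $arb is greater than 2"
                fails=$((fails + 1))
            fi ;;
    esac

    # Requirement 3: the post asks for MM firmware before flashing.
    if [ "$android" != "MM" ]; then
        echo "FAIL: firmware is '$android', the post asks for MM"
        fails=$((fails + 1))
    fi

    # H812 only: v20x or higher is required.
    if [ "$model" = "H812" ]; then
        case $fwnum in
            ''|*[!0-9]*)
                echo "FAIL: H812 firmware number '$fwnum' is not a number"
                fails=$((fails + 1)) ;;
            *)
                if [ "$fwnum" -lt 20 ]; then
                    echo "FAIL: H812 needs v20x or higher, got v$fwnum"
                    fails=$((fails + 1))
                fi ;;
        esac
    fi

    # File placement: all three images directly in DIR (no subfolder), non-empty.
    for f in $USU_FILES; do
        if [ ! -f "$dir/$f" ] || [ ! -s "$dir/$f" ]; then
            echo "FAIL: $f is missing or empty in $dir"
            fails=$((fails + 1))
        fi
    done

    return "$fails"
}

# Run the gate when called with the five arguments described above.
if [ "$#" -eq 5 ]; then
    usu_preflight "$@"
fi
```

A zero exit status means every listed check passed; any other status is the count of failed checks, each explained on its own line.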
FAQ
0) Is/will UsU be available for ARB 3 or higher?
no. never.
Reason:
UsU is based on an ARB 2 based aboot (part of the bootloader stack) and so any ARB > 2 will hard-hard brick your device if you would flash UsU on it.
(Hard-Hard brick means no way to recover other than sending for repair)
1) Is UsU reversible?
Yes and no.
Details: https://forum.xda-developers.com/showpost.php?p=76444983&postcount=968
2a) So I can't flash any KDZ/TOT anymore?
2b) So I can't upgrade my STOCK ROM with the LG updater anymore?
Have you really read the limitations topic? I guess no.
You can't! At least for the KDZ flashing part: not yet.
SALT will allow flashing of KDZ files with the upcoming version 4.0 but until then do not flash with lgup and do not use the LG Android internal updater --> You WILL 100% brick your device.
Why? Read the above FAQ.
3) Will UsU void my guarantee?
Sure.
4) I have flashed UsU and now in Android settings and/or in fastboot it shows up as a LG LS991 - WHY?
The aboot mentioned in FAQ 1) is from a specific device: the ls991. Usually this is nothing which you need to care about. What you see in the Android settings is just parsed from the commandline (means from what aboot is telling) and has no further impacts of nothing. Its just a wrong named "variable" thats it. I still work on a fix to adjust this on boot to your real model but atm of writing it would require a kernel for each model just for this cosmetic thing..
As the UsU fastboot IS ls991 as written in FAQ #1 you will see it there and this is unchangeable - but nothing you need to care about.
5a) I flashed UsU and now the ROM bootloops
5b) I flashed UsU and now the ROM does not start
5c) I flashed UsU and now Android crashes with a blue/purple demigod screen
5d) I flashed UsU and now I have no SOUND and/or CAMERA anymore
5e) I flashed UsU and now I have no cell service anymore
Well there could be 3 reasons why this can happen:
- Either you have not flashed the baseband package in TWRP
- you try to boot a ROM which is not compatible with your model (check the GPT compatibility in SALT!)
- or you have a very sensitive (or strict..) device model
The first thing you should try is flashing the UsU kernel for your installed ROM.
If there is no UsU kernel for your ROM install a supported ROM and flash the UsU kernel afterwards.
If the problem persists or if you still want to use the unsupported ROM: flash the baseband package and the GPT compatibility is ok with the ROM you are trying to flash.
If the problem persists:
1) Try to flash the modem partition of your SALT backup before flashing UsU (nothing else!)
if the problem persists:
2) Some devices require to flash the full modem partition of Lollipop (instead of flashing the baseband package) in order to work after UsU has been flashed so if you are sure that you flashed the baseband package go here and download the modem or the KDZ file of a 10 (Lollipop) modem.img/modem.bin: codefire if you cant find what you need try that one: storagecow
Flash the modem file in fastboot mode like this:
Code:
fastboot flash modem modem.img
or in TWRP like this:
Code:
adb push modem.bin /tmp
adb shell
dd if=/tmp/modem.bin of=/dev/block/bootdevice/by-name/modem
sync
reboot
6) Is there a windows version to flash UsU?
No and there will be never one. Why? For this FWUL exists. Flash FWUL on an USB stick and boot from it. It's as easy as it sounds.
7) I want to use a custom ROM based on Android Nougat or Oreo. In the ROM OP they say I need the v29a/N bootloader stack. Is this true?
No. You will find in several ROM threads the hint that you must have a specific bootloader stack in order to make the ROM working properly.
What in reality is needed on these ROMs is just the MODEM (aka firmware) partition nothing else. Believe me I know this for sure
If you later want to install custom ROMs based on N or O (any model! and any ARB) --> N modem
1) Flash G4_29a_N_modem_UsU.zip in TWRP
2) Flash your baseband package (<model>_UsU_baseband_flash-in-twrp.zip) in TWRP again!! If you don't you will get bootloops, android hanging on boot or modem SoC crashes (blue demigod screen)
When you have a H815(!!!!) device with ARB = 0 you COULD flash the complete bootloader stack though (if you wish - but as said it is NOT needed. READ MY LIPS: IT IS NOT NEEDED but its possible though ):
UsU bootloader stack for N / O
8a) I flashed a KDZ with LGUp / LG Flashtools (you really hexedited a kdz/tot just to brick your device? cooool)
8b) I flashed the non-UsU (see FAQ 7 for the UsU one) v29a bootloader stack on my device
8c) I have no idea why but i bricked my phone (actually you have but you don't wanna tell)
You will need an external sdcard or something like the infinity dongle. In theory there is also the way to unbrick by QFIL but this way is incredible dangerous if you use the wrong files (read FAQ #23!!). The external sdcard method will work only when your device is detected in 9008/QDL mode. If you connect your device to the PC and see nothing (Windows: device manager, Linux/FWUL: open a terminal and type: lsusb) then this guide will not work for you. The only chance is to use e.g. infinity or QFIL but there is no QFIL guide out there I would trust..
For the external sdcard unbrick read and follow the sdcard unbrick guide.
It is important that you know which bootloader stack you had on your device (in terms of ARB)
The only difference for UsU devices is that you need to flash:
the aboot_UsU.img to the aboot partition, the laf_UsU.img to the laf partition and the rawres_UsU.img to the raw_resources partition:
Code:
fastboot flash aboot aboot_UsU.img
fastboot flash laf laf_UsU.img
fastboot flash raw_resources rawres_UsU.img
9a) Will UsU work for my model?
Yes (h818 has been disabled though)
9b) Will UsU work for my country/region?
UsU has no restriction on a specific G4 model or country version.
9c) Will UsU work for any ARB?
UsU will work on ARB 0, 1 and 2 ONLY and you will need LP or MM to be able to actually flash UsU.
Again flashing UsU is a risk always. It happens on your own responsibility!
10a) Will UsU allow me to flash TWRP?
Yes.
10b) Will UsU allow me to flash stock ROMs?
Yes. You will be able to flash stock LP, MM, N
10c) Will UsU allow me to flash custom ROMs?
Yes. You will be able to flash any custom ROM of your choice (any android version)
10d) Will UsU allow me to root my device?
Yes. Ofc you can root with magisk as usual.
11) I follow your PoC thread since the beginning.. So UsU has no limitations regarding cell service/signal anymore?
Everything should work (cell service, mobile data, wifi, BT, call, sms, etc). UsU will not replace the complete bootloader stack as it was done in the early implementations.
By keeping your real bootloader stack the hardware like camera, modem / baseband can be initialized as it should and so no limitations are known (yet).
Again flashing an unofficial unlock is always a risk. Do not blame me when something is not working as it should.
You do this on your own responsibility
12) I want to flash a custom ROM but there is none for my model available what now?
SALT will show a field named GPT compatibility. Just flash a ROM which is compatible with your device. Thats it.
Read more about the compat check in SALT in the SALT FAQ #15.
13) I want to flash a custom ROM but it says "This ROM is for device xxxx but this device is >.< !! You told that I can flash any ROM so whats wrong here?
I wrote it in the LIMITATIONS/KNOWN ISSUES topic of the OP but here again:
Taken from the OP:
5) If a ROM has no active developer or the developer has not made it UsU compatible you may need to open the ROM zip file on your PC and change the update-script within (just remove the assert line at the top is enough)
Here a guide by @sdembiske https://forum.xda-developers.com/showpost.php?p=76405252&postcount=947
14) I have unlocked with UsU and all went fine. I flashed a ROM and it bootloops and now my phone died!! What have you done with my device? It never had this issue before in the last years!?
Unfortunately this is not UsU's fault. It's yours. Or better its LGs. The g4 is known to have faulty mainboard and when you boot a fresh flashed ROM this is very heavy cpu intensive and so can cause the ILAPO which means the hardware fault occurs. Yes it has not happened to you in the past but how often did you flash a new ROM in the past? Ask LG for a mainboard replacement (yes even when out of guarantee) or check the bootloop fix it list : https://bit.do/ilapofixg4
15) I flashed the LP modem, but now it wont let me get past lockscreen. Do I need to factory reset?
background info: the modem partition contains decrypt parts so the screenlock may fail to decrypt.
Doing a factory reset is one option which will fix this.
If you don't want to lose your data, reset just the password of the screen lock:
https://forum.xda-developers.com/android/software-hacking/remove-lockscreen-recovery-t3530008
16) I just wanna flash Nougat STOCK. Are there any worry free UsU downloads for it available?
Sure: here
After flashing ensure you flash your model baseband package!
After that and while still in TWRP: Choose Reboot -> RECOVERY ! This should ensure TWRP will not be overwritten on Android boot
17) What is the recommended way to backup with TWRP?
ONE/FIRST TIME backup. Do this just ONCE --> Select these partitions to backup:
Code:
- Firmware_Image
- EFS
- BL unlock state
- Bootloader
- Carrier
USUAL/DAILY BACKUP (e.g. to test other ROMs, before an upgrade, etc) --> Select these partitions to backup:
Code:
- Boot
- Recovery
- System
- Data
- Encryption metadata -> when your device is encrypted ONLY
- Firmware_Image
18) I have flashed the bootloader stack of N on my non-H815 device and now I have issues (no cell service, no bluetooth etc)
There could be 2 reasons why: Either you haven't read the OP guide properly and flashed the bootloader stack or you were one of the "early birds" flashed the full ROM which includes the Nougat bootloader stack.
H815-ONLY_ARB-0_29a_bootloader_UsU.zip (formerly named: G4_ARB-0_29a_bootloader_UsU.zip)
H815-ONLY_ARB-0_v29a_FULL-STOCK-ROM_UsU.zip (formerly named: G4_ARB-0_v29a_FULL-STOCK-ROM_UsU.zip)
The guide in the OP told you to do a SALT backup before flashing UsU.
If you have followed the guide properly you should have it and the above is one of the reasons why I said its required to do it.
( If you lost your backup there is still a way you can go: Follow FAQ #20 )
Open a terminal in the directory where your SALT backup before flashing UsU (or your extracted KDZ) is.
Then put your device in fastboot mode and type these commands:
Code:
fastboot flash factory factory.bin
fastboot flash hyp hyp.bin
fastboot flash modem modem.bin
fastboot flash pmic pmic.bin
fastboot flash rpm rpm.bin
fastboot flash sbl1 sbl1.bin
fastboot flash sdi sdi.bin
fastboot flash sec sec.bin
fastboot flash tz tz.bin
Read the output of the flashing on the screen and in your terminal. Do NOT flash anything else! Just the above - but ALL of the above! (if you miss a single file you will HARD BRICK)
If something is failing do NOT continue and try to re-do the above commands. If it still fails, write in this thread or better come into IRC (when between Monday and Friday)!
If something fails here it WILL brick your phone.
19) I have flashed UsU but now I always see a secure boot error text at the top of my screen when booting (TWRP, Android, download and fastboot mode). Is it possible to remove that?
Really? I mean REALLY? It's clearly written in the OP - CHANGES IN BEHAVIOR !
20a) I have flashed UsU and now I want to downgrade/upgrade my bootloader stack. How?
20b) You were on LP or older MM firmware when you flashed UsU and are now having issues? -> Upgrade your bootloader to MM! Read here how:
Download a KDZ of your device model.
Keep in mind that there are frankenstein devices out there (means refurbished devices with mixed hardware inside so you think u have model XXX as it was shown in Android but the mainboard is NOT the same!).
How to identify a Frankenstein device? Read FAQ #21.
IMPORTANT: Check the ARB of that KDZ (SALT will show the ARB of a KDZ on extract!) - If you are unsure - DO NOT PROCEED. you can easily hard brick your device if!
Extract that KDZ with SALT - DO NOT USE ANY OTHER TOOL FOR EXTRACTING! The known Windows tools like LG Firmware extract do not extract what we need here and not in the way we need it! So do not use that! You have been warned..
Open a terminal in the directory where your SALT backup from before flashing UsU (or your extracted KDZ) is.
Then put your device in fastboot mode and type these commands (you have another file extension? read FAQ #24):
Code:
fastboot flash factory factory.bin
fastboot flash hyp hyp.bin
fastboot flash modem modem.bin
fastboot flash pmic pmic.bin
fastboot flash rpm rpm.bin
fastboot flash sbl1 sbl1.bin
fastboot flash sdi sdi.bin
fastboot flash sec sec.bin
fastboot flash tz tz.bin
Alternative with TWRP (if the above fastboot cmds work for you no need to do this!):
Code:
Boot TWRP
adb push factory.bin /tmp/
adb push hyp.bin /tmp/
adb push modem.bin /tmp/
adb push pmic.bin /tmp/
adb push rpm.bin /tmp/
adb push sbl1.bin /tmp/
adb push sdi.bin /tmp/
adb push sec.bin /tmp/
adb push tz.bin /tmp/
adb shell sync
adb shell "dd if=/tmp/factory.bin of=/dev/block/bootdevice/by-name/factory"
adb shell "dd if=/tmp/modem.bin of=/dev/block/bootdevice/by-name/modem"
adb shell "dd if=/tmp/hyp.bin of=/dev/block/bootdevice/by-name/hyp"
adb shell "dd if=/tmp/pmic.bin of=/dev/block/bootdevice/by-name/pmic"
adb shell "dd if=/tmp/rpm.bin of=/dev/block/bootdevice/by-name/rpm"
adb shell "dd if=/tmp/sbl1.bin of=/dev/block/bootdevice/by-name/sbl1"
adb shell "dd if=/tmp/sdi.bin of=/dev/block/bootdevice/by-name/sdi"
adb shell "dd if=/tmp/sec.bin of=/dev/block/bootdevice/by-name/sec"
adb shell "dd if=/tmp/tz.bin of=/dev/block/bootdevice/by-name/tz"
Download this verify tool to ensure the flashing was successful: verifyflash.zip (mirror: http://leech.binbash.it:8008/misc/verifyflash.zip)
Usage:
extract verifyflash.zip
adb push verifyflash.sh /tmp/
adb shell chmod 755 /tmp/verifyflash.sh
adb shell /tmp/verifyflash.sh
Read the output of the flashing on the screen and in your terminal. Do NOT flash anything else! Just the above - but ALL of the above! (if you miss a single file you will HARD BRICK)
If something is failing do NOT continue and try to re-do the above commands. If it still fails, write in this thread or better come into IRC (when between Monday and Friday)!
If something fails here it WILL brick your phone.
21)What is a frankenstein device and how can I identify if I have one?
A so-called Frankenstein device shows up differently in Android than it is in hardware.
Often happens on "refurbished" devices and almost everything you can buy on AliExpress is one.
The only way to identify your REAL model is by disassembling the device.
No there is NO other way. Everything else can be tricked by software.
Follow the guide here: https://www.ifixit.com/Guide/LG+G4+Motherboard+Replacement/51202
now you are able to see the REAL model printed on the front of your mainboard.
Is a Frankenstein bad? Hell yes. Can you live with one? Up to you. Technically there are good chances that it works as it should - especially when UsU'ing it.
Main problem here is that some stupid ppl out there take a board (often a h810 or h812 but there is no restriction) and flash a different PBL (primary boot loader) on it to load what they like to load. usually they flash h815 ROMs as that is best for selling as it can be unlocked officially (which NEVER works - as the IMEI and/or serial will never list a Frankenstein as a h815).
So actually it is not 100% clear what they did with your phone EXACTLY - and that leaves room for bricks when flashing stuff - or even worse: you might encounter partly not working stuff. In most of the Frankensteins I saw they work good when you flash the real models ROMs, bootloader stacks and modem partitions but well there is no guarantee for nothing here!
Other than that you can use SALT (part of mAid) to determine your model. This with the ARB shown gives you an 80-90% clue of your real device model.
E.g. when you bought a h815 (which is known to NEVER EVER have an ARB higher than 0) and it shows h810 in SALT then you can be 100% sure that it is not a h815 and 90% sure that it is the model shown in SALT instead.
22)I have a H812 and having issues after flashing the N stock ROM / AOSCP Nougat. What can I do?
Walk throughs:
Stock N report: https://forum.xda-developers.com/showpost.php?p=75913373&postcount=12 by user @grantdb (consider to show ur appreciation by clicking thx on that post)
AOSCP N report: https://forum.xda-developers.com/showpost.php?p=75890188&postcount=361 by user @sdembiske (consider to show ur appreciation by clicking thx on that post)
LineageOS O report: https://forum.xda-developers.com/showpost.php?p=76799406&postcount=1100 by user @sdembiske (consider to show ur appreciation by clicking thx on that post)
23)uhm I wanna / I have flashed with QFIL...
I wrote millions of times that using qfil is f*** dangerous and shouldn't be used.
The process of using QFIL with the wrong files can CONVERT your device or blow fuses! Never ever use qfil unless you REALLY understand what files you flash:
This requires analyzing the files (hexedit) you are trying to flash with qfil, which is something 99% of average users CAN'T do.
Which means: do not use it unless you don't care about damaging your device ofc..
The only less-dangerous way is of unbricking from the 9008/QDL mode by my sdcard unbrick method but when you already used qfil you may have damaged your device already.
If you UsU'd your device there is even one more reason to NOT use qfil!
As said you shouldn't use qfil anyways but when you UsU'd your device it's even more important.
WHY I say using QFIL is evil?
Especially on devices which have no ARB >2 firmwares (like h812, h815, h818, h819 and F500) using QFIL is the worst idea you can have.
Just to be crystal clear: if you have UsU'd or not --> that doesn't matter!
QFIL is dangerous because:
some files you can find around will increase your ARB !
Increasing your ARB means you can never flash your original bootloader stack anymore (on devices having no ARB >2 firmwares)
If you can not flash your original bootloader stack anymore you can not load parts of the modem partition.
If you can not load these parts of the modem partition you can not get any cell service - full stop. Yes here it ends. You can't go back and so you are stuck with it like it is.
Well you can still go back by:
- replacing the mainboard
- replacing the cpu/whatever chip on the mainboard
There is ONE single exception to the above: If you have (still) a "nonfusing" device. Nonfusing devices may be able to flash any ARB but beware:
I had a nonfusing device which suddenly changed somewhen during my UsU hacking sessions.
I have one user who was able to flash a lower ARB than he had before because his device was stated as a nonfusing device. There is no guarantee but it is a chance for you.
Read more about the ARB background here: https://bit.do/unlockg4
24)I have a partition file with the extension: [ bin | image | img | mbn ]. How can I convert this?
The extension is not important. The way how you extract files - is. That's why I say all the time use SALT.
On Windows the file extension matters a lot which is not the case for Linux/Android.
There is no need to convert anything as they all are just raw image files.
25a)I have UsU'd but now in TWRP it does not show my model. Instead something like Chinese or strange characters.. How can I solve this?
25b)I have UsU'd but something went wrong while flashing..! I can still turn on the phone and I see the secure boot error.. What now?
25c)I have UsU'd but I cannot open the download mode anymore.. What now?
This can happen when you tried to flash UsU with a completely outdated version of SALT or using an unsupported version of FWUL (like using it in KVM, VMware ,..).
Ok how to fix this now?
Boot to fastboot mode.
Extract the UsU unlock zip file of your model.
Flash the following from that zip file:
Code:
fastboot flash raw_resources rawres_UsU.img
fastboot flash laf laf_UsU.img
That's it. TWRP will detect the model now correctly. If not share the TWRP log as described in the TWRP(!) thread FAQ 4a.
26a)How can I identify my bootloader stack from my backup files?
26b)How can I identify my current installed bootloader stack?
26a)
To find out which exact firmware version you had installed before UsU'd can be done easily when you have a backup (which you should have).
So to grab that info from your backup (requires Linux/FWUL):
Open a terminal in the directory where you have your SALT backup before UsU'd.
Then:
Code:
strings misc.bin | grep LG
It should display a long string containing your model name and the exact firmware version
26b)
There is no easy way atm for this. It is MUCH easier to just flash the newest bootloader stack like described in FAQ #20 in this post.
.. but if you really want something to start with:
a) do a SALT backup (basic)
b) extract sbl1 of any(!) KDZ files you can find for your model (you see now what a bad idea that is?)
c) do a md5sum on sbl1.img/bin (both: on your backup and the KDZ one) and compare. Once you have found a match you know the version.
27) a) What is the "bootloader stack" on the G4?
27) b) What is the boot process on a Qualcomm device like the G4?
The bootloader stack is a set of partitions (and optionally a partition table) which MUST be on the exact same firmware and ARB level.
There are exceptions to this but you really wanna risk a brick?
Keep the bootloader stack files together otherwise you will brick your device.
Why is explained in the following topic.
The LG G4's bootloader stack partitions are:
tz (Qualcomm Trust Zone. It performs low-level operations, including working with QFuses (rpmb secured mmc partition))
sbl1 (secondary bootloader)
sdi (trust zone storage partition. The data which is used by Trust Zone)
pmic (power management integrated circuit - related to rpm)
rpm (Resource and Power Manager firmware. Firmware for specialized SoC, responsible for resources and power)
aboot (<--- replaced by UsU ! so NEVER touch this again after UsU'ing) - Android boot, little kernel, lk, fastboot mode
hyp (Hypervisor - Virtual Machine Monitor, related to tz in order to protect the device/kernel - afaik)
Special partitions (NOT part of the bootloader stack - but either related, optional or as for the PBL - informative):
The following do not directly belongs to the above stack but it is related. You will never touch PBL, laf or raw_resources and the rest are optional ones.
PBL - Built-in ROM Qualcomm primary boot loader (read-only)
laf (download mode - can be anything on unlocked / UsU'd devices but for locked devices it MUST match the bootloader stack)
raw_resources - contains boot messages read by aboot. Examples: LG logo, bootloader has been unlocked warnings
recovery (recovery mode - can be anything on unlocked / UsU'd devices but for locked devices it MUST match the bootloader stack)
modem - hardware firmware (sound, baseband, camera, video, ...) accessed and loaded by rpm and Android (kernel, Android) - must STILL match the device's ARB of the bootloader! Otherwise those files cannot be read/loaded (most of them are signed so certificate protected!)
The boot process on a qualcomm device is as follows:
All of these partitions are signed by a certificate chain which starts in the PBL (which is read-only so cannot be altered - easily)
pbl  verifies and boots: sbl1 partition
sbl1 verifies and boots: tz, then: aboot
aboot verifies the next boot stage (boot / recovery / laf partition):
-> for locked devices: enforce verification result (so decline boot when failed)
-> for unlocked or UsU'd devices: print just a warning (so continue when failed)
For a graphical view: https://lineageos.org/engineering/Qualcomm-Firmware/ (G4 is: "2013-2016 Era")
28)a) I want STOCK - how can I revert back once I flashed a custom ROM?
28)b) how can I flash another version of any STOCK rom for my model?
for Nougat: FAQ #16
for any other:
extract with SALT system + boot + modem partition of the stock ROM kdz of your choice
(beware of the ARB!!! SALT will tell you on extracting the ARB and in the main window your device's ARB. do not flash anything higher than what the SALT main screen is showing or you might have a paperweight afterwards!!!! yes, even the system image can blow fuses!)
flash them in fastboot:
Code:
fastboot flash boot boot.img
fastboot flash system system.img
fastboot flash modem modem.img
boot TWRP (if you do not get into TWRP at the first try it gets overwritten. if that happens you must re-flash TWRP in fastboot)
flash the baseband package of your model
factory reset in TWRP (obviously all your data will be lost - so backup before)
if you encounter issues FORMAT data in TWRP (obviously all your data will be lost - so backup before)
29) I have a h810 and an ARB of 3 or higher. I heard there is a way to unlock this specific model somehow?! Is that true? If so how??
UsU will only work up to and including ARB 2 but the h810 is special as it turns out that its PBL (primary bootloader) SEEMS to be compatible with the h811.
There are 2 users reported that it worked for them but again this is EXTREMELY risky - especially on Frankensteins (i.e. refurbished models) !!!
I cannot guide you on that but check out my answer here: https://forum.xda-developers.com/showpost.php?p=80056484&postcount=1857
30) Video framerates are low(er) with UsU?
As mentioned in the OP above the video framerates might be lowered after flashing UsU.
This is due to the fact that the required files for high performance video will not load properly anymore and so must be replaced.
Replacing those firmware files is a risk and as it is working ok enough for the most users that patch will not be included in any ROM.
If you really think you need this patched ensure you read the instructions here thoroughly and understand them 100% before proceeding to apply it: G4-VideoLag-Fix
ZZZ) I have a problem / question not listed here. What should I do?
All known issues are either fixed or listed above but ofc it can happen that you find something which is not listed here and you want to report it.
The very first thing you have to do is:
Open TWRP
Choose the Wipe menu
Choose FORMAT DATA (not a factory reset!)
Test if your problem is gone
ATTENTION:
This will completely clean your internal storage - all pictures etc everything will be lost so ensure you have a backup!
HINT: TWRP will not save your internal storage in a backup (read here why) so you have to take care otherwise!
UsU background
UsU explained (in short words)
This is just for those want to understand what UsU is in detail and how it works.
If you are not interested in background information.. well it's worth reading anyway
rawres_UsU.img -> raw_resources partition
when to be flashed:
once (part of the unlock ZIP), after flashing another raw_resources partition
what it is:
Contains logo for boot, download mode and recovery loading
laf_UsU.img -> laf partition
when to be flashed:
once (part of the unlock ZIP), after flashing another laf partition
what it is:
The laf partition holds your download mode. This one is optimized for UsU and SALT.
aboot_UsU.img -> aboot partition
when to be flashed:
once (part of the unlock ZIP), after flashing another aboot partition (which should NEVER happen as it would hard brick your phone)
what it is:
The debug/engineering/whatever aboot partition and the heart of UsU. The aboot partition is part of your bootloader stack and besides this it also holds the fastboot mode.
It's a leaked file originally coming from Mohd Saqib (see credits in the OP) who may not even know what he provided in his unbrick guide.
Most important: If you ever flash a KDZ/TOT with one of the windows tools out there it will overwrite this partition and HARD-BRICK your device.
That's why I write this so explicit in the LIMITATIONS/KNOWN ISSUES topic of the OP!
For more details refer to the above FAQ #27!
<model>_UsU_baseband_flash-in-twrp.zip
when to be flashed:
once, after flashing another modem partition (e.g. H-ROM still containing the modem partition! which is incredibly bad practice btw)
what it is:
model dependent baseband / radio / modem files (the stuff needed to make your cell service work).
I extracted for every model these files and provided a flashable ZIP as this ensures the modem will not crash when on MM or N firmwares.
To be specific these files are always the latest LP basebands I was able to find/extract for each model and yes it's still kind of hackish this way.
If I will be able to get the kernel module working this file will be obsolete on newer ROMs but will be necessary on all which do not have that kernel patch.
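Added example (not part of the original post and not part of SALT): FAQ #18 and #20 above require that all nine images are flashed as one set, and FAQ #26b identifies a stack by comparing the md5sum of sbl1 from the backup with sbl1 from extracted KDZ files. The host-side helper below does both checks; the function names, the script file name and the directory layout are assumptions, and it only prints the fastboot commands, it does not run them.

```shell
#!/bin/sh
# Added example, not from the original post. Partition names are the nine
# from the FAQ's fastboot commands; function names are hypothetical.
STACK_PARTS="factory hyp modem pmic rpm sbl1 sdi sec tz"

# find_image DIR PART: print the path of PART's raw image in DIR.
# Any of the extensions listed in FAQ #24 is accepted.
find_image() {
    for fi_ext in bin img image mbn; do
        if [ -f "$1/$2.$fi_ext" ]; then
            printf '%s\n' "$1/$2.$fi_ext"
            return 0
        fi
    done
    return 1
}

# check_stack DIR: succeed only if every image of the set is present
# and non-empty; report each problem on stderr.
check_stack() {
    cs_rc=0
    for cs_part in $STACK_PARTS; do
        if ! cs_img=$(find_image "$1" "$cs_part"); then
            echo "MISSING: $cs_part" >&2
            cs_rc=1
        elif [ ! -s "$cs_img" ]; then
            echo "EMPTY:   $cs_img" >&2
            cs_rc=1
        fi
    done
    return "$cs_rc"
}

# print_flash_cmds DIR: print (never run) the flash commands, all or nothing.
print_flash_cmds() {
    check_stack "$1" || return 1
    for pf_part in $STACK_PARTS; do
        printf 'fastboot flash %s %s\n' "$pf_part" "$(find_image "$1" "$pf_part")"
    done
}

# match_sbl1 BACKUP_DIR KDZ_DIR...: print each KDZ directory whose sbl1 has
# the same md5 as the backup's sbl1 (the comparison from FAQ #26b).
# Returns 0 on at least one match, 1 on none, 2 if the backup has no sbl1.
match_sbl1() {
    ms_ref_img=$(find_image "$1" sbl1) || return 2
    ms_ref=$(md5sum "$ms_ref_img" | cut -d' ' -f1)
    shift
    ms_rc=1
    for ms_dir in "$@"; do
        ms_cand=$(find_image "$ms_dir" sbl1) || continue
        if [ "$(md5sum "$ms_cand" | cut -d' ' -f1)" = "$ms_ref" ]; then
            printf '%s\n' "$ms_dir"
            ms_rc=0
        fi
    done
    return "$ms_rc"
}

# Stand-alone use (file name is an assumption): sh stackcheck.sh <dir>
[ "$#" -eq 0 ] || print_flash_cmds "$1"
```

A complete file set says nothing about the ARB of those files; that check still has to be done with SALT as described in FAQ #20.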
Thank you man! I've been waiting for this since last July! Will try it as soon as I get home
Thank you.
I've been USU'd!
9TP968739A2116456
I think I will take a 1 year vacation now...
.
Congrats
You worked very hard over the last year.
Glorious
Even though I own an h815 I want to thank you for your work. This is truly glorious and truly impressive!
steadfasterX said:
I think I will take a 1 year vacation now...
.
Hahah. You deserve more than 1 year. I'm so excited to try it as soon as possible. Downloading necessary files right now. Thank you again!
Im not clear how you flash twrp. Do you use lglaf? adb? Please tell me
Congrats steadfaster!!!! Does anyone know if there are any working roms for VS986 yet?
TheLatios381 said:
Im not clear how you flash twrp. Do you use lglaf? adb? Please tell me
pls do not try to unlock bc the very first thing is it requires careful reading.
I do not flash TWRP but you would when you follow the guide.
How? It's all described. Read or do not go further.
.
I finished the unlock processes but now i cannot connect to the mobile network on VS986. Tried to set up the APN settings but not working. I'm on stock 13B Lollipop rom.
Edit: Figured it out. Had to do the modem flash from FAQ: 5c) I flashed UsU and now Android crashes with a blue/purple demigod screen
I followed the instructions. It worked. I'm using lineageOS on my h812!!! Thanks steadfasterX.
I installed RR 7.1.2 (H811 ver) on my h812 but there are a few issues popping up, like sound not working, youtube videos barely able to play, and sensors not working. Is anyone else experiencing these issues?
How would I go about telling if a ROM has a bootloader stack in it? I am slightly confused. Which versions would cause problems? Is it just v29a? Or are there more that cause problems?
I have read the limitations 6 times and I don't understand.
LS991 roms
Are the H815 roms supposed to be in the LS991 Lineage 13 folder?
Lg g4 h812
For the H812, which model should I take, H811 or H815?
TheLatios381 said:
I installed RR 7.1.2 (H811 ver) on my h812 but there are a few issues popping up, like sound not working and youtube videos barely playing, is anyone else experiencing these issues?
When sound is not working it's very likely a modem partition issue. Read the FAQ regarding bootloop and flash the modem partition of your device
adam_s_459_ said:
How would I go about telling if a ROM has a bootloader stack in it? I am slightly confused. Which versions would cause problems? Is it just v29a? Or are there more that cause problems?
I have read the limitations 6 times and I don't understand.
A custom ROM will never include a bootloader stack unless it is a stock ROM. Like the v29a.
If you open the ROM zip and you find a file named aboot do not flash it.
Custom ROMs like aoscp or LOS will never contain the bootloader stack.
TheDerpyLlamas said:
Are the H815 roms supposed to be in the LS991 Lineage 13 folder?
Ah good one I have to remove that folder.
And regarding your question read FAQ 12
TJtheBLueDragon said:
For the H812, which model should I take, H811 or H815?
read FAQ 12
Sent from my LG-H815 using XDA Labs
Since my H810 isn't my daily driver any more and after following this thread for a looong time I decided to take the plunge and unlock. Salt said "Some parts of UsU couldn't be flashed!" and continued but when that was done I was unable to boot into fastboot mode. From there things mostly failed. I do have a full salt backup from a few days ago. Right now the phone won't boot into either download or fastboot mode. Happy to be a guinea pig. Logs below:
https://bpaste.net/show/6028668ee3a1

[BEGINNERS GUIDE][Lollipop 5.1.1 .236] Root,Backup TA, UBL, Install Recovery

NOTE: DON'T HOLD ANYONE RESPONSIBLE IF SOMETHING GOES WRONG DURING THE PROCESS!
This thread contains full information you might need for rooting, backing up TA partition, unlocking bootloader, installing custom recovery, installing custom rom etc.
Some notes below, read them
-I try to keep this thread clean so people have an easier time navigating. @derjango has A LOT of info and fixes on his THREAD which is related to this one, give it a read
-Read comments if you have problems. You may find answer and fix there by other users. I wrote this thread few months after I did these steps to my phone so I likely made mistakes (e.g. I forgot or got some steps wrong). If you do see those mistakes or have problems that nobody else has, feel free to ask in comments.
-We will use legit rooting methods and not those sketchy one click root apps
-These instructions may apply for other z line devices but you will have to find ftf files for your own device
-Written for 14.6.A.1.236 firmware but it will work on any version that you have currently.
0. PREPARATIONS
Backup all your data (photos, videos, contacts etc.)
Fully charge your battery
Enable USB debugging
Download the following:
Latest XperiaCompanion from HERE (for drivers mainly)
Sony flashtool from HERE
Follow THIS thread to install adb drivers
Navigate to your C:\Flashtool\drivers and run Flashtool-drivers
Select Flashmode drivers, Fastboot drivers and Xperia Z1 Compact drivers and click install
Now download THIS and THIS and put it in C:\Users\username\.flashTool\firmwares
(Windows 8/8.1/10 users can try - THIS fix if you can't install flashtool drivers)
1. FLASHING .108 FIRMWARE
1.1. Run Flashtool and click on lightning button, make sure flashmode is selected and hit Ok
1.2. In left window click on + symbol until you find 14.4.A.0.108
1.3. Under wipe check both options
1.4. Click Flash
1.5. Wait
1.6. Follow the on screen instructions
(You can release vol- when you see activity in flashtool window)
(If you get device disconnected just unplug phone and repeat all from step 1.1)
1.7. Don't touch anything until blue progress bar disappears. You should see Device disconnected> Device connected in flash mode.
(Don't worry if bar gets stuck near end just let it do its thing)
1.8. Disconnect phone and reboot
1.9. Done!!!
(Do only basic setup, we won't be staying on this rom for long)
2. ROOTING .108 FIRMWARE
2.1. Make sure USB debugging is enabled
2.2. Download THIS Easy Root Tool by zxz0O0
2.3. Unzip and run install.bat
2.4. Download SuperSu apk from HERE put it in internal storage and install it.
2.5. Update binary normally.
2.6. Done!!! You should have root now.
(Download Root Checker to make sure you do)
3. TA PARTITION BACKUP
(NOTE: This is absolutely not necessary and is only needed if you plan to go back to stock firmware AND use BionZ, X-Reality and Music ID/Gracenote. TA partition and DRM keys stored inside get erased when you unlock bootloader.)
3.1 Download THIS Backup TA v9.11 by DevShaft
3.2. Extract and run Backup-TA.bat. You should see backup>TA backup.zip in main folder where you extracted
3.3. Backup whole folder to cloud since you can't flash someone else's backup if you lose yours
3.4. Done!!!
(Read linked thread for useful information and FAQ)
4. UNLOCKING BOOTLOADER
4.1. Dial *#06# on your device. You will see your IMEI code
4.2. Go HERE and scroll to bottom
4.3. Under select device select Z1 Compact and enter your IMEI code
4.4. Check the 2 boxes and click on submit. You will get your unlock code. Copy it to clipboard
4.5. Run Flashtool again and click on "BLU" button
4.6. Connect phone in flashmode.
4.7. When prompted, enter your unlocking code that you copied from SONY website
4.8. Click unlock.
(Follow any instructions that flashtool gives you. I don't remember if there are any after this)
4.9. Done!!! Your bootloader is unlocked!
5. FLASHING RECOVERY
This is how I did it. You can try to skip step 5.2. If it doesn't work try again following all steps
5.1. Download THIS TWRP by 115ek and extract recovery image in new folder
5.2. Run Flashtool and flash 14.6.A.1.236 just like you did with .108 in first step (If you have problems here see THIS comment)
5.3. Now without rebooting or disconnecting your phone flash THIS open bootloader with flashtool just like you flashed system ftf-s.
5.4. Disconnect your phone and press volume up and connect your data cable. You should see blue led.
5.5. Now enter that folder where you extracted recovery image and press shift and right click in empty window area and select Open Command window here (Powershell for windows 10 users should work fine I think. Never used it)
5.6. Type "fastboot flash recovery recovery.img" and hit enter.
5.7. Done!!! You should have your recovery now.
To reboot to recovery first disconnect your phone and hold volume down and power button. Release power button when phone vibrates but keep holding volume down until you see twrp logo.
AND THAT IS IT
Now that you have your recovery and unlocked bootloader you can flash whatever roms, kernels, mods that you want for your phone.
Thanks to:
derjango for his thread mentioned above
munjeni For supplying open bootloader ftf and for giving me support with my problems
Androxyde For Flashtool
Snoop05 For ADB driver tool
zxz0O0 For Root tool And PRF Creator tool
DevShaft For Backup TA tool
115ek For TWRP
[NUT] For XZDualRecovery
kulvertti For SuperSu Dummy
Placeholder
I'm really struggling to get past unlocking the bootloader and starting to get quite confused.
Sony Companion is up to date.
Flashtool installed and used to flash .108 firmware.
Device is rooted using Easyroot tool.
Supersu installed and binary updated.
When I go to run BLU in Flashtool it prompts me to connect my device whilst holding the volume-down button (so flash mode). A couple of seconds after doing that it prompts me to re-connect the device whilst holding the volume-up button (so fastboot mode), but nothing happens. Blue LED is on the device, but Flashtool does absolutely nothing.
When I check Flashtool-driver it does fail to install the AndroidUsbDeviceClass driver, but when I run the 15-second ADB Installer it completes successfully - plus I was able to flash the firmware earlier so I don't see why I'd now have a driver issue.
Any ideas? It's starting to drive me crazy.
Here is what you can try.
Connect your phone to pc and in command prompt type adb reboot bootloader or hold vol+ and connect your phone
Your phone will be booted to fastboot now
Now type fastboot devices
You should see
XXXXXXXXXblabla fastboot
If you see this that means that your phone is recognized in fastboot by your pc.
If you see <waiting for device> or something else go to your device manager while still in fastboot
IIRC you should see under other devices something like saXXXX or something
You can tell me what exactly it says or you can fix it yourself by googling that number and adding fastboot driver and update it manually through device manager
If you decide to do it yourself make sure you link me website where you link me thread where you found driver and write down instructions so other people can see it
If you have any other problems feel free to reply
Also i just noticed that i didn't include that you lose ta partition when ubl and since you don't have ta backup make sure you make one. You never know when you might need it
Ok, thanks for that I definitely had a problem with driver installation so followed the steps in this video - https://www.youtube.com/watch?v=fcz4o6fpDGc
Now I am a bit stuck on flashing recovery.
5.2. Run Flashtool and flash 14.6.A.1.236 just like you did with .108 in first step --- do I also check both options under Wipe? will this not remove root?
5.3. Now without rebooting or disconnecting your phone flash THIS just like you did with system ftf-s. --- not sure what I'm meant to do here
Glad you fixed that problem
Flash that file through flashtool just like you flashed system ftf
Also yes that will remove root but we had that root only to backup ta and unlock bootloader. Since you unlocked bootloader and you install twrp you can easily root any rom
I get the "'fastboot' is not a recognised ..." error when trying to flash recovery - using Windows PowerShell as I'm on Win10.
EDIT: running CMD then moving to the location where ADB was installed and which contains fastboot.exe worked.
Thanks for the guide!
scanz said:
I get the "'fastboot' is not a recognised ..." error when trying to flash recovery - using Windows PowerShell as I'm on Win10.
That means you don't have fastboot drivers installed. Here is temporary fix that got me out of frustrating situations when i can't install drivers systemwise
https://mega.nz/#F!aBoUXI5Q!RmxLAO638aHNJKLwo00Hew
If it downloads as zip first unzip it and run command prompt/powershell in that folder or in powershell type cd and drag that folder, that should do the same.
fastboot will now be recognised as command
this also includes adb drivers
Just wondering, I'm trying to get Magisk running after finishing the steps in your guide, but it does not pass any of the SafetyNet checks - even basicIntegrity check comes back false. Have you any ideas or experience with this? If so perhaps you could include it as part of the guide
If you get cts false that means you flashed rom that comes with supersu preinstalled. You could try installing rom without magisk and removing su then flashing magisk.
Not sure about integrity tho. I heard that xposed can cause problems with that.
colaigor said:
5.3. Now without rebooting or disconnecting your phone flash THIS with flashtool just like you flashed system ftf-s.
I get this:
23/015/2018 22:15:07 - INFO - Selected Bundle for Sony Xperia Z1 Compact(D5503). FW release : 1. Customization : openbootloader
23/015/2018 22:15:07 - INFO - Preparing files for flashing
23/015/2018 22:15:07 - INFO - Please connect your device into flashmode.
23/015/2018 22:15:08 - INFO - Opening device for R/W
23/015/2018 22:15:08 - INFO - Device ready for R/W.
23/015/2018 22:15:08 - INFO - Reading device information
23/015/2018 22:15:08 - INFO - Unable to read from phone after having opened it.
23/015/2018 22:15:08 - INFO - trying to continue anyway
23/015/2018 22:15:08 - INFO - Phone ready for flashmode operations.
23/015/2018 22:15:08 - INFO - Opening TA partition 2
23/015/2018 22:15:08 - INFO - Start Flashing
23/015/2018 22:15:08 - INFO - No loader in the bundle. Searching for one
23/015/2018 22:15:13 - INFO - Processing loader.sin
23/015/2018 22:15:13 - INFO - Checking header
23/015/2018 22:15:13 - ERROR - Processing of loader.sin finished with errors.
23/015/2018 22:15:13 - INFO - Ending flash session
23/015/2018 22:15:13 - ERROR - null
23/015/2018 22:15:13 - ERROR - Error flashing. Aborted
23/015/2018 22:15:14 - INFO - Device connected in flash mode
Are you sure you installed flashtool and other drivers? I can't think of any other cause for this problem right now
I flash 14.6.A.1.236 without problems using flashtool, so drivers should be OK; maybe because I'm using a Mac instead of Windows?
_Pano_ said:
I flash 14.6.A.1.236 without problems using flashtool, so drivers should be OK; maybe because I'm using a Mac instead of Windows?
Found this boot bridge for Mac users. You may try it and see if it works. Can't really tell you anything about drivers on Mac since I never touched one.
Also, the mega file may be corrupted. You can try downloading from this comment, where I downloaded openbl from.
Do you have a Windows machine to try flashing?
Yes, I'll try tomorrow using Windows 10, thanks.
colaigor said:
Found this boot bridge for Mac users. You may try it and see if it works. Can't really tell you anything about drivers on Mac since I never touched one.
Also, the mega file may be corrupted. You can try downloading from this comment, where I downloaded openbl from.
Do you have a Windows machine to try flashing?
ok, I flash .236 linked in your first post and then without rebooting or disconnecting the device I flash openbootloader and I see:
24/020/2018 09:20:14 - INFO - Closing TA partition
24/020/2018 09:20:14 - INFO - Ending flash session
24/020/2018 09:20:14 - INFO - Flashing finished.
24/020/2018 09:20:14 - INFO - Please unplug and start your phone
24/020/2018 09:20:14 - INFO - For flashtool, Unknown Sources and Debugging must be checked in phone settings
24/020/2018 09:20:16 - INFO - Device connected in flash mode
24/022/2018 09:22:15 - INFO - Selected Bundle for Sony Xperia Z1 Compact(D5503). FW release : 1. Customization : openbootloader
24/022/2018 09:22:15 - INFO - Preparing files for flashing
24/022/2018 09:22:15 - INFO - Please connect your device into flashmode.
24/022/2018 09:22:15 - INFO - Device connected in flash mode
24/022/2018 09:22:16 - INFO - Using Gordon gate drivers version 3.1.0.0
24/022/2018 09:22:16 - INFO - Opening device for R/W
24/022/2018 09:22:16 - INFO - Device connected in flash mode
that's all? 1 second flash?
_Pano_ said:
that's all? 1 second flash?
Sorry for late answer.
Does it work? I don't remember how much it took to flash tbh
colaigor said:
Sorry for late answer.
Does it work? I don't remember how much it took to flash tbh
Yes, after various attempts: after flashing .236 I had to disconnect and reconnect the phone in order to flash openbootloader; otherwise it doesn't flash.
Thank you for these tutorials. I now have a rooted Z1 Compact, Lollipop 5.11, locked bootloader. My question is: how can I debloat my phone? I want to uninstall other system apps that I don't need and I want to install Xposed on my own. Sorry, I am a newbie.
xjhayar09 said:
Thank you for these tutorials. I now have a rooted Z1 Compact, Lollipop 5.11, locked bootloader. My question is: how can I debloat my phone? I want to uninstall other system apps that I don't need and I want to install Xposed on my own. Sorry, I am a newbie.
You can download Titanium Backup from the Play Store and delete all that you don't need and keep what you need. Also, you can find a TWRP-flashable script that deletes all bloatware. Just search "xperia lollipop debloat script" on XDA.
