Disclaimer: Maybe this problem is solved, maybe not. I’m watching it and will try to keep this updated if anything follows. The solution is at the end of this post, and my tambourine dancing with all this crap comes right after this disclaimer.
About my phone
- Xperia X Performance Dual
- Model for Russian market, purchased in Russian Federation
- Android 8.0
- Firmware: 41.3.A.2.107
- Magisk 19.3
- TA partition backed up before bootloader unlocked
- Stock kernel with an injected copy of the TA partition and a newer Magisk, via Rootkernel V5.23 (this manual)
Good f*cking morning
My phone surprised me with an empty battery in the morning. It didn’t even turn on the screen – it just flashed the red LED when I tried to turn it on.
That was strange to me, because it had woken me up half an hour earlier at 25% charge. The battery itself is relatively healthy. With 25% I can go from town to town through an area with moderate network coverage while listening to music over Bluetooth. The phone counts the battery percentage correctly – the OS shuts down when it reaches 1%. No sudden jumps from 8% to 1%, for example.
It has got colder at home recently, but it’s still not 0 degrees, so the phone can’t have just turned off from the cold.
Charging didn’t help at first glance. For 10 minutes it kept flashing the red LED without even showing the charging screen.
After a while I tried to reboot with Power+Vol Up and it started to boot! A charging screen appeared with 1%.
I was glad that it worked. But when I booted into Android I noticed that my phone had prepared a little surprise for me…
My phone stopped picking up any network. It just showed Emergency calls only while I explored the settings.
I opened battery statistics and discovered there that my battery had been eaten by cellular activity.
I tried a reboot, toggling airplane mode, cleaning the SIM card, switching to the other SIM slot – everything stayed the same.
My guess was that it was a Yota outage and network discovery had drained the battery to 0%. But there is a catch…
First, my other phone is on the MegaFon network and it works. Yota, as a subsidiary of MegaFon, works as an MVNO on MegaFon’s network (according to some sources they have their own LTE network, but everything other than that is MegaFon’s).
Then I discovered that the SIM card had been renamed from YOTA to CARD 1. I started to suspect that the problem was in the SIM card or the device itself.
The phone reads all information like IMEI, IMEI SV and IMSI correctly.
Manual network search is not available. It shows “Searching for networks” for a moment, but then this message disappears and nothing happens.
“Bloody hell! Time for repair!” – I thought. While thinking about the repair service hell I would soon have, I figured I might find the truth about this mess myself…
I downloaded Netmonitor and started it. And it shows all the base stations nearby! So the radio part is working…
In another window I opened logcat in a terminal and tried to manually search for networks from Settings.apk. There was this interesting message…
```
09-24 12:10:42.638 24974 24974 I tad     : Trim Area daemon starting.
09-24 12:10:42.638 24974 24974 I tad     : Using trim area info (0,16) from arguments.
09-24 12:10:42.638 24974 24974 E tad     : Failed to open /data/local/tmp/TA.img (No such file or directory)
09-24 12:10:42.638 24974 24974 E tad     : Failed to configure TA library.
```
So it is the TA partition that causes all this mess. To verify that, I went to the X-Reality settings. Yep, it doesn’t work.
On a device that wasn’t unlocked you will notice that switching the modes there gives you more or less saturation on screen. On unlocked devices the switches simply don’t affect image saturation.
I had that second scenario: the switches had no effect. But I have a TA backup from before the unlock, and it was patched into boot.img, so X-Reality should work. It didn’t.
At work I started with the directory that I had seen in logcat earlier:
```
F8132:/ # ls -la /data/local/tmp/
total 16
drwxrwx--x 2 shell shell 4096 2019-09-24 12:15 .
drwxr-x--x 5 root  root  4096 2019-08-30 11:40 ..
-rw-rw---- 1 root  root   834 2019-09-24 17:10 cmdline
-rw-rw---- 1 root  root   311 2019-09-24 17:10 init.ta_poc-log.txt
```
OK, TA.img is not there. But there is a log file, init.ta_poc-log.txt:
```
F8132:/ # cat /data/local/tmp/init.ta_poc-log.txt
Executing init.ta_poc.sh:
- /data/local/tmp/TA.img not found!
- Copying /sbin/TA.img to /data/local/tmp/TA.img
cp: bad '/sbin/TA.img': Permission denied
- Wiping drm folders (credmgr, drm and mediadrm)
All done!
Executing init.ua_modem_switcher.sh:
- Removing old modem_switcher_status file
- Running /sbin/ua-modem-switcher binary
- ua-modem-switcher finished with status 255
All done!
```
Oops! The TA image has disappeared from there and I don’t know why. It should be copied from /sbin/TA.img on boot, but the script was unable to do that for some reason. Then ua-modem-switcher failed; I guess that was because TA.img wasn’t found.
Googling didn’t help, so I started sorting this mess out myself.
Well, /sbin/TA.img is a symlink to /root/TA.img.
```
F8132:/ $ ls -la /sbin/
total 472
drwxr-xr-x  3 root root    520 1971-10-13 23:02 .
drwxr-xr-x 26 root root   1340 1971-10-13 23:02 ..
lrwxrwxrwx  1 root root     13 1971-10-13 23:02 .core -> /sbin/.magisk
drwxr-xr-x  6 root root    160 1971-10-13 23:02 .magisk
lrwxrwxrwx  1 root root     12 1971-10-13 23:02 TA.img -> /root/TA.img
lrwxrwxrwx  1 root root     10 1971-10-13 23:02 adbd -> /root/adbd
lrwxrwxrwx  1 root root     13 1971-10-13 23:02 charger -> /root/charger
lrwxrwxrwx  1 root root     23 1971-10-13 23:02 checkabortedflash -> /root/checkabortedflash
lrwxrwxrwx  1 root root     13 1971-10-13 23:02 fota-ua -> /root/fota-ua
lrwxrwxrwx  1 root root     14 1971-10-13 23:02 fsckwait -> /root/fsckwait
-rwxr-xr-x  1 root root 141664 1971-10-13 23:02 magisk
lrwxrwxrwx  1 root root     12 1971-10-13 23:02 magiskhide -> /sbin/magisk
-rwxr-xr-x  1 root root 337056 1971-10-13 23:02 magiskinit
lrwxrwxrwx  1 root root     16 1971-10-13 23:02 magiskpolicy -> /sbin/magiskinit
lrwxrwxrwx  1 root root      8 1971-10-13 23:02 mr -> /root/mr
lrwxrwxrwx  1 root root     12 1971-10-13 23:02 resetprop -> /sbin/magisk
lrwxrwxrwx  1 root root      9 1971-10-13 23:02 ric -> /root/ric
lrwxrwxrwx  1 root root     15 1971-10-13 23:02 slideshow -> /root/slideshow
lrwxrwxrwx  1 root root     12 1971-10-13 23:02 su -> /sbin/magisk
lrwxrwxrwx  1 root root     16 1971-10-13 23:02 supolicy -> /sbin/magiskinit
lrwxrwxrwx  1 root root     16 1971-10-13 23:02 tad_static -> /root/tad_static
lrwxrwxrwx  1 root root     23 1971-10-13 23:02 ua-modem-switcher -> /root/ua-modem-switcher
lrwxrwxrwx  1 root root     13 1971-10-13 23:02 ueventd -> /root/ueventd
lrwxrwxrwx  1 root root     21 1971-10-13 23:02 wait4tad_static -> /root/wait4tad_static
lrwxrwxrwx  1 root root     15 1971-10-13 23:02 watchdogd -> /root/watchdogd
lrwxrwxrwx  1 root root     14 1971-10-13 23:02 wipedata -> /root/wipedata
```
Permission denied? Why? It has 644 permissions!
```
F8132:/ # ls -la /root/
total 14288
drwxr-x---  2 root root     340 1971-10-13 20:31 .
drwxr-xr-x 26 root root    1340 1971-10-13 20:31 ..
-rw-r--r--  2 root root 2097152 2019-06-13 14:27 TA.img
-rwxr-x---  2 root root 1800120 2019-06-13 14:27 adbd
-rwxr-x---  2 root root  838552 2019-06-13 14:27 charger
-rwxr-x---  2 root root  820216 2019-06-13 14:27 checkabortedflash
-rwxr-x---  2 root root 2261616 2019-06-13 14:27 fota-ua
-rwxr-x---  2 root root  925904 2019-06-13 14:27 fsckwait
-rwxr-x---  2 root root 1570360 2019-06-13 14:27 mr
-rwxr-x---  2 root root  649800 2019-06-13 14:27 ric
-rwxr-x---  2 root root  706728 2019-06-13 14:27 slideshow
-rwxr-x---  2 root root  633128 2019-06-13 14:27 tad_static
-rwxr-x---  2 root root  649784 2019-06-13 14:27 ua-modem-switcher
lrwxrwxrwx  2 root root       7 2019-06-13 14:27 ueventd -> ../init
-rwxr-x---  2 root root  607856 2019-06-13 14:27 wait4tad_static
lrwxrwxrwx  2 root root       7 2019-06-13 14:27 watchdogd -> ../init
-rwxr-x---  2 root root 1043032 2019-06-13 14:27 wipedata
```
ACLs? Wrong SELinux context? I don’t know.
Vanga Mode (UPDATE: see below)
I installed two things on my phone last week:
- Magisk Manager 7.3.4 update
I think that FDE.AI does nothing wrong here; there is nothing wrong in its log file. And it was installed several days before this happened. I did multiple reboots with it and everything was fine. On the other hand, Magisk Manager was installed 1-2 days ago. I don’t know why Permission denied started to happen. Maybe starting from Magisk Manager 7.3.4 some scripts started to run with a non-root uid/gid?
But there are no commits related to that in Magisk Manager.
I discovered that it’s FDE.AI that causes the problem. Multiple reboots with it cause this problem somehow. I tried turning it on again and got this problem back.
Why does the network become unavailable?
The TA partition contains unique settings for every phone (not per model, but per individual phone). Most devices have a similar space for such unique settings. For example: TP-Link routers have an ART partition, and Siemens phones had EEPROM space for that.
The same settings cannot be used on two Xperia X Performance units even if they left the factory at the same time. If someone tries to flash these settings from one device to another, that device becomes unstable or even unbootable. AFAIK Sony devices brick permanently if a different TA is flashed. Even a service center can’t help you with that: they just replace the motherboard in this situation.
I guess that TA contains the carrier SIM lock status. The OS was unable to read it and as a result can’t initialize the cellular module correctly.
In this situation we have a correct TA partition on flash (just without DRM keys), but the OS doesn’t use it. It uses its copy (with DRM keys) from the image. Because of all that, the bootloader starts correctly and Android starts correctly, but then the special daemon called tad starts. It tries to mount the TA partition from the file, fails, and some services that need TA at this point fail to start correctly – the cellular daemon, for example.
The strange thing is that Bluetooth and Wi-Fi worked correctly, and I even wrote part of this post with them. Probably they are configured from the real TA.
The (possible) solution
- All of this relates ONLY to Sony devices! Other devices don’t have TA partitions! If you have a similar problem on a non-Sony device – this solution is not for you!
- All of this relates to the situation where you’ve patched boot.img through the Rootkernel utility with a TA.img copy. If you’ve installed drm-fix or you’ve restored the TA image directly to flash via recovery/fastboot – this solution is not for you either!
- All of this was tested on only one device: Xperia X Performance on Android 8.0 (41.3.A.2.107). You may see different results on other devices or firmwares.
- If you do everything correctly, nothing bad should happen, but you can still fuck up your device! I warned you! PROCEED AT YOUR OWN RISK!
- Please, do not forget about backups that you can restore if anything goes wrong!
- If your device doesn’t boot, you can boot into recovery and remove /data/local/tmp/TA.img to revert everything. If it still can’t boot after this, your only options are to wipe userdata or flash everything from scratch.
Why is this solution possible?
- Why is this file removed? Should it be removed?
- Why Permission denied, if I can do this manually? All permissions are correct.
What to do?
- Remove FDE.AI.
- You need to manually copy /root/TA.img to /data/local/tmp/TA.img.
If you have any other valid TA copy, you can use that instead of /root/TA.img.
First Way: any file manager, ES File Explorer or Root Explorer for example.
In this example ES File Explorer is used.
Turn on Root mode and grant superuser permissions.
Go to the /root directory.
Go to the /data/local/tmp directory.
Paste copied file.
Alternative Way: Terminal
Open terminal or connect via adb.
Enter su and grant superuser permissions.
```
cp /root/TA.img /data/local/tmp/TA.img
reboot
```
What should happen after that?
Your phone should register on the network correctly. X-Reality should work again. After screen unlock, NFC was updated. init.ta_poc-log.txt should look like this:
```
F8132:/ $ cat /data/local/tmp/init.ta_poc-log.txt
Executing init.ta_poc.sh:
- Found /data/local/tmp/TA.img
- Chown-ing /data/local/tmp/TA.img
- Chmod-ing /data/local/tmp/TA.img
All done!
Executing init.ua_modem_switcher.sh:
- Removing old modem_switcher_status file
- Running /sbin/ua-modem-switcher binary
- ua-modem-switcher finished with status 0
All done!
```
The script should not copy TA from boot.img because the file already exists, and ua-modem-switcher should exit correctly with 0.
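The manual fix above and the log check that follows it, as an added shell script that is not part of the original post: it reads the ua-modem-switcher status out of init.ta_poc-log.txt, restores the missing copy from /root/TA.img, verifies it with cmp, and refuses to overwrite a TA.img that is already there but differs. The paths and the 2097152-byte size are the ones shown in the listings above; the function names are the example's own.

```shell
#!/system/bin/sh
# Added example, not from the original post. Checks the state that the post's
# init.ta_poc-log.txt shows and restores /data/local/tmp/TA.img from the stock
# copy at /root/TA.img. Paths and the 2097152-byte size come from the post's
# listings; the function names are this example's own. Run as root (su).

TA_SRC="${TA_SRC:-/root/TA.img}"
TA_DST="${TA_DST:-/data/local/tmp/TA.img}"
TA_LOG="${TA_LOG:-/data/local/tmp/init.ta_poc-log.txt}"
TA_SIZE=2097152

# Print the last exit status ua-modem-switcher wrote to the log (255 in the
# broken state, 0 after the fix), or "unknown" if the log is not readable.
ta_switcher_status() {
  [ -r "$1" ] || { echo unknown; return 0; }
  s=$(sed -n 's/.*ua-modem-switcher finished with status \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
  echo "${s:-unknown}"
}

# Print "ok" if the copy is present and byte-identical to the source,
# "missing" if it is absent, "differs" if some other file sits there.
ta_copy_state() {
  [ -e "$2" ] || { echo missing; return 0; }
  cmp -s "$1" "$2" && echo ok || echo differs
}

# Copy the TA image into place and verify it. Refuses to overwrite a file that
# is already there but differs: a TA image from another unit must not be used.
ta_restore() {
  src="$1"; dst="$2"
  [ -r "$src" ] || { echo "$src is not readable" >&2; return 1; }
  [ "$(wc -c < "$src" | tr -d ' ')" -eq "$TA_SIZE" ] ||
    { echo "$src is not $TA_SIZE bytes, refusing" >&2; return 1; }
  case "$(ta_copy_state "$src" "$dst")" in
    ok)      echo "TA.img already in place"; return 0 ;;
    differs) echo "$dst exists and differs from $src, not overwriting" >&2; return 2 ;;
  esac
  cp "$src" "$dst" || return 1
  cmp -s "$src" "$dst"
}

# Does nothing unless told to: 'sh ta_check.sh status' reports, 'sh ta_check.sh apply'
# restores the copy and reboots, as the post's manual cp + reboot does.
case "${1:-}" in
  status) echo "switcher: $(ta_switcher_status "$TA_LOG"), copy: $(ta_copy_state "$TA_SRC" "$TA_DST")" ;;
  apply)  ta_restore "$TA_SRC" "$TA_DST" && reboot ;;
esac
```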