This post in Russian

Disclaimer: Maybe this problem is solved, maybe not. I’m watching it and will try to keep this post updated if anything follows. The solution is at the end of this post; my tambourine dancing with all this crap comes right after this disclaimer.

About my phone

  • Xperia X Performance Dual
  • Model for Russian market, purchased in Russian Federation
  • Android 8.0
  • Firmware: 41.3.A.2.107
  • Magisk 19.3
  • TA partition backed up before bootloader unlocked
  • Stock kernel with injected copy of the TA partition and newer Magisk via Rootkernel V5.23 (this manual)

Good f*cking morning

My phone surprised me with an empty battery in the morning. It didn’t even turn on the screen – it just flashed the red LED when I tried to turn it on.

That was strange, because it had woken me up half an hour earlier with 25% charge. The battery itself is relatively healthy: with 25% I can go from town to town through an area with moderate network coverage while listening to music over Bluetooth. The phone counts battery percentage correctly – the OS shuts down when it reaches 1%, with no sudden jumps from 8% to 1%, for example.

It has got colder at home recently, but still not 0 degrees, so the phone can’t have turned off just from the cold.

Charging didn’t help at first glance. For 10 minutes it kept flashing the red LED and didn’t even show the charging screen.

After a while I tried to reboot with Power+Vol Up and it started to boot! The charging screen appeared showing 1%.

I was glad that it worked. But when I booted into Android I noticed that my phone had prepared a little surprise for me…

No SIM card in the first slot. The second has one, but registration failed

My phone stopped picking up any network. It just showed Emergency calls only while I explored the settings.

I opened battery statistics and discovered that my battery had been eaten by cellular activity.

I tried a reboot, toggling airplane mode, cleaning the SIM card, switching to the other SIM slot – everything stayed the same.

My guess was that it was a Yota outage and network discovery had drained the battery to 0%. But there is a catch…

First, my other phone is on the MegaFon network and it works. Yota, as a subsidiary of MegaFon, works as an MVNO on MegaFon’s network (according to some sources they have their own LTE network, but everything other than that is MegaFon’s).

Then I discovered that the SIM card had been renamed from YOTA to CARD 1. I started to suspect that the problem was in the SIM card or the device itself.

The phone picks up all information like IMEI, IMEI SV and IMSI correctly.

Manual network search is not available. It shows “Searching for networks” for a moment, but then the message disappears and nothing happens.

“Bloody hell! Time for repair!” – I thought. While thinking about the repair service hell that awaited me, I figured I might as well find the truth about this mess…

I downloaded Netmonitor and started it. And it shows all base stations nearby! So, the radio part is working…

In another window I opened logcat in a terminal and tried to search networks manually from Settings.apk. There was this interesting message…

09-24 12:10:42.638 24974 24974 I tad     : Trim Area daemon starting.
09-24 12:10:42.638 24974 24974 I tad     : Using trim area info (0,16) from arguments.
09-24 12:10:42.638 24974 24974 E tad     : Failed to open /data/local/tmp/TA.img (No such file or directory)
09-24 12:10:42.638 24974 24974 E tad     : Failed to configure TA library.

So, it is the TA partition that causes all this mess. To verify that I went to the X-Reality settings. Yep, it doesn’t work.

On a device that hasn’t been unlocked, switching modes there makes the screen more or less saturated. On unlocked devices the switches just don’t affect image saturation.

I had the second scenario, where the switches had no effect. But the point is that I have a TA backup taken before unlocking, and it was patched into boot.img, so X-Reality should work. But it didn’t.

Diving deep

At my workplace I started with the directory I had seen in logcat earlier:

F8132:/ # ls -la /data/local/tmp/
total 16
drwxrwx--x 2 shell shell    4096 2019-09-24 12:15 .
drwxr-x--x 5 root  root     4096 2019-08-30 11:40 ..
-rw-rw---- 1 root  root      834 2019-09-24 17:10 cmdline
-rw-rw---- 1 root  root      311 2019-09-24 17:10 init.ta_poc-log.txt

OK, TA.img is not there. But there is a log file – init.ta_poc-log.txt:

F8132:/ # cat /data/local/tmp/init.ta_poc-log.txt
Executing init.ta_poc.sh:
- /data/local/tmp/TA.img not found!
- Copying /sbin/TA.img to /data/local/tmp/TA.img
cp: bad '/sbin/TA.img': Permission denied
- Wiping drm folders (credmgr, drm and mediadrm)
All done!
Executing init.ua_modem_switcher.sh:
- Removing old modem_switcher_status file
- Running /sbin/ua-modem-switcher binary
- ua-modem-switcher finished with status 255
All done!

Oops! The TA image has disappeared from there and I don’t know why. It should be copied from /sbin/TA.img on boot, but this script was unable to do that for some reason. Then ua-modem-switcher failed, I guess because TA.img wasn’t found.

Googling didn’t help, so I started to sort this mess out myself.

Well, /sbin/TA.img is a symlink to /root/TA.img.

F8132:/ $ ls -la /sbin/
total 472
drwxr-xr-x  3 root root    520 1971-10-13 23:02 .
drwxr-xr-x 26 root root   1340 1971-10-13 23:02 ..
lrwxrwxrwx  1 root root     13 1971-10-13 23:02 .core -> /sbin/.magisk
drwxr-xr-x  6 root root    160 1971-10-13 23:02 .magisk
lrwxrwxrwx  1 root root     12 1971-10-13 23:02 TA.img -> /root/TA.img
lrwxrwxrwx  1 root root     10 1971-10-13 23:02 adbd -> /root/adbd
lrwxrwxrwx  1 root root     13 1971-10-13 23:02 charger -> /root/charger
lrwxrwxrwx  1 root root     23 1971-10-13 23:02 checkabortedflash -> /root/checkabortedflash
lrwxrwxrwx  1 root root     13 1971-10-13 23:02 fota-ua -> /root/fota-ua
lrwxrwxrwx  1 root root     14 1971-10-13 23:02 fsckwait -> /root/fsckwait
-rwxr-xr-x  1 root root 141664 1971-10-13 23:02 magisk
lrwxrwxrwx  1 root root     12 1971-10-13 23:02 magiskhide -> /sbin/magisk
-rwxr-xr-x  1 root root 337056 1971-10-13 23:02 magiskinit
lrwxrwxrwx  1 root root     16 1971-10-13 23:02 magiskpolicy -> /sbin/magiskinit
lrwxrwxrwx  1 root root      8 1971-10-13 23:02 mr -> /root/mr
lrwxrwxrwx  1 root root     12 1971-10-13 23:02 resetprop -> /sbin/magisk
lrwxrwxrwx  1 root root      9 1971-10-13 23:02 ric -> /root/ric
lrwxrwxrwx  1 root root     15 1971-10-13 23:02 slideshow -> /root/slideshow
lrwxrwxrwx  1 root root     12 1971-10-13 23:02 su -> /sbin/magisk
lrwxrwxrwx  1 root root     16 1971-10-13 23:02 supolicy -> /sbin/magiskinit
lrwxrwxrwx  1 root root     16 1971-10-13 23:02 tad_static -> /root/tad_static
lrwxrwxrwx  1 root root     23 1971-10-13 23:02 ua-modem-switcher -> /root/ua-modem-switcher
lrwxrwxrwx  1 root root     13 1971-10-13 23:02 ueventd -> /root/ueventd
lrwxrwxrwx  1 root root     21 1971-10-13 23:02 wait4tad_static -> /root/wait4tad_static
lrwxrwxrwx  1 root root     15 1971-10-13 23:02 watchdogd -> /root/watchdogd
lrwxrwxrwx  1 root root     14 1971-10-13 23:02 wipedata -> /root/wipedata

Permission denied? Why? It has 644 permissions!

F8132:/ # ls -la /root/
total 14288
drwxr-x---  2 root root     340 1971-10-13 20:31 .
drwxr-xr-x 26 root root    1340 1971-10-13 20:31 ..
-rw-r--r--  2 root root 2097152 2019-06-13 14:27 TA.img
-rwxr-x---  2 root root 1800120 2019-06-13 14:27 adbd
-rwxr-x---  2 root root  838552 2019-06-13 14:27 charger
-rwxr-x---  2 root root  820216 2019-06-13 14:27 checkabortedflash
-rwxr-x---  2 root root 2261616 2019-06-13 14:27 fota-ua
-rwxr-x---  2 root root  925904 2019-06-13 14:27 fsckwait
-rwxr-x---  2 root root 1570360 2019-06-13 14:27 mr
-rwxr-x---  2 root root  649800 2019-06-13 14:27 ric
-rwxr-x---  2 root root  706728 2019-06-13 14:27 slideshow
-rwxr-x---  2 root root  633128 2019-06-13 14:27 tad_static
-rwxr-x---  2 root root  649784 2019-06-13 14:27 ua-modem-switcher
lrwxrwxrwx  2 root root       7 2019-06-13 14:27 ueventd -> ../init
-rwxr-x---  2 root root  607856 2019-06-13 14:27 wait4tad_static
lrwxrwxrwx  2 root root       7 2019-06-13 14:27 watchdogd -> ../init
-rwxr-x---  2 root root 1043032 2019-06-13 14:27 wipedata

ACLs? Wrong SELinux context? I don’t know.

Vanga Mode (UPDATE: see below)

I installed two things on my phone last week:

  • FDE.AI
  • Magisk Manager 7.3.4 update

I think FDE.AI does nothing wrong here; there is nothing wrong in its log file. And it was installed several days before this happened; I did multiple reboots with it and everything was fine. On the other hand, Magisk Manager was installed 1-2 days ago. I don’t know why Permission denied started to happen. Maybe starting from Magisk Manager 7.3.4 some scripts started to run with a non-root uid/gid?

But there are no commits related to that in Magisk Manager.

(UPDATE) FDE.AI

I discovered that it is FDE.AI that causes the problem. Multiple reboots with it somehow cause this problem. I tried turning it on again and got the problem back.

Why does the network become unavailable?

The TA partition contains settings unique to every phone (not the model, but the individual phone). Most devices have a similar space for these unique settings. For example: TP-Link routers have the ART partition, Siemens phones had an EEPROM area for that.

The same settings cannot be used on two Xperia X Performance units even if they left the factory at the same time. If someone flashes these settings from one device to another, that device becomes unstable or even unbootable. AFAIK Sony devices brick permanently if a different TA is flashed. Even a service center can’t help you with that: they just replace the motherboard in this situation.

I guess that the TA contains the carrier SIM lock status. The OS was unable to read it and as a result it can’t initialize the cellular module correctly.

In this situation we have a correct TA partition (just without DRM keys) on flash, but the OS doesn’t use it. It uses its copy (with DRM keys) from the image. Because of all that, the bootloader starts correctly, Android starts correctly, but then the special daemon called tad starts. It tries to mount the TA partition from the file, fails, and some services fail to start correctly because the TA is unavailable at this point – the cellular daemon, for example.

The strange thing is that Bluetooth and Wi-Fi worked correctly, and I even wrote part of this post with them. Probably they are configured from the real TA.

The (possible) solution

Warning:

  • All of this relates ONLY to Sony devices! Other devices don’t contain a TA partition! If you have a similar problem on a non-Sony device – this solution is not for you!
  • All of this relates to the situation when you’ve patched boot.img through the Rootkernel utility with a TA.img copy. If you’ve installed drm-fix or you’ve restored the TA image directly to flash via recovery/fastboot – this solution is not for you either!
  • All of this was tested only on one device: Xperia X Performance on Android 8.0 (41.3.A.2.107). You may see different results on other devices or firmware.
  • If you do everything correctly, nothing bad should happen, but you can still fuck up your device! I warned you! PROCEED AT YOUR OWN RISK!
  • Please don’t forget about backups that you can restore if anything goes wrong!
  • If your device doesn’t boot, you can boot into recovery and remove /data/local/tmp/TA.img to revert everything. If it still can’t boot after this, your only option is to wipe userdata or flash everything from scratch.

Why is a solution possible?

Because:

  • Why is this file removed? Should it be removed at all?
  • Why Permission denied, if I can do the copy manually? All permissions are correct.

What to do?

  1. Remove FDE.AI.
  2. Manually copy /root/TA.img to /data/local/tmp/TA.img.

If you have any other valid TA copy, you can use that instead of /root/TA.img.

First way: any file manager, ES File Explorer or Root Explorer for example.

In this example ES File Explorer is used.

Turn on Root mode and grant superuser permissions.

Go to the /root directory.

Copy TA.img.

Go to the /data/local/tmp directory.

Paste copied file.

Reboot.

Alternative way: terminal

Open terminal or connect via adb.

Enter su and grant superuser permissions.

Enter:

cp /root/TA.img /data/local/tmp/TA.img
reboot

Device reboots.

What should happen after that?

Your phone should register on the network correctly. X-Reality should work again. After screen unlock the NFC was updated. init.ta_poc-log.txt should look like this:

F8132:/ $ cat /data/local/tmp/init.ta_poc-log.txt
Executing init.ta_poc.sh:
- Found /data/local/tmp/TA.img
- Chown-ing /data/local/tmp/TA.img
- Chmod-ing /data/local/tmp/TA.img
All done!
Executing init.ua_modem_switcher.sh:
- Removing old modem_switcher_status file
- Running /sbin/ua-modem-switcher binary
- ua-modem-switcher finished with status 0
All done!

The script should not copy the TA from boot.img because it already exists, and ua-modem-switcher should exit correctly with status 0.
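The two init.ta_poc-log.txt states shown above (the broken one under "Diving deep" and the healthy one here) and the cp-based fix can be turned into a small diagnostic script. The following is an added example, not code from the original post, from Sony or from the Rootkernel project: it classifies the log, pulls out the ua-modem-switcher exit status, compares the ramdisk copy of TA.img with the copy tad opens, and restores that copy only when it is missing. The default paths are the ones the post shows; the sample logs and the placeholder image written under $TMP are constructed so the script runs offline on any POSIX shell. It deliberately does not reboot and never overwrites an existing /data/local/tmp/TA.img.

```shell
#!/bin/sh
# Added example (not the post's own code): diagnose and verify the TA.img copy.

TA_SRC="${TA_SRC:-/root/TA.img}"                 # image Rootkernel placed in the ramdisk
TA_DST="${TA_DST:-/data/local/tmp/TA.img}"       # path tad tries to open at boot
TA_LOG="${TA_LOG:-/data/local/tmp/init.ta_poc-log.txt}"

# Print one word describing what init.ta_poc.sh logged:
#   ok          - TA.img was found and used
#   copy-failed - TA.img was missing and the copy from /sbin failed (the post's case)
#   missing     - TA.img was missing; nothing says whether the copy worked
#   unknown     - none of the expected markers present
ta_log_status() {
    if grep -q 'Permission denied' "$1"; then
        echo copy-failed
    elif grep -q 'TA.img not found' "$1"; then
        echo missing
    elif grep -q 'Found .*TA.img' "$1"; then
        echo ok
    else
        echo unknown
    fi
}

# Print the last exit status ua-modem-switcher reported (255 in the broken log, 0 when healthy).
ta_modem_status() {
    sed -n 's/.*ua-modem-switcher finished with status \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed only if both files exist and are byte-for-byte identical.
ta_image_matches() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Restore the working copy the way the post does (plain cp), but only when it is
# absent, then verify the result. Rebooting is left to the user.
ta_restore_copy() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo "source $src missing" >&2; return 2; }
    if [ -f "$dst" ]; then
        echo "$dst already present, not overwriting" >&2
        return 3
    fi
    cp "$src" "$dst" && ta_image_matches "$src" "$dst"
}

# Constructed sample data for an offline run: the two log states from the post
# and a placeholder standing in for the 2 MiB TA image.
TMP="${TMPDIR:-/tmp}/ta-example.$$"
mkdir -p "$TMP"
cat > "$TMP/bad.log" <<'EOF'
Executing init.ta_poc.sh:
- /data/local/tmp/TA.img not found!
- Copying /sbin/TA.img to /data/local/tmp/TA.img
cp: bad '/sbin/TA.img': Permission denied
- Wiping drm folders (credmgr, drm and mediadrm)
All done!
Executing init.ua_modem_switcher.sh:
- Removing old modem_switcher_status file
- Running /sbin/ua-modem-switcher binary
- ua-modem-switcher finished with status 255
All done!
EOF
cat > "$TMP/good.log" <<'EOF'
Executing init.ta_poc.sh:
- Found /data/local/tmp/TA.img
- Chown-ing /data/local/tmp/TA.img
- Chmod-ing /data/local/tmp/TA.img
All done!
Executing init.ua_modem_switcher.sh:
- Removing old modem_switcher_status file
- Running /sbin/ua-modem-switcher binary
- ua-modem-switcher finished with status 0
All done!
EOF
printf 'TA-IMAGE-PLACEHOLDER' > "$TMP/root-TA.img"

echo "bad log:  $(ta_log_status "$TMP/bad.log"), modem status $(ta_modem_status "$TMP/bad.log")"
echo "good log: $(ta_log_status "$TMP/good.log"), modem status $(ta_modem_status "$TMP/good.log")"
ta_restore_copy "$TMP/root-TA.img" "$TMP/tmp-TA.img" && echo "copy restored and verified"
```

On a real device, run it as root and point the three variables at the live paths (for example `TA_LOG=/data/local/tmp/init.ta_poc-log.txt ta_log_status "$TA_LOG"`); a `copy-failed` result together with modem status 255 is exactly the state the post describes, and `ta_image_matches "$TA_SRC" "$TA_DST"` after the reboot confirms that the copy tad opens is the same bytes as the one injected into boot.img.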