xperable - Xperia ABL fastboot Exploit
The xperable tool is an exploit leveraging the CVE-2021-1931 Android Boot Loader vulnerability of the fastboot usb interface on Sony Yoshino and Tama platforms, based on Qualcomm Snapdragon 835 (MSM8998) and SDM845 chipsets. That includes Sony Xperia XZ Premium, Xperia XZ1 and Xperia XZ1 Compact mobile phones (with many region specific models) for the Yoshino platform, and Sony Xperia XZ2 / XZ2 Compact / XZ2 Premium / XZ3 (with region specific models) for the Tama platform.
The exploit achieves arbitrary code execution in fastboot providing arbitrary memory access via fastboot usb interface to non-secure world RAM regions in Qualcomm Secondary Bootloader, i.e. XBL (eXtensible Boot Loader) with ABL (Android Boot Loader), including ability to write to read-only sections.
Features
Currently working features:
- bootloader unlock without Sony unlock code even for devices with bootloader unlock not allowed, like the Japanese models
- re-lock bootloader to get back into original stock firmware state
- unlock/re-lock this way does not erase Sony DRM device key
- fastboot boot of an unsigned kernel in bootloader locked state (Tama is wip)
- flexible command line options for experimenting with bootloader runtime patching that can be scripted
Android userdata erase is also skipped on unlock/re-lock, but that does not seem to be very useful: the data is not accessible, most likely because decryption fails due to the flipped bootloader unlock status, so Android does not boot and the erase is needed anyway.
Still, it is possible for example to do an unlock, boot any Android recovery kernel via 'fastboot boot' from usb and then re-lock the BL, after which Android boots normally with the original userdata content.
The possibility to boot an unsigned kernel in bootloader locked state from fastboot can allow, for example, booting a rooted stock kernel, booting an Android recovery kernel with userdata access after authentication for decryption, or even booting a full custom ROM with a locked BL.
Limitations
Using the exploit to re-lock the bootloader does not magically restore the Sony DRM device key, i.e. DRM protected functionality will not work with stock firmware even after bootloader re-lock if the key had already been lost.
Hardware based attestation will work with stock firmware after re-lock
only if the persist partition is still intact, i.e. it did not accidentally
get flashed with its "empty" content from Sony stock firmware, losing the
attestation key this way.
Compilation
The xperable tool is primarily designed for Linux but it can be compiled for
Windows too. It depends on libusb-1.0 and uses pe-parse_ library which comes
as a git submodule with this project.
.. _pe-parse: https://github.com/trailofbits/pe-parse
Clone this repository recursively::

    $ git clone --recursive https://github.com/j4nn/xperable.git

and use make to build the tool in Linux. You also need cmake which
is called from this project's Makefile to build pe-parse library.
The Makefile contains additional targets for cross compilation that can be
selected via CROSS_BUILD variable setting on make command line, expecting
a cross compilation toolchain as specified in the Makefile.
The exploit needs the yoshino LinuxLoader UEFI module as the fastboot runtime
patch base. It can be extracted from the ABL of the Sony stock firmware
bootloader; the uefi-firmware-parser_ tool is needed for this. Extraction is
invoked from the Makefile if needed, reporting what stock firmware files to get
and where to place them.
.. _uefi-firmware-parser: https://github.com/theopolis/uefi-firmware-parser
Yoshino Device Setup
The exploit is targeting the LA2_0_P_114 bootloader, but it needs XFL
from the LA1_1_O_77 version in order to work. While XFL is not directly
used in fastboot mode, the ABL customized by Sony verifies XFL integrity
for some reason, influencing the bootloader memory layout.
XFL is a linux kernel that provides Sony flash mode (green LED light)
functionality for flashing stock firmware files.
With any newer XFL version the exploit is not able to overflow fastboot
usb buffer into ABL code region, most likely because of bigger XFL size
in all newer bootloader versions. Therefore you need to flash the old XFL
manually from a root shell via dd command to xfl partition.
In case the bootloader is still locked, you can get a temporary root shell using
the bindershell_ exploit available for Sony stock Android Oreo firmware.
If running a newer firmware, a downgrade would be needed, requiring a userdata
erase, so you may need to back up the phone first.
Please check what firmware versions are supported by bindershell here_.
.. _bindershell: https://github.com/j4nn/renoshell/tree/CVE-2019-2215
.. _here: https://github.com/j4nn/renoshell/blob/CVE-2019-2215/jni/offsets.c#L36
After making sure you can get a root shell, flash the LA2_0_P_114
bootloader version using only the boot subdirectory of the latest
stock firmware available for your phone skipping flash of everything else.
Prepare the old XFL image using make boot/xfl-o77.mbn command
in this project's directory, following shown instructions to get
required files if missing.
Upload the boot/xfl-o77.mbn file to the phone using adb or sdcard
and use the following command in a root shell to flash it to the xfl partition::

    dd if=/sdcard/xfl-o77.mbn of=/dev/block/bootdevice/by-name/xfl

You may need to adjust the location of xfl-o77.mbn in the if= option
depending on where the file has been copied to. It may be also safer
to use sync command in addition before rebooting the phone.
Tama Device Setup
The exploit is targeting the LA2_0_P_118 bootloader of XZ2 / XZ3 devices.
This version of bootloader is present in the newest stock firmware versions
of Japan specific models.
International Tama devices have newer version of bootloader in the latest
firmware versions, so you may need to downgrade in order to use the exploit.
Flash only the boot subdirectory of 52.0.A.8.50 stock fw version skipping
flash of everything else.
Command Line Options
The xperable tool interprets the command line options shown below, immediately executing each of them as they appear, which allows crafting bootloader runtime patching scripts.
::

    $ ./xperable -h
    xperable - Xperia ABL fastboot Exploit ( https://github.com/j4nn/xperable )
    usage: ./xperable [-h] [-v] [-q] [-V] [-Q] [-A] [-B] [-U] [-b maxsize] [-t timeout] [-o offset] [-s size] [-c command] [-x] [-0] [-1] [-2] [-3] [-4] [-5] [-6] [-7] [-8] [-9] [-C cmdline] [-l] [-m] [-a addr] [-M module] [-r] [-O file] [-I file] [-w] [-P file] [-p patch]
      -h          show this help and exit
      -v          increase fastboot usb communication verbosity
      -q          lower fastboot usb communication verbosity
      -V          increase verbosity of the exploit itself
      -Q          lower verbosity of the exploit
      -A          do 'fastboot getvar all' with filtered output
      -B          do 'fastboot getvar version-bootloader' command
      -U          do 'fastboot getvar unknown' command
      -b maxsize  set usb chunk max size to use with all transfers
      -t timeout  set usb transfer timeout in ms, 5000 by default
      -o offset   set offset parameter used in exploit test cases
      -s size     set size parameter used with other options
      -c command  set fastboot command string
      -x          use extended version of abl patch
      -0          basic test case to try to crash ABL LinuxLoader
      -1          do previously set fastboot command
      -2          try to return buffer offset distance to code hit
      -3          similar as -2 option but using alternative method
      -4          do full ABL LinuxLoader patching exploit
      -5          similar as -4 option but using alternative method
      -6          patch signature verification in VerifiedBootDxe
      -7          fake unlock via 'green' -> 'orange' in kcmdline
      -8          patch boot command to use two kernel images
      -9          experimental stuff to test patch level override
      -l          read out bootloader log from RAM, needs -4/-5 first
      -m          list XBL UEFI modules with their base addresses
      -a addr     set address used with BL RAM read and write options
      -M module   set address for RAM r/w to base addr of UEFI module
      -r          read 'size' block of bytes from 'addr' base in BL
      -O file     write 'size' of bytes from tool's buffer to 'file'
      -I file     read 'file' into tool's buffer setting 'size' too
      -w          write 'size' block of bytes to 'addr' base in BL
      -P file     load PE file to tool's buffer doing relocation
                  to 'addr' base, setting 'size' to code boundary,
                  applying -4/-5 patch in case of LinuxLoader fname
      -p patch    apply specified 'patch' sequence to tool's buffer
                  'patch' is one or more 'subpatch' delimited by comma character
                  'subpatch' is 'hexoffs' 'patchseq' pair delimited by one of ':/%@'
                  characters specifying size or form of each element of 'patchseq'
                  'patchseq' is list of hex values delimited by comma character
      There is following meaning of 'hexoffs' and 'patchseq' delimiter:
        : 'patchseq' hex values are byte values
        / 'patchseq' hex values are 32 bit values
        % 'patchseq' hex values are 32 bit to be byte swapped
        @ 'patchseq' hex values are 64 bit values

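As an added example (not code from the xperable project), here is a parser for the ``-p`` 'patch' syntax described above, applied to a local buffer the way the tool's buffer would be patched. It assumes, from my reading of the help text, that '/' and '@' values are written little-endian (AArch64 native order) and that '%' writes the 32-bit value byte-swapped, i.e. big-endian.

```c
/* Added example: parser for the xperable '-p patch' syntax as described in
 * the help text above (my reading of it, not the project's own code).
 * Assumption: '/' and '@' write little-endian (AArch64 native) values and
 * '%' writes the 32-bit value byte-swapped, i.e. big-endian. */
#include <stdint.h>
#include <stdlib.h>
/* Write 'width' bytes of v at buf+off; -1 if it would run past len. */
static int put_val(uint8_t *buf, size_t len, size_t off, uint64_t v,
                   int width, int swap)
{
    if (off > len || (size_t)width > len - off)
        return -1;
    for (int i = 0; i < width; i++)
        buf[off + i] = (uint8_t)(v >> (swap ? (width - 1 - i) * 8 : i * 8));
    return 0;
}

/* Apply "hexoffs<d>v1,v2,...,hexoffs<d>..." to buf, where <d> is one of
 * ':/%@'. A hex token followed by <d> starts a new subpatch (sets the offset
 * and element width); a token followed by ',' or end of string is a value.
 * Returns the number of values written, -1 on malformed input or overflow. */
int apply_patch(uint8_t *buf, size_t len, const char *patch)
{
    int count = 0, width = 0, swap = 0;
    size_t off = 0;
    const char *p = patch;
    while (*p) {
        char *end;
        uint64_t v = strtoull(p, &end, 16);
        if (end == p)
            return -1;            /* expected hex digits here */
        switch (*end) {
        case ':': width = 1; swap = 0; off = (size_t)v; break;
        case '/': width = 4; swap = 0; off = (size_t)v; break;
        case '%': width = 4; swap = 1; off = (size_t)v; break;
        case '@': width = 8; swap = 0; off = (size_t)v; break;
        case ',': case '\0':
            if (width == 0 || put_val(buf, len, off, v, width, swap) < 0)
                return -1;        /* value before any offset, or past end */
            off += (size_t)width;
            count++;
            break;
        default:
            return -1;            /* unknown delimiter */
        }
        p = *end ? end + 1 : end;
    }
    return count;
}
```

Values wider than the element size are truncated to their low bytes, and a subpatch that would write past the end of the buffer is rejected rather than partially applied.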
Usage Examples
It may be possible to use defaults preset in the exploit when testing with Xperia XZ1 Compact (G8441), like this:
::

    $ ./xperable -B -U -4
    version-bootloader: 1306-5035_X_Boot_MSM8998_LA2.0_P_114
    [+] Starting test4 size = 0
