
Created by munted v3, 2018-11-26.

Please read the first post of j4nn’s “[XZ1c/XZ1/XZp] temp root exploit to backup drm keys
implemented” thread on XDA. You need to read it to understand what this process does and
doesn’t do, and what you can back up and what you can’t. Some changes are permanent
and you need to be OK with this first.

This document is designed to provide more detailed, step by step instructions with screenshots on
how to backup your DRM keys using j4nn’s temporary root exploit. If you want to make a donation
to j4nn for all the work he’s put into development, you can do so here:
https://j4nn.github.io/donate/

Another thing to note, I haven’t done Step 11 of j4nn’s thread which is optional. This step may cause
your phone to try to install OTA (over the air) updates which may fail and cause issues. The advice
currently is to skip this step and for that reason it hasn’t been included in this document.

Finally, these instructions are for Windows 7. If you have a different Windows version things may look
a little different.

Firstly back up all your stuff, the Sony Xperia Transfer Mobile app isn't bad for this.

Lots of apps also allow you to backup within the app using your Google account like: Whatsapp,
Soundhound, Swiftkey, Nova Launcher etc.

I also take a screenshot of a few other things:

• My internet usage for the month
• My list of bluetooth devices
• My home screens and app drawer
• My alarms
• My ringtones
• My Steam authenticator code
• I also make a note of any Chrome tabs I have open

Finally I also make a second backup of all my messages with a second app like Super Backup and
Restore or SMS Backup and Restore just for peace of mind

I also check in my settings that all my Google calendars, contacts etc. have all recently synced.
Also you should take a screenshot of your service menus before you start. To do this:

• Go to your dialler
• Then go to phone and dial *#*#7378423#*#* which will open the Service Menu
• Then go to Service Tests and choose Security and take a screenshot or photo of that with
another phone
• Go back to the main service menu, go to service info and take a photo/screenshot of
Configuration and Software Info

Now remember to copy any backups you make or screenshot you take off your internal storage onto
your micro SD card. (Including your Service Test screenshots.)

I also have a check if there's anything else stored on my internal SD card I want to backup.

There are lots of things you need to download for this process. The first is Newflasher, from here:
https://forum.xda-developers.com/crossdevice-dev/sony/progress-newflasher-xperia-command-line-t3619426

Extract the zip to a folder and run newflasher.exe

Choose y

This creates a file called GordonGate.7z. You can use 7-Zip, WinRAR or PeaZip to extract
GordonGate.7z to a folder.
Turn your phone off, plug the phone into the computer with a USB cable and at the same time hold
down vol key on until light goes green
If you haven't installed the phone drivers in the past, Windows will unsuccessfully look for a driver
Go to Device manager and you’ll see a device called Android with an exclamation mark on the icon
Double click on the Android device and Click Update driver then Browse my Computer for driver
Point to the GordonGate folder
Then the driver will install as a SOMC Flash Device
j4nn has some firmware files in the instructions:
https://forum.xda-developers.com/xperia-xz1-compact/development/devonly-exploits-temp-root-to-backup-t3795510

I used 47.1.A.2.324_CE1

Once downloaded, extract the .rar firmware file to the newflasher directory so it looks like this
Then delete the persist_xxxx.sin file
Newflasher should not flash any dangerous ta files, however you may want to delete any *.ta files
anyway to be sure.

To do this sort the files by type then choose all the files with a “ta” extension and delete them
Delete the persist*.* file if you haven’t already.
Run newflasher.exe again, choose ‘n’ and ‘n’
It'll start copying files

After a couple of minutes it'll finish flashing


Press a key then unplug the USB cable from the phone

I chose connect via mobile network and wifi and set up a new account. If you can skip adding a
Google account then do this.

Skip add fingerprint etc.

Then as soon as you can go to Settings and Network & Internet and turn Airplane mode on

Also in Settings go to System then Software Update then scroll across to System updates then click
the dots at the top right, and change:
Auto download system updates to off. Also change Auto-update apps to off.

Then go to phone and dial *#*#7378423#*#* which will open the Service Menu
Go to Service Tests then scroll down and choose Security and take a photo of that with another
phone.
Or take a screenshot and move the file from the pictures\screenshots folder on the Internal storage
to your SD card using the Files app which is installed on the phone already

Now open Settings again go to System then About Phone then click on Build Number 7x times. It'll
say "You are a developer"
Then go back to the System menu in Settings and go to Developer options and enable USB
Debugging. Turn off Verify apps over USB and finally enable Stay awake.

Now plug the phone to your PC while it is still on, skip Install Xperia Companion and choose Transfer
Files

Go to j4nn's page:
https://forum.xda-developers.com/xperia-xz1-compact/development/devonly-exploits-temp-root-to-backup-t3795510

Download renoroot.zip and extract to a folder


Now go to https://forum.xda-developers.com/showthread.php?t=2317790
and download the portable version of ADB and put all the files in your renoroot folder
Now go to https://developer.sony.com/file/download/xperia-xz1-compact-driver/
Then download the Xperia_XZ1_Compact_driver.zip and extract to a folder
Go to Device manager, look for ADB Interface
Double click and update driver
Then on your phone click OK to allow USB debugging and trust that computer

Then open a command prompt window and run the commands from your renoroot folder:
To open a command window in the renoroot folder, browse to the renoroot folder (yours will have
more files in it), hold down Shift and right click, then click on Open command window here.
Then copy and paste these commands in (it’s better to copy and paste one line at a time).

adb push renoroot /data/local/tmp
adb push renoshell /data/local/tmp
adb push renosploit /data/local/tmp
adb install -r renotrap.apk

Now type:

adb shell

Finally enter these commands:

cd /data/local/tmp
chmod 755 reno*
./renoroot
On your phone a renotrap screen will come up
This took me around 15 mins, I had 15638 events and 2 overwrites
The phone looks something like this:
If the phone reboots, give it a few minutes then repeat the process of starting renoroot again, scroll
back up in this document and go from this bit:

adb push renoroot /data/local/tmp
adb push renoshell /data/local/tmp
adb push renosploit /data/local/tmp
adb install -r renotrap.apk

Ok once you have temp root, run the following commands

cd /data/local/tmp
dd if=/dev/block/bootdevice/by-name/TA of=TA-locked.img
chown shell:shell TA-locked.img
sync
sync
Open a new Command Prompt window in the renoroot folder and don't exit the existing root
window, leave it open. In the screenshot below you can see the temp root command window at the
top and at the bottom is a new Command window.
Run this command

adb pull /data/local/tmp/TA-locked.img


You'll now see a file called TA-locked.img in your renoroot folder
You should make another backup of this file. Put it on your desktop or email it to yourself or put it
on your Google Drive, do all three, whatever! But make sure you create at least a second copy
somewhere safe.
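
A way to confirm that the pulled image and its extra copies are byte-identical and not an empty or erased-looking read before relying on them (an added example, not part of j4nn's tools or the original guide). It assumes Python 3 on the PC; the optional device_line is assumed to be the output of running sha256sum on /data/local/tmp/TA-locked.img in the adb shell, if that command is available on your firmware.

```python
import hashlib
import sys

CHUNK = 1 << 20  # read 1 MiB at a time


def image_digest(path):
    """Return (sha256_hex, size, blank); blank means the file is empty or
    filled entirely with 0x00 or 0xFF, as a failed or erased read would be."""
    h, size, fill, uniform = hashlib.sha256(), 0, None, True
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
            size += len(chunk)
            if uniform:
                fill = chunk[0] if fill is None else fill
                uniform = fill in (0x00, 0xFF) and chunk.count(fill) == len(chunk)
    return h.hexdigest(), size, size == 0 or uniform


def parse_device_hash(line):
    """Pull the digest out of one `sha256sum` output line ("<hex>  <name>")."""
    fields = line.split()
    digest = fields[0].lower() if fields else ""
    if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
        raise ValueError(f"not a SHA-256 line: {line!r}")
    return digest


def verify_copies(paths, device_line=None):
    """Return the common SHA-256 of all copies, or raise ValueError.
    Assumption: device_line is sha256sum output copied from the adb shell."""
    digests = {}
    for p in paths:
        digest, size, blank = image_digest(p)
        if blank:
            raise ValueError(f"{p}: empty or erased-looking image ({size} bytes)")
        digests[p] = digest
    if len(set(digests.values())) != 1:
        raise ValueError(f"copies are missing or differ: {digests}")
    common = next(iter(digests.values()))
    if device_line is not None and parse_device_hash(device_line) != common:
        raise ValueError("local copies do not match the hash taken on the phone")
    return common


if __name__ == "__main__":
    print(verify_copies(sys.argv[1:]))
```

Run it with the path of TA-locked.img followed by the paths of each extra copy; it prints one hash when every copy agrees and stops with an error otherwise.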

Next we're going to unlock the bootloader

Go to this page:
https://developer.sony.com/develop/open-devices/get-started/unlock-bootloader/how-to-unlock-bootloader/

Do Step 1 on that page, check the bootloader can be unlocked

Do Step 2: first enable USB debugging and OEM unlocking in Settings then Developer Options.
Then unplug the USB cable and turn off the phone.
Then plug the USB cable back in while holding the volume up key; the notification light goes blue.
Leave it like that.

Then I downloaded Flashtool from https://androidfilehost.com/?fid=746163614322275179 then
installed Flashtool then ran Flashtool-drivers.exe

I only installed the Fastboot Drivers


Then Install this Driver anyway

Success
Then open a command prompt window and run the following command

fastboot devices

If nothing appears after you type fastboot devices then you didn't successfully enter
Fastboot mode. Turn the phone off, then plug the USB cable in while holding volume up again.
Then go to https://developer.sony.com/develop/open-devices/get-started/unlock-bootloader/#unlock-code
to get your unlock code
Then type

fastboot -i 0x0fce oem unlock 0x<insert your unlock code>

Once it's finished it'll say OKAY


Reboot the phone and like before as soon as you can go to settings and Network & Internet and turn
Airplane mode on

Now open Settings again go to System then About Phone then click on Build Number 7x times. It'll
say "You are a developer"
Then go back to the System menu in Settings and go to Developer options and enable USB
Debugging. Turn off Verify apps over USB and finally enable Stay awake.

Now plug the phone to your PC while it is still on, skip Install Xperia Companion and you can leave it
in charging mode

Then on your phone click OK to allow USB debugging and trust that computer

We're going to run Renoroot again so in the Renoroot folder open a command prompt window and
run the commands:

adb push renoroot /data/local/tmp
adb push renoshell /data/local/tmp
adb push renosploit /data/local/tmp
adb install -r renotrap.apk

Type

adb shell
Enter these commands:

cd /data/local/tmp
chmod 755 reno*
./renoroot
On your phone a renotrap screen will come up
This took me around 30 mins the second time, I had 51370 events and 1 overwrite, took me 2 goes,
it reset once.

Ok open a second command prompt window like before but this time the commands we run are:

adb pull /data/local/tmp/TA-unlocked.img
adb push TA-locked.img /data/local/tmp

Then finally put the original TA-locked.img back on your phone. Run these commands back in the
original temp root window.

cd /data/local/tmp
dd if=TA-locked.img of=/dev/block/bootdevice/by-name/TA
sync
sync
Now reboot the phone

Then go to phone and dial *#*#7378423#*#* which will open the Service Menu
Go to Service Tests then scroll down and choose Security and take a photo of that with another
phone.
Or take a screenshot and move the file from the pictures\screenshots folder on the Internal storage
to your SD card using the Files app which is installed on the phone already
Open the camera, if everything has worked correctly the camera will work. If it shows a black screen
when you open the camera something hasn't worked.

Ok our next step is to download TWRP and Magisk. We'll download the files we need now.

For Magisk, download these two files:

https://github.com/topjohnwu/Magisk/releases/download/v17.3/Magisk-uninstaller-20181022.zip
https://github.com/topjohnwu/Magisk/releases/download/v17.3/Magisk-v17.3.zip
On your phone change the USB connection to Copy Files then copy both files onto the SD card.

We can get TWRP for the Sony Xperia XZ1 Compact(G8441), by modpunk from
https://androidfilehost.com/?fid=5862345805528061872

Copy twrp-3.2.3-0-lilac-1.img into your renoroot folder then unplug the USB cable and turn off the
phone.
Then plug the USB cable back in while holding the volume up key and the notification light goes blue

Open a command prompt window in the renoroot folder and run the commands

fastboot devices
fastboot flash recovery twrp-3.2.3-0-lilac-1.img
TWRP should be installed.

Next we download XperiFirm, I downloaded ver 5.3.7


Go to https://forum.xda-developers.com/crossdevice-dev/sony/pc-xperifirm-xperia-firmware-downloader-t2834142
and download XperiFirm 5.3.7 (by Igor Eisberg).zip
Extract the zip to a folder and run XperiFirm.exe
Click on Check All, it'll look like the screenshot below.
I downloaded G8441_Customized DE_1310-4373_47.1.A.16.20_R6B. Select the firmware, then
on the right click 47.1.A.16.20 / R6B and click download.
Once it has finished downloading, extract another copy of newflasher to a new folder, I called mine
newflasher_v13-DE

Then copy all the flash files to a new newflasher folder


j4nn has advised to:
Try to flash full 47.1.A.16.20 fw with newflasher - remove *.ta, keep boot subdirectory (including the
one .ta there), remove persist (and optionally Qnovo, amss*, ssd) sin files.
Although I didn't, j4nn probably knows better than me though!

Once you've deleted the files as instructed above, run newflasher.exe then press n and n
Phone will flash the ROM

Turn on the phone skip logging into an account if you can then enable USB debugging and OEM
unlocking in Settings then Developer Options

Then unplug the phone and then hold the volume down key and press the power button.
The phone should boot into TWRP, the TWRP logo will flash on for a sec, press the power button to
bring up the screen.
Then swipe to allow modifications
Then go to Install
Select Storage Micro SDcard
Select Magisk-v17.3.zip
Swipe to flash
Select Wipe Cache and Dalvik
Then press Reboot button
I ticked both Prompt to Install TWRP app if not installed as well as Install as System App.

Once your phone reboots you should have Magisk installed and root. You can download Root Checker
from the Play Store if you want to confirm root is working.
Again check your camera is still working and you can check your Service Menus again if you like.

When I first boot up, I like to put the phone in airplane mode, test the camera, check the Service
Menus and if everything looks good, run Sony Xperia Transfer Mobile and let it restore my backup
then turn airplane mode off, connect to the Internet and then let Google do its sync/restore. I find
this works much better than the other way around.

Finally, if you haven’t installed TWRP in the past, one great thing about it is you can make a Nandroid
backup. This can back up everything, including all your data, so instead of just backing up an app
and leaving you to configure its settings again, it backs up the app and its data. It’s a bit like a
Ghost/Acronis/Macrium Reflect backup for your phone instead of a PC. You can choose what you
want to back up, which is beyond the scope of this guide (and there are plenty of other Nandroid
backup guides out there already).
