Amazing Temp Root for MediaTek ARMv8 [2020-05-08]

By diplomatic, XDA Ad-Free Senior Member on 17th April 2019, 12:51 PM

Software root method for MediaTek MT67xx, MT816x, and MT817x!

So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I created, MTK-SU, was originally aimed at helping Amazon Fire HD owners to easily root and unlock their tablets. (Without it, most models need a hardware mod to achieve root & unlock. This tool made rooting accessible to many times the number of owners. It also made it possible to root the Fire TV gen 2.) But funny story: this method actually works on virtually all of MediaTek's 64-bit chips. Many devices of various vendors have already been confirmed.

So in case it's not clear, what mtk-su does is give you a root shell to do with as you please. It's like running 'su', but without the need to have su installed. That may be a holy grail for locked devices. On some devices, it may be possible to install a root manager for permanent root using mtk-su as a springboard.

The original thread is here: Rapid Temporary Root for HD 8 & HD 10. It's a great resource for info. But please avoid posting there about non-Amazon devices. This new thread is a catchall topic for other devices and vendors.

DISCLAIMER
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software. There is a nonzero chance of any of these events happening as a result of using the tools or methods here.

REQUIREMENTS
Mastery of the Thanks button under XDA posts
A phone, tablet or TV box based on MediaTek MT67xx, MT816x or MT817x chipsets
Either:
  • A PC with ADB installed to interact with your device, or
  • A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands
You agree to post the model name of any unconfirmed device which ran mtk-su successfully

INSTRUCTIONS FOR ADB
  1. Make sure you meet all the requirements listed above, especially the first and last ones.
  2. Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
    arm64: 64-bit kernel and userspace
    arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
  3. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
    Code:
    adb push path/to/mtk-su /data/local/tmp/
  4. Open an adb shell
    Code:
    adb shell
  5. Change to your tmp directory
    Code:
    cd /data/local/tmp
  6. Add executable permissions to the binary
    Code:
    chmod 755 mtk-su
  7. At this point keep your device screen on and don't let it go to sleep. Run the command
    Code:
    ./mtk-su
    It should only take a second or two. If the program gets stuck for more than a few seconds and your device is awake, press Ctrl+C to close it.
    The -v option turns on verbose printing, which is necessary for me to debug any problems.
    The output of ./mtk-su -v is similar to this:
    Code:
    $ ./mtk-su -v
    param1: 0x3000, param2: 0x18040, type: 2
    Building symbol table
    kallsyms_addresses pa 0x40bdd500
    kallsyms_num_syms 70337, addr_count 70337
    kallsyms_names pa 0x40c66d00, size 862960
    kallsyms_markers pa 0x40d39800
    kallsyms_token_table pa 0x40d3a100
    kallsyms_token_index pa 0x40d3a500
    Patching credentials
    Parsing current_is_single_threaded
    ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
    ffffffc000354868+54: ADD xd, x0, 2592
    init_task VA: 0xffffffc000fa2a20
    Potential list_head tasks at offset 0x340
    comm swapper/0 at offset 0x5c0
    Found own task_struct at node 1
    cred VA: 0xffffffc0358ac0c0
    Parsing avc_denied
    ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
    ffffffc0002f13bc+28: LDR [x0, 404]
    selinux_enforcing VA: 0xffffffc001113194
    Setting selinux_enforcing
    Switched selinux to permissive
    starting /system/bin/sh
    UID: 0  cap: 3fffffffff  selinux: permissive
    #

    Some other options:
    mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
    mtk-su -s: Prints the kernel symbol table
    mtk-su -Z <context>: Runs shell in a new selinux context. Example: ./mtk-su -Z u:r:logd:s0
    If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here. When reporting a problem with a device, please post a link to the firmware and/or the kernel sources.

    Please post the model of any device that works with mtk-su that's not already confirmed.

    Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.

WARNING If you have a device with Android 6 or higher, it likely has dm-verity enabled. On such a device one does not simply remount the system partition as read/write. The remount command will probably fail. But if you succeed in forcing it somehow it will trigger dm-verity, which will result in a very bad day. Your device will become inoperable until you restore the stock system partition.

DOWNLOAD
Current Version
Release 22

Changelog

Release 22 - May 8, 2020
  • Expand kernel support
  • Enable seccomp handling for Android 8

Release 21 - March 14, 2020
  • Add support for more devices
  • Fix seccomp on 3.18 arm kernels

Release 20 - Dec 28, 2019
  • Add support for MT6580
  • Add support for some MT8183 versions
  • Fix handling of some 32-bit 4.x kernels with stack protection
  • Move to NDK build

Release 19 - October 20, 2019
  • Add -Z option for setting custom selinux context
  • Fix seccomp on armv7
  • Fix seccomp handling on late-revision 3.18 kernels
  • Improve error printing for critical failures
  • Strip supplementary groups in root shell
  • Do not spawn root shell on critical failures

Release 18 - July 29, 2019
  • Add support for kernel address space layout randomization (KASLR)
  • Change status output format

Release 17 - July 13, 2019
  • Fix missing capabilities under adb shell in Android 9.x
  • Disable seccomp in app mode of Android 9.x
  • Add support for MT6771 on Android 8.x
  • Reliability improvements

Release 16 - June 9, 2019
  • Add support for 32 & 64-bit kernels compiled with CONFIG_KALLSYMS_BASE_RELATIVE
  • Add support for MT676x on Android 7.x
  • Speedups

Release 15 - May 29, 2019
  • Run shell/command in global mount namespace -- mounting from apps is now visible to the whole system

Release 14 - May 22, 2019
  • Remove restriction for adb shell initial run on Android 8.0+
  • Add support for 32-bit kernels compiled under Android 8.0+
  • Add initial support for MT6771 on Android 9+
  • Minor bug fixes

Release 13 - May 16, 2019
  • Improve stack protection detection -- add support for some armv7-kernel 3.x phones

Release 12 - April 26, 2019
  • Unify the arm and armv7-kernel binaries into one
  • Support Linux 4.9.x
  • Improve speed and possibly reliability
  • Fix arm64 support for phones on kernel 3.10.65
  • Fix stack protection workaround for armv7 kernels
  • Update readme file

Release 11 - April 10, 2019
  • Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
  • Improve criteria for detecting strong stack protection

Release 10 - April 7, 2019
  • Fix support for the latest Oreo devices
  • Add compatibility for kernels with stack protection (Nokia phones)
  • Improve reliability
  • Initial support for 32-bit (armv7) kernels -- needs testing

Release 9 - April 1, 2019
  • Confirmed support for at least some Oreo devices
  • Fix bugs with R8

Release 8 - March 30, 2019 (REMOVED)
  • Lay the groundwork for Oreo devices
  • Improve performance
  • Improve reliability

Release 7 - March 17, 2019
  • Add/fix support for many Linux ver. ≤ 3.18.22 devices
  • Fix arm binary on Fire HD 10

Release 6 - March 13, 2019
  • Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
  • Minor bug fixes

Release 5 - March 7, 2019
  • Support kernels with CONFIG_KALLSYMS_ALL disabled
  • Improve reliability

Release 4 - March 4, 2019
  • Improve compatibility with phones
  • Support Fire TV 2 new FW
  • Minor bug fixes
  • Improve reliability

Release 3 - March 1, 2019
  • Add support for HD 10 7th gen
  • Add support for 3.10 kernel layout
  • Add possible support for MT67xx phones
  • Improve reliability

Release 2 - Feb. 27, 2019
  • Add support for HD 8 8th gen and 32-bit only user stacks

FAQ
I got the error, "This firmware (platform) cannot be supported". What do I do?
This means that your device's firmware is not prone to the mechanism used by mtk-su. It may be a new device or it may have started from a firmware update. It will not be feasible to add root support for the current or future firmware versions. Check the last supported firmware version in post 4. If the last working FW is not listed and your device used to work with mtk-su, please report the last working version and/or your current version. In those cases, it may be possible to get mtk-su support by downgrading the firmware.

Will this work on my phone?
Yes, it will work on your phone, unless it doesn't. But to be serious, there is no point in asking this question. If you have the device in hand, it is much quicker to just try out the above procedure than to wait for a response. You are usually the best person to answer that question. If your device is listed among the confirmed models or, to a lesser extent, your chipset is supported, that's a good indication that mtk-su will succeed, but that is not guaranteed. You should report your success or failure in this thread, along with the requested materials if it fails.

Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
  • It has already been answered in the FAQ or multiple times in the thread.
  • Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
  • Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).

After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled somehow ends up being more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

Will this work on an MT65xx or MT8127?
There is no support for most 32-bit chips. But there may be a couple where it's possible.

Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader.

I ran mtk-su successfully, but my apps still don't have root permissions.
Mtk-su does not give apps root permissions. It is not a permanent root solution in and of itself. It opens a command shell that has root and administrative capabilities within the context of that shell. It's up to you what you want to do with it. But also, there is a way to load Magisk using this tool without the need to unlock your bootloader. Just follow this guide.

How does this tool work?
It overwrites the process credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, the tool involves making use of the vulnerability known as CVE-2020-0069.

Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.

CREDITS
  • Thank you to everyone who has tested and provided feedback to help me add support for the large variety of MTK-based devices out there. There are simply too many people to list.
  • MediaTek, Inc., who leave holes and backdoors in their OS to make software like this possible
  • Thank you to everyone who has donated. You're the best!
Attached Files
File Type: zip mtk-su_r21.zip (81.8 KB, 19010 views)
File Type: zip mtk-su_r22.zip (79.6 KB, 7368 views)
17th April 2019, 12:52 PM |#2
OP Senior Member
INSTRUCTIONS FOR TERMINAL APP
You can optionally run mtk-su on a terminal emulator such as Terminal Emulator for Android (recommended) or Termux. The basic idea is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
  1. Make sure you meet all the requirements from the first post, especially the first and last ones.
  2. Download the current mtk-su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
  3. Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
    General idea: cp path/to/mtk-su ./
    For example,
    Code:
    cp /sdcard/mtk-su_r14/arm64/mtk-su ./
    For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
  4. Make file executable
    Code:
    chmod 700 mtk-su
  5. Run the program
    Code:
    ./mtk-su

If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and/or kernel sources, if possible.

Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
Code:
cd
cp path/to/mtk-su ./
chmod 700 mtk-su
./mtk-su
17th April 2019, 12:52 PM |#3
OP Senior Member
PROJECTS USING THIS TEMP ROOT
17th April 2019, 12:52 PM |#4
OP Senior Member
Status
NOTE: Any firmware update released after March, 2020 is bound to block this temp root. Think twice before updating your device if you would like to keep using mtk-su.

Confirmed Devices
Acer Iconia One 10 B3-A30/B3-A40/B3-A50 series
Acer Iconia One 8 B1-860 series
Acer Iconia Talk S
Alba tablet series
Alcatel 1 5033 series
Alcatel 1C
Alcatel 3L (2018) 5034 series
Alcatel 3T 8
Alcatel A5 LED 5085 series
Alcatel A30 5049 series
Alcatel Idol 5
Alcatel/TCL A1 A501DL
Alcatel/TCL LX A502DL
Alcatel Tetra 5041C
Alldocube iPlay8
Amazon Fire 7 2019 -- up to Fire OS 6.3.1.2 build 0002517050244 only
Amazon Fire HD 8 2016 -- up to Fire OS 5.3.6.4 build 626533320
Amazon Fire HD 8 2017 -- up to Fire OS 5.6.4.0 build 636558520 only
Amazon Fire HD 8 2018 -- up to Fire OS 6.3.0.1 only
Amazon Fire HD 10 2017 -- up to Fire OS 5.6.4.0 build 636558520 only
Amazon Fire HD 10 2019 -- up to Fire OS 7.3.1.0 only
Amazon Fire TV 2 -- up to Fire OS 5.2.6.9 only
ANRY S20
ASUS ZenFone 3 Max ZC520TL
ASUS ZenFone Max Plus X018D
ASUS ZenPad 3s 10 Z500M
ASUS ZenPad Z3xxM(F) MT8163-based series
Barnes & Noble NOOK Tablet 7" BNTV450 & BNTV460
Barnes & Noble NOOK Tablet 10.1" BNTV650
Blackview A8 Max
Blackview BV9600 Pro (Helio P60)
BLU Life Max
BLU Life One X
BLU R1 series
BLU R2 LTE
BLU S1
BLU Tank Xtreme Pro
BLU Vivo 8L
BLU Vivo XI
BLU Vivo XL4
Bluboo S8
BQ Aquaris M4.5
BQ Aquaris M8
CAT S41
Coolpad Cool Play 8 Lite
Cubot Power
Dragon Touch K10
Echo Feeling
Gionee M7
Gionee S9
HiSense Infinity H12 Lite
Huawei GR3 series
Huawei Y5II
Huawei Y6II MT6735 series
Lava Iris 88S
Lenovo A5
Lenovo C2 series
Lenovo Tab E7
Lenovo Tab E8
Lenovo Tab2 A10-70F
Lenovo Tab3 10
Lenovo Vibe K5 Note
LG K8+ (2018) X210ULMA (MTK)
LG K10--K430 series
LG K10 (2017)
LG K50
LG Stylo 4 (MTK) -- up to Q710AL11k
LG Tribute Dynasty
LG X power 2/M320 series (MTK)
LG Xpression Plus 2/K40 LMX420 series
Lumigon T3
Meizu M5c
Meizu M6
Meizu Pro 7 Plus
Motorola Moto E3 series (MTK)
Motorola Moto E4 series (MTK)
Nokia 1
Nokia 1 Plus
Nokia 3
Nokia 3.1
Nokia 3.1 Plus
Nokia 5.1
Nokia 5.1 Plus/X5
Odys PACE 10 (MT8163)
Onn 7" Android tablet
Onn 8" & 10" tablet series (MT8163) -- up to 10/2019 FW only
Oppo A59 series
Oppo A5s
Oppo A7x -- up to Android 8.x
Oppo F5 series/A73 -- up to A.39
Oppo F7 series -- Android 8.x only
Oppo F9 series -- Android 8.x only
Oppo R9xm series
Oukitel K6
Oukitel K9
Oukitel K12
Oukitel U18
Protruly D7
RCA Voyager III - RCT6973W43MDN
Realme 1
Realme 3
Sony Xperia C4
Sony Xperia C5 series
Sony Xperia L1
Sony Xperia L3
Sony Xperia M5 series
Sony Xperia XA series
Sony Xperia XA1 series
Southern Telecom Smartab ST1009X (MT8167)
TECNO Spark 3 series
Umidigi F1 series
Umidigi Power
Vernee Mix 2
Wiko Ride
Wiko Sunny
Wiko View3
Xiaomi Redmi 6/6A series
ZTE Blade 10 Prime
ZTE Blade A530
ZTE Blade A7 Prime
ZTE Blade D6/V6
ZTE Blade V8 Lite
ZTE Quest 5 Z3351S
ZTE Voyage 4S/Blade A611

Support Problematic*
Most/all Vivo phones
Most/all Huawei/Honor models with Android 8+
Most Oppo phones in app mode
Oppo F11 -- up to CPH1911EX_11_A.22 only
Most/all Samsung MTK-based phones

Supported Chipsets
Including, but not limited to: MT6735, MT6737, MT6738, MT6739, MT6750, MT6752, MT6753, MT6755, MT6757, MT6758, MT6761, MT6762, MT6763, MT6765, MT6771, MT6779, MT6795, MT6797, MT6799, MT8163, MT8167, MT8173, MT8176, MT8183, MT6580, MT6595

* These devices typically use kernel modifications to deter root access via exploits. But this temp root method can still attain root on most of these models in theory. However, I will not be adding support for such non-standard kernels in the main release versions. A tailored version of mtk-su can be made to handle a protected kernel in a specific firmware. This is not something I'm usually motivated to do. But it's possible to make such a version if you can somehow encourage me.
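A defender-side companion to the status note and chipset list in the post above, as an added example that is not part of the original post or of mtk-su: a POSIX shell triage that classifies a device from two Android properties. The chipset list is copied from that post; the 2020-03-05 patch-level cut-off, the verdict names and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: exposure triage for the temp-root issue discussed in this thread.
# Chipsets copied from the thread's "Supported Chipsets" line.
AFFECTED_CHIPSETS="mt6735 mt6737 mt6738 mt6739 mt6750 mt6752 mt6753 mt6755
mt6757 mt6758 mt6761 mt6762 mt6763 mt6765 mt6771 mt6779 mt6795 mt6797 mt6799
mt8163 mt8167 mt8173 mt8176 mt8183 mt6580 mt6595"
# Assumption: first security patch level treated as fixed, based on the
# thread's note that firmware released after March 2020 blocks the tool.
FIXED_PATCH_LEVEL="2020-03-05"

# Lower-case a platform string and keep only its mtNNNN token (empty if none).
normalise_platform() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*\(mt[0-9]\{4\}\).*/\1/p'
}

# listed     = named in the thread's chipset list
# family     = MT67xx / MT816x / MT817x, the families the thread targets
# not-listed = some other platform; unknown = the property was empty
chipset_status() {
    if [ -z "$1" ]; then echo unknown; return 0; fi
    chip=$(normalise_platform "$1")
    for c in $AFFECTED_CHIPSETS; do
        if [ "$c" = "$chip" ]; then echo listed; return 0; fi
    done
    case "$chip" in
        mt67??|mt816?|mt817?) echo family ;;
        *) echo not-listed ;;
    esac
}

# Compare a YYYY-MM-DD security patch level against the cut-off.
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # missing or malformed property
    esac
    have=$(printf '%s' "$1" | tr -d '-')
    want=$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -ge "$want" ]; then echo patched; else echo unpatched; fi
}

# Combine both signals into one verdict for an inventory report.
triage() {
    chip=$(chipset_status "$1")
    patch=$(patch_status "$2")
    case "$chip/$patch" in
        not-listed/*)                      echo out-of-scope ;;
        */patched)                         echo likely-fixed ;;
        listed/unpatched|family/unpatched) echo likely-exposed ;;
        *)                                 echo review ;;   # a signal is missing
    esac
}

# Query a connected device over adb (read-only getprop calls).
triage_device() {
    plat=$(adb -s "$1" shell getprop ro.board.platform | tr -d '\r')
    if [ -z "$plat" ]; then
        plat=$(adb -s "$1" shell getprop ro.hardware | tr -d '\r')
    fi
    spl=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s platform=%s patch=%s verdict=%s\n' \
        "$1" "$plat" "$spl" "$(triage "$plat" "$spl")"
}

# Usage: sh triage.sh --device <adb-serial>
if [ "${1:-}" = "--device" ]; then triage_device "$2"; fi
```

The patch level is only a proxy: the status post gives vendor-specific firmware cut-offs (for example the Fire OS builds), and those take precedence where they are listed.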
17th April 2019, 12:53 PM |#5  
OP Senior Member
Re-re-reserved
17th April 2019, 02:26 PM |#6
bigrammy
Senior Member
Great work mate!! I would have liked to have kept it secret till I got myself a new Sony L3 and backed up the TA, though.


17th April 2019, 02:43 PM |#7
OP Senior Member
LOL... thanks!

Don't worry man, no one reads this forum
17th April 2019, 04:42 PM |#8
Senior Member
Great work. Having used both a hardware root method and this method on a pair of devices I have, mtk-su was waaaaaaay easier to work with. Big thanks!
The Following User Says Thank You to NFSP G35 For This Useful Post: [ View ] Gift NFSP G35 Ad-Free
17th April 2019, 09:50 PM |#9  
KevMetal
Senior Member
looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...

ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img

what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...

reason being that bootloader is locked and this device is on marshmallow ...

*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..

* next question is if I'm running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?

or installing mixplorer with root privileges for example ..
18th April 2019, 12:54 AM |#10  
mrmazak
Senior Member
Quote:
Originally Posted by KevMetal

looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...

ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img

what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...

reason being that bootloader is locked and this device is on marshmallow ...

*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..

* next question is if I'm running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?

or installing mixplorer with root privileges for example ..

@diplomatic made a good outline of the steps to "jump" into full root. At least until rebooted.


I will add the link to the post, but keep the discussion that follows here in this thread

*Copied from post https://forum.xda-developers.com/sho...&postcount=569
Quote:
Originally Posted by diplomatic

For advanced users or devs: here's a general overview for a method to get root with Magisk without having to modify your boot image.

  1. Get a Magisk zip file and extract the magiskinit binary. Push magiskinit to your device.
  2. Extract the magisk binary from magiskinit with ./magiskinit -x magisk
  3. Make a symbolic link to (or a copy of) magiskinit and call it magiskpolicy.
  4. Make a symbolic link to (or a copy of) magisk and call it su.
  5. Make a small ext4 image of about 2 to 4MB (using something like make_ext4fs -J -l 2MB). In it, place Magisk's magisk and su binaries. The su binary could be either a link to magisk or a copy of it. (Idea borrowed from @k4y0z's unlock method.)
  6. Get a root shell with mtk-su
  7. Patch the running sepolicy with a magisk context using ./magiskpolicy --live --magisk 'allow magisk * * *' .
  8. Start a temporary Magisk daemon with ./magisk --daemon
  9. Start a temporary Magisk root shell with ./su. This may involve prompts from Magisk Manager.
  10. Check to make sure the new root shell has the context u:r:magisk:s0. Don't proceed if it's not that context.
  11. From the magisk context shell, mount the ext4 image to /system/xbin with
    losetup /dev/block/loop0 magisk.img
    mount /dev/block/loop0 /system/xbin
    You may be able to combine those 2 commands into one, but I wasn't able to on my device.
  12. Kill the temporary magisk daemon with killall magiskd. The point of this is to launch a new daemon from within the magisk se-context. Otherwise there will be problems with selinux.
  13. Start a new daemon with magisk --daemon. Notice that there's no ./ at the start. This is to test the loopback img.
  14. Exit the temporary ./su shell. You may get an error message, but that's fine. At this point you should be back to the mtk-su shell.
  15. Exit the mtk-su shell.
  16. Check if su works. You should get a prompt from Magisk Manager.
  17. At this point, if you get a normal root shell, you can do setenforce 1.
  18. Now all apps that want su access will have it with proper prompting.
  19. Have some app execute steps 6 through 17 at every startup.

Steps 1-5 are done once. Step 6 onward are done at every boot session. A script would probably help. I'm sure this is missing some details, but I just wanted to convey the general idea.

EDIT: If you get this system up and running, you of course want to avoid updating Magisk binaries through MM. That's pretty important because doing so will probably stop your device from booting.

18th April 2019, 10:35 AM |#11
OP Senior Member
Quote:
Originally Posted by KevMetal

looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...

ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img

what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...

reason being that bootloader is locked and this device is on marshmallow ...

*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..

* next question is if I'm running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?

or installing mixplorer with root privileges for example ..

Cool... let us know the results of running mtk-su on that phone, as well as the full model name so I can list it.

So you're on the right track about installing permanent root. I was pretty vague about it in the OP because it's a complex topic and it's pretty risky territory. Before trying to mod your boot image with systemless root and/or verity disabled, you have to check how restrictive your BL is. It's very possible that it can accept self-signed or unsigned images without needing to unlock. You can check this in a minesweeper fashion by flashing your stock recovery with the OEM signature removed and see if it boots. If not, Android will restore the stock recovery automatically, no harm done.

If you want to flash partitions from a root shell, you can use the dd command. FlashFire is a glorified dd flasher. For example, to flash a recovery image you would do
Code:
dd if=recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery
The exact path of the dev node varies by device. You should do more research about it if you're interested. To dump partitions, essentially do the reverse of if= and of=.

If you want, you can post your stock recovery image and I can modify it so you can test how restrictive your BL is. There's no need to jump ahead to TWRP yet.
Tags
mediatek, mt67xx, root

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes