Amazing Temp Root for MediaTek ARMv8

By diplomatic, Senior Member on 17th April 2019, 12:51 PM


Software root method found for MediaTek MT67xx, MT816x, and MT817x!

So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock needed. The tool I created, MTK-SU, takes advantage of a weakness in Mediatek's software design. It was originally aimed at helping Amazon Fire HD owners to easily root and unlock their tablets. (Without it, most models need a hardware mod to achieve root & unlock. This tool made rooting accessible to many times the number of owners. It also made it possible to root the Fire TV gen 2.) But funny story: this method actually works on virtually all of MediaTek's 64-bit chips. Many devices of various vendors have already been confirmed.

So in case it's not clear, what mtk-su does is give you a root shell to do with as you please. It's like running 'su', but without the need to have su installed. That may be a holy grail for locked devices. On some devices, it may be possible to install a root manager for permanent root using mtk-su as a springboard.

The original thread is here: Experimental Software Root for HD 8 & HD 10. It's a great resource for info and past releases. But please avoid posting there about non-Amazon devices. This new thread is a catchall topic for other devices and vendors.

DISCLAIMER
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software. There is a nonzero chance of any of these events happening as a result of using the tools or methods here.

REQUIREMENTS
A phone, tablet or TV box based on Mediatek MT67xx, MT816x or MT817x chipsets
Either:
  • A PC with ADB installed to interact with your device (Android 7.x or below), or
  • A terminal emulator app (Any Android ver. including 8.x)
Familiarity with ADB (if using PC) and basic Linux shell commands
You are legally required to post the model name of any unconfirmed device on which mtk-su ran successfully
Familiarity with the Thanks button under XDA posts

INSTRUCTIONS FOR ADB
  1. Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
    arm64: 64-bit kernel and userspace
    arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
  2. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
    Code:
    adb push path/to/mtk-su /data/local/tmp/
  3. Open an adb shell
    Code:
    adb shell
  4. Change to your tmp directory
    Code:
    cd /data/local/tmp
  5. Add executable permissions to the binary
    Code:
    chmod 755 mtk-su
  6. At this point keep your device screen on and don't let it go to sleep. Run the command
    Code:
    ./mtk-su
    It should only take a second or two. If the program gets stuck for more than a few seconds and your device is awake, press Ctrl+C to close it.
    The -v option turns on verbose printing, which is necessary for me to debug any problems.
    The output of ./mtk-su -v is similar to this:
    Code:
    $ ./mtk-su -v
    param1: 0x1000, param2: 0x8040, type: 13
    Building symbol table
    kallsyms_addresses pa 0x40e3cd00
    kallsyms_num_syms 53650, addr_count 53650
    kallsyms_names pa 0x40ea5b00, size 707322
    kallsyms_markers pa 0x40f52600
    kallsyms_token_table pa 0x40f52d00
    kallsyms_token_index pa 0x40f53100
    Patching credentials
    __ksymtab_init_task not found
    Parsing show_state_filter
    ffffff80080d8848+0c: ADRP x21, 0xffffff80096f5000
    ffffff80080d8848+10: ADD xd, x21, 2368
    init_task VA: 0xffffff80096f5940
    Potential list_head tasks at offset 0x4f0
    0xffffffc07f3724f0 0xffffffc02cd884f0 0x0000000000008c
    comm swapper/0 at offset 0x7c0
    Found own task_struct at node 0
    real_cred VA: 0xffffffc04c63ca80
    Parsing sel_read_enforce
    ffffff8008345228+04: ADRP x0, 0xffffff8009974000
    ffffff8008345228+14: LDR [x0, 652]
    selinux_enforce VA: 0xffffff800997428c
    Setting selinux_enforce
    Switching selinux to permissive
    New UID/GID: 0/0
    starting /system/bin/sh
    Some other options:
    mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
    mtk-su -s: Prints the kernel symbol table
    If you see any errors or don't get a root shell, report it here. When reporting a problem with a device, please post a link to the firmware and/or the kernel sources.

    Please post the model of any device that works with mtk-su that's not already confirmed.

    Important: While it's generally reliable, it may be necessary to run mtk-su multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, it will say "New UID/GID: 2000/2000" instead of "...0/0". getenforce may return Enforcing. In that case, simply type exit to close the subshell and try mtk-su again.

WARNING: If you have a device with Android 6 or higher, it likely has dm-verity enabled. On such a device one does not simply remount the system partition as read/write. The remount command will probably fail. But if you succeed in forcing it somehow it will trigger dm-verity, which will result in a very bad day. Your device will become inoperable until you restore the stock system partition.

DOWNLOAD
Current Version
Release 13

Changelog

Release 13 - May 16, 2019
  • Improve stack protection detection -- add support for some armv7-kernel 3.x phones

Release 12 - April 26, 2019
  • Unify the arm and armv7-kernel binaries into one
  • Support Linux 4.9.x
  • Improve speed and possibly reliability
  • Fix arm64 support for phones on kernel 3.10.65
  • Fix stack protection workaround for armv7 kernels
  • Update readme file

Release 11 - April 10, 2019
  • Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
  • Improve criteria for detecting strong stack protection

Release 10 - April 7, 2019
  • Fix support for the latest Oreo devices
  • Add compatibility for kernels with stack protection (Nokia phones)
  • Improve reliability
  • Initial support for 32-bit (armv7) kernels -- needs testing

Release 9 - April 1, 2019
  • Confirmed support for at least some Oreo devices
  • Fix bugs with R8

Release 8 - March 30, 2019 (REMOVED)
  • Lay the groundwork for Oreo devices
  • Improve performance
  • Improve reliability

Release 7 - March 17, 2019
  • Add/fix support for many Linux ver. ≤ 3.18.22 devices
  • Fix arm binary on Fire HD 10

Release 6 - March 13, 2019
  • Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
  • Minor bug fixes

Release 5 - March 7, 2019
  • Support kernels with CONFIG_KALLSYMS_ALL disabled
  • Improve reliability

Release 4 - March 4, 2019
  • Improve compatibility with phones
  • Support Fire TV 2 new FW
  • Minor bug fixes
  • Improve reliability

Release 3 - March 1, 2019
  • Add support for HD 10 7th gen
  • Add support for 3.10 kernel layout
  • Add possible support for MT67xx phones
  • Improve reliability

Release 2 - Feb. 27, 2019
  • Add support for HD 8 8th gen and 32-bit only user stacks

FAQ
After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled somehow ends up being more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

Will this work on an MT65xx or MT8127?
No, there is no support for 32-bit chips.

Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader.

I ran mtk-su successfully, but my apps still don't have root permissions.
Mtk-su does not give apps root permissions. It is not a permanent root solution in and of itself. It opens a command shell that has root and administrative capabilities for the life of that shell with selinux set to permissive (globally). It's up to you what you want to do with it. In some cases, it may be possible to flash a custom recovery or a rooted boot image. But the success of this depends entirely on the device. The approach to this is pretty diverse and complex and is beyond the scope of this post.

Will you release the source code?
Yes, but in due time. Like any software exploit, the associated vulnerability can be patched. There's a certain vendor (who may have been mentioned) that is keen on locking down its MTK devices. And I want this tool to be effective for as long as possible.

How does this exploit work?
It overwrites the process's credentials & capabilities in the kernel in order to escalate privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforce variable. As for how it accesses that memory, I don't think I should discuss that as of yet.

Will this work on the MT8695?
Unfortunately, no. While that is a 64-bit chip, the required vulnerabilities are not present in its OS.

CREDITS
  • Thank you to everyone who has tested and provided feedback to help me add support for the large variety of MTK-based devices out there. There are simply too many people to list.
  • MediaTek, Inc., who leave holes and backdoors in their OS to make software like this possible
Attached Files
mtk-su_r12.zip (35.8 KB, 2094 views)
mtk-su_r13.zip (35.8 KB, 354 views)
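Two checks a practitioner would want around the procedure above, as an added example that is not part of diplomatic's post or the mtk-su release: the first classifies a saved ./mtk-su -v transcript (covering the "New UID/GID: 2000/2000" retry case and the getenforce check from the FAQ), the second interprets the dm-verity boot properties before anyone attempts the /system remount that the WARNING says will leave a verity-protected device unbootable. The property names ro.boot.veritymode and partition.system.verified are standard Android fs_mgr properties; which values a given release sets is an assumption, and the sample transcript is constructed from the shape of the output shown in the post.

```shell
#!/bin/sh
# Added example (not diplomatic's code or part of the mtk-su release).
# Three sanity checks around a temp-root session:
#   mtk_su_outcome  - classify a saved `./mtk-su -v` transcript read from stdin
#   live_check      - confirm the current shell really is uid 0 + permissive
#   verity_state    - interpret dm-verity boot properties before any remount
# Assumptions: ro.boot.veritymode and partition.system.verified are the
# standard fs_mgr properties; the value set varies by Android release.

# Prints one of:
#   root-permissive  (exit 0)  uid 0 and SELinux switched to permissive
#   root-enforcing   (exit 1)  uid 0 but no permissive switch seen: exit, rerun
#   no-root          (exit 1)  e.g. "New UID/GID: 2000/2000": exit, rerun
#   incomplete       (exit 2)  the run never reached the shell (hung or killed)
mtk_su_outcome() {
    uid=""; permissive=0; started=0
    while IFS= read -r line; do
        case "$line" in
            "New UID/GID: "*)                  uid=${line#New UID/GID: } ;;
            "Switching selinux to permissive") permissive=1 ;;
            "starting "*)                      started=1 ;;
        esac
    done
    if [ "$started" -ne 1 ] || [ -z "$uid" ]; then
        echo incomplete; return 2
    fi
    if [ "$uid" != "0/0" ]; then
        echo no-root; return 1
    fi
    if [ "$permissive" -eq 1 ]; then
        echo root-permissive; return 0
    fi
    echo root-enforcing; return 1
}

# Run inside the shell mtk-su started. The FAQ's "permission denied" case is
# usually SELinux still Enforcing, so both uid and getenforce are checked.
live_check() {
    if [ "$(id -u)" != "0" ]; then
        echo "not root (uid $(id -u)): type exit and run mtk-su again"; return 1
    fi
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Permissive" ]; then
        echo "SELinux still $(getenforce): type exit and run mtk-su again"; return 1
    fi
    echo "root shell, SELinux permissive"
}

# verity_state VERITYMODE SYSTEM_VERIFIED
#   VERITYMODE       value of getprop ro.boot.veritymode ("" when unset)
#   SYSTEM_VERIFIED  value of getprop partition.system.verified ("" when unset)
# Prints verity-enforced / verity-logging / verity-disabled / verity-unknown.
# Anything other than verity-disabled means: do not remount /system rw.
verity_state() {
    case "$1" in
        enforcing|eio) echo verity-enforced; return 1 ;;
        logging)       echo verity-logging;  return 1 ;;
        disabled)      echo verity-disabled; return 0 ;;
    esac
    # Older releases set partition.<name>.verified only when verity was set up
    # for that partition (assumption: any non-empty value counts as enabled).
    if [ -n "$2" ]; then
        echo verity-enforced; return 1
    fi
    echo verity-unknown; return 1
}

# Constructed transcript (shape taken from the -v output shown in the post).
SAMPLE_RUN='Patching credentials
Switching selinux to permissive
New UID/GID: 0/0
starting /system/bin/sh'

# Demo when invoked as: sh mtk_su_check.sh demo
# On the device the same function would be fed by: ./mtk-su -v 2>&1 | tee run.log
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_RUN" | mtk_su_outcome
    verity_state "$(getprop ro.boot.veritymode 2>/dev/null)" \
                 "$(getprop partition.system.verified 2>/dev/null)"
fi
```

On a device, save the verbose run with ./mtk-su -v 2>&1 | tee run.log, classify it with mtk_su_outcome < run.log, and call live_check from inside the shell that mtk-su opened; verity_state is the question to ask before any remount experiment, not after.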
 
 
17th April 2019, 12:52 PM |#2 diplomatic (OP), Senior Member
INSTRUCTIONS FOR TERMINAL APP
On Android 8.x and up, the first run of mtk-su has to be done through an app, not adb, due to security-related reasons. A terminal emulator such as Termux or Terminal Emulator for Android may be used for this purpose. The gist of the process is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
  1. Download the current mtk-su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
  2. Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
    General idea: cp path/to/mtk-su ./
    For example,
    Code:
    cp /sdcard/mtk-su_r12/arm64/mtk-su ./
    For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
  3. Make file executable
    Code:
    chmod 700 mtk-su
  4. Run the program
    Code:
    ./mtk-su

Now if this succeeds, from that point forward you will be able to run mtk-su in an adb shell according to ADB instructions (until next reboot). If this doesn't work, I will either have to adjust something to fix it, or in worst case, declare it not possible.

If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and/or kernel sources, if possible.

Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
    Code:
    cp path/to/mtk-su $HOME/
    cd $HOME
    chmod 700 mtk-su
    ./mtk-su
17th April 2019, 12:52 PM |#3 diplomatic (OP), Senior Member
Status
Confirmed Devices
Acer Iconia B3-A40
Alcatel A5 LED 5085 series
Alcatel A30 5049 series
Alcatel Idol 5
Amazon Fire HD 8 (2016-2018)
Amazon Fire HD 10 2017
Amazon Fire TV 2
ASUS ZenPad MT8163-based series
Barnes & Noble NOOK Tablet 7" BNTV450
Barnes & Noble NOOK Tablet 10.1" BNTV650
BLU Life Max
BLU Life One X
BLU R1 series
BLU R2 LTE
BLU S1
BLU Tank Xtreme Pro
BLU Vivo 8L
BLU Vivo XL4
BQ Aquaris M8
Huawei TAG-L21
Huawei Y5II
LG Tribute Dynasty
Nokia 3
Nokia 3.1 Plus
Nokia 5.1
Sony Xperia XA1
Xiaomi Redmi 6/6A series
ZTE Blade D6/V6


Supported Chipsets
Including, but not limited to: MT6735, MT6737, MT6738, MT6739, MT6750, MT6753, MT6755, MT6757, MT6758, MT6761, MT6762, MT6763, MT6765, MT6771, MT6779, MT6795, MT6797, MT8163, MT8167, MT8173, MT8176
17th April 2019, 12:52 PM |#4 diplomatic (OP), Senior Member
PROJECTS USING THIS TEMP ROOT
Partition Backup Helper for Termux by @mrmazak
Creates a script that automatically backs up your device's partitions, which may come in handy for repairs or experimenting.
17th April 2019, 12:53 PM |#5 diplomatic (OP), Senior Member
Re-re-reserved
17th April 2019, 02:26 PM |#6 bigrammy, Senior Member (Huddersfield)
Great work mate!! I would have liked to have kept it secret till I got myself a new Sony L3 and backed up the TA though.


17th April 2019, 02:43 PM |#7 diplomatic (OP), Senior Member
LOL... thanks!

Don't worry man, no one reads this forum
17th April 2019, 04:42 PM |#8 NFSP G35, Senior Member
Great work. Having used both a hardware root method and this method on a pair of devices I have, mtk-su was waaaaaaay easier to work with. Big thanks!
17th April 2019, 09:50 PM |#9 KevMetal, Senior Member (Girona)
Looks great... I want to try it on a Vodafone carrier-branded mtk67__ device in Spain / Europe to see what happens...

Ultimately I would want to use su to pull a copy of stock recovery to SD card / that and the boot partition .img

What about, after pulling stock recovery & porting TWRP, I flash TWRP with FlashFire or similar and after booting directly to recovery flash a dm-verity disable .zip...

The reason being that the bootloader is locked and this device is on Marshmallow...

*So my question is...
Will mounting rw on Marshmallow trip dm-verity immediately and bootloop instantly, or only on reboot? If it's on reboot it would serve my purpose...

* Next question is: if I'm running as su in shell, how will I "give" escalated privileges to a third-party apk like FlashFire for example, or is it possible to disable dm-verity from a root shell using commands?

Or installing MiXplorer with root privileges, for example...
18th April 2019, 12:54 AM |#10 mrmazak, Senior Member
Quote:
Originally Posted by KevMetal

Looks great... I want to try it on a Vodafone carrier-branded mtk67__ device in Spain / Europe to see what happens...

Ultimately I would want to use su to pull a copy of stock recovery to SD card / that and the boot partition .img

What about, after pulling stock recovery & porting TWRP, I flash TWRP with FlashFire or similar and after booting directly to recovery flash a dm-verity disable .zip...

The reason being that the bootloader is locked and this device is on Marshmallow...

*So my question is...
Will mounting rw on Marshmallow trip dm-verity immediately and bootloop instantly, or only on reboot? If it's on reboot it would serve my purpose...

* Next question is: if I'm running as su in shell, how will I "give" escalated privileges to a third-party apk like FlashFire for example, or is it possible to disable dm-verity from a root shell using commands?

Or installing MiXplorer with root privileges, for example...

@diplomatic made a good outline of the steps to "jump" into full root. At least until rebooted.


I will add the link to the post, but keep the discussion that follows here in this thread.

*Copied from post https://forum.xda-developers.com/sho...&postcount=569
Quote:
Originally Posted by diplomatic

For advanced users or devs: here's a general overview for a method to get root with Magisk without having to modify your boot image.

  1. Get a Magisk zip file and extract the magiskinit binary. Push magiskinit to your device.
  2. Extract the magisk binary from magiskinit with ./magiskinit -x magisk
  3. Make a symbolic link to (or a copy of) magiskinit and call it magiskpolicy.
  4. Make a symbolic link to (or a copy of) magisk and call it su.
  5. Make a small ext4 image of about 2 to 4MB (using something like make_ext4fs -J -l 2MB). In it, place Magisk's magisk and su binaries. The su binary could be either a link to magisk or a copy of it. (Idea borrowed from @k4y0z's unlock method.)
  6. Get a root shell with mtk-su
  7. Patch the running sepolicy with a magisk context using ./magiskpolicy --live --magisk 'allow magisk * * *' .
  8. Start a temporary Magisk daemon with ./magisk --daemon
  9. Start a temporary Magisk root shell with ./su. This may involve prompts from Magisk Manager.
  10. Check to make sure the new root shell has the context u:r:magisk:s0. Don't proceed if it's not that context.
  11. From the magisk context shell, mount the ext4 image to /system/xbin with
    losetup /dev/block/loop0 magisk.img
    mount /dev/block/loop0 /system/xbin
    You may be able to combine those 2 commands into one, but I wasn't able to on my device.
  12. Kill the temporary magisk daemon with killall magiskd. The point of this is to launch a new daemon from within the magisk se-context. Otherwise there will be problems with selinux.
  13. Start a new daemon with magisk --daemon. Notice that there's no ./ at the start. This is to test the loopback img.
  14. Exit the temporary ./su shell. You may get an error message, but that's fine. At this point you should be back to the mtk-su shell.
  15. Exit the mtk-su shell.
  16. Check if su works. You should get a prompt from Magisk Manager.
  17. At this point, if you get a normal root shell, you can do setenforce 1.
  18. Now all apps that want su access will have it with proper prompting.
  19. Have some app execute steps 6 through 17 at every startup.

Steps 1-5 are done once. Step 6 onward are done at every boot session. A script would probably help. I'm sure this is missing some details, but I just wanted to convey the general idea.

EDIT: If you get this system up and running, you of course want to avoid updating Magisk binaries through MM. That's pretty important because doing so will probably stop your device from booting.

18th April 2019, 10:35 AM |#11 diplomatic (OP), Senior Member
Quote:
Originally Posted by KevMetal

Looks great... I want to try it on a Vodafone carrier-branded mtk67__ device in Spain / Europe to see what happens...

Ultimately I would want to use su to pull a copy of stock recovery to SD card / that and the boot partition .img

What about, after pulling stock recovery & porting TWRP, I flash TWRP with FlashFire or similar and after booting directly to recovery flash a dm-verity disable .zip...

The reason being that the bootloader is locked and this device is on Marshmallow...

*So my question is...
Will mounting rw on Marshmallow trip dm-verity immediately and bootloop instantly, or only on reboot? If it's on reboot it would serve my purpose...

* Next question is: if I'm running as su in shell, how will I "give" escalated privileges to a third-party apk like FlashFire for example, or is it possible to disable dm-verity from a root shell using commands?

Or installing MiXplorer with root privileges, for example...

Cool... let us know the results of running mtk-su on that phone, as well as the full model name so I can list it.

So you're on the right track about installing permanent root. I was pretty vague about it in the OP because it's a complex topic and it's pretty risky territory. Before trying to mod your boot image with systemless root and/or verity disabled, you have to check how restrictive your BL is. It's very possible that it can accept self-signed or unsigned images without needing to unlock. You can check this in a minesweeper fashion by flashing your stock recovery with the OEM signature removed and see if it boots. If not, Android will restore the stock recovery automatically, no harm done.

If you want to flash partitions from a root shell, you can use the dd command. FlashFire is a glorified dd flasher. For example, to flash a recovery image you would do
    Code:
    dd if=recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery
The exact path of the dev node varies by device. You should do more research about it if you're interested. To dump partitions, essentially do the reverse of if= and of=.

If you want, you can post your stock recovery image and I can modify it so you can test how restrictive your BL is. There's no need to jump ahead to TWRP yet.
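A safer companion to the dd advice above and to the Partition Backup Helper listed in post #4, as an added example that is neither diplomatic's nor mrmazak's code: it only reads partitions by name, writes a checksum beside each image, and verifies the dump before you rely on it for a restore. The by-name directory is a parameter because, as the post says, the platform path differs per device; the glob patterns in find_by_name are an assumption (the post's mtk-msdc.0/11230000.MSDC0/by-name path matches the second one), and the test data is constructed so the functions can be exercised against a directory of ordinary files on a PC.

```shell
#!/bin/sh
# Added example (not diplomatic's or mrmazak's code): read-only partition
# backup from a root shell, with a checksum recorded beside every image.

# Print the checksum of a file: sha256 when available, POSIX cksum otherwise.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Locate the by-name directory on an Android device. The post's example path
# is /dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name; instead of
# hard-coding one vendor layout, try the common locations (assumed patterns).
find_by_name() {
    for d in /dev/block/by-name \
             /dev/block/platform/*/by-name \
             /dev/block/platform/*/*/by-name; do
        if [ -d "$d" ]; then echo "$d"; return 0; fi
    done
    echo "no by-name directory found; check ls -l /dev/block/platform" >&2
    return 1
}

# dump_partition BYNAME_DIR NAME OUTDIR
# Copies BYNAME_DIR/NAME to OUTDIR/NAME.img with dd (reading only, if= is the
# partition) and writes the checksum to OUTDIR/NAME.img.sum. Prints the image path.
dump_partition() {
    src="$1/$2"; out="$3/$2.img"
    if [ ! -e "$src" ]; then
        echo "no partition named $2 in $1" >&2; return 1
    fi
    dd if="$src" of="$out" bs=1048576 2>/dev/null || return 1
    digest "$out" > "$out.sum" || return 1
    echo "$out"
}

# verify_image IMG: recompute the checksum and compare it with IMG.sum.
# Returns 1 when the sidecar is missing or the image has changed since the dump.
verify_image() {
    [ -f "$1.sum" ] || return 1
    [ "$(digest "$1")" = "$(cat "$1.sum")" ]
}

# backup_all BYNAME_DIR OUTDIR NAME...: dump and verify each named partition,
# stopping at the first failure so a half-written set is never mistaken for a backup.
backup_all() {
    by=$1; out=$2; shift 2
    for n in "$@"; do
        img=$(dump_partition "$by" "$n" "$out") || return 1
        verify_image "$img" || return 1
        echo "ok: $img"
    done
}

# Demo when invoked as: sh partition_backup.sh demo   (run from a root shell
# on the device; recovery and boot are the two partitions the thread discusses)
if [ "${1:-}" = "demo" ]; then
    by=$(find_by_name) || exit 1
    mkdir -p /sdcard/partition-backup
    backup_all "$by" /sdcard/partition-backup recovery boot
fi
```

Keeping the .sum files next to the images is what makes a later restore decision safe: a recovery.img whose checksum no longer matches its sidecar was truncated or altered, and dd-ing it back is worse than having no backup at all.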