1: YOU MUST EXTRACT THE .IMG FILE FROM THE TAR AND FLASH WITH TWRP. For some reason flashing with ODIN does NOT work with the images attached to this thread.
2: To make ODIN tars, look at @drExel's post here.
3: In most variants, TWRP 220.127.116.11 appears to work, though there are some issues. On some devices, it takes a REALLY long time to boot into TWRP, making you believe the device has frozen, but just give it time and it will load eventually. On other devices, TWRP loads, but touch does not work. In these cases, the S-Pen works without any problems (but is very sensitive). Some users have posted alternate TWRPs that work properly; search the thread for this. I am not including it here because I have not personally tried these versions myself.
4: Since this issue came up multiple times, though it is mentioned in the instructions below, I am stressing this once again. DO NOT ALLOW TWRP TO AUTOMATICALLY INSTALL SUPERSU WHEN YOU HIT REBOOT. THIS WILL CAUSE A BOOTLOOP, GUARANTEED! YOU MUST FLASH THE BETA 2.52 SUPERSU MANUALLY AFTER FLASHING THE PATCHED BOOT.IMG AND CONFIRMING THE DEVICE WORKS PROPERLY!
5: If you take the time to read the entire thread, you will find redirects to other kernels, firmwares and more. I am sure they are excellent, but having not used any of them, I cannot vouch for the outcomes if you flash them. All information related to the other firmwares and any questions you have about them are best served by going to their dedicated threads. This thread is ONLY for a pure stock firmware with only the boot.img patched to permit root, and nothing else touched.
6: XPosed Framework does not work yet for TW LL, but @wanam has an unofficial version here that various members have reported works quite well.
7: Knox WILL be tripped. If you care about Knox, leave now and do not come back!
The thread originally began as a pure tutorial, with only the P607T image. But given the requests others had, and my need to confirm that this works on all variants, I made more patched images. No 'simple instructions' were available earlier because this was not intended for end-users who might flash and find that it does not work. Now that all the images are confirmed working, and we have tested on all variants, here is a simplified set of instructions for those who just wish to flash and do not care what they are flashing.
1: Update to fully stock 5.1.1 for your device. Whether it is OTA or ODIN flash using a firmware from sammobile or elsewhere does not matter. You start with a fully stock device running 5.1.1.
2: Download the appropriate patched_boot.img for your device. They are attached as tar files due to XDA size restrictions, so you must untar and then save the .img file to your device. Also download SuperSU Beta 2.52.zip and save it as is to the same folder on your device where you put the .img file.
3: Download TWRP 18.104.22.168 for your device and flash it with ODIN. To get TWRP to stick, when the device reboots, you must go directly into recovery. If the device reboots normally, TWRP will be replaced by the stock recovery. There are guides on how to flash TWRP and you should go look at them if you are unsure how to do this.
4: Once you are in TWRP, go to the Install area. The default is for installing .zip files. At the bottom right of the screen, you will see a button to change to Images. Hit this. Then select the patched_boot.img file that you saved on your device in the previous step. When you hit install, TWRP will ask you whether this is a boot image or a recovery image. Select Boot. Let TWRP do its thing. When done, go back and hit reboot. TWRP will volunteer to install SuperSU for you now. SAY NO TO THIS. If you accept this install, your device will bootloop and you have to start all over again!
5: Make sure the device rebooted without any problems. You will see a red "Kernel SEAndroid Not Enforcing" message when you reboot. Ignore it, it just means that the patched boot.img is working. Once you have confirmed that the device is able to boot properly with the patched boot.img, reboot into recovery again. Go back to Install, this time, stick with Zip mode and install the Beta SuperSU 2.52.zip that you saved to your device. Reboot.
6: If you followed instructions properly, you will reboot without any problems. Run SuperSU, allow it to update if it wants to, and to disable knox if you want to. You have a rooted device now with a virgin firmware.
7: This process has worked for enough people now that any errors are user errors. If you are bootlooping after following these instructions to the letter, you should do a full factory reset and try from scratch. A previous incorrect flash of SuperSU that caused a bootloop seems to persist even if you reflash the stock firmware and messes things up. Always perform a clean install!
Tutorial to patch your own boot.img
This section is NOT meant for the non-technical end-user who "... just wants root ... "
So far, it seems the only way to get root on the 5.1.1 Firmware was to flash a permissive kernel that disabled SEAndroid completely. This is a bit like killing the patient to cure the disease. @Chainfire describes a 'trick' to get root with a fully stock kernel on this thread. Special Thanks to @garyd9 and @SHM for helping me get everything working properly.
1) Extract boot.img from your device's stock firmware.
2) Unpack the boot.img to get access to the ramdisk.
3) Copy the sepolicy file from the ramdisk. You will be patching this file to make the usual SuperSU method work again.
The stock image can be extracted from the firmware using any archive tool. To unpack the boot.img, you can take a look at the following threads for tools and instructions.
Carliv's Kitchen : Windows, very beginner friendly.
SHM's Toolset : I used this on Linux.
Copy sepolicy from the ramdisk folder to your adb folder (if you are on Windows and using Minimal ADB and Fastboot; I am assuming Linux users don't need to be told what to do here).
1) Connect an already rooted device running 4.4+ firmware & SuperSU Beta 2.50+ to your system. Make sure you have adb access.
2) Push the sepolicy file to the device.
3) Run supolicy on the sepolicy file to patch it.
4) Pull the sepolicy file back to your computer.
I used my rooted Note 2 to get the job done. ANY rooted device that permits adb should do the trick, but it needs to be on 4.4+ firmware and running SuperSU Beta 2.50+.
Once you have an adb connection established, do the following (this is from Chainfire's thread referenced at the beginning):
adb push sepolicy /data/local/tmp/sepolicy
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out"
adb shell su -c "chmod 0644 /data/local/tmp/sepolicy_out"
adb pull /data/local/tmp/sepolicy_out sepolicy_out
1) Replace the sepolicy file in the stock ramdisk with the newly patched sepolicy file.
2) Repack the ramdisk.
3) Make a new boot.img with the stock kernel and repacked ramdisk.
4) Flash new boot.img on your Note 10.1. Reboot, make sure everything is working.
Replace the sepolicy in the ramdisk with the sepolicy_out file that you pulled from your reference device. This means RENAME sepolicy_out and overwrite the original sepolicy file.
Repack the ramdisk using the instructions that came with your tool.
Make a new patchedboot.img file using the instructions that came with your tool.
Copy this patchedboot.img file to your Note 10.1, reboot into TWRP, go to the install zip section, toggle image mode, flash the patchedboot.img file and reboot the device. DECLINE TWRP's friendly offer to install SuperSU for you. This will cause a bootloop! If the device reboots successfully, pat yourself on the back. At this point, all you have done is patched the sepolicy to allow rooting, but you have not yet rooted the device.
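Before the flash step above, it is worth confirming that the repacked image differs from the stock one only in the ramdisk. The following is an added example, not part of the original post or of any unpacking tool: it assumes the classic Android boot image header layout (ANDROID! magic, page-aligned kernel, ramdisk and second sections), and the function names and sample images are constructed for the demo.

```python
import struct

MAGIC = b"ANDROID!"

def parse_boot_img(data):
    """Split an Android boot image (classic header layout) into its sections."""
    if data[:8] != MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    # After the magic: kernel size/addr, ramdisk size/addr, second size/addr,
    # tags addr, page size, as eight little-endian uint32 fields.
    (k_size, _k_addr, r_size, _r_addr,
     s_size, _s_addr, _tags, page) = struct.unpack_from("<8I", data, 8)
    if page == 0:
        raise ValueError("page size is zero")
    pages = lambda n: (n + page - 1) // page      # sections are page-aligned
    k_off = page                                  # header occupies one page
    r_off = k_off + pages(k_size) * page
    s_off = r_off + pages(r_size) * page
    if s_off + s_size > len(data):
        raise ValueError("image truncated")
    return {
        "kernel": data[k_off:k_off + k_size],
        "ramdisk": data[r_off:r_off + r_size],
        "second": data[s_off:s_off + s_size],
        "cmdline": data[64:64 + 512].rstrip(b"\0"),  # cmdline[512] at offset 64
    }

def changed_sections(stock, patched):
    """Names of the sections that differ between two boot images."""
    a, b = parse_boot_img(stock), parse_boot_img(patched)
    return sorted(name for name in a if a[name] != b[name])

def build_image(kernel, ramdisk, cmdline=b"console=null", page=2048):
    """Constructed sample image for the demo; not a real firmware."""
    pad = lambda blob: blob + b"\0" * (-len(blob) % page)
    header = MAGIC + struct.pack("<8I", len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)
    header += b"\0" * 8 + b"\0" * 16 + cmdline.ljust(512, b"\0")
    return pad(header) + pad(kernel) + pad(ramdisk)

# Constructed inputs: same kernel with a new ramdisk, then a modified kernel.
STOCK = build_image(b"KERNEL" * 1000, b"ramdisk with stock sepolicy")
PATCHED = build_image(b"KERNEL" * 1000, b"ramdisk with patched sepolicy")
TAMPERED = build_image(b"KERNEX" * 1000, b"ramdisk with patched sepolicy")

if __name__ == "__main__":
    for label, img in (("patched", PATCHED), ("tampered", TAMPERED)):
        print(label, changed_sections(STOCK, img))
```

For real files, read the stock boot.img and patchedboot.img in binary mode and pass the bytes to changed_sections; anything other than a result containing only ramdisk means the repack touched more than the sepolicy swap should have.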
1) Use TWRP to install SuperSU Beta 2.50+ (I used 2.52)
Copy SuperSU Beta 2.50+ (I used 2.52) to the device, reboot into TWRP and install SuperSU. Reboot for rooted Note 10.1 running a Stock Kernel and no compromised SEAndroid. Of course, it goes without saying, this will trip knox. Also, please note that XPosed is not out for 5.1.1 yet, at least not officially. @wanam has an unofficial version here that various members have reported works well.