Software root method for Mediatek MT816x, MT817x and MT67xx!
A tool that gives you a temporary root shell with Selinux permissive to do with as you please
STATUS
Confirmed Working
Fire HD 8 8th gen (2018) (thanks @xyz`) -- up to Fire OS 6.3.0.1 only
Fire HD 8 7th gen (2017) -- up to Fire OS 5.6.4.0 build 636558520 only
Fire HD 8 6th gen (2016) (thanks @bibikalka) -- up to Fire OS 5.3.6.4 build 626536720
Fire HD 10 7th gen (2017) (thanks @bibikalka) -- up to Fire OS 5.6.4.0 build 636558520 only
Fire TV 2 2015 (mt8173-based) (thanks @el7145) -- up to Fire OS 5.2.6.9 only
Fire 7 9th gen (2019) (thanks @Michajin) -- up to Fire OS 6.3.1.2 build 0002517050244 only
Fire HD 10 9th gen (2019) -- up to Fire OS 7.3.1.0 only
Various phones and tablets up to Android 9.x (see link below for full list)
Note that for Fire OS 5, OS version 5.3.x.x is newer than 5.6.x.x.
Amazing Temp Root for MediaTek ARMv8: expanded thread covering all compatible MTK devices
DISCLAIMER
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.
REQUIREMENTS
Proficiency with the Thanks button under XDA posts
A Fire HD tablet based on mt8163 or mt8173 (or another MTK ARMv8 device)
Either:
- A PC with ADB installed to interact with your device, or
- A terminal emulator app
INSTRUCTIONS
- Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
arm64: 64-bit kernel and userspace
arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
The arm64 one is suitable for most devices. The notable devices that need the arm version are the Fire HD 8 2018, Fire 7, and Fire HD 10 2019.
- Connect your device to ADB and push mtk-su to your /data/local/tmp folder
Code:adb push path/to/mtk-su /data/local/tmp/
- Open an adb shell
Code:adb shell
- Change to your tmp directory
Code:cd /data/local/tmp
- Add executable permissions to the binary
Code:chmod 755 mtk-su
- At this point keep your tablet screen on and don't let it go to sleep. Run the program
Code:./mtk-su
The -v option turns on verbose printing, which is necessary for me to debug any problems.
It will take several seconds, but using the -v option, you should see output similar to this (with id command added):
Code:
$ ./mtk-su -v
param1: 0x3000, param2: 0x18040, type: 2
Building symbol table
kallsyms_addresses pa 0x40bdd500
kallsyms_num_syms 70337, addr_count 70337
kallsyms_names pa 0x40c66d00, size 862960
kallsyms_markers pa 0x40d39800
kallsyms_token_table pa 0x40d3a100
kallsyms_token_index pa 0x40d3a500
Patching credentials
Parsing current_is_single_threaded
ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
ffffffc000354868+54: ADD xd, x0, 2592
init_task VA: 0xffffffc000fa2a20
Potential list_head tasks at offset 0x340
comm swapper/0 at offset 0x5c0
Found own task_struct at node 1
cred VA: 0xffffffc0358ac0c0
Parsing avc_denied
ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
ffffffc0002f13bc+28: LDR [x0, 404]
selinux_enforcing VA: 0xffffffc001113194
Setting selinux_enforcing
Switched selinux to permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
#
mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
mtk-su -s: Prints the kernel symbol table
If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here.
Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.
If you succeed in getting temporary root, at that point you might want to install SuperSU for a more permanent root solution. Here is the official guide on which files should be present to kickstart SuperSU from temporary root. They are available in the latest SuperSU zip file. Remember that this only applies to Fire OS 5.
FIRE OS 5 AND ANDROID 5 USERS: There's an automated SuperSU loader by @Rortiz2 that makes jumpstarting SuperSU quick and easy.
WARNING FOR FIRE HD 8 2018 AND OTHER FIRE OS 6 DEVICES: If you have achieved root on such a device, do not remount the system partition as read/write. The remount command will probably not work. But forcing it will trigger dm-verity, which will result in a very bad day. Your tablet will become inoperable until you restore the stock system partition. You can accomplish a lot without modifying /system. But if you would like to get persistent root with Magisk by unlocking the bootloader, head on over to @bibikalka's outstanding Unlock/Magisk/TWRP Tutorial.
DOWNLOAD
Current Version
Release 23
Past releases & change log live at Amazing Temp Root for MediaTek ARMv8
FAQ
I got the error, "This firmware cannot be supported". What do I do?
This means that your device's firmware is not prone to the mechanism used by mtk-su. Check the firmware version and build number of the OS on your device. If your version is higher than that next to your device on the list above, then mtk-su will no longer work on your device. There may be other ways to achieve root. Check elsewhere on the forum.
Will this work on the Fire 7?
No, it is very doubtful this method can be used on the MT8127 chipset. The same also goes for the Fire TV stick.
After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled is somehow more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.
Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader. But after running mtk-su, you may be able to use @xyz`'s revolutionary LK exploit or derivative works to achieve what is effectively an unlocked bootloader on some devices. Namely, you should be able to flash the specially crafted TWRP image using dd from Android.
How does this tool work?
It overwrites the process's credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, I don't think I should discuss that as of yet.
Will this work on the Fire TV Stick 4K?
Unfortunately, no. While it has a 64-bit chip, the required vulnerabilities are not present in its OS.
Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.
Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
- It has already been answered in the FAQ or multiple times in the thread.
- Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
- Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
- @Supersonic27543 for helping me port it to Fire OS 5 and namely the HD 8 7th gen
- Thank you to everyone who has donated. You're the best!
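The FAQ above says the tool overwrites the process's credentials and capabilities and the kernel's selinux_enforcing variable. As an added example (not part of the original post or of mtk-su), this shell check flags that resulting state from `getenforce` output and the text of a process's /proc/<pid>/status; the function names, the sample status text and the build-type argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag the state the thread describes (uid 0, full capability
# mask, SELinux permissive) from text collected on a device.
# Heuristic only: some vendor init scripts legitimately run sh as root.

FULL_CAPS=3fffffffff   # mask shown in the thread's "UID: 0 cap: ..." line

# Constructed samples in /proc/<pid>/status format (not captured from a device).
SAMPLE_CLEAN='Name: sh
Uid: 2000 2000 2000 2000
CapEff: 0000000000000000'
SAMPLE_TAMPERED='Name: sh
Uid: 0 0 0 0
CapEff: 0000003fffffffff'

# status_field <status-text> <field> <column> -> value from the first matching line
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" -v c="$3" '$1 == f { print $c; exit }'
}

# check_process <status-text> <getenforce-output> <build-type>
# Prints one ALERT line per finding; returns 0 if clean, 1 if anything is flagged.
check_process() {
    st=$1; enforce=$2; build=$3; rc=0
    name=$(status_field "$st" Name 2)
    euid=$(status_field "$st" Uid 3)          # column 3 is the effective uid
    capeff=$(status_field "$st" CapEff 2 | sed 's/^0*//')
    if [ "$build" = "user" ] && [ "$enforce" != "Enforcing" ]; then
        echo "ALERT selinux=$enforce on user build"; rc=1
    fi
    if [ "$name" = "sh" ] && [ "$euid" = "0" ] && [ "$capeff" = "$FULL_CAPS" ]; then
        echo "ALERT root shell with full caps (CapEff=$capeff)"; rc=1
    fi
    return $rc
}

# Demonstration on the constructed tampered sample.
check_process "$SAMPLE_TAMPERED" Permissive user || true
```

On a real device the three inputs would come from `cat /proc/<pid>/status`, `getenforce` and `getprop ro.build.type`.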