Rapid Temporary Root for HD 8 & HD 10

1,334 posts
Thanks Meter: 1,766
By diplomatic, XDA Ad-Free Senior Member on 26th February 2019, 02:58 AM
Post Reply Email Thread
Software root method for Mediatek MT816x, MT817x and MT67xx!
A tool that gives you a temporary root shell with Selinux permissive to do with as you please

Confirmed Working
Fire HD 8 8th gen (2018) (thanks @xyz`) -- up to Fire OS only
Fire HD 8 7th gen (2017) -- up to Fire OS build 636558520 only
Fire HD 8 6th gen (2016) (thanks @bibikalka) -- up to Fire OS build 626533320
Fire HD 10 7th gen (2017) (thanks @bibikalka) -- up to Fire OS build 636558520 only
Fire TV 2 2015 (mt8173-based) (thanks @el7145) -- up to Fire OS only
Fire 7 9th gen (2019) (thanks @Michajin) -- up to Fire OS build 0002517050244 only
Fire HD 10 9th gen (2019) -- up to Fire OS only
Various phones and tablets up to Android 9.x (see link below for full list)
Note that for Fire OS 5, OS version 5.3.x.x is newer than 5.6.x.x.

Amazing Temp Root for MediaTek ARMv8: expanded thread covering all compatible MTK devices

Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.

Proficiency with the Thanks button under XDA posts
A Fire HD tablet based on mt8163 or mt8173 (or another MTK ARMv8 device)
  • A PC with ADB installed to interact with your device, or
  • A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands

  1. Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
    arm64: 64-bit kernel and userspace
    arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
    The arm64 one is suitable for most devices. The notable devices that need the arm version are the Fire HD 8 2018, Fire 7, and Fire HD 10 2019.
  2. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
    adb push path/to/mtk-su /data/local/tmp/
  3. Open an adb shell
    adb shell
  4. Change to your tmp directory
    cd /data/local/tmp
  5. Add executable permissions to the binary
    chmod 755 mtk-su
  6. At this point keep your tablet screen on and don't let it go to sleep. Run the program
    If the program gets stuck for more than a few seconds, press Ctrl+C to close it.
    The -v option turns on verbose printing, which is necessary for me to debug any problems.
    It will take several seconds, but using the -v option, you should see output similar to this (with id command added):
    $ ./mtk-su -v
    param1: 0x3000, param2: 0x18040, type: 2
    Building symbol table
    kallsyms_addresses pa 0x40bdd500
    kallsyms_num_syms 70337, addr_count 70337
    kallsyms_names pa 0x40c66d00, size 862960
    kallsyms_markers pa 0x40d39800
    kallsyms_token_table pa 0x40d3a100
    kallsyms_token_index pa 0x40d3a500
    Patching credentials
    Parsing current_is_single_threaded
    ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
    ffffffc000354868+54: ADD xd, x0, 2592
    init_task VA: 0xffffffc000fa2a20
    Potential list_head tasks at offset 0x340
    comm swapper/0 at offset 0x5c0
    Found own task_struct at node 1
    cred VA: 0xffffffc0358ac0c0
    Parsing avc_denied
    ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
    ffffffc0002f13bc+28: LDR [x0, 404]
    selinux_enforcing VA: 0xffffffc001113194
    Setting selinux_enforcing
    Switched selinux to permissive
    starting /system/bin/sh
    UID: 0  cap: 3fffffffff  selinux: permissive

    Some other options:
    mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
    mtk-su -s: Prints the kernel symbol table
    If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here.

    Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.

If you succeed in getting temporary root, at that point you might want to install SuperSU for a more permanent root solution. Here is the official guide on which files should be present to kickstart SuperSU from temporary root. They are available in the latest SuperSU zip file. Remember that this only applies to Fire OS 5.

FIRE OS 5 AND ANDROID 5 USERS: There's an automated SuperSU loader by @Rortiz2 that makes jumpstarting SuperSU quick and easy.

WARNING FOR FIRE HD 8 2018 AND OTHER FIRE OS 6 DEVICES: If you have achieved root on such a device, do not remount the system partition as read/write. The remount command will probably not work. But forcing it will trigger dm-verity, which will result in a very bad day. Your tablet will become inoperable until you restore the stock system partition. You can accomplish a lot without modifying /system. But if you would like to get persistent root with Magisk by unlocking the bootloader, head on over to @bibikalka's outstanding Unlock/Magisk/TWRP Tutorial.

Current Version
Release 22

Past releases & change log live at Amazing Temp Root for MediaTek ARMv8

I got the error, "This firmware cannot be supported". What do I do?
This means that your device's firmware is not prone to the mechanism used by mtk-su. Check the firmware version and build number of the OS on your device. If your version is higher than that next to your device on the list above, then mtk-su will no longer work on your device. There may be other ways to achieve root. Check elsewhere on the forum.

Will this work on the Fire 7?
No, it is very doubtful this method can be used on the MT8127 chipset. The same also goes for the Fire TV stick.

After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled is somehow more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader. But after running mtk-su, you may be able to use @xyz`'s revolutionary LK exploit or derivative works to achieve what is effectively an unlocked bootloader on some devices. Namely, you should be able to flash the specially crafted TWRP image using dd from Android.

How does this tool work?
It overwrites the process's credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, I don't think I should discuss that as of yet.

Will this work on the Fire TV Stick 4K?
Unfortunately, no. While it has a 64-bit chip, the required vulnerabilities are not present in its OS.

Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.

Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
  • It has already been answered in the FAQ or multiple times in the thread.
  • Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
  • Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
  • @Supersonic27543 for helping me port it to Fire OS 5 and namely the HD 8 7th gen
  • Thank you to everyone who has donated. You're the best!
The Following 136 Users Say Thank You to diplomatic For This Useful Post: [ View ] Gift diplomatic Ad-Free
26th February 2019, 03:02 AM |#2  
Senior Member
Thanks Meter: 316
Donate to Me
I want to thank you again for your efforts on this! I was ill the days before, so I didn't get much time to test SuperSU, and I'm trying to make a script now. Good luck to everyone who tries this!
EDIT: Oops, sorry for the reserve post.
The Following 6 Users Say Thank You to Supersonic27543 For This Useful Post: [ View ] Gift Supersonic27543 Ad-Free
26th February 2019, 03:10 AM |#3  
OP Senior Member
Thanks Meter: 1,766
Donate to Me
How to use without a PC
You can optionally use mtk-su from a terminal emulator such as Termux or Terminal Emulator for Android (my preference). The gist of the process is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
  1. Download the current mtk_su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
  2. Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
    General idea: cp path/to/mtk-su ./
    For example,
    cp /sdcard/mtk-su_r14/arm64/mtk-su ./
    For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
  3. Make file executable
    chmod 700 mtk-su
  4. Run the program

If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and kernel sources, if possible.

Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
cp path/to/mtk-su ./
chmod 700 mtk-su
The Following 8 Users Say Thank You to diplomatic For This Useful Post: [ View ] Gift diplomatic Ad-Free
26th February 2019, 03:18 AM |#4  
cybersaga's Avatar
Senior Member
Loyalist, ON
Thanks Meter: 73
Great work!

So could this theoretically work for any Mediatek device? Or do specific modifications need to be done for another model chip?

What do you think is likely the worst to happen if this is tried as-is on another device? Will it just not work? Or explode the device?

I have an Acer B3-A40 that has an MT8167 chip that I wouldn't mind rooting.
26th February 2019, 03:47 AM |#5  
OP Senior Member
Thanks Meter: 1,766
Donate to Me
@cybersaga, yes, it's very possible it will work on an mt8167 device. Although I can't 100% guarantee it won't damage your device, I would just go ahead and try it. The risk is very minimal. It will print some error if it fails. I think realistically, I would need to tweak some parameters or make a workaround if there's a problem.

The method should be applicable to most 64-bit platforms. There are newer 4.x kernels where the necessary hole is not present, though. But time will tell what devices this ultimately will be compatible with.
The Following 3 Users Say Thank You to diplomatic For This Useful Post: [ View ] Gift diplomatic Ad-Free
26th February 2019, 03:54 AM |#6  
cybersaga's Avatar
Senior Member
Loyalist, ON
Thanks Meter: 73
That's super neat. I'll probably give it a try sometime this week.
26th February 2019, 04:04 AM |#7  
Senior Member
Thanks Meter: 325
Very cool from what I can see, however it doesn't work on HD8 2018 because there's no 64-bit userspace (only the kernel is 64-bit), could you recompile it for arm?
26th February 2019, 04:27 AM |#8  
OP Senior Member
Thanks Meter: 1,766
Donate to Me
Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...
The Following 2 Users Say Thank You to diplomatic For This Useful Post: [ View ] Gift diplomatic Ad-Free
26th February 2019, 04:59 AM |#9  
Senior Member
Thanks Meter: 325
Originally Posted by diplomatic

Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...

Maybe you can just compile it as a static binary instead if that's easier.
26th February 2019, 12:10 PM |#10  
Thanks Meter: 66
Awesome! I just rooted my HD8 2017

Try the automated script by @Rortiz2

Previous instructions:

For anyone that is confused by the process of manually installing SuperSu, I did the following...

IMPORTANT: This is for FireOS 5 devices such as HD8 2017. Do not attempt this on HD8 2018
  1. Install SuperSu from Playstore
  2. Download SuperSu and unzip somewhere
  3. adb push arm64/su arm64/supolicy arm64/ /data/local/tmp
  4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
  5. mount -o remount -rw /system
  6. cp /data/local/tmp/su /system/xbin/su
  7. cp /data/local/tmp/su /system/xbin/daemonsu
  8. cp /data/local/tmp/supolicy /system/xbin/
  9. cp /data/local/tmp/ /system/lib/
  10. cp /data/local/tmp/ /system/lib64/
  11. chmod 0755 /system/xbin/su
  12. chcon u:object_r:system_file:s0 /system/xbin/su
  13. chmod 0755 /system/xbin/daemonsu
  14. chcon u:object_r:system_file:s0 /system/xbin/daemonsu
  15. at this point, running su should work and show a root shell
  16. daemonsu --auto-daemon
  17. Open SuperSu app and allow it to update the su binary

My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems less error-prone
The Following 38 Users Say Thank You to dutchthomas For This Useful Post: [ View ] Gift dutchthomas Ad-Free
26th February 2019, 02:49 PM |#11  
Senior Member
Thanks Meter: 1,061

Wow!!! This is crazy !!! Where have you been before??? I almost had to drill a hole into HD8 2016!!!

I tried this on HD8 2016, FireOS, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.

Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.

Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear our RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.

My HD8 2016 output:
C:\Program Files\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su  -v
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
kallsyms_num_syms 67082, addr_count 67082
kallsyms_names_pa 0x40b5c100
Size of kallsyms_names 805834 bytes
kallsyms_markers_pa 0x40c20d00
kallsyms_token_table_pa 0x40c21600
kallsyms_token_index_pa 0x40c21a00
Patching credentials
init_task va: ffffffc000edaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc050347638 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 0
real_cred: 0xffffffc052669900, cred: 0xffffffc052669900
New UID/GID: 0/0
Setting selinux permissive
Found adrp at offset 4
ADRP x0, base is 0xffffffc001030000
Found ldr at offset 28
LDR [x0,444], selinux_enforce VA is 0xffffffc0010301bc
Switched selinux to permissive
starting /system/bin/sh
[email protected]:/data/local/tmp #

Edit: Despite my super careful SuperSu injection into FireOS system image, I still could not get SuperSu to work after I restored this image using FlashFire. Regardless, the method from this thread also rooted in no time! Awesome!
The Following 4 Users Say Thank You to bibikalka For This Useful Post: [ View ] Gift bibikalka Ad-Free
Post Reply Subscribe to Thread

fire hd 10, fire hd 8, root

Guest Quick Reply (no urls or BBcode)
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes