Software root method for MediaTek MT67xx, MT816x, and MT817x!
So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I created, MTK-SU, was originally aimed at helping Amazon Fire HD owners to easily root and unlock their tablets. (Without it, most models need a hardware mod to achieve root & unlock. This tool made rooting accessible to many times the number of owners. It also made it possible to root the Fire TV gen 2.) But funny story: this method actually works on virtually all of MediaTek's 64-bit chips. Many devices of various vendors have already been confirmed.
So in case it's not clear, what mtk-su does is give you a root shell to do with as you please. It's like running 'su', but without the need to have su installed. That may be a holy grail for locked devices. On some devices, it may be possible to install a root manager for permanent root using mtk-su as a springboard.
The original thread is here: Rapid Temporary Root for HD 8 & HD 10. It's a great resource for info. But please avoid posting there about non-Amazon devices. This new thread is a catchall topic for other devices and vendors.
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software. There is a nonzero chance of any of these events happening as a result of using the tools or methods here.
REQUIREMENTS
- Mastery of the Thanks button under XDA posts
- A phone or tablet based on MediaTek MT67xx, MT816x, MT817x or MT6580 chipsets
- Either a PC with ADB installed to interact with your device, or a terminal emulator app
- You agree to post the model name of any unconfirmed device which ran mtk-su successfully
INSTRUCTIONS FOR ADB
- Make sure you meet all the requirements listed above, especially the first and last ones.
- Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
arm64: 64-bit kernel and userspace
arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
- Connect your device to ADB and push mtk-su to your /data/local/tmp folder
adb push path/to/mtk-su /data/local/tmp/
- Open an adb shell
- Change to your tmp directory
- Add executable permissions to the binary
chmod 755 mtk-su
- At this point keep your device screen on and don't let it go to sleep. Run the command
The -v option turns on verbose printing, which is necessary for me to debug any problems.
The output of ./mtk-su -v is similar to this:
$ ./mtk-su -v
param1: 0x3000, param2: 0x18040, type: 2
Building symbol table
kallsyms_addresses pa 0x40bdd500
kallsyms_num_syms 70337, addr_count 70337
kallsyms_names pa 0x40c66d00, size 862960
kallsyms_markers pa 0x40d39800
kallsyms_token_table pa 0x40d3a100
kallsyms_token_index pa 0x40d3a500
Patching credentials
Parsing current_is_single_threaded
ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
ffffffc000354868+54: ADD xd, x0, 2592
init_task VA: 0xffffffc000fa2a20
Potential list_head tasks at offset 0x340
comm swapper/0 at offset 0x5c0
Found own task_struct at node 1
cred VA: 0xffffffc0358ac0c0
Parsing avc_denied
ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
ffffffc0002f13bc+28: LDR [x0, 404]
selinux_enforcing VA: 0xffffffc001113194
Setting selinux_enforcing
Switched selinux to permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
#
mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
mtk-su -s: Prints the kernel symbol table
mtk-su -Z <context>: Runs shell in a new selinux context. Example: ./mtk-su -Z u:r:logd:s0
If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here. When reporting a problem with a device, please post a link to the firmware and/or the kernel sources.
Please post the model of any device that works with mtk-su that's not already confirmed.
Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.
WARNING: If you have a device with Android 6 or higher, it likely has dm-verity enabled. On such a device one does not simply remount the system partition as read/write. The remount command will probably fail. But if you succeed in forcing it somehow, it will trigger dm-verity, which will result in a very bad day. Your device will become inoperable until you restore the stock system partition.
Release 23 - August 24, 2020
- Add support for some early Linux 3.10 tablet firmware
- Add support for kernels with some debug features enabled
Release 22 - May 8, 2020
- Expand kernel support
- Enable seccomp handling for Android 8
Release 21 - March 14, 2020
- Add support for more devices
- Fix seccomp on 3.18 arm kernels
Release 20 - Dec 28, 2019
- Add support for MT6580
- Add support for some MT8183 versions
- Fix handling of some 32-bit 4.x kernels with stack protection
- Move to NDK build
Release 19 - October 20, 2019
- Add -Z option for setting custom selinux context
- Fix seccomp on armv7
- Fix seccomp handling on late-revision 3.18 kernels
- Improve error printing for critical failures
- Strip supplementary groups in root shell
- Do not spawn root shell on critical failures
Release 18 - July 29, 2019
- Add support for kernel address space layout randomization (KASLR)
- Change status output format
Release 17 - July 13, 2019
- Fix missing capabilities under adb shell in Android 9.x
- Disable seccomp in app mode of Android 9.x
- Add support for MT6771 on Android 8.x
- Reliability improvements
Release 16 - June 9, 2019
- Add support for 32 & 64-bit kernels compiled with CONFIG_KALLSYMS_BASE_RELATIVE
- Add support for MT676x on Android 7.x
Release 15 - May 29, 2019
- Run shell/command in global mount namespace -- mounting from apps is now visible to the whole system
Release 14 - May 22, 2019
- Remove restriction for adb shell initial run on Android 8.0+
- Add support for 32-bit kernels compiled under Android 8.0+
- Add initial support for MT6771 on Android 9+
- Minor bug fixes
Release 13 - May 16, 2019
- Improve stack protection detection -- add support for some armv7-kernel 3.x phones
Release 12 - April 26, 2019
- Unify the arm and armv7-kernel binaries into one
- Support Linux 4.9.x
- Improve speed and possibly reliability
- Fix arm64 support for phones on kernel 3.10.65
- Fix stack protection workaround for armv7 kernels
- Update readme file
Release 11 - April 10, 2019
- Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
- Improve criteria for detecting strong stack protection
Release 10 - April 7, 2019
- Fix support for the latest Oreo devices
- Add compatibility for kernels with stack protection (Nokia phones)
- Improve reliability
- Initial support for 32-bit (armv7) kernels -- needs testing
Release 9 - April 1, 2019
- Confirmed support for at least some Oreo devices
- Fix bugs with R8
Release 8 - March 30, 2019 (REMOVED)
- Lay the groundwork for Oreo devices
- Improve performance
- Improve reliability
Release 7 - March 17, 2019
- Add/fix support for many Linux ver. ≤ 3.18.22 devices
- Fix arm binary on Fire HD 10
Release 6 - March 13, 2019
- Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
- Minor bug fixes
Release 5 - March 7, 2019
- Support kernels with CONFIG_KALLSYMS_ALL disabled
- Improve reliability
Release 4 - March 4, 2019
- Improve compatibility with phones
- Support Fire TV 2 new FW
- Minor bug fixes
- Improve reliability
Release 3 - March 1, 2019
- Add support for HD 10 7th gen
- Add support for 3.10 kernel layout
- Add possible support for MT67xx phones
- Improve reliability
Release 2 - Feb. 27, 2019
- Add support for HD 8 8th gen and 32-bit only user stacks
I got the error, "This firmware cannot be supported". What's up with that?
This means that your device's firmware is not prone to the mechanism used by mtk-su. It may be a new device or it may have started from a firmware update. It will not be feasible to add root support for the current or future firmware versions. Check the last supported firmware version in post 4. If the last working FW is not listed and your device used to work with mtk-su, please report the last working version and/or your current version. In those cases, it may be possible to get mtk-su support by downgrading the firmware.
I got the error, "Firmware support not implemented". What gives?
That means that mtk-su does not recognize the type of firmware on your device. While it's technically possible to add basic detection, most of the time this error happens on devices that have already blocked mtk-su access. So implementing it would only kick the can down the road and probably lead to a "This firmware cannot be supported" message (see above). If your device has Android 10+ or a security patch level at 03-2020 or higher, or if your firmware is newer than the last compatible version in post 4, there is no need to report this error.
Will this work on my phone?
Yes, it will work on your phone, unless it doesn't. But to be serious, there is no point in asking this question. If you have the device in hand, it is much quicker to just try out the above procedure than to wait for a response. You are usually the best person to answer that question. If your device is listed among the confirmed models or, to a lesser extent, your chipset is supported, that's a good indication that mtk-su will succeed, but that is not guaranteed. You should report your success or failure in this thread, along with the requested materials if it fails.
Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
- It has already been answered in the FAQ or multiple times in the thread.
- Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
- Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
It may be that selinux is still being enforced. Having root with selinux enabled somehow ends up being more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.
Will this work on an MT65xx or MT8127?
There is no support for most 32-bit chips. But there may be a couple where it's possible.
Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader.
I ran mtk-su successfully, but my apps still don't have root permissions.
Mtk-su does not give apps root permissions. It is not a permanent root solution in and of itself. It opens a command shell that has root and administrative capabilities within the context of that shell. It's up to you what you want to do with it. But also, there is a way to load Magisk using this tool without the need to unlock your bootloader. Just follow this guide.
How does this tool work?
It overwrites the process credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, the tool involves making use of the vulnerability known as CVE-2020-0069.
Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.
- Thank you to everyone who has tested and provided feedback to help me add support for the large variety of MTK-based devices out there. There are simply too many people to list.
- MediaTek, Inc., who leave holes and backdoors in their OS to make software like this possible :good:
- Thank you to everyone who has donated. You're the best!
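A defender-side triage of the exposure criteria given in this post (the listed chipset families, and Android 10+ or a security patch level of 03-2020 or higher as the cut-off), as an added example that is not part of the original post or of mtk-su. The getprop dump is constructed sample data, and the chipset regex, verdict labels and function names are assumptions; the verdict is a heuristic, since the post notes that a listed chipset is not a guarantee either way.

```python
import re
from datetime import date

# Chipset families named in the post (MT8183: "some versions" per the changelog).
AFFECTED_SOC = re.compile(r"mt(67\d{2}|816\d|817\d|6580|8183)", re.I)
PATCH_CUTOFF = date(2020, 3, 1)   # "security patch level at 03-2020 or higher"
ANDROID_10_SDK = 29               # Android 10 is API level 29
GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_DUMP = """\
[ro.board.platform]: [mt8163]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2019-01-01]
"""

def parse_getprop(dump):
    """Parse getprop output ("[key]: [value]" lines) into a dict."""
    props = {}
    for line in dump.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def triage(props):
    """Return (verdict, reason) for one device's properties."""
    soc = props.get("ro.board.platform") or props.get("ro.hardware", "")
    if not AFFECTED_SOC.search(soc):
        return "not-listed", "chipset %r is not in the listed families" % (soc or "unknown")
    sdk = props.get("ro.build.version.sdk", "")
    if sdk.isdigit() and int(sdk) >= ANDROID_10_SDK:
        return "likely-blocked", "SDK %s is Android 10 or later" % sdk
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "needs-review", "listed chipset, patch level missing or malformed"
    if patch >= PATCH_CUTOFF:
        return "likely-blocked", "patch level %s is 2020-03 or later" % patch
    return "likely-exposed", "%s with patch level %s, before 2020-03" % (soc, patch)

if __name__ == "__main__":
    print(triage(parse_getprop(SAMPLE_DUMP)))
```

Devices that come back as likely-exposed or needs-review are the ones to prioritise for a firmware update or closer inspection.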