Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

McAAA

Temporary root by [email protected]
Home URL:
--------------------------------------------------


armv8l machine
Temporary root by [email protected]
Home URL:
--------------------------------------------------


Failed critical init step 1
Returned 1
 

dedetok

It works on the Evercoss Genpro X Pro S50 MT6735, Android 7.0 (NO ROOT), firmware source http://evercoss.com/img/software/EVERCOSS_S50_7_0_021_P1_180314_OE_CPB.zip

EVERCOSS_S50:/ $ cd /data/local/tmp
EVERCOSS_S50:/data/local/tmp $ ./mtk-su -v
armv7l machine
param1: 0x1000, param2: 0x8040, type: 4
Building symbol table
kallsyms_addresses pa 0x40bc2460
kallsyms_num_syms 54191, addr_count 54191
kallsyms_names pa 0x40bf7330, size 646794
kallsyms_markers pa 0x40c951c0
kallsyms_token_table pa 0x40c95510
kallsyms_token_index pa 0x40c95890
Patching credentials
Parsing current_is_single_threaded
c0362760: MOVW R0, #0x8d50
c0362764: MOVT R0, #0xc102
Possible list_head tasks at offset 0x290
comm swapper/0 at offset 0x400
Found own task_struct at node 1
cred VA: 0xc667e500
init_task VA: 0xc1028d50
Parsing avc_denied
c0aeca70: MOVW R12, #0x1278
c0aeca74: MOVT R12, #0xc113
selinux_enforcing VA: 0xc1131278
Setting selinux_enforcing
Selinux is already permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
EVERCOSS_S50:/data/local/tmp #
EVERCOSS_S50:/system/etc # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:shell:s0

I need to remove the bloatware com.android.sc, but it fails.
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc -> bloatware Android/Trojan.Syringe.AD (System Application)
EVERCOSS_S50:/data/local/tmp # pm uninstall com.android.sc
Failure [DELETE_FAILED_INTERNAL_ERROR]

It succeeds when using -k --user 0
EVERCOSS_S50:/data/local/tmp # pm uninstall -k --user 0 com.android.sc
Success

It still exists when I query list package
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc -> bloatware Android/Trojan.Syringe.AD (System Application)

After I reboot the device, com.android.sc reinstalls itself.
Any suggestions?

Thank you
Sincerely, Dedetok
 

Supermatt01

If you have a locked bootloader, it likely won't allow you to edit system files. Trying to freeze the app may be more successful if you use TB.
I succeeded in rooting my Philips E518, and used the dd command to get full Magisk support. HOW AMAZING!
What do you mean by DD command to get full Magisk support? I have a hated OPPO phone that I'm getting really close to wanting to replace anyway. I might be game for some hacking attempts. (The warranty is already expired and they still won't help me unlock the bootloader.)
 

diplomatic

Try "pm disable..." or "pm hide...". You can't rightly uninstall system packages because the system partition is read-only. Disabling has practically the same effect as uninstalling.
 

DragonFire1024

Code:
adb shell pm uninstall --user 0 com.package.name
That's pretty much the same as disabling the packages. If it doesn't work, add -k just before the package name and try again. On some devices you will not be able to re-enable these packages unless you do a factory reset. On some devices you can navigate to where the application is in the system and tap on it and reinstall it that way.
 

CXZa

Now that we have root access we can also remove/edit the app entry in /data/system/users/0/package-restrictions.xml file and then reboot...
 

dedetok

In the /data/system/users/0/package-restrictions.xml file, at line 286, I found
<pkg name="com.android.sc" ceDataInode="418206" />

I removed it and restarted. After ./mtk-su -v,
# pm uninstall -k --user 0 com.android.sc
Success
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc

But com.android.sc still exists. What does <pkg name="com.android.sc" ceDataInode="418206" /> mean?

Thank you
dedetok
 
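Added example, not part of the thread: a small shell helper that decodes what a `<pkg>` entry in package-restrictions.xml says about one package for that user. It assumes the text XML format shown in the post, and that the attributes `inst` and `enabled` default to installed and default-enabled when absent; the sample file is constructed, apart from the com.android.sc line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): decode one <pkg> entry of package-restrictions.xml.
# Assumption: attributes that are absent take the framework defaults,
# inst="true" and enabled="0" (COMPONENT_ENABLED_STATE_DEFAULT).

# attr LINE NAME DEFAULT -> value of NAME="..." on LINE, or DEFAULT when absent
attr() {
  v=$(printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p")
  printf '%s' "${v:-$3}"
}

# pkg_state FILE PACKAGE -> per-user state recorded in FILE for PACKAGE
pkg_state() {
  # Match the closing quote too, so com.android.sc does not also hit com.android.screenrecord
  line=$(grep -F "<pkg name=\"$2\"" "$1" | head -n 1)
  if [ -z "$line" ]; then echo "no-entry"; return 0; fi
  echo "installed=$(attr "$line" inst true) enabled=$(attr "$line" enabled 0)"
}

# write_sample FILE: constructed sample; only the first <pkg> line comes from the thread
write_sample() {
  cat > "$1" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<package-restrictions>
    <pkg name="com.android.sc" ceDataInode="418206" />
    <pkg name="com.example.removed" ceDataInode="0" inst="false" />
    <pkg name="com.example.disabled" ceDataInode="12" enabled="3" enabledCaller="shell:0" />
</package-restrictions>
EOF
}

f=$(mktemp) && write_sample "$f"
for p in com.android.sc com.example.removed com.example.disabled com.android.screenrecord; do
  echo "$p: $(pkg_state "$f" "$p")"
done
rm -f "$f"
```

Under that assumption, an entry carrying only name and ceDataInode records no restriction at all, so deleting it changes nothing. The exact-name match also avoids the prefix hit on com.android.screenrecord seen in the pm list output.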

Patulong69

Temporary root by [email protected]
Home URL:
--------------------------------------------------


Temporary root by [email protected]
Home URL:
--------------------------------------------------


Failed critical init step 1
exit: 1
 

HemanthJabalpuri

@diplomatic
I am doing some small experiments with MEmu emulator by rooting with Magisk. For this I am referencing your Magisk solution and this

I am getting 'Bad /sbin mount?' error.
I am confused by the code below.
Code:
# Create tmpfs /sbin overlay
# This may crash on system-as-root with no /root directory
./magisk -c >&2

touch /sbin/.init-stamp

if [ ! -f /sbin/magiskinit ] || [ ! -f /sbin/magisk ]; then
  echo "Bad /sbin mount?" >&2
  setenforce 1
  exit 1
fi
Since magisk -c only displays the version, right?
How will /sbin/magiskinit or /sbin/magisk be created with magisk -c?

Also, the only thing that I found different in emulator.sh is
Code:
$BINDIR/magisk --daemon
instead of
Code:
magisk --post-fs-data
sleep 1		# hack to prevent race with later service calls
magisk --service
magisk --boot-complete
What is the difference between these two?

emulator.sh is working fine to set Magisk for granting su permission to apps.

Thanks
 

diplomatic

OK, that's a good question. The line "./magisk -c >&2" actually calls magiskinit using its magisk applet, not the magisk executable. This is a little undocumented feature I found in Magisk's code that came in very handy for this solution. You can see it at work here: running magiskinit renamed to magisk calls the magisk_proxy_main() function, which calls MagiskProxy::start(). That does most of the work of setting up the directory tree and extracting magisk, etc, and finally calling the real magisk with the -c parameter. So I don't see a reason you have to replicate all those steps manually in the script if the native magisk code does them for you automatically...

Well, the official position is that starting Magisk at runtime this way only supports the core mode. Magisk modules are never started with 'magisk --daemon'. My 3 calls make at least some effort of running module boot-up scripts. Even though a lot of modules do not work this late in the game, many of them function just fine....

- D
 

HemanthJabalpuri


diplomatic

@HemanthJabalpuri, have you made the link magisk to the file magiskinit? Have you noticed the part that runs before the SU_MINISCRIPT block?
Code:
    cp $SRCDIR/bin/magiskinit ./
    chmod 700 magiskinit

    ln -fs magiskinit magiskpolicy
    ln -fs magiskinit magisk
If you have, what are the contents of /sbin after running ./magisk?

- D
 

HemanthJabalpuri

@diplomatic
Before asking you about my magisk -c doubt, I had made a mistake in your script.

I replaced the symlinking line with magiskinit -x magisk magisk. I thought it would work the same as a symlink, but that is not the case.

Now it is working fine with symlinking.

Thanks for the great work.

Edit:- My final script to Root MEmu with Magisk is attached below.
 

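Added example, not part of the thread and not Magisk code: a toy multi-call launcher that models the behaviour diplomatic describes (the proxy path runs only when the binary is invoked under the name magisk) and shows why extracting with -x, as in the last post, leaves the "Bad /sbin mount?" check failing. The names toyinit and TOY_SBIN are hypothetical.

```shell
#!/bin/sh
# Toy model only: "toyinit" stands in for a multi-call binary; nothing here is Magisk code.

# build_demo DIR: write a launcher that picks its applet from the name it was invoked by
build_demo() {
  mkdir -p "$1"
  cat > "$1/toyinit" <<'EOF'
#!/bin/sh
case "$(basename "$0")" in
  magisk)   # reached via the symlink: the proxy applet populates the target dir first
    mkdir -p "$TOY_SBIN" && touch "$TOY_SBIN/magiskinit" "$TOY_SBIN/magisk"
    echo "proxy: populated $TOY_SBIN, then ran payload with $*" ;;
  *)        # invoked under its own name
    if [ "$1" = "-x" ]; then   # -x NAME OUT: write the payload file and nothing else
      printf '#!/bin/sh\necho "payload: prints version only"\n' > "$3"
      chmod 700 "$3"
    else
      echo "init applet"
    fi ;;
esac
EOF
  chmod 700 "$1/toyinit"
}

# sbin_ok DIR: the same two-file test the quoted script makes before "Bad /sbin mount?"
sbin_ok() { [ -f "$1/magiskinit" ] && [ -f "$1/magisk" ]; }

# run_symlink WORKDIR: ln -fs toyinit magisk, then ./magisk -c
run_symlink() {
  ( cd "$1" && rm -f magisk && ln -fs toyinit magisk &&
    TOY_SBIN="$1/sbin_link" ./magisk -c >/dev/null ) && sbin_ok "$1/sbin_link"
}

# run_extract WORKDIR: toyinit -x magisk magisk, then ./magisk -c
run_extract() {
  ( cd "$1" && rm -f magisk && ./toyinit -x magisk magisk &&
    TOY_SBIN="$1/sbin_x" ./magisk -c >/dev/null ) && sbin_ok "$1/sbin_x"
}

d=$(mktemp -d) && build_demo "$d"
if run_symlink "$d"; then echo "symlink: check passes"; else echo "symlink: Bad /sbin mount?"; fi
if run_extract "$d"; then echo "extract: check passes"; else echo "extract: Bad /sbin mount?"; fi
rm -rf "$d"
```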