Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

McAAA · Dec 26, 2020 1 1 11

Temporary root by [email protected]
Home URL:

Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

Software root method for MediaTek MT67xx, MT816x, and MT817x! So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I...

forum.xda-developers.com

--------------------------------------------------

armv8l machine
Temporary root by [email protected]
Home URL:

Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

Software root method for MediaTek MT67xx, MT816x, and MT817x! So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I...

forum.xda-developers.com

--------------------------------------------------

Failed critical init step 1
Returned 1

dedetok · Dec 29, 2020

It is work on Evercoss Genpro X Pro S50 MT6735 android 7.0 (NO ROOT) firmware source http://evercoss.com/img/software/EVERCOSS_S50_7_0_021_P1_180314_OE_CPB.zip

EVERCOSS_S50:/ $ cd /data/local/tmp
EVERCOSS_S50:/data/local/tmp $ ./mtk-su -v
armv7l machine
param1: 0x1000, param2: 0x8040, type: 4
Building symbol table
kallsyms_addresses pa 0x40bc2460
kallsyms_num_syms 54191, addr_count 54191
kallsyms_names pa 0x40bf7330, size 646794
kallsyms_markers pa 0x40c951c0
kallsyms_token_table pa 0x40c95510
kallsyms_token_index pa 0x40c95890
Patching credentials
Parsing current_is_single_threaded
c0362760: MOVW R0, #0x8d50
c0362764: MOVT R0, #0xc102
Possible list_head tasks at offset 0x290
comm swapper/0 at offset 0x400
Found own task_struct at node 1
cred VA: 0xc667e500
init_task VA: 0xc1028d50
Parsing avc_denied
c0aeca70: MOVW R12, #0x1278
c0aeca74: MOVT R12, #0xc113
selinux_enforcing VA: 0xc1131278
Setting selinux_enforcing
Selinux is already permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
EVERCOSS_S50:/data/local/tmp #
EVERCOSS_S50:/system/etc # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:shell:s0

I need to remove bloatware com.android.sc , but fail.
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc -> bloatware Android/Trojan.Syringe.AD (System Application)
EVERCOSS_S50:/data/local/tmp # pm uninstall com.android.sc
Failure [DELETE_FAILED_INTERNAL_ERROR]

success when using -k --user 0
EVERCOSS_S50:/data/local/tmp # pm uninstall -k --user 0 com.android.sc
Success

It still exists when I query list package
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc -> bloatware Android/Trojan.Syringe.AD (System Application)

After I reboot the device, com.android.sc will installed its self.
Any suggestion?

Thank you
Sincerey, Dedetok

Supermatt01 · Dec 28, 2020 at 7:38 AM

dedetok said:
It is work on Evercoss Genpro X Pro S50 MT6735 android 7.0 (NO ROOT) firmware source http://evercoss.com/img/software/EVERCOSS_S50_7_0_021_P1_180314_OE_CPB.zip

EVERCOSS_S50:/ $ cd /data/local/tmp
EVERCOSS_S50:/data/local/tmp $ ./mtk-su -v
armv7l machine
param1: 0x1000, param2: 0x8040, type: 4
Building symbol table
kallsyms_addresses pa 0x40bc2460
kallsyms_num_syms 54191, addr_count 54191
kallsyms_names pa 0x40bf7330, size 646794
kallsyms_markers pa 0x40c951c0
kallsyms_token_table pa 0x40c95510
kallsyms_token_index pa 0x40c95890
Patching credentials
Parsing current_is_single_threaded
c0362760: MOVW R0, #0x8d50
c0362764: MOVT R0, #0xc102
Possible list_head tasks at offset 0x290
comm swapper/0 at offset 0x400
Found own task_struct at node 1
cred VA: 0xc667e500
init_task VA: 0xc1028d50
Parsing avc_denied
c0aeca70: MOVW R12, #0x1278
c0aeca74: MOVT R12, #0xc113
selinux_enforcing VA: 0xc1131278
Setting selinux_enforcing
Selinux is already permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
EVERCOSS_S50:/data/local/tmp #

I need to remove bloatware com.android.sc , but fail.
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc -> bloatware Android/Trojan.Syringe.AD (System Application)
EVERCOSS_S50:/data/local/tmp # pm uninstall com.android.sc
Failure [DELETE_FAILED_INTERNAL_ERROR]

success when using -k --user 0
EVERCOSS_S50:/data/local/tmp # pm uninstall -k --user 0 com.android.sc
Success

It still exists when I query list package
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc -> bloatware Android/Trojan.Syringe.AD (System Application)

After I reboot the device, com.android.sc will installed its self.
Any suggestion?

Thank you
Sincerey, Dedetok

If you have a locked bootloader, it likely won't allow you to edit system files. Trying to freeze the app may be more successful if you use TB.

texsd123 said:
i succeeded in rooting my philips e518, and used dd command to get full magisk support. HOW AMAZING!

What do you mean by DD command to get full Magisk support? I have a hated OPPO phone that in getting really cost wanting to replace anyway. I might be game for some hacking attempts. (The warranty is already expired and they still won't help me unlock the bootloader.)

diplomatic · Dec 30, 2020 at 10:56 PM

dedetok said:
I need to remove bloatware com.android.sc , but fail.
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc -> bloatware Android/Trojan.Syringe.AD (System Application)
EVERCOSS_S50:/data/local/tmp # pm uninstall com.android.sc
Failure [DELETE_FAILED_INTERNAL_ERROR]

success when using -k --user 0
EVERCOSS_S50:/data/local/tmp # pm uninstall -k --user 0 com.android.sc
Success

It still exists when I query list package
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc -> bloatware Android/Trojan.Syringe.AD (System Application)

After I reboot the device, com.android.sc will installed its self.
Any suggestion?

Try "pm disable..." or "pm hide...". You can't rightly uninstall system packages because the system partition is read-only. Disabling has practically the same effect as uninstalling.

DragonFire1024 · Dec 31, 2020 at 3:04 AM

diplomatic said:
Try "pm disable..." or "pm hide...". You can't rightly uninstall system packages because the system partition is read-only. Disabling has practically the same effect as uninstalling.

Code:

adb shell pm uninstall --user 0 com.package.name

That's pretty much the same as disabling the packages. If it doesn't work add -k just before the package name and try again. on some devices you will not be able to reenable these packages unless you do a factory reset. On some devices you can navigate to where the application is in the system and tap on it and reinstall it that way.

CXZa · Dec 31, 2020 at 7:36 AM

DragonFire1024 said:
on some devices you will not be able to reenable these packages unless you do a factory reset. On some devices you can navigate to where the application is in the system and tap on it and reinstall it that way.

Now that we have root access we can also remove/edit the app entry in /data/system/users/0/package-restrictions.xml file and then reboot...

dedetok · Jan 5, 2021 at 7:30 AM

CXZa said:
Now that we have root access we can also remove/edit the app entry in /data/system/users/0/package-restrictions.xml file and then reboot...

in /data/system/users/0/package-restrictions.xml file, at line 286 I found
<pkg name="com.android.sc" ceDataInode="418206" />

I remove it and restart. After ./mtk-su -v,
# pm uninstall -k --user 0 com.android.sc
Success
EVERCOSS_S50:/data/local/tmp # pm list package com.android.sc
package:com.android.screenrecord
package:com.android.sc

But com.android.sc still exist. What does <pkg name="com.android.sc" ceDataInode="418206" /> mean?

Thank you
dedetok

Patulong69 · Jan 6, 2021 2 0 11

Temporary root by [email protected]
Home URL:

Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

Software root method for MediaTek MT67xx, MT816x, and MT817x! So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I...

forum.xda-developers.com

--------------------------------------------------

Temporary root by [email protected]
Home URL:

Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

Software root method for MediaTek MT67xx, MT816x, and MT817x! So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I...

forum.xda-developers.com

--------------------------------------------------

Failed critical init step 1
exit: 1

VD171 · Jan 10, 2021 at 3:09 PM

Working perfectly on:
- Lenovo C2 Vibe (k10a40) (MT6735P).
- LG K10 Novo (M250DS) (MT6750).

NOT working on:
- Motorola Moto E6s (XT2053-2) (MT6762).

Thank you very much

NULLER09 · Jan 12, 2021 1 0 11

SElinux_enforcing not found, what's happen?

Yassen Elkadi · Jan 13, 2021 2 0 11

Is there a solution to this

problem

CXZa · Jan 14, 2021 at 6:13 PM

Yassen Elkadi said:
Is there a solution to this problem

Wrong forum to ask such...

Imperial X12 · Jan 14, 2021 1 0 11

Plz root opportunity A5s v.A44

Tech0308 · Jan 16, 2021 at 1:16 AM

Thanks! Rooted with magisk MT6735 (Huawei Y6ii Compact(LYO-L01))

jhayza09 · Jan 16, 2021 at 5:12 AM

Thanks

HemanthJabalpuri · Jan 16, 2021

@diplomatic
I am doing some small experiments with MEmu emulator by rooting with Magisk. For this I am referencing your Magisk solution and this

I am getting 'Bad /sbin mount?' error.
I am confused with below code.

Code:

# Create tmpfs /sbin overlay
# This may crash on system-as-root with no /root directory
./magisk -c >&2

touch /sbin/.init-stamp

if [ ! -f /sbin/magiskinit ] || [ ! -f /sbin/magisk ]; then
  echo "Bad /sbin mount?" >&2
  setenforce 1
  exit 1
fi

Since magisk -c only displays version right?
How /sbin/magiskinit or /sbin/magisk will be created with magisk -c?

Also, only thing that I found different with emulator.sh is

Code:

$BINDIR/magisk --daemon

instead of

Code:

magisk --post-fs-data
sleep 1		# hack to prevent race with later service calls
magisk --service
magisk --boot-complete

What is the difference between these two?

emulator.sh is working fine to set Magisk for granting su permission to apps.

Thanks

diplomatic · Jan 19, 2021 at 10:43 AM

HemanthJabalpuri said:
@diplomatic
I am doing some small experiments with MEmu emulator by rooting with Magisk. For this I am referencing your Magisk solution and this

I am getting 'Bad /sbin mount?' error.
I am confused with below code.

Code:

# Create tmpfs /sbin overlay # This may crash on system-as-root with no /root directory ./magisk -c >&2 touch /sbin/.init-stamp if [ ! -f /sbin/magiskinit ] || [ ! -f /sbin/magisk ]; then echo "Bad /sbin mount?" >&2 setenforce 1 exit 1 fi

Since magisk -c only displays version right?
How /sbin/magiskinit or /sbin/magisk will be created with magisk -c?

OK, that's a good question. The line "./magisk -c >&2" actually calls magiskinit using its magisk applet, not the magisk executable. This is a little undocumented feature I found in Magisk's code that came in very handy for this solution. You can see it at work here: running magiskinit renamed to magisk calls the magisk_proxy_main() function, which calls MagiskProxy::start(). That does most of the work of setting up the directory tree and extracting magisk, etc, and finally calling the real magisk with the -c parameter. So I don't see a reason you have to replicate all those steps manually in the script if the native magisk code does them for you automatically...

HemanthJabalpuri said:
Also, only thing that I found different with emulator.sh is

Code:

$BINDIR/magisk --daemon

instead of

Code:

magisk --post-fs-data sleep 1 # hack to prevent race with later service calls magisk --service magisk --boot-complete

What is the difference between these two?

emulator.sh is working fine to set Magisk for granting su permission to apps.

Thanks

Well, the official position is that starting Magisk at runtime this way only the supports the core mode. Magisk modules are never started with 'magisk --daemon'. My 3 calls make at least some effort of running module boot-up scripts. Even though a lot of modules do not work this late in the game, many of them function just fine....

- D

HemanthJabalpuri · Jan 19, 2021

@diplomatic
Thanks for answering. I am waiting for your answer.

But what about my Bad /sbin mount? error in my case? When I use your script to setup Magisk in MEmu emulator, I am getting this error. But emulator.sh from Magisk repo https://github.com/topjohnwu/Magisk/blob/v21.2/scripts/emulator.sh is working fine for granting Superuser permission to apps.

Thanks again.

diplomatic · Jan 20, 2021 at 6:55 AM

@HemanthJabalpuri, have you made the link magisk to the file magiskinit? Have you noticed the part that runs before the SU_MINISCRIPT block?

Code:

    cp $SRCDIR/bin/magiskinit ./
    chmod 700 magiskinit

    ln -fs magiskinit magiskpolicy
    ln -fs magiskinit magisk

If you have, what are the contents of /sbin after running ./magisk?

- D

HemanthJabalpuri · Jan 21, 2021

@diplomatic
Before asking you about magisk -c doubt, I made a mistake in your script.

I replaced symlinking line with magiskinit -x magisk magisk. I thought it will work same as symlink. But it is not the case.

Now it is working fine with symlinking.

Thanks for the great work.

Edit:- My final script to Root MEmu with Magisk is attached below.

Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

New member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

New member

Senior Member

New member

New member

Senior Member

New member

Senior Member

New member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Attachments