• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

Search This thread

Pippoloness

Member
Jun 24, 2021
12
0
Puoi utilizzare un'app di informazioni di sistema per cercare il livello API del telefono , nonché la piattaforma o l' hardware (ovvero la proprietà ro.board.platform)? Potrebbe essere qualcosa come mt65xx o mt67xx. Questo non è direttamente correlato a mtk-su, ma farebbe luce sul mistero.

Per installare root, devi sbloccare il bootloader e correggere l'immagine di avvio con Magisk. È necessario ottenere una copia del firmware da qualche parte o estrarla dal telefono con SP Flash Tool. Ecco una guida su come installare Magisk.
example app?
 

Pippoloness

Member
Jun 24, 2021
12
0
@Pippoloness, è strano, non sapevo di parlare italiano. :)

Usa qualsiasi app per le informazioni sul dispositivo dal Play Store. Hai citato CPU-Z. Probabilmente funzionerà. Un altro esempio: https://play.google.com/store/apps/details?id=com.ytheekshana.deviceinfo

@Pippoloness, è strano, non sapevo di parlare italiano. :)

Usa qualsiasi app per le informazioni sul dispositivo dal Play Store. Hai citato CPU-Z. Probabilmente funzionerà. Un altro esempio:https://play.google.com/store/apps/details?id=com.ytheekshana.deviceinfo
The information are:
I have Android Q 10.0, Model: i12Pro (Mtk6889_project), Hardware: Mtk6889 (32 bit), SeLinux Kernel 3.10.65, Language: Italiano, OpenGL ES: 2.0, ARMv7 rev. 5 (v7I) Cpu: 10 x 1,30 , Gpu: Mali-400 MP Arm (OpenGL ES 2.0) , Level API: 23 october 5 2015
Level patch securety: 5 march 2017, bootloader: unknown , Productor: Welcome, Google Play Services: 21.24.18, Architecture: 10x Arm Cortex-A7 @ 1,30 Ghz) rev. r0p5, with command adb getprop ro.board.platform i get: sc8830 , with command adb shell getprop ro.build.version.release i getprop this: 6.0
Grazie
 
Last edited:

diplomatic

Senior Member
Mar 12, 2017
1,410
1,872
The information are:
I have Android Q 10.0, Model: i12Pro (Mtk6889_project), Hardware: Mtk6889 (32 bit), SeLinux Kernel 3.10.65, Language: Italiano, OpenGL ES: 2.0, ARMv7 rev. 5 (v7I) Cpu: 10 x 1,30 , Gpu: Mali-400 MP Arm (OpenGL ES 2.0) , Level API: 23 october 5 2015
Level patch securety: 5 march 2017, bootloader: unknown , Productor: Welcome, Google Play Services: 21.24.18, Architecture: 10x Arm Cortex-A7 @ 1,30 Ghz) rev. r0p5, with command adb getprop ro.board.platform i get: sc8830 , with command adb shell getprop ro.build.version.release i getprop this: 6.0
Grazie

OK, thanks, that's very enlightening. Unfortunately, your phone is not exactly what it seems. The manufacturer and/or seller has lied to you about its features, as I suspected. The main specs have been wildly inflated in the firmware. For example, the real OS version is Android 6.0, not 10.0, according to the API level (23). (ro.build.version.release confirms this too.) The chip is actually a Unisoc/Spreadtrum sc8830 (from ro.board.platform), an older quad-core 32-bit chip with 3G. So it's not even a Mediatek at all, much less an mt6889. (Another distortion is the number of cores, which is really 4, not 10).

So there is not much more I can tell you about rooting it. You should do your own research. I came across a guide on the Hovatek forum, called "How to unlock Unisoc (SPD) bootloader using Identifier Token". I don't think I can post a link to it, but you can't miss it if you Google it. That might be a good place to start. Hope that helps. Good luck....
 

Pippoloness

Member
Jun 24, 2021
12
0
OK, thanks, that's very enlightening. Unfortunately, your phone is not exactly what it seems. The manufacturer and/or seller has lied to you about its features, as I suspected. The main specs have been wildly inflated in the firmware. For example, the real OS version is Android 6.0, not 10.0, according to the API level (23). (ro.build.version.release confirms this too.) The chip is actually a Unisoc/Spreadtrum sc8830 (from ro.board.platform), an older quad-core 32-bit chip with 3G. So it's not even a Mediatek at all, much less an mt6889. (Another distortion is the number of cores, which is really 4, not 10).

So there is not much more I can tell you about rooting it. You should do your own research. I came across a guide on the Hovatek forum, called "How to unlock Unisoc (SPD) bootloader using Identifier Token". I don't think I can post a link to it, but you can't miss it if you Google it. That might be a good place to start. Hope that helps. Good luck....
the strange thing is that both on cpu-z and device-info, it shows me 4 processors, other times it shows me 10, it could be that it is blocked and therefore it should be foul? Thanks
 

Pippoloness

Member
Jun 24, 2021
12
0
@Pippoloness, yes, the real amount of cores is 4, as that is the spec of sc8830. (I'm guessing by 'foul' you mean fake?) I don't know how they altered that info, but it's definitely not 10. Here, I found this app that gives you the real details about a fake device: https://play.google.com/store/apps/details?id=mark.fakedevicetest . Unfortunately, these scam phones from China are all too common these days...
sometimes he physically shows me 10, then 4, then 10 and so on
 

Paul_Neocube

Member
Aug 7, 2021
28
6
Android Wear
Moto G 5G
root-all-the-things.jpg


Software root method for MediaTek MT67xx, MT816x, and MT817x!

So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I created, MTK-SU, was originally aimed at helping Amazon Fire HD owners to easily root and unlock their tablets. (Without it, most models need a hardware mod to achieve root & unlock. This tool made rooting accessible to many times the number of owners. It also made possible to root the Fire TV gen 2.) But funny story: this method actually works on virtually all of MediaTek's 64-bit chips. Many devices of various vendors have already been confirmed.

So in case it's not clear, what mtk-su does is give you a root shell to do with as you please. It's like running 'su', but without the need to have su installed. That may be a holy grail for locked devices. On some devices, it may be possible to install a root manager for permanent root using mtk-su as a springboard.

The original thread is here: Rapid Temporary Root for HD 8 & HD 10. It's a great resource for info. But please avoid posting there about non-Amazon devices. This new thread is a catchall topic for other devices and vendors.

DISCLAIMER

Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software. There is a nonzero chance of any of these events happening as a result of using the tools or methods here.

REQUIREMENTS

Mastery of the Thanks button under XDA posts
A phone or tablet based on Mediatek MT67xx, MT816x, MT817x or MT6580 chipsets
Either:
  • A PC with ADB installed to interact with your device, or
  • A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands
You agree to post the model name of any unconfirmed device which ran mtk-su successfully

INSTRUCTIONS FOR ADB

  1. Make sure you meet all the requirements listed above, especially the first and last ones.
  2. Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
    arm64: 64-bit kernel and userspace
    arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
  3. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
    adb push path/to/mtk-su /data/local/tmp/
  4. Open an adb shell
    adb shell
  5. Change to your tmp directory
    cd /data/local/tmp
  6. Add executable permissions to the binary
    chmod 755 mtk-su
  7. At this point keep your device screen on and don't let it go to sleep. Run the command
    ./mtk-su
    It should only take a second or two. If the program gets stuck for more than a few seconds and your device is awake, press Ctrl+C to close it.
    The -v option turns on verbose printing, which is necessary for me to debug any problems.
    The output of ./mtk-su -v is similar to this:
    Code:
    $ ./mtk-su -v
    param1: 0x3000, param2: 0x18040, type: 2
    Building symbol table
    kallsyms_addresses pa 0x40bdd500
    kallsyms_num_syms 70337, addr_count 70337
    kallsyms_names pa 0x40c66d00, size 862960
    kallsyms_markers pa 0x40d39800
    kallsyms_token_table pa 0x40d3a100
    kallsyms_token_index pa 0x40d3a500
    Patching credentials
    Parsing current_is_single_threaded
    ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
    ffffffc000354868+54: ADD xd, x0, 2592
    init_task VA: 0xffffffc000fa2a20
    Potential list_head tasks at offset 0x340
    comm swapper/0 at offset 0x5c0
    Found own task_struct at node 1
    cred VA: 0xffffffc0358ac0c0
    Parsing avc_denied
    ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
    ffffffc0002f13bc+28: LDR [x0, 404]
    selinux_enforcing VA: 0xffffffc001113194
    Setting selinux_enforcing
    Switched selinux to permissive
    starting /system/bin/sh
    UID: 0  cap: 3fffffffff  selinux: permissive
    #
    Some other options:
    mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.​
    mtk-su -s: Prints the kernel symbol table​
    mtk-su -Z <context>: Runs shell in a new selinux context. Example: ./mtk-su -Z u:r:logd:s0
    If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here. When reporting a problem with a device, please post a link to the firmware and/or the kernel sources.

    Please post the model of any device that works with mtk-su that's not already confirmed.

    Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.

WARNING If you have a device with Android 6 or higher, it likely has dm-verity enabled. On such a device one does not simply remount the system partition as read/write. The remount command will probably fail. But if you succeed in forcing it somehow it will trigger dm-verity, which will result in a very bad day. Your device will become inoperable until you restore the stock system partition.

DOWNLOAD

Current Version
Release 23

Release 23 - August 24, 2020
  • Add support for some early Linux 3.10 tablet firmware
  • Add support for kernels with some debug features enabled

Release 22 - May 8, 2020
  • Expand kernel support
  • Enable seccomp handling for Android 8

Release 21 - March 14, 2020
  • Add support for more devices
  • Fix seccomp on 3.18 arm kernels

Release 20 - Dec 28, 2019
  • Add support for MT6580
  • Add support for some MT8183 versions
  • Fix handling of some 32-bit 4.x kernels with stack protection
  • Move to NDK build

Release 19 - October 20, 2019
  • Add -Z option for setting custom selinux context
  • Fix seccomp on armv7
  • Fix seccomp handling on late-revision 3.18 kernels
  • Improve error printing for critical failures
  • Strip supplementary groups in root shell
  • Do not spawn root shell on critical failures

Release 18 - July 29, 2019
  • Add support for kernel address space layout randomization (KASLR)
  • Change status output format

Release 17 - July 13, 2019
  • Fix missing capabilities under adb shell in Android 9.x
  • Disable seccomp in app mode of Android 9.x
  • Add support for MT6771 on Android 8.x
  • Reliability improvements

Release 16 - June 9, 2019
  • Add support for 32 & 64-bit kernels compiled with CONFIG_KALLSYMS_BASE_RELATIVE
  • Add support for MT676x on Android 7.x
  • Speedups

Release 15 - May 29, 2019
  • Run shell/command in global mount namespace -- mounting from apps is now visible to the whole system

Release 14 - May 22, 2019
  • Remove restriction for adb shell initial run on Android 8.0+
  • Add support for 32-bit kernels compiled under Android 8.0+
  • Add initial support for MT6771 on Android 9+
  • Minor bug fixes

Release 13 - May 16, 2019
  • Improve stack protection detection -- add support for some armv7-kernel 3.x phones

Release 12 - April 26, 2019
  • Unify the arm and armv7-kernel binaries into one
  • Support Linux 4.9.x
  • Improve speed and possibly reliability
  • Fix arm64 support for phones on kernel 3.10.65
  • Fix stack protection workaround for armv7 kernels
  • Update readme file

Release 11 - April 10, 2019
  • Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
  • Improve criteria for detecting strong stack protection

Release 10 - April 7, 2019
  • Fix support for the latest Oreo devices
  • Add compatibility for kernels with stack protection (Nokia phones)
  • Improve reliability
  • Initial support for 32-bit (armv7) kernels -- needs testing

Release 9 - April 1, 2019
  • Confirmed support for at least some Oreo devices
  • Fix bugs with R8

Release 8 - March 30, 2019 (REMOVED)
  • Lay the groundwork for Oreo devices
  • Improve performance
  • Improve reliability

Release 7 - March 17, 2019
  • Add/fix support for many Linux ver. ≤ 3.18.22 devices
  • Fix arm binary on Fire HD 10

Release 6 - March 13, 2019
  • Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
  • Minor bug fixes

Release 5 - March 7, 2019
  • Support kernels with CONFIG_KALLSYMS_ALL disabled
  • Improve reliability

Release 4 - March 4, 2019
  • Improve compatibility with phones
  • Support Fire TV 2 new FW
  • Minor bug fixes
  • Improve reliability

Release 3 - March 1, 2019
  • Add support for HD 10 7th gen
  • Add support for 3.10 kernel layout
  • Add possible support for MT67xx phones
  • Improve reliability

Release 2 - Feb. 27, 2019
  • Add support for HD 8 8th gen and 32-bit only user stacks

FAQ

I got the error, "This firmware cannot be supported". What's up with that?
This means that your device's firmware is not prone to the mechanism used by mtk-su. It may be a new device or it may have started from a firmware update. It will not be feasible to add root support for the current or future firmware versions. Check the last supported firmware version in post 4. If the last working FW is not listed and your device used to work with mtk-su, please report the last working version and/or your current version. In those cases, it may be possible to get mtk-su support by downgrading the firmware.

I got the error, "Firmware support not implemented". What gives?
That means that mtk-su does not recognize the type of firmware on your device. While It's technically possible to add basic detection, most of the time this error happens on devices that have already blocked mtk-su access. So implementing it would only kick the can down the road and probably lead to a, "This firmware cannot be supported" message (see above). If your device has Android 10+ or a security patch level at 03-2020 or higher, or if your firmware is newer than the last compatible version in post 4, there is no need to report this error.

Will this work on my phone?
Yes, it will work on your phone, unless it doesn't. But to be serious, there is no point in asking this question. If you have the device in hand, it is much quicker to just try out the above procedure than to wait for a response. You are usually the best person to answer that question. If your device is listed among the confirmed models or, to a lesser extent, your chipset is supported, that's a good indication that mtk-su will succeed, but that is not guaranteed. You should report your success or failure in this thread, along with the requested materials if it fails.

Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
  • It has already been answered in the FAQ or multiple times in the thread.
  • Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
  • Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled somehow ends up being more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

Will this work on an MT65xx or MT8127?
There is no support for most 32-bit chips. But there may be a couple where it's possible.

Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader.

I ran mtk-su successfully, but my apps still don't have root permissions.
Mtk-su does not give apps root permissions. It is not a permanent root solution in and of itself. It opens a command shell that has root and administrative capabilities within the context of that shell. It's up to you what you want to do with it. But also, there is a way to load Magisk using this tool without the need to unlock your bootloader. Just follow this guide.

How does this tool work?

It overwrites the process credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, the tool involves making use of the vulnerability known as CVE-2020-0069.

Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.

CREDITS

  • Thank you to everyone who has tested and provided feedback to help me add support for the large variety of MTK-based devices out there. There are simply too many people to list.
  • MediaTek, Inc., who leave holes and backdoors in their OS to make software like this possible :good:
  • Thank you to everyone who has donated. You're the best!
Yeah so of course I do not have arm or arm64 but I have armv7-A. This is the oldest and last phone out of three that I have attempted and once again I am unable to do much of anything to improve my devices. thanks nonetheless for your assistance in providing a better world for all of us Android lovers!
 
  • Like
Reactions: diplomatic

Duhjoker

Senior Member
Jul 13, 2019
204
25
no.

on most LG phones this is possible as long as its the same model and you dont flash aboot which is the bootloader.

but with mtk devices the boot chain changes as it uses a preloader for the bootchain. but thats not the reason since you wouldnt change those out any way.

the problem lies in the fact that MTK software is written MTK hardware in mind. so imho i wouldnt try it.

but you can always pay a few extra bucks to get it unlocked for any carrier but honestly i thought all phones were for years now after a certain time and most afaik are carrier unlocked out of the box.
.
 

ilya980

Member
Aug 15, 2019
36
1
I have a T-mobile TM-AC1900 wireless cellspot router. The router is made by ASUS, but re-branded to T-mobile. People figured out a way (downgrading, replacing a bootloader, patching, and re-flashing) to revert it to the stock ASUS firmware, after which the router turns back into ASUS RT-AC68U - a much better router with more capabilities. I am wondering if similar change is possible with this phone to revert it to a factory unlocked version with a stock LG firmware and remove all AT&T logos and bloatware. Will this phone accept a non-AT&T branded firmware image (not unsigned, but signed by LG) or will it only accept the AT&T-signed firmware?

In other words can I turn LG LM-X420AS into LG LM-X420QN? Would any of these firmwares work? https://lg-firmwares.com/lg-lmx420emw-firmwares/ Is this firmware publicly available? X420QN20d_00_NAO_US_OP_1107.kdz

Is there a debloater that can remove all AT&T, Amazon, Games, Google and all other crap from this phone?

For the SIM provider unlock, I see several places offer remote unlock, but I am uncomfortable with someone remotely logging into my PC. Is this unlock tool publicly available?

Thanks.
 
Last edited:

ilya980

Member
Aug 15, 2019
36
1
My phone just updated from 06/01/19 to 09/01/19 security patch. There was nothing I could do. The update message popped up a few times making phone unusable. I clicked "remind me later" a few times, but after 5 or so snoozes the phone still updated. Is there a way to stop the firmware updates? Next time it updates I will lose elevated terminal.
 

luridphantom

Senior Member
Apr 4, 2021
55
13
My phone just updated from 06/01/19 to 09/01/19 security patch. There was nothing I could do. The update message popped up a few times making phone unusable. I clicked "remind me later" a few times, but after 5 or so snoozes the phone still updated. Is there a way to stop the firmware updates? Next time it updates I will lose elevated terminal.
settings > developer options > disable automatic updates
 
  • Like
Reactions: ilya980

ilya980

Member
Aug 15, 2019
36
1
Is there any firmware (AT&T- branded or LG, or another) that can be flashed into this phone from the download mode? Is it possible to extract the OTA update pushed by AT&T and save it somewhere for recovery if needed? Where is the OTA update package saved? Are there any tools similar to Qualcomm's firehose that can be used to dump and flash partitions?
How do I put it into EDL mode?
Thanks.
 
Last edited:

M.White

New member
Jul 1, 2018
4
1
The trick works for the Huawei Y3 II (LUA-L21, C576B115, Android 5.1, EMUI 3.1 Lite) also. Thanks for your efforts @diplomatic ! (Just tried it out of desperation from not having enough internal storage place while trying to revive and reuse this old/er phone ;) )
 
  • Like
Reactions: diplomatic

Pachacouti

Senior Member
Jul 8, 2020
178
15
52
The Capital above the Lower one...
Psst... I got root, and sussed it would be wise to check your bootloder in arm64-v8a, if your bootloader is a 'user' variant... notice most newer OS after pie are all user build bootloaders compared to eng in pie?

Very relevant ;)

Magisk cant flash on a user build bootloader, so neither will this... unless already rooted of course ;)

I did wonder why all these custom roms avoid including bootloaders to run them, wiping the origional OS completely...
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    My phone just updated from 06/01/19 to 09/01/19 security patch. There was nothing I could do. The update message popped up a few times making phone unusable. I clicked "remind me later" a few times, but after 5 or so snoozes the phone still updated. Is there a way to stop the firmware updates? Next time it updates I will lose elevated terminal.
    settings > developer options > disable automatic updates
    1
    The trick works for the Huawei Y3 II (LUA-L21, C576B115, Android 5.1, EMUI 3.1 Lite) also. Thanks for your efforts @diplomatic ! (Just tried it out of desperation from not having enough internal storage place while trying to revive and reuse this old/er phone ;) )
    1
    Hello ppl. I had installed latest Magisk with this tut: https://forum.xda-developers.com/t/...rmv8-2020-08-24.3922213/page-75#post-84578549
    I can grant root to apps if needed. But I can't install any module. They simply ask me "install Magisk v20.4+"
    Is there any way to fix this?
    Device: BQ-5211 Strike

    Almost forgot... When I launch Magisk app with wifi it says "Requires Additional Setup", I press OK then my phone reboots and on next app launch i get this message again and so on... What is this?

    Looking for help
    I get this too... I magisk my bootloader hopefully to get magisk, it loads a greyed out icon on desktop showing what you posted. I CANNOT su at this point, yet magisk is installed to a bootloader, as in magisk_patched.img... so what's the point in magisking a bootloader that wont let us su until we can get online?

    I can however load the latest canary, and this problem goes away, but it then renders loading any earlier version obsolete, as well as rw created by systemrw_1.32...

    All these devs competing for the same link, offering their own links instead... it's sad when rw actually works until magisk forces that damn update that renders outr modules useless, when they worked before... even in android 10!

    Google and Apple block all...

    Hand in hand...
  • 128
    root-all-the-things.jpg


    Software root method for MediaTek MT67xx, MT816x, and MT817x!

    So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I created, MTK-SU, was originally aimed at helping Amazon Fire HD owners to easily root and unlock their tablets. (Without it, most models need a hardware mod to achieve root & unlock. This tool made rooting accessible to many times the number of owners. It also made possible to root the Fire TV gen 2.) But funny story: this method actually works on virtually all of MediaTek's 64-bit chips. Many devices of various vendors have already been confirmed.

    So in case it's not clear, what mtk-su does is give you a root shell to do with as you please. It's like running 'su', but without the need to have su installed. That may be a holy grail for locked devices. On some devices, it may be possible to install a root manager for permanent root using mtk-su as a springboard.

    The original thread is here: Rapid Temporary Root for HD 8 & HD 10. It's a great resource for info. But please avoid posting there about non-Amazon devices. This new thread is a catchall topic for other devices and vendors.

    DISCLAIMER

    Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software. There is a nonzero chance of any of these events happening as a result of using the tools or methods here.

    REQUIREMENTS

    Mastery of the Thanks button under XDA posts
    A phone or tablet based on Mediatek MT67xx, MT816x, MT817x or MT6580 chipsets
    Either:
    • A PC with ADB installed to interact with your device, or
    • A terminal emulator app
    Familiarity with ADB (if using PC) and basic Linux shell commands
    You agree to post the model name of any unconfirmed device which ran mtk-su successfully

    INSTRUCTIONS FOR ADB

    1. Make sure you meet all the requirements listed above, especially the first and last ones.
    2. Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
      arm64: 64-bit kernel and userspace
      arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
    3. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
      adb push path/to/mtk-su /data/local/tmp/
    4. Open an adb shell
      adb shell
    5. Change to your tmp directory
      cd /data/local/tmp
    6. Add executable permissions to the binary
      chmod 755 mtk-su
    7. At this point keep your device screen on and don't let it go to sleep. Run the command
      ./mtk-su
      It should only take a second or two. If the program gets stuck for more than a few seconds and your device is awake, press Ctrl+C to close it.
      The -v option turns on verbose printing, which is necessary for me to debug any problems.
      The output of ./mtk-su -v is similar to this:
      Code:
      $ ./mtk-su -v
      param1: 0x3000, param2: 0x18040, type: 2
      Building symbol table
      kallsyms_addresses pa 0x40bdd500
      kallsyms_num_syms 70337, addr_count 70337
      kallsyms_names pa 0x40c66d00, size 862960
      kallsyms_markers pa 0x40d39800
      kallsyms_token_table pa 0x40d3a100
      kallsyms_token_index pa 0x40d3a500
      Patching credentials
      Parsing current_is_single_threaded
      ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
      ffffffc000354868+54: ADD xd, x0, 2592
      init_task VA: 0xffffffc000fa2a20
      Potential list_head tasks at offset 0x340
      comm swapper/0 at offset 0x5c0
      Found own task_struct at node 1
      cred VA: 0xffffffc0358ac0c0
      Parsing avc_denied
      ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
      ffffffc0002f13bc+28: LDR [x0, 404]
      selinux_enforcing VA: 0xffffffc001113194
      Setting selinux_enforcing
      Switched selinux to permissive
      starting /system/bin/sh
      UID: 0  cap: 3fffffffff  selinux: permissive
      #
      Some other options:
      mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.​
      mtk-su -s: Prints the kernel symbol table​
      mtk-su -Z <context>: Runs shell in a new selinux context. Example: ./mtk-su -Z u:r:logd:s0
      If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here. When reporting a problem with a device, please post a link to the firmware and/or the kernel sources.

      Please post the model of any device that works with mtk-su that's not already confirmed.

      Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.

    WARNING If you have a device with Android 6 or higher, it likely has dm-verity enabled. On such a device one does not simply remount the system partition as read/write. The remount command will probably fail. But if you succeed in forcing it somehow it will trigger dm-verity, which will result in a very bad day. Your device will become inoperable until you restore the stock system partition.

    DOWNLOAD

    Current Version
    Release 23

    Release 23 - August 24, 2020
    • Add support for some early Linux 3.10 tablet firmware
    • Add support for kernels with some debug features enabled

    Release 22 - May 8, 2020
    • Expand kernel support
    • Enable seccomp handling for Android 8

    Release 21 - March 14, 2020
    • Add support for more devices
    • Fix seccomp on 3.18 arm kernels

    Release 20 - Dec 28, 2019
    • Add support for MT6580
    • Add support for some MT8183 versions
    • Fix handling of some 32-bit 4.x kernels with stack protection
    • Move to NDK build

    Release 19 - October 20, 2019
    • Add -Z option for setting custom selinux context
    • Fix seccomp on armv7
    • Fix seccomp handling on late-revision 3.18 kernels
    • Improve error printing for critical failures
    • Strip supplementary groups in root shell
    • Do not spawn root shell on critical failures

    Release 18 - July 29, 2019
    • Add support for kernel address space layout randomization (KASLR)
    • Change status output format

    Release 17 - July 13, 2019
    • Fix missing capabilities under adb shell in Android 9.x
    • Disable seccomp in app mode of Android 9.x
    • Add support for MT6771 on Android 8.x
    • Reliability improvements

    Release 16 - June 9, 2019
    • Add support for 32 & 64-bit kernels compiled with CONFIG_KALLSYMS_BASE_RELATIVE
    • Add support for MT676x on Android 7.x
    • Speedups

    Release 15 - May 29, 2019
    • Run shell/command in global mount namespace -- mounting from apps is now visible to the whole system

    Release 14 - May 22, 2019
    • Remove restriction for adb shell initial run on Android 8.0+
    • Add support for 32-bit kernels compiled under Android 8.0+
    • Add initial support for MT6771 on Android 9+
    • Minor bug fixes

    Release 13 - May 16, 2019
    • Improve stack protection detection -- add support for some armv7-kernel 3.x phones

    Release 12 - April 26, 2019
    • Unify the arm and armv7-kernel binaries into one
    • Support Linux 4.9.x
    • Improve speed and possibly reliability
    • Fix arm64 support for phones on kernel 3.10.65
    • Fix stack protection workaround for armv7 kernels
    • Update readme file

    Release 11 - April 10, 2019
    • Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
    • Improve criteria for detecting strong stack protection

    Release 10 - April 7, 2019
    • Fix support for the latest Oreo devices
    • Add compatibility for kernels with stack protection (Nokia phones)
    • Improve reliability
    • Initial support for 32-bit (armv7) kernels -- needs testing

    Release 9 - April 1, 2019
    • Confirmed support for at least some Oreo devices
    • Fix bugs with R8

    Release 8 - March 30, 2019 (REMOVED)
    • Lay the groundwork for Oreo devices
    • Improve performance
    • Improve reliability

    Release 7 - March 17, 2019
    • Add/fix support for many Linux ver. ≤ 3.18.22 devices
    • Fix arm binary on Fire HD 10

    Release 6 - March 13, 2019
    • Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
    • Minor bug fixes

    Release 5 - March 7, 2019
    • Support kernels with CONFIG_KALLSYMS_ALL disabled
    • Improve reliability

    Release 4 - March 4, 2019
    • Improve compatibility with phones
    • Support Fire TV 2 new FW
    • Minor bug fixes
    • Improve reliability

    Release 3 - March 1, 2019
    • Add support for HD 10 7th gen
    • Add support for 3.10 kernel layout
    • Add possible support for MT67xx phones
    • Improve reliability

    Release 2 - Feb. 27, 2019
    • Add support for HD 8 8th gen and 32-bit only user stacks

    FAQ

    I got the error, "This firmware cannot be supported". What's up with that?
    This means that your device's firmware is not prone to the mechanism used by mtk-su. It may be a new device or it may have started from a firmware update. It will not be feasible to add root support for the current or future firmware versions. Check the last supported firmware version in post 4. If the last working FW is not listed and your device used to work with mtk-su, please report the last working version and/or your current version. In those cases, it may be possible to get mtk-su support by downgrading the firmware.

    I got the error, "Firmware support not implemented". What gives?
    That means that mtk-su does not recognize the type of firmware on your device. While It's technically possible to add basic detection, most of the time this error happens on devices that have already blocked mtk-su access. So implementing it would only kick the can down the road and probably lead to a, "This firmware cannot be supported" message (see above). If your device has Android 10+ or a security patch level at 03-2020 or higher, or if your firmware is newer than the last compatible version in post 4, there is no need to report this error.

    Will this work on my phone?
    Yes, it will work on your phone, unless it doesn't. But to be serious, there is no point in asking this question. If you have the device in hand, it is much quicker to just try out the above procedure than to wait for a response. You are usually the best person to answer that question. If your device is listed among the confirmed models or, to a lesser extent, your chipset is supported, that's a good indication that mtk-su will succeed, but that is not guaranteed. You should report your success or failure in this thread, along with the requested materials if it fails.

    Why don't you reply to my post?
    I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
    • It has already been answered in the FAQ or multiple times in the thread.
    • Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
    • Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
    After getting a root shell I'm still getting 'permission denied' errors. WTH?
    It may be that selinux is still being enforced. Having root with selinux enabled somehow ends up being more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

    Will this work on an MT65xx or MT8127?
    There is no support for most 32-bit chips. But there may be a couple where it's possible.

    Does this thing unlock the bootloader?
    No, it does nothing to unlock the bootloader.

    I ran mtk-su successfully, but my apps still don't have root permissions.
    Mtk-su does not give apps root permissions. It is not a permanent root solution in and of itself. It opens a command shell that has root and administrative capabilities within the context of that shell. It's up to you what you want to do with it. But also, there is a way to load Magisk using this tool without the need to unlock your bootloader. Just follow this guide.

    How does this tool work?

    It overwrites the process credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, the tool involves making use of the vulnerability known as CVE-2020-0069.

    Can I include mtk-su in my app or meta-tool?
    Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.

    CREDITS

    • Thank you to everyone who has tested and provided feedback to help me add support for the large variety of MTK-based devices out there. There are simply too many people to list.
    • MediaTek, Inc., who leave holes and backdoors in their OS to make software like this possible :good:
    • Thank you to everyone who has donated. You're the best!
    45
    Bootless root with Magisk and MTK-SU

    This guide is obsolete. Follow the new one for support for the latest Magisk
    -----------------------------------------------------------------------------------------------------------------------------------
    Get full root with Magisk on a locked bootloader!

    A major new development in MTK rooting is here. Now you can have Magisk on locked down devices! It runs entirely from the data partition: no need to modify boot or system. Any app that wants root access can have it. All Magisk Manager features are there as well.

    Now for the not-so-fine print: Read this whole post before starting. Only use this on devices on which you can recover the firmware through an outside channel such as recovery mode, download tool, etc. It's still unclear how safe this is to run on locked devices. After launching this system, there is still significant potential to brick your device. While precautions have been taken to block modifications to the boot partition, not everything has or can be accounted for. You must anticipate when a superuser action might alter your boot or system partitions and avoid doing that command. Do not try to update Magisk through Magisk Manager's Direct Install!... Even though testing has shown that that feature will fail, it might succeed with future versions of MM or on specific devices.

    REQUIREMENTS
    Advanced skills and experience using the Thanks button
    A device compatible with mtk-su
    mtk-su R19 or higher
    Magisk not installed on device

    LIMITATIONS
    Cannot modify boot partition unless bootloader is unlocked
    Cannot modify system/vendor partitions unless boot partition is altered
    Only Magisk versions up to 18.1 are currently supported--Magisk 19.x has lost the required 'magisk --startup' functionality
    Your mileage may vary with Android 9

    INSTRUCTIONS
    1. Make sure you meet all the requirements, including the first one.
    2. Download and install the init.d scripts support app. Make sure this app gets installed on the internal storage, not the external SD. (Support the developer.)
    3. Make a folder named 'init.d' on your internal storage. Also make a 'bin' folder inside 'init.d'. Set up the init.d app up like this:
      • Try to acquire root privileges: unchecked
      • Run scripts at boot time: checked
      • Execution delay: No delay
      • Selected folder: /storage/emulated/0/init.d
      • Execute all files: unchecked
      Remember that the folder structure has to be exactly as described, unless you manually edit the path in the script. You can also, in principle, use a different app if you want, but in that case you have to edit the package name path in the script as well.
    4. Download and install the Magisk Manager apk. For Android 9, the highest version that will work is 7.1.1. The latest version should be usable for Android 8.x and lower, but 7.1.1 may be better in all cases. Make sure this app is installed on the internal storage, not external SD.
    5. In MM, go to Settings, Update Channel, Custom, and enter this URL: https://raw.githubusercontent.com/topjohnwu/magisk_files/841e978604f989d04549013cd4dcc7e34aea5288/stable.json . This will freeze the update version of Magisk at 18.1. That's necessary for MM to create the right environment for Magisk modules to work.
    6. Download the current su-boot script, unzip it, and put suboot.sh inside your /sdcard/init.d folder.
    7. Download the current mtk-su zip and put your appropriate mtk-su file in your /sdcard/init.d/bin folder.
    8. Download the Magisk 18.1 zip (not 19.x or higher). Extract the arm/magiskinit file and move it to your /sdcard/init.d/bin folder. That is the only file you will need from that zip. (Support the developer.)
    9. Now you should be ready to launch the Magisk core. Either reboot or tap 'Run scripts now'. The process will take a few seconds before telling you that 1 script has finished. If it ran successfully, last execution result will show something like this:
      Code:
      Temporary root by [email protected]
      Home URL:
      https://forum.xda-developers.com/android/development/amazing-temp-root-mediatek-armv8-t3922213
      --------------------------------------------------
      
      UID: 0  cap: 3fffffffff  selinux: permissive
      source type magisk does not exist
      Error in: allow magisk (null) (null) (null)
      client: launching new main daemon process
      That output was made by the latest mtk-su & suboot script. If you get a different result, then something may have gone wrong.
    10. At this point, you should be able to run 'su' or do a root request from an app and get a prompt.
    11. When you open Magisk Manager, it will prompt you with Requires Additional Setup. On this window, you can tap Yes. This is safe. Make sure that you have done step 5 before doing this.
    12. Turn off update checking in MM. Never try to do a direct-install Magisk Update on a locked device.

    DOWNLOAD (UPDATED 2019-12-28)
    suboot.zip

    FAQ
    My init.d app does not start at boot time
    It may be that your OS is not allowing the app to run in the background. Some OSs are too aggressive in managing background apps. Look in Settings for any background management or battery optimization or similar features, and disable them for the init.d app. The same tweak could benefit Magisk Manager.

    My Magisk modules will not load properly. What is going on?
    This method can only launch root after the init.d app starts up and runs the script. This is late in the boot cycle. Up to that point, root is not available. Unfortunately, many Magisk modules need to be loaded early in the boot process to work properly. I don't think there is much that can be done about that. (Perhaps a warm reboot would help, but that would cause problems of its own.)

    Can I modify or reimplement the suboot script and distribute it?
    Yes, absolutely. You may do whatever you want with the suboot.sh script. However, you may not distribute the mtk-su zip or binary. Instead, please ask your users to download the latest release from this thread.

    CREDITS
    Huge thanks to @mrmazak for helping me get this up and running on Android Pie
    26
    Up-to-date bootless root for Magisk 20+!
    Get full root on a locked device with the current Magisk!

    This script uses mtk-su to launch Magisk on compatible devices, including locked down ones! It runs entirely from the data partition--no need to modify the firmware. Root is available for any app that wants it.

    NEW FEATURES

    • MagiskHide & SafetyNet pass now work under Android 9
    • Modules pass minimum version check
    • Faster and more efficient loading
    • Logging works properly

    General warnings: Read this whole post before starting. Only use this on devices on which you can recover the firmware outside of Android such as recovery mode, download tool, etc. While precautions have been taken to block flashing of the boot partition, not everything has or can be accounted for. You must anticipate when a superuser action might alter your boot or system partitions and avoid doing that command. Do not try to update Magisk through Magisk Manager's Direct Install. Even though testing has shown that that feature will fail, it might succeed in some cases.

    REQUIREMENTS
    Mastery and comfort with using the Thanks button
    A device compatible with mtk-su in app mode
    Recent mtk-su from OP
    Magisk v19.4 to v21.4 only (not compatible with 22.0+)
    Magisk not installed on device

    LIMITATIONS
    Cannot modify boot partition unless bootloader is unlocked
    Cannot modify system/vendor partitions unless boot partition is altered
    Your mileage may vary with modules

    INSTRUCTIONS
    1. Make sure you meet all the requirements, including the first one.
    2. Download and install the init.d scripts support app. Make sure this app gets installed on the internal storage, not the external SD. (Support the developer.)
    3. Make a folder named 'init.d' on your internal storage. Also make a 'bin' folder inside 'init.d'. Set up the init.d app up like this:
      • Try to acquire root privileges: unchecked
      • Run scripts at boot time: checked
      • Execution delay: No delay
      • Selected folder: /storage/emulated/0/init.d
      • Execute all files: unchecked
    4. Remember that the folder structure has to be exactly as described, unless you manually edit the path in the script. You can also, in principle, use a different app if you want, but in that case you have to edit the package name path in the script as well.
    5. Download and install the latest Magisk Manager apk. Make sure this app is installed on the internal storage, not external SD.
    6. Download the current magisk-boot script, unzip it, and put magisk-boot.sh inside your /sdcard/init.d folder.
    7. Download the current mtk-su zip and put your appropriate mtk-su file in your /sdcard/init.d/bin folder.
    8. Download a Magisk zip package (19.4 to 21.4). Extract either arm/magiskinit64 or arm/magiskinit file and move/rename it to /sdcard/init.d/bin/magiskinit. (i.e. magiskinit64 should be renamed to magiskinit.) Pick one of 64-bit or 32-bit builds that corresponds to your kernel architecture. That is the only file you will need from that zip. (Support the developer.)
    9. Now you should be ready to launch the Magisk core. Either reboot or tap 'Run scripts now'. The process will take a few seconds before telling you that 1 script has finished. If it ran successfully, last execution result will show something like this:
      Code:
      Temporary root by [email protected]
      Home URL:
      https://forum.xda-developers.com/android/development/amazing-temp-root-mediatek-armv8-t3922213
      --------------------------------------------------
      /data/data/com.ryosoftware.initd/files/bin
      
      UID: 0 cap: 3fffffffff selinux: permissive
      Load policy from: /sys/fs/selinux/policy
      20.3:MAGISK (20300)
      client: launching new main daemon process
      On Android 9, you may see a 'Segmentation fault' if using v20.3+. This crash does not affect functionality. You can install v20.2 to avoid it.
      If you get a different result, then something may have gone wrong. Report problems here, except for errors about incompatible or unsupported platform.
    10. At this point, you should be able to call 'su' or do a root request from an app and get a prompt.
    11. When you open Magisk Manager, it will prompt you with Requires Additional Setup. On this window, you can tap Yes. This is safe.
    12. Never try to do a direct-install Magisk Update on a locked device. To update Magisk, do so manually. Simply download the latest Magisk package and extract its magiskinit(64) file to the init.d/bin directory.
    13. If upgrading from the old Magisk 18.x suboot method, you may need to clear your /data/adb directory in temp root shell before modules will work.

    DOWNLOAD (UPDATED 2020-04-02)
    magisk-boot.zip

    FAQ
    My init.d app does not start at boot time
    It may be that your OS is not allowing the app to run in the background. Some OSs are too aggressive in managing background apps. Look in Settings for any background management or battery optimization or similar features, and disable them for the init.d app. The same tweak could benefit Magisk Manager.

    My Magisk modules will not load properly. What is going on?
    This method can only launch root after the init.d app starts up and runs the script. This is late in the boot cycle. Up to that point, root is not available. Unfortunately, many Magisk modules need to be loaded early in the boot process to work properly. I don't think there is much that can be done about that. (Perhaps a warm reboot would help, but that would cause problems of its own.)

    Can I modify or reimplement the magisk-boot script and distribute it?
    Yes, absolutely. You may do whatever you want with magisk-boot.sh. However, you may not distribute the mtk-su zip or binary. Instead, please ask your users to download the latest release from this thread.
    23

    INSTRUCTIONS FOR TERMINAL APP

    You can optionally run mtk-su on a terminal emulator such as Terminal Emulator for Android (recommended) or Termux. The basic idea is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
    1. Make sure you meet all the requirements from the first post, especially the first and last ones.
    2. Download the current mtk_su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
    3. Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
      General idea: cp path/to/mtk-su ./
      For example,
      cp /sdcard/mtk-su_r14/arm64/mtk-su ./
      For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
    4. Make file executable
      chmod 700 mtk-su
    5. Run the program
      ./mtk-su

    If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and/or kernel sources, if possible.

    Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
    cd
    cp path/to/mtk-su ./
    chmod 700 mtk-su
    ./mtk-su
    23
    PROJECTS USING THIS TEMP ROOT