[Guide] OnePlus 8T EASY ROOT (for all unlocked variants)

[Mpolo87]

CAVEAT
I've only tested this on my device (KB2005 / KB05AA), but it should be universally helpful as it's using your own boot.img so there's no need to find a matching package for your variant and os version.

CREDIT
The steps were buried across a few threads, I'm posting this so it'll be easier for others to find the information. All credit goes to xb360, FullOfHell, and TheUnkn0wn.

INFO​

The basic rundown is:

1. Use the semi-broken TWRP package to give yourself temporary su access through adb.
2. Extract the boot.img your phone is currently using to your pc.
3. Reboot to OxygenOS, copy over the boot.img you just extracted and then use Magisk to patch it.
4. Copy the boot.img back to your pc and use adb to temporarily boot your phone with it, giving you root access until reboot.
5. Use your temporary root access to allow Magisk to patch your internal as-yet unmodified boot.img to give you permanent root.

There seems to be some confusion in the thread, I'll try to clear up what's happening and why:

• The primary issue at hand is that you can't root your device without already having root privileges, for security reasons. Without a custom recovery like TWRP, there are a few more steps than usual (but mostly simple stuff).​
• Because we don't flash anything with this guide, it shouldn't cause any permanent bootloops if you use the wrong boot.img, if you get stuck in one just power cycle your phone. ​
• Updating with OTAs should be the same process as the other guides here.​
• Because of changes in Android, devices that launched with Android 10 and above will not allow you to modify the system partition, even with root. This is not a fault of this rooting method.​

Prerequisites:

• ADB and Fastboot installed.​
• An unlocked bootloader and USB debugging enabled.​

________________________________________________________

STEPS:​

1. Connect your phone to your pc and boot it into fastboot mode. You can leave it connected throughout this guide.

2. On your computer open a terminal/cmd prompt. Set the directory (on your pc) you want to work from, I'm using the desktop:

for Windows, type cd C:\Users\Yourname\Desktop​

for Mac, type cd desktop or cd /Users/yourname/Desktop​

Spoiler: How to set up adb and fastboot properly

To usb adb and fastboot commands outside of the folder those programs are located in, you'll need to add their location to the PATH list so your terminal can still find them when it's pointing to a different folder. If you want to skip this step, set the directory to the folder that contains adb instead of the desktop.

3. Next, use the terminal to check which A/B partition is active on your phone:

fastboot getvar all

a. You'll find it on this line: (bootloader) current-slot:a/b​

b. For simplicity I'll be referring to boot_a.img throughout the guide, make sure to use boot_b.img if that's the one marked as active on your device. ​

​

4. Download the semi-broken TWRP package to your desktop. We'll be using it to extract a copy of your active boot_a.img. It will give you temporary su access via adb, but there won't be a gui. Only boot from it, DO NOT FLASH IT:

fastboot boot recovery.img
adb shell
dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
exit
adb pull /sdcard/boot_a.img boot_a.img
adb reboot

5. Copy the extracted boot_a.img file to a user accessible area of your phone, like your downloads folder.

6. Install the latest Magisk Canary apk on your phone. Open it and:

a. Select the Install option.​

b. Use Select and Patch a File on boot_a.img​

7. Copy the patched magisk_patched_a.img file back to your computer. In terminal, type adb reboot bootloader to get back to fastboot mode.

8. Temporarily boot with the patched image that corresponds to the active partition, DO NOT FLASH IT:

fastboot boot magisk_patched_a.img

Spoiler: Why we're booting and not flashing.

You could flash this boot.img, but it's safer to temporarily boot from it without overwriting your existing image in case anything went wrong along the way. The effect is that you still get root access without modifying your device, and then you can use the much safer Magisk direct install option, which has some safeguards in place.

9. By booting with the patched image, you now have temporary root access. To make it permanent open Magisk:

a. Select the Install option.​

b. Use Direct Install (Recommended) to root your internal boot.img​

10. Reboot and verify it worked.

 

[Mpolo87]

Forgot to tag it... if an admin is able to do so I'd appreciate it.

 

[TreatnHerRight]

Just applied for a bootloader unlock today. When i get approved ill attempt this guide.

I am currently on T-Mobile 11.0.5.7.KB09CB.

 

[tekno4ever]

Unlike other methods prvoided here for the 8T I got this method to work. Thank you very much!

clarification update: I own the t-mobile kb2007 model of phone

 

[lordxcom]

a couple of notes for any either newBs or old OPO users rejoining the party with a new onplus phone..
Some prework I had to do for my OnePlus 8T KB2005
-ensure you have the correct ADB driver installed, I installed the "15sec adb installer 1.4.2" found here on xda, watch the videos provided.
-ensure to unlock your bootloader first (*this will wipe your device.. didn't think about that..no pain no gain...)
-With device in bootloader/fastboot, run: fastboot flashing unlock
-verify with your phone to accept
-phone will reboot, just through the setup, I just skipped it all and opted for offline setup..
-renable OEM lock and USB debug
-restart back into bootloader/fastboot
-now you are ready to root

 

[Misledz]

Just came here to say that this is the most genius way to go about it and thanks OP for this solution. To add your screen would flicker in TWRP but you just want to type adb reboot bootloader after you are done copying off the boot files from your phone. Thanks OP!

 

[lordxcom]

After performing this, I am unable to write to /system even with root?
Unable to get through with es explorer, root explorer pro, or even use a app like Titanium to move a user app to system,unable to get r/w access.
Thanks in advance

 

[Misledz]

After performing this, I am unable to write to /system even with root?
Unable to get through with es explorer, root explorer pro, or even use a app like Titanium to move a user app to system,unable to get r/w access.
Thanks in advance

I'm having the same issue although its more tied in with removing youtube as a system app for vanced

 

[giacomowrc]

After performing this, I am unable to write to /system even with root?
Unable to get through with es explorer, root explorer pro, or even use a app like Titanium to move a user app to system,unable to get r/w access.
Thanks in advance

Actually Is not possible on devices borned with android 10 or above.

 

[Mpolo87]

Actually Is not possible on devices borned with android 10 or above.

To be clear, you're saying this isn't a fault with this root method and is just a security measure since Android 10?

 

[giacomowrc]

To be clear, you're saying this isn't a fault with this root method and is just a security measure since Android 10?

Yes of course.

 

[sameog]

CAVEAT
I've only tested this on my device (KB2005 / KB05AA), but it should be universally helpful as it's using your own boot.img so there's no need to find a matching package for your variant.

CREDIT
The steps were buried across a few threads, I'm posting this so it'll be easier for others to find the information. All credit goes to xb360, FullOfHell, and TheUnkn0wn.

INFO​

The basic rundown is:

1. Use the semi-broken TWRP package to give temporary su access through adb.​
2. Extract boot_a.img and boot_b.img to your computer.​
3. Reboot into OxygenOS and copy boot_a.img and boot_b.img back to your phone.​
4. Use Magisk to patch both images.​
5. Copy the patched images back to your computer.​
6. Use fastboot to temporarily boot using the patched image, giving you temporary root.​
7. Use Magisk to direct install for permanent root.​

Prerequisites:

• ADB and Fastboot installed.​
• An unlocked bootloader and USB debugging enabled.​

________________________________________________________

STEPS:​

1. Get the semi-broken TWRP .img. This won't give you a gui but will give you su access over adb. You DON'T want to flash this, we're just booting with it temporarily.

2. Restart your phone into fastboot mode.

3. On your computer open a terminal/cmd prompt and set the directory where you want to dump the files (ex: cd /your/path/here). Run the following:

fastboot boot recovery.img
adb shell
dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
dd if=/dev/block/by-name/boot_b of=/sdcard/boot_b.img
exit
adb pull /sdcard/boot_a.img boot_a.img
adb pull /sdcard/boot_b.img boot_b.img

4. Copy the extracted files to a user accessible area of your phone.

5. Install the latest Magisk Canary release to your phone.

a. Select the Install option.​

b. Use Select and Patch a File on both boot_a.img and boot_b.img​

c. You should rename them or make note of the new names given by Magisk. You'll need to use one or the other depending on which partition is active. ​

6. Copy the patched .img files back to your computer.

7. Restart your phone back into fastboot mode.

8. On your computer, run:

fastboot getvar all

9. Find which A/B partition is active on this line: (bootloader) current-slot:a/b

10. Temporarily boot with the patched image that corresponds to the active partition, DO NOT FLASH IT:

fastboot boot patched-boot-a/b.img

11. You now have temporary root access, to make it permanent open Magisk:

a. Select the Install option.​

b. Use Direct Install (Recommended) to root your internal boot.img​

12. Reboot and verify it worked.

hey there! I was just about to try this method but confused with this syntax -- don't mind the quotes

"On your computer open a terminal/cmd prompt and set the directory where you want to dump the files (ex: cd /your/path/here)"

I'm painfully confused about this: cd /your/path/here. is this done during fastboot? I know fastboot commands but adb is where my brain doesn't get it. Please elaborate further and thanks.

 

[Mpolo87]

hey there! I was just about to try this method but confused with this syntax -- don't mind the quotes

"On your computer open a terminal/cmd prompt and set the directory where you want to dump the files (ex: cd /your/path/here)"

I'm painfully confused about this: cd /your/path/here. is this done during fastboot? I know fastboot commands but adb is where my brain doesn't get it. Please elaborate further and thanks.

When you open a terminal or command prompt on your computer it is, by default, 'pointing' to a certain folder. Since we're pulling files from the phone to pc it'll dump there, so it's easiest to set the location in advance, for your own convenience. You can just make a folder on your desktop and drag it onto the terminal window to automatically input that path after typing cd, which just means 'change directory'. This isn't a fastboot or adb thing, just a feature of terminals, so you'd do this in advance.

 

[sameog]

When you open a terminal or command prompt on your computer it is, by default, 'pointing' to a certain folder. Since we're pulling files from the phone to pc it'll dump there, so it's easiest to set the location in advance, for your own convenience. You can just make a folder on your desktop and drag it onto the terminal window to automatically input that path after typing cd, which just means 'change directory'. This isn't a fastboot or adb thing, just a feature of terminals, so you'd do this in advance.

Attached are 2 photos -- the 1st photo is the "before" I dragged my intended folder into command prompt. the 2nd photo is the "after" I dragged my intended folder into command prompt. Still hella confused.

 

[sameog]

Please note: I love this guide. It's cohesive and well-written. I just need pictures to "see" on what and where to do. I'm visual.

UPDATE: I followed the tuturial to the best of my ability and I got nothing. I'm giving up and taking a step back.

PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./fastboot boot recovery.img
Sending 'boot.img' (64964 KB) OKAY [ 1.660s]
Booting OKAY [ 0.084s]
Finished. Total time: 1.939s
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./adb shell
* daemon not running; starting now at tcp:5037
* daemon started successfully
OnePlus8T:/ # dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
196608+0 records in
196608+0 records out
100663296 bytes (96 M) copied, 0.194981 s, 492 M/s
OnePlus8T:/ # dd if=/dev/block/by-name/boot_b of=/sdcard/boot_b.img
196608+0 records in
196608+0 records out
100663296 bytes (96 M) copied, 0.185497 s, 518 M/s
OnePlus8T:/ # exit
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./adb pull /sdcard/boot_a.img boot_a.img
/sdcard/boot_a.img: 1 file pulled, 0 skipped. 27.7 MB/s (100663296 bytes in 3.470s)
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./adb pull /sdcard/boot_b.img boot_b.img
/sdcard/boot_b.img: 1 file pulled, 0 skipped. 32.0 MB/s (100663296 bytes in 2.997s)
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows> ./adb reboot
PS C:\Program Files (x86)\platform-tools_r30.0.5-windows>

 

[Mpolo87]

Attached are 2 photos -- the 1st photo is the "before" I dragged my intended folder into command prompt. the 2nd photo is the "after" I dragged my intended folder into command prompt. Still hella confused.

You're missing the command "cd" before the path to change the directory to the new one. It should be cd C:\Users\Mr. Lew\Desktop\oneplus 8t boot image then press enter. Now you can reference any file in that folder by just the name without its entire path as a prefix being required.

 

[zengin]

A difficult method

 

[sameog]

Diğer yöntemden hiç de kolay değil.

huh?

 

[sameog]

Honestly, if there's a kind of soul out there who can share their unpatched kb2007 boot image (tmobile version), I would greatly appreciate it. I'm been banging my head on the wall with this for about 2 months with no help. I've received TONS of half-baked one liner answers but no "full-scale" tutorial. I'm giving up on this.
NOTE: I'm just frustrated guys. Not bashing the OP. It shouldn't be this hard but it became this way.

 

[Misledz]

Honestly, if there's a kind of soul out there who can share their unpatched kb2007 boot image (tmobile version), I would greatly appreciate it. I'm been banging my head on the wall with this for about 2 months with no help. I've received TONS of half-baked one liner answers but no "full-scale" tutorial. I'm giving up on this.
NOTE: I'm just frustrated guys. Not bashing the OP. It shouldn't be this hard but it became this way.

While this is a temporary solution, it is also a bad solution because you can land with not being able to boot your phone every time an incremental update comes along.