How To Guide [GUIDE] Pixel 6 "oriole": Unlock Bootloader, Update, Root, Pass SafetyNet

Search This thread

badabing2003

Recognized Contributor
Sep 17, 2012
1,449
1,684
So I used PixelFlasher to update to Android 13. Does it do this by default (or is this more a question for that thread)?
I'm not sure what exactly "this" refers to in your question, if it is about flashing to both slots, then it is a choice in PixelFlasher, you choose what you want.
The default is unselected, however the application remembers your last choices even after restarting.

If "this" refers to whether you need to flash to both slots every month, the answer is not crispy clear, most often you don't, however if a bootloader bug is discovered that Google's does not want that specific version of bootloader to be downgradeable to, then it would be best to flash to both slots to make sure your older slot sides not inadvertently attempt to boot to it and cause a brick.
This was the first we had seen from Google.
 

nettech_gt

Senior Member
Jun 11, 2007
60
0
I have a Pixel 6 rooted/unlocked bootloader (purchased from Google) I use Verizon for service. Back in July I was on the June build (12.1.0 (SQ3A.220605.009.B1, Jun 2022) as I decided to skip installing the July build. Then in August even though I have "Automatic system updates" disabled in "Developer Options" I got a notification that there was security updates available. I clicked on restart on the notification and after rebooting I was on build (12.1.0 (SQ3A.220705.003.A3, Jul 2022, Verizon, Verizon MVNOs). I no longer had root. I side loaded build (12.1.0 (SQ3A.220705.004, Jul 2022) and re rooted. Now in September I'm not ready to install Adroid 13 yet but all month long I kept getting the same notification as before. I finaly clicked on restart and again after rebooting I'm back at build (12.1.0 (SQ3A.220705.003.A3, Jul 2022, Verizon, Verizon MVNOs) Why is it forcing me to build (12.1.0 (SQ3A.220705.003.A3, Jul 2022, Verizon, Verizon MVNOs)? How can I get root back and stay on 12 and not have keep re-rooting? Help! Thanks!
 

V0latyle

Forum Moderator
Staff member
I have a Pixel 6 rooted/unlocked bootloader (purchased from Google) I use Verizon for service. Back in July I was on the June build (12.1.0 (SQ3A.220605.009.B1, Jun 2022) as I decided to skip installing the July build. Then in August even though I have "Automatic system updates" disabled in "Developer Options" I got a notification that there was security updates available. I clicked on restart on the notification and after rebooting I was on build (12.1.0 (SQ3A.220705.003.A3, Jul 2022, Verizon, Verizon MVNOs). I no longer had root. I side loaded build (12.1.0 (SQ3A.220705.004, Jul 2022) and re rooted. Now in September I'm not ready to install Adroid 13 yet but all month long I kept getting the same notification as before. I finaly clicked on restart and again after rebooting I'm back at build (12.1.0 (SQ3A.220705.003.A3, Jul 2022, Verizon, Verizon MVNOs) Why is it forcing me to build (12.1.0 (SQ3A.220705.003.A3, Jul 2022, Verizon, Verizon MVNOs)? How can I get root back and stay on 12 and not have keep re-rooting? Help! Thanks!
I'm afraid I don't have an answer for you; I think other users have noticed the same thing, and I haven't seen there to be any fix.
 

ardiesel

Member
Jun 3, 2014
16
3
I'm on Pixel 6 Pro. Rooted and latest magisk. OTA update came thru. I haven't installed. When in magisk I pressed restore images and got a warning "no stock backup". Won't complete restoration so I can download the update. Any ideas on what I can do?
 

tutuco

Senior Member
Apr 16, 2007
65
6
SAO PAULO
Google Pixel 6 Pro
I'm on Pixel 6 Pro. Rooted and latest magisk. OTA update came thru. I haven't installed. When in magisk I pressed restore images and got a warning "no stock backup". Won't complete restoration so I can download the update. Any ideas on what I can do?
Hey I face the same problem last month.
In this Github I found a way to fix this error.
Remember you should have the stock boot.img that you are running on your device.
 

V0latyle

Forum Moderator
Staff member
Ok. Thanks. Any major issues with Android 13 that have heard of yet?
I don't have a Pixel 6; I suggest you explore some of the other Pixel 6 threads.

I'm on Pixel 6 Pro. Rooted and latest magisk. OTA update came thru. I haven't installed. When in magisk I pressed restore images and got a warning "no stock backup". Won't complete restoration so I can download the update. Any ideas on what I can do?
This happens because you flashed the patched boot image, so Magisk didn't have a backup. To fix this, you'd need to reflash the unpatched boot image, then live boot the patched image. At this point since the boot image has been "restored" you don't need to do that in Magisk; just download the update and install Magisk to inactive slot.

If you manually update in the future, don't flash the patched image - just live boot it and perform Direct Install in Magisk which will create a backup of the original.
 
  • Like
Reactions: phaino00

badabing2003

Recognized Contributor
Sep 17, 2012
1,449
1,684
I don't have a Pixel 6; I suggest you explore some of the other Pixel 6 threads.


This happens because you flashed the patched boot image, so Magisk didn't have a backup. To fix this, you'd need to reflash the unpatched boot image, then live boot the patched image. At this point since the boot image has been "restored" you don't need to do that in Magisk; just download the update and install Magisk to inactive slot.

If you manually update in the future, don't flash the patched image - just live boot it and perform Direct Install in Magisk which will create a backup of the original.
I haven't done direct install for a long time, yet when I check the backups that I have, I see
Code:
drwxr-xr-x   2 root     root      3452 2022-10-03 14:21 magisk_backup_7f04123661284ff8d554f01060b00eb6f188a07b
The timestamp matches the date/time I updated my phone with PF.
but the SHA1 is incorrect, 7f04123661284ff8d554f01060b00eb6f188a07b is the September release's boot.img SHA1
Yet the config file has the correct SHA1 for October

Code:
KEEPVERITY=true
KEEPFORCEENCRYPT=true
PATCHVBMETAFLAG=false
RECOVERYMODE=false
SHA1=2bde725117d3bd0990437faf06d37baa9adeb818

Who's making this backup? what process? It can't be direct install which I have not done for a while.
I just tried to create a patch file both in Magisk Manager UI and also using boot_patch.sh and I did not get a new backup.
Something must be creating them, but what ?
I can add into PF a feature to create these, but I'd like to understand the mechanics first, if there is a process that creates it, I don't want to stand in the way of it.
 

V0latyle

Forum Moderator
Staff member
I haven't done direct install for a long time, yet when I check the backups that I have, I see
Code:
drwxr-xr-x   2 root     root      3452 2022-10-03 14:21 magisk_backup_7f04123661284ff8d554f01060b00eb6f188a07b
The timestamp matches the date/time I updated my phone with PF.
but the SHA1 is incorrect, 7f04123661284ff8d554f01060b00eb6f188a07b is the September release's boot.img SHA1
Yet the config file has the correct SHA1 for October

Code:
KEEPVERITY=true
KEEPFORCEENCRYPT=true
PATCHVBMETAFLAG=false
RECOVERYMODE=false
SHA1=2bde725117d3bd0990437faf06d37baa9adeb818

Who's making this backup? what process? It can't be direct install which I have not done for a while.
I just tried to create a patch file both in Magisk Manager UI and also using boot_patch.sh and I did not get a new backup.
Something must be creating them, but what ?
I can add into PF a feature to create these, but I'd like to understand the mechanics first, if there is a process that creates it, I don't want to stand in the way of it.
Are you sure Magisk isn't creating these? I don't know exactly how this works, I just know that flashing the patched image instead of using Direct Install prevents restoring the original image because there's no "clean" backup.
 

badabing2003

Recognized Contributor
Sep 17, 2012
1,449
1,684
Are you sure Magisk isn't creating these? I don't know exactly how this works, I just know that flashing the patched image instead of using Direct Install prevents restoring the original image because there's no "clean" backup.
Yes that's exactly my point,
I don't know how Magisk is creating these, at what point?
and why does it have the wrong backup?

It's a perfect question for the Magisk thread seniors.
I'll post it there later.
 
  • Like
Reactions: V0latyle

capntrips

Senior Member
Aug 29, 2020
303
669
OnePlus 6T
Google Pixel 6
I haven't done direct install for a long time, yet when I check the backups that I have, I see
Code:
drwxr-xr-x   2 root     root      3452 2022-10-03 14:21 magisk_backup_7f04123661284ff8d554f01060b00eb6f188a07b
[...]
Who's making this backup? what process? It can't be direct install which I have not done for a while.
[...]
Something must be creating them, but what ?
Yes that's exactly my point,
I don't know how Magisk is creating these, at what point?

Magisk's run_migrations, which is called at various times, creates them. The stock_boot.img file is created in boot_patch.sh.


but the SHA1 is incorrect, 7f04123661284ff8d554f01060b00eb6f188a07b is the September release's boot.img SHA1
and why does it have the wrong backup?

Without digging into the code, my best guess is boot_patch is getting called on the old stock image at the end of the flashing process and leaving the stock_boot.img file behind to later get backed up in run_migrations.

Edit: Or maybe the file is getting left behind by the previous run and run_migrations isn't called until sometime during the current flash. A simple way to test that would be to clear the backup, boot_patch the latest image. source util_functions.sh, call run_migrations, and see if the correct backup gets created (or maybe flash the stock image twice).
 
Last edited:

badabing2003

Recognized Contributor
Sep 17, 2012
1,449
1,684
Magisk's run_migrations, which is called at various times, creates them. The stock_boot.img file is created in boot_patch.sh.





Without digging into the code, my best guess is boot_patch is getting called on the old stock image at the end of the flashing process and leaving the stock_boot.img file behind to later get backed up in run_migrations.

Edit: Or maybe the file is getting left behind by the previous run and run_migrations isn't called until sometime during the current flash. A simple way to test that would be to clear the backup, boot_patch the latest image. source util_functions.sh, call run_migrations, and see if the correct backup gets created (or maybe flash the stock image twice).
Thanks, it helps
I'm still trying to figure out the exact flow, at what point run_migration is triggered, and by whom.
I can see that it is triggered at the end of direct install but I haven't done direct install for a long time.
there must be some other trigger to run the migration script..
Or maybe the file is getting left behind by the previous run
The thing is, in my case there was never stock_boot.img file being left behind in the /data/adb/magisk directory because the script did not run from there (it ran from /), and anytime I checked the contents of /data/adb/magisk directory, I never saw it.
Regardless that creation is a copy of the passed Boot image and it is created at patch_boot.sh runtime

I appreciate your feedback, as you lead me to the code that tackles this, I'm still trying to figure out all the details.

Thanks again.
 

capntrips

Senior Member
Aug 29, 2020
303
669
OnePlus 6T
Google Pixel 6
The thing is, in my case there was never stock_boot.img file being left behind in the /data/adb/magisk directory because the script did not run from there (it ran from /), and anytime I checked the contents of /data/adb/magisk directory, I never saw it.

I ran a few quick tests, and the stock_boot.img was created in /data/adb/magisk once by the Patch command in PixelFlasher. The file disappeared without a backup being created on reboot, so that likely eliminates the old one hanging around from the previous month. The file was not created by subsequent patches from within PixelFlasher. I have no idea why it was created the first time but not later.

Also, simply opening the Magisk app runs run_migrations.

Edit: I deleted the ramdisk.cpio and kernel files from the /data/adb/magisk folder, and PixelFlasher created the stock_boot.img file during the patch process again. I then opened the Magisk app and the backup was created. Also, I wanted to note that the backup image is gzipped, so it would need to be decompressed before the SHA1 sum would match:

Code:
# gunzip -c /data/magisk_backup_7f04123661284ff8d554f01060b00eb6f188a07b/boot.img.gz | sha1sum
7f04123661284ff8d554f01060b00eb6f188a07b  -
 
Last edited:

Octagon8008

New member
Nov 1, 2022
2
0
Hi, I just today purchased a Pixel 6 Pro that came with the TP1A.221005.002 build.
Bootloader is locked and greyed out. Seems that this is the intended experience.
I was planning on unlocking the bootloader, but it seems Google stopped allowing OEM unlocking in Android 13.

Is there any hope for google to go back on this ? OEM unlocking was the reason for most people to purchase Pixels, so it would seem kinda stupid to take away their only actual feature... Do correct me if I'm wrong...

Thanks for all the ressources you make available, just frustrated that this doesn't work :(
 

V0latyle

Forum Moderator
Staff member
FYI, your post was moved from the sticky thread, because that wasn't the appropriate place to ask your question.
Hi, I just today purchased a Pixel 6 Pro that came with the TP1A.221005.002 build.
Bootloader is locked and greyed out. Seems that this is the intended experience.
I was planning on unlocking the bootloader, but it seems Google stopped allowing OEM unlocking in Android 13.
Not true.
Is there any hope for google to go back on this ? OEM unlocking was the reason for most people to purchase Pixels, so it would seem kinda stupid to take away their only actual feature... Do correct me if I'm wrong...

Thanks for all the ressources you make available, just frustrated that this doesn't work :(
This has not been removed or disabled in any way from Google non-carrier devices. The device does need to be connected to the Internet before OEM unlocking will become available; if it remains unavailable, it must be a carrier locked variant. I assume you did not buy this device direct from Google?
 
  • Like
Reactions: phaino00

Octagon8008

New member
Nov 1, 2022
2
0
Ah cheers, apologies,
FYI, your post was moved from the sticky thread, because that wasn't the appropriate place to ask your question.
I did not realize I was replying to the sticky

Not true.

This has not been removed or disabled in any way from Google non-carrier devices. The device does need to be connected to the Internet before OEM unlocking will become available; if it remains unavailable, it must be a carrier locked variant. I assume you did not buy this device direct from Google?
Ah, understood.
I bought it second hand, but in Hong Kong - didn't think it would be carrier locked to Verizon as my imei check seems to indicate, since I could connect my HK SIM card.
Nuance between vendor and bootloader unlock it would seem!

> IMEI.info: Pixel 6 Pro (128GB, Stormy Black, US VZW)

Should have done my research!
My understanding is that I'm sol?
Ah well, picked it up for 300 bucks so I might just try and sell it and buy one where I have checked the imei beforehand.

Thanks for your patience, been a long afternoon trying to get this resolved.
 

V0latyle

Forum Moderator
Staff member
Ah cheers, apologies,

I did not realize I was replying to the sticky
Quite alright, we just moved your post and all is good.
Ah, understood.
I bought it second hand, but in Hong Kong - didn't think it would be carrier locked to Verizon as my imei check seems to indicate, since I could connect my HK SIM card.
Nuance between vendor and bootloader unlock it would seem!

> IMEI.info: Pixel 6 Pro (128GB, Stormy Black, US VZW)

Should have done my research!
My understanding is that I'm sol?
Yes, unfortunately. There is no way to unlock the bootloader on a VZW device. The only way this might be possible is through an IMEI change, but AFAIK that requires specialized tools and software, and is illegal in some countries.
Ah well, picked it up for 300 bucks so I might just try and sell it and buy one where I have checked the imei beforehand.

Thanks for your patience, been a long afternoon trying to get this resolved.
That's what XDA is here for.
 

ukgblazem

New member
Jul 30, 2016
4
0
26
Union
OnePlus 8T
Google Pixel 6
⚠️⚠️⚠️WARNING! IF YOU ARE UPDATING TO ANDROID 13 FOR THE FIRST TIME, READ THIS FIRST! ⚠️⚠️⚠️

If you are looking for my guide on a different Pixel, find it here:
Update 6-20-22: Magisk 25.1 is recommended as this includes fixes for OTA updates, as well as support for the Android 13 beta.
Discussion thread for migration to 24.0+.

DO NOT use any version of Magisk lower than Canary 23016 as it does not yet incorporate the necessary fixes for Android 12 and your device.


WARNING: YOU AND YOU ALONE ARE RESPONSIBLE FOR ANYTHING THAT HAPPENS TO YOUR DEVICE. THIS GUIDE IS WRITTEN WITH THE EXPRESS ASSUMPTION THAT YOU ARE FAMILIAR WITH ADB, MAGISK, ANDROID, AND ROOT. IT IS YOUR RESPONSIBILITY TO ENSURE YOU KNOW WHAT YOU ARE DOING.

Prerequisites:


Android Source - Setting up a device for development


  1. Follow these instructions to enable Developer Options and USB Debugging.
  2. Enable OEM Unlocking. If this option is grayed out, unlocking the bootloader is not possible.
  3. Connect your device to your PC, and open a command window in your Platform Tools folder.
  4. Ensure ADB sees your device:
    Code:
    adb devices
    If you don't see a device, make sure USB Debugging is enabled, reconnect the USB cable, or try a different USB cable.
    If you see "unauthorized", you need to authorize the connection on your device.
    If you see the device without "unauthorized", you're good to go.
  5. Reboot to bootloader:
    Code:
    adb reboot bootloader
  6. Unlock bootloader: THIS WILL WIPE YOUR DEVICE!
    Code:
    fastboot flashing unlock
    Select Continue on the device screen.

  1. Install Magisk on your device.
  2. Download the factory zip for your build.
  3. Inside the factory zip is the update zip: "device-image-buildnumber.zip". Open this, and extract boot.img
  4. Copy boot.img to your device.
  5. Patch boot.img with Magisk: "Install" > "Select and Patch a File"
  6. Copy the patched image back to your PC. It will be named "magisk_patched-23xxx_xxxxx.img". Rename this to "master root.img" and retain it for future updates.
  7. Reboot your device to bootloader.
  8. Flash the patched image:
    Code:
    fastboot flash boot <drag and drop master root.img here>
  9. Reboot to Android. Open Magisk to confirm root - under Magisk at the top, you should see "Installed: <Magisk build number>

  1. Before you download the OTA, open Magisk, tap Uninstall, then Restore Images. If you have any Magisk modules that modify system, uninstall them now.
  2. Take the OTA update when prompted. To check for updates manually, go to Settings > System > System Update > Check for Update
  3. Allow the update to download and install. DO NOT REBOOT WHEN PROMPTED. Open Magisk, tap Install at the top, then Install to inactive slot. Magisk will then reboot your device.
  4. You should now be updated with root.

  1. Download the OTA.
  2. Reboot to recovery and sideload the OTA:
    Code:
    adb reboot sideload
    Once in recovery:
    Code:
    adb sideload ota.zip
  3. When the OTA completes, you will be in recovery mode. Select "Reboot to system now".
  4. Allow system to boot and wait for the update to complete. You must let the system do this before proceeding.
  5. Reboot to bootloader.
  6. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  8. Reboot your device. You should now be updated with root.
Note: You can use Payload Dumper to extract the contents of the OTA if you want to manually patch the new boot image. However, I will not cover that in this guide.

Please note that the factory update process expects an updated bootloader and radio. If these are not up to date, the update will fail.
  1. Download the factory zip and extract the contents.
  2. Reboot to bootloader.
  3. Compare bootloader versions between phone screen and bootloader.img build number
    Code:
    fastboot flash bootloader <drag and drop new bootloader.img here>
    If bootloader is updated, reboot to bootloader.
  4. Compare baseband versions between phone screen and radio.img build number
    Code:
    fastboot flash radio <drag and drop radio.img here>
    If radio is updated, reboot to bootloader.
  5. Apply update:
    Code:
    fastboot update --skip-reboot image-codename-buildnumber.zip
    When the update completes, the device will be in fastbootd. Reboot to bootloader.
  6. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  8. Reboot your device. You should now be updated with root.
Note: If you prefer, you can update using the flash-all script included in the factory zip. You will have to copy the script, bootloader image, radio image, and update zip into the Platform Tools folder; you will then have to edit the script to remove the -w option so it doesn't wipe your device.
The scripted commands should look like this:
Code:
fastboot flash bootloader <bootloader image name>
fastboot reboot bootloader
ping -n 5 127.0.0.1 > nul
fastboot flash radio <radio image name>
fastboot reboot bootloader
ping -n 5 127.0.0.1 > nul
fastboot update  --skip-reboot <image-device-buildnumber.zip>
Once this completes, you can reboot to bootloader and either boot your master patched image, or if you patched the new image, flash it at this time.

PixelFlasher by @badabing2003 is an excellent tool that streamlines the update process - it even patches the boot image for you.
The application essentially automates the ADB interface to make updating and rooting much easier. However, it is STRONGLY recommended that you still learn the "basics" of using ADB.

For instructions, downloads, and support, please refer to the PixelFlasher thread.

  1. Follow the instructions on the Android Flash Tool to update your device. Make sure Lock Bootloader and Wipe Device are UNCHECKED.
  2. When the update completes, the device will be in fastbootd. Reboot to bootloader.
  3. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  4. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  5. Reboot your device. You should now be updated with root.

SafetyNet has been deprecated for the new Play Integrity API. More information here.

In a nutshell, Play Integrity uses the same mechanisms as SafetyNet for the BASIC and DEVICE verdicts, but uses the Trusted Execution Environment to validate those verdicts. TEE does not function on an unlocked bootloader, so legacy SafetyNet solutions will fail.

However, @Displax has modified the original Universal SafetyNet Fix by kdrag0n; his mod is able to bypass TEE, meaning that the device will pass BASIC and DEVICE integrity.

Mod available here. Do not use MagiskHide Props Config with this mod.

This is my configuration that is passing Safety Net. I will not provide instructions on how to accomplish this. Attempt at your own risk.

Zygisk + DenyList enabled
All subcomponents of these apps hidden under DenyList:
  • Google Play Store
  • GPay
  • Any banking/financial apps
  • Any DRM media apps
Modules:
  • Universal SafetyNet Fix 2.3.1 Mod - XDA post
To check SafetyNet status:
To check Play Integrity status:
I do not provide support for Magisk or modules. If you need help with Magisk, here is the Magisk General Support thread. For support specifically with Magisk v24+, see this thread.

Points of note:
  • The boot image is NOT the bootloader image. Do not confuse the two - YOU are expected to know the difference. Flashing the wrong image to bootloader could brick your device.
  • While the Magisk app is used for patching the boot image, the app and the patch are separate. This is what you should see in Magisk for functioning root:
    screenshot_20211218-194517-png.5486339
  • "Installed" shows the version of patch in the boot image. If this says N/A, you do not have root access - the boot image is not patched, or you have a problem with Magisk.
  • "App" simply shows the version of the app itself.
  • If you do not have a patched master boot image, you will need to download the factory zip if you haven't already, extract the system update inside it, then patch boot.img.
  • If you prefer updating with the factory image, you can also extract and manually patch the boot image if desired.
  • Some Magisk modules, especially those that modify read only partitions like /system, may cause a boot loop after updating. As a general rule, disable these modules before updating. You are responsible for knowing what you have installed, and what modules to disable.


Credits:
Thanks to @ipdev , @kdrag0n , @Didgeridoohan , and last but not least, @topjohnwu for all their hard work!
You have saved my life lol
 

Top Liked Posts

  • 1
    Yes, my mistake. Don't know why i wrote "patching", it is "flashing". I know the difference :)

    I will stay on 12 for now. Also, will return in few hours, hopefully with smile on my face :)

    And, thank you!!!
  • 3
    Thanks for easing my mind about this guys! So just a misunderstanding on my side. :)

    I was having some issues with applying an OTA update and keeping root through Magisk Manager and I thought that maybe for that to work both slots should have up-to-date, working firmware (and to test that I tried booting from them).

    Luckily I learned a lot from all this flashing, rooting, updating with adb, fastboot and PixelFlasher and I think that should I ever screw up a future update I should be able to recover without data loss pretty easy and quick now.
    1
    Not quite true...you just have to use bootctl to tell it to boot to the other slot. Simply setting the other slot active in bootloader short circuits the process.
    I was answering in the way that person was trying to do it without getting into more in depth details. I saw your earlier post.

    .........................
    1
    Yes, my mistake. Don't know why i wrote "patching", it is "flashing". I know the difference :)

    I will stay on 12 for now. Also, will return in few hours, hopefully with smile on my face :)

    And, thank you!!!
  • 47
    ⚠️⚠️⚠️WARNING! IF YOU ARE UPDATING TO ANDROID 13 FOR THE FIRST TIME, READ THIS FIRST! ⚠️⚠️⚠️

    If you are looking for my guide on a different Pixel, find it here:
    Update 6-20-22: Magisk 25.1 is recommended as this includes fixes for OTA updates, as well as support for the Android 13 beta.
    Discussion thread for migration to 24.0+.

    DO NOT use any version of Magisk lower than Canary 23016 as it does not yet incorporate the necessary fixes for Android 12 and your device.


    WARNING: YOU AND YOU ALONE ARE RESPONSIBLE FOR ANYTHING THAT HAPPENS TO YOUR DEVICE. THIS GUIDE IS WRITTEN WITH THE EXPRESS ASSUMPTION THAT YOU ARE FAMILIAR WITH ADB, MAGISK, ANDROID, AND ROOT. IT IS YOUR RESPONSIBILITY TO ENSURE YOU KNOW WHAT YOU ARE DOING.

    Prerequisites:


    Android Source - Setting up a device for development


    1. Follow these instructions to enable Developer Options and USB Debugging.
    2. Enable OEM Unlocking. If this option is grayed out, unlocking the bootloader is not possible.
    3. Connect your device to your PC, and open a command window in your Platform Tools folder.
    4. Ensure ADB sees your device:
      Code:
      adb devices
      If you don't see a device, make sure USB Debugging is enabled, reconnect the USB cable, or try a different USB cable.
      If you see "unauthorized", you need to authorize the connection on your device.
      If you see the device without "unauthorized", you're good to go.
    5. Reboot to bootloader:
      Code:
      adb reboot bootloader
    6. Unlock bootloader: THIS WILL WIPE YOUR DEVICE!
      Code:
      fastboot flashing unlock
      Select Continue on the device screen.

    1. Install Magisk on your device.
    2. Download the factory zip for your build.
    3. Inside the factory zip is the update zip: "device-image-buildnumber.zip". Open this, and extract boot.img
    4. Copy boot.img to your device.
    5. Patch boot.img with Magisk: "Install" > "Select and Patch a File"
    6. Copy the patched image back to your PC. It will be named "magisk_patched-23xxx_xxxxx.img". Rename this to "master root.img" and retain it for future updates.
    7. Reboot your device to bootloader.
    8. Flash the patched image:
      Code:
      fastboot flash boot <drag and drop master root.img here>
    9. Reboot to Android. Open Magisk to confirm root - under Magisk at the top, you should see "Installed: <Magisk build number>

    1. Before you download the OTA, open Magisk, tap Uninstall, then Restore Images. If you have any Magisk modules that modify system, uninstall them now.
    2. Take the OTA update when prompted. To check for updates manually, go to Settings > System > System Update > Check for Update
    3. Allow the update to download and install. DO NOT REBOOT WHEN PROMPTED. Open Magisk, tap Install at the top, then Install to inactive slot. Magisk will then reboot your device.
    4. You should now be updated with root.

    1. Download the OTA.
    2. Reboot to recovery and sideload the OTA:
      Code:
      adb reboot sideload
      Once in recovery:
      Code:
      adb sideload ota.zip
    3. When the OTA completes, you will be in recovery mode. Select "Reboot to system now".
    4. Allow system to boot and wait for the update to complete. You must let the system do this before proceeding.
    5. Reboot to bootloader.
    6. Boot the master root image (See note 1):
      Code:
      fastboot boot <drag and drop master root.img here>
      Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
    7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
    8. Reboot your device. You should now be updated with root.
    Note: You can use Payload Dumper to extract the contents of the OTA if you want to manually patch the new boot image. However, I will not cover that in this guide.

    Please note that the factory update process expects an updated bootloader and radio. If these are not up to date, the update will fail.
    1. Download the factory zip and extract the contents.
    2. Reboot to bootloader.
    3. Compare bootloader versions between phone screen and bootloader.img build number
      Code:
      fastboot flash bootloader <drag and drop new bootloader.img here>
      If bootloader is updated, reboot to bootloader.
    4. Compare baseband versions between phone screen and radio.img build number
      Code:
      fastboot flash radio <drag and drop radio.img here>
      If radio is updated, reboot to bootloader.
    5. Apply update:
      Code:
      fastboot update --skip-reboot image-codename-buildnumber.zip
      When the update completes, the device will be in fastbootd. Reboot to bootloader.
    6. Boot the master root image (See note 1):
      Code:
      fastboot boot <drag and drop master root.img here>
      Note: If you prefer, you can manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
    7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
    8. Reboot your device. You should now be updated with root.
    Note: If you prefer, you can update using the flash-all script included in the factory zip. You will have to copy the script, bootloader image, radio image, and update zip into the Platform Tools folder; you will then have to edit the script to remove the -w option so it doesn't wipe your device.
    The scripted commands should look like this:
    Code:
    fastboot flash bootloader <bootloader image name>
    fastboot reboot bootloader
    ping -n 5 127.0.0.1 > nul
    fastboot flash radio <radio image name>
    fastboot reboot bootloader
    ping -n 5 127.0.0.1 > nul
    fastboot update  --skip-reboot <image-device-buildnumber.zip>
    Once this completes, you can reboot to bootloader and either boot your master patched image, or if you patched the new image, flash it at this time.

    PixelFlasher by @badabing2003 is an excellent tool that streamlines the update process - it even patches the boot image for you.
    The application essentially automates the ADB interface to make updating and rooting much easier. However, it is STRONGLY recommended that you still learn the "basics" of using ADB.

    For instructions, downloads, and support, please refer to the PixelFlasher thread.

    1. Follow the instructions on the Android Flash Tool to update your device. Make sure Lock Bootloader and Wipe Device are UNCHECKED.
    2. When the update completes, the device will be in fastbootd. Reboot to bootloader.
    3. Boot the master root image (See note 1):
      Code:
      fastboot boot <drag and drop master root.img here>
      Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
    4. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
    5. Reboot your device. You should now be updated with root.

    SafetyNet has been deprecated for the new Play Integrity API. More information here.

    In a nutshell, Play Integrity uses the same mechanisms as SafetyNet for the BASIC and DEVICE verdicts, but uses the Trusted Execution Environment to validate those verdicts. TEE does not function on an unlocked bootloader, so legacy SafetyNet solutions will fail.

    However, @Displax has modified the original Universal SafetyNet Fix by kdrag0n; his mod is able to bypass TEE, meaning that the device will pass BASIC and DEVICE integrity.

    Mod available here. Do not use MagiskHide Props Config with this mod.

    This is my configuration that is passing Safety Net. I will not provide instructions on how to accomplish this. Attempt at your own risk.

    Zygisk + DenyList enabled
    All subcomponents of these apps hidden under DenyList:
    • Google Play Store
    • GPay
    • Any banking/financial apps
    • Any DRM media apps
    Modules:
    • Universal SafetyNet Fix 2.3.1 Mod - XDA post
    To check SafetyNet status:
    To check Play Integrity status:
    I do not provide support for Magisk or modules. If you need help with Magisk, here is the Magisk General Support thread. For support specifically with Magisk v24+, see this thread.

    Points of note:
    • The boot image is NOT the bootloader image. Do not confuse the two - YOU are expected to know the difference. Flashing the wrong image to bootloader could brick your device.
    • While the Magisk app is used for patching the boot image, the app and the patch are separate. This is what you should see in Magisk for functioning root:
      screenshot_20211218-194517-png.5486339
    • "Installed" shows the version of patch in the boot image. If this says N/A, you do not have root access - the boot image is not patched, or you have a problem with Magisk.
    • "App" simply shows the version of the app itself.
    • If you do not have a patched master boot image, you will need to download the factory zip if you haven't already, extract the system update inside it, then patch boot.img.
    • If you prefer updating with the factory image, you can also extract and manually patch the boot image if desired.
    • Some Magisk modules, especially those that modify read only partitions like /system, may cause a boot loop after updating. As a general rule, disable these modules before updating. You are responsible for knowing what you have installed, and what modules to disable.


    Credits:
    Thanks to @ipdev , @kdrag0n , @Didgeridoohan , and last but not least, @topjohnwu for all their hard work!
    7
    Magisk Canary was updated to 23016 last night. This includes a fix for the vbmeta header issue, meaning that disabling verity/verification should no longer be required, and we should be able to root as we did before. This needs testing, make sure you back up your data and photos before you do this!

    Additionally, for the Pixel 6 and 6 Pro, fstab will now load from /system/etc which should fix the root issue many of you were having.

    Q: "If verity/verification are disabled, do I need to enable them now?"
    A: No. The only thing you have to do is update to Magisk 23016.
    Q: "Will enabling verity/verification wipe my data?"
    A: No.

    I will be updating the OP to reflect this.
    5
    Magisk 24306 (release notes) is now available on the canary channel, and I can confirm that the installation to the inactive slot OTA method is working for the April update.
    5
    Interesting. How did you command the reboot?

    When I tried to update this way on my wife's 5a, it bootlooped back to the original slot.
    I always follow these steps once I know the OTA is available:

    1. Open Magisk and select 'Uninstall Magisk -> Restore Images'
    2. Open Settings and Download/Install OTA *DO NOT REBOOT*
    3. Go back to Magisk and select 'Install -> Install to Inactive Slot (After OTA)' *DO NOT REBOOT*
    4. Go back to Settings and 'Reboot' to finalize the OTA
    5
    So, if I use this tool after rooting OTA updates will work and I'll still have root?

    Edit: And can you explain more clearly the process on how to do this?

    No, the tool does nothing to maintain root. It simply allows you to take the OTA. You will still need to reboot into fastboot and flash or boot from a patched boot image.

    The steps would be:
    1. Restore boot in the Magisk app
    2. Restore vbmeta in Vbmeta Patcher
    3. Take the OTA in System Updater
    4. Patch vbmeta in Vbmeta Patcher
    5. Patch the new boot image in the Magisk app and copy it to your computer
    6. Reboot into fastboot
    7. Boot from the new patched boot image
    8. Direct Install Magisk in the Magisk App
    As I noted the quote post, this process should be considered experimental until it has been more thoroughly tested. You should consider backing up any critical data before attempting it, in case something goes wrong.

    I'm working on another tool to make it a bit easier to acquire the new boot image in step 5, but that will likely be a few days. Hopefully we'll be able to install Magisk to the inactive slot on Pixel devices again in the future, which would consolidate steps 5-8.