How To Guide [GUIDE] Pixel 6 Pro "raven": Unlock Bootloader, Update, Root, Pass SafetyNet


V0latyle

Forum Moderator
Staff member
If you are looking for my guide on a different Pixel, find it here:
Update 5-13-22: While Magisk 24.0 has been updated for use with Android 12, many users on the Pixel 6 and 6 Pro are still experiencing issues. It is strongly recommended to use Canary 24310. This version also includes beta support for A13B2.
Discussion thread for migration to 24.0.

DO NOT use any version of Magisk lower than Canary 23016 as it does not yet incorporate the necessary fixes for Android 12 and your device.


WARNING: YOU AND YOU ALONE ARE RESPONSIBLE FOR ANYTHING THAT HAPPENS TO YOUR DEVICE. THIS GUIDE IS WRITTEN WITH THE EXPRESS ASSUMPTION THAT YOU ARE FAMILIAR WITH ADB, MAGISK, ANDROID, AND ROOT. IT IS YOUR RESPONSIBILITY TO ENSURE YOU KNOW WHAT YOU ARE DOING.

Prerequisites:


Android Source - Setting up a device for development


  1. Follow these instructions to enable Developer Options and USB Debugging.
  2. Enable OEM Unlocking. If this option is grayed out, unlocking the bootloader is not possible.
  3. Connect your device to your PC, and open a command window in your Platform Tools folder.
  4. Ensure ADB sees your device:
    Code:
    adb devices
    If you don't see a device, make sure USB Debugging is enabled, reconnect the USB cable, or try a different USB cable.
    If you see "unauthorized", you need to authorize the connection on your device.
    If you see the device without "unauthorized", you're good to go.
  5. Reboot to bootloader:
    Code:
    adb reboot bootloader
  6. Unlock bootloader: THIS WILL WIPE YOUR DEVICE!
    Code:
    fastboot flashing unlock
    Select Continue on the device screen.

  1. Install Magisk on your device.
  2. Download the factory zip for your build.
  3. Inside the factory zip is the update zip: "device-image-buildnumber.zip". Open this, and extract boot.img
  4. Copy boot.img to your device.
  5. Patch boot.img with Magisk: "Install" > "Select and Patch a File"
  6. Copy the patched image back to your PC. It will be named "magisk_patched-23xxx_xxxxx.img". Rename this to "master root.img" and retain it for future updates.
  7. Reboot your device to bootloader.
  8. Flash the patched image:
    Code:
    fastboot flash boot <drag and drop master root.img here>
  9. Reboot to Android. Open Magisk to confirm root - under Magisk at the top, you should see "Installed: <Magisk build number>"

  1. Before you download the OTA, open Magisk, tap Uninstall, then Restore Images. If you have any Magisk modules that modify system, uninstall them now.
  2. Take the OTA update when prompted. To check for updates manually, go to Settings > System > System Update > Check for Update
  3. Allow the update to download and install. DO NOT REBOOT WHEN PROMPTED. Open Magisk, tap Install at the top, then Install to inactive slot. Magisk will then reboot your device.
  4. You should now be updated with root.

  1. Download the OTA.
  2. Reboot to recovery and sideload the OTA:
    Code:
    adb reboot sideload
    Once in recovery:
    Code:
    adb sideload ota.zip
  3. When the OTA completes, you will be in recovery mode. Select "Reboot to system now".
  4. Allow system to boot and wait for the update to complete. You must let the system do this before proceeding.
  5. Reboot to bootloader.
  6. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  8. Reboot your device. You should now be updated with root.
Note: You can use Payload Dumper to extract the contents of the OTA if you want to manually patch the new boot image. However, I will not cover that in this guide.

Please note that the factory update process expects an updated bootloader and radio. If these are not up to date, the update will fail.
  1. Download the factory zip and extract the contents.
  2. Reboot to bootloader.
  3. Compare bootloader versions between phone screen and bootloader.img build number
    Code:
    fastboot flash bootloader <drag and drop new bootloader.img here>
    If bootloader is updated, reboot to bootloader.
  4. Compare baseband versions between phone screen and radio.img build number
    Code:
    fastboot flash radio <drag and drop radio.img here>
    If radio is updated, reboot to bootloader.
  5. Apply update:
    Code:
    fastboot update --skip-reboot image-codename-buildnumber.zip
    When the update completes, the device will be in fastbootd. Reboot to bootloader.
  6. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  7. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  8. Reboot your device. You should now be updated with root.
Note: If you prefer, you can update using the flash-all script included in the factory zip. You will have to copy the script, bootloader image, radio image, and update zip into the Platform Tools folder; you will then have to edit the script to remove the -w option so it doesn't wipe your device.
The scripted commands should look like this:
Code:
fastboot flash bootloader <bootloader image name>
fastboot reboot bootloader
ping -n 5 127.0.0.1 > nul
fastboot flash radio <radio image name>
fastboot reboot bootloader
ping -n 5 127.0.0.1 > nul
fastboot update --skip-reboot --slot=all <image-device-buildnumber.zip>
Once this completes, you can reboot to bootloader and either boot your master patched image, or if you patched the new image, flash it at this time.

  1. Follow the instructions on the Android Flash Tool to update your device. Make sure Lock Bootloader and Wipe Device are UNCHECKED.
  2. When the update completes, the device will be in fastbootd. Reboot to bootloader.
  3. Boot the master root image (See note 1):
    Code:
    fastboot boot <drag and drop master root.img here>
    Note: If you prefer, you can download the factory zip and manually patch the new boot image, then flash it after the update. Do not flash an older boot image after updating.
  4. Your device should boot with root. Open Magisk, tap Install, and select Direct Install.
  5. Reboot your device. You should now be updated with root.

This is my configuration that is passing Safety Net. I will not provide instructions on how to accomplish this. Attempt at your own risk.

Zygisk + DenyList enabled
All subcomponents of these apps hidden under DenyList:
  • Google Play Store
  • GPay
  • Any banking/financial apps
  • Any DRM media apps
Modules:
To check SafetyNet status:
I do not provide support for Magisk or modules. If you need help with Magisk, here is the Magisk General Support thread. For support specifically with Magisk v24+, see this thread.

Points of note:
  • The boot image is NOT the bootloader image. Do not confuse the two - YOU are expected to know the difference. Flashing the wrong image to bootloader could brick your device.
  • While the Magisk app is used for patching the boot image, the app and the patch are separate. This is what you should see in Magisk for functioning root:
    [Screenshot of the Magisk app]
  • "Installed" shows the version of patch in the boot image. If this says N/A, you do not have root access - the boot image is not patched, or you have a problem with Magisk.
  • "App" simply shows the version of the app itself.
  • If you do not have a patched master boot image, you will need to download the factory zip if you haven't already, extract the system update inside it, then patch boot.img.
  • If you prefer updating with the factory image, you can also extract and manually patch the boot image if desired.
  • Some Magisk modules, especially those that modify read only partitions like /system, may cause a boot loop after updating. As a general rule, disable these modules before updating. You are responsible for knowing what you have installed, and what modules to disable.


Credits:
Thanks to @ipdev , @kdrag0n , @Didgeridoohan , and last but not least, @topjohnwu for all their hard work!
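
Added example, not part of the guide above or of any Google or Magisk tooling: a Python pre-flight check for the "compare bootloader/baseband versions" steps, reading the `require` lines from `android-info.txt` inside the update zip and comparing them with `fastboot getvar version-bootloader` / `version-baseband` output. The zip contents, version strings and getvar output are constructed samples, and the function names are hypothetical.

```python
"""Pre-flight check for `fastboot update`: does the device meet the image's
bootloader/radio requirements? All sample values below are constructed."""
import io
import zipfile

# The two variables the guide says to compare before applying the update.
CHECKED = ("version-bootloader", "version-baseband")


def parse_requirements(android_info: str) -> dict:
    """Return {variable: set of accepted values} from 'require name=a|b' lines."""
    reqs = {}
    for raw in android_info.splitlines():
        line = raw.strip()
        if not line.startswith("require "):
            continue  # ignore blank lines and other directives
        name, sep, values = line[len("require "):].partition("=")
        if sep:
            reqs[name.strip()] = {v.strip() for v in values.split("|")}
    return reqs


def parse_getvar(output: str) -> dict:
    """Parse 'name: value' lines as printed by `fastboot getvar <name>`."""
    found = {}
    for raw in output.splitlines():
        line = raw.strip().removeprefix("(bootloader) ")
        name, sep, value = line.partition(":")
        if sep and not name.lower().startswith("finished"):
            found[name.strip()] = value.strip()
    return found


def read_android_info(image_zip: bytes) -> str:
    """Extract android-info.txt from the update zip (image-<device>-<build>.zip)."""
    with zipfile.ZipFile(io.BytesIO(image_zip)) as zf:
        return zf.read("android-info.txt").decode("utf-8")


def unmet(reqs: dict, device: dict) -> list:
    """List the checked requirements the device does not satisfy (empty = OK)."""
    problems = []
    for name in CHECKED:
        accepted = reqs.get(name)
        if accepted is None:
            continue  # image does not constrain this variable
        actual = device.get(name)
        if actual not in accepted:
            want = " or ".join(sorted(accepted))
            problems.append(f"{name}: device={actual}, image requires {want}")
    return problems


def sample_image_zip() -> bytes:
    """Constructed stand-in for the update zip; version strings are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("android-info.txt",
                    "require board=raven\n"
                    "require version-bootloader=example-bl-0002\n"
                    "require version-baseband=example-radio-0002\n")
    return buf.getvalue()


# Constructed `fastboot getvar` output: bootloader is current, radio is stale.
SAMPLE_GETVAR = (
    "version-bootloader: example-bl-0002\n"
    "Finished. Total time: 0.001s\n"
    "version-baseband: example-radio-0001\n"
    "Finished. Total time: 0.001s\n"
)

if __name__ == "__main__":
    reqs = parse_requirements(read_android_info(sample_image_zip()))
    for problem in unmet(reqs, parse_getvar(SAMPLE_GETVAR)) or ["all requirements met"]:
        print(problem)
```

On a real device, pass in the captured output of the two getvar commands (fastboot prints it on stderr) and the bytes of the update zip extracted from the factory zip.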
 

Ghisy

Senior Member
Now THIS is a useful thread! Thanks 👍

I might try to root my P6P this week-end.

If I already took the OTA from Google, can I just go to #6? (there's no data on my phone yet, just BL unlocked)

"6. Reflash vbmeta to disable boot verification"
 

V0latyle

Forum Moderator
Staff member
> Now THIS is a useful thread! Thanks 👍
>
> I might try to root my P6P this week-end.
>
> If I already took the OTA from Google, can I just go to #6? (there's no data on my phone yet, just BL unlocked)
>
> "6. Reflash vbmeta to disable boot verification"

Yes. You're basically on a clean factory flash. It might still throw a "corrupted" error at you but a factory reset fixes it.

> Is it necessary to flash modified boot to "slot all"? I never did this before without issues. I always just did flash boot modifiedboot.img

Not really; I prefer to do that after OTA because OTA is an out of band update that installs to the inactive slot. You don't really have to use the slot commands at all, but I've come into the habit of using them.
 

V0latyle

Forum Moderator
Staff member
> Is there any way to go back to DM Verity + AVB enabled without wiping after this?

Yes - this is in fact the default state if the "disable" flags are not used. All you'd have to do is reflash vbmeta without any flags. Make sure you fully intend to do so, because 1. You won't be able to run a modified boot image, thereby preventing permanent root and 2. If you decided to disable vbmeta again, you would have to wipe data again.
 

mkhcb

Senior Member
For the Android flash tool method, can't you just patch the boot image and add it to the flash tool and skip the reboot to then flash the patched boot?

Someone needs to make a batch file for the above.
 

V0latyle

Forum Moderator
Staff member

> @V0latyle, Is there any downside of using Factory Update vs OTA Sideload for monthly update? Since I will need to download the factory zip anyway for both methods, I would go with the factory update.

Nope, no downside that I'm aware of; many people used the factory images for updates on Android 11 and prior without any problems. Just make sure you flash it with --disable-verification --disable-verity

> For the Android flash tool method, can't you just patch the boot image and add it to the flash tool and skip the reboot to then flash the patched boot?
>
> Someone needs to make a batch file for the above.

I think you're confusing Android Flash Tool with something else. Take a look at the link - you connect your phone via USB and can install firmware direct from Google. There is no option to substitute your own files, which is a good thing.

As for adding the boot image to the flash process...I would avoid this, personally. You CAN edit the flash-all.bat to do this and some members here have. But, P6 and P6 Pro users have run into problems using a boot image they patched prior to updating, so here is my recommendation:

Flash the factory image with verity and verification disabled, and let the update complete including a boot to system. Once in system, you can then patch the boot image, reboot to bootloader, and flash it to /boot.
 

Bandsalat

Member
> Yes - this is in fact the default state if the "disable" flags are not used. All you'd have to do is reflash vbmeta without any flags. Make sure you fully intend to do so, because 1. You won't be able to run a modified boot image, thereby preventing permanent root and 2. If you decided to disable vbmeta again, you would have to wipe data again.

Tried that, but the P6 Pro fails to boot and just goes back to the bootloader after this.
 

biTToe

Senior Member
I have a dumb question:
There seem to be two different commands to disable flags:
fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
&
fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

Are they equivalent i.e., does the order matter?
 

roirraW "edor" ehT

Forum Moderator
Staff member
> I have a dumb question:
> There seem to be two different commands to disable flags:
> fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
> &
> fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
>
> Are they equivalent i.e., does the order matter?

No, the order doesn't matter; yes, they're equivalent.
 

V0latyle

Forum Moderator
Staff member
> No, the order doesn't matter; yes, they're equivalent.

The way I like to think of it is like this:

[Application: Fastboot/adb] [Command: What you want to do] [Destination: Where you want it to be done] [Modifiers: How you want it to be done] [Payload: What you want to be put there]

Those of us who grew up with DOS would probably do it like this:
Code:
fastboot flash vbmeta vbmeta.img --disable-verity --disable-verification

But I believe it could also be done like this:
Code:
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
 

Top Liked Posts

  • 4
    Have you tried live booting followed by a direct install? :) This way if it fails, Android will just boot the stock boot image
    That's an excellent idea for @android_dan.

    Edit/add-on:
    Thanks for the reply. Maybe I'm being dense but not sure how the flash tool is going to help. The problem isn't recovering from the bootloop. That's just a matter of flashing an unpatched boot image. The problem is what could be causing the patched file to bootloop the phone. I've updated this rooted phone 3 or 4 times now by flashing a patched boot file with no issues and have changed nothing on the phone
    I suggested the Official Google Android Flash Tool site because it has fixed things that manually flashing the factory image hasn't, in at least a dozen examples I've read about in this section alone in the six months the P6P has been out.

    I know that it doesn't sound necessarily rational, but it's happened often enough and almost every time it's been suggested to someone to do that instead of manually flashing the factory image zip, that the online tool fixed their issue.
    4
    Magisk Canary 24309 is out with support for the Pixel 6 Android 13 beta.

    Download
    4
    No idea... this was the 1st time it's happened to me on A12. Do you think I should use canary? Mind you, I should note the 'direct install' option was still available, but when I tried it it failed, can't remember the error.

    See post above and I think there's a note a page or two back too. 24.3 doesn't work for the later April FW
    3
    Android Flash Tool got me back into the OS. I patched the May boot.img then flashed it. I'm good and rooted.
    thank you very much for the help
    9
    Magisk Stable is now at version 24.1, so I will no longer be providing any Magisk updates.

    You can use any version of Magisk now - Stable, Beta, or Canary, as long as it is 23016 or newer.

    Once again, if you want to switch versions of Magisk, it is HIGHLY RECOMMENDED that you "Complete Uninstall" within Magisk before installing the new version. Multiple instances of Magisk can break root.

    If you simply want to update Magisk, the best way to do so is from within the app.


    Once the February update is out, I will perform some testing with installing to inactive slot, and if it works, I will update this guide.

    Given the low activity on this thread, I will probably close it if everything goes well with the next update.

    Thank you all for your testing and contributions.
    8
    My update process is to remove vbmeta.img (in addition to removing the -w flag in the flash-all script) from the factory zip before I flash it in fastboot. Seems to have worked so far, ymmv.
    7
    I just used this method, (same one described on Magisk website here https://topjohnwu.github.io/Magisk/ota.html) and it worked perfectly, both root and safetynet.
    Can someone explain to me why you see all kinds of guides to update which are far more complicated than that?
    Part of it is due to device differences - non A/B devices can't use seamless updates, so re-rooting is only possible by either patching the boot image directly, or by flashing Magisk in a custom recovery.

    Part of it is also due to user preferences. Some people, like me, prefer to update using the factory images, instead of OTA.

    And part of it is probably a bit of misinformation mixed in with anecdotes, where people don't fully understand how the process works, but they declare that something has to be done a certain way because of what worked for them.

    I try to stick to the first two. I've spent a lot of time learning about how Android works, so I make a point of providing instructions that align with how everything is supposed to be done, while accommodating alternatives for those who want them.

    Are you 100% sure?

    Cause topjohnwu said that OTA patching from within Magisk was broken for Pixel devices.

    See here

    Notice the date of that post, 16 months ago. Magisk Canary 23017 re-incorporated the ability to install to inactive slots.

    I have been following the commits closely, so when 23017 was released, I announced it in my guides. Had you read back a couple pages, your question has been answered.

    If you don't believe me, check the commits here.
    7
    Magisk Canary updated to 23019
    Changes:
    - [Zygisk] Skip loading modules into the Magisk app to prevent conflicts
    - [MagiskBoot] Change `zopfli` to a more reasonable config so it doesn't take forever
    - [General] Several `BusyBox` changes

    Preferred method of update is from within Magisk app.


    If installing for the first time, here is the APK Download