This is mainly for newer MTK devices for which there are no "one-click root" solutions available yet. With modifications, it should apply to some non-MTK devices as well.
This method is quite risky! If the SP Flash Tool backup comes out corrupt, you could get a brick!
Tools required:
1) MTKDroid tools ( http://forum.xda-developers.com/showthread.php?t=2160490 )
2) SPFlash Tools ( http://forum.xda-developers.com/showthread.php?t=2650125 )
3) Easy Magic TWRP Installer ( http://forum.xda-developers.com/showthread.php?t=2798257 )
4) Cofface's Bootimg tools ( http://en.miui.com/thread-27657-1-1.html )
5) 15s ADB installer ( http://forum.xda-developers.com/showthread.php?t=2588979 )
6) Chainfire's ADBD insecure ( http://forum.xda-developers.com/showthread.php?t=1687590 )
7) SPFT vcom drivers ( http://forum.xda-developers.com/showthread.php?t=2206421 )
If you already have an SP Flash Tools ROM for your phone, you can use the boot.img from that, and go straight to "SU through ADB".
Steps to get boot.img:
1) If you don't already have ADB, Fastboot, and drivers for your phone, download Snoop05's 15s ADB installer, and install ADB, fastboot, and drivers.
2) Connect your phone to your computer, and wait for all the drivers to finish installing. Open a command prompt window and type "ADB devices". If you see your device serial number, then proceed, else see the bottom of this post.
3) Open MTKDroid Tools. Click the "root" button on the bottom right. If it roots successfully, you don't need my guide!
4) Click "blocks map". You will see the partition structure of your phone. Press the "Create scatter file" button on this window. If it creates a scatter, go to step 5.
4a) If the scatter button is grayed out, close MTKDroid. Open the folder where you extracted MTKDroid Tools.
4b) Open MTKdroidTools.ini
4c) There is a line saying, "ScatVer111 =". After that, there are some numbers. Those numbers refer to MTK SoC numbers. Add your SoC number to the end of that line. You can get that number from CPU-Z or similar apps. Save the file.
4d) Open MTKDroid and do step 4 now. Remember, the scatter created in this way might not be particularly reliable. But it will work fine for SPFT readBack. Just don't try to use this to flash your phone without checking it first!
5) Open SP Flash Tool. On the "download" tab, click "scatter loading", and load the scatter file created in step 4.
6) Open the "Readback" tab. Click "add" on the top. Double click the new entry that appears. Choose a location to store your ROM dump in.
7) In the dialog that appears, choose "Hex" under "type".
7a) Open the scatter file created in step 4. Search for "partition_name: BOOTIMG".
7b) Enter the value of "linear_start_addr" as the start address in SP Flash Tools, and the number after "partition_size" as the end address.
8) Disconnect your phone, and switch it off. Take out the battery, and connect it to your computer. Wait for the drivers to install, then disconnect the phone again. If the drivers don't install, check the end of this post.
9) Click "readback" on SP Flash Tools, and connect the phone (without the battery). Press the power button ONCE.
10) SPFT will start the readback. Go to the folder where you saved the SPFT ROM_ file you read right now, and rename it "boot.img"
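Steps 7a and 7b can be checked with a short script before anything is typed into SP Flash Tools. This is an added example, not part of the original guide: the function names are hypothetical and the sample scatter text is constructed with made-up addresses; only the field names come from the steps above. It also rejects a scatter in which another partition starts inside the one being read, which is worth checking when the scatter came from the step 4c workaround.

```python
import re

# Constructed sample in the scatter layout the guide reads; addresses are made up.
SAMPLE_SCATTER = """\
- partition_index: SYS8
  partition_name: BOOTIMG
  file_name: boot.img
  linear_start_addr: 0x2d80000
  physical_start_addr: 0x2d80000
  partition_size: 0x1000000
- partition_index: SYS9
  partition_name: RECOVERY
  file_name: recovery.img
  linear_start_addr: 0x3d80000
  physical_start_addr: 0x3d80000
  partition_size: 0x1000000
"""

FIELD = re.compile(r"^\s*-?\s*(\w+):\s*(\S+)\s*$")

def parse_scatter(text):
    """Return {PARTITION_NAME: {field: value}} for every partition entry."""
    parts, cur = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "partition_index":      # each entry starts with this key
            cur = {}
        elif cur is not None:
            cur[key] = val
            if key == "partition_name":
                parts[val.upper()] = cur
    return parts

def readback_range(text, name):
    """Start address and size for one partition, rejecting overlapping entries."""
    parts = parse_scatter(text)
    entry = parts[name.upper()]           # KeyError if the scatter lacks it
    start = int(entry["linear_start_addr"], 16)
    size = int(entry["partition_size"], 16)
    if size <= 0:
        raise ValueError(f"{name}: partition_size is zero")
    for other, e in parts.items():
        o = int(e.get("linear_start_addr", "0"), 16)
        if other != name.upper() and start <= o < start + size:
            raise ValueError(f"{other} starts inside {name}; scatter is suspect")
    return start, size

if __name__ == "__main__":
    s, n = readback_range(SAMPLE_SCATTER, "BOOTIMG")
    print(f"start address {s:#x}, partition_size {n:#x}")
```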
To get SU through ADB:
11) Move boot.img and Cofface's bootimg tools to the same folder. Press shift and right-click inside the folder, then choose "open command window here". In the command prompt, type "bootimg --unpack-bootimg". Your boot.img will get extracted.
12) Open the "initrd" folder that just got created. Open the ramdisk folder. Find the folder that has a file called "adbd". Delete adbd. Open Chainfire's ADBD insecure with 7zip, and go to "assets". Copy the adbd.21.png file to the folder from which you just deleted "adbd". Rename this file "adbd" (without quotes, of course). Open default.prop, and change ro.secure to 0 and ro.debuggable to 1.
13) In the command window, type bootimg --repack-bootimg. It will create two files, boot-new.img, and boot-old.img. "boot-old.img" is your phone's original (stock) boot. "boot-new" is the newly modified one.
14) Switch on and connect your phone. Type "adb reboot bootloader" in command prompt. Your phone will reboot, and show something like "=fastboot". Type "fastboot boot boot-new.img". If your phone reboots, then it's fine: skip 14a, and continue to step 15.
14a) Otherwise, now comes the most dangerous part. Type "fastboot flash boot boot-new.img", then "fastboot reboot". If your boot.img has been corrupted somehow, this will kill your phone. If that happens, flash your stock ROM with SPFlash; there are many guides on XDA, check them.
15) Now you have an insecure bootloader. Type "adb shell" in command prompt to check. If you get a prompt like "[email protected]" or "android#", that means that you now have root access through adb. Now you only need to extend it beyond ADB.
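Because a corrupt boot.img or boot-new.img is what bricks the phone in step 14a, it is worth checking the file's header before it is flashed. This is an added example, not part of the original guide: it assumes the standard Android boot image header (the "ANDROID!" magic followed by little-endian size fields), and the function names and the zero-filled sample image are constructed for illustration.

```python
import struct
import sys

BOOT_MAGIC = b"ANDROID!"
HEADER = struct.Struct("<8s8I")  # magic + 8 little-endian u32 fields

def _pages(size, page):
    return (size + page - 1) // page

def check_boot_image(data):
    """Validate the header of a boot image; return the parsed sizes."""
    if len(data) < HEADER.size:
        raise ValueError("file is shorter than a boot image header")
    (magic, kernel_size, _kaddr, ramdisk_size, _raddr,
     second_size, _saddr, _tags, page_size) = HEADER.unpack_from(data)
    if magic != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not a boot image")
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"implausible page size {page_size}")
    if kernel_size == 0 or ramdisk_size == 0:
        raise ValueError("kernel or ramdisk size is zero")
    # One header page, then each section padded up to a whole page.
    needed = page_size * (1 + _pages(kernel_size, page_size)
                          + _pages(ramdisk_size, page_size)
                          + _pages(second_size, page_size))
    if len(data) < needed:
        raise ValueError(f"truncated: need {needed} bytes, have {len(data)}")
    return {"kernel": kernel_size, "ramdisk": ramdisk_size,
            "page": page_size, "needed": needed}

def make_sample(kernel_size=100, ramdisk_size=50, page=2048):
    """Constructed test image: valid header, zero-filled kernel and ramdisk."""
    header = HEADER.pack(BOOT_MAGIC, kernel_size, 0, ramdisk_size, 0, 0, 0, 0, page)
    body = page * (_pages(kernel_size, page) + _pages(ramdisk_size, page))
    return header.ljust(page, b"\0") + bytes(body)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = make_sample()
    print(check_boot_image(blob))
```

A readback of the whole partition is normally larger than the "needed" value because the rest of the partition is padding; a file smaller than "needed" means the dump or the repack is incomplete.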
INSTALLING THE SU BINARY
Just pushing SU and giving it the correct permissions is enough for some phones, others are more difficult. If pushing it does not work, see the custom recovery method.
Push SU
1) Download the SU binary, and SuperSU. Open a command prompt in the directory where you kept the SU binary, and type the commands below. File names and paths are case sensitive. The owner is set before the mode because chown clears the setuid bits that chmod 6755 sets.
Code:
adb remount
adb push su /system/bin/su
adb shell chown root:root /system/bin/su
adb shell chmod 6755 /system/bin/su
adb push SuperSU.apk /system/app/SuperSU.apk
adb shell chown root:root /system/app/SuperSU.apk
adb shell chmod 644 /system/app/SuperSU.apk
adb reboot
Now install Root Checker or some similar application, and check if you have got root access.
Through custom recovery:
1) Type:
Code:
adb remount
adb shell rm /system/bin/su
2) Do all the steps in the "Steps to get boot.img" section again, but this time, use the "linear_start_addr" and "partition_size" values of your recovery partition. Name the result "recovery.img".
3) Open the TWRP auto port utility, with the phone disconnected from the computer. Select the manual port option. Follow all the instructions on-screen. Connect the phone when asked, and install the new recovery when the option comes up.
4) After booting to TWRP, go to "reboot" -> "system". When TWRP asks to root your phone, tap "yes". After booting, install SuperSU from the app store.
DONE!
Some phones have problems with wifi when using the modified boot.img, if so, just:
Code:
fastboot flash boot boot-old.img
If your phone is not recognized when you connect it without the battery:
Connect without the battery.
Open device manager, and find the device with an "!" beside it. Double-click that -> update drivers -> "Let me choose" -> Android device -> Vcom driver. Install that, then it should work.
If "adb devices" does not list your phone, do the steps above, but choose "ADB interface" this time.