Rapid Temporary Root for HD 8 & HD 10


diplomatic

Senior Member
Mar 12, 2017
Software root method for Mediatek MT816x, MT817x and MT67xx!
A tool that gives you a temporary root shell with Selinux permissive to do with as you please

STATUS
Confirmed Working
Fire HD 8 8th gen (2018) (thanks @xyz`) -- up to Fire OS 6.3.0.1 only
Fire HD 8 7th gen (2017) -- up to Fire OS 5.6.4.0 build 636558520 only
Fire HD 8 6th gen (2016) (thanks @bibikalka) -- up to Fire OS 5.3.6.4 build 626536720
Fire HD 10 7th gen (2017) (thanks @bibikalka) -- up to Fire OS 5.6.4.0 build 636558520 only
Fire TV 2 2015 (mt8173-based) (thanks @el7145) -- up to Fire OS 5.2.6.9 only
Fire 7 9th gen (2019) (thanks @Michajin) -- up to Fire OS 6.3.1.2 build 0002517050244 only
Fire HD 10 9th gen (2019) -- up to Fire OS 7.3.1.0 only
Various phones and tablets up to Android 9.x (see link below for full list)
Note that for Fire OS 5, OS version 5.3.x.x is newer than 5.6.x.x.

Amazing Temp Root for MediaTek ARMv8: expanded thread covering all compatible MTK devices

DISCLAIMER
Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software.

REQUIREMENTS
Proficiency with the Thanks button under XDA posts
A Fire HD tablet based on mt8163 or mt8173 (or another MTK ARMv8 device)
Either:
  • A PC with ADB installed to interact with your device, or
  • A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands

INSTRUCTIONS
  1. Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
    arm64: 64-bit kernel and userspace
    arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
    The arm64 one is suitable for most devices. The notable devices that need the arm version are the Fire HD 8 2018, Fire 7, and Fire HD 10 2019.
  2. Connect your device to ADB and push mtk-su to your /data/local/tmp folder
    Code:
    adb push path/to/mtk-su /data/local/tmp/
  3. Open an adb shell
    Code:
    adb shell
  4. Change to your tmp directory
    Code:
    cd /data/local/tmp
  5. Add executable permissions to the binary
    Code:
    chmod 755 mtk-su
  6. At this point keep your tablet screen on and don't let it go to sleep. Run the program
    Code:
    ./mtk-su
    If the program gets stuck for more than a few seconds, press Ctrl+C to close it.
    The -v option turns on verbose printing, which is necessary for me to debug any problems.
    It will take several seconds, but using the -v option, you should see output similar to this (with id command added):
    Code:
    $ ./mtk-su -v
    param1: 0x3000, param2: 0x18040, type: 2
    Building symbol table
    kallsyms_addresses pa 0x40bdd500
    kallsyms_num_syms 70337, addr_count 70337
    kallsyms_names pa 0x40c66d00, size 862960
    kallsyms_markers pa 0x40d39800
    kallsyms_token_table pa 0x40d3a100
    kallsyms_token_index pa 0x40d3a500
    Patching credentials
    Parsing current_is_single_threaded
    ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
    ffffffc000354868+54: ADD xd, x0, 2592
    init_task VA: 0xffffffc000fa2a20
    Potential list_head tasks at offset 0x340
    comm swapper/0 at offset 0x5c0
    Found own task_struct at node 1
    cred VA: 0xffffffc0358ac0c0
    Parsing avc_denied
    ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
    ffffffc0002f13bc+28: LDR [x0, 404]
    selinux_enforcing VA: 0xffffffc001113194
    Setting selinux_enforcing
    Switched selinux to permissive
    starting /system/bin/sh
    UID: 0  cap: 3fffffffff  selinux: permissive
    #
    Some other options:
    mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.
    mtk-su -s: Prints the kernel symbol table
    If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here.

    Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.

If you succeed in getting temporary root, at that point you might want to install SuperSU for a more permanent root solution. Here is the official guide on which files should be present to kickstart SuperSU from temporary root. They are available in the latest SuperSU zip file. Remember that this only applies to Fire OS 5.

FIRE OS 5 AND ANDROID 5 USERS: There's an automated SuperSU loader by @Rortiz2 that makes jumpstarting SuperSU quick and easy.

WARNING FOR FIRE HD 8 2018 AND OTHER FIRE OS 6 DEVICES: If you have achieved root on such a device, do not remount the system partition as read/write. The remount command will probably not work. But forcing it will trigger dm-verity, which will result in a very bad day. Your tablet will become inoperable until you restore the stock system partition. You can accomplish a lot without modifying /system. But if you would like to get persistent root with Magisk by unlocking the bootloader, head on over to @bibikalka's outstanding Unlock/Magisk/TWRP Tutorial.

DOWNLOAD
Current Version
Release 23

Past releases & change log live at Amazing Temp Root for MediaTek ARMv8

FAQ
I got the error, "This firmware cannot be supported". What do I do?
This means that your device's firmware is not prone to the mechanism used by mtk-su. Check the firmware version and build number of the OS on your device. If your version is higher than that next to your device on the list above, then mtk-su will no longer work on your device. There may be other ways to achieve root. Check elsewhere on the forum.

Will this work on the Fire 7?
No, it is very doubtful this method can be used on the MT8127 chipset. The same also goes for the Fire TV stick.

After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled is somehow more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.

Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader. But after running mtk-su, you may be able to use @xyz`'s revolutionary LK exploit or derivative works to achieve what is effectively an unlocked bootloader on some devices. Namely, you should be able to flash the specially crafted TWRP image using dd from Android.

How does this tool work?
It overwrites the process's credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, I don't think I should discuss that as of yet.

Will this work on the Fire TV Stick 4K?
Unfortunately, no. While it has a 64-bit chip, the required vulnerabilities are not present in its OS.

Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.

Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
  • It has already been answered in the FAQ or multiple times in the thread.
  • Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
  • Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
CREDITS
  • @Supersonic27543 for helping me port it to Fire OS 5 and namely the HD 8 7th gen
  • Thank you to everyone who has donated. You're the best!
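
As an added illustration of the success check described in step 6 and the "Important" note (this is not part of the original post and not code from the mtk-su tool), the following Python reads a saved `mtk-su -v` transcript and reports whether the run reached UID 0 with SELinux permissive, or which diagnostic lines belong in a report. Both sample transcripts are constructed and abbreviated from output shown in this thread; the newer `UID: ... cap: ... selinux: ...` summary line and the older `New UID/GID:` line are both handled.

```python
import re

# Constructed sample: abbreviated from the successful run shown in the first post.
SUCCESS_RUN = """\
param1: 0x3000, param2: 0x18040, type: 2
Building symbol table
Patching credentials
Found own task_struct at node 1
Setting selinux_enforcing
Switched selinux to permissive
starting /system/bin/sh
UID: 0  cap: 3fffffffff  selinux: permissive
"""

# Constructed sample: abbreviated from a failed run reported later in the thread
# (older release format, which prints no final "UID:" summary line).
FAILURE_RUN = """\
Building symbol table
warning: token_count 1
Patching credentials
__ksymtab_init_task not found
New UID/GID: 2000/2000
Setting selinux permissive
find_selinux_enforce_var() returned -1
starting /system/bin/sh
"""

# Newer releases print one summary line just before the shell starts.
SUMMARY_RE = re.compile(r"^UID:\s*(\d+)\s+cap:\s*([0-9a-fA-F]+)\s+selinux:\s*(\w+)")
# Older releases print the new credentials and the selinux switch on separate lines.
OLD_UID_RE = re.compile(r"^New UID/GID:\s*(\d+)/(\d+)")
# Lines worth quoting when reporting a failure in the thread.
DIAG_RE = re.compile(
    r"not found|returned -\d+|cannot be supported|unsupported|incompatible|^warning:",
    re.I,
)

ROOT_CAPS = 0x3FFFFFFFFF  # full capability mask printed on a successful run


def parse_run(output):
    """Summarise one mtk-su -v transcript.

    Returns a dict with uid (int or None), cap (int or None), selinux
    ('permissive', 'enforcing' or None) and diagnostics (list of lines).
    """
    result = {"uid": None, "cap": None, "selinux": None, "diagnostics": []}
    for line in output.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            result["uid"] = int(m.group(1))
            result["cap"] = int(m.group(2), 16)
            result["selinux"] = m.group(3).lower()
            continue
        m = OLD_UID_RE.match(line)
        if m:
            result["uid"] = int(m.group(1))
            continue
        if line.startswith("Switched selinux to permissive"):
            result["selinux"] = "permissive"
        if DIAG_RE.search(line):
            result["diagnostics"].append(line)
    return result


def succeeded(summary):
    """True only for the criteria given in the post: UID 0, SELinux permissive,
    and (where the release prints it) the full capability mask."""
    if summary["uid"] != 0 or summary["selinux"] != "permissive":
        return False
    return summary["cap"] is None or summary["cap"] == ROOT_CAPS


def verdict(output):
    """Decide between done, report, and retry for one transcript."""
    summary = parse_run(output)
    if succeeded(summary):
        return "root shell with selinux permissive"
    if summary["diagnostics"]:
        return "failed; report these lines: " + "; ".join(summary["diagnostics"])
    return "no root this run; exit the subshell and run mtk-su again"


if __name__ == "__main__":
    print(verdict(SUCCESS_RUN))
    print(verdict(FAILURE_RUN))
```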
 

diplomatic

Senior Member
Mar 12, 2017
How to use without a PC

INSTRUCTIONS FOR TERMINAL APP
You can optionally use mtk-su from a terminal emulator such as Termux or Terminal Emulator for Android (my preference). The gist of the process is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
  1. Download the current mtk_su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
  2. Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
    General idea: cp path/to/mtk-su ./
    For example,
    Code:
    cp /sdcard/mtk-su_r14/arm64/mtk-su ./
    For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
  3. Make file executable
    Code:
    chmod 700 mtk-su
  4. Run the program
    Code:
    ./mtk-su

If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and kernel sources, if possible.

Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
Code:
cd
cp path/to/mtk-su ./
chmod 700 mtk-su
./mtk-su
 

cybersaga

Senior Member
Jul 11, 2018
Loyalist, ON
Great work!

So could this theoretically work for any Mediatek device? Or do specific modifications need to be done for another model chip?

What do you think is likely the worst to happen if this is tried as-is on another device? Will it just not work? Or explode the device? :)

I have an Acer B3-A40 that has an MT8167 chip that I wouldn't mind rooting.
 

diplomatic

Senior Member
Mar 12, 2017
@cybersaga, yes, it's very possible it will work on an mt8167 device. Although I can't 100% guarantee it won't damage your device, I would just go ahead and try it. The risk is very minimal. It will print some error if it fails. I think realistically, I would need to tweak some parameters or make a workaround if there's a problem.

The method should be applicable to most 64-bit platforms. There are newer 4.x kernels where the necessary hole is not present, though. But time will tell what devices this ultimately will be compatible with.
 

xyz`

Senior Member
Jan 6, 2019
Very cool from what I can see, however it doesn't work on HD8 2018 because there's no 64-bit userspace (only the kernel is 64-bit), could you recompile it for arm?
 

diplomatic

Senior Member
Mar 12, 2017
Oh, that's a bummer, @xyz`. Why would they do that? I think there's some other tweaks I have to make besides compiling it. I'll post a test version as soon as I can. This might be the case for other devices too...
 

xyz`

Senior Member
Jan 6, 2019
(quoting @diplomatic's reply above)

Maybe you can just compile it as a static binary instead if that's easier.
 

dutchthomas

Senior Member
Apr 8, 2012
Awesome! I just rooted my HD8 2017

Try the automated script by @Rortiz2

Previous instructions:

For anyone that is confused by the process of manually installing SuperSu, I did the following...

IMPORTANT: This is for FireOS 5 devices such as HD8 2017. Do not attempt this on HD8 2018

  1. Install SuperSu from Playstore
  2. Download SuperSu and unzip somewhere
  3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
  4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
  5. mount -o remount -rw /system
  6. cp /data/local/tmp/su /system/xbin/su
  7. cp /data/local/tmp/su /system/xbin/daemonsu
  8. cp /data/local/tmp/supolicy /system/xbin/
  9. cp /data/local/tmp/libsupol.so /system/lib/
  10. cp /data/local/tmp/libsupol.so /system/lib64/
  11. chmod 0755 /system/xbin/su
  12. chcon u:object_r:system_file:s0 /system/xbin/su
  13. chmod 0755 /system/xbin/daemonsu
  14. chcon u:object_r:system_file:s0 /system/xbin/daemonsu
  15. at this point, running su should work and show a root shell
  16. daemonsu --auto-daemon
  17. Open SuperSu app and allow it to update the su binary

My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems less error-prone
 

bibikalka

Senior Member
May 14, 2015
@diplomatic

Wow!!! This is crazy !!! Where have you been before??? :D I almost had to drill a hole into HD8 2016!!! :D

I tried this on HD8 2016, FireOS 5.3.2.1, and the method worked! It takes less than 1 second to run, way faster than any Kingoroot. I had to exit and run again to get system mounting permissions rw as per @dutchthomas recommendation {mount -o remount -rw /system}. Then I updated su manually (using armv7 binaries from SR5-SuperSU-v2.82-SR5-20171001224502.zip - on HD10 2017 I am always using armv7 versions as well), and let SuperSu update itself. Full success! SuperSu needs to be set to "Grant" as per this link.

Now, for HD8 2018 I believe the following could work. 0) Drain the battery to really minimal amount ~ 3% 1) Run this to get temp root. 2) Zero out boot0 {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. At this point the device should be booting into BootRom mode (as claimed by others - @xyz`, @hwmod, @k4y0z, can you confirm?). In BootRom, run the scripts from this link. If it hangs in BootRom, just let it sit disconnected from anything. The low battery should shut it down, and you can try again later in BootRom. Low battery would remove the need to open the case should the amonet script hang.

Actually, for HD8 2018, if RPMB does not need to be cleared, all of amonet steps could be done via dd while having a temporary root shell. One could dd all of LK/TZ/boot/recovery/preloader. If RPMB needs clearing, then one should still dd everything but the preloader, which instead should be zeroed out {dd if=/dev/zero of=/dev/block/mmcblk0boot0}. Then amonet would be used to clear out RPMB, and put the preloader back. One of the current seeming issues is that amonet appears to write LK exploit into the memory area outside of boot0 size (thus precluding dd operation for that piece of code into boot0) - see this link for details. If this issue could be addressed, then HD8 2018 could be unlockable without ever opening the case.

My HD8 2016 output:
Code:
C:\Program Files\Minimal ADB and Fastboot>adb shell
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 mtk-su
[email protected]:/data/local/tmp $ ./mtk-su  -v
Building symbol table
kallsyms_addresses_pa 0x40ad8f00
kallsyms_num_syms 67082, addr_count 67082
kallsyms_names_pa 0x40b5c100
Size of kallsyms_names 805834 bytes
kallsyms_markers_pa 0x40c20d00
kallsyms_token_table_pa 0x40c21600
kallsyms_token_index_pa 0x40c21a00
Patching credentials
init_task va: ffffffc000edaa20
Possible list_head tasks at offset 0x338
0xffffffc0030c8338 0xffffffc050347638 0x000000000000008c
comm offset 0x5a8 comm: swapper/0
Found own task_struct at node 0
real_cred: 0xffffffc052669900, cred: 0xffffffc052669900
New UID/GID: 0/0
Setting selinux permissive
Found adrp at offset 4
ADRP x0, base is 0xffffffc001030000
Found ldr at offset 28
LDR [x0,444], selinux_enforce VA is 0xffffffc0010301bc
Switched selinux to permissive
starting /system/bin/sh
[email protected]:/data/local/tmp #


Edit: Despite my super careful SuperSu injection into FireOS 5.3.6.4 system image, I still could not get SuperSu to work after I restored this image using FlashFire. Regardless, the method from this thread also rooted 5.3.6.4 in no time! Awesome!
 

teamfresno

Senior Member
Apr 14, 2015
Awesome! I just rooted my HD8 2017

For anyone that is confused by the process of manually installing SuperSu, I did the following:
  1. Install SuperSu from Playstore
  2. Download SuperSu and unzip somewhere
  3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
  4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
  5. mount -o remount -rw /system
  6. cp /data/local/tmp/su /system/xbin/su
  7. cp /data/local/tmp/su /system/xbin/daemonsu
  8. cp /data/local/tmp/supolicy /system/xbin/
  9. cp /data/local/tmp/libsupol.so /system/lib/
  10. cp /data/local/tmp/libsupol.so /system/lib64/
  11. at this point, running su should work and show a root shell
  12. daemonsu --auto-daemon
  13. Open SuperSu app and allow it to update the su binary

My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems like a less error-prone middle ground.

Thanks for this! I'm not sure if I'm doing it correctly, but everything works fine until I get to #11. Do I just type su? When I do, it says permission denied.

EDIT: Just tried the new commands you edited and it worked. My FireHD 8 7th gen is now rooted.
 

k4y0z

Senior Member
Nov 27, 2015
Software root method found for Mediatek MT8163, MT8173 and MT67xx!
Great work!

(quoting @bibikalka's HD8 2018 proposal above)
If you want to zero out preloader, you should do it this way:
Code:
su -c "echo 0 > /sys/block/mmcblk0boot0/force_ro; cat /dev/zero > /dev/block/mmcblk0boot0; echo 'EMMC_BOOT' > /dev/block/mmcblk0boot0"
that way the sanity check of amonet won't fail.
I'm not sure about the boot0 size on the HD8. According to @xyz` it is 4MB on the HD8 as well.
 

diplomatic

Senior Member
Mar 12, 2017
(quoting @bibikalka's post above, including the HD8 2016 output)

Thanks for the feedback, bro! So the HD8 2016 is crossed off the untested list. For the HD8 2018, as far as I see, you can just flash the premade TWRP to recovery by dd. Why do you need to do the whole bootrom procedure? Then reboot to recovery to check if everything's ok. If not, Android will just restore the stock recovery on next boot. If TWRP works, just install Magisk or whatever you do to modify boot.

(quoting @dutchthomas's SuperSu steps above)

Oh, nice, thanks for this... This is more straightforward than doing it "offline". I just realized Chainfire has instructions specifically for dealing with exploits here.
 

k4y0z

Senior Member
Nov 27, 2015
(quoting @diplomatic's reply above)

Flashing TWRP isn't enough.
LK-payload needs to be written to boot0 at offset 0x200000.
Additionally you need to have the correct version of LK installed.
If you have an older version it could just be overwritten.
If your installed LK is newer, you will have to zero out RPMB.
 

Rortiz2

Senior Member
Mar 1, 2018
Barcelona
LOL
Very nice!
Awesome work @diplomatic
If you had discovered it before, I would not have asked you to compile TWRP for the BQ M8 and I would not have bothered you. By the way I prefer to have TWRP. (thanks!)
I have reinstalled stock in my BQ M8 and the script has worked! If you want you can add it to the list of devices...
On Fire 7 7th Gen it did not work. But we have TWRP.
EDIT: I have tried again and now I get this error
Code:
130|[email protected]_M8:/data/local/tmp $ ./mtk-su -v
Building symbol table
kallsyms_addresses_pa 0x40a43000
kallsyms_num_syms 49221, addr_count 49221
kallsyms_names_pa 0x40aa3400
Size of kallsyms_names 602609 bytes
kallsyms_markers_pa 0x40b36600
kallsyms_token_table_pa 0x40b36c00
warning: token_count 1
kallsyms_token_index_pa 0x40b36d00
Patching credentials
__ksymtab_init_task not found
New UID/GID: 2000/2000
Setting selinux permissive
find_selinux_enforce_var() returned -1
starting /system/bin/sh
 

bibikalka

Senior Member
May 14, 2015
(quoting @k4y0z's note on LK-payload and @diplomatic's TWRP-by-dd suggestion above)

Yep! Cannot just flash TWRP on HD8 2018 - need to also unlock bootloader, otherwise TWRP won't boot. Which is not a problem, and in theory can be done all via dd - except for the amonet address issue (2Mb), see more below.

(quoting @k4y0z's preloader zeroing command above)

OK - once boot0 is zeroed out, how does one get into BootRom after that? One basically turns off the tablet, and then plugs it into Linux with amonet listening? Which tablet models were tested so far with this BootRom activation method?

For the boot0 size, see these outputs from 2 tablets, 'cat /proc/partitions'. In both cases, boot0 is only 1Mb - 1024 blocks below. So it's not possible to dd beyond that 1Mb from within FireOS. If the exploit was placed at ~512 Kb, then it'd be all in range.

Fire HD8 2016:
Code:
major minor  #blocks  name
 179        0   15388672 mmcblk0
 179        1       3072 mmcblk0p1
 179        2       5120 mmcblk0p2
 179        3      10240 mmcblk0p3
 179        4      10240 mmcblk0p4
 179        5        256 mmcblk0p5
 179        6        500 mmcblk0p6
 179        7      16268 mmcblk0p7
 179        8      16384 mmcblk0p8
 179        9       6144 mmcblk0p9
 179       10        512 mmcblk0p10
 179       11       8192 mmcblk0p11
 179       12      10240 mmcblk0p12
 179       13       1024 mmcblk0p13
 179       14       5120 mmcblk0p14
 179       15       5120 mmcblk0p15
 179       16      40320 mmcblk0p16
 179       17       1024 mmcblk0p17
 179       18       1024 mmcblk0p18
 179       19    1653024 mmcblk0p19
 179       20     434176 mmcblk0p20
 179       21        512 mmcblk0p21
 179       22      16384 mmcblk0p22
 179       23       4320 mmcblk0p23
 179       24   13138927 mmcblk0p24
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4

Fire HD8 2018:
Code:
major minor  #blocks  name
 179        0   15267840 mmcblk0
 179        1       3072 mmcblk0p1
 179        2       4608 mmcblk0p2
 179        3       1024 mmcblk0p3
 179        4       1024 mmcblk0p4
 179        5       1024 mmcblk0p5
 179        6       5120 mmcblk0p6
 179        7       5120 mmcblk0p7
 179        8      40448 mmcblk0p8
 179        9        512 mmcblk0p9
 179       10       8192 mmcblk0p10
 179       11      16384 mmcblk0p11
 179       12      20480 mmcblk0p12
 179       13    3177472 mmcblk0p13
 179       14     230400 mmcblk0p14
 179       15     512000 mmcblk0p15
 179       16   11240431 mmcblk0p16
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4
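
As an added example (not posted by anyone in this thread and not part of amonet or mtk-su), the following Python reads a /proc/partitions listing like the two above, converts the 1 KiB block counts to bytes, and checks whether a raw write at a given offset fits inside the named partition, so a dd that would run past the end of mmcblk0boot0 can be refused before it is attempted. The sample listing is constructed from the Fire HD8 2018 table above with most user partitions trimmed; the 0x200000 offset is the boot0 offset mentioned earlier in the thread.

```python
# Constructed sample, taken from the Fire HD8 2018 /proc/partitions listing
# above (non-boot partitions trimmed for brevity).
HD8_2018_PARTITIONS = """\
major minor  #blocks  name
 179        0   15267840 mmcblk0
 179        1       3072 mmcblk0p1
 179       16   11240431 mmcblk0p16
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4
"""

BLOCK_SIZE = 1024  # /proc/partitions reports sizes in 1 KiB blocks


def parse_partitions(text):
    """Map device name -> size in bytes from /proc/partitions text."""
    sizes = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header ("#blocks" is not a number) and blank lines.
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        _major, _minor, blocks, name = fields
        sizes[name] = int(blocks) * BLOCK_SIZE
    return sizes


def write_fits(sizes, name, offset, length):
    """True if [offset, offset + length) lies entirely inside partition `name`."""
    if name not in sizes or offset < 0 or length <= 0:
        return False
    return offset + length <= sizes[name]


def dd_fits(sizes, name, bs, seek=0, count=1):
    """The same check expressed in dd terms: bs bytes per block, seek output
    blocks skipped before writing, count blocks written."""
    return write_fits(sizes, name, bs * seek, bs * count)


def check_write(sizes, name, offset, length):
    """Human-readable pre-flight result for a raw write to a block device."""
    if name not in sizes:
        return "%s: no such partition" % name
    size = sizes[name]
    if write_fits(sizes, name, offset, length):
        return "%s: %d bytes at 0x%x fit inside %d-byte partition" % (
            name, length, offset, size)
    return "%s: %d bytes at 0x%x would run past the end of %d-byte partition" % (
        name, length, offset, size)


if __name__ == "__main__":
    sizes = parse_partitions(HD8_2018_PARTITIONS)
    # boot0 is 1024 blocks = 1 MiB, so a write at 2 MiB cannot land inside it.
    print(check_write(sizes, "mmcblk0boot0", 0x200000, 4096))
    # A write at 512 KiB would be in range, as the post above notes.
    print(check_write(sizes, "mmcblk0boot0", 0x80000, 4096))
```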
 

JJ2017

Senior Member
Jan 7, 2017
Huawei P20 Pro
@diplomatic - awesome work - just had to give it a go for myself...

Factory reset my HD8 (2017) (root originally via @t0x1cSH "Fire hd8 2017 root, debrick" post) and followed your post plus the 'speedy SU install' from @dutchthomas - post 10.

One difficulty: mtk-su seemed to run fine and UID= 0 was shown - but I did have trouble getting the 'mount -o remount -rw /system' command to work at first - it needed a few attempts.
And then, using the work-through from post 10, I couldn't get full root (i.e. 'su' accepted at command prompt) until I changed permissions on each of the copied SU components (su, daemonsu etc) to those prescribed in the awesome Hardmod post.

Bit strange? I was using Fire OS 5.3.6.0 - I wonder if version makes any difference? Got there eventually tho' :good:
 

Rortiz2

Senior Member
Mar 1, 2018
Barcelona
(quoting @bibikalka's post above, including both /proc/partitions listings)
 179       36        747 mmcblk0boot0p4

When you execute that command, simply turn off the tablet and when you connect it to the PC it will detect it in BootROM Mode. Checked in Fire 7 2017.
 
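The discussion above hinges on reading the boot0 size out of `cat /proc/partitions` (1024 blocks = 1 MiB) and noticing that a write at the 2 MiB mark cannot land inside it. The following is an added example, not code from the thread: a small parser for that listing plus a bounds check that refuses a byte range falling outside the named partition. The listing embedded below is a constructed excerpt modelled on the HD8 2018 output quoted in the post; `parse_partitions` and `range_fits` are names chosen here.

```python
# Added example (not from the thread): parse /proc/partitions text and check
# whether a byte range lies inside a named partition before any dd-style write.
import re

# Constructed excerpt modelled on the HD8 2018 listing quoted in the post above.
SAMPLE_PROC_PARTITIONS = """\
major minor  #blocks  name
 179        0   15267840 mmcblk0
 179       32       1024 mmcblk0boot0
 179       33          2 mmcblk0boot0p1
 179       34          2 mmcblk0boot0p2
 179       35        256 mmcblk0boot0p3
 179       36        747 mmcblk0boot0p4
 179       64       4096 mmcblk0boot1
 179       96       4096 mmcblk0rpmb
"""

BLOCK_SIZE = 1024  # /proc/partitions reports sizes in 1 KiB blocks


def parse_partitions(text):
    """Return {name: size_in_bytes} from /proc/partitions text (header skipped)."""
    sizes = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", line)
        if m:  # header line has no numeric columns and is skipped
            sizes[m.group(4)] = int(m.group(3)) * BLOCK_SIZE
    return sizes


def range_fits(sizes, name, offset, length):
    """True only if [offset, offset + length) lies entirely inside partition `name`."""
    size = sizes.get(name)
    if size is None or offset < 0 or length < 0:
        return False
    return offset + length <= size


if __name__ == "__main__":
    sizes = parse_partitions(SAMPLE_PROC_PARTITIONS)
    print("boot0 size:", sizes["mmcblk0boot0"], "bytes")  # 1048576
    # ~512 KiB start with 64 KiB of data is within a 1 MiB boot0
    print("512 KiB range fits:", range_fits(sizes, "mmcblk0boot0", 512 * 1024, 64 * 1024))
    # anything at the 2 MiB mark is past the end of boot0 and must be refused
    print("2 MiB range fits:", range_fits(sizes, "mmcblk0boot0", 2 * 1024 * 1024, 1))
```

Run it against real `cat /proc/partitions` output to confirm a write range before touching the device, since a write past the partition end is exactly what the post says FireOS cannot do.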

Top Liked Posts

    39
    Awesome! I just rooted my HD8 2017

    Try the automated script by @Rortiz2

    Previous instructions:

    For anyone that is confused by the process of manually installing SuperSu, I did the following...

    IMPORTANT: This is for FireOS 5 devices such as HD8 2017. Do not attempt this on HD8 2018

    1. Install SuperSu from Playstore
    2. Download SuperSu and unzip somewhere
    3. adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
    4. Follow directions from OP to get a root shell. You should not get permission denied when running ls. If you see permission denied, run exit and try again. Took me a few tries
    5. mount -o remount -rw /system
    6. cp /data/local/tmp/su /system/xbin/su
    7. cp /data/local/tmp/su /system/xbin/daemonsu
    8. cp /data/local/tmp/supolicy /system/xbin/
    9. cp /data/local/tmp/libsupol.so /system/lib/
    10. cp /data/local/tmp/libsupol.so /system/lib64/
    11. chmod 0755 /system/xbin/su
    12. chcon u:object_r:system_file:s0 /system/xbin/su
    13. chmod 0755 /system/xbin/daemonsu
    14. chcon u:object_r:system_file:s0 /system/xbin/daemonsu
    15. at this point, running su should work and show a root shell
    16. daemonsu --auto-daemon
    17. Open SuperSu app and allow it to update the su binary

    My tablet hung at the boot logo when I manually installed SuperSu via the linked instructions. Installing the bare minimum and letting the SuperSu app do the rest seems less error-prone
    21
    OK, I'm a noob, but I cannot push: adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
    plus chmod: /system/xbin/su: No such file or directory


    PS C:\Users\Kenny\Desktop\platform-tools> adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
    error: device '(null)' not found
    PS C:\Users\Kenny\Desktop\platform-tools> adb push arm64/su arm64/supolicy arm64/libsupol.so /data/local/tmp
    cannot stat 'arm64/su': No such file or directory
    PS C:\Users\Kenny\Desktop\platform-tools> ^C
    PS C:\Users\Kenny\Desktop\platform-tools> adb shell
    karnak:/ $ cd /data/local/tmp
    karnak:/data/local/tmp $ chmod 755 mtk-su
    karnak:/data/local/tmp $ ./mtk-su -v
    Building symbol table
    kallsyms_addresses_pa 0x40baf400
    kallsyms_num_syms 69054, addr_count 69054
    kallsyms_names_pa 0x40c36300
    Size of kallsyms_names 830042 bytes
    kallsyms_markers_pa 0x40d00e00
    kallsyms_token_table_pa 0x40d01700
    kallsyms_token_index_pa 0x40d01b00
    Patching credentials
    init_task va: ffffffc000fcea20
    Possible list_head tasks at offset 0x338
    0xffffffc0030c8338 0xffffffc02f2b53b8 0x000000000000008c
    comm offset 0x5a8 comm: swapper/0
    Found own task_struct at node 0
    real_cred: 0xffffffc0387bf980, cred: 0xffffffc0387bf980
    New UID/GID: 0/0
    Setting selinux permissive
    Found adrp at offset 4
    ADRP x0, base is 0xffffffc00112e000
    Found ldr at offset 28
    LDR [x0,444], selinux_enforce VA is 0xffffffc00112e1bc
    Switched selinux to permissive
    starting /system/bin/sh
    karnak:/data/local/tmp # chmod 0755 /system/xbin/su
    chmod: /system/xbin/su: No such file or directory
    1|karnak:/data/local/tmp # /system/xbin/su
    /system/bin/sh: /system/xbin/su: not found
    127|karnak:/data/local/tmp #
    I made an automated-root method using this exploit.
    USE V3.0: https://forum.xda-developers.com/showpost.php?p=79441935&postcount=629
    19
    Automated Root 3

    In the end I have been able to make everything automatic and do not have to execute any command manually.
    I can assure you that this version:
    • Does not bring the SuperSU with ads
    • I have tested it and it worked perfectly on my Aquaris M8 (MT8163B)
    • It works with the mtk-su in the arm64 folder

    If you want to make it work on a device that uses the mtk-su from the arm folder, you just have to replace the mtk-su that is in the "files" folder.
    NOTE: If you get 'permission denied', press Ctrl + C and rerun the script.
    --->NOTE: Be sure to put grant in supersu!!<---
    So, sorry for the inconvenience caused in the previous Automated Roots. I will erase them.
    Regards!
    13
    Semi automated root v2

    Hi all,
    I updated the semi automated root:
    What have I updated?
    • All the commands that had to be written one by one, now run in a single command: sh data/local/tmp/root_fire.sh
    • Removed instructions2.txt and fire2-root.bat
    • Added a menu to choose each device

    Download: REMOVED! USE v3.0: https://forum.xda-developers.com/showpost.php?p=79441935&postcount=629