How To Guide Root POCO M4 Pro 4G (fleur) using Magisk

[aricooperdavis]

Rooting the POCO M4 Pro 4G (fleur) turned out to be quite straightforward. Note, I have a 2201117PG (EEA), you may have a different experience, it's not my fault if you brick your phone etc. Backup before you start as this will wipe your phone.

The process can be broken down into 4 steps:

1. Unlock Bootloader
2. Source boot.img
3. Patch boot.img (using Magisk)
4. Flash patched boot.img (using adb)

1. Unlock Bootloader​

Note: This step will wipe your phone.

This can be done using the official tool from MIUI, using MediatekBootloaderUnlock (Windows 10/11, which reportedly does not wipe your user data), or using mtkclient (Any OS but requires Python). I will explain the mtkclient option as I'm on Linux and don't trust MIUI with more personal data than I have to.

Step-by-step (adapted from this How to Guide):

• Install mtkclient and its dependencies (easier if familiar with installing python packages etc., straightforward for me on Linux)
• On your phone activate developer mode and turn on USB debugging and OEM unlocking
• Turn off phone and disconnect from computer
• In the directory where you installed mtkclient run:
  • python mtk e metadata,userdata,md_udc
    • This erases your data
    • At this point plug your phone in (still turned off)
  • python mtk da seccfg unlock
    • This unlocks the bootloader
  • python mtk reset
    • This reboots the phone
• Disconnect USB cable and reboot phone
  • When it boots a message is displayed warning that dm-verity is corrupted. Click the power button to dismiss and continue booting.

2. Source boot.img​

• Find your MIUI version in Settings -> About phone -> MIUI Version and look for the version number (e.g. 13.0.6.0(RKEEUXM))
• Visit the MIUI Updates Tracker and download the matching Stable Fastboot update (if you can't find it scroll down to Extracting boot.img from Payload)
• Unzip the TGZ and the TAR that it contains then navigate to the images directory and find the boot.img file

3. Patch boot.img​

We need to patch the boot.img to give it root powers. We do this on the phone using Magisk.

Step-by-step (adapted from the Magisk installation instructions):

• On your phone, download Magisk and install it
• Connect your phone to your computer and put the boot.img you extracted on your phone somewhere
• Open Magisk and in "Magisk" section tap "Install"
• Choose the "Select and Patch a File" option and select your boot.img in the file browser and let Magisk patch it
• Find the patched boot image in Downloads (called magisk_patched_*.img) and copy it to your computer in the same directory as the vbmeta.img we extracted earlier

4. Flash patched boot.img​

Finally we need to replace the current boot.img on the phone with our patched one that has root powers. This is called flashing and is done using adb.

Step-by-step:

• Install the Android SDK platform tools which contains adb and fastboot
• Install a USB driver that supports fastboot mode (you cannot use fastbootd for this or you'll bootloop)
• Ensure your phone is connected, USB debugging is enabled and working, and OEM Unlocking is enabled
• In the directory you copied the magisk_patched_*.img to run:
  • adb reboot bootloader
    • This reboots your phone into fastboot mode. Wait until "FASTBOOT" is displayed on the screen
  • fastboot flash boot magisk_patched_*.img
    • This flashes the patched boot.img to give you root
  • fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
    • This flashes the vbmeta.img, disabling the dm-verity corruption message at startup
• Once it's done reboot your phone by pressing and holding the power button

That's all there is to it! This took me about an hour as I was working out all the steps as I've not rooted in a phone in nearly a decade - I reckon with a fast internet connection you could get it done in about 15 minutes.

Extract boot.img from Payload​

If you can't find a fastboot image (boot.img) for your version then you might be able to extract it from the full firmware package. This will require the use of a third party tool such as payload-dumper (python) or payload-dumper-go. Note that you may be better off just waiting for the fastboot image to be released to the public.

Tidying up​

You can delete all the stuff you downloaded onto your computer and the boot.img and magisk_patched_*.img from your phone.

It's a good idea to disable automatic OTA updates (Settings -> Additional settings -> Developer options -> Automatic sytem updates) so that you can update through Magisk.

Some apps will be able to tell that you have rooted your phone, and may stop you from using them. You can check this by downloading YASNAC onto your phone and seeing if it passes. If not (which it won't) the most straightforward solution is to add the Universal SafetyNet Fix module to Magisk, then enable Zygisk in Magisk settings and restart your phone, which will be enough to pass SafetyNet Attestation. If they're clever and still detect the root then in Magisk toggle Enforce DenyList and add the problematic apps to the DenyList.



Updating Magisk
You cannot update Magisk via the Magisk app, as this device does not allow writing to the boot partition at runtime.

Instead, update the Magisk app, then use it to patch your stock boot.img and flash it manually using fastboot, as if you were installing it from scratch (as above). This will not wipe your user data, but be sure to backup first in case something goes wrong.

 

[MarkLev]

Rooting the POCO M4 Pro 4G (fleur) turned out to be quite straightforward. Note, I have a 2201117PG (EEA), you may have a different experience, it's not my fault if you brick your phone etc.

The process can be broken down into 4 steps:

1. Unlock Bootloader
2. Source boot.img (using payload_dumper)
3. Patch boot.img (using Magisk)
4. Flash patched boot.img (using adb)

1. Unlock Bootloader​

This can be done using the official tool from MIUI or using mtkclient. I went for the mtkclient option as I don't want to send more of my personal data to MIUI than I have to.

Step-by-step (adapted from this How to Guide):

• Install mtkclient and its dependencies (easier if familiar with installing python packages etc., straightforward for me on Linux)
• On your phone activate developer mode and turn on USB debugging and OEM unlocking
• Turn off phone and disconnect from computer
• In the directory where you installed mtkclient run:
  • python mtk e metadata,userdata,md_udc
    • At this point plug your phone in (still turned off)
  • python mtk da seccfg unlock
  • python mtk reset
• Disconnect USB cable and reboot phone
  • When it boots a message is displayed saying it is corrupted. Click the power button to dismiss and continue booting.

2. Source boot.img​

The boot.img needs to be extracted from the official MIUI firmware package using payload_dumper.

Step-by-step:

• Download the firmware package for your device (you can check what version you need in Settings -> About phone -> MIUI version (For POCO)
• Extract the .zip and find the payload.bin file
• Download the payload dumper, extract the zip, and place the payload.bin file in the payload_dumper folder
• In the payload_dumper directory run:
  • python payload_dumper.py payload.bin
• This will extract lots of files from the firmware package. You only need to keep boot.img and vbmeta.img

3. Patch boot.img​

We need to patch the boot.img to give it root powers. We do this on the phone using Magisk.

Step-by-step (adapted from the Magisk installation instructions):

• On your phone, download Magisk and install it
• Connect your phone to your computer and put the boot.img you extracted on your phone somewhere
• Open Magisk and in "Magisk" section tap "Install"
• Choose the "Select and Patch a File" option and select your boot.img in the file browser and let Magisk patch it
• Find the patched boot image in Downloads (called magisk_patched_*.img) and copy it to your computer in the same directory as the vbmeta.img we extracted earlier

4. Flash patched boot.img​

Finally we need to replace the current boot.img on the phone with our patched one that has root powers. This is called flashing and is done using adb.

Step-by-step:

• Install the Android SDK platform tools which contains adb and fastboot
• Install a USB driver that supports fastboot mode
• Ensure your phone is connected, USB debugging is enabled and working, and OEM Unlocking is enabled
• In the directory you copied the magisk_patched_*.img to run:
  • adb reboot bootloader
    • This reboots your phone into fastboot mode. Wait until "FASTBOOT" is displayed on the screen
  • fastboot flash boot magisk_patched_*.img
  • fastboot flash vbmeta --disable-verity --dsable-verification vbmeta.img
• Once it's done reboot your phone by pressing and holding the power button

That's all there is to it! This took me about an hour as I was working out all the steps as I've not rooted in a phone in nearly a decade - I reckon with a fast internet connection you could get it done in about 15 minutes.

Tidying up​

You can delete all the stuff you downloaded onto your computer and the boot.img and magisk_patched_*.img from your phone.

It's a good idea to disable automatic OTA updates (Settings -> Additional settings -> Developer options -> Automatic sytem updates) so that you can update through Magisk.

Some apps will be able to tell that you have rooted your phone, and may stop you from using them. You can check this by downloading YASNAC onto your phone and seeing if it passes. If not (which it won't) the most straightforward solution is to add the Universal SafetyNet Fix module to Magisk, then enable Zygisk in Magisk settings and restart your phone, which will be enough to pass SafetyNet Attestation. If they're clever and still detect the root then in Magisk toggle Enforce DenyList and add the problematic apps to the DenyList.

Wow, Thank you very much!
Very details!
Will try it in my spare time.

 

[aricooperdavis]

Wow, Thank you very much!
Very details!
Will try it in my spare time.

Good luck, let us know how it goes and what you do with your root! So far I've installed AdAway and De-Bloater

 

[Lark5]

aricooperdavis. hi!​

I buy phone Poco M4 Pro (4G) (fleur). Please help me get ROOT rights for this phone.
I do not have PYTHON, but I have mtkclient - the bootloader is unlocked, and there is an Android SDK for fastboot firmware.
Global 13.0.7.0 RKEMIXM now. You have 2 file 1.magisk_patched_*.img and 2. vbmeta.img for Global 13.0.7.0 ? Can I save them for download?

After unlocking the bootloader, using the mtkclient method, a new notification appeared
- dm-verity coruption
You device is corrupt/
It can't be trusted and may not work properly
Press power button to contime
Or, device will power off in 5 sec. Always need PRESS POWER for contime again How to fix it?

 

[aricooperdavis]

It sounds like you've done everything right so far.

Global 13.0.7.0 RKEMIXM now. You have 2 file 1.magisk_patched_*.img and 2. vbmeta.img for Global 13.0.7.0 ? Can I save them for download?

Sorry, I have the EEA firmware; RKEEUXM.

If you want to extract the boot.img and vbmeta.img from your firmware package you will have to install python. This is worth doing as installing updates in the future may require you to do this extraction process again.

Alternatively you may be able to use mtk to dump these images directly from the phone, but I don't have any experience with this. To perform updates this way you would have to completely unroot and relock the bootloader, update the firmware, then re-dump the new boot and vbmeta images and root again. I think just installing python is probably easier...

The error message you're seeing is dm-verity, and we disable this when flashing the vbmeta.img in step 4, which I've edited to clarify. You can see that we disable it in the final fastboot command:

fastboot flash vbmeta --disable-verity --dsable-verification vbmeta.img

• This flashes the vbmeta.img, disabling the dm-verity corruption message at startup

Good luck with your rooting!

 

[Lark5]

Unlock Bootloade and Root and RECOVERY for Poco M4 Pro (4G) with out Pyton (on Windows 10\11):

Unlock Bootloader:
1.Download the MediatekBootloaderUnlock archive. Unpack the archive ZIP.
2. Open the Driver folder and right-click the cdc-acm.inf file, select "Install"
3.Now go back to the main folder and install the USBDK (x64 for 64-bit OS, x86 for 32-bit OS) on your PC (also right click - install).
4. Reboot the PC.
5.Turn off the phone.
6.Run the UnlockBootloader.bat file to start the bootloader unlock process. We keep it on, it is in a state of response from the phone, if the firewood, the cable is connected, then everything is ok, I’ll tell you right away that it turned out 3 times.
7.Now connect the phone to the computer with a cable by holding down the volume up + down + power button. (If the volume up button doesn't work, try using volume up or volume up + volume down or all three hardware buttons) while the UnlockBootloader.bat file is open.
8.Once the phone is detected, some commands will be run in the UnlockBootloader.bat file. Let the commands finish and as soon as the window closes. Your bootloader will be unlocked.
BY THE WAY! - You can lock the bootloader again by following the same steps without clearing. Just use LockBootloader.bat with the same steps.

Root:
Downloading the official firmware for the phone, I took fleur_global_images_V13.0.7.0.RKEMIXM_20220419.0000.00_11.0_global (approximately 5.6GB in weight)
Unpacked it ZIP, pulled out 2 files from there fleur_global_images_V13.0.7.0.RKEMIXM_20220419.0000.00_11.0_global\images
boot.img and vbmeta.img

Downloaded Magisk STABLE Version: 24.3 - download on telephone, setup APP
Launch Magisk Manager. When a pop-up window appears asking you to install Magisk, select INSTALL and select install again.

Click on "Fix Boot Image File".
Connect your device to PC via USB cable. Make sure USB debugging is enabled.
Download ADB \ fastoot (I took tools_r29.0.6-windows)
Run CMD as Administrator
We write -
adb devices - the phone must be determined (QX ********* device - so all drivers are correct)
adb reboot bootloader - The phone reboots into fastboot mode - an inscription on the screen if dm-verity corruption messages appear - press POWER to continue
fastboot flash boot boot_PATCH.img (file name how to change)
fastboot flash vbmeta --disable-verity --dsable-verification vbmeta.img - will remove the inscription dm-verity corruption

OrangeFox-R11 RECOVERY:​

Downloads for : -Android- Generic Device/Other | AndroidFileHost.com | Download GApps, Roms, Kernels, Themes, Firmware and more. Free file hosting for all Android developers.

Download GApps, Roms, Kernels, Themes, Firmware, and more. Free file hosting for all Android developers.

androidfilehost.com

Download, and Run CMD as Administrator
We write -
fastboot flash boot XXXXNAMEXXXX.img
Flash !boot! not fastboot flash recovery XXXXNAMEXXXX.img

 

[aricooperdavis]

Well done, glad you've got it sorted!

To clarify, this essentially follows the same 4 steps outlined in my post but using different tools that don't require python:

1. Unlock Bootloader
   - Used MediatekBootloaderUnlock rather than mtkclient
2. Source boot.img
   - Managed to find the images online without having to extract them from a ROM. @Lark5, where?
3. Patch boot.img (using Magisk)
   - Same
4. Flash patched boot.img (using adb)
   - Same

I think there's also a custom recovery install too (OrangeFox [not yet officially supported]) at the end. I tend not to bother with custom recoveries as I stick with the stock MIUI ROM and a custom recovery would complicate applying OTA updates. However, if you wish to install a custom ROM (anything other than a stock MIUI signed boot.img) then a custom recovery would be necessary, and they can also facilitate taking device backups etc.

 

[Lark5]

Well done, glad you've got it sorted!

To clarify, this essentially follows the same 4 steps outlined in my post but using different tools that don't require python:

1. Unlock Bootloader
   - Used MediatekBootloaderUnlock rather than mtkclient
2. Source boot.img
   - Managed to find the images online without having to extract them from a ROM. @Lark5, where?
3. Patch boot.img (using Magisk)
   - Same
4. Flash patched boot.img (using adb)
   - Same

I think there's also a custom recovery install too (OrangeFox). I tend not to bother, but it can be convenient.

2. Find ROM on this link: https://mirom.ezbox.idv.tw/en/phone/fleur/roms-global-stable/
Fastboot Download V13.0.7.0.RKEMIXM
Explanations:
For fastboot (~5.6Gb) - firmware version, just unzip the ZIP, inside there is boot.img and vbmeta
For recovery (-2.5Gb) needed to extract boot.img Through Pyton for example

thanks for the help aricooperdavis

 

[aricooperdavis]

Find ROM on this link: https://mirom.ezbox.idv.tw/en/phone/fleur/roms-global-stable/

That's a great resource - the files it links to seem to be hosted on MIUIs servers too, so they're verifiably official

The more general link for all regions (not just global) for this phone would be: https://mirom.ezbox.idv.tw/en/phone/fleur/

I've updated the instructions to reflect your experience, thanks @Lark5!

 

[Daafafagsgsgs]

Rooting the POCO M4 Pro 4G (fleur) turned out to be quite straightforward. Note, I have a 2201117PG (EEA), you may have a different experience, it's not my fault if you brick your phone etc. Backup before you start as this will wipe your phone.

The process can be broken down into 4 steps:

1. Unlock Bootloader
2. Source boot.img
3. Patch boot.img (using Magisk)
4. Flash patched boot.img (using adb)

1. Unlock Bootloader​

Note: This step will wipe your phone.

This can be done using the official tool from MIUI, using MediatekBootloaderUnlock (Windows 10/11), or using mtkclient (Any OS but requires Python). I will explain the mtkclient option as I'm on Linux and don't trust MIUI with more personal data than I have to.

Step-by-step (adapted from this How to Guide):

• Install mtkclient and its dependencies (easier if familiar with installing python packages etc., straightforward for me on Linux)
• On your phone activate developer mode and turn on USB debugging and OEM unlocking
• Turn off phone and disconnect from computer
• In the directory where you installed mtkclient run:
  • python mtk e metadata,userdata,md_udc
    • This erases your data
    • At this point plug your phone in (still turned off)
  • python mtk da seccfg unlock
    • This unlocks the bootloader
  • python mtk reset
    • This reboots the phone
• Disconnect USB cable and reboot phone
  • When it boots a message is displayed warning that dm-verity is corrupted. Click the power button to dismiss and continue booting.

2. Source boot.img​

Note: if your MIUI version (Available at: Settings -> About phone -> MIUI version) has a "Fastboot" file listed here then you can download that file and unzip it to find the boot.img and vbmeta.img, then skip to step 3.

Otherwise you'll have to extract them from the official MIUI firmware package using payload_dumper as follows.

Step-by-step:

• Download the firmware package for your device (you can check what version you need in Settings -> About phone -> MIUI version (For POCO))
• Extract the .zip and find the payload.bin file
• Download the payload dumper, extract the zip, and place the payload.bin file in the payload_dumper folder
• In the payload_dumper directory run:
  • python payload_dumper.py payload.bin
• This will extract lots of files from the firmware package. You only need to keep boot.img and vbmeta.img

3. Patch boot.img​

We need to patch the boot.img to give it root powers. We do this on the phone using Magisk.

Step-by-step (adapted from the Magisk installation instructions):

• On your phone, download Magisk and install it
• Connect your phone to your computer and put the boot.img you extracted on your phone somewhere
• Open Magisk and in "Magisk" section tap "Install"
• Choose the "Select and Patch a File" option and select your boot.img in the file browser and let Magisk patch it
• Find the patched boot image in Downloads (called magisk_patched_*.img) and copy it to your computer in the same directory as the vbmeta.img we extracted earlier

4. Flash patched boot.img​

Finally we need to replace the current boot.img on the phone with our patched one that has root powers. This is called flashing and is done using adb.

Step-by-step:

• Install the Android SDK platform tools which contains adb and fastboot
• Install a USB driver that supports fastboot mode
• Ensure your phone is connected, USB debugging is enabled and working, and OEM Unlocking is enabled
• In the directory you copied the magisk_patched_*.img to run:
  • adb reboot bootloader
    • This reboots your phone into fastboot mode. Wait until "FASTBOOT" is displayed on the screen
  • fastboot flash boot magisk_patched_*.img
    • This flashes the patched boot.img to give you root
  • fastboot flash vbmeta --disable-verity --dsable-verification vbmeta.img
    • This flashes the vbmeta.img, disabling the dm-verity corruption message at startup
• Once it's done reboot your phone by pressing and holding the power button

That's all there is to it! This took me about an hour as I was working out all the steps as I've not rooted in a phone in nearly a decade - I reckon with a fast internet connection you could get it done in about 15 minutes.

Tidying up​

You can delete all the stuff you downloaded onto your computer and the boot.img and magisk_patched_*.img from your phone.

It's a good idea to disable automatic OTA updates (Settings -> Additional settings -> Developer options -> Automatic sytem updates) so that you can update through Magisk.

Some apps will be able to tell that you have rooted your phone, and may stop you from using them. You can check this by downloading YASNAC onto your phone and seeing if it passes. If not (which it won't) the most straightforward solution is to add the Universal SafetyNet Fix module to Magisk, then enable Zygisk in Magisk settings and restart your phone, which will be enough to pass SafetyNet Attestation. If they're clever and still detect the root then in Magisk toggle Enforce DenyList and add the problematic apps to the DenyList.

When I gave this command fast boot flash dm verify it always unknown option in my cmd any solution ? can anybody help me??

 

[aricooperdavis]

When I gave this command fast boot flash dm verify it always unknown option in my cmd any solution ? can anybody help me??

Make sure you're copying the command exactly - it's fastboot rather than fast boot and verity not verify. Did you install the Android SDK platform tools that contain fastboot? You may need to restart after this install to make the command available in your command prompt/shell.

 

[Daafafagsgsgs]

Make sure you're copying the command exactly - it's fastboot rather than fast boot and verity not verify. Did you install the Android SDK platform tools that contain fastboot? You may need to restart after this install to make the command available in your command prompt/shell.

Yeah i copied the same command but how to install Android sdk tools can you suggest me a video?

 

[aricooperdavis]

Yeah i copied the same command but how to install Android sdk tools can you suggest me a video?

Go to this link, scroll to the downloads section, and select the right download for your OS, then follow the instructions.

This video shows the process, but has very annoying music!

 

[Daafafagsgsgs]

Make sure you're copying the command exactly - it's fastboot rather than fast boot and verity not verify. Did you install the Android SDK platform tools that contain fastboot? You may need to restart after this install to make the command available in your command prompt/shell.

I installed and tried everything this error comes

 

[aricooperdavis]

Interesting, that sounds like you've got an outdated version of fastbook. What does fastboot --version give you?

 

[Daafafagsgsgs]

Can i flash it with my phone ??
Adb otg app??

 

[aricooperdavis]

I don't know, I can't help you with that.

 

[Daafafagsgsgs]

Interesting, that sounds like you've got an outdated version of fastbook. What does fastboot --version give you?

Fastboot version

 

[aricooperdavis]

That's not an official version of fastboot, so it looks like it's missing the command you need. Download the proper Android SDK tools from Android (the same as the original link) and replace your "Minimal" version with it.

 

[Daafafagsgsgs]

That's not an official version of fastboot, so it looks like it's missing the command you need. Download the proper Android SDK tools from Android (the same as the original link) and replace your "Minimal" version with it.

After many tries i found that the command given is wrong

fastboot flash vbmeta --disable-verity --dsable-verification vbmeta.img
This is given


It will be
fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img

I is Missing Now i have flashed vb meta and problem is solved with the fastboot version i have

By the way thanks