How To Guide Root POCO M4 Pro 4G (fleur) using Magisk

Search This thread

soutaminori

Member
Aug 18, 2017
8
12
There are no TWRPs for this device at all, as far as I know. Just the unofficial OrangeFox recovery.
I wanna try port trwp from realme narzo 50 cz that phone very similar. But the problem i can't find recovery.img from stock firmware. After i search information about this. Yap now i know its bundle with boot.img.
I can't found guide porting recovery from boot.img or something similar. If anyone found it please share. I wanna try.
 

pokrol

Member
Feb 8, 2008
12
1
Rooting the POCO M4 Pro 4G (fleur) turned out to be quite straightforward. Note, I have a 2201117PG (EEA), you may have a different experience, it's not my fault if you brick your phone etc. Backup before you start as this will wipe your phone.

The process can be broken down into 4 steps:
  1. Unlock Bootloader
  2. Source boot.img
  3. Patch boot.img (using Magisk)
  4. Flash patched boot.img (using adb)


1. Unlock Bootloader​

Note: This step will wipe your phone.

This can be done using the official tool from MIUI, using MediatekBootloaderUnlock (Windows 10/11), or using mtkclient (Any OS but requires Python). I will explain the mtkclient option as I'm on Linux and don't trust MIUI with more personal data than I have to.

Step-by-step (adapted from this How to Guide):
  • Install mtkclient and its dependencies (easier if familiar with installing python packages etc., straightforward for me on Linux)
  • On your phone activate developer mode and turn on USB debugging and OEM unlocking
  • Turn off phone and disconnect from computer
  • In the directory where you installed mtkclient run:
    • python mtk e metadata,userdata,md_udc
      • This erases your data
      • At this point plug your phone in (still turned off)
    • python mtk da seccfg unlock
      • This unlocks the bootloader
    • python mtk reset
      • This reboots the phone
  • Disconnect USB cable and reboot phone
    • When it boots a message is displayed warning that dm-verity is corrupted. Click the power button to dismiss and continue booting.

2. Source boot.img​

  • Find your MIUI version in Settings -> About phone -> MIUI Version and look for the version number (e.g. 13.0.6.0(RKEEUXM))
  • Visit the MIUI Updates Tracker and download the matching Stable Fastboot update
  • Unzip the TGZ and the TAR that it contains then navigate to the images directory and find the boot.img file

3. Patch boot.img​

We need to patch the boot.img to give it root powers. We do this on the phone using Magisk.

Step-by-step (adapted from the Magisk installation instructions):
  • On your phone, download Magisk and install it
  • Connect your phone to your computer and put the boot.img you extracted on your phone somewhere
  • Open Magisk and in "Magisk" section tap "Install"
  • Choose the "Select and Patch a File" option and select your boot.img in the file browser and let Magisk patch it
  • Find the patched boot image in Downloads (called magisk_patched_*.img) and copy it to your computer in the same directory as the vbmeta.img we extracted earlier

4. Flash patched boot.img​

Finally we need to replace the current boot.img on the phone with our patched one that has root powers. This is called flashing and is done using adb.

Step-by-step:
  • Install the Android SDK platform tools which contains adb and fastboot
  • Install a USB driver that supports fastboot mode
  • Ensure your phone is connected, USB debugging is enabled and working, and OEM Unlocking is enabled
  • In the directory you copied the magisk_patched_*.img to run:
    • adb reboot bootloader
      • This reboots your phone into fastboot mode. Wait until "FASTBOOT" is displayed on the screen
    • fastboot flash boot magisk_patched_*.img
      • This flashes the patched boot.img to give you root
    • fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
      • This flashes the vbmeta.img, disabling the dm-verity corruption message at startup
  • Once it's done reboot your phone by pressing and holding the power button
That's all there is to it! This took me about an hour as I was working out all the steps as I've not rooted in a phone in nearly a decade - I reckon with a fast internet connection you could get it done in about 15 minutes.



Tidying up​

You can delete all the stuff you downloaded onto your computer and the boot.img and magisk_patched_*.img from your phone.

It's a good idea to disable automatic OTA updates (Settings -> Additional settings -> Developer options -> Automatic sytem updates) so that you can update through Magisk.

Some apps will be able to tell that you have rooted your phone, and may stop you from using them. You can check this by downloading YASNAC onto your phone and seeing if it passes. If not (which it won't) the most straightforward solution is to add the Universal SafetyNet Fix module to Magisk, then enable Zygisk in Magisk settings and restart your phone, which will be enough to pass SafetyNet Attestation. If they're clever and still detect the root then in Magisk toggle Enforce DenyList and add the problematic apps to the DenyList.



Updating Magisk
You cannot update Magisk via the Magisk app, as this device does not allow writing to the boot partition at runtime.

Instead, update the Magisk app, then use it to patch your stock boot.img and flash it manually using fastboot, as if you were installing it from scratch (as above). This will not wipe your user data, but be sure to backup first in case something goes wrong.
For new rom, normally only OTA and recovery ROm available. Yesterday new ROM 13.0.6.0.SKEMIXM launched, and no fastboot rom. I tried to extract with python - no luck, Error.

Then, a small smart program appear, pretty straightforward for extract boot.img from recovery ROM.

I found it here
 
  • Like
Reactions: aricooperdavis
For new rom, normally only OTA and recovery ROm available. Yesterday new ROM 13.0.6.0.SKEMIXM launched, and no fastboot rom. I tried to extract with python - no luck, Error.

Then, a small smart program appear, pretty straightforward for extract boot.img from recovery ROM.

I found it here
Thanks for pointing out the payload dumper program in Go, I'll update the post. It's strange that the fastboot ROM hasn't been released for that update, I'll give it a few days before I worry about that as my phone still doesn't think there's an update available, so it might not have made it to all update servers yet?
 

BoysNap

Member
Apr 12, 2020
9
0
Can anybody give me poco m4 pro 4g NVDATA, NVRAM and nvcfg partion backup in bin or img?

I lost mine and I need the partition to edit.
 

BoysNap

Member
Apr 12, 2020
9
0
Thanks for pointing out the payload dumper program in Go, I'll update the post. It's strange that the fastboot ROM hasn't been released for that update, I'll give it a few days before I worry about that as my phone still doesn't think there's an update available, so it might not have made it to all update servers yet?
I also had same issue.. for me it was due to the fact that I flashed Different region of offical rom before....
I solved the problem by using SP Flash tool V6 From Mi Flash Pro... it worked for me ...
I flashed it using the older version of the Rom and checked for the update... It works.
Before that it was showing No Update available or Network issue or Connection issue to server....
SP Flash tool V6 From Mi Flash Pro Works and loads the scatter file with no issues.
I also use a program to bypass the Authentication File issue

I tried using Normal SP Flash tool from Mi Flash Pro tool (not the v6) and it got stuck saying about the partition size issue of cust or userdata on scatter file... I formatted every partition and I ended up erasing the NVDATA and other important ones...
I Used NVDATA from Realme Narzo 30 to Boot from the Suck in recovery with error "NV DATA Corruptted" message.
I don't have Backup of this phones NVDATA and other to edit it.
So be careful.. Only use Download (NOT Format All + Download)..
Always backup NVRAM and others before using SP Flash Tool.
 

BoysNap

Member
Apr 12, 2020
9
0
Its working, but now the System are 20,45 GB. Why so much? Can i delete it?
I also had this issue. before that flashed it through Mi flash which caused this issue...Then when I used SP Flash tool V6 form Mi Flash Pro (BROM), it got fixed... Only use Download (not Format All + Download). Always backup NVDATA, NVRAM and NVCFG.
 

Attachments

  • Screenshot_2022-09-21-09-35-46-144_com.miui.securitycenter.jpg
    Screenshot_2022-09-21-09-35-46-144_com.miui.securitycenter.jpg
    304.2 KB · Views: 17
Jun 27, 2019
39
4
Moto X4
POCO M3
I followed all the steps down to every word, my phn's stuck in the poco start screen. Anyone knows what to do?
Ive got the stock recovery, and for some odd reason fastboot commands work only in the "FASTBOOTD" screen and not the the "FASTBOOT" screen which you get from "adb reboot bootloader" command.
I try to shut it down and it boots up back again in the same screen and is stuck there.
Im clueless and I really dont know what to do. Some help would be greatly appreciated.
edit: I tried to use the stock recovery and wipe data. I dont know what happened now I cant open the fastboot menu. Did I loose access to USB debugging?
I tried to connect the phone with the MIAssistant but the app doesnt recognise the device.
 
Last edited:
Jun 27, 2019
39
4
Moto X4
POCO M3
Can we not just flash a custom recovery and flash magisk from there?
That's what I've been doing for the last 5 years of rooting phones. Why go through all that annoying commands and stuff? Is it bcz its a MediaTek device?
 
Can we not just flash a custom recovery and flash magisk from there?
That's what I've been doing for the last 5 years of rooting phones. Why go through all that annoying commands and stuff? Is it bcz its a MediaTek device?
There's more than one way to skin a cat. At the time of writing this guide there were no reliable custom recoveries for this phone (even now I don't think there are any stable ones actively being supported by the developers). Please do write a new guide on how to root with a custom recovery, it would be greatly appreciated by many who are more used to this method!
 

pokrol

Member
Feb 8, 2008
12
1
Can we not just flash a custom recovery and flash magisk from there?
That's what I've been doing for the last 5 years of rooting phones. Why go through all that annoying commands and stuff? Is it bcz its a MediaTek device?
My understanding, at least my phone, there are two slots for boot.
mi recovery at slot A

boot at slot B.

So, for boot already with magisk, must write to B, like:

set_active b
fastboot flash boot_b magisk_patched.img
reboot

magisk_patched.img you can use original boot.img if you still don't have it.
 
I followed all the steps down to every word, my phn's stuck in the poco start screen. Anyone knows what to do?
We've got to the bottom of this through PMs - due to incompatible USB drivers not recognising fastboot, warhead was flashing the boot.img through fastbootd, which isn't possible as it lives in the userspace. I'll update the tutorial to make it clear that you must use fastboot and not fastbootd.
 
Jun 27, 2019
39
4
Moto X4
POCO M3
We've got to the bottom of this through PMs - due to incompatible USB drivers not recognising fastboot, warhead was flashing the boot.img through fastbootd, which isn't possible as it lives in the userspace. I'll update the tutorial to make it clear that you must use fastboot and not fastbootd.
I got what I did wrong. Make sure to get the boot.img of the rom you're phone is in. For eg. if your phone is in Miui 13.0.2 make sure to get the boot.img of miui 13.0.2 of your device. I was stupid enough to update the phone to 13.0.2 and use a 13.0.1 boot.img to install magisk. Boot images were not able to be completely replaced, hence the bootloop.
@aricooperdavis thanks a ton for your help!
 
  • Like
Reactions: aricooperdavis

sclass

Member
May 28, 2008
11
0
Does this ROM support working DC Dimming? The AMOLED flickering (PWM) of M4 pro 4G is terrible and it's there even at 100% lighting.
 
I thought "Magisk" was a custom ROM...
Very broadly, Magisk is a tool that allows you to modify operating system boot images in order to gain root access to them (i.e. "root your phone"). A ROM is more like an entirely new operating system. This is a guide for how to root your stock boot image using Magisk.
 
  • Like
Reactions: sclass

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Work like a charm, thank you.
    1
    Pokemon Go not working when Magisk enabled. Even with Zygist and exclusion list. Any clue ?
    Try spoofing your device fingerprint - Pokemon Go might be using the new Play Integrity check.
    1
    Downloaded and installed USNF MOD 2.0 and SafetyNet does not fail anymore (USNF makes my device no longer HARDWARE_BACKED).
    It works fine now. Many thanks !
  • 6
    Rooting the POCO M4 Pro 4G (fleur) turned out to be quite straightforward. Note, I have a 2201117PG (EEA), you may have a different experience, it's not my fault if you brick your phone etc. Backup before you start as this will wipe your phone.

    The process can be broken down into 4 steps:
    1. Unlock Bootloader
    2. Source boot.img
    3. Patch boot.img (using Magisk)
    4. Flash patched boot.img (using adb)


    1. Unlock Bootloader​

    Note: This step will wipe your phone.

    This can be done using the official tool from MIUI, using MediatekBootloaderUnlock (Windows 10/11, which reportedly does not wipe your user data), or using mtkclient (Any OS but requires Python). I will explain the mtkclient option as I'm on Linux and don't trust MIUI with more personal data than I have to.

    Step-by-step (adapted from this How to Guide):
    • Install mtkclient and its dependencies (easier if familiar with installing python packages etc., straightforward for me on Linux)
    • On your phone activate developer mode and turn on USB debugging and OEM unlocking
    • Turn off phone and disconnect from computer
    • In the directory where you installed mtkclient run:
      • python mtk e metadata,userdata,md_udc
        • This erases your data
        • At this point plug your phone in (still turned off)
      • python mtk da seccfg unlock
        • This unlocks the bootloader
      • python mtk reset
        • This reboots the phone
    • Disconnect USB cable and reboot phone
      • When it boots a message is displayed warning that dm-verity is corrupted. Click the power button to dismiss and continue booting.

    2. Source boot.img​

    • Find your MIUI version in Settings -> About phone -> MIUI Version and look for the version number (e.g. 13.0.6.0(RKEEUXM))
    • Visit the MIUI Updates Tracker and download the matching Stable Fastboot update (if you can't find it scroll down to Extracting boot.img from Payload)
    • Unzip the TGZ and the TAR that it contains then navigate to the images directory and find the boot.img file

    3. Patch boot.img​

    We need to patch the boot.img to give it root powers. We do this on the phone using Magisk.

    Step-by-step (adapted from the Magisk installation instructions):
    • On your phone, download Magisk and install it
    • Connect your phone to your computer and put the boot.img you extracted on your phone somewhere
    • Open Magisk and in "Magisk" section tap "Install"
    • Choose the "Select and Patch a File" option and select your boot.img in the file browser and let Magisk patch it
    • Find the patched boot image in Downloads (called magisk_patched_*.img) and copy it to your computer in the same directory as the vbmeta.img we extracted earlier

    4. Flash patched boot.img​

    Finally we need to replace the current boot.img on the phone with our patched one that has root powers. This is called flashing and is done using adb.

    Step-by-step:
    • Install the Android SDK platform tools which contains adb and fastboot
    • Install a USB driver that supports fastboot mode (you cannot use fastbootd for this or you'll bootloop)
    • Ensure your phone is connected, USB debugging is enabled and working, and OEM Unlocking is enabled
    • In the directory you copied the magisk_patched_*.img to run:
      • adb reboot bootloader
        • This reboots your phone into fastboot mode. Wait until "FASTBOOT" is displayed on the screen
      • fastboot flash boot magisk_patched_*.img
        • This flashes the patched boot.img to give you root
      • fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
        • This flashes the vbmeta.img, disabling the dm-verity corruption message at startup
    • Once it's done reboot your phone by pressing and holding the power button
    That's all there is to it! This took me about an hour as I was working out all the steps as I've not rooted in a phone in nearly a decade - I reckon with a fast internet connection you could get it done in about 15 minutes.



    Extract boot.img from Payload​

    If you can't find a fastboot image (boot.img) for your version then you might be able to extract it from the full firmware package. This will require the use of a third party tool such as payload-dumper (python) or payload-dumper-go. Note that you may be better off just waiting for the fastboot image to be released to the public.



    Tidying up​

    You can delete all the stuff you downloaded onto your computer and the boot.img and magisk_patched_*.img from your phone.

    It's a good idea to disable automatic OTA updates (Settings -> Additional settings -> Developer options -> Automatic sytem updates) so that you can update through Magisk.

    Some apps will be able to tell that you have rooted your phone, and may stop you from using them. You can check this by downloading YASNAC onto your phone and seeing if it passes. If not (which it won't) the most straightforward solution is to add the Universal SafetyNet Fix module to Magisk, then enable Zygisk in Magisk settings and restart your phone, which will be enough to pass SafetyNet Attestation. If they're clever and still detect the root then in Magisk toggle Enforce DenyList and add the problematic apps to the DenyList.



    Updating Magisk
    You cannot update Magisk via the Magisk app, as this device does not allow writing to the boot partition at runtime.

    Instead, update the Magisk app, then use it to patch your stock boot.img and flash it manually using fastboot, as if you were installing it from scratch (as above). This will not wipe your user data, but be sure to backup first in case something goes wrong.
    4
    Unlock Bootloade and Root and RECOVERY for Poco M4 Pro (4G) with out Pyton (on Windows 10\11):

    Unlock Bootloader:
    1.Download the MediatekBootloaderUnlock archive. Unpack the archive ZIP.
    2. Open the Driver folder and right-click the cdc-acm.inf file, select "Install"
    3.Now go back to the main folder and install the USBDK (x64 for 64-bit OS, x86 for 32-bit OS) on your PC (also right click - install).
    4. Reboot the PC.
    5.Turn off the phone.
    6.Run the UnlockBootloader.bat file to start the bootloader unlock process. We keep it on, it is in a state of response from the phone, if the firewood, the cable is connected, then everything is ok, I’ll tell you right away that it turned out 3 times.
    7.Now connect the phone to the computer with a cable by holding down the volume up + down + power button. (If the volume up button doesn't work, try using volume up or volume up + volume down or all three hardware buttons) while the UnlockBootloader.bat file is open.
    8.Once the phone is detected, some commands will be run in the UnlockBootloader.bat file. Let the commands finish and as soon as the window closes. Your bootloader will be unlocked.
    BY THE WAY! - You can lock the bootloader again by following the same steps without clearing. Just use LockBootloader.bat with the same steps.

    Root:
    Downloading the official firmware for the phone, I took fleur_global_images_V13.0.7.0.RKEMIXM_20220419.0000.00_11.0_global (approximately 5.6GB in weight)
    Unpacked it ZIP, pulled out 2 files from there fleur_global_images_V13.0.7.0.RKEMIXM_20220419.0000.00_11.0_global\images
    boot.img and vbmeta.img

    Downloaded Magisk STABLE Version: 24.3 - download on telephone, setup APP
    Launch Magisk Manager. When a pop-up window appears asking you to install Magisk, select INSTALL and select install again.

    Click on "Fix Boot Image File".
    Connect your device to PC via USB cable. Make sure USB debugging is enabled.
    Download ADB \ fastoot (I took tools_r29.0.6-windows)
    Run CMD as Administrator
    We write -
    adb devices - the phone must be determined (QX ********* device - so all drivers are correct)
    adb reboot bootloader - The phone reboots into fastboot mode - an inscription on the screen if dm-verity corruption messages appear - press POWER to continue
    fastboot flash boot boot_PATCH.img (file name how to change)
    fastboot flash vbmeta --disable-verity --dsable-verification vbmeta.img - will remove the inscription dm-verity corruption


    OrangeFox-R11 RECOVERY:​

    Download, and Run CMD as Administrator
    We write -
    fastboot flash boot XXXXNAMEXXXX.img
    Flash !boot! not fastboot flash recovery XXXXNAMEXXXX.img
    2
    ******Update******
    i fixed that problem by pushing both volume buttons before connecting the phone to the computer.
    ********************

    Hi i hope you guys can help me out..

    I am using a Imac on mx linux.
    I have a Xiaomi Redmi note 11s on miui version 13.0.8.0 (RKEEUXM), i have both oem-unlocking and usb debugging on in developers mode.

    When i connect my phone to my pc and use the "adb devices" command it shows my device, when i boot my phone to fastboot and use the "./fastboot devices" command it shows my device so i know there is a good connection between it. even when i boot my phone in "recovery mode" and use the adb command it shows my phone as "sideload"

    When i use/run python3 mtk_gui it starts but i never can get a connection between my phone and mtkclient.
    When i run the command line only by using "python3 mtk e metadata,userdata,md_udc" it shows me this :


    [email protected]:~/mtkclient
    $ python3 mtk e metadata,userdata,md_udc
    MTK Flash/Exploit Client V1.5.9 (c) B.Kerler 2018-2022

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.


    ...........

    Port - Hint:

    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.

    Now i follow the exact steps you described but it doesnt recognise my phone.

    Does someone know what the problem could be ?

    thanks.

    ******Update******
    i fixed that problem by pushing both volume buttons before connecting the phone to the computer.
    ********************
    2
    Here you go!

    2
    Well done, glad you've got it sorted!

    To clarify, this essentially follows the same 4 steps outlined in my post but using different tools that don't require python:
    1. Unlock Bootloader
      - Used MediatekBootloaderUnlock rather than mtkclient
    2. Source boot.img
      - Managed to find the images online without having to extract them from a ROM. @Lark5, where?
    3. Patch boot.img (using Magisk)
      - Same
    4. Flash patched boot.img (using adb)
      - Same
    I think there's also a custom recovery install too (OrangeFox). I tend not to bother, but it can be convenient.
    2. Find ROM on this link: https://mirom.ezbox.idv.tw/en/phone/fleur/roms-global-stable/
    Fastboot Download V13.0.7.0.RKEMIXM
    Explanations:
    For fastboot (~5.6Gb) - firmware version, just unzip the ZIP, inside there is boot.img and vbmeta
    For recovery (-2.5Gb) needed to extract boot.img Through Pyton for example

    thanks for the help aricooperdavis