How To Guide Root POCO M4 Pro 4G (fleur) using Magisk

Search This thread

Finnit0

Senior Member
Jul 10, 2013
74
7
Which vbmeta do you use? Is it included in the stock rom or is magisk creating one when patching?
 

Finnit0

Senior Member
Jul 10, 2013
74
7
Hmm tried to root my phone. I used MediatekBootloaderUnlock unlock my phone which seems to work as It boots into fastboot. I sourced my boot.img from MIUI Updates Tracker and extracted the payload with payload-dumper-go. Patched the boot.img with Magisk 24.3 and 25.2 and wasn able to flash them using fastboot, i get:

unknown partition 'magisk_patched-24300_W5CEK.img'
error: cannot determine image filename for 'magisk_patched-24300_W5CEK.img'

anyone, any ideas what isn't working?
 

Finnit0

Senior Member
Jul 10, 2013
74
7
You shouldn't need to extract the payload if you download the fastboot file, the boot.img is in there if you just extract the contents.

Also, what exactly is the command you're running that gives you that error - it looks like you may be missing out the partition name before the filename?
Ohh ****, I missed boot in fastboot flash boot patched_boot.img. So that is the mistake I think.

But I am not sure what you mean by fastboot file? I downloaded the rom from the MIUI Updates Tracker thread and if I unzip that with 7zip I get the payload.bin. Which needs be extractet?!?

Notes for your guide: I think you could change the order? It makes more sense to first patch the boot.img with magisk and than unlock the phone? Otherwise if you delete the data you need to log in etc. ... before you can patch the boot.img and flash it.

As well, I used the MediatekBootloaderUnlock to unlock my phone and it wasn't necessary to wipe data. That is nice, because now I can backup my apps and data with migrate once SU is working and than switch to another rom.

Additionally one question concerning vbmeta. Why do we need to flash the vbmeta.img? As I understand we disable the verity check when flashing vbmeta.img, hence there is no vbmeta.img necessary since the checksum it contains is incorrect, becaus boot.img has been patched?
 
The MIUI Updates Tracker page that you've linked contains links to "Stable Fastboot" files (ending in .tgz) and "Stable Recovery" files (ending in .zip). You want the fastboot file so you don't have to extract the boot.img from the payload.bin contained in the recovery file.

The reason I start with unlocking the bootloader is because there is no other way to root your phone. You can patch the boot.img using Magisk on any device, and you can root your phone using a custom recovery and not use adb, but all of these assume you have an unlocked bootloader, so there's no point doing anything else if you can't unlock your bootloader. It's also the most time consuming step if you're going to wait for Xiaomi to do it officially.

It's good to know that the MediatekBootloaderUnlock tool doesn't wipe your data - as I'm on Linux not Windows I can't test or help people troubleshoot this method, so I won't recommend it as the default approach in the OP, but will mention it.
 

Roshan Baleshwar

New member
May 20, 2020
2
0
Rooting the POCO M4 Pro 4G (fleur) turned out to be quite straightforward. Note, I have a 2201117PG (EEA), you may have a different experience, it's not my fault if you brick your phone etc. Backup before you start as this will wipe your phone.

The process can be broken down into 4 steps:
  1. Unlock Bootloader
  2. Source boot.img
  3. Patch boot.img (using Magisk)
  4. Flash patched boot.img (using adb)


1. Unlock Bootloader​

Note: This step will wipe your phone.

This can be done using the official tool from MIUI, using MediatekBootloaderUnlock (Windows 10/11, which reportedly does not wipe your user data), or using mtkclient (Any OS but requires Python). I will explain the mtkclient option as I'm on Linux and don't trust MIUI with more personal data than I have to.

Step-by-step (adapted from this How to Guide):
  • Install mtkclient and its dependencies (easier if familiar with installing python packages etc., straightforward for me on Linux)
  • On your phone activate developer mode and turn on USB debugging and OEM unlocking
  • Turn off phone and disconnect from computer
  • In the directory where you installed mtkclient run:
    • python mtk e metadata,userdata,md_udc
      • This erases your data
      • At this point plug your phone in (still turned off)
    • python mtk da seccfg unlock
      • This unlocks the bootloader
    • python mtk reset
      • This reboots the phone
  • Disconnect USB cable and reboot phone
    • When it boots a message is displayed warning that dm-verity is corrupted. Click the power button to dismiss and continue booting.

2. Source boot.img​

  • Find your MIUI version in Settings -> About phone -> MIUI Version and look for the version number (e.g. 13.0.6.0(RKEEUXM))
  • Visit the MIUI Updates Tracker and download the matching Stable Fastboot update (if you can't find it scroll down to Extracting boot.img from Payload)
  • Unzip the TGZ and the TAR that it contains then navigate to the images directory and find the boot.img file

3. Patch boot.img​

We need to patch the boot.img to give it root powers. We do this on the phone using Magisk.

Step-by-step (adapted from the Magisk installation instructions):
  • On your phone, download Magisk and install it
  • Connect your phone to your computer and put the boot.img you extracted on your phone somewhere
  • Open Magisk and in "Magisk" section tap "Install"
  • Choose the "Select and Patch a File" option and select your boot.img in the file browser and let Magisk patch it
  • Find the patched boot image in Downloads (called magisk_patched_*.img) and copy it to your computer in the same directory as the vbmeta.img we extracted earlier

4. Flash patched boot.img​

Finally we need to replace the current boot.img on the phone with our patched one that has root powers. This is called flashing and is done using adb.

Step-by-step:
  • Install the Android SDK platform tools which contains adb and fastboot
  • Install a USB driver that supports fastboot mode (you cannot use fastbootd for this or you'll bootloop)
  • Ensure your phone is connected, USB debugging is enabled and working, and OEM Unlocking is enabled
  • In the directory you copied the magisk_patched_*.img to run:
    • adb reboot bootloader
      • This reboots your phone into fastboot mode. Wait until "FASTBOOT" is displayed on the screen
    • fastboot flash boot magisk_patched_*.img
      • This flashes the patched boot.img to give you root
    • fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
      • This flashes the vbmeta.img, disabling the dm-verity corruption message at startup
  • Once it's done reboot your phone by pressing and holding the power button
That's all there is to it! This took me about an hour as I was working out all the steps as I've not rooted in a phone in nearly a decade - I reckon with a fast internet connection you could get it done in about 15 minutes.



Extract boot.img from Payload​

If you can't find a fastboot image (boot.img) for your version then you might be able to extract it from the full firmware package. This will require the use of a third party tool such as payload-dumper (python) or payload-dumper-go. Note that you may be better off just waiting for the fastboot image to be released to the public.



Tidying up​

You can delete all the stuff you downloaded onto your computer and the boot.img and magisk_patched_*.img from your phone.

It's a good idea to disable automatic OTA updates (Settings -> Additional settings -> Developer options -> Automatic sytem updates) so that you can update through Magisk.

Some apps will be able to tell that you have rooted your phone, and may stop you from using them. You can check this by downloading YASNAC onto your phone and seeing if it passes. If not (which it won't) the most straightforward solution is to add the Universal SafetyNet Fix module to Magisk, then enable Zygisk in Magisk settings and restart your phone, which will be enough to pass SafetyNet Attestation. If they're clever and still detect the root then in Magisk toggle Enforce DenyList and add the problematic apps to the DenyList.



Updating Magisk
You cannot update Magisk via the Magisk app, as this device does not allow writing to the boot partition at runtime.

Instead, update the Magisk app, then use it to patch your stock boot.img and flash it manually using fastboot, as if you were installing it from scratch (as above). This will not wipe your user data, but be sure to backup first in case something goes wrong.
When I tried to flash the magisk patch img it says corrupted img . What should I do ?
 

bxdever

Member
Jan 21, 2014
14
2
I just bought a Poco M4 5G (not pro), there doesn't seem to be any dedicated thread for that. Would this same method also work?
 

edwin_r

Member
Dec 22, 2018
18
2
Hello,
I just followed the instruction and it worked like a charm! Thanks for the tutorial.
I wanted to go further by installing SmaliPatcherModule as I know by experience it helps a lot spoofing GPS. So I did it correctly I think (not the first time and on many phones), but now it doesn't boot to system (after several minutes it goes to the MIUI recovery)
Anyhow, my question is: is it the fact of installing the module itself or maybe I checked too many options (in fact all of them except "Samsung Knox"+"recovery reboot"), or something else??? Is this module still necessary on this phone

Any clue will help me :)
Thank you
 
  • Like
Reactions: aricooperdavis
Anyhow, my question is: is it the fact of installing the module itself or maybe I checked too many options (in fact all of them except "Samsung Knox"+"recovery reboot"), or something else??? Is this module still necessary on this phone
I'm not familiar with Smali Patcher, but it sounds like it's patching android framework source files, which definitely has the potential to stop it booting. Whether it's necessary or not depends on what you're using it for - it's mostly a collection of other patches, so I'm sure you can find other magisk modules that have the functionality you need from it. The dev is no longer active on XDA so it's unlikely to get ongoing support.
 
  • Like
Reactions: edwin_r

edwin_r

Member
Dec 22, 2018
18
2
I'm not familiar with Smali Patcher, but it sounds like it's patching android framework source files, which definitely has the potential to stop it booting. Whether it's necessary or not depends on what you're using it for - it's mostly a collection of other patches, so I'm sure you can find other magisk modules that have the functionality you need from it. The dev is no longer active on XDA so it's unlikely to get ongoing support.
Yep, right, no support for a long, but strangely, this is the only module that worked for me for all my xiaomi/poco phones. Today, it's the first time I faced this issue. Basically, it's to avoid "jumps" in games like Pokemon Go or the discontinued Harry Potter: Wizards Unite, and for sure to hide an app as a mock location

For those who will/were in the same situation of no boot, in recovery, clearing data allows to be in Android. It's still faster than flashing a rom + magisk, but you will still have to re-install all your app and reconfigure your softs (including magisk modules)

If someone found the perfect solution to hide root/spoofing etc. i'm willing to learn
 

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    Yes, you can just flash the un-patched boot.img to unroot.
    1
    hi,

    i have well rooted it
    right now, i can't install the miui OTA update
    how to do it ? or to disable the notification ?
    thks
    1
    I have unlocked the phone (Note 11s fleur - V13.0.10.0.RKEEUXM), but which fastboot firmware do i need for extracting boot.img and vbmeta.img, EEU or Global ?
    EEU :)
  • 7
    Rooting the POCO M4 Pro 4G (fleur) turned out to be quite straightforward. Note, I have a 2201117PG (EEA), you may have a different experience, it's not my fault if you brick your phone etc. Backup before you start as this will wipe your phone.

    The process can be broken down into 4 steps:
    1. Unlock Bootloader
    2. Source boot.img
    3. Patch boot.img (using Magisk)
    4. Flash patched boot.img (using adb)


    1. Unlock Bootloader​

    Note: This step will wipe your phone.

    This can be done using the official tool from MIUI, using MediatekBootloaderUnlock (Windows 10/11, which reportedly does not wipe your user data), or using mtkclient (Any OS but requires Python). I will explain the mtkclient option as I'm on Linux and don't trust MIUI with more personal data than I have to.

    Step-by-step (adapted from this How to Guide):
    • Install mtkclient and its dependencies (easier if familiar with installing python packages etc., straightforward for me on Linux)
    • On your phone activate developer mode and turn on USB debugging and OEM unlocking
    • Turn off phone and disconnect from computer
    • In the directory where you installed mtkclient run:
      • python mtk e metadata,userdata,md_udc
        • This erases your data
        • At this point plug your phone in (still turned off)
      • python mtk da seccfg unlock
        • This unlocks the bootloader
      • python mtk reset
        • This reboots the phone
    • Disconnect USB cable and reboot phone
      • When it boots a message is displayed warning that dm-verity is corrupted. Click the power button to dismiss and continue booting.

    2. Source boot.img​

    • Find your MIUI version in Settings -> About phone -> MIUI Version and look for the version number (e.g. 13.0.6.0(RKEEUXM))
    • Visit the MIUI Updates Tracker and download the matching Stable Fastboot update (if you can't find it scroll down to Extracting boot.img from Payload)
    • Unzip the TGZ and the TAR that it contains then navigate to the images directory and find the boot.img file

    3. Patch boot.img​

    We need to patch the boot.img to give it root powers. We do this on the phone using Magisk.

    Step-by-step (adapted from the Magisk installation instructions):
    • On your phone, download Magisk and install it
    • Connect your phone to your computer and put the boot.img you extracted on your phone somewhere
    • Open Magisk and in "Magisk" section tap "Install"
    • Choose the "Select and Patch a File" option and select your boot.img in the file browser and let Magisk patch it
    • Find the patched boot image in Downloads (called magisk_patched_*.img) and copy it to your computer in the same directory as the vbmeta.img we extracted earlier

    4. Flash patched boot.img​

    Finally we need to replace the current boot.img on the phone with our patched one that has root powers. This is called flashing and is done using adb.

    Step-by-step:
    • Install the Android SDK platform tools which contains adb and fastboot
    • Install a USB driver that supports fastboot mode (you cannot use fastbootd for this or you'll bootloop)
    • Ensure your phone is connected, USB debugging is enabled and working, and OEM Unlocking is enabled
    • In the directory you copied the magisk_patched_*.img to run:
      • adb reboot bootloader
        • This reboots your phone into fastboot mode. Wait until "FASTBOOT" is displayed on the screen
      • fastboot flash boot magisk_patched_*.img
        • This flashes the patched boot.img to give you root
      • fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
        • This flashes the vbmeta.img, disabling the dm-verity corruption message at startup
    • Once it's done reboot your phone by pressing and holding the power button
    That's all there is to it! This took me about an hour as I was working out all the steps as I've not rooted in a phone in nearly a decade - I reckon with a fast internet connection you could get it done in about 15 minutes.



    Extract boot.img from Payload​

    If you can't find a fastboot image (boot.img) for your version then you might be able to extract it from the full firmware package. This will require the use of a third party tool such as payload-dumper (python) or payload-dumper-go. Note that you may be better off just waiting for the fastboot image to be released to the public.



    Tidying up​

    You can delete all the stuff you downloaded onto your computer and the boot.img and magisk_patched_*.img from your phone.

    It's a good idea to disable automatic OTA updates (Settings -> Additional settings -> Developer options -> Automatic sytem updates) so that you can update through Magisk.

    Some apps will be able to tell that you have rooted your phone, and may stop you from using them. You can check this by downloading YASNAC onto your phone and seeing if it passes. If not (which it won't) the most straightforward solution is to add the Universal SafetyNet Fix module to Magisk, then enable Zygisk in Magisk settings and restart your phone, which will be enough to pass SafetyNet Attestation. If they're clever and still detect the root then in Magisk toggle Enforce DenyList and add the problematic apps to the DenyList.



    Updating Magisk
    You cannot update Magisk via the Magisk app, as this device does not allow writing to the boot partition at runtime.

    Instead, update the Magisk app, then use it to patch your stock boot.img and flash it manually using fastboot, as if you were installing it from scratch (as above). This will not wipe your user data, but be sure to backup first in case something goes wrong.
    4
    Unlock Bootloade and Root and RECOVERY for Poco M4 Pro (4G) with out Pyton (on Windows 10\11):

    Unlock Bootloader:
    1.Download the MediatekBootloaderUnlock archive. Unpack the archive ZIP.
    2. Open the Driver folder and right-click the cdc-acm.inf file, select "Install"
    3.Now go back to the main folder and install the USBDK (x64 for 64-bit OS, x86 for 32-bit OS) on your PC (also right click - install).
    4. Reboot the PC.
    5.Turn off the phone.
    6.Run the UnlockBootloader.bat file to start the bootloader unlock process. We keep it on, it is in a state of response from the phone, if the firewood, the cable is connected, then everything is ok, I’ll tell you right away that it turned out 3 times.
    7.Now connect the phone to the computer with a cable by holding down the volume up + down + power button. (If the volume up button doesn't work, try using volume up or volume up + volume down or all three hardware buttons) while the UnlockBootloader.bat file is open.
    8.Once the phone is detected, some commands will be run in the UnlockBootloader.bat file. Let the commands finish and as soon as the window closes. Your bootloader will be unlocked.
    BY THE WAY! - You can lock the bootloader again by following the same steps without clearing. Just use LockBootloader.bat with the same steps.

    Root:
    Downloading the official firmware for the phone, I took fleur_global_images_V13.0.7.0.RKEMIXM_20220419.0000.00_11.0_global (approximately 5.6GB in weight)
    Unpacked it ZIP, pulled out 2 files from there fleur_global_images_V13.0.7.0.RKEMIXM_20220419.0000.00_11.0_global\images
    boot.img and vbmeta.img

    Downloaded Magisk STABLE Version: 24.3 - download on telephone, setup APP
    Launch Magisk Manager. When a pop-up window appears asking you to install Magisk, select INSTALL and select install again.

    Click on "Fix Boot Image File".
    Connect your device to PC via USB cable. Make sure USB debugging is enabled.
    Download ADB \ fastoot (I took tools_r29.0.6-windows)
    Run CMD as Administrator
    We write -
    adb devices - the phone must be determined (QX ********* device - so all drivers are correct)
    adb reboot bootloader - The phone reboots into fastboot mode - an inscription on the screen if dm-verity corruption messages appear - press POWER to continue
    fastboot flash boot boot_PATCH.img (file name how to change)
    fastboot flash vbmeta --disable-verity --dsable-verification vbmeta.img - will remove the inscription dm-verity corruption


    OrangeFox-R11 RECOVERY:​

    Download, and Run CMD as Administrator
    We write -
    fastboot flash boot XXXXNAMEXXXX.img
    Flash !boot! not fastboot flash recovery XXXXNAMEXXXX.img
    2
    ******Update******
    i fixed that problem by pushing both volume buttons before connecting the phone to the computer.
    ********************

    Hi i hope you guys can help me out..

    I am using a Imac on mx linux.
    I have a Xiaomi Redmi note 11s on miui version 13.0.8.0 (RKEEUXM), i have both oem-unlocking and usb debugging on in developers mode.

    When i connect my phone to my pc and use the "adb devices" command it shows my device, when i boot my phone to fastboot and use the "./fastboot devices" command it shows my device so i know there is a good connection between it. even when i boot my phone in "recovery mode" and use the adb command it shows my phone as "sideload"

    When i use/run python3 mtk_gui it starts but i never can get a connection between my phone and mtkclient.
    When i run the command line only by using "python3 mtk e metadata,userdata,md_udc" it shows me this :


    [email protected]:~/mtkclient
    $ python3 mtk e metadata,userdata,md_udc
    MTK Flash/Exploit Client V1.5.9 (c) B.Kerler 2018-2022

    Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

    Port - Hint:

    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.


    ...........

    Port - Hint:

    Power off the phone before connecting.
    For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
    For preloader mode, don't press any hw button and connect usb.

    Now i follow the exact steps you described but it doesnt recognise my phone.

    Does someone know what the problem could be ?

    thanks.

    ******Update******
    i fixed that problem by pushing both volume buttons before connecting the phone to the computer.
    ********************
    2
    Here you go!

    2
    Well done, glad you've got it sorted!

    To clarify, this essentially follows the same 4 steps outlined in my post but using different tools that don't require python:
    1. Unlock Bootloader
      - Used MediatekBootloaderUnlock rather than mtkclient
    2. Source boot.img
      - Managed to find the images online without having to extract them from a ROM. @Lark5, where?
    3. Patch boot.img (using Magisk)
      - Same
    4. Flash patched boot.img (using adb)
      - Same
    I think there's also a custom recovery install too (OrangeFox). I tend not to bother, but it can be convenient.
    2. Find ROM on this link: https://mirom.ezbox.idv.tw/en/phone/fleur/roms-global-stable/
    Fastboot Download V13.0.7.0.RKEMIXM
    Explanations:
    For fastboot (~5.6Gb) - firmware version, just unzip the ZIP, inside there is boot.img and vbmeta
    For recovery (-2.5Gb) needed to extract boot.img Through Pyton for example

    thanks for the help aricooperdavis