Idea: Generic custom recovery for rooting - General Topics

Hi to all,
After years of using several Android devices, with different architectures, custom recoveries, ROM mods, etc., I have come to this conclusion: more and more, new devices ship with good firmware, but you need ROOT access (to use the Xposed framework, for example), and obtaining root access is getting harder. With the evolution of the Android platform, rooting a device becomes more complex every time. Mainly, at the moment, exploits have a low success rate on new releases. Moreover, the locked bootloader is another added trouble. So the only solution for rooting is going the way of a custom recovery. However, the development of a custom recovery isn't easy. On some platforms (mainly MediaTek) it's possible to generate a "port" using a recovery from another device on the same platform, but this is not universal for all platforms. Typically, for a custom recovery you need the source code from the manufacturer of the device, and an experienced developer to port and compile the recovery. So, for several devices this is a long way!
So, here is my proposal: why not create minimal custom recoveries only for rooting? The idea of these recoveries is:
- Not for flashing, only runnable using "fastboot boot recovery.img". So they are safe to test!
- Without irrelevant drivers (screen, touch, etc.), only USB and ADB access. You connect the device to a computer over USB and you have a pure shell to execute anything that you need.
- With scripts for autodetection of internal partitions, because not all devices have identical partitions. This includes safety checks before mounting partitions in r/w mode.
- Each recovery is for a generic "platform", not for a "device". Example: MT6582, MSM8916, RK3066, Exynos5422, etc.
What do you think about this idea?
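The "autodetection plus safety check" script the proposal above asks for, sketched here as an added example (this is not code from the original post). It assumes, as the post does not state, that the recovery exposes a by-name directory such as /dev/block/platform/*/by-name and that the partitions worth mounting r/w are ext4; the demo layout at the bottom is constructed, with plain files standing in for block devices.

```shell
#!/bin/sh
# Added example, not from the original post: resolve partition names through a
# by-name directory and refuse a read/write mount unless the target looks sane.
# Assumption: a by-name directory exists (e.g. /dev/block/platform/*/by-name,
# the exact path is what differs per SoC) and r/w-mountable partitions are ext4.

# Resolve a partition name (system, data, boot, ...) to its block device.
# $1 = by-name directory, $2 = partition name
find_part() {
    [ -L "$1/$2" ] || { echo "no partition named $2 in $1" >&2; return 1; }
    readlink -f "$1/$2"
}

# ext4 keeps its magic 0xEF53 at byte offset 0x438 (1080) of the partition,
# stored little-endian, so the two bytes on disk read 53 ef.
is_ext4() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# Safety check before a read/write mount. Refuse if the name does not resolve,
# if another name resolves to the same device (the layout is not what we
# assume), or if there is no ext4 superblock (e.g. the name points at a raw
# boot image). Prints the resolved device on success.
check_rw_mount() {
    byname=$1; name=$2
    dev=$(find_part "$byname" "$name") || return 1
    for link in "$byname"/*; do
        other=$(basename "$link")
        [ "$other" = "$name" ] && continue
        if [ "$(readlink -f "$link")" = "$dev" ]; then
            echo "$name and $other both resolve to $dev; refusing" >&2
            return 1
        fi
    done
    is_ext4 "$dev" || { echo "$name ($dev) has no ext4 superblock; refusing rw mount" >&2; return 1; }
    echo "$dev"
}

# Constructed demo layout: files stand in for block devices.
demo_layout() {
    d=$(mktemp -d)
    mkdir "$d/by-name"
    # "system": 4 KiB of zeros with the ext4 magic written at offset 1080
    dd if=/dev/zero of="$d/system.img" bs=1024 count=4 2>/dev/null
    printf '\123\357' | dd of="$d/system.img" bs=1 seek=1080 conv=notrunc 2>/dev/null
    # "boot": an Android boot image header, not a filesystem
    printf 'ANDROID!' > "$d/boot.img"
    ln -s "$d/system.img" "$d/by-name/system"
    ln -s "$d/boot.img" "$d/by-name/boot"
    echo "$d"
}

D=$(demo_layout)
check_rw_mount "$D/by-name" system          # prints the device behind "system"
check_rw_mount "$D/by-name" boot || echo "boot correctly rejected"
```

On a real device the same functions would be called with the SoC's by-name directory and followed by `mount -o rw ...` only when `check_rw_mount` succeeds; the aliasing check matters because a recovery ported from another device may carry a fstab whose names point at the wrong partitions.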

Hi,
The idea is very similar to: http://forum.xda-developers.com/android/development/intel-android-devices-root-temp-cwm-t2975096
But targeting other platforms: MTK, Qualcomm, etc.
Are any developers interested in this?

Hi,
Does no one think this could be a good idea? No comments?

When more and more devices come with non-exploitable kernels, and no sources are available to compile the kernel, this will be the only solution for rooting. I hope some experienced developers will consider this idea... without it, in the next months several devices won't be rootable.

This was an awesome idea, and too bad this hasn't happened so far. I'm here trying to root a local brand (SPC Spain) tablet and it seems no one here wants to help or knows how to. I can't believe the Android rooting/modding community is completely disregarding the millions and millions of people who purchase local brand or generic tablets. If you can please do this project, there are millions of such devices out there and increasingly more and more.

androidferret said:
This was an awesome idea, and too bad this hasn't happened so far.
I can't believe the Android rooting/modding community is completely disregarding the millions and millions of people who purchase local brand or generic tablets. If you can please do this project, there are millions of such devices out there and increasingly more and more.
Yes,
We need to go in the direction of generic custom recoveries for rooting. Furthermore, generic tools for unlocking the bootloader (or custom signed kernels) are the only way for the next generation of Android devices.

Related

[Q] ROMs, Kernels, Recoveries and ROOTING?

Hi Fellow old and New Devs,
The title suggests it all. I have four questions that I think ALL newbies want to understand. I would try and explain them, but as I am just coming out of the newbie stage, I'm sure people would prefer an answer from an experienced Dev.
When answering a question please put the question number. Feel free to answer only one or two of the questions; I'm sure other people will cover your missing fields of knowledge.
Here they are:
1. What is rooting? Can I root my device (HTC Buzz Wildfire) and keep the stock interface? Will I lose my data?
2. What do all these Devs mean by Recovery? What are they, why are they needed?
3. What is a ROM? Do I need to be rooted for a custom ROM? How can you trust them? Will I lose my data when installing a custom ROM?
4. What is a Kernel? How are they different to ROMs? Should I change from the stock Kernel?
I know this is a tall order and you could write a book on the topic, but please could you write a short paragraph (a couple of sentences will do) on each question you choose to do.
When we get enough understandable answers I will edit this post and publish the final answers for other newbies in the future.
Also feel free to enter the poll! As this is a Dev site I presume one of the options will have the most votes, but we will see....
Cheers for any contribution in advance.
th3ant
Okay, from the best of my understanding, here we go:
1: Rooting. To understand this, we must consider a computer running Linux, Windows, or Mac. In Windows, the "Administrator" account is similar to the root account in Linux and Mac. Basically, if you have root privileges on a system, you can modify every part of the filesystem, as well as perform any tasks the system is equipped to handle. Basically achieving root on an Android device means that you unlock the ability to flash ROMs, mod, and otherwise hack your device any which way you like. Nearly every model of Android device has been rooted, so in most cases, yes, you can root XXXXX phone. Also, since you're just gaining privileges, you can root without losing any data, apps, or settings.
2: Recovery. This is a long standing concept in SoC/Embedded device hacking. Basically it is a minimal operating system that performs some very basic, but very important tasks. The reason for it is so that you can write to the necessary areas on the NAND, which would be "busy" while android is booted. This offers a way to access the necessary partitions and write data to them while the data is not being accessed. It's also useful for backing up your NAND. Hence the name "nandroid."
3: ROM. By definition, it means "Read Only Memory." This is a chip on the board. ROM has evolved over the years. It started out as a chip that was sensitive to UV light. The earliest ROMs were "flashed" to a device by stenciling out the pathways and exposing the chip to UV radiation. Nowadays, we have fancy EEPROMs instead, which stands for Electronically Erasable Programmable Read Only Memory. This means that you can "flash" the chip by means of software, namely via recovery mode in our case. Different ROMs have different features. They are all variations on source code made available by AOSP, the Android Open Source Project. Some projects have their own code tracking, such as CyanogenMod. On most devices you must be rooted to be able to install a ROM; however, it is not explicitly necessary. A bit vague, I suppose. Specifically, on the tablet I own, the WITS a81e, you can flash a ROM just by putting the correct files on the TF card. This is not very common with phones, however. Flashing any ROM that is not just a newer version of your current ROM will require a full format. For instance, if you have CyanogenMod and switch to a Sense or Blur ROM, you must format, but if you update from CM6 to CM6.1 you will not need to wipe. How can you trust ROMs? Well, the best way to know is to either roll your own, or go with CyanogenMod, as their source is freely and easily available for scrutiny and improvement, along with a nice changelog tracker.
4. Kernels. A kernel is basically the lowest-level part of an operating system. It interfaces directly with the processor and provides all instruction for operation. Linux is technically not an operating system, it's a kernel. The different distributions have the Linux kernel, and use their own different user interfaces. Different kernels on Android devices can allow you to overclock. There are many choices in kernels, and in the features they offer. Some features are BFS/CFS, which is the priority scheduling of processes. Some kernels allow you to charge your battery differently and conserve life. These are often called battery kernels. Also, some kernels unlock extra multitouch points on certain devices. There are different versions of the Linux kernel, with many improvements with each iteration. Currently, the latest kernel available that I know of for Android devices is 2.6.37. The Froyo default kernel was a 2.6.32. I wish I knew a bit more about kernels, however this is about all I know. Perhaps someone could help us out and expand on this a bit?
Brilliant answer not too complicated... let's see what others say....
Sent from my HTC Wildfire using XDA App
What he said...
Pyroboy1080 well said...
That pretty much covers it.
Thanks for the info.
Agreed. Thanks for using the poll!
nothing to add on that, as we used to say "merci beaucoup"
Can't ROM
Gotta be something stupid......
Can't install 2.2 or 2.3. Tried two different ODIN flashers. When I do the reset I do not get the triangle with "downloading" in the center. I'm rooted, I have ROM Manager, Superuser, Root Explorer, Super Manager, and I'm unlocked.
I have Android SDK, Congnitive 4.1, NPS, Samsung Kies, SGH I897 USB drivers. What else? I think I have it covered. In any case I never get the download. Even if I do a "ROM Manager Install from SD Card", the result is a screen, blue at the top and yellow at the bottom, with the last line saying "Installing Multi-CSC". I can let it run all night, no change in ROM. Does the Captivate sold by AT&T have some kind of block or filter keeping me from updating?
Current firmware is 2.1 update 1, baseband I897UCJH7, Kernel 2.6.29 [email protected] #2, Build ECLAIR.UCJH7
Thanks
To better answer your question, I first need to know what type of device you're using...
Didn't know where to ask this?
Hello, everyone.
I have some questions; I'm hoping some of you can answer.
I used unrevoked to root my HTC Desire. After that, I used alpharev to gain S-OFF.
Everything went fine, I got the joker, the white screen that lets me pick different options.
Now I tried all those options, nothing works.
I've been searching all night for a solution, and it seems my recovery boot and ROM are missing? What I came across is installing the ANDROID SDK tools, and then running fastboot to recover an image. So I installed the SDK tools, but fastboot doesn't run; it says some .dll driver is missing. That .dll is in the platform-tools folder; should I move it?
Can someone give me a step-by-step tutorial on how to make my Desire work again? I'm kind of a noob; all I needed was to take a screenshot.
Thanks in advance, it would be appreciated so much..
Pyroboy, I'm using a Samsung Captivate. In another thread someone led me to "All in One Toolbox". The other stuff is just stuff. That allowed me to install my ROM.

[ROOT] [GUIDE] Tips for rooting cheap Chinese MediaTek MTK MT67xx (100s of models)

So you've got a cheap Chinese phone based on the budget MediaTek MTK MT67xx SoC (system-on-a-chip) chipset and you want to root it.
You've tried lots of tools and failed, and you've been searching the internet and xda for your model and found nothing (or you might have found stock ROMs for your device online but not rooted ones). Read on....
These phones are INSANELY common all across Asia because MediaTek is the cheapest chip manufacturer and so is the top choice for <USD$100 super-cheap (often free subsidized) phones. Here is a partial list of phones that use the MT67xx across many countries:
Sony Xperia E4g | Kingzone N3 Plus | Bluboo X8 4G | Bluboo X6 | Elephone P6000 | Just5 Blaster | Unistar X8 | Ulefone Be Pro | Cubot X16 | Lenovo Vibe P1m | Meizu m2 | Doogee X5Pro | Lenovo A2010 | Acer Liquid Z530 | Micromax Canvas Express 4G Q413 | Huawei Enjoy 5 | Elephone M2 | Doogee Valencia2 Y100 Pro | Gionee Marathon M5 | coolpad note 3 lite | coolpad note 3 | Alcatel One Touch Flash Plus | Gionee Elife S7 | Lenovo Vibe S1 | Lenovo K3 Note | Lenovo P70 | Lenovo A7000 | Meizu M1 Note | Sony Xperia C4 / C4 Dual | Sony Xperia C5 Ultra / C5 Ultra Dual | DaKeLe Big Cola 3 (iPhone 6 clone) | HTC One E9s | HTC Desire 820s | Mlais M52 Red Note | Innjoo One | Ulefone Be Touch | Ulefone Be Touch 2 | Kingzone Z1 | Umi eMax | Mstar S700 | Vivo X6/X6 Plus | THL 2015 | Huawei Enjoy 5s | Elephone M2 | Lenovo A7010 | Lenovo K4 Note | Acer Liquid Z530S | Meizu m2 note | InnJoo two | Infinix Note 2 X600 | Elephone P6000 Pro | Elephone P8000 | BLU Life One X (2016) | BLUBOO XTOUCH | Coolpad Note 3 | Quantum Go 4G | Xiaomi Redmi Note 3 | Xiaomi Redmi Note 2/ Prime | LeTV Le 1s | Meizu m1 metal | Meizu MX5 | Gionee Elife E8 | Sony Xperia M5 / M5 Dual | BLU Pure XL | Allview X2 Soul Xtreme | HTC One M9+ | HTC One E9+ | Infinix Zero 3 | Lenovo K5 Note | Sony Xperia XA | Meizu MX6 | iNew L4 1 GB | Oukitel U8 Universe Tap | Bluboo C100 | Siswoo A5 | Gionee Marathon M5 | Zopo Color E ZP350 | Doogee S6000 | Cubot X15 | Meizu m2 2GB 16GB | VK World VK560 | ZTE Blade D6 | Leagoo Elite 4 1GB 16GB | Oukitel U6 | iNew L4 2 GB | VK World Discovery S1 | Wiko Selfy 4G | Acer Liquid Z630 2GB 16GB | THL 2015 A | Blackview BV2000 | UMI Fair 1GB 8GB | NO.1 S6 (4g) | iNew U5 | ZTE Blade V6 | Huawei Enjoy 5 TIT-AL00 | Acer Liquid Z530 | Uhans U100 | Zopo Hero 1 | Ulefone Paris X | Zopo Flash C ZP530+ | ZTE Blade A1 | Uimi U6 | Gionee Marathon M5 Prime | Uimi U6c | HomTom HT7 Pro | ZTE Small Fresh 3 C880S | Zopo Color S5.5 | KingZone N5 MT6735 1.3GHz | MyWigo City 2 | LG K8 K350N | AIS Lava iris 500 | Lava iris 550Q
I am including the list above for two reasons:
- so that people searching for their model may find this thread and be helped
- so that you can just get a glimpse of the insane variety of companies and models that use the same chip family
For reasons explained below, you will find that most of these devices are resistant to the "easy" one-click rooting methods and most of them do not work with ANY of the "easy" tools that have been developed for other phones, even MediaTek (MTK)-specific tools. Of course tool support will improve over time, but as we will explain, there is something unique about your MediaTek device that will always make it harder to root.
I finally got my MT67xx-based phone rooted, and here is the information that I wished someone had posted on xda as I slogged through my search.
My goal here is NOT to provide the steps for a specific phone model, but rather to help the (literally) millions of you out there who have MT67xx-based phones find a solution by giving you a few basics to understand MediaTek MTK and rooting, and pointing you in the right direction so you know what questions to ask.
There's some bad news, and some worse news...
WHAT ALL THESE PHONES HAVE IN COMMON:
The MT67xx chipset inside your phone uses a relatively new (2014) 64-bit processor architecture, compared to the ubiquitous MediaTek MT65xx, MT83xx and MT81xx processors, which use a 32-bit architecture. Around the same time that MT67xx came out, MediaTek also switched devices to a new partition layout (a GPT partition table and a new scatter file format in place of the older MBR/EBR scheme), which determines where and how Android and all your data get stored in your device's flash memory.
What these two technical changes mean is that:
- many of the vulnerabilities in Android that the "easy" one-click root tools exploited to do their job (e.g. old standbys like RageAgainstTheCage, framaroot, etc.) no longer work. Updating Android is another thing that often causes these exploits to stop working, but changing processor architecture is a big one too.
- many (but not all) of the old tools developed to root and otherwise modify MediaTek devices broke, and have not yet been fixed. Most notable is the MTK Droid Tool, a standard tool for hacking MTK devices that you will still find used in 99% of guides out there on the internet. It doesn't work on your MT67xx (at least no version I could find). The same is true of many other tools, such as some of the tools to reset your phone's IMEI when rooting/modding operations disrupt your ability to call, tools to get into "MTK Engineer Mode", etc.
That is why you will find so many pages on the internet that say "Root Any Android Phone" (complete BS: if you see this, the person is either clueless or lying) or even "Root Any MediaTek Phone" and the procedure fails.
So, you would think that the cool ROM hackers and root tool folks would whip up some new tools quickly, right?
This is the point where you need to understand a harsh reality...
WHAT ALL THESE PHONES DON'T HAVE IN COMMON:
This is perhaps Android's greatest strength and weakness: every manufacturer (as well as ROM hacker here on xda) is free to tweak open-source Android in almost any way they see fit, whether to save money, integrate a new feature, customize for local market and culture, try to lock out competition, or whatever. And so they did.
Even though these devices all use MT67xx chips, it seems like every manufacturer felt compelled to make as many tiny changes as possible, and the result is that there is no easy way for kind xda hackers to develop one master ROM image of Android that will run on them all (rooted or otherwise). And it's even hard to make a rooting tool or mod that works on all devices.
Instead, the device-specific differences are significant enough that you actually need a developer to spend hours to days on each model in order to produce a workable Android ROM (rooted or otherwise).
And that is why, all over xda-developers and other sites, you rarely see custom ROMs for your MTK device. Although I'm guessing there are many times more cheap MTK devices in the world than devices with more expensive chipsets, the market of cheap devices is utterly fragmented into hundreds of vendors, so it is generally not worth any ROM hacker's time to develop for a particular device, because the reward (glory or karma, whatever turns them on) is minimal compared to a single device (e.g. most Samsungs) that is used by millions.
Sometimes the cheap MTK software/hardware changes that break both root tools and ROMs seem trivial and pointless. Like a vendor might move a critical system file for no obvious reason, switch the order of SD cards so that old software breaks, leave out key system programs they thought "nobody would need," introduce new and usually-broken encryption methods to lock out modders, etc.
THE SILVER LINING
Seems pretty grim, huh?
This cloud has one major silver lining.
I'm going to tell you about a tool that does work on MT67xx devices. You may or may not end up using this tool as part of your rooting strategy (more below), but it's good to hear some good news sometime
As far as I can tell, all MediaTek devices MT67xx, MT65xx, MT83xx, MT81xx work with the SP Flash Tool, a MediaTek MTK-specific tool that lets you flash (write) new versions of Android and tools that you need to install or modify Android (ROMs, custom recovery images, recovery updates) on to your device.
SP Flash Tool lets you flash "images" to your device, even if your device is totally bricked or has been utterly wiped clean from some earlier messup. An "image" is geek speak for a file that contains the whole contents of a partition of your Android device's storage, such as the partitions that contain the Android operating system (boot and system), the partitions that contain a recovery tool that lets you do less primitive operations like updating Android, installing SuperSU, or backing up your device (recovery), or even the partition with the logo shown on boot (logo).
So that means SP Flash Tool is super-powerful and super-dangerous (in fact, it's suicidal if you use it on a device containing important data you haven't backed up), but on the other hand it also means that at least you always have some tool that can install new images, no matter how messed up you have made your device.
The significance of this cannot be overstated. For Android devices with other chipsets there is of course some way to flash images (various tools referred to as "recovery console", "bootloader/fastboot mode", etc.), but the chipset and manufacturers (even on some MediaTek MTK devices) try to ruin your day by:
- locking your bootloader or recovery console so it can only flash images cryptographically signed by the manufacturer using secret keys, meaning you can't use them to modify your phone in the way you want,
- providing you only with flashing methods that work if certain partitions stay intact, meaning that if you make a certain kind of mistake you may much more easily "brick" your phone so that you have no way of ever using it for anything but a doorstop.
MediaTek's SP Flash Tool, on the other hand, does not get in your way with a lock: it lets you flash images to the device even if your flash memory has become completely garbled with nonsense. The tool talks to the boot ROM / preloader download mode, which accepts commands over USB before any of your phone's own software has started to boot. That is also why it is a security problem: anyone with a USB cable and a few minutes alone with a powered-off device can rewrite its flash. The one caveat is that a vendor can enable MediaTek's secure boot with Download Agent authentication, in which case SP Flash Tool only accepts a signed Download Agent and authentication file, so "it always works" does not hold on every MT67xx device. It is still up to you of course to flash something that works, but at least you have the option.
A very important principle for SP Flash Tool is: only flash partitions that you need to flash. That will likely be recovery, and maybe boot/system and maybe logo if you are playing around. Even though you may find a ROM with all partitions, only flash the ones the instructions say you need to flash. Otherwise you invite problems that might clear important settings on your device (e.g. mobile radio/carrier settings you need for your calling to work, etc.).
You're probably thinking that using SP Flash Tool, you can first make a backup of your device, so that no matter what you try, you can always restore your backup. Good news: this is kind of true: the SP Flash Tool is capable of this kind of backup, as seen in this thread, this thread, and this thread. But when you look at those threads, you will see there is a catch: the technique relies on being able to extract something called a "scatter file" from your device, and the tool they always use for this? You guessed it, MTK Droid Tool, the tool that doesn't (yet) work on MT67xx devices. This nice thread explains the situation and gives you a way to get the "scatter file" to make your backup, but as you can see it's more technical than many people will be willing to do. So basically we are waiting for better tools to be available to less technical users for backing up MT67xx devices. If you don't mind bricking your device at all or until such a tool comes out, it won't matter. But for most users you will want some kind of backup in your rooting strategy. If anyone knows of a better new tool that works on MT67xx, please reply below.
So consider the application of SP Flash Tool as a backup tool for MT67xx devices to be something that's not ready for everyone yet. If anyone knows an easier tool for making scatter files on MT67xx or even doing backup, let us know.
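The scatter file the backup threads above depend on is mostly partition geometry, and an MT67xx device exposes that geometry itself through sysfs and its by-name links, so MTK Droid Tool is not the only way to get it. The script below, an added example and not part of the guide, turns those two inputs into scatter-style entries. It assumes, beyond what the guide says, that `/sys/class/block/mmcblk0pN/start` and `/size` give offset and length in 512-byte sectors (they do on Linux), that only the geometry fields are derived (region, storage, type and the other scatter fields must be copied from a scatter file for the same SoC), and that the list of partitions marked `is_download: false` is a heuristic for the carrier/calibration data the "only flash what you need" rule warns about. The device tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: build the geometry part of a MediaTek
# scatter file from what the device itself exposes. Inputs, normally pulled
# over adb from a booted device:
#   ls -l /dev/block/platform/*/by-name       name -> /dev/block/mmcblk0pN
#   /sys/class/block/mmcblk0pN/start, /size   offset and length in 512-byte sectors
# Assumptions (not from the guide): only partition_name / linear_start_addr /
# physical_start_addr / partition_size / is_download are emitted; the other
# scatter fields must come from a scatter for the same SoC; the set of
# partitions that default to is_download: false is a heuristic.

# Emit scatter-style entries for every name in $1 (by-name directory), using
# $2 as the sysfs block directory, ordered by start offset.
gen_scatter() {
    byname=$1; sysblock=$2
    for link in "$byname"/*; do
        name=$(basename "$link")
        part=$(basename "$(readlink -f "$link")")
        if [ ! -r "$sysblock/$part/start" ]; then
            echo "skipping $name: no $sysblock/$part" >&2
            continue
        fi
        echo "$(cat "$sysblock/$part/start") $(cat "$sysblock/$part/size") $name"
    done | sort -n | awk '
        {
            start = $1 * 512; size = $2 * 512;      # sectors -> bytes
            # radio/calibration partitions are not flashed by default
            dl = ($3 ~ /^(nvram|nvdata|proinfo|protect1|protect2)$/) ? "false" : "true";
            printf "- partition_index: SYS%d\n", NR - 1;
            printf "  partition_name: %s\n", $3;
            printf "  linear_start_addr: 0x%x\n", start;
            printf "  physical_start_addr: 0x%x\n", start;
            printf "  partition_size: 0x%x\n", size;
            printf "  is_download: %s\n", dl;
        }'
}

# Constructed sysfs/by-name tree standing in for a device (geometry in sectors).
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/by-name" "$d/dev" "$d/sys"
    # name  partition  start   size
    for spec in "nvram 1 2048 10240" "boot 2 32768 32768" \
                "recovery 3 65536 32768" "system 4 131072 3145728"; do
        set -- $spec
        touch "$d/dev/mmcblk0p$2"
        mkdir "$d/sys/mmcblk0p$2"
        echo "$3" > "$d/sys/mmcblk0p$2/start"
        echo "$4" > "$d/sys/mmcblk0p$2/size"
        ln -s "$d/dev/mmcblk0p$2" "$d/by-name/$1"
    done
    echo "$d"
}

D=$(demo_tree)
gen_scatter "$D/by-name" "$D/sys"
```

Against a real phone you would replace the two demo directories with the output of `adb shell ls -l /dev/block/platform/*/by-name` and `adb pull`ed copies of the sysfs `start`/`size` files, then diff the result against any scatter file you find online for a device with the same SoC before trusting it in SP Flash Tool's readback.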
There are other ways of making backups of your device before you attempt to root your device, though, so you might not need to use SP Flash Tool as your backup. More later...
Also, some reading this thread may have found a stock ROM for your exact device (one that is just like the manufacturer gave you, not rooted) that can serve as your backup in case your rooting attempts fail.
HOW TO ROOT YOUR PHONE
Typically when you want to root any Android device, you google the name of the device with "root" and you will find either:
- "easy" one-click rooting tools (e.g. Kingoroot, Kingroot, One Click Root, framaroot) that you install on your device or your PC and click one button to root.
- software that you are supposed to flash to your Android device to make it rooted (either complete ROM images containing a complete copy of Android for your device, already rooted and usually with other handy mods, or flashable update images that root your existing copy of Android).
The "easy" one-click tools may be worth trying, because they literally are just one click, but they come with a massive downside: many of them, such as Kingoroot, have been repeatedly accused of, and occasionally caught at, doing extremely shady things on your device after installation, such as sending your device's private IMEI number to servers in China. Kingroot (yes, it's different from Kingoroot) is a one-click tool that is recommended on xda, but which installs extremely invasive "purify" and/or "scanning" software on your device (also frequently connecting with servers in China for unknown reasons which the closed-source makers of these tools will not disclose). I personally find the many creepy clone Kingroot advertising websites and obviously-fake "user" posts about Kingroot that are gushingly positive about Kingroot to be a major, major red flag. If they have to make fake one-sided posts to convince people to install, what are they hiding? Many people use Kingroot simply because they've tried everything else and it's the only one-click tool that can root their device (because the Kingroot developers accomplish root using new exploits that nobody else has found, and devote significant resources to keeping up to date on exploits, perhaps using money they got from.....), then they use other tools that supposedly strip away Kingroot and its bloat/sketchiness and replace it with a more trusted root solution such as SuperSU (SuperSU requires your phone to be already rooted or requires you to flash something to install it). There even seems to be an arms race between Kingroot and these "Kingroot stripping tools" which causes problems on your phone as each party releases updates. You get the picture.
If you're reading this thread, you may have already tried these one-click tools and seen that they don't work on your MT67xx, or you may be too suspicious of them.
So, you moved on to looking for software that you could flash to your device that would root your device.
You searched in xda and Google for your make and model and found.....nothing. Except hopefully this thread.
Now you know why you didn't find anything using your make and model (you didn't skip the sections above, did you?). Fortunately, there is some hope.
Flashable software that can root your device will likely take one of two forms:
- ROM: A complete ROM (complete version of Android, with images for the boot and system partitions) that is already rooted, and probably contains other nice enhancements you might like as well. To use a ROM image, you flash the boot image and system image to your boot and system partitions using SP Flash Tool.
- UPDATE: An update file that you apply on top of your existing version of Android to get root, such as the one distributed with SuperSU. To apply this type of update, you don't install an APK file (e.g. from the Play Store). Instead, you download a "recovery flashable ZIP" and boot your device into a special "recovery mode" where you make some choices on a retro 1970s text menu to choose and apply the update (more later).
If you want to use a ROM, the ROM definitely has to be customized for your device. Flashing a ROM meant for another device is a near-guarantee to render your device inoperable, unless the other device literally only differs by the marketing name (extremely unlikely: remember when we said above how each manufacturer loves to make tiny confounding changes?).
So you are unlikely to find a ROM for your device at all (if you did, you probably wouldn't be reading this thread). If you have a lot of spare time on your hands, you could try flashing ROMs from a lot of similar devices (definitely it must be the same chipset and Android version, ideally same country, same mobile carrier or another company that actually uses the same mobile carrier's network). But that's not too likely to succeed. If you do succeed, my god definitely post it to xda so future people can be helped.
So you are left with the option of rooting your device using a "recovery flashable ZIP" update like the one that comes with SuperSU.
You still need to ask two questions:
1. does SuperSU (or another rooting package) work on my device?
2. does the "recovery mode" that comes with your device let you flash these ZIPs?
For question 1 you are not likely to find an answer (again because of the insane fragmentation of devices in the MTK market as explained above). So you are going to have to just try it, after making a backup. You can at least feel comforted by the fact that the amazing developer, Chainfire, has done insane amounts of work to make SuperSU's flashable installer ZIP work on as many devices as possible. But it's nearly impossible that he's had time to test on your MTK device, because of the severe low-end market fragmentation problem explained above (and don't ask him to: it's your job to try).
You can find many tutorials on the internet about how to get to your device's recovery mode (it's device-specific but typically involves holding down 2-3 buttons while turning on your device then making further menu choices, then holding down two buttons again when you see an image of an android laying on his back) and how to install the "recovery flashable ZIP" that comes with SuperSU or your root package.
Question 2 really depends on your device. Even though all devices we are talking about here use MT67xx chips, many device makers give you a crippled "recovery mode" that will only install updates cryptographically signed by the manufacturer using a secret key, meaning they are useless for installing SuperSU. You should just give it a try and see if you get an error message during install about the "signature" of the update being wrong (remember, while trying the SuperSU update, if you suddenly see the android lying down again, hit the same sequence of buttons that you used to get into the recovery console in the first place to get back to a screen with actual information).
If the stock recovery mode that comes with your device is not suitable for installing SuperSU, then you need to replace the recovery mode that comes with your phone with a "custom recovery" (Chainfire actually recommends using a custom recovery anyway to avoid problems). Fortunately, you have a tool in your arsenal which can replace the stock recovery with a custom recovery: SP Flash Tool. Whew. The recovery mode on your device is on one of those partitions that you can flash with SP Flash Tool. All you need to do is find a custom recovery "image" from the internet that can do SuperSU. By far the most common custom recovery tools people use are called TWRP and CWM (ClockWorkMod). These custom recovery tools even give you other cool features that the stock recovery didn't, like the ability to make backups in a way that is much easier and less technical than with SP Flash Tool.
So everything's great, right? Just install TWRP/CWM and then install SuperSU.
Well, not quite. It turns out that just like Android versions, recovery images have to be built specifically for your device. There isn't just one file for TWRP/CWM: there's one per device. So you are now faced with the challenge of finding a custom recovery image that works on your device.
So it seems like Catch-22, right? You're stuck.
Well, not exactly. It turns out that while recovery consoles are indeed device-specific, they are less device specific than Android versions. Your chances of finding a recovery image that was designed for another similar MT67xx device but works on your device are much greater than your (near zero) chances of finding a complete Android ROM that does the same.
So search on xda and Google for the chipset of your device, and look for people who have successfully used custom recovery images across similar devices. For example, my device has an MT6735 so I searched on xda and found several threads where people used recovery consoles across devices. Read the threads for your chipset and see if you recognize any similar devices. Or just try some (after making a back-up of course, including a backup of the stock recovery image in case you need to go back to that (though some devices have a nifty feature where they will restore the stock recovery automatically if a custom recovery crashes)). They may work, they may not. If you have success, definitely report it here to help others.
So hopefully, maybe with some trial and error, you can install SuperSU to root your phone, either using your phone's stock recovery or a working custom recovery that you can find on the internet. Whew.
Since you will be looking for rooting solutions on the internet and seeing many guides, I should mention that other than using SP Flash Tool or the recovery mode, there is another way to flash images to your device, usually known as the bootloader or "fastboot mode." Fastboot mode is an alternative to the "recovery mode" (you enter the fastboot mode by pushing a different set of buttons down as you turn on your device). You will find tons of references to fastboot mode as it is a key way to flash on many devices, but for your MediaTek MTK device, fastboot mode is unlikely to be useful to you: as an MTK owner, you have access to SP Flash Tool which is not encumbered by the many restrictions that some device vendors place on fastboot mode and is pretty much better all-around. Fastboot mode involves using adb command line tools, which are intimidating to some users. Many vendors completely lock down fastboot mode so that it cannot flash at all, some vendors require you to find a magic easter egg option to enable fastboot flashing and force you to erase all your data in the process of just turning that switch on, and some vendors make you call them to get a l33t secret code that you have to use to enter to unlock fastboot using an "oem unlock". Fortunately, you can bypass all that idiotic DRM nonsense by just using SP Flash Tool and get the same work done. The only advantage of fastboot mode is on some devices it lets you boot a proposed recovery console to try it one time without actually installing it: but on my device, and many MTK devices, that functionality is simply not implemented.
So what if you have exhausted all the possibilities above, and you are still stuck: None of the one-click tools work on your device. You can't find a ROM for your device. SuperSU can't be installed using your stock recovery mode, and you can't find any custom recovery image that works on your device that you could use to install SuperSU on your device. Well, then you are really in new territory where there are further steps you can take, but it's going to get a lot more technical. Since SP Flash Tool works, you do have the power to modify system files on your device, so you do have the power to root the device. First of all you can become a ROM developer and build a ROM for your device, but that is a massive undertaking and I don't even know if you can find the correct drivers to accomplish this. So instead, to get root, you're going to have to figure out how to extract a partition image (boot or system) from your device, extract all the files from that image (there are "kitchens" on xda that help you do this kind of thing), modify those files in a way that gives you root, flash the partition back, and then boot your system normally, letting the nefarious code you added give you root as the system boots. This is non-trivial but kind of fun if you are into that kind of punishment. I went through that whole process because I thought my device was one of those extreme cases (I had not yet figured out that there was probably some other custom recovery image that would have worked on my device, because there was no thread explaining this fact on xda). The steps I took are definitely beyond the scope of this post, but if folks are interested I can share some details in a separate post (there is nothing revolutionary: I hacked /init.rc to perform an elaborate series of file copies, chmod, chown, etc. at user boot time to install SuperSU, basically simulating all the many steps that SuperSU would have taken from its install script in the recovery mode, had I been able to use the useless locked recovery mode on my device).
After you root your phone (and depending on how you root your phone) you may run into a situation where you can no longer make/receive calls because you have accidentally cleared out your phone's IMEI setting.
This, again, is a case where there are a ton of tools to fix your IMEI that are designed specially for MTK devices, but most of them do not work on MT67xx series, only the older chips (yes, you guessed it, including our old friend MTK Droid Tool).
So you will probably have to hunt around until you find an IMEI fixer that works. Many guides suggested a super-creepy Chinese app called Mobile Uncle that includes a horrific screen begging me to install all the most privacy-destroying popular Chinese social media apps, but Mobile Uncle failed to work on my MT67xx, so save yourself the viruses and use another tool. After I rooted my phone I tried 3 different apps until I found one called "MTK Engineering" that just worked, and I set my IMEI by following the visual guide in method number 1 on this website (I didn't use Mobile Uncle but the UI is the same), adding in the extra hack of adding a space between the "AT" and the "+" , and surrounding the IMEI number in quotes, as explained on this website. Phew.
Good luck and hope this guide saved you from going down several 12-hour ratholes like I did!!!
MANY MANY THANKS: I have linked to many articles on xda and the internet above. Please explore those links for more information. Thanks to Chainfire for sure for SuperSU and for whoever made SP Flash Tool (MediaTek?). And I really got a lot of helpful info from alexzap's articles. This MTK rooting/flashing guide is also pretty cool but doesn't address the newer MT67xx issues.
(reserved)
lsemprini said:
So you've got a cheap Chinese phone based on the budget MediaTek MTK MT67xx SoC (system-on-a-chip) chipset and you want to root it.
First of all, thank you very much for such an educational thread. I am also a newbie to MediaTek devices but after owning an MT6752 Desire 820s there are a ton of things I have learned so far with the device and MediaTek in general which I am glad to share.
lsemprini said:
So that means SP Flash Tool is super-powerful and super-dangerous (in fact, it's suicidal if you use it on a device containing important data you haven't backed up), but on the other hand it also means that at least you always have some tool that can install new images, no matter how messed up you have made your device.
I totally agree with you, SP Flashtool is the best thing to have ever happened to the MediaTek fraternity. I have been using it to test flashing partitions on my phone, corrupting the bootloader and bricking the device, but it would always come to my rescue.
It is so powerful that it can unlock, lock or relock the bootloader on HTC devices without using the official HTC bootloader unlocking method, fastboot or adb, and it does not require root.
The HTC bootloader somehow restricts the phone from booting into meta mode for flashing, but holding volume up while connecting the phone to the PC tends to force the phone into meta mode, where flashing of any partition can be carried out by SP Flashtool.
I consider this a security risk, but still interesting, as it is too easy to access the device's userdata partition via a recovery hack: it can unlock the device's bootloader and flash a custom recovery while preserving the userdata partition, which would have been wiped if one used the official methods, unless one had encrypted their internal storage.
However, newer MediaTek devices seem to have fixed this security hole. The likes of HTC One M9+, E9 and E9+ with an MT6795 processor cannot be flashed by SP Flashtool unless the device is S-off as of now. It could work with an SP Flashtool update, maybe?
lsemprini said:
So consider the application of SP Flash Tool as a backup tool for MT67xx devices to be something that's not ready for everyone yet. If anyone knows an easier tool for making scatter files on MT67xx or even doing backup, let us know.
Well, it is possible to back up newer MediaTek SoC (MT67XX) devices using SP Flashtool's Readback feature without root, but it requires the exact scatter file of the firmware one is currently on, or at least the partition start address of a partition you want to back up and its physical size if one cannot get the scatter file.
MTKDroidtools can at least show the partition types on the MT67XX devices, but unfortunately the start and physical addresses of the partitions are not exactly as they are supposed to be on the device.
However, if you are lucky enough to find the scatter file, you can use it to readback on SP Flashtool, not reading back the entire NAND of the phone but reading back each partition individually as it is depicted on the scatter file, and saving the backup file as partition_name.img, e.g. boot.img. This is technically dd-ing an entire partition but without using root.
The start address is depicted on the scatter file and the length is the partition_size on the scatter file.
This can be vital, especially for creating a custom recovery for a device which is currently unrooted.
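A way to turn the scatter-file values described above (per-partition physical start address and partition_size) into a per-partition Readback plan, with the overlap and block-alignment checks you would want before relying on it as a backup. This is an added example, not a tool from the thread or from MediaTek; the scatter text, the file names and the region-to-device-node mapping in it are constructed for illustration.

```python
"""Derive SP Flash Tool Readback parameters from a MediaTek scatter file.
Each partition entry carries the two values Readback needs when backing up one
partition at a time: its physical start address and its partition_size. The
layout is also checked for block alignment and overlapping partitions.
"""
import re
from collections import namedtuple

# Constructed sample in the MT67xx YAML-style scatter format (most per-partition
# keys trimmed). Addresses are illustrative, not taken from any real device.
SAMPLE_SCATTER = """\
- general: MTK_PLATFORM_CFG
  info:
    - platform: MT6735
      block_size: 0x20000
- partition_index: SYS0
  partition_name: PRELOADER
  file_name: preloader_example.bin
  physical_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
- partition_index: SYS7
  partition_name: RECOVERY
  file_name: recovery.img
  physical_start_addr: 0x1000000
  partition_size: 0x1000000
  region: EMMC_USER
- partition_index: SYS8
  partition_name: BOOT
  file_name: boot.img
  physical_start_addr: 0x2000000
  partition_size: 0x1000000
  region: EMMC_USER
"""

# "key: value" lines; an optional leading "- " opens a new entry.
KEY_RE = re.compile(r"^\s*(-\s*)?([A-Za-z_]+):\s*(.*?)\s*$")

# Assumed Linux block-device names per scatter region (hypothetical mapping, used
# only to express a Readback as the root-only dd the thread compares it to).
REGION_DEVICE = {"EMMC_USER": "/dev/block/mmcblk0",
                 "EMMC_BOOT_1": "/dev/block/mmcblk0boot0"}

# start = physical_start_addr (where Readback begins), size = partition_size (length)
Partition = namedtuple("Partition", "index name file_name start size region")

def parse_scatter(text):
    """Return (block_size, [Partition, ...]) parsed from scatter-file text."""
    block_size, entries, current = None, [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue                       # banners, comments, blank lines
        dash, key, value = m.groups()
        if dash and key == "general":
            current = None                 # following keys belong to the general block
        elif dash and key == "partition_index":
            current = {"partition_index": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
        elif key == "block_size":
            block_size = int(value, 16)
    parts = []
    for e in entries:
        name = e.get("partition_name", e["partition_index"])
        start = e.get("physical_start_addr") or e.get("linear_start_addr", "0x0")
        parts.append(Partition(e["partition_index"], name,
                               e.get("file_name") or name.lower() + ".img",
                               int(start, 16), int(e["partition_size"], 16),
                               e.get("region", "EMMC_USER")))
    return block_size, parts

def check_layout(parts, block_size):
    """Checks a backup plan should pass; returns a list of problem strings."""
    problems, by_region = [], {}
    for p in parts:
        if block_size and (p.start % block_size or p.size % block_size):
            problems.append(f"{p.name}: start/size not aligned to block_size {block_size:#x}")
        by_region.setdefault(p.region, []).append(p)
    for region, group in by_region.items():          # overlap only matters per region
        group.sort(key=lambda p: p.start)
        for prev, cur in zip(group, group[1:]):
            if prev.start + prev.size > cur.start:
                problems.append(f"{region}: {prev.name} overlaps {cur.name}")
    return problems

def dd_equivalent(p, block_size):
    """The root-only dd that would read the same bytes a Readback of p reads."""
    dev = REGION_DEVICE.get(p.region, "/dev/block/UNKNOWN_REGION")
    return (f"dd if={dev} of={p.file_name} bs={block_size} "
            f"skip={p.start // block_size} count={p.size // block_size}")

def readback_plan(text):
    """One Readback row per partition, (name, file, start, length), plus problems."""
    block_size, parts = parse_scatter(text)
    rows = [(p.name, p.file_name, p.start, p.size) for p in parts]
    return rows, check_layout(parts, block_size)
```

For the sample, readback_plan(SAMPLE_SCATTER) returns the three rows with an empty problem list; moving BOOT's start to 0x1800000 reports that RECOVERY overlaps BOOT, which is exactly the kind of bad scatter file that would silently produce an unusable backup.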
lsemprini said:
So you've got a cheap Chinese phone based on the budget MediaTek MTK MT67xx SoC (system-on-a-chip) chipset and you want to root it.
You've tried lots of tools and failed, and you've been searching the internet and xda for your model and found nothing (or you might have found stock ROMs for your device online but not rooted ones). Read on....
These phones are INSANELY common all across Asia because MediaTek is the cheapest chip manufacturer and so is the top choice for <USD$100 super-cheap (often free subsidized) phones. Here is a partial list of phones that use the MT67xx across many countries:
I am including the list above for two reasons:
- so that people searching for their model may find this thread and be helped
- so that you can just get a glimpse of the insane variety of companies and models that use the same chip family
For reasons explained below, you will find that most of these devices are resistant to the "easy" one-click rooting methods and most of them do not work with ANY of the "easy" tools that have been developed for other phones, even MediaTek (MTK)-specific tools. Of course tool support will improve over time, but as we will explain, there is something unique about your MediaTek device that will always make it harder to root.
I finally got my MT67xx-based phone rooted, and here is the information that I wished someone had posted on xda as I slogged through my search.
My goal here is NOT to provide the steps for a specific phone model, but rather to help the (literally) millions of you out there who have MT67xx-based phones find a solution by giving you a few basics to understand MediaTek MTK and rooting, and pointing you in the right direction so you know what questions to ask.
There's some bad news, and some worse news...
WHAT ALL THESE PHONES HAVE IN COMMON:
The MT67xx chipset inside your phone uses a relatively new (2014) 64-bit processor architecture, compared to the ubiquitous MediaTek MTK MT65xx, MT83xx, MT81xx processors that use a 32-bit architecture. And around the same time that MT67xx came out, MediaTek also switched devices to a new filesystem/partition format which determines where and how Android and all your data gets stored in your device's flash memory.
What these two technical changes mean is that:
- many of the vulnerabilities in Android that the "easy" one-click root tools exploited to do their job (e.g. old standbys like RageAgainstTheCage, framaroot, etc.) no longer work. Updating Android is another thing that often causes these vulnerabilities to cease to work, but changing processor architectures is a biggie too.
- many (but not all) of the old tools developed to root and otherwise modify MediaTek devices broke, and have not yet been fixed. Most notable is the MTK Droid Tool, a standard tool for hacking MTK devices that you will still find used in 99% of guides out there on the internet. It doesn't work on your MT67xx (at least no version I could find). Same is true of many other tools, such as some of the tools to reset your phone's IMEI when rooting/modding operations disrupt your ability to call, tools to get into "MTK Engineer Mode" etc.
That is why you will find so many pages on the internet that say "Root Any Android Phone" (complete BS: if you see this, the person is either clueless or lying) or even "Root Any MediaTek Phone" and the procedure fails.
So, you would think that the cool ROM hackers and root tool folks would whip up some new tools quickly, right?
This is the point where you need to understand a harsh reality...
WHAT ALL THESE PHONES DON'T HAVE IN COMMON:
This is perhaps Android's greatest strength and weakness: every manufacturer (as well as ROM hacker here on xda) is free to tweak open-source Android in almost any way they see fit, whether to save money, integrate a new feature, customize for local market and culture, try to lock out competition, or whatever. And so they did.
Even though these devices all use MT67xx chips, it seems like every manufacturer felt compelled to make as many tiny changes as possible, and the result is that there is no easy way for kind xda hackers to develop one master ROM image of Android that will run on them all (rooted or otherwise). And it's even hard to make a rooting tool or mod that works on all devices.
Instead, the device-specific differences are significant enough that you actually need a developer to spend hours to days on each model in order to produce a workable Android ROM (rooted or otherwise).
And that is why, all over xda-developers and other sites, you rarely see custom ROMs for your MTK device. Although I'm guessing there are many times more cheap MTK devices in the world than devices with more expensive chipsets, the market of cheap devices is utterly fragmented into hundreds of vendors, so it is generally not worth any ROM hacker's time to develop for a particular device, because the reward (glory or karma, whatever turns them on) is minimal compared to a single device (e.g. most Samsungs) that is used by millions.
Sometimes the cheap MTK software/hardware changes that break both root tools and ROMs seem trivial and pointless. Like a vendor might move a critical system file for no obvious reason, switch the order of SD cards so that old software breaks, leave out key system programs they thought "nobody would need," introduce new and usually-broken encryption methods to lock out modders, etc.
THE SILVER LINING
Seems pretty grim, huh?
This cloud has one major silver lining.
I'm going to tell you about a tool that does work on MT67xx devices. You may or may not end up using this tool as part of your rooting strategy (more below), but it's good to hear some good news sometime
As far as I can tell, all MediaTek devices MT67xx, MT65xx, MT83xx, MT81xx work with the SP Flash Tool, a MediaTek MTK-specific tool that lets you flash (write) new versions of Android and tools that you need to install or modify Android (ROMs, custom recovery images, recovery updates) on to your device.
SP Flash Tool lets you flash "images" to your device, even if your device is totally bricked or has been utterly wiped clean from some earlier messup. An "image" is geek speak for a file that contains the whole contents of a partition of your Android device's storage, such as the partitions that contain the Android operating system (boot and system), the partitions that contain a recovery tool that lets you do less primitive operations like updating Android, installing SuperSU, or backing up your device (recovery), or even the partition with the logo shown on boot (logo).
So that means SP Flash Tool is super-powerful and super-dangerous (in fact, it's suicidal if you use it on a device containing important data you haven't backed up), but on the other hand it also means that at least you always have some tool that can install new images, no matter how messed up you have made your device.
The significance of this cannot be understated. For Android devices with other chipsets, there is of course some way to flash images (various tools referred to as "recovery console," "bootloader/fastboot mode," etc), but the chipset and manufacturers (even on some MediaTek MTK devices) try to ruin your day by:
- locking your bootloader or recovery console so it can only flash images cryptographically signed by the manufacturer using secret keys, meaning you can't use them to modify your phone in the way you want,
- providing you only with flashing methods that work only if certain partitions stay intact---meaning that if you make a certain kind of mistake, you may much more easily "brick" your phone so that you have no way of ever using it for anything but a doorstop.
MediaTek's SP Flash Tool, on the other hand, does not get in your way with any kind of lock---it always lets you flash images to the device, even if your flash memory has become completely garbled with nonsense. The tool literally works on your phone before your phone has started to boot up (kind of scary actually and a huge design flaw security risk, oh well). It is still up to you of course to flash something that works, but at least you have the option.
A very important principle for SP Flash Tool is: only flash partitions that you need to flash. That will likely be recovery, and maybe boot/system and maybe logo if you are playing around. Even though you may find a ROM with all partitions, only flash the ones the instructions say you need to flash. Otherwise you invite problems that might clear important settings on your device (e.g. mobile radio/carrier settings you need for your calling to work, etc.).
You're probably thinking that using SP Flash Tool, you can first make a backup of your device, so that no matter what you try, you can always restore your backup. Good news: this is kind of true: the SP Flash Tool is capable of this kind of backup, as seen in this thread, this thread, and this thread. But when you look at those threads, you will see there is a catch: the technique relies on being able to extract something called a "scatter file" from your device, and the tool they always use for this? You guessed it, MTK Droid Tool, the tool that doesn't (yet) work on MT67xx devices. This nice thread explains the situation and gives you a way to get the "scatter file" to make your backup, but as you can see it's more technical than many people will be willing to do. So basically we are waiting for better tools to be available to less technical users for backing up MT67xx devices. If you don't mind bricking your device at all or until such a tool comes out, it won't matter. But for most users you will want some kind of backup in your rooting strategy. If anyone knows of a better new tool that works on MT67xx, please reply below.
So consider the application of SP Flash Tool as a backup tool for MT67xx devices to be something that's not ready for everyone yet. If anyone knows an easier tool for making scatter files on MT67xx or even doing backup, let us know.
There are other ways of making backups of your device before you attempt to root your device, though, so you might not need to use SP Flash Tool as your backup. More later...
Also, some reading this thread may have found a stock ROM for your exact device (one that is just like the manufacturer gave you, not rooted) that can serve as your backup in case your rooting attempts fail.
HOW TO ROOT YOUR PHONE
Typically when you want to root any Android device, you google the name of the device with "root" and you will find either:
- "easy" one-click rooting tools (e.g. Kingoroot, Kingroot, One Click Root, framaroot) that you install on your device or your PC and click one button to root.
- software that you are supposed to flash to your Android device to make it rooted (either complete ROM images containing a complete copy of Android for your device, already rooted and usually with other handy mods, or flashable update images that root your existing copy of Android).
The "easy" one-click tools may be worth trying, because they literally are just one click, but they come with a massive downside: many of them, such as Kingoroot, have been repeatedly accused of, and occasionally caught at, doing extremely shady things on your device after installation, such as sending your device's private IMEI number to servers in China. Kingroot (yes, it's different from Kingoroot) is a one-click tool that is recommended on xda, but which installs extremely invasive "purify" and/or "scanning" software on your device (also frequently connecting with servers in China for unknown reasons which the closed-source makers of these tools will not disclose). I personally find the many creepy clone Kingroot advertising websites and obviously-fake "user" posts about Kingroot that are gushingly positive about Kingroot to be a major, major red flag. If they have to make fake one-sided posts to convince people to install, what are they hiding? Many people use Kingroot simply because they've tried everything else and it's the only one-click tool that can root their device (because the Kingroot developers accomplish root using new exploits that nobody else has found, and devote significant resources to keeping up to date on exploits, perhaps using money they got from.....), then they use other tools that supposedly strip away Kingroot and its bloat/sketchiness and replace it with a more trusted root solution such as SuperSU (SuperSU requires your phone to be already rooted or requires you to flash something to install it). There even seems to be an arms war between Kingroot and these "Kingroot stripping tools" which causes problems on your phone as each party releases updates. You get the picture.
If you're reading this thread, you may have already tried these one-click tools and seen that they don't work on your MT67xx, or you may be too suspicious of them.
So, you moved on to looking for software that you could flash to your device that would root your device.
You searched in xda and Google for your make and model and found.....nothing. Except hopefully this thread.
Now you know why you didn't find anything using your make and model (you didn't skip the sections above, did you?). Fortunately, there is some hope.
Flashable software that can root your device will likely take one of two forms:
- ROM: A complete ROM (complete version of Android, with images for boot and system partitions) that is already rooted, and probably contains other nice enhancements you might like as well. To use a ROM image, you flash the boot image and system image to your boot and system partitions using SP Flash Tool.
- UPDATE: An update file that you apply on top of your existing version of Android to get root, such as the one distributed with SuperSU. To apply this type of update, you don't install an APK file (e.g. from the Play Store). Instead, you download a "recovery flashable ZIP" and boot your device into a special "recovery mode" where you make some choices on a retro 1970s text menu to choose and apply the update---more later.
If you want to use a ROM, the ROM definitely has to be customized for your device. Flashing a ROM meant for another device is a near-guarantee to render your device inoperable, unless the other device literally only differs by the marketing name (extremely unlikely: remember when we said above how each manufacturer loves to make tiny confounding changes?).
So you are unlikely to find a ROM for your device at all (if you did, you probably wouldn't be reading this thread). If you have a lot of spare time on your hands, you could try flashing ROMs from a lot of similar devices (definitely it must be the same chipset and Android version, ideally same country, same mobile carrier or another company that actually uses the same mobile carrier's network). But that's not too likely to succeed. If you do succeed, my god definitely post it to xda so future people can be helped.
So you are left with the option of rooting your device using a "recovery flashable ZIP" update like the one that comes with SuperSU.
You still need to ask two questions:
does SuperSU (or other rooting package) work on my device?
does the "recovery mode" that comes with your device let you flash these ZIPs?
For question 1 you are not likely to find an answer (again because of the insane fragmentation of devices in the MTK market as explained above). So you are going to have to just try it, after making a backup. You can at least feel comforted by the fact that the amazing developer, Chainfire, has done insane amounts of work to make SuperSU's flashable installer ZIP work on as many devices as possible. But it's nearly impossible that he's had time to test on your MTK device, because of the severe low-end market fragmentation problem explained above (and don't ask him to: it's your job to try).
You can find many tutorials on the internet about how to get to your device's recovery mode (it's device-specific but typically involves holding down 2-3 buttons while turning on your device then making further menu choices, then holding down two buttons again when you see an image of an android laying on his back) and how to install the "recovery flashable ZIP" that comes with SuperSU or your root package.
Question 2 really depends on your device. Even though all devices we are talking about here use MT67xx chips, many device makers give you a crippled "recovery mode" that will only install updates cryptographically signed by the manufacturer using a secret key, meaning they are useless for installing SuperSU. You should just give it a try and see if you get an error message during install about the "signature" of the update being wrong (remember, while trying the SuperSU update, if you suddenly see the android lying down again, hit the same sequence of buttons that you used to get into the recovery console in the first place to get back to a screen with actual information).
If the stock recovery mode that comes with your device is not suitable for installing SuperSU, then you need to replace the recovery mode that comes with your phone with a "custom recovery" (Chainfire actually recommends using a custom recovery anyway to avoid problems). Fortunately, you have a tool in your arsenal which can replace the stock recovery with a custom recovery: SP Flash Tool. Whew. The recovery mode on your device is on one of those partitions that you can flash with SP Flash Tool. All you need to do is find a custom recovery "image" from the internet that can do SuperSU. By far the most common custom recovery tools people use are called TWRP and CWM (ClockWorkMod). These custom recovery tools even give you other cool features that the stock recovery didn't, like the ability to make backups in a way that is much easier and less technical than with SP Flash Tool.
So everything's great, right? Just install TWRP/CWM and then install SuperSU.
Well, not quite. It turns out that just like Android versions, recovery images have to be built specifically for your device. There isn't just one file for TWRP/CWM: there's one per device. So you are now faced with the challenge of finding a custom recovery image that works on your device.
So it seems like Catch-22, right? You're stuck.
Well, not exactly. It turns out that while recovery consoles are indeed device-specific, they are less device specific than Android versions. Your chances of finding a recovery image that was designed for another similar MT67xx device but works on your device are much greater than your (near zero) chances of finding a complete Android ROM that does the same.
So search on xda and Google for the chipset of your device, and look for people who have successfully used custom recovery images across similar devices. For example, my device has an MT6735 so I searched on xda and found several threads where people used recovery consoles across devices. Read the threads for your chipset and see if you recognize any similar devices. Or just try some (after making a back-up of course, including a backup of the stock recovery image in case you need to go back to that (though some devices have a nifty feature where they will restore the stock recovery automatically if a custom recovery crashes)). They may work, they may not. If you have success, definitely report it here to help others.
So hopefully, maybe with some trial and error, you can install SuperSU to root your phone, either using your phone's stock recovery or a working custom recovery that you can find on the internet. Whew.
Since you will be looking for rooting solutions on the internet and seeing many guides, I should mention that other than using SP Flash Tool or the recovery mode, there is another way to flash images to your device, usually known as the bootloader or "fastboot mode." Fastboot mode is an alternative to the "recovery mode" (you enter the fastboot mode by pushing a different set of buttons down as you turn on your device). You will find tons of references to fastboot mode as it is a key way to flash on many devices, but for your MediaTek MTK device, fastboot mode is unlikely to be useful to you: as an MTK owner, you have access to SP Flash Tool which is not encumbered by the many restrictions that some device vendors place on fastboot mode and is pretty much better all-around. Fastboot mode involves using adb command line tools, which are intimidating to some users. Many vendors completely lock down fastboot mode so that it cannot flash at all, some vendors require you to find a magic easter egg option to enable fastboot flashing and force you to erase all your data in the process of just turning that switch on, and some vendors make you call them to get a l33t secret code that you have to use to enter to unlock fastboot using an "oem unlock". Fortunately, you can bypass all that idiotic DRM nonsense by just using SP Flash Tool and get the same work done. The only advantage of fastboot mode is on some devices it lets you boot a proposed recovery console to try it one time without actually installing it: but on my device, and many MTK devices, that functionality is simply not implemented.
So what if you have exhausted all the possibilities above, and you are still stuck: None of the one-click tools work on your device. You can't find a ROM for your device. SuperSU can't be installed using your stock recovery mode, and you can't find any custom recovery image that works on your device that you could use to install SuperSU on your device. Well, then you are really in new territory where there are further steps you can take, but it's going to get a lot more technical. Since SP Flash Tool works, you do have the power to modify system files on your device, so you do have the power to root the device. First of all you can become a ROM developer and build a ROM for your device, but that is a massive undertaking and I don't even know if you can find the correct drivers to accomplish this. So instead, to get root, you're going to have to figure out how to extract a partition image (boot or system) from your device, extract all the files from that image (there are "kitchens" on xda that help you do this kind of thing), modify those files in a way that gives you root, flash the partition back, and then boot your system normally, letting the nefarious code you added give you root as the system boots. This is non-trivial but kind of fun if you are into that kind of punishment. I went through that whole process because I thought my device was one of those extreme cases (I had not yet figured out that there was probably some other custom recovery image that would have worked on my device, because there was no thread explaining this fact on xda). The steps I took are definitely beyond the scope of this post, but if folks are interested I can share some details in a separate post (there is nothing revolutionary: I hacked /init.rc to perform an elaborate series of file copies, chmod, chown, etc. at user boot time to install SuperSU, basically simulating all the many steps that SuperSU would have taken from its install script in the recovery mode, had I been able to use the useless locked recovery mode on my device).
After you root your phone (and depending on how you root your phone) you may run into a situation where you can no longer make/receive calls because you have accidentally cleared out your phone's IMEI setting.
This, again, is a case where there are a ton of tools to fix your IMEI that are designed specially for MTK devices, but most of them do not work on MT67xx series, only the older chips (yes, you guessed it, including our old friend MTK Droid Tool).
So you will probably have to hunt around until you find an IMEI fixer that works. Many guides suggested a super-creepy Chinese app called Mobile Uncle that includes a horrific screen begging me to install all the most privacy-destroying popular Chinese social media apps, but Mobile Uncle failed to work on my MT67xx, so save yourself the viruses and use another tool. After I rooted my phone I tried 3 different apps until I found one called "MTK Engineering" that just worked, and I set my IMEI by following the visual guide in method number 1 on this website (I didn't use Mobile Uncle but the UI is the same), adding in the extra hack of adding a space between the "AT" and the "+" , and surrounding the IMEI number in quotes, as explained on this website. Phew.
Good luck and hope this guide saved you from going down several 12-hour ratholes like I did!!!
MANY MANY THANKS: I have linked to many articles on xda and the internet above. Please explore those links for more information. Thanks to Chainfire for sure for SuperSU and for whoever made SP Flash Tool (MediaTek?). And I really got a lot of helpful info from alexzap's articles. This MTK rooting/flashing guide is also pretty cool but doesn't address the newer MT67xx issues.
My device is an MT6735; I want an IMEI restore tool.
I tried the Mobile Uncle tool; it is not working for IMEI backup/restore.
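The IMEI repair described above comes down to typing a 15-digit number into an engineering-mode AT command, and a typo there writes a wrong IMEI to NVRAM. An added example, not code from lsemprini's guide or from any of the IMEI tools named in this thread: validate the Luhn check digit before writing, recover the check digit when only the 14-digit body from the label is known, and build the command string in the shape the guide describes (a space after "AT", the IMEI in double quotes). The +EGMR=1,7 (SIM1) and 1,10 (SIM2) indices are my assumption about MediaTek's AT command set, not something this thread states, and the sample IMEI is a well-known test value, not a real device's.

```python
def luhn_check_digit(body: str) -> int:
    """Check digit for a 14-digit IMEI body (TAC + serial), per the Luhn algorithm."""
    if len(body) != 14 or not body.isdigit():
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    for i, ch in enumerate(body):
        d = int(ch)
        if i % 2 == 1:          # 2nd, 4th, ... 14th digit from the left is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize_imei(imei: str) -> str:
    """Strip the separators people copy from labels and dialer screens."""
    return imei.replace(" ", "").replace("-", "")


def is_valid_imei(imei: str) -> bool:
    imei = normalize_imei(imei)
    return (len(imei) == 15 and imei.isdigit()
            and luhn_check_digit(imei[:14]) == int(imei[14]))


def complete_imei(body: str) -> str:
    """Append the check digit when only the 14-digit body is known."""
    return body + str(luhn_check_digit(body))


def egmr_write_command(imei: str, slot: int = 1) -> str:
    """AT command string in the form the guide describes: space after AT, IMEI quoted.
    The +EGMR=1,7 (SIM1) / 1,10 (SIM2) indices are an assumption about MTK's command
    set (see lead-in); confirm against your own device before sending."""
    imei = normalize_imei(imei)
    if not is_valid_imei(imei):
        raise ValueError("refusing to build a write command for an IMEI with a bad check digit")
    index = {1: 7, 2: 10}[slot]
    return 'AT +EGMR=1,%d,"%s"' % (index, imei)


if __name__ == "__main__":
    sample = "490154203237518"      # sample value only, not a real device's IMEI
    print(is_valid_imei(sample), egmr_write_command(sample))
```

Run it with the IMEI from the back of the device or the box before touching the engineering menu; if the check digit does not match, the transcription is wrong and the network would reject the number anyway.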
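lsemprini's fallback route is to pull the boot partition, unpack it, edit the ramdisk (the /init.rc hack) and flash it back. The unpack step is mechanical once the layout is known, so here is an added example, my code rather than lsemprini's kitchen or any tool from this thread: it parses the v0 Android boot image header, splits kernel and ramdisk on page boundaries from the sizes in the header, peels the 512-byte MediaTek wrapper that MT65xx/MT67xx images usually put around each blob, and identifies the ramdisk compression. Assumptions: the MTK wrapper layout (magic 0x58881688, u32 size, 32-byte name, 0xFF padding) is from my own experience with these images, not from this thread, and the image the demo takes apart is constructed inside the script, not a real dump. Repacking and cpio editing are left to the usual kitchen tools.

```python
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# Android boot image header v0: magic, 10 x u32, name[16], cmdline[512], id[32], extra_cmdline[1024]
HEADER_FMT = "<8s10I16s512s32s1024s"
# MediaTek 512-byte sub-header magic (assumption: the common MT65xx/MT67xx wrapper, see lead-in)
MTK_MAGIC = 0x58881688


def page_align(n: int, page: int) -> int:
    return (n + page - 1) // page * page


def parse_boot_header(img: bytes) -> dict:
    """Decode the v0 header that occupies the first page of a boot/recovery image."""
    if len(img) < struct.calcsize(HEADER_FMT) or img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (too short or ANDROID! magic missing)")
    f = struct.unpack_from(HEADER_FMT, img, 0)
    names = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
             "second_size", "second_addr", "tags_addr", "page_size",
             "header_version", "os_version")
    hdr = dict(zip(names, f[1:11]))
    hdr["name"] = f[11].rstrip(b"\0").decode(errors="replace")
    hdr["cmdline"] = f[12].rstrip(b"\0").decode(errors="replace")
    if hdr["page_size"] not in (2048, 4096, 8192, 16384):
        raise ValueError("implausible page size %d" % hdr["page_size"])
    return hdr


def split_boot_image(img: bytes):
    """Return (header, kernel, ramdisk). Each blob starts on a page boundary, so the
    offsets follow from the header sizes; nothing is searched for."""
    hdr = parse_boot_header(img)
    p = hdr["page_size"]
    k_off = p
    r_off = k_off + page_align(hdr["kernel_size"], p)
    end = r_off + page_align(hdr["ramdisk_size"], p) + page_align(hdr["second_size"], p)
    if end > len(img):
        raise ValueError("header sizes exceed image length: truncated or corrupt dump")
    return (hdr, img[k_off:k_off + hdr["kernel_size"]],
            img[r_off:r_off + hdr["ramdisk_size"]])


def strip_mtk_header(blob: bytes):
    """MTK firmware wraps kernel and ramdisk in a 512-byte header (assumption, see lead-in):
    u32 magic, u32 payload size, 32-byte name (KERNEL/ROOTFS/RECOVERY), 0xFF padding.
    Returns (name or None, payload)."""
    if len(blob) >= 512 and struct.unpack_from("<I", blob, 0)[0] == MTK_MAGIC:
        size = struct.unpack_from("<I", blob, 4)[0]
        name = blob[8:40].rstrip(b"\xff\0").decode(errors="replace")
        return name, blob[512:512 + size]
    return None, blob


def ramdisk_kind(ramdisk: bytes) -> str:
    """Identify the compression so the right tool unpacks the cpio archive inside."""
    if ramdisk[:2] == b"\x1f\x8b":
        return "gzip"
    if ramdisk[:4] == b"\x02\x21\x4c\x18":
        return "lz4"
    if ramdisk[:6] == b"070701":
        return "cpio"
    return "unknown"


def mtk_wrap(name: bytes, payload: bytes) -> bytes:
    """Fixture helper: wrap a blob the way the (assumed) MTK sub-header does."""
    hdr = struct.pack("<II", MTK_MAGIC, len(payload)) + name.ljust(32, b"\0")
    return hdr.ljust(512, b"\xff") + payload


def build_boot_image(kernel: bytes, ramdisk: bytes, page_size: int = 2048,
                     cmdline: bytes = b"", mtk: bool = False) -> bytes:
    """Constructed fixture (not a real firmware dump): pack blobs into a v0 boot image."""
    if mtk:
        kernel, ramdisk = mtk_wrap(b"KERNEL", kernel), mtk_wrap(b"ROOTFS", ramdisk)
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, 0, 0x10F00000, 0x10000100, page_size, 0, 0,
                      b"", cmdline, b"", b"")
    pad = lambda b: b.ljust(page_align(len(b), page_size), b"\0")
    return pad(hdr) + pad(kernel) + pad(ramdisk)


def demo() -> dict:
    """Pack a constructed MTK-style image, then take it apart again."""
    kernel = b"\x7fELF constructed kernel"
    ramdisk = gzip.compress(b"070701 constructed cpio payload")
    img = build_boot_image(kernel, ramdisk, cmdline=b"console=ttyMT3,921600n1", mtk=True)
    hdr, k, r = split_boot_image(img)
    kname, kpayload = strip_mtk_header(k)
    rname, rpayload = strip_mtk_header(r)
    kind = ramdisk_kind(rpayload)
    return {"header": hdr, "kernel_name": kname, "kernel": kpayload, "ramdisk_name": rname,
            "ramdisk_kind": kind,
            "ramdisk_plain": gzip.decompress(rpayload) if kind == "gzip" else rpayload}


if __name__ == "__main__":
    d = demo()
    print(d["header"]["page_size"], d["header"]["cmdline"], d["kernel_name"],
          d["ramdisk_name"], d["ramdisk_kind"])
```

On a real dump, feed the file read from the boot or recovery partition to split_boot_image; the length check is what catches a short dd read, which otherwise silently produces an image that flashes fine and then bootloops.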
Wow, a lot to read there, but this has been the most helpful thing I have found so far related to rooting my phone model. Not sure why this thread hadn't appeared in my earlier Google searches even though this thread has already been around for three months. Anyway...
You said your device has an MT6735 SoC, can I ask which phone model you have? as that's the exact same SoC that mine has (LG K8), and you've managed to root yours.
Apparently trying to root an LG K8 with a one-click root tool has bricked a few people's phones, so I don't even want to give that option a try.
It seems the best method for me to try would be getting a working custom recovery onto my phone, then installing SuperSU, all after making a backup of course. Hopefully I won't need to resort to modifying files myself like you had done, I dunno if I'd be confident enough to either.
Thank you for such a thorough guide and explanation. Time to go look up custom recoveries~
lsemprini said:
The significance of this cannot be understated. For Android devices with other chipsets, there is of course some way to flash images (various tools referred to as "recovery console," "bootloader/fastboot mode," etc), but the chipset and manufacturers (even on some MediaTek MTK devices) try to ruin your day by:
locking your bootloader or recovery console so it can only flash images cryptographically signed by the manufacturer using secret keys, meaning you can't use them to modify your phone in the way you want,
providing you only with flashing methods that work if the certain partitions stay intact---meaning that if you make a certain kind of mistake, you may much more easily "brick" your phone so that you have no way of ever using it for anything but a doorstop.
I have an iBaby888 i6S+ Clone, MT6735, very good chip, hampered by bad design in the way the device's main storage is. Of course, I can fix this with a tool called "Reziser" which will open up that 2gb upper limit, BUT, I need to apply the zip from a Custom Recovery. But I can't INSTALL any Custom Recovery. Why? Because the bootloader is not only LOCKED: it is NON-UNLOCKABLE. "fastboot oem unlock" FAILS every time. I don't comprehend this idiocy of design, in a device that comes with a fake IMEI in the first place. Not to mention the device has issues with Google App updates which cause Play Store to stop working within 5 minutes of unboxing.
What do I do to unlock this? Or, better yet, is there a pre-made, unlocked Recovery ROM I can flash with SP Flash, that is 8.4mb or less? One of the reasons why TWRP fails is that it tells me that my boot.img or recovery.img are too big and will cause "overlap" - when I know that they are *not* too large. But I am thinking this failure is occurring because of the LOCKED state of my boot loader and stock recovery. And the Stock recovery is practically worthless.
Is there some kind of secret code or fastboot command I can apply to bust the crud out of this junk? This device COULD run as well as the device it is mimicking, if not for the 2gb main storage limit and locked bootloader that prevents all useful tools from being loaded. I can't even install Xposed, because the main binary has to be installed via Recovery, and it is also why SuperSU Me bricks the device, Kingroot is the only method of rooting it, and there is no working method of replacing Kingroot with SuperSU, all because of the locked issue.
I have a similar MT6582 device, I rooted it and installed CWM recovery, no sweat, using MTK Droid Tools. But oh yes! Guess what! There is NO version of the tool for 67xx's! And that device actually has a 4gb storage area, in that respect it's a better device, save for the very low-res screen (160dpi, my iBaby version is 320dpi).
So, you got anything I can try, I am only just learning now to work with Androids, I have been an Apple Jailbreaker for 5 years (which is why I love these clones). I had a similar issue with running out of system storage space on Apple devices too, but we use system folder stashing (symlinking to the larger user partition) to prevent our system storage from being stuffed full. I have noticed on my Samsung and other higher end androids, I am always given 8 to 16 gb of system storage. But these MediaTek devices, why in blazes are they only given 2 to 4gb of space. when the chip can handle so much more? I can only move so many apps to my card with Apps2SD, and if you move too many, the system does not run well.
Sorry for the rant, I have been up against brick wall city over and over today, I have tried a dozen tools that all failed to unlock my bootloader, all for the same reason, the default unlock method just doesn't work.
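X-weApon-X's TWRP image was refused as "too big", and later in the thread a recovery is described as larger than its allotted 6544kb. Whether an image fits is something the device's scatter file answers, since SP Flash Tool sizes every download against the partition_size it lists. An added example, my code rather than any tool named in this thread: a dependency-free parser for the MTK v2 scatter layout (the YAML-like "- partition_index:" entries) with two checks, does this image fit its partition, and do any two partitions in a region overlap. Assumptions: the field names follow the v2 scatter format as I know it, and the scatter text below is constructed for the example; its partitions, addresses and sizes describe no real device.

```python
import re

# Constructed sample in the MTK v2 scatter layout. Names, addresses and sizes are
# invented for the example and do not describe any real device.
SAMPLE_SCATTER = """\
- general: MTK_PLATFORM_CFG
  info:
    - config_version: V1.1.2
      platform: MT6735
      storage: EMMC
      block_size: 0x20000
- partition_index: SYS0
  partition_name: PRELOADER
  file_name: preloader.bin
  linear_start_addr: 0x0
  partition_size: 0x40000
  region: EMMC_BOOT_1
- partition_index: SYS3
  partition_name: LK
  file_name: lk.bin
  linear_start_addr: 0x1b00000
  partition_size: 0x80000
  region: EMMC_USER
- partition_index: SYS4
  partition_name: BOOT
  file_name: boot.img
  linear_start_addr: 0x1b80000
  partition_size: 0x1000000
  region: EMMC_USER
- partition_index: SYS5
  partition_name: RECOVERY
  file_name: recovery.img
  linear_start_addr: 0x2b80000
  partition_size: 0x1000000
  region: EMMC_USER
- partition_index: SYS9
  partition_name: SYSTEM
  file_name: system.img
  linear_start_addr: 0x3b80000
  partition_size: 0x60000000
  region: EMMC_USER
"""

_KV = re.compile(r"^(-\s*)?([A-Za-z_]+):\s*(.*)$")


def parse_scatter(text: str) -> list:
    """One dict per '- partition_index:' entry; values stay strings.
    '#' comment lines and the leading general/info block are skipped."""
    parts, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            continue
        dash, key, val = m.groups()
        if dash:                      # a dash starts a new block
            cur = {} if key == "partition_index" else None
            if cur is not None:
                parts.append(cur)
        if cur is not None:
            cur[key] = val
    return parts


def _num(v: str) -> int:
    return int(v, 0)                  # accepts 0x... hex and plain decimal


def partition_size(parts: list, name: str) -> int:
    for p in parts:
        if p.get("partition_name") == name:
            return _num(p["partition_size"])
    raise KeyError("no partition named %s in scatter" % name)


def check_image_fits(parts: list, name: str, image_len: int):
    """(fits, partition_size): the first thing to check when a flash is refused as too big."""
    size = partition_size(parts, name)
    return image_len <= size, size


def find_overlaps(parts: list) -> list:
    """Pairs of partitions in the same region whose address ranges overlap. A scatter
    edited to grow one partition without moving the next one shows up here."""
    out, by_region = [], {}
    for p in parts:
        if "linear_start_addr" in p and "partition_size" in p:
            by_region.setdefault(p.get("region"), []).append(p)
    for plist in by_region.values():
        plist.sort(key=lambda p: _num(p["linear_start_addr"]))
        for a, b in zip(plist, plist[1:]):
            if _num(a["linear_start_addr"]) + _num(a["partition_size"]) > _num(b["linear_start_addr"]):
                out.append((a["partition_name"], b["partition_name"]))
    return out


if __name__ == "__main__":
    parts = parse_scatter(SAMPLE_SCATTER)
    fits, size = check_image_fits(parts, "RECOVERY", 17 * 1024 * 1024)
    print("RECOVERY is 0x%x bytes; a 17 MiB image fits: %s" % (size, fits))
    print("overlaps:", find_overlaps(parts))
```

Point it at the scatter file that shipped with your stock firmware and at the size of the recovery.img you built; if the image is larger than partition_size, no bootloader state will make it flash, and the fix is a smaller recovery build, not an unlock.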
Aerieana said:
Wow, a lot to read there, but this has been the most helpful thing I have found so far related to rooting my phone model. Not sure why this thread hadn't appeared in my earlier Google searches even though this thread has already been around for three months. Anyway...
You said your device has an MT6735 SoC, can I ask which phone model you have? as that's the exact same SoC that mine has (LG K8), and you've managed to root yours.
Apparently trying to root an LG K8 with a one-click root tool has bricked a few people's phones, so I don't even want to give that option a try.
It seems the best method for me to try would be getting a working custom recovery onto my phone, then installing SuperSU, all after making a backup of course. Hopefully I won't need to resort to modifying files myself like you had done, I dunno if I'd be confident enough to either.
Thank you for such a thorough guide and explanation. Time to go look up custom recoveries~
Have you managed to root your LG K8?
LG K8
I see I'm not the only one wondering about rooting his/her LG K8. Let me know if you figure out something about it.
Would be good to see some tracking on which phones have had success before we buy the phone.... what do I best search for in choosing a cheap phone?
Alcatel Onetouch POP Astro 5042T MT6732
removed
some interesting information regarding flashing and rooting some MT67xx phones
removed
X-weApon-X said:
I have an iBaby888 i6S+ Clone, mt6735, very good chip, hampered by bad design in the way the device's main storage is. Of course, I can fix this with a tool called "Reziser" which will open up that 2gb upper limit, BUT, I need to apply the zip from a Custom Recovery. But I can't INSTALL any Custom Recovery, Why? Because the bootloader is not only LOCKED: it is NON-UNLOCKABLE. /fastboot oem unlock = FAILS every time. I don't comprehend this idiocy of design, in a device that comes with a fake IMEI in the first place. Not to mention the device has issues with Google App updates which cause play store to stop working within 5 minutes of unboxing.
I have the same device as you. I managed to get it rooted by using Kingroot & Kinguser APK here on XDA. Once that was done, I backed up the chinese bloatware to the sd card and removed them. I now have about 500gb free space on system as I moved most of my must have apps to the system/apps folder.
Google Play for me does not crash because I changed the space available. This I believe is the key, Google Play crashing was always because of low space. Mine has updated and I can still use it.
The only issue I have is that the 6735 is slow. I don't know if it's the cheap sd/emmc or lack of RAM, but the phone can get pretty slow. Now that I have root I can make changes here and there. I plan on opening it up and replacing the SD card with a faster one.
I've tried unlocking the bootloader and it failed for mine too. I may try one of these services that unlocks MTK bootloaders.
Still working on performance on mine but thus far I have removed 90% of the iPhone-esque apps and have all Android apps now, no more Apple looks...only lock screen and settings.
Chaos Storm said:
I have the same device as you. I managed to get it rooted by using Kingroot & Kinguser APK here on XDA. Once that was done, I backed up the chinese bloatware to the sd card and removed them. I now have about 500gb free space on system as I moved most of my must have apps to the system/apps folder.
When you removed those, did they leave an ugly icon on the springboard? What did you use to remove them, I used Apps2SD. I really want to know how to access the icons on the "Springboard", I don't know where they are in the Filesystem.
I created a TWRP recovery for mine, it's totally upside down, really difficult to manage, but the first thing I did when I booted, was to go into recovery and close it right away to install SuperSU. From there, it's easy. I can share the recovery.img I made. It's larger than the allotted 6544kb, I'm not sure if it is causing me any problems, it might be because of the larger size.
Google Play for me does not crash because I changed the space available. This I believe is the key, Google Play crashing was always because of low space. Mine has updated and I can still use it.
Did you use "Resize"? - I used that, and it increases UserData from 2gb to 4gb, that's as big as it gets. My Samsung GTAB3 has 12gb of UserData, that's adequate, I can install ALL of my apps to internal. But you can't install Resizer from anywhere than Recovery. Same with the Lollipop version of xPosed.
The only issue I have is that the 6735 is slow. I don't know if it's the cheap sd/emmc or lack of RAM, but the phone can get pretty slow. Now that I have root I can make changes here and there. I plan on opening it up and replacing the SD card with a faster one.
6735 is much faster than an MT6582, but any speed is cancelled out by the inordinate partitioning system. Just not enough ROOM. My GTAB3 seems much faster, but only because I have so much more free space even after installing 100 apps.
Replacing the SDcard Should be easy, I did it to my other clone, installed my Patriot card, which is the best card I've had. Be really careful, take the SIM slot out, unscrew the two bottom screws, then use one of the Apple Suction Cup tools to pull up from the Home/Touch ring. The entire assembly should pop right out. Be very careful! Flip it over, and unscrew all of the little screws. Take the audio assembly out from the bottom, and then you can probably see where the Card goes in if you pull up on the Motherboard, on mine it is right under the Front Camera. There is a little battery taped in there, untape that and you'll see a little Ribbon Cable, carefully take that off. The Card slot is right underneath, you can reach in with Tweezers and pull it out, then reverse the process putting the new card in. Of course, on the iBaby clone, it may be more like the Sophone, once you start pulling up on the Display, you will see if it's a full assembly or if the Display comes off. If that's the case, it's much easier to get to the Card slot, but you have to carefully remove the display.
One thing I noticed, without GAPPs it hauls arse. I was running it after flashing with Format+Download, after reboot, it has a *****in Android black logo on white, with a little "Bite mark" cut out of the side. I love that. here are the codes to add the Apple logo and GAPPs:
1. *#35741#*
2. *#15963#*
Choose the leftmost button on the first row.
Choose the rightmost button on the second row.
Tap on Reboot.
- That process will do a "factory reset" while Installing GAPPs, so don't install any apps before you do that.
I've tried unlocking the bootloader and it failed for mine too. I may try one of these services that unlocks MTK bootloaders.
There is no need to do it, if you install a Recovery, I can give you my image. Once you have TWRP installed, you can do everything.
Still working on performance on mine but thus far I have removed 90% of the iPhone esque apps and have all Android appsnow, no more Apple looks...only lock screen and settings.
I left the Camera, Calculator, "Facetime" = Skype, but I hate Skype so I removed the fook out of THAT. That damned "UC Browser" has to go, and the "Tips", "Watch" and "Stocks" are placeholders that do nothing. "Health" is Runtastic, but the Chinese version has SLife which is a better app. I backed all of the clone apps up with Titanium, but they are system apps, so I don't know if they can be restored, I'm trying to restore SLife now. Didn't go in. I'll try again later. But I'm wondering if when you uninstalled the crap apps, it left icons on your springboard.
Crap! I just tried to install Xposed, and FAILED because my 2GB System area is TOTALLY full, probably because of the GAPPS + the Crappapps. Now I have to get in there and delete the crap out of some serious stuff. The GAPPS apps are HUGE. I don't want them all, just Market/Google. Google Music was installed, I hate that and don't use it.
Oh Yah, if you find you want to block Google App updates, read down in this thread. This was about 2 months of research before I came up with this method, which worked until I flashed my device a month ago:
http://forum.xda-developers.com/group.php?do=discuss&group=&discussionid=4064
I just followed my own instructions, so we'll see how effective this is.
When I removed the apps I also removed the Home Launcher and replaced it with Google Home. However, after a few system edits it has started to crash, most likely because some of the system functions are tied to the home launcher, so I've reverted it back to semi stock.
I removed the apps by using Root Explorer and going to:
/system/apps , /system/priv-app, /system/vendor/operator/app, /system/app_ch, /system/app_en and cut & paste to the sd card. There is at least 600MB of space just in useless chinese apps.
If you have a TWRP to share that would be awesome.
Is there a way to backup the stock recovery just in case? To flash the new recovery do you do that via fastboot?
Thanks in advance!
So I spent some time today porting TWRP and got that working.
From what I've read from the TWRP thread, I would need to compile TWRP from sources to fix the rotation bug. I might do that if I have time.
Since CyanogenMod was released for another MTK6735 device, I am doing a quick and dirty port to see how well, if at all, it plays with the goophone, as CM would be awesome to have.
Chaos Storm said:
Since CyanogenMod was released for another MTK6735 device, I am doing a quick and dirty port to see how well, if at all, it plays with the goophone, as CM would be awesome to have.
Well, quick and dirty it was. Even though I double checked the META-INF and made sure everything was OK, the second attempt at porting resulted in a bootloop and no more recovery.
Anyways, I found the required firmware files on needrom and have gotten the phone back running. What's interesting is that on the previous build the dialer codes would not work, but now they do. Anyways, now that I have a rom for this phone, I can hack to my heart's content.
META Mode MT6753
Hi guys,
I spent a few hours trying to recover my bricked Ulefone Paris via SP Flash Tool and going into META mode.
Problem is: the device isn't recognized any more after a flash with a wrong preloader (OK, it was an official ROM, but anyway..). But how does META mode for the MT6753 chipset work?
I've tried several combinations (Volume +, Volume + and Power, Volume -, etc.) when connecting it via USB to my PC running SP Flash with the correct image, but the device manager shows no new device.
Before the false flash it worked perfectly....
So is there another possibility to flash this device via META mode, or is there another key combination for META mode?
Thanks!
A huge thank you for being the only one out there to clearly articulate the issue that is specific to the MTK chipset and SP Tools version that needs to be used. I waded through so many forums to find this very useful info. Appreciated.
Excellent and very thorough explanation by lsemprini :good:
For the uninitiated, then, the takeaway is that you should trust the apps like Kingoroot, etc. that promise to brick your phone in 1 click; you have a very good chance of achieving exactly that.
So I'm joining the team of those of us who have a cheaply bought MediaTek MT6750, but one with 3 GB of RAM and 32 GB of ROM + card slot.
But I'm one of those who likes to have root on my phone, and I see that I'll have to wait.
For developers, I've seen this site with information that I found interesting: http://www.ayudaroot.com/general/conseguir-archivo-scatter-cualquier-dispositivo-mtk/
Please post any news.
Cheeeeeers!
Root for all Meizu
Hi guys!
Good news for owners of Meizu devices.
No third-party apps are needed, and there is no risk of turning our toy into a brick, since Meizu provides superuser rights from the device itself. It may vary by model; specifically on the one I have, the Meizu M5, it is as simple as going to:
Settings > Fingerprint and security > Superuser permissions. You can also choose which kinds of apps will have superuser rights and which won't.
On other models it is done from the "My flame" account, which is the ROM Meizu uses on Android.
Click My Flame > to access more account settings > in Personal Settings, at the bottom you will see the option, with another click > open > system privileges
And that's all, folks! Simple and uncomplicated, as it should be!
Once we have root privileges on our Meizu, I'd like to know if anyone knows how to downgrade from Marshmallow to KitKat, since I don't like 6 at all; for me, the best is 4.4.4.
Bye!

ultimate rooting flashing ..............etc

Android and iOS are the most popular mobile operating systems on the market. Both offer a variety of apps and settings but, eventually reach their limits at a certain point. Rooting or Jailbreaking your phone (or tablet) will offer you thousands of tweaks, skins and new apps that you should not miss out on. It will also help you to remove bloatware.:laugh:
Android Launchers and lock screen widgets are great tools to customize your Android experience without rooting your device. You are also able to root your device and customize it with a launcher and widgets afterwards. If your Android device is rooted but you don't want to flash a custom ROM, Xposed Framework might be the perfect solution for you. You are, however, also able to add new features to your custom ROM with Xposed. With the release of Android 5.0 Lollipop Google replaced the former Dalvik cache with ART. Luckily, Xposed was adapted to Android 6.0 Marshmallow.
This guide is based on Google Nexus devices, but most of the things also apply to other Android devices. Some might require more work while others can be rooted quite easily, but in the end it’s no rocket science. Rooting and customisation is especially easy on Nexus devices as factory images are freely available on the Google website. However, many other popular devices like the can easily be restored using different tools available on XDA developers. I would suggest to have a quick look at the forums and I’m pretty sure that you’ll find help for your device.
Android Rooting Terms You Should Know
Before we get started, I would like to explain a few terms because the terminology can get complicated and confusing. This will help you to understand other device specific guides. I’ll try to keep it short and not go into (technical) details. Please share any questions regarding this in the comments below – I’ll do my best to answer them.
ART
ART stands for Android Runtime and replaces the formerly used Dalvik cache. It was introduced in Android 4.4 and has completely taken over in Android 5.0. I don’t want to go too deep into technical differences, but ART is said to improve battery life and app performance, amongst others.
Bootloader
The Bootloader is your phone's software foundation. It's basically what runs before your operating system starts (like a PC's BIOS). As many manufacturers don't want you to modify your phone's OS, it needs to be unlocked before you are able to root your phone or install custom ROMs (explained later).
Brick
This is something you don’t want to happen to your Android device. Like the name already implies, a bricked phone (or tablet) can only be used as a paperweight or nice decoration for your apartment. Bricked devices are irreversibly damaged and won’t work anymore. This can, for instance, happen if damaged ROMs are installed or wrong firmwares are flashed. Always make sure to read instructions and verify checksums (a set of numbers that identify the file) to make sure nothing goes wrong. If you’re lucky and your device is only soft-bricked, meaning that it does not boot but still turns on, you might be able to get it back to life.
BusyBox
Android, being based on Linux/Unix, offers a limited amount of UNIX commands (which most users won’t need anyways). BusyBox will implement more commands that are necessary for some root apps to work properly.
Custom ROM
A custom ROM is a modified version of the Android operating system. Tweaks, additional features, different themes or an enhanced performance are usually included. Custom ROMs also offer the possibility to use a newer, unreleased, version of Android on your phone that might usually not be available for your device because of restrictions from manufacturer or providers.
Dalvik
Dalvik is a virtual machine that processes Android app code. Consequently, it is responsible for translating app code into actions on your Android device.
Fastboot
Fastboot is a diagnostic- and engineering tool which offers you several features such as launching in recovery mode or flashing image files.
Kernel
The kernel is the brain of your phone that controls how the system and hardware interact. It’s basically the lowest level of your operating system that manages memory and hardware.
NAND partition
NAND stands for “Negated AND” or “NOT AND” and describes the hard drive partition that stores all system relevant information like the bootloader, recovery mode or the kernel.
NANDroid backup
A NANDroid backup is a complete system backup of your Android device. This backup can be restored later and might save your phone after flashing a faulty ROM or theme.
Radio
The radio is responsible for sending and receiving voice and data. Using an optimized radio can improve your phone’s reception or increase battery life.
Recovery Mode
Recovery mode offers you the possibility to perform system-level tasks (like formatting, defragmenting, etc.), back up your device or install custom ROMs. Android offers a limited stock recovery function. More sophisticated recoveries like ClockworkMod Recovery and TWRP Recovery offer additional features and are easier to use.
Root
Rooting will give you full administrator access of your device. It might also void your warranty (depending on the device and your place of residence), so make sure to handle your device with care after rooting it. You are always able to revert this process by simply flashing a stock-ROM (the original ROM installed by your phone’s manufacturer). Doing this will also “restore” your warranty.
S-OFF
S-OFF means that the NAND partition of your Android device is unlocked. This mostly applies to HTC phones.
Superuser
Rooting your phone will create a new “account” with complete administrative permissions. This superuser account is used by some apps and functions.
Xposed Framework
Xposed Framework is an app that can be installed on a rooted Android device which offers custom ROM like features on stock Android. It has been updated and is now fully compatible to Android 5.0 and Android 6.0.
5 Reasons to root
With Android becoming better and better, many people ask themselves if it’s still worth rooting. For example, you’re not able to use Android Pay if your Android phone is rooted. The same applies in other cases, where App developers decide to not support rooted devices for security reasons.
In addition to that, Android M will come with many features like “Doze” which basically replace root apps such as Greenify. So what exactly are reasons to root in 2016?
You have an old(er) Android device. With root access, you’re able to flash a custom ROM with the latest version of Android. Because of this, you don’t rely so much on your device manufacturer to keep you up to date.
AdAway. While I’m all-in for supporting developers, some apps don’t offer an ad-free paid version. With AdAway you’re able to get rid of all unwanted ads which is simply not possible without root.
Titanium Backup. Android M will bring Auto Backup for Apps, but unfortunately it's still up to the developer if he/she wants to implement it or not. Titanium Backup is a simple but powerful tool that backs up simply everything.
Change DPI. With many devices coming with high-res displays nowadays, some people prefer to have more screenspace than big app icons. While changing DPI can also be done without root, it often breaks different apps.
Remove bloatware. This one is easy. Remove all the crap your mobile carrier put on your device. Who doesn’t want to do this?
How to Fully Backup Your Device Without Root
If your Android device is not rooted yet, you won’t be able to perform NANDroid backups. I wouldn’t suggest to root your tablet or phone without having a proper backup, because there is always a chance of error and you don’t want to brick your device.
Simple ADB Backup lets you create a full backup of your device without root access and is the perfect solution for users without root access. The free program also offers a restore function and runs on Windows and Linux.
If you’re already rooted, make sure to check out our guide on performing a NANDroid backup.
How to Root Your Android Device
The rooting process differs from device to device which makes it impossible to give general instructions on rooting here. I’ve linked guides for some of the most popular devices below. Using the terms described earlier should make the rooting process easier for you. If your phone or tablet is not on the list, you most certainly can find a guide on the XDA-Developers forums.
Google Nexus 4, Nexus 5, Nexus 7 and Nexus 10
Google Nexus 6P
Google Nexus 5X
Oppo OnePlus 2
Samsung Galaxy S6
LG G4
Samsung Galaxy Note 5
Always make sure to perform NANDroid backups of your devices to be able to restore your phone or tablet to a working state. I would also recommend to validate checksums and carefully read through the instructions to avoid bricking your device.
Most Important Fastboot Commands
When confronted with Android rooting, you often have to work with fastboot. Fastboot is part of Google’s Android SDK and is mostly used to re-flash partitions on your Android device, similar to (custom) recovery mode. You usually use fastboot in the following manner:
fastboot [ <option> ] <command>
Here’s a list of all options and commands:
Options
-w erase userdata and cache
-s <serial number> specify device serial number
-p <product> specify product name
-c <cmdline> override kernel commandline
-i <vendor id> specify a custom USB vendor id
-b <base_addr> specify a custom kernel base address
-n <page size> specify the nand page size. default: 2048
Commands
update <filename> reflash device from update.zip
flashall flash boot + recovery + system
flash <partition> [ <filename> ] write a file to a flash partition
erase <partition> erase a flash partition
getvar <variable> display a bootloader variable
boot <kernel> [ <ramdisk> ] download and boot kernel
flash:raw boot <kernel> [ <ramdisk> ] create bootimage and flash it
devices list all connected devices
reboot reboot device normally
reboot-bootloader reboot device into bootloader
Now that we’ve covered all existing fastboot commands and options, let’s have a closer look at the most important ones and what they do / mean:
fastboot oem unlock
This is a special command and not part of the initial list. Using this command, you can unlock the bootloader for Google Nexus devices.
fastboot flash recovery recovery.img
This command will flash a custom recovery to your Android device. Replace recovery.img with the file name of the image you downloaded. Please note that this only works with *.img files.
fastboot -w
Caution: This command will completely wipe your device (userdata and cache).
fastboot update filename.zip
This command will update your ROM based on the provided *.zip file.
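The guide recommends validating checksums before flashing; the following added example (not from the original article) wraps fastboot flash so that it only runs once the file name and the SHA-256 digest check out. It assumes sha256sum or shasum is on the PATH and that FASTBOOT can be pointed at another command (such as echo) for a dry run without a device.

```shell
#!/bin/sh
# Added example: checksum-gated wrapper around "fastboot flash <partition> <image>".
# Assumptions (not from the article): sha256sum or shasum is installed, and the
# FASTBOOT environment variable may override the fastboot binary for dry runs.

# Print the hex SHA-256 digest of a file, using whichever tool is available.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# flash_checked <partition> <image> <expected sha256>
# Returns 2 if the file is missing or is not a *.img (fastboot flash only takes
# raw images), 1 if the digest does not match, otherwise runs fastboot flash.
flash_checked() {
    partition="$1"
    image="$2"
    expected="$3"
    fastboot_cmd="${FASTBOOT:-fastboot}"

    case "$image" in
        *.img) ;;
        *) echo "refusing: $image is not a .img file" >&2; return 2 ;;
    esac
    [ -f "$image" ] || { echo "refusing: $image not found" >&2; return 2; }

    actual=$(file_sha256 "$image")
    if [ "$actual" != "$expected" ]; then
        echo "refusing: checksum mismatch for $image" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    "$fastboot_cmd" flash "$partition" "$image"
}

# Usage when run directly: sh flash_checked.sh <partition> <image.img> <sha256>
if [ "$#" -eq 3 ]; then
    flash_checked "$1" "$2" "$3"
fi
```

The expected digest comes from the ROM or recovery download page; a mismatch means a corrupt or tampered download, and the wrapper then never reaches fastboot.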
Custom Recovery Mode
The standard Android recovery mode is very limited and does not offer many features. That’s where replacement recoveries like Team Win Recovery Project (TWRP) and ClockworkMod Recovery (CWM) come into play. They offer the possibility to flash custom ROMs, which is not possible with the stock recovery mode. Other features include a file browser for update.zips, an adb shell and NANDroid backups. Without a custom recovery you won’t be able to flash a custom ROM.
It does not really matter which replacement recovery you install, just go with the one that suits you most. In some rare cases the root script or custom ROM installation only works with either TWRP or CWM. Nowadays, TWRP is the king of custom recoveries and would be my suggestion for you to use.
TWRP – Team Win Recovery Project
Team Win Recovery Project‘s custom recovery offers an easy and touch driven user interface. It includes all typical recovery features needed to install custom ROMs, kernels, other tweaks and many more. You are also able to backup and restore your device using TWRP.
ClockworkMod Recovery – CWM
ClockworkMod Recovery used to be one of the most popular custom recovery modes. However, in the last 2 years TWRP took over the throne and became the most popular recovery. It also includes all advanced recovery features like installing custom ROMs and other files, as well as a backup and restore function. You can control the CWM UI via touch or key-input.
Understanding Custom ROM Versions
As Custom ROMs are constantly improved, they usually come in four different categories: Nightly, Milestone, Release Candidate and Stable. This is what you can expect in every stage:
Nightly
Nightly versions are usually generated every 24 hours and can be highly experimental and unstable. Especially early versions of a new custom ROM can have many bugs and missing features. If you want to have the latest features while risking instability – go for nightlies!
Milestone Snapshot
Milestone Snapshots are basically nightly versions that have reached a certain milestone. They can be regarded as being quite stable, but may include certain bugs and issues. Since they are only created every few weeks (or months), they won’t have the latest features that might be included in the nightly versions. If you are looking for the latest features while having a rather stable system, check out milestone snapshots.
Release Candidate
Release candidates, as the name already implies, are one of the last builds before the stable version of a custom ROM is released. RCs are mostly stable but might have a few minor issues. If you’re looking for something stable and ready for daily use, I would recommend to go with release candidates!
Stable
Stable versions are (obviously) the most stable versions around, with all or nearly all problems fixed. Some stable ROMs may still include some smaller issues or certain things not working. Stable versions are definitely the safest way to go, but it might take months before a new stable with new features or fixes is released.
Official, Unofficial & Combined Releases
It is also important to say that custom ROMs are often available as official and unofficial releases. The latter use the source code of the official release (if publicly available) and adapt it to devices not supported by the main developers. Unfortunately, this often leads to a delay. In addition to that, many developers combine features of different custom ROMs.
Custom ROMs
Custom Roms offer you a variety of new features, tweaks and visual enhancements. The best source to find a working one for your device is the XDA-Developers forum. Many custom ROMs are based on the two big releases: CyanogenMod and Paranoid Android. The easiest way to find the best custom ROM for you is to compare their features or simply test them for a few days. To make your start easier, I’ve written a few words about the major custom ROMs below.
I’m only able to give you a limited overview in here. If you really want to dive in I would recommend checking out your device specific sub forums on XDA developers. With Android modding becoming more and more popular, you’re often able to find many different custom ROMS for your device, especially if it’s one of the more popular phones or tablet.
CyanogenMod
CyanogenMod looks very similar to stock Android, but offers several enhancements and tweaks. Besides increased system performance and reliability, it includes many interface enhancements and integrated features. CM is one of the most popular custom ROM solutions as it brings a stock Android experience to many devices that come with a heavily-skinned Android version such as LG or Samsung Galaxy devices.
CyanogenMod Features
OpenVPN integration
Lockscreen gestures
Expanded quick settings
DSP equalizer
Complete Theme engine including own theme store
Wi-Fi, bluetooth, and USB tethering
CPU over- & underclocking
Based on Stock Android
Latest CyanogenMod Version
CyanogenMod is usually up-to-date and uses the latest Android version. The latest version available is:
CM 13.0 – based on Android 6.0 Marshmallow
A quite unique feature of CyanogenMod is its installer, which makes installing the custom ROM quite easy. Besides flashing the ROM it will also root your Android device and will guide you through the whole process. Unfortunately, the installer is currently only available for Windows.
CyanogenMod is available for the majority of popular Android devices. You can find a list of supported devices on the CyanogenMod website.
BlissRom
BlissRom is a new kid on the block. They basically take CyanogenMod as a source and add some magic to it. While updates are not as frequent as with CyanogenMod, the team covers the most important stuff and usually releases up-to-date builds.
BlissRom Features
Based on CyanogenMod (= all of its features)
Audio Improvements
Endless list of visual improvements
Global gestures
Modified power menu
Latest BlissRom Version
The latest BlissRom version is based on CM 12.1 and is called BlissPop and still running Android 5.1.1.
BlissRom is available on a range of devices. You can find a list here.
ParanoidAndroid
ParanoidAndroid is completely different from CyanogenMod and one of the “newer” custom ROMs out there. It’s currently my favorite custom ROM as it’s fairly close to stock Android while adding cool features like Peek and Hover. Next to CyanogenMod it seems like PA is king in the custom ROM scene. Unfortunately, the team only supports a small range of devices (Google Nexus & Oppo, OnePlusOne). There are, however, so-called Legacy versions available which support other devices.
ParanoidAndroid Features
Floating notifications & multitasking
Hidden Navigation PIE mode
UI customization
Gesture controls
CyanogenMod themes support
I was running PA on my Nexus devices and really loved it. It’s stable, fast and battery life is great. I can highly recommend this ROM.
Latest ParanoidAndroid Version
The latest PA version is based on Android 5.0 Lollipop. PA usually works with nightly versions that are quite stable and frequently updated. Unfortunately it has not been updated to Marshmallow yet. It also seems like the official version for Oppo devices is maintained more frequently than the legacy versions.
ParanoidAndroid Availability
An overview of officially supported Google Nexus, OnePlusOne and Oppo devices can be found here. Legacy devices are listed here.
Device-specific custom ROMs
The custom ROM scene has moved in a certain direction over the last year, especially with stock ROMs including more and more features. As device manufacturers often don’t publish official drivers, custom ROMs like CyanogenMod are not able to support all features. Because of this, custom ROMs are increasingly being adapted to specific devices, and I cannot give a good recommendation for all devices. I would personally suggest either going with the big players like CyanogenMod or looking for a popular device-specific ROM. The XDA Developers forums should do the trick for that.
Flashing Custom Kernels
Kernels are the brain of your Android device and communicate between software and hardware. Therefore, they are responsible for managing things like CPU / GPU clocking speed, screen sensitivity / colors or voltage. By using a custom kernel you can not only improve battery life, but also increase system performance.
Many custom ROMs already come with their own kernels. This is done to implement software communication of the custom ROM with the hardware of the device and also to ensure better performance. Nevertheless, you are often also able to flash custom kernels on top of custom ROMs. If you decided to stick to a rooted version of stock Android, flashing a new kernel can offer you additional performance with the convenience of a stock OS. Unfortunately, there are no “big” kernel releases that work for multiple devices and it’s hard for me to give any suggestions here. I would suggest checking the dedicated XDA-Developers forum for your device.
After downloading the custom kernel, you usually have to reboot to recovery and flash it from there. That’s it! Always make sure to check compatibility of the kernel with your ROM and device, because flashing a wrong kernel can brick your phone!
Apps
Rooting your Android device will offer you many benefits. Besides the features mentioned above, you can also install great apps that require deep access to the system. Using them on an un-rooted device is not possible. Below I’ve listed a few apps that I like and use on an everyday basis. Feel free to share other apps in the comments section below!
Titanium Backup
Titanium Backup is a great backup tool for Android devices that offers tons of features. It provides the possibility to backup your data, settings and apps. Scheduled backups are also available. The paid pro version offers lots of great features like syncing backups with cloud-based storage providers such as Dropbox, Google Drive or Box. In my opinion this is one of the best root apps and a must-get. Especially if you’re a flash-a-holic, performing and restoring quick backups of all your apps (incl. settings and save games) is really easy and convenient with Titanium Backup.
ROM Manager
When you constantly switch between custom ROMs, ClockworkMod’s ROM Manager is one of the essential apps to get. Besides flashing ClockworkMod recovery, it will help you to organise and install your custom ROMs and back up your Android device. The paid premium version includes additional features like automatic backups, web connect and incremental ROM downloads.
AdAway
I struggled a little bit when deciding whether to include AdAway or not, because it’s great for users but bad for app publishers and marketers. Google removed it from Google Play but you can still get it on the AdAway website. Like AdBlock Plus on your computer, the app modifies your Android device’s hosts file to prevent apps and browsers from displaying advertisements. This will not only improve your app usage experience, but also increase battery life and decrease mobile traffic. Be fair and purchase paid versions of apps or donate a small amount to developers to make sure they will keep on programming great apps!
Google has recently begun to remove certain apps that violate their distribution agreements from Google Play. If you’re still interested in installing AdAway, please refer to the AdAway website.
Xposed Framework
Xposed Framework is a great app that offers the possibility to add features to your Android devices without flashing a custom ROM (or in addition to it). You’re able to install modules which offer visual customisation or battery improvements, amongst others.
Greenify
Greenify is a great app to improve battery life and system performance because it puts selected apps into hibernation mode. Not having tons of apps stored in RAM or running as system processes will make your Android device faster and improve your user experience. Please refer to the full review for more information.
Frequently Asked Rooting Questions
1. How can I restore stock Android?
To get back stock Android, simply flash a stock ROM suitable for your device. This way you’ll get an unrooted, stock Android version with restored warranty.
2. What happens to my settings, contacts and apps when I install a custom ROM?
It’s always recommended to wipe your device before installing a custom ROM for the first time. If your Google account is linked to your phone, contacts, emails and apps will automatically be downloaded after launching the custom ROM and logging in to your Google account. You can backup your settings with apps like XYZ.
3. How can I upgrade a custom ROM?
Most custom ROMs offer an update function, some directly integrated into the OS, others using a specific app. You can also use ROM Manager to update certain custom ROMs.
4. Is it possible to just root a phone and not install a custom ROM?
Yes, simply use a stock ROM and root it. If you update it, your root-access will be gone, though.
5. Do I need to go step-by-step to upgrade my Android device or can I directly go to the latest version available?
You can usually simply flash the latest ROM and are good to go. Custom ROM updates usually come in a full package, meaning that you have to download the complete ROM to update it. The downloads are usually about 100-200 MB.
6. Is there a special order to flash a ROM or kernel?
I would suggest flashing the ROM first as they often include their own custom kernels. Afterwards, boot your phone with the custom ROM, go back to the recovery mode and flash the kernel. Also make sure to check whether your custom kernel is supported by the ROM.
7. Can I update or change certain parts of Android without flashing a ROM?
Not in terms of getting a newer Android version. However, you should have a look at Xposed Framework as it brings many custom ROM features to your Android installation.
8. Do I have to downgrade my phone to flash ROM XYZ?
No – as long as your bootloader is unlocked and you have a custom recovery installed. With some devices, you need to downgrade to be able to do that. Custom ROMs usually don’t require a certain Android version because everything OS-wise is overwritten anyways.
9. Is there a custom ROM for my phone / tablet?
I would recommend to head over to the XDA developers forums and perform a search query there. If you’re using one of the popular devices there are usually many custom ROMs available. You can always check out Xposed Framework to add some more features to your Android device if no custom ROM is available.
Final Words
Do you have any questions about the rooting process, custom ROMs, tweaks or apps? Do you maybe want to share other great apps that I might have forgotten? Feel free to do so in the comments below!
I am interested in rooting my android but do not know how to begin and how to identify my LG
how to know whether the recovery image in working or not without flashing on android
how can I create a virtual android environment that mimics my android kernel and os. So that I can flash recovery on virtual android without damaging my physical device........please help me. I am new to this :crying::crying:
sai2698 said:
how can I create a virtual android environment that mimics my android kernel and os. So that I can flash recovery on virtual android without damaging my physical device........please help me. I am new to this :crying::crying:
you can use virtual box on PC
just get a tutorial on internet
monterlarge said:
I am interested in rooting my android but do not know how to begin and how to identify my LG
just google your device and search for the compatible ROM
EASY PEASY
sai2698 said:
how can I create a virtual android environment that mimics my android kernel and os. So that I can flash recovery on virtual android without damaging my physical device........please help me. I am new to this :crying::crying:
Use virtual box

My devices have been hijacked...Im just getting up to speed and need help ANDROID!1!

Hey folks. I've a pickle. Several of my friends and associates, all from different walks of life, here in OKC, Ok, are the victim of software exploitation...let me explain...
I'm a computer - I.T. guy.. have a history involving Unix and LInux Distro's and have avoided Android until recently.
Currently my devices have been hijacked. Running processes include:
Google Framekework
Wi-Fi Direct
Sim contacts
Launcher 3
QcrilMessageTunnelService
I've a cheap pre-paid verizon Alcatel 5905s Due to my Premium Devices being hacked
It has
Android 8.1.0 I cant update
Kernel 3.18.71
3d5xufx1
Baseband 7Genns Pack1.201905.1.236923.1
My other devices will run 15 or more services within Googleplayservices.... The Apk versions of these packages like: GoogleplayServices, Android Auto, Facebook Manager (I don't use it btw), etc..all ridiculous permissions include root access and such....
My bluetooth, cameras, wi-fi - are all being turned on by the apps permissions and need help. Again I'm familiar with the Android System a bit - having an I.T. and Unix/Linux background I can come up to speed quickly....
Technology - especially opensource technology should never EVER be used like this. I have encountered a problem which effects a lot of good people. Regardless of their goodness badness or whatever - no one should ever use technology in this way....
My questions are:
Some of my friends and their devices have custom roms === How can I remove them? J3 x2 J7, A10. A11, Alcatel 5095s, LG 322DL and AQT 100 tablet to start....
Each of the above programs utilize Googleplayservices to have extremely stupid permissions and their corresponding related apps....
Im even giving numbers for anyone to call: 4zerofive921sixfour49 Wade and 405eighthtreeefour30sevenzero chris
if you can help...please do....
Why not simply on hijacked devices re-flash their Stock ROM to get rid of the installed Custom ROM?
Although Android is based on a modified Linux kernel, it has nothing in common with Linux: the Android Framework, which is based on Java APIs, is the interesting part.
And: Nobody is forced to make use of Google Play Services / Google Services Framework: Custom ROMs like LineageOS don't have them built-in.
jwoegerbauer said:
Why not simply on hijacked devices re-flash their Stock ROM to get rid of the installed Custom ROM?
Although Android is based on a modified Linux kernel, it has nothing in common with Linux: the Android Framework, which is based on Java APIs, is the interesting part.
And: Nobody is forced to make use of Google Play Services / Google Services Framework: Custom ROMs like LineageOS don't have them built-in.
Ok. Please let me in on this. It's intriguing. First I know little of Java but have started to begin learning development basics...so my questions are...
So I have an LG322dl....there seems to be no good info on ROMS my way...but then again these "apps' prevent me from looking at things that counter their functions....
I have ADB /Fastboot - and run Ubuntu 20.04. There's a J7 that I tried to Flash but Heimdall didn't work and don't know where else to turn... There's also the Alcatel 5059s
I have 2 J3's the J7 an LG 322Dl and a Sam A11...I have read what is on here on each of the items. Basically I am told the LG no one can flash...(I don't believe it) the Alcatel is a headache because I can't get any solid info...the A11 is now Google Locked, and the Samsungs the original Flashing with Heimdall doesn't do squat.....
Now all I understand are probably basics to you... If you got an issue you can flash your phone with the MF's Factory Build...but if your bootloader is locked, say - like on my A11 - I can't bypass for ****. I tried every which way 30 plus hours.... nothing... and it had my original fingerprint!
Also, the methods for each of my devices listed by users here and elsewhere just don't seem to work...
Can you please....explain to me the process to flash and or install a custom rom please?
thanks
Can't guide you: never have flashed a Custom ROM, because it never was necessary to do it.

General (OPEN DEV) BruteRoot - A collection of Root Tactics (Possibly Force Bootloader unlock on NA Samsung S22?)

Devices & Linux Versions I or other Testers have Successfully Gained Root on:
(Likely All) MTK CPU Based Android devices UP TO 11 (Maybe 12? I haven't tested) (I.e LG, Sony, Select Samsung devices)
Android Devices with LINUX KERNEL VERSIONS - 5.8 - 4.14 - Maybe More? (Needs Testing)
-THIS GUIDE IS NOT BEGINNER FRIENDLY - BASIC UNDERSTANDING OF PYTHON, UNIX/LINUX ETC WILL BE REQUIRED!-
If you have been holding off updating your device, well here's some good news, your device may still be vulnerable to a method to gain root access (and subsequently, possibly the ability to edit Build.prop and therefore allow the ability for OEM unlocking on USA based devices.) <- correct me if I'm wrong, but this should be possible, and once done, should persist across updates, correct?
As of the time of writing this, there is not currently a simplified APK method, but, still this process is relatively straight forward.
A lot of the methods used HAVE been patched from what I understand, but there have got to be plenty of devices out there still which are not updated. This project aims to compile all current, former and future Root methods into an APK that will do all the leg-work. If it's able to find a working method, the GUI will pop a root shell for the end user. This SHOULD work, regardless of the setting of the "OEM UNLOCK" option in the dev options. A bypass, essentially.
Regardless, The project linked below uses a myriad of known exploits & vulnerabilities and looks to find one that will work.
Methods used are:
Nearly all of GTFOBins
Writeable docker.sock
CVE-2022-0847 (Dirty pipe)
CVE-2021-4034 (pwnkit)
CVE-2021-3560
It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More methods to root will be added over time too.
There is also an alternative (Dirty Pipe) injection method the uses @topjohnwu 's Magisk , this should be implemented into the apk. See this Github repo, Here.
I would imagine this could be implemented in a way to target devices that have stopped being supported for updates, as well, that do not have TWRP, such as the SM-T307U.
One big note - I am betting there are still A LOT of devices that are in inventory at retailers that remain on the vulnerable OS. So keeping that in mind, I'd say this is worth building.
What needs to be done:
TESTING!
Build APK - HELP NEEDED WITH THIS!
Deploy
Main Goals:
Get bootloader unlock ability for devices normally not unlockable (I.e North American Samsung Galaxy S22, Etc)
Above can be achieved by getting temp root via methods detailed here or otherwise, then editing build.prop, altering the below settings (The settings may be worded differently or simply not present at all, depending on device and Firmware version):
sys.oem_unlocking_allowed to 1
ro.oem_unlock_supported to 1 (most devices are set to 1 by default.)
ro.boot.flash.locked to 0
ro.secure to 0
ro.debuggable to 1
I think there may be one or two more that pertain to Flash.locked. I.e flash.locked.other--or something very close.
Locally, gain temp root (System preferred, but any root will do.) on as many device types as possible.
Give device control back to end user.
Stay up-to-date on new exploits for root access & update apk accordingly.
STAY ETHICAL!!!! This is, in the end, a research project. Meaning all work performed in the context of this project could result in a damaged or bricked device. By participating in this project you acknowledge these risks and accept them, and agree to not hold me, XDA, or anyone else responsible if you do some dumb ****. - k0mraid3
Github Project link: HERE for my fork & HERE for the original project.
My fork will incorporate the original project, as well as other found root access methods, such as the magisk injection method mentioned above - my repo is mainly used as a hub for the APK's dev - i don't have enough time to work on it at the moment but all are welcome to help.
July 15th 2022 (UPDATE) (SAMSUNG DEVICES ONLY): A new Escalation method has been found via the Galaxy app store (Versions BEFORE Galaxy Store 4.5.41.8). No details known yet, but it is said to be very easy. See CVE-2022-33708 (July132022). Unknown if downgrading the app to 4.5.0.0 will enable the method again or not.
Cred: liamg
One method to run Traitor on device - Thanks @DevinDking for sharing this.
Steps to get script on phone.
//
#!/bin/sh
set -e
dir=/data/local/tmp
adb=${adb:-"adb"}
# This puts the file on the phone; run this from the directory where traitor is located
$adb push traitor ${dir}
$adb shell chmod 755 ${dir}/traitor
//
Now to run the script, start a new terminal
//
#!/bin/sh
set -e
dir=/data/local/tmp
adb=${adb:-"adb"}
# Opens a shell on the device and starts the script from there
$adb shell ${dir}/traitor
//
But I assume this wouldn't work right, and isn't right.
Idk trying my best here xD
Tools & References:
Linux (and Android, FTMP) Privilege Escalation Techniques
Dirty Pipe - Magisk Injection
Traitor - Main Repo
GTFOBins
CVE Database (Public Database for exploits, vulnerabilities, etc.)
Windows Subsystem For Linux (Great for Dev)
ADB App Control - Cred @Cyber.Cat
Leaked Samsung Source Code ***Mod Edit: Link Removed***
Crontab Root Template script (File Attached - you still must edit crontab with "crontab -e" and point it to this file, see comments for guide, I will add one to post later)
Android Image Kitchen Used to create custom image's etc.
MTK Client
MTK Meta Utility (Source-???)
Will add more as time goes on and more found.
Interesting Attack vectors -
GFX Components of a system.
Issues with Linux itself (i.e Dirty Pipe)
Privilege escalation via any means (I.e GTFOBins)
unprotected system process - Hijack them if possible (i.e RILService Mode, and a wide range of other OEM apps left on devices after ship)
7/24/22 - Samsung, LG & Other OEM's obfuscating (Intentionally Hiding) Fastboot and ADB Bootloader interfaces on PC
So over the last week or so I dived head first into USB Dev - I'll save you the time and sum it up.
Vendors and OEM's are actively obfuscating the USB connection between your smartphone and the PC to keep you from Rooting. As far as I'm aware, there is no Universal way to fix this as each OEM screws with the USB drivers differently. THIS needs to be a point of focus for the rooting community. However, I have found a few tools for Dev if you wish to screw with this. (I'll upload them tonight)
7/24/22 - MTK (MediaTek) based Exploits
I will try to compile a few methods for FORCING Bootloader Unlock on MTK based Devices as well as a way for manipulating said devices. I will attach two tools to this thread, these tools are EXTREMELY POWERFUL and can completely **** up your device. When I say REALLY F*CK UP your device, I mean to the point you can't even access recovery, Download OR bootloader mode. I'm Talking a blank DEAD device. So use with caution.
With that said, let's talk about the tools. You will need a basic understanding of Python to make use of MTK Client
First up, we have MTK Meta Utility (Currently Version 44) (Download Below)
Next we have MTK Client (Github Link)
So what can you do? Well, you can crash the Preloader to Brom with MTK Meta Utility while at the same time using MTK Client to send any payload you like to the device via Fastboot.
I know, vague right now, but I'll add detail over the coming days.
I will continue to update the below list as new methods are discovered.
If you find Guides, tutorials or new exploits, please link them in the comments so I can include them in future development!
Telegram Channel: Here.
Information on Vulnerabilities, exploits & methods - CVE-2022-0847 (Jfrog) - The Story Of "Dirty Pipe" - XDA - Dirty Pipe - PWNKIT (CVE-2021-4034) - CVE-2021-3560 - Docker Breakout / Privilege Escalation - CVE-2022-33708 (July132022) - CVE-2022-33701 (July122022) - CVE-2022-22268 (Unlock Knox Guard with DEX) (JAN2022) - MTK Client -
Dev Team & credit to -
@topjohnwu - LiamG - @wr3cckl3ss1 - bkerler -
UPDATED - 7/29/22
There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and Galaxy S22 devices running 5.10 kernel.
Don't update... destroyer of worlds
I feel like I'm missing something because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
olivehue512 said:
I feel like I'm missing something because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
Lol, everybody already updated the patch
blackhawk said:
Lol, everybody already updated the patch
This is just sad panda. I'm gonna skip next update anyways unless it comes with an actual other phone that is BL unlocked. I feel like everyone wants this so bad it can't be that far out before it happens.
Does the Magisk injection method work after July patch? I was reading through the work they did to get it done. Props to those guys.
sierratango88 said:
There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and Galaxy S22 devices running 5.10 kernel.
Has it got a fancy number yet?! Eager to try this!!!! Maybe it can be put in with the others.
olivehue512 said:
I feel like I'm missing something because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
Well, because they are known and accepted vulnerabilities and exploits. A very few have even been marked as "WONTFIX" such as the TTY method.
olivehue512 said:
This is just sad panda. I'm gonna skip next update anyways unless it comes with an actual other phone that is BL unlocked. I feel like everyone wants this so bad it can't be that far out before it happens.
Does the Magisk injection method work after July patch? I was reading through the work they did to get it done. Props to those guys.
Honestly, it's worth a shot but I doubt it.
One of the goals behind building the APK compilation of all these different tactics is to enable the end user to "give it a shot" easily on different devices, without having to know how to run all of this manually. Basically imagine an apk that just tries all the above methods and if ones successful the gui will pop a root shell open. From there, the possibilities are endless. Edit Build.prop, SELinux, Verity, Etc.
FYI even if you applied the July update, it seems like the Kernel version is still from June 21st, still 5.10xxxx, so we could still benefit from this exploit. Very interested in how we can get root here in the US.
K0mraid3 said:
Has it got a fancy number yet?! Eager to try this!!!! Maybe it can be put in with the others.
There hasn't been a CVE assigned to it yet that I am aware of.
xgerryx said:
FYI even if you applied the July update, it seems like the Kernel version is still from June 21st, still 5.10xxxx, so we could still benefit from this exploit. Very interested in how we can get root here in the US.
Go to the Github linked and try the different methods, see if you can pop a root and nano build.prop to allow OEM unlocking?
sierratango88 said:
There hasn't been a CVE assigned to it yet that I am aware of.
GREAT news for us! Let's get this temp root! lol
Looks like another new one! CVE-2022-33708
Another Samsung Exclusive - CVE-2022-33701
So, I've just spent my entire Friday and Friday night MANUALLY testing all the GTFOBins & reproducing some of the newer CVE's on Samsung Galaxy S7 Edge (Android 9) -Galaxy tab A 8.4, (Android 11), Galaxy S21 & S22 (Android 12) --- A little bit of progress made. Again, I'll need someone with better working knowledge on APKs & Java to really move forward. All I can say so far, is this all must be awk for sammie, because cronie is looking promising
"crontab -e"
interesting find. not "New" but still new-ish enough some may be able to use. CVE-2022-22268 (Unlock Knox Guard with DEX)
New to this all but not rooting. Anyone recommend a way tutorial on how to try these methods on Win 11?
I don't have a deep understanding of Linux, I have tried Debian and Ubuntu. I get traitor to run but it's detecting the Linux kernel and not my phone's. How can I get the program to search for vulnerability on my phone not my Linux. I would love a more in depth guide and I'd love to give feedback on methods.
DevinDking said:
I don't have a deep understanding of Linux, I have tried Debian and Ubuntu. I get traitor to run but it's detecting the Linux kernel and not my phone's. How can I get the program to search for vulnerability on my phone not my Linux. I would love a more in depth guide and I'd love to give feedback on methods.
I had the same issue but can't remember how I worked that out. Let me see if I can find out what I did on win11