PSA: March 1 security patch is possibly vulnerable to privileged code execution - Nokia 6.1 (2018) Guides, News, & Discussion

What this means is that we may be able to take advantage of this to gain root access long enough to boot twrp and root it permanently, so anyone who knows enough, can you please work to make this possible?

Nokia just pushed out the April security patch.

Related

[MASTER THREAD] Fire HD 8 (2017) (7th Generation)

Hi,
This is a list (incomplete) of all the ROMs, mods, hacks, guides, etc. available for the Fire HD 8 (2017).
This was a root progress discussion thread, and I think there's too much valuable information here to just let it get buried. So, following @Rortiz2's suggestion this thread was transformed to a master thread with the aim of providing a complete guide for anyone wanting to mod their tablet.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Device Codename: douglas
Specifications:
SoC: Mediatek MT8163
CPU: Cortex-A53 (Quad Core 4x1.3Ghz)
GPU: Mali 720
RAM: 1.5GB
Android: 5.1 (FireOS 5.x.x.x)
Storage: 16/32GB
Includes a MicroSD slot
Battery: 3210mAh
Display: 8"
Front Camera: 2MP
Rear Camera: 2MP
The italicized text below are my comments/clarifications.
The root method was patched in 5.6.4.0 (some versions of 5.6.4.0 still work so you could try) It is advisable to disable OTA updates or unlock the bootloader immediately. It is still possible to unlock by a different method, check the bootloader unlocking thread.
Bootloader Unlock and TWRP:
[UNLOCK][ROOT][TWRP][UNBRICK] Fire HD 8 2017 (douglas)
This is an excellent and complete guide which has everything you need for this. Requires Linux, so you'll have to either install it as dual-boot or use a live system if you are not using it already. You don't need to downgrade if you are on 5.6.4.0.
Rooting:
You can flash Magisk using TWRP after bootloader unlock. Using Magisk is recommended because SuperSU is no longer supported, and Magisk has modules, Magisk Hide, and the root prompt is working (In SuperSU it's not working so you have to always grant root permissions which is a major security loophole)
Rapid Temporary Root for HD 8 & HD 10
This is the first software root method discovered for this tablet and is a really easy and quick method of getting a root shell, and the link has a complete guide on it. Refer here for installing SuperSU for permanent root, and here for an automated script for Windows.
[ROOT] Hardmod Root Your Amazon Fire HD 8 (7th Gen)
This is first root method ever discovered for this tablet and is a hardware root. This link has a complete step-by-step guide, assuming you have some soldering experience.
ROMs:
[ROM][unlocked]Lineage-12.1 for Amazon Fire HD8 2017 (douglas)
The first (and currently only) ROM for this device and it works great!
Miscellaneous:
Amazon Fire Toolbox, I have never tried this but it looks awesome!
Without root:
Removing accounts and viewing Usage Access settings which are hidden.
Debloating guide without root
With root:
A debloating guide made for HD 10, but works fine on the HD 8.
You can install apps as system apps just as on any other device, and you can use the app Link2SD for converting user apps to system apps. Refer to this StackExchange post for a guide on how to install apps as system.
Flashing GApps works well with TWRP, but the 16GB version doesn't have enough space in the system for even the pico version. Probably using pm uninstall on some system apps would work.
General Tips:
To return to stock or recover from a soft brick:
(Don't use this if you have already unlocked your bootloader: if you want just stock FireOS flash it through TWRP, and if complete stock follow the guide in the unlock thread)
(This assumes that you have ADB installed, I would not advise you on how here, there are numerous guides waiting for a Google search. This will erase your data.)
Download your current FireOS or a later firmware version. You can find the latest over at Amazon's website.
Boot to the recovery mode of your tablet, and use the volume and power buttons to select "Apply Update via ADB".
Now connect the tablet to a PC with a USB cabke, open a command prompt or shell on the directory where you downloaded the firmware BIN, enter the command adb sideload X.bin (replace X with the name of the BIN) and wait until finished (DON'T disconnect your device from the PC)
Now select "Wipe Data/Factory Reset" and "Yes" to wipe data (you can skip doing this if you want your data, but note that the tablet may bootloop or complain about corrupted data)
Select "Reboot system now"
The firmware BINs are just renamed ZIP files: you can rename it from .bin to .zip and treat it as such.
Amazon employs an anti-rollback mechanism which could permanently brick your device if you flash an older version through adb sideload. If you really want an older FireOS, you can rename .bin to .zip and flash them through TWRP after unlocking.
The stock launcher AppID is com.amazon.firelauncher, the stock keyboard is com.amazon.redstone, and the OTA update apps are com.amazon.device.software.ota and com.amazon.kindle.otter.oobe.forced.ota.
Again, this list is incomplete, so please suggest any additions in the comments! (don't hesitate to suggest your own work-the target of this thread to be a comprehensive and complete guide on everything about this tablet)
Good luck modding this tablet!
Thread before changing to a master thread (for historical purposes )
NOW WE HAVE AN UNLOCKING METHOD WITH TWRP! THE CONTENT BELOW IS OUTDATED.
Hi,
Now, I'm sick of Amazon's bloat slowing my tablet, and the frustration of not being able to use root apps. Fire HD 10 got rooted, but HD 8 and HD 7 are still in dark. HD 7 users can at least downgrade their devices and hope for a root exploit, but HD 8 users can't. If anyone else wanting to root this tablet and make it super fast, get rid of Fire Launcher, use Xposed, remove bloat, etc., let's collaborate with this!
LATEST RELEASE - Fire OS 5.3.6.4/Fire OS 5.6.3.4
SECURITY PATCH - ???
KERNEL VERSION - 3.18.19
List of possible software root methods:
1.) eMMC overwriting
Thanks to the hardware root method, we have a full eMMC dump so using the loophole in the flash unlock process which causes overwriting partitions next to it, we could overwrite on all the way, flashing original things, to the system partition and then flash a modified system partition.
Additions to the list are welcome!
List of possible exploits
Additions to list are welcome!
1.)CVE-2017-8890
Status: Confirmed possible.
Description: As I think, this is the most exploitable currently. Running the PoC results in 'somewhat unnatural' Use-After-Free s but the PoC fails to orient them to escalate privileges.
Cons: This exploit is based on obsolete IPv4 sockets, unlike it's cousin CVE-2017-9077, which is based on IPv6, but rather the same exploitation as this. That 'may' make this harder to exploit, but of course there's no evidence.
I, really only added this to cons because you should have a con.
2.)CVE-2017-15868
Status: Unsure
Description: NP Hardass said that this vulnerability is present on the source,I haven't explored it yet.
Cons: ¯\_(ツ)_/¯
If you tried these exploits, please notify me in below and I'll update the status. UPDATE: No point on keeping on trying these kernel exploits as no one (please correct me) who knows to write exploits in C comes here anymore. If someone wants to try though I will start maintaining this list again. Come on, let's collaborate on this!!! :laugh:
Thanks!
Download the eMMC dump from here: https://www.androidfilehost.com/?w=files&flid=282721
PS: You can download original kernel sources from Amazon, just search for it.
Original Thread:
Hi,
Now, I'm sick of Amazon's bloat slowing my tablet, and the frustration of not being able to use root apps. Fire HD 10 got rooted, but HD 8 and HD 7 are still in dark. HD 7 users can at least downgrade their devices and hope for a root exploit, but HD 8 users can't. If anyone else wanting to root this tablet and make it super fast, get rid of Fire Launcher, use Xposed, remove bloat, etc., let's collaborate with this!
LATEST RELEASE - Fire OS 5.6.0.1
SECURITY PATCH - 2017/08/01
KERNEL VERSION - 3.18.19*
*a quite old release it is.
List of possible exploits
Additions to list are welcome!
1.)CVE-2017-12762
Status: Unsure
Description: A super likely-to-work great exploit. If you want you can go look at the kernel source (link included below the thread) 3.18.19 for proof, it starts in line 2640. Looks like a stack buffer overflow.
Cons: ASLR may be an absolute game killer in this case. And some skill is required to exploit, very less-known around the internet. And Amazon may have removed the ISDN support up from the roots of kernel, because it's VERY deprecated.
2.)CVE-2017-16939
Status: Unsure
Description: A nice attack vector. A PoC is available in SecuriTeam blogs, which triggers use-after-free. I tried contacting them for some help, but they almost instantly replied that they don't provide support for their reported vulnerabilities. Sad.
Cons: ¯\_(ツ)_/¯
3.)CVE-2017-15868
Status: Unsure
4.)CVE-2017-10661
Status: Unsure
5.)CVE-2017-7541
Status: Unsure
6.)CVE-2017-6074
Status: Unsure
If you tried these exploits, please notify me in below and I'll update the status. Come on, let's collaborate on this!!! :laugh:
Thanks!
I added the link to the vulnerable code, in case anyone was wondering.
I'm glad to see this thread. Since recently rediscovering the potential of an old Fire 6 and rooting it, removing the bloat and Googlizing it, I wanted to get something a little bigger. I just got my 7th gen HD 8 in the mail yesterday and was devastated to see it was 5.4.0.1. I've blocked OTA, deleted the update it had downloaded, installed Google Play et al., and used NoRoot Data Firewall to block all Amazon apps. Unfortunately, I do not have the expertise to contribute much toward an effort to root this device but would like to help in any way. I appreciate seeing others are out there working on it.
if i knew how to develop the exploits i would honestly try these
Thank you so much for making this thread but I hope I never have to come back here and help, but if i get some extra time in the future I do plan on running all my binaries + servers on the tablet as well. Not to mention just looking at that version number made me want to vomit.
[/COLOR]What steps should I take to increase performance on the hd 8 while we wait for root?
rawfullz said:
[/COLOR]What steps should I take to increase performance on the hd 8 while we wait for root?
Click to expand...
Click to collapse
Hello rawfullz!
Try Greenify. You can use a workaround to grant it Usage Access.
1) Download Activity Launcher and Greenify from Play Store.
2) Launch Activity Launcher.
3) Notice the "Recent" text in the task-bar, press it, and select "All" from the drop-down list.
4) Scroll all the way below until you find "Settings", and press it.
5) Again, scroll below until you find "Apps with usage access", and press it.
6) The hidden "Apps with usage access" menu will pop up.
7) Grant Greenify usage access there. (You can turn off usage access for all Amazon apps if you want, to increase performance but it's recommended to leave out "Storage Management" intact, just in case.)
8) Launch Greenify, and continue with the setup.
9) :laugh::laugh::laugh::laugh:
If you ever want to grant any other app Usage Access, do this procedure, but, remember that "Activity Launcher" is kind of dangerous, if you just launch random activities. I learned that the hard way.
REMOVED
Thank you for making this thread, im looking forward to this become real.
What I dont get is you can download the firmware.bin as well as the source code from amazon, Whats the problem devs should be able to root ?
derwoodbones said:
What I dont get is you can download the firmware.bin as well as the source code from amazon, Whats the problem devs should be able to root ?
Click to expand...
Click to collapse
Hello!
Yes, we definitely can get the firmware. But there are some troubles,
1. Amazon devices are not very well known among the community.
2. Devs don't want to spend their time on our devices, even if we root this thing, no custom ROMs because of the locked bootloader.
3. Amazon didn't leave any loopholes on their OS, they are too clever.
And, I don't think that Amazon will open source their firmware until they checked throughly for any exploits.
We'll have to find exploits the rough way. :crying:
Hey, what about the Janus vulnerability? If some dev is reading this, please help us, because it doesn't require the device.
Supersonic27543 said:
Hello!
Yes, we definitely can get the firmware. But there are some troubles,
1. Amazon devices are not very well known among the community.
2. Devs don't want to spend their time on our devices, even if we root this thing, no custom ROMs because of the locked bootloader.
3. Amazon didn't leave any loopholes on their OS, they are too clever.
And, I don't think that Amazon will open source their firmware until they checked throughly for any exploits.
We'll have to find exploits the rough way. :crying:
Click to expand...
Click to collapse
You don't need an unlocked bootloader to flash a ROM.
Take a look at the BT stack with BlueBorne.
Sent from my iPhone using Tapatalk
Supersonic27543 said:
Now, I'm sick of Amazon's bloat slowing my tablet
Click to expand...
Click to collapse
You forgot to add: "and I wanna to fill my tablet by the Google's bloatware (2 times slower than Amazon's), and also add some rootkits and spyware masked as "super-duper tools for young hackars"
Great to see this thread. Hope some devs collaborate and find a way. Can't wait.
Meanwhile, do you guys have any cool mod to try in the tab.
I have installed playstore and adfree iytb YouTube and bunch of usual apps.
Hello!
DragonFire1024 said:
You don't need an unlocked bootloader to flash a ROM.
Click to expand...
Click to collapse
Yes, you don't need an unlocked bootloader to flash a ROM, theoretically, if the ROM is signed by Amazon. But considering custom ROMs, Lineage, Resurrection Remix, Stock Android, is it possible to compile and flash them without an unlocked bootloader? I thought that you need a custom recovery = unlocked bootloader. Thanks!
sensboston said:
You forgot to add: "and I wanna to fill my tablet by the Google's bloatware (2 times slower than Amazon's), and also add some rootkits and spyware masked as "super-duper tools for young hackars"
Click to expand...
Click to collapse
Hah. :laugh::laugh::laugh:
Robius said:
Take a look at the BT stack with BlueBorne.
Sent from my iPhone using Tapatalk
Click to expand...
Click to collapse
Great idea, gotta try this! Thanks!
EDIT: Not very confident though. Anyway, likely to work because the security patch of HD 8 is in August.
http://www.androidpolice.com/2017/0...atch-fixes-blueborne-bluetooth-vulnerability/
Someone got a bluetooth adapter handy?
Supersonic27543 said:
Hello!
Yes, you don't need an unlocked bootloader to flash a ROM, theoretically, if the ROM is signed by Amazon. But considering custom ROMs, Lineage, Resurrection Remix, Stock Android, is it possible to compile and flash them without an unlocked bootloader? I thought that you need a custom recovery = unlocked bootloader. Thanks!
Hah. :laugh::laugh::laugh:
Great idea, gotta try this! Thanks!
EDIT: Not very confident though. Anyway, likely to work because the security patch of HD 8 is in August.
http://www.androidpolice.com/2017/0...atch-fixes-blueborne-bluetooth-vulnerability/
Click to expand...
Click to collapse
Ask @ggow how he does it. But you don't need a unlocked bootloader. With root, FlashFire helps to get by the bootloader.

Moto X4 Firmware Recovery Toolbox

Note: This is a bash script, meaning to use it you must be on Linux.
Note: You must already have fastboot and adb installed on your system.
Background​
I like messing around modding my device, and quite a few times that has resulted in bootloops, and other issues. After getting tired of repeating the recovery process so many times, I decided to just write a bash script to almost completely automate the process. It guides you with easy user-prompts, and can be used by someone with little knowledge.
I'm not a professional, I just have some skills that allow me to develop simple tools for myself. I'm just releasing it in-case it might be helpful to someone else.
Restrictions​
It's only for Moto X4 Payton Fi phones, any other device would require modifications to the script. Over time I do plan on making more updates to it as I develop it for myself. It will become and all-in-one tool, with more functionality in the future.
Features​
- Ability to recover your phone from soft-bricks automatically.
- Ability to install the latest TWRP as a custom recovery automatically.
- Ability to install latest firmware automatically.
- Ability to install systemless root via Magisk automatically.
Download​
The latest version will always be available on my git repository.
Github Repository: github.com/menevia16a/Firmware-Recovery_MotoX4​
Thank you, now may actually unlock this device. Still on fence, with no signed images. I may wait for Pie update, if it ever happens. These tools will be a big help.
kkjb said:
Thank you, now may actually unlock this device. Still on fence, with no signed images. I may wait for Pie update, if it ever happens. These tools will be a big help.
Click to expand...
Click to collapse
Thanks for the reply, when the firmware image for the pie update is released I should do another update to this too. But honestly you can always use the tool and when it installs the system and boots up, go to the ota update before continuing the script and accept the ota updates and continue the script once the system is booted up again.

Amazing Temp Root for MediaTek ARMv8 [2020-08-24]

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Software root method for MediaTek MT67xx, MT816x, and MT817x!​
So it's no big secret that not too long ago, I found a way to achieve temporary root on MediaTek chipsets. No preinstalled root solution or device unlock was needed. The tool I created, MTK-SU, was originally aimed at helping Amazon Fire HD owners to easily root and unlock their tablets. (Without it, most models need a hardware mod to achieve root & unlock. This tool made rooting accessible to many times the number of owners. It also made possible to root the Fire TV gen 2.) But funny story: this method actually works on virtually all of MediaTek's 64-bit chips. Many devices of various vendors have already been confirmed.
So in case it's not clear, what mtk-su does is give you a root shell to do with as you please. It's like running 'su', but without the need to have su installed. That may be a holy grail for locked devices. On some devices, it may be possible to install a root manager for permanent root using mtk-su as a springboard.
The original thread is here: Rapid Temporary Root for HD 8 & HD 10. It's a great resource for info. But please avoid posting there about non-Amazon devices. This new thread is a catchall topic for other devices and vendors.
DISCLAIMER​Anything you do that is described in this thread is at your own risk. No one else is responsible for any data loss, corruption or damage of your device, including that which results from bugs in this software. There is a nonzero chance of any of these events happening as a result of using the tools or methods here.
REQUIREMENTS​Mastery of the Thanks button under XDA posts
A phone or tablet based on Mediatek MT67xx, MT816x, MT817x or MT6580 chipsets
Either:
A PC with ADB installed to interact with your device, or
A terminal emulator app
Familiarity with ADB (if using PC) and basic Linux shell commands
You agree to post the model name of any unconfirmed device which ran mtk-su successfully
INSTRUCTIONS FOR ADB​
Make sure you meet all the requirements listed above, especially the first and last ones.
Download the current mtk-su zip file to your PC and unzip it. Inside will be 2 directories: 'arm' & 'arm64' with an 'mtk-su' binary in each. Pick one for your device. Differences between the flavors:
arm64: 64-bit kernel and userspace
arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
Connect your device to ADB and push mtk-su to your /data/local/tmp folder
adb push path/to/mtk-su /data/local/tmp/
Open an adb shell
adb shell
Change to your tmp directory
cd /data/local/tmp
Add executable permissions to the binary
chmod 755 mtk-su
At this point keep your device screen on and don't let it go to sleep. Run the command
./mtk-su
It should only take a second or two. If the program gets stuck for more than a few seconds and your device is awake, press Ctrl+C to close it.
The -v option turns on verbose printing, which is necessary for me to debug any problems.
The output of ./mtk-su -v is similar to this:
Spoiler
Code:
$ ./mtk-su -v
param1: 0x3000, param2: 0x18040, type: 2
Building symbol table
kallsyms_addresses pa 0x40bdd500
kallsyms_num_syms 70337, addr_count 70337
kallsyms_names pa 0x40c66d00, size 862960
kallsyms_markers pa 0x40d39800
kallsyms_token_table pa 0x40d3a100
kallsyms_token_index pa 0x40d3a500
Patching credentials
Parsing current_is_single_threaded
ffffffc000354868+50: ADRP x0, 0xffffffc000fa2000
ffffffc000354868+54: ADD xd, x0, 2592
init_task VA: 0xffffffc000fa2a20
Potential list_head tasks at offset 0x340
comm swapper/0 at offset 0x5c0
Found own task_struct at node 1
cred VA: 0xffffffc0358ac0c0
Parsing avc_denied
ffffffc0002f13bc+24: ADRP x0, 0xffffffc001113000
ffffffc0002f13bc+28: LDR [x0, 404]
selinux_enforcing VA: 0xffffffc001113194
Setting selinux_enforcing
Switched selinux to permissive
starting /system/bin/sh
UID: 0 cap: 3fffffffff selinux: permissive
#
Some other options:
mtk-su -c <command>: Runs <command> as root. Default command is /system/bin/sh.​mtk-su -s: Prints the kernel symbol table​mtk-su -Z <context>: Runs shell in a new selinux context. Example: ./mtk-su -Z u:r:logd:s0​If you see any errors other than about unsupported or incompatible platform or don't get a root shell, report it here. When reporting a problem with a device, please post a link to the firmware and/or the kernel sources.
Please post the model of any device that works with mtk-su that's not already confirmed.
Important: in rare cases, it may be necessary to run the tool multiple times before you hit UID 0 and get selinux permissive. If you don't achieve root on a particular run, the "UID: N cap: xxxxx...." line will reflect that. If it doesn't say "UID: 0 cap: 3fffffffff selinux: permissive", type exit to close the subshell and try mtk-su again.
WARNING If you have a device with Android 6 or higher, it likely has dm-verity enabled. On such a device one does not simply remount the system partition as read/write. The remount command will probably fail. But if you succeed in forcing it somehow it will trigger dm-verity, which will result in a very bad day. Your device will become inoperable until you restore the stock system partition.
DOWNLOAD​Current Version
Release 23
Spoiler: Changelog
Release 23 - August 24, 2020
Add support for some early Linux 3.10 tablet firmware
Add support for kernels with some debug features enabled
Release 22 - May 8, 2020
Expand kernel support
Enable seccomp handling for Android 8
Release 21 - March 14, 2020
Add support for more devices
Fix seccomp on 3.18 arm kernels
Release 20 - Dec 28, 2019
Add support for MT6580
Add support for some MT8183 versions
Fix handling of some 32-bit 4.x kernels with stack protection
Move to NDK build
Release 19 - October 20, 2019
Add -Z option for setting custom selinux context
Fix seccomp on armv7
Fix seccomp handling on late-revision 3.18 kernels
Improve error printing for critical failures
Strip supplementary groups in root shell
Do not spawn root shell on critical failures
Release 18 - July 29, 2019
Add support for kernel address space layout randomization (KASLR)
Change status output format
Release 17 - July 13, 2019
Fix missing capabilities under adb shell in Android 9.x
Disable seccomp in app mode of Android 9.x
Add support for MT6771 on Android 8.x
Reliability improvements
Release 16 - June 9, 2019
Add support for 32 & 64-bit kernels compiled with CONFIG_KALLSYMS_BASE_RELATIVE
Add support for MT676x on Android 7.x
Speedups
Release 15 - May 29, 2019
Run shell/command in global mount namespace -- mounting from apps is now visible to the whole system
Release 14 - May 22, 2019
Remove restriction for adb shell initial run on Android 8.0+
Add support for 32-bit kernels compiled under Android 8.0+
Add initial support for MT6771 on Android 9+
Minor bug fixes
Release 13 - May 16, 2019
Improve stack protection detection -- add support for some armv7-kernel 3.x phones
Release 12 - April 26, 2019
Unify the arm and armv7-kernel binaries into one
Support Linux 4.9.x
Improve speed and possibly reliability
Fix arm64 support for phones on kernel 3.10.65
Fix stack protection workaround for armv7 kernels
Update readme file
Release 11 - April 10, 2019
Fix up and enable rooting for 32-bit kernels -- first such device confirmed (thanks @anthonykb)
Improve criteria for detecting strong stack protection
Release 10 - April 7, 2019
Fix support for the latest Oreo devices
Add compatibility for kernels with stack protection (Nokia phones)
Improve reliability
Initial support for 32-bit (armv7) kernels -- needs testing
Release 9 - April 1, 2019
Confirmed support for at least some Oreo devices
Fix bugs with R8
Release 8 - March 30, 2019 (REMOVED)
Lay the groundwork for Oreo devices
Improve performance
Improve reliability
Release 7 - March 17, 2019
Add/fix support for many Linux ver. ≤ 3.18.22 devices
Fix arm binary on Fire HD 10
Release 6 - March 13, 2019
Add support for some devices with kernel 4.4.x (MT8167 confirmed by @cybersaga)
Minor bug fixes
Release 5 - March 7, 2019
Support kernels with CONFIG_KALLSYMS_ALL disabled
Improve reliability
Release 4 - March 4, 2019
Improve compatibility with phones
Support Fire TV 2 new FW
Minor bug fixes
Improve reliability
Release 3 - March 1, 2019
Add support for HD 10 7th gen
Add support for 3.10 kernel layout
Add possible support for MT67xx phones
Improve reliability
Release 2 - Feb. 27, 2019
Add support for HD 8 8th gen and 32-bit only user stacks
FAQ​I got the error, "This firmware cannot be supported". What's up with that?
This means that your device's firmware is not prone to the mechanism used by mtk-su. It may be a new device or it may have started from a firmware update. It will not be feasible to add root support for the current or future firmware versions. Check the last supported firmware version in post 4. If the last working FW is not listed and your device used to work with mtk-su, please report the last working version and/or your current version. In those cases, it may be possible to get mtk-su support by downgrading the firmware.
I got the error, "Firmware support not implemented". What gives?
That means that mtk-su does not recognize the type of firmware on your device. While It's technically possible to add basic detection, most of the time this error happens on devices that have already blocked mtk-su access. So implementing it would only kick the can down the road and probably lead to a, "This firmware cannot be supported" message (see above). If your device has Android 10+ or a security patch level at 03-2020 or higher, or if your firmware is newer than the last compatible version in post 4, there is no need to report this error.
Will this work on my phone?
Yes, it will work on your phone, unless it doesn't. But to be serious, there is no point in asking this question. If you have the device in hand, it is much quicker to just try out the above procedure than to wait for a response. You are usually the best person to answer that question. If your device is listed among the confirmed models or, to a lesser extent, your chipset is supported, that's a good indication that mtk-su will succeed, but that is not guaranteed. You should report your success or failure in this thread, along with the requested materials if it fails.
Why don't you reply to my post?
I read every post in this thread, and respond to practically every post that warrants a response. Sometimes I will only click a Thanks as an acknowledgement. The reasons I may not answer your question are:
It has already been answered in the FAQ or multiple times in the thread.
Your post is unrelated to this project. It may be specific to your device, which would make it off topic for this thread.
Your question is extremely vague and you appear to be intentionally leaving out basic information (e.g. fishing).
After getting a root shell I'm still getting 'permission denied' errors. WTH?
It may be that selinux is still being enforced. Having root with selinux enabled somehow ends up being more restrictive than a normal shell user. First, check that mtk-su succeeded in setting selinux to permissive by running getenforce. If it says Enforcing, then exit your shell and run mtk-su again.
Will this work on an MT65xx or MT8127?
There is no support for most 32-bit chips. But there may be a couple where it's possible.
Does this thing unlock the bootloader?
No, it does nothing to unlock the bootloader.
I ran mtk-su successfully, but my apps still don't have root permissions.
Mtk-su does not give apps root permissions. It is not a permanent root solution in and of itself. It opens a command shell that has root and administrative capabilities within the context of that shell. It's up to you what you want to do with it. But also, there is a way to load Magisk using this tool without the need to unlock your bootloader. Just follow this guide.
How does this tool work?
It overwrites the process credentials & capabilities in the kernel in order to gain privileges. It also turns off selinux enforcement by overwriting the kernel's selinux_enforcing variable. As for how it accesses that memory, the tool involves making use of the vulnerability known as CVE-2020-0069.
Can I include mtk-su in my app or meta-tool?
Generally speaking, you may not distribute any mtk-su zip or binaries with your software. That includes doing any automatic download of those files into your app. You can still use it with your tools. But you should ask your users to visit this thread and download the current release zip themselves. No apps have been permitted to bundle or auto-download mtk-su.
CREDITS​
Thank you to everyone who has tested and provided feedback to help me add support for the large variety of MTK-based devices out there. There are simply too many people to list.
MediaTek, Inc., who leave holes and backdoors in their OS to make software like this possible :good:
Thank you to everyone who has donated. You're the best!
INSTRUCTIONS FOR TERMINAL APP​You can optionally run mtk-su on a terminal emulator such as Terminal Emulator for Android (recommended) or Termux. The basic idea is to copy the executable to the terminal app's internal directory and run it from there. These are the instructions for Termux, but a similar procedure applies to all terminal shell apps.
Make sure you meet all the requirements from the first post, especially the first and last ones.
Download the current mtk_su zip to your device and unzip it. Take note of where you extracted it. Pick the variant that fits your device. (See above.)
Open Termux and copy the mtk-su binary to its home directory, which in this case is the shell's initial working directory.
General idea: cp path/to/mtk-su ./
For example,
cp /sdcard/mtk-su_r14/arm64/mtk-su ./
For this to work, you have to enable the Storage permission for your term app. Do not try to circumvent the cp command with clever copying methods involving file managers or external tools. Mtk-su will not get the right permissions that way.
Make file executable
chmod 700 mtk-su
Run the program
./mtk-su
If mtk-su fails, post the output of ./mtk-su -v here along with a link to firmware and/or kernel sources, if possible.
Note that for most terminal shell apps, the internal app directory is stored in the variable $HOME. So in general you would do
cd
cp path/to/mtk-su ./
chmod 700 mtk-su
./mtk-su
PROJECTS USING THIS TEMP ROOT​
Partition Backup Helper for Termux by @mrmazak
Creates a script that automatically backs up your device's partitions, which may come in handy for repairs or experimenting.
Full bootless root with Magisk (for 20.x to 21.4) by @diplomatic
Loads Magisk without modifying the firmware.
Full bootless root with Magisk for 22.x+ by @HemanthJabalpuri
Loads the latest Magisk version without modifying the firmware.
Status
NOTE: Any firmware update released after March, 2020 is bound to block this temp root. Think twice before updating your device if you would like to keep using mtk-su.
Confirmed Devices
Acer Iconia One 10 B3-A30/B3-A40/B3-A50 series
Acer Iconia One 8 B1-860 series
Acer Iconia Talk S
Alba tablet series
Alcatel 1 5033 series
Alcatel 1C
Alcatel 3L (2018) 5034 series
Alcatel 3T 8
Alcatel A5 LED 5085 series
Alcatel A30 5049 series
Alcatel Idol 5
Alcatel/TCL A1 A501DL
Alcatel/TCL LX A502DL
Alcatel Tetra 5041C
Alcatel U5 / Orange Rise 52
Alldocube iPlay10 Pro
Alldocube iPlay8
Amazon Fire 7 2019 -- up to Fire OS 6.3.1.2 build 0002517050244 only
Amazon Fire HD 8 2016 -- up to Fire OS 5.3.6.4 build 626533320
Amazon Fire HD 8 2017 -- up to Fire OS 5.6.4.0 build 636558520 only
Amazon Fire HD 8 2018 -- up to Fire OS 6.3.0.1 only
Amazon Fire HD 10 2017 -- up to Fire OS 5.6.4.0 build 636558520 only
Amazon Fire HD 10 2019 -- up to Fire OS 7.3.1.0 only
Amazon Fire TV 2 -- up to Fire OS 5.2.6.9 only
ANRY S20
ASUS ZenFone 3 Max ZC520TL
ASUS ZenFone Max Plus X018D
ASUS ZenPad 3s 10 Z500M
ASUS ZenPad Z3xxM(F) MT8163-based series
Barnes & Noble NOOK Tablet 7" BNTV450 & BNTV460
Barnes & Noble NOOK Tablet 10.1" BNTV650
Blackview A8 Max
Blackview BV9600 Pro (Helio P60)
BLU Life Max
BLU Life One X
BLU R1 series
BLU R2 LTE
BLU S1
BLU Tank Xtreme Pro
BLU Vivo 8L
BLU Vivo XI
BLU Vivo XL4
Bluboo S8
BQ Aquaris M4.5
BQ Aquaris M8
CAT S41
Coolpad Cool Play 8 Lite
Coolpad Legacy S(R)
Cubot Power
Doogee X70
Dragon Touch K10
Echo Feeling
Evercoss Genpro X Pro S50
Gionee F103 Pro
Gionee M7
Gionee S9
HiSense Infinity H12 Lite
HTC Desire 12
HomTom HT20
Huawei GR3 series
Huawei Y5II
Huawei Y6II MT6735 series
ION Gravity
Lava Iris 88S
Lenovo A5
Lenovo C2 series
Lenovo Tab E7
Lenovo Tab E8
Lenovo Tab2 A10-70F
Lenovo Tab3 10
Lenovo Vibe K5 Note
LG K8+ (2018) X210ULMA (MTK)
LG K10--K430 series
LG K10 (2017)
LG K50
LG Q7 (MTK)
LG Stylo 4 (MTK) -- up to Q710AL11k
LG Tribute Dynasty
LG X power 2/M320 series (MTK)
LG Xpression Plus 2/Harmony 3/K40 LMX420 series
Lumigon T3
Meizu M5c
Meizu M6
Meizu Pro 7 Plus
Motorola Moto C series
Motorola Moto E3 series (MTK)
Motorola Moto E4 series (MTK)
Nokia 1
Nokia 1 Plus
Nokia 3
Nokia 3.1
Nokia 3.1 Plus
Nokia 5.1
Nokia 5.1 Plus/X5
Odys PACE 10 (MT8163)
Onn 7" Android tablet
Onn 8" & 10" tablet series (MT8163) -- up to 10/2019 FW only
Oppo A59 series
Oppo A5s -- up to A.30 only
Oppo A7x -- up to Android 8.x
Oppo F5 series/A73 -- up to A.39
Oppo F7 series -- Android 8.x only
Oppo F9 series -- Android 8.x only
Oppo R9xm series
Oukitel K6
Oukitel K9
Oukitel K12
Oukitel U18
Philips E518
Protruly D7
RCA Voyager III - RCT6973W43MDN
Realme 1
Realme 3
Snopow M10 series
Sony Xperia C4
Sony Xperia C5 series
Sony Xperia L1
Sony Xperia L3
Sony Xperia M5 series
Sony Xperia XA series
Sony Xperia XA1 series
Southern Telecom Smartab ST1009X (MT8167)
Teclast M30
TECNO Spark 3 series
Umidigi F1 series
Umidigi Power
Verizon Ellipsis 10 HD QTAXIA1
Vernee Mix 2
Wiko Ride
Wiko Sunny
Wiko View3
Xiaomi Redmi 6/6A series
ZTE Blade 10 Prime
ZTE Blade A530
ZTE Blade A7 Prime
ZTE Blade D6/V6
ZTE Blade V8 Lite
ZTE Quest 5 Z3351S
ZTE Voyage 4S/Blade A611/Blade A610
Support Problematic*
Most/all Vivo phones
Most/all Huawei/Honor models with Android 8+
Most Oppo phones in app mode
Oppo F11 -- up to CPH1911EX_11_A.22 only
Most/all Samsung MTK-based phones
Supported Chipsets
Including, but not limited to: MT6735, MT6737, MT6738, MT6739, MT6750, MT6752, MT6753, MT6755, MT6757, MT6758, MT6761, MT6762, MT6763, MT6765, MT6771, MT6779, MT6795, MT6797, MT6799, MT8163, MT8167, MT8173, MT8176, MT8183, MT6580, MT6595
* These devices typically use kernel modifications to deter root access via exploits. But this temp root method can still attain root on most of these models in theory. However, I will not be adding support for such non-standard kernels in the main release versions. A tailored version of mtk-su can be made to handle a protected kernel in a specific firmware. This is not something I'm usually motivated to do. But it's possible to make such a version if you can somehow encourage me.
Re-re-reserved
Great work mate!! I would liked to of kept secret till I got myself a new Sony L3 and backup the ta thought.
:laugh:
:highfive:
LOL... thanks!
Don't worry man, no one reads this forum
Great work. Having used both a hardware root method and this method on a pair of devices I have, mtk-su was waaaaaaay easier to work with. Big thanks!
looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...
ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img
what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...
reason being that bootloader is locked and this device is on marshmallow ...
*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..
* next question is if im running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?
or installing mixplorer with root privileges for examle ..
KevMetal said:
looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...
ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img
what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...
reason being that bootloader is locked and this device is on marshmallow ...
*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..
* next question is if im running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?
or installing mixplorer with root privileges for examle ..
Click to expand...
Click to collapse
@diplomatic made a good outline of the the steps to "jump" into full root. At least until rebooted.
I will add the link to the post, but keep the discussion that follows , here in this thread
*Copied from post https://forum.xda-developers.com/showpost.php?p=79348378&postcount=569
diplomatic said:
For advanced users or devs: here's a general overview for a method to get root with Magisk without having to modify your boot image.
Get a Magisk zip file and extract the magiskinit binary. Push magiskinit to your device.
Extract the magisk binary from magiskinit with ./magiskinit -x magisk
Make a symbolic link to (or a copy of) magiskinit and call it magiskpolicy.
Make a symbolic link to (or a copy of) magisk and call it su.
Make a small ext4 image of about 2 to 4MB (using something like make_ext4fs -J -l 2MB). In it, place Magisk's magisk and su binaries. The su binary could be either a link to magisk or a copy of it. (Idea borrowed from @k4y0z's unlock method.)
Get a root shell with mtk-su
Patch the running sepolicy with a magisk context using ./magiskpolicy --live --magisk 'allow magisk * * *' .
Start a temporary Magisk daemon with ./magisk --daemon
Start a temporary Magisk root shell with ./su. This may involve prompts from Magisk Manager.
Check to make sure the new root shell has the context u:r:magisk:s0. Don't proceed if it's not that context.
From the magisk context shell, mount the ext4 image to /system/xbin with
losetup /dev/block/loop0 magisk.img
mount /dev/block/loop0 /system/xbin​You may be able to combine those 2 commands into one, but I wasn't able to on my device.
Kill the temporary magisk daemon with killall magiskd. The point of this is to launch a new daemon from within the magisk se-context. Otherwise there will be problems with selinux.
Start a new daemon with magisk --daemon. Notice that there's no ./ at the start. This is to test the loopback img.
Exit the temporary ./su shell. You may get an error message, but that's fine. At this point you should be back to the mtk-su shell.
Exit the mtk-su shell.
Check if su works. You should get a prompt from Magisk Manager.
At this point, if you get a normal root shell, you can do setenforce 1.
Now all apps that want su access will have it with proper prompting.
Have some app execute steps 6 through 17 at every startup.
Steps 1-5 are done once. Step 6 onward are done at every boot session. A script would probably help. I'm sure this is missing some details, but I just wanted to convey the general idea.
EDIT: If you get this system up and running, you of course want to avoid updating Magisk binaries through MM. That's pretty important because doing so will probably stop your device from booting.
Click to expand...
Click to collapse
KevMetal said:
looks great ...i want to try it on a Vodafone carrier branded mtk67__ device in Spain / Europe to see what happens ...
ultimately i would want to use su to pull a copy of stock recovery to sd card / that and boot partition.img
what about after pulling stock recovery & porting twrp i flash twrp with flashfire or similar and after booting directly to recovery flash dm-verity disable .zip ...
reason being that bootloader is locked and this device is on marshmallow ...
*so my question is ...
will mounting rw on marshmallow trip dm-verity immediately and bootloop instantly or only on reboot ...if it's on reboot it would serve my purpose ..
* next question is if im running as su in shell how will I "give" escalated privileges to third party apk like flashfire for example or is it possible to disable dm-verity from root shell using commands ?
or installing mixplorer with root privileges for examle ..
Click to expand...
Click to collapse
Cool... let us know the results of running mtk-su on that phone, as well as the full model name so I can list it.
So you're on the right track about installing permanent root. I was pretty vague about it in the OP because it's a complex topic and it's pretty risky territory. Before trying to mod your boot image with systemless root and/or verity disabled, you have to check how restrictive your BL is. It's very possible that it can accept self-signed or unsigned images without needing to unlock. You can check this in a minesweeper fashion by flashing your stock recovery with the OEM signature removed and see if it boots. If not, Android will restore the stock recovery automatically, no harm done.
If you want to flash partitions from a root shell, you can use the dd command. FlashFire is a glorified dd flasher. For example, to flash a recovery image you would do
dd if=recovery.img of=/dev/block/platform/mtk-msdc.0/11230000.MSDC0/by-name/recovery
The exact path of the dev node varies by device. You should do more research about it if you're interested. To dump partitions, essentially do the reverse of if= and of=.
If you want, you can post your stock recovery image and I can modify it so you can test how restrictive your BL is. There's no need to jump ahead to TWRP yet.
diplomatic said:
If you want, you can post your stock recovery image and I can modify it so you can test how restrictive your BL is. There's no need to jump ahead to TWRP yet.
Click to expand...
Click to collapse
Most MTK's allow the boot probably due to difficulties during OTA patches indeed a lot of the OEM OTA's I have seen actually flash the recovery.img to the boot partition first then reboot do the update flash the recovery to recovery partition then reboot to recovery do the final check then reflash the boot.img back to the boot partition.
I think this is so if the OTA fails at any point they are always in recovery mode. If any of that makes sense :laugh:
Some mtk fstab's I have seen even have a flag that states verify "recoveryonly" so you can flash a TWRP recovery.img to the boot and it will boot up but it will not if flashed to the recovery of course OEM's may have other ideas and implementations so caution and a way back are definitely needed.
It's definitely a game of Russian roulette with a one in six chance of you finding the loaded chamber.
Been too secure can backfire on OEM's and cost them as with the Amazon Fire Phone I brick 3 or 4 of those suckers trying to unlock it and even they could do nothing with them so they would just give me a new one and I am convinced they actually locked themselves out on that devices and that's why it never got a version update or bootloader unlock which is a shame because it was a good phone. :silly:
bigrammy said:
Most MTK's allow the boot probably due to difficulties during OTA patches
Click to expand...
Click to collapse
OK, but I don't see how any of this would prevent cryptographic signature checking and enforcement at any OTA installation stage. Do you have any reason to believe that most devices that are not unlockable have support for unsigned images?
diplomatic said:
OK, but I don't see how any of this would prevent cryptographic signature checking and enforcement at any OTA installation stage. Do you have any reason to believe that most devices that are not unlockable have support for unsigned images?
Click to expand...
Click to collapse
Depends on oem I guess eg: Lenovo TAB2 never unlock the bootloader, Infocus Never unlocked the bootloader, All China brands various I never unlocked the bootloaders yet all rooted with custom recovery's installed although most of these were Android 6.0 so AVB used by Magisk SuperSU etc works for them.
Nokia3 I did unlock the bootloader but I beginning to think maybe I didn't need to and maybe I can test that theory soon when I get one back I loaned out.
Big brands like Sony Defo need to be unlocked but lessor brands I am not so sure about.
OK, good to know, @bigrammy
diplomatic said:
OK, good to know, @bigrammy
Click to expand...
Click to collapse
I might try flash the boot of my Sony XA1 (bootloader locked) with a TWRP recovery over the weekend and see what happens. It just means me having to boot windows to recover it if it fails and I have not done that in 18 months or more :laugh:
EDIT: Unsigned TWRP Failed to boot so now I will try with a AVB signed image and see what happens.
EDIT 2: AVB signed TWRP Failed verification check too. :laugh:
PS: Never unlocked the Lumigon T3 (my daily driver) either and that was marketed a secure device it took me about 30 min's to to make a scatter file then pull the boot with SPFlashTool ported over TWRP from my Infocus pre patched the boot with Magisk flashed them back done. Again it seems AVB sig was enough for this device too but again Android 6.0. :laugh:
OK.... it would be interesting what happens with the Sony...
It's pretty much the same deal with the Asus Zenpad series. The Z3xxM series, based on MT8163, can be flashed without unlocking the BL. On the old Android 6 FW, you needed to have an AVB signature for it go through. On Android 7, you don't even need that. However, for the high-end MT8176-based Zenpad Z500M, they locked it down so that you'd need to unlock before installing a custom boot/recovery--OEM sig support only.
bigrammy said:
EDIT: Unsigned TWRP Failed to boot so now I will try with a AVB signed image and see what happens.
EDIT 2: AVB signed TWRP Failed verification check too. :laugh:
Click to expand...
Click to collapse
LOL... I guess I'll have to stick to unlocking my Sonys before installing root.
I have a question
I have been looking ways to root redmi 6a. Xiaomi have been imposing 15d grace period one any request to unlock boot loader. Very annoyed
My question is if I manage to root it and install TWRP. can I still modify the boot loader without unlocking it?
Tia
Sent from my Redmi 6A using Tapatalk
Hi, @ahhl
If you can install and boot TWRP without unlocking the bootloader, you can almost definitely install permanent root to a boot image. The question is whether the locked BL on that phone will boot an image that is unsigned or wipe out instead. This is what bigrammy and I were just talking about above. I'd love to know if mtk-su works on that phone, btw....
i will try. but i am just novice?. i read thru the conversation between you and bigrammy, only to 30% goes thru my head?
if i manage run mtk-su, then flash twrp, if the flashing did not work, it will just reboot back using stock boot.? i do not have to worry something i need to do just like bigrammy did for 30min, just to get the phone running? as the reboot just wipe twrp? is this true?

KingoRoot Pay?

Downloaded the official kingoroot app, but it reads:
SUCCESSFUL DETECTION CAN BE ROOT
you need to pay 10$ after rooting
you need to pay 10$ after rooting
You must have a computer for the boot process
After the root is successful, agree to pay 10$
MAIL:
Phone is a Samsung J4+
What am I supposed to do?
My dear friend, do you not know MAGISK?
Magisk - The Magic Mask for Android
Welcome to the Magisk Release / Announcement thread! For all up-to-date info and links, please directly check Magisk's GitHub Page Installation Download count of previously XDA hosted files: 25,490,945 v1: 8746 v2: 2251 v3: 3790 v4...
forum.xda-developers.com
TeslaShock1 said:
Downloaded the official kingoroot app, but it reads:
SUCCESSFUL DETECTION CAN BE ROOT
you need to pay 10$ after rooting
you need to pay 10$ after rooting
You must have a computer for the boot process
After the root is successful, agree to pay 10$
MAIL:
Phone is a Samsung J4+
What am I supposed to do?
Click to expand...
Click to collapse
it's 2021 KingoRoot is only viable back in 2011 era
ineedroot69 said:
it's 2021 KingoRoot is only viable back in 2011 era
Click to expand...
Click to collapse
Magisk works on almost any device with Android higher than 4.2.
Magisk certainly is the best way to root an android device.
"Magisk is, and always will be, free and open-source."
"Magisk is a suite of open source tools for customizing Android, supporting devices higher than Android 4.2. It covers fundamental parts of Android customization: root, boot scripts, SELinux patches, AVB2.0 / dm-verity / forceencrypt removals etc."

Understanding Google's special warning instructions to avoid bricking a Pixel 6, Pixel 6 Pro & Pixel 6a when updating from Android 12 to Android 13

Google posts additional instructions for Pixel 6 owners that flashed Android 13
Can someone explain what the problem is BEFORE people fall prey to it?
Google issued a warning today saying the following:
With Android 13, Google made it so that the Pixel 6, 6 Pro, and 6a cannot reinstall Android 12 in order to address a security issue. In addressing that vulnerability, another problem might arise, and Google has released instructions on how to avoid bricking your device if you flashed Android 13.
A security vulnerability exists with the previous bootloader on the Pixel 6 series, and Android 13 makes it so that the vulnerable version associated with Android 12 cannot be reinstalled.
However, even after flashing an Android 13 factory image - which is different than sideloading an OTA image - on the Pixel 6 series and successfully updating, an Android 12 build remains on your phone. This is due to Android's A/B (seamless) system updates, which are meant to provide redundancy.
Click to expand...
Click to collapse
My question is simply to ask someone who understands this A/B stuff to explain WHERE the specific problem is with the Pixel 6 series but not in any other Pixel? (I have a Samsung which doesn't do the A/B stuff.)
I only know the basics, which is that the newly downloaded OS goes into one partition while the original OS is running in the other partition and somehow they swap when it's time to switch over.
GalaxyA325G said:
Google posts additional instructions for Pixel 6 owners that flashed Android 13
Can someone explain what the problem is BEFORE people fall prey to it?
Click to expand...
Click to collapse
See here
GalaxyA325G said:
My question is simply to ask someone who understands this A/B stuff to explain WHERE the specific problem is with the Pixel 6 series but not in any other Pixel? (I have a Samsung which doesn't do the A/B stuff.)
Click to expand...
Click to collapse
There's two elements in play here. First is the Tensor (Pixel 6 / 6 Pro / 6a) platform bootloader for Android 13, which increments a permanent anti-rollback counter in the device upon successful boot of Android 13. Sort of an e-fuse; it prevents rolling back the bootloader. This does not affect previous Pixels, and was implemented because of a critical security vulnerability in the Android 12 bootloader. This also prevents loading older bootloader images.
Second is the A/B slot system, which is the AOSP recommended format for OEMs to use so as to facilitate seamless updates...
GalaxyA325G said:
I only know the basics, which is that the newly downloaded OS goes into one partition while the original OS is running in the other partition and somehow they swap when it's time to switch over.
Click to expand...
Click to collapse
Sort of.
There's two slots: A and B. Each slot has its own critical partitions: /bootloader_a, /radio_a, /boot_a, /system_a, and so on. The /data partition is shared by both slots.
The way this works is almost exactly as you described. Let's say the system is running on slot A. When an update becomes available, update_engine can download the OTA package, extract the payload, and write the update to slot B - all in the background while the OS is running. This allows user activities to continue and does not prevent critical functions such as phone calls, texts, etc. Once the installation to the other slot is finished, update_engine prompts the user to reboot. It then sets the updated slot, slot B, as "active" so the device will boot from that slot when rebooted. If boot is successful, the system marks that slot as "successful" so the device will always boot from that slot. From the user perspective, their device is only "down" for a couple minutes while it reboots into the updated slot.
If boot fails for whatever reason - bootloop due to corrupt image for example - it will "recycle" to the original slot so the device remains useable instead of being stuck with a corrupted, unbootable update.
The two come together in what is the problem for the Tensor devices: the OTA method only updates one slot, meaning there will now be an Android 13 bootloader on the "new" slot, and Android 12 on the "old" slot. If Android 13 boots far enough to increment the anti-rollback, but later fails and the device recycles to the Android 12 slot, the device will fail to boot because the Android 12 bootloader has now been locked out by the anti-rollback counter.
The reason this doesn't affect Samsung devices is because Samsung has stubbornly resisted the AOSP model and continues to use a standalone /recovery partition instead of the A/B format. The drawback to this is that the system must go "down" for an extended period of time while the update is installed in recovery, preventing use of the device.
Thanks for the clear explanation. From what I've read in other posts, a second fastboot OTA will install Android 13 on the second slot, preventing a potential future brick. Other posts have speculated that Google might create a compliant bootloader for A12L, but there's nothing official, on that. From where I stand, this issue should have been immediately addressed by Google simultaneous with the release of BlueJay. My current choice is to hold-off on A13 until these types of major bugs capable of bricking a device are addressed. Perhaps the Calyx OS folks will tackle this, as well.

Categories

Resources