root phone with magisk

2022-01-15 · 4 min read

We'll be rooting our device with Magisk Manager by patching a stock boot.img and then reflashing that image onto the device. Once completed, we should have a fully rooted device that can install adblock, use f.lux, run busybox cli tools, and so on.

Note: this assumes we've already unlocked our bootloader, since we need to flash a patched boot partition.

Caveats

We can't automatically install OTA updates, otherwise we'll lose root. To preserve root, follow "OTA updates for rooted android phone".

Install

  1. (Windows) Download the Google Windows USB driver and extract it somewhere. Right click -> Install.

  2. (Windows) Follow the instructions at https://developer.android.com/studio/run/oem-usb#InstallingDriver to install the driver software or upgrade it.

  3. Download the basic SDK platform-tools from https://developer.android.com/studio/releases/platform-tools and extract them somewhere.

    Make sure we can see our device:

    $ adb devices
    List of devices attached
    FA7AL1A02016    device
    
  4. (Linux) If adb doesn't detect the device, try "linux ADB udev setup".

  5. Find our device (Pixel 2 - walleye) and the factory image corresponding with our current build (RP1A.201005.004.A1, Dec 2020) here (https://developers.google.com/android/images#walleye). Download the zip file under "Link". The file's pretty big, but we really only need the boot.img (inside another inner zip lol). Put that somewhere.

  6. Now we need to push the boot.img onto our device so Magisk Manager can patch it.

    (Windows) For some weird reason this command fails when run inside Git bash shell, so we need to run it in good ol' CMD lmao.

    $ adb push images/pixel2-walleye-rp1a.201005.004.a1/boot.img /sdcard/Download
    
  7. Back on our device, open up Magisk Manager, hit Magisk -> Install -> Select and Patch a File, and choose our /sdcard/Download/boot.img. This step should patch the boot.img and produce a file like magisk_patched-23000_Oin7Q.img.

  8. (Pixel 5a - 2022/01/15) Didn't work the first time with stable Magisk; needed to install the latest canary from https://github.com/topjohnwu/magisk-files/blob/master/canary.json

  9. Pull the patched boot.img off our device.

    $ adb pull /sdcard/Download/magisk_patched-23000_Oin7Q.img images/pixel2-walleye-rp1a.201005.004.a1/
    
  10. Now we want to flash our patched boot.img onto our phone. Reboot the phone into fastboot mode (Restart -> Hold Volume Down or adb reboot bootloader). fastboot should detect the device now:

    $ fastboot devices
    FA7AL1A02016    fastboot
    

    Finally, flash the patched boot.img.

    $ fastboot flash boot images/pixel2-walleye-rp1a.201005.004.a1/magisk_patched-23000_Oin7Q.img
    Sending 'boot_b' (32768 KB)                        OKAY [  0.733s]
    Writing 'boot_b'                                   OKAY [  0.533s]
    Finished. Total time: 1.396s
    

    Restart the phone normally. Opening Magisk Manager should now detect the device as fully rooted!
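
Added example, not from the original post: a Python helper for steps 5 and 10 that checks the downloaded factory zip against the SHA-256 checksum listed next to it on Google's factory images page, copies boot.img out of the inner zip, and sanity-checks the patched image before flashing. The function names, file paths and the `image-*.zip` name of the inner archive are assumptions; Python is used so the same check runs on Windows and Linux.

```python
import hashlib
import io
import zipfile

BOOT_MAGIC = b"ANDROID!"  # first 8 bytes of an Android boot image header


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so the large factory zip is not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def extract_boot_img(factory_zip, expected_sha256, out_path):
    """Verify the factory zip, then write boot.img from the inner zip to out_path."""
    actual = sha256_of(factory_zip)
    if actual != expected_sha256.strip().lower():
        raise ValueError(f"checksum mismatch: got {actual}")
    with zipfile.ZipFile(factory_zip) as outer:
        # Assumption: exactly one inner archive, named image-<device>-<build>.zip.
        inner_names = [n for n in outer.namelist()
                       if n.rsplit("/", 1)[-1].startswith("image-") and n.endswith(".zip")]
        if len(inner_names) != 1:
            raise ValueError(f"expected one inner image zip, found {inner_names}")
        # The inner archive is held in memory while boot.img is read from it.
        with zipfile.ZipFile(io.BytesIO(outer.read(inner_names[0]))) as inner:
            boot = inner.read("boot.img")
    if not boot.startswith(BOOT_MAGIC):
        raise ValueError("boot.img does not start with the Android boot magic")
    with open(out_path, "wb") as fh:
        fh.write(boot)
    return hashlib.sha256(boot).hexdigest()


def looks_like_boot_image(path):
    """Cheap pre-flash check for the patched image pulled back from the phone."""
    with open(path, "rb") as fh:
        return fh.read(len(BOOT_MAGIC)) == BOOT_MAGIC
```

Pass the checksum copied from the download page as `expected_sha256`, and run `looks_like_boot_image` on the pulled `magisk_patched-*.img` before `fastboot flash boot`; a truncated or wrong file is much easier to catch here than after a failed boot.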

Post-Install

  1. Make sure automatic OTA updates are set OFF in the developer settings so it doesn't silently update and clobber our root.
  2. In order for our device to run certain apps that disallow root, we'll need to pass Google SafetyNet. To see our current status, hit "Check SafetyNet" in Magisk Manager. By default, our device will probably fail to pass Attestation. Unfortunately, this is even trickier for more recent devices which will run attestations inside a secure enclave. I believe there are some more sophisticated work-arounds to circumvent this.
  3. To pass SafetyNet, let's first enable "MagiskHide" in the settings.
  4. Also enable "Hide the Magisk app" and give it a different name. I called it "M A G I S K M A N A G E R" lmao.
  5. Unfortunately, my phone still doesn't pass the ctsProfile check even after the above. I don't need to hide right now, so maybe figure this out later...
  6. AdBlocking: Install AdAway from F-Droid. Enable "Systemless hosts" in Magisk Manager and then Reboot. Inside AdAway, use the Root-based AdBlock and then Reboot again.