android rooting

An Intro to the Systemless Interface of Rooting Android Phones


What you can learn from this article:

  1. What is meant by rooting an Android phone
  2. Steps to take before proceeding to root your phone
  3. Google’s SafetyNet check
  4. The preferred root method in today’s world – Magisk – and an outline on how it works
  5. Things you can do after flashing Magisk – the utility of rooting your phone
  6. Things (I feel) you should avoid doing after rooting systemless-ly
  7. Uninstalling Magisk
  8. What to do in case the phone is bricked

What this article will not teach you:

Specific methods to root your phone or flash custom recoveries. Such methods vary greatly from one phone to another. For example, on Samsung phones you flash files with a program called Odin, which is written specifically for Samsung devices. On other brands you have to use the vendor's own flashing tool, where one exists, or Fastboot. I have not included these topics in this article. My attempt has been to keep the content as general as possible, so that it applies to a large number of different devices rather than catering to a specific one.

Disclaimer:

This article is meant to provide information to the readers regarding the Android rooting process. Please do not hold me or Physics Forums responsible if your device is bricked before, during or after the rooting process.

You need to have a clear understanding of the working of the Android system before you try to root your phone. Remember that rooting your phone will bestow superpowers upon you. If you do not know how to utilise these powers and safeguard them, you might make your device vulnerable to threats which can, among other things, steal your personal information and empty your bank account.

You must clearly understand that once you root your phone, unlock the bootloader or flash a custom recovery, the manufacturer will in most cases treat the warranty of your phone as void. Some devices also record the event permanently (Samsung's Knox warranty bit, for example, is a one-time fuse that cannot be reset), so relocking the bootloader later does not hide it.

As Android is an open-source project, modifications to the stock ROM are considered legal in most countries. However, you should enquire into the laws of your country and ensure that you are not doing anything illegal.

Don’t say that we didn’t warn you!

What is meant by rooting an Android phone?

If you have used Windows, you must be familiar with “administrator permissions”. On Linux, there is the concept of super user (SU) privileges. Something similar exists in Android. The process of gaining super user privileges on an Android device is commonly called rooting. The system super user account is called root, hence the term rooting. This account has permissions over all files and programs on a UNIX-based system. It has full control over the operating system.

Rooting installs an su binary together with a manager application that supervises which apps are granted root. These files are usually flashed from the recovery, a minimal boot image separate from Android that provides maintenance functions, or written to the boot partition with Fastboot after being transferred to and from the phone with Android Debug Bridge (ADB) from a PC.

Before proceeding to root your phone…

  1. Backup your stock ROM and data

Before you root your phone, you must make sure that, in case of any mishap during or after the rooting process, you can restore the phone to the state it was in before. This means backing up the partitions that rooting and flashing touch, so that they can be restored later if the situation demands. In addition to backing up your media, documents, etc., you also have to back up the /system, /boot, /data and /recovery partitions.

  • /system holds the files that make up the Android framework: the system apps, libraries and the build.prop that identifies the firmware.
  • /boot holds the kernel and the initial ramdisk, which contains init and its configuration; the bootloader loads this image to start Android.
  • /data holds the data of all user-installed applications (and, under /data/media, the internal storage with your photos and downloads).
  • /recovery houses the image of the recovery console, an independent interface that can be started with certain hardware key combinations. Recovery runs instead of Android, so from it you can write to partitions like /system and /boot, which the running system either mounts read-only (/system) or does not mount at all (/boot). Recovery will work even if Android cannot boot, giving you a chance to detect and fix whatever is preventing a normal boot.

Backing up /system and /boot constitutes backing up your stock ROM. Along with that, /data is also backed up, so that the app data is not lost.

There is another partition, /vendor. According to the Android Open Source Project (AOSP) documentation,

The /vendor partition contains any binary that is not distributable to the Android Open Source Project (AOSP). If there is no proprietary information, this partition may be omitted.

On older devices /vendor is small or absent, and you could get away without backing it up. On devices running Android 8.0 or later with Project Treble, however, it holds the hardware abstraction layers and proprietary drivers the ROM needs to boot, and a ROM flashed against the wrong vendor image misbehaves or does not boot at all. If your recovery offers to back up /vendor, include it; it is small compared with /system.

Your phone comes preloaded with a stock recovery. The problem is, this recovery has very limited functions, as most phone companies do not want users to tweak their stock ROM. Important functions like backup and flashing arbitrary files are not available in the stock recovery. To carry out such functions, you have to flash a custom recovery like TWRP (Team Win Recovery Project). TWRP fulfils all the requirements of a good custom recovery. On the downside, flashing TWRP overwrites the recovery partition, so once you have flashed it, the stock recovery is gone unless you saved it beforehand.

There are some ways to back up the stock recovery. For example, the Flashify app from Play Store has an option to back up the stock recovery, but for almost all such methods your phone already has to be rooted, and rooting first means modifying /boot (and, with traditional methods, /system) before you have a clean backup of them, which is not acceptable at any cost. A cleaner route exists on devices whose bootloader supports it: fastboot boot twrp.img starts TWRP once from a PC without writing it to the recovery partition, and from that live TWRP you can back up the untouched stock recovery before deciding whether to flash TWRP permanently. If your device cannot do that, don't lament over losing the stock recovery: TWRP is so useful that there will hardly be an instance when you would want to return to the stock recovery.

Once you have flashed TWRP, it is easy to backup your ROM. Instructions for backing up from TWRP are widely available, so I am not mentioning them here.

One point to remember is that TWRP's backup of /data excludes the internal storage (/data/media), which is where your photos, downloads and other media live. Be sure to copy those to a PC or external storage separately before rooting.
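TWRP's own backup menu is the easy path, but it helps to see what a partition backup actually is: a raw copy of each named partition plus a checksum you can verify before you ever reboot. The script below is an added example written for this article, not TWRP's code. It assumes the device exposes partitions by name under a directory such as /dev/block/bootdevice/by-name (the exact path varies per device; pass it as the first argument), that the destination is on external storage or a USB OTG drive with enough free space, and that dd and sha256sum are available (TWRP ships toybox, which has both). Run it from `adb shell` while booted into TWRP.

```shell
#!/bin/sh
# Added example (not from the original article): dump raw partition images
# with SHA-256 checksums, as you would from TWRP's shell before rooting.
#
# Assumptions (not stated in the article):
#   * partitions are exposed by name under a by-name directory; pass it as $1
#     (e.g. /dev/block/bootdevice/by-name; differs between devices)
#   * $2 is a destination on external storage with enough free space
#   * dd and sha256sum exist (toybox in TWRP provides both)

# backup_partitions BYNAME_DIR OUT_DIR [PARTITION...]
# Dumps each partition to OUT_DIR/<name>.img and records its checksum in
# OUT_DIR/SHA256SUMS. Returns 1 if any partition is missing or a dump fails,
# but still dumps the ones it can.
backup_partitions() {
    byname="$1"; out="$2"; shift 2
    [ $# -gt 0 ] || set -- boot recovery system vendor
    mkdir -p "$out" || return 1
    : > "$out/SHA256SUMS"
    rc=0
    for p in "$@"; do
        if [ ! -e "$byname/$p" ]; then
            echo "missing partition: $p" >&2
            rc=1
            continue
        fi
        # raw block copy; bs=1M keeps it fast on a multi-GB /system
        if dd if="$byname/$p" of="$out/$p.img" bs=1M 2>/dev/null; then
            ( cd "$out" && sha256sum "$p.img" ) >> "$out/SHA256SUMS"
        else
            echo "dump failed: $p" >&2
            rc=1
        fi
    done
    sync
    return $rc
}

# verify_backup OUT_DIR: re-hash every image and compare against the record.
# Do this before rebooting out of recovery, while the source is still intact.
verify_backup() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}
```

Keep the SHA256SUMS file with the images: the same record is what lets you refuse a corrupted image when you restore after a bootloop, instead of discovering the corruption after it has been written to the device.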

  2. Unlock the bootloader

Referring to the AOSP documentations once again,

A bootloader is a vendor-proprietary image responsible for bringing up the kernel on a device.

Unlocking the bootloader means it will load and flash images that are not signed by the manufacturer, which is the prerequisite for a custom recovery, a patched boot image or a custom ROM. On almost every device, unlocking also performs a factory reset that wipes /data, which is one more reason to back up first.

Different phones have different ways of unlocking the bootloader. On Samsung phones, you enable OEM unlocking in Developer Options in settings (newer models then require confirming the unlock in Download mode). On many others, you have to run a program called fastboot on your PC, and through it (fastboot oem unlock or fastboot flashing unlock, depending on the device) you can unlock your bootloader. Some devices ship with the bootloader already unlocked, so you can directly proceed to flashing. Search Google for the method applicable to your device.

Google’s SafetyNet check:

Towards the end of 2015, several Android users with rooted phones found that Android Pay was no longer working on their phones. This was because Google had introduced SafetyNet in Play Services, and Android Pay was making use of it.

SafetyNet tells an app whether the phone is in a tampered state or not. This feature is now included in Google Play Services by default. Google issues the SafetyNet result based on many parameters, and the result has two parts: basicIntegrity and ctsProfileMatch. As per the Android Developers' Guide on SafetyNet, ctsProfileMatch (CTS stands for Compatibility Test Suite) is the stricter of the two. Most apps making use of SafetyNet will work if basicIntegrity is satisfied, while some (like banking apps) demand that the phone pass ctsProfileMatch as well. The result is returned to the app as a signed token, and the intended design is that the app's own server verifies the signature and the verdict, not the app running on the (possibly tampered) phone. (Google has since replaced the SafetyNet Attestation API with the Play Integrity API, which makes the same kind of device-integrity statement; what follows about hiding root from it still applies in spirit, though the details differ.)

Among other parameters, SafetyNet checks whether the /system partition has been tampered with and, on newer devices, whether verified boot reports an unlocked bootloader. Once it finds tampering, the ctsProfileMatch test will start yielding a negative result. (How SafetyNet finds this tampering is out of the scope of this article; refer to the Further Reading section for some idea.)

Keep in mind that SafetyNet is a necessary evil. Say you are a layman who knows nothing about the Android framework or rooting, and you give your phone to someone to repair something. That person roots your phone, installs malware and returns it to you, and you don't notice. He aims to steal your personal data. But once you start using your phone, Google detects the tampering, and apps that handle sensitive data (like banking apps or mobile wallets) refuse to run, which is your signal that the phone is not in a trustworthy state. Even an OTA (Over-The-Air) update to your stock ROM may have a bug that leaves your system insecure. SafetyNet is a boon to users in these situations.
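To make the two-part verdict concrete, here is what a backend does with a SafetyNet attestation token. This is an added example for this article, not Google's code and not part of Magisk: it decodes the token's payload (a JWS, three base64url parts separated by dots, whose claims nonce, timestampMs, apkPackageName, ctsProfileMatch and basicIntegrity are the documented ones) and applies the documented server-side checks. The sample token is constructed inline with a dummy signature. The one thing it deliberately omits is the step a real verifier must do first: validating the signature against the x5c certificate chain in the header (issued for attest.android.com); a token whose signature has not been checked proves nothing, and that step needs a JOSE library rather than a shell.

```shell
#!/bin/sh
# Added example (not from the article or from Google): decode a SafetyNet
# attestation JWS payload and apply the backend checks on its claims.
# Signature verification against the x5c chain is NOT done here and must
# precede these checks in a real verifier.

# b64url_decode STRING: base64url without padding -> raw bytes
b64url_decode() {
    printf '%s' "$1" | tr '_-' '/+' | awk '{
        pad = (4 - length($0) % 4) % 4
        for (i = 0; i < pad; i++) $0 = $0 "="
        print
    }' | base64 -d
}

# jws_payload TOKEN: the decoded JSON claims (second dot-separated part)
jws_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# json_field JSON KEY: value of a top-level scalar key in compact JSON;
# good enough for the flat SafetyNet payload, not a general JSON parser.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# safetynet_verdict TOKEN NONCE PACKAGE NOW_MS [MAX_AGE_MS]
# Echoes "strong" (ctsProfileMatch), "basic" (basicIntegrity only) or
# "fail"; returns 0 only for "strong". NONCE is the value the backend
# generated for this session, so a token captured elsewhere cannot be replayed.
safetynet_verdict() {
    payload=$(jws_payload "$1")
    nonce=$(json_field "$payload" nonce)
    pkg=$(json_field "$payload" apkPackageName)
    ts=$(json_field "$payload" timestampMs)
    cts=$(json_field "$payload" ctsProfileMatch)
    basic=$(json_field "$payload" basicIntegrity)
    max_age=${5:-600000}   # 10 minutes; older tokens are treated as replays
    [ -n "$ts" ] || { echo fail; return 1; }
    if [ "$nonce" != "$2" ] || [ "$pkg" != "$3" ]; then echo fail; return 1; fi
    age=$(( $4 - ts ))
    if [ "$age" -lt 0 ] || [ "$age" -gt "$max_age" ]; then echo fail; return 1; fi
    [ "$basic" = true ] || { echo fail; return 1; }
    if [ "$cts" = true ]; then echo strong; return 0; fi
    echo basic; return 1
}

# --- constructed sample (not a real Google token): header.payload.dummysig ---
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
make_sample_token() {
    printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","x5c":[]}')" \
        "$(b64url_encode "$1")" "c2lnbmF0dXJl"
}
SAMPLE_PAYLOAD='{"nonce":"R2Rra24fVm5xa2Mg","timestampMs":1700000000000,"apkPackageName":"com.example.bank","ctsProfileMatch":true,"basicIntegrity":true}'
```

The point the checks make: the verdict is a statement about the device made by Play Services on the device. Magisk's hiding works because it changes what that code sees; a backend that checks the signature, nonce, package and freshness still cannot tell a hidden root from a clean phone, which is why Google later moved attestation towards hardware-backed signals.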

The preferred root interface in the modern world – Magisk – and an outline on how it works

There are two types of root interfaces – one that modifies the /system partition directly (the traditional way), and one that does not do so. The latter interface is termed “systemless”. Traditional interfaces like SuperSU cannot bypass SafetyNet.

Some experienced members at XDA Developers realised that, among other things, if the interface doesn’t directly tamper with /system, then SafetyNet can be fooled. But there seemed to be never-ending lists of bugs when such systemless interfaces were tested. Finally, John Wu (XDA username: topjohnwu) devised Magisk, which could bypass the SafetyNet check (both ctsProfileMatch and basicIntegrity).

If you look at the Android booting process, you will find that at one stage the kernel starts the init process from the ramdisk. Magisk replaces this init with magiskinit, which sets up Magisk and then hands over to the original init. This replacement is unavoidable, and it is made in the /boot partition (the patched boot image). The /system partition is left unaltered.

Magisk provides root access through an su binary under /sbin (the exact path has changed across Magisk versions, and newer releases no longer rely on /sbin at all). Any application that executes it brings up Magisk's prompt to grant or deny root access, which is managed and recorded by the Magisk Manager application.

Magisk uses the well-known Linux technique of bind mounts. A bind mount makes a file or directory visible at a second path; it is a property of the live system, not of the bytes on disk. Magisk keeps the files of each module under /data/adb/modules/<module>/system/ and bind-mounts them over the corresponding paths in /system at boot. So, if you make modifications in /system respecting the guidelines of systemless rooting, a root file browser will show /system as modified, but in reality the running system is looking at files on /data, and the original /system partition, still untouched, stays mounted at /sbin/.magisk/mirror/system. Because they are only mounts, Magisk can unmount /sbin and the bind mounts to hide all modifications easily.

Another important and interesting feature of Magisk is MagiskHide, which hides root from apps that tend to malfunction when they detect a rooted device (even when SafetyNet is bypassed by the root interface). This is done by giving such an app's process its own mount namespace in which Magisk's mounts have been undone, so the app sees a clean /system.

As a side note, Magisk's releases are published on its GitHub repository (github.com/topjohnwu/Magisk) and announced in the official thread on XDA Developers. Download Magisk only from those two places.

Things you can do after flashing Magisk – the utility of rooting your phone systemless-ly

  1. Unleash the power of Magisk modules

Once you have flashed Magisk, you have full control over your device. Magisk provides you with the power of modules. A module is a package of files (and optional scripts) that Magisk overlays onto /system with bind mounts at boot, so the modification is visible to the running system while the partition itself stays untouched. Modules are accessible from Magisk Manager -> Downloads. Tap the download sign and choose Install. Once the flashing finishes, you will find a Reboot sign. All installations come into effect only when the phone is rebooted.

First download and flash the module Busybox for Android NDK (the one developed by XDA member osm0sis). You might not understand what it is doing right now, but many other modules will require this, so keep it ready. Also, install a terminal emulator app (like Termux) from Play Store.

The next thing to check is whether your phone passes the SafetyNet check. Open the Magisk Manager app, and tap the Start SafetyNet Check on the front page. It will most probably request your permission to download a module; give consent to the download. Chances are that you will see a screen like this:

(Screenshot: Magisk Manager reporting a successful SafetyNet check)

If SafetyNet check fails, flash the module MagiskHide Props Config. Follow the instructions online, and you should be able to fix the problem.

After this, you are welcome to try out other modules that you find interesting. Some modules that I personally find interesting are: YouTube Vanced Magisk Repo, App Systemizer (terminal emulator), Energized Protection and FDE.AI.

Before flashing a module, read its official thread (mostly on XDA) and the readme.md file on GitHub to make sure you know what you are doing. Not all modules that you see listed will be compatible with your phone. Some of them need other modules to work, so check that too. Your phone should not have more than one kernel-tweaking module active at a time, otherwise either both will shut down, or your device will malfunction.

In order to remove a module, go to Magisk Manager -> Modules, tap the bin icon next to the module you want to remove, and reboot. Because the module only ever existed as bind mounts over /system, the original files are back as soon as the mounts are no longer set up on the next boot.
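The bind-mount mechanism described above is easiest to see in the layout of a module itself. The script below is an added example written for this article (not an official Magisk module and not Energized's code): it builds a minimal module that replaces /system/etc/hosts systemless-ly, which is how the hosts-based ad blockers mentioned later work. The facts it relies on are that Magisk installs modules under /data/adb/modules/<id>/, expects a module.prop there, and bind-mounts everything under the module's system/ directory over the matching path in /system at boot. The staging directory, the module id and the validation rules are my own choices; you copy the result to /data/adb/modules/ (or zip it and flash it) yourself.

```shell
#!/bin/sh
# Added example (not from the article, not an official Magisk module): build
# a Magisk module that overlays /system/etc/hosts with a blocklist.
# Magisk bind-mounts <module>/system/etc/hosts over /system/etc/hosts at
# boot, so the hosts file on the real partition is never written.

# build_hosts_module STAGE_DIR BLOCKLIST_FILE
# Creates STAGE_DIR/module.prop and STAGE_DIR/system/etc/hosts. Only
# "0.0.0.0 <hostname>" lines with a syntactically valid hostname are kept;
# comments, IPv6 entries and, above all, mappings to real addresses (which
# a poisoned blocklist could use to redirect you) are dropped. Hostnames are
# lower-cased and de-duplicated. Prints the number of blocked hosts.
build_hosts_module() {
    stage="$1"; list="$2"
    mkdir -p "$stage/system/etc" || return 1
    cat > "$stage/module.prop" <<'EOF'
id=hosts_blocklist
name=Systemless hosts blocklist (example)
version=v1
versionCode=1
author=example
description=Replaces /system/etc/hosts via a Magisk bind mount
EOF
    {
        # loopback entries Android expects to find in hosts
        echo '127.0.0.1 localhost'
        echo '::1 localhost'
        awk '$1 == "0.0.0.0" && NF == 2 &&
             $2 ~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$/ &&
             !seen[tolower($2)]++ { print "0.0.0.0 " tolower($2) }' "$list"
    } > "$stage/system/etc/hosts"
    # everything after the two loopback lines is a blocked host
    echo $(( $(wc -l < "$stage/system/etc/hosts") - 2 ))
}

# hosts_in_module STAGE_DIR: the blocked hostnames, one per line
hosts_in_module() {
    awk '$1 == "0.0.0.0" { print $2 }' "$1/system/etc/hosts"
}
```

Magisk Manager itself has a "Systemless hosts" option that creates an empty module of exactly this shape for ad blockers to write into; the script shows what that option sets up and why removing the module restores the stock hosts file without touching /system. The validation matters because a hosts file is trusted by every app on the phone: a blocklist entry that maps a bank's hostname to an attacker's address is a phishing tool, so only sinkhole entries are accepted.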

  2. View your file system using a root file browser

If you are interested in the technicalities of how things work in Android, you may download a root file browser and use it to view the files that were hidden from your view till date. Study the directories to see how the Android file system works. Don’t modify anything unless you know what you are doing, otherwise you may brick your phone.

  3. Flash custom ROMs

Once you have a rooted phone with a custom recovery, you can try custom ROMs. These ROMs are often leaner, more up to date and free of vendor bloatware compared with the stock ROM. One famous custom ROM is LineageOS. Installation guides of custom ROMs are widely available on the net. Before flashing them, make sure to check the following:

  1. The known issues, and how they will affect you.
  2. You have downloaded the official build of the ROM.
  3. The version is specifically meant for your phone and is compatible with the CPU architecture of your device.
  4. Your preferred root method works with that ROM.
  5. The apps that you are using currently are compatible with that ROM.
  6. Whether you need to separately flash a Google apps package such as OpenGApps (which provides Google Play Services).

Checking these is important. For example, there is no official LineageOS build for the Samsung Galaxy On7. Somebody on XDA developed an unofficial build, but it has issues with the camera and VoLTE, so it is kind of useless to flash such a ROM.

Things (I feel) you should avoid doing after rooting systemless-ly

There are some applications available in Play Store, like Titanium Backup, which give you options to modify the /system partition directly (for example, by converting a user app into a system app). Refrain from using such options, because they write to the real /system partition, break the systemless interface of Magisk and will make SafetyNet fail. Always respect the systemless technology of Magisk. If you really need direct modifications of /system and other partitions, you are welcome to use traditional root interfaces like SuperSU, accepting that SafetyNet will not pass.

Uninstalling Magisk

Simply download the uninstaller zip available online at XDA, and flash it through TWRP. It restores the original boot image that Magisk saved when it was installed; after a reboot, /sbin and all bind mounts are gone. Newer versions of Magisk Manager also offer Uninstall Magisk from within the app, which does the same thing without a custom recovery.

New versions of Magisk are released regularly, and the uninstaller file is updated too. Some update might not be compatible with your phone, in which case you would be sticking to an older version of Magisk. In the meanwhile, the uninstaller for the old version may be removed from the website. Remember that the uninstaller is version-specific (no question of forward or backward compatibility). So, always download the uninstaller and store it somewhere safe when you flash or update Magisk.

What to do in case the phone is bricked

When your phone cannot load the files of the Android OS and boot normally, it is said to be bricked. The most common form is a bootloop: the device starts booting, crashes somewhere between the kernel and the Android framework, restarts, and keeps doing so. Bootloops are often encountered while rooting a device or when a custom ROM is flashed. As long as the bootloader and the recovery still respond, this is only a "soft brick" and is recoverable with the steps below; a "hard brick", where the phone does not react at all, usually needs vendor-specific low-level flashing tools.

Different phones show different indications when they are bricked. Some phones, for example Samsung, will keep on showing the company’s logo during booting, but never actually finish booting. If you leave it in that condition, it will keep on trying to boot until the battery is completely drained.

If you find your phone in a bootloop, do not panic. It is very common to brick devices during rooting or flashing custom ROMs. When I had tried to root my phone for the first time, I had also ended up with a bricked device. And guess what – I had not made a backup of the stock ROM, so I was in a greater mess. If you have followed the article properly, you should have already backed up the stock ROM using TWRP.

When the device is in a bootloop, pull out the battery to shut it down completely (on phones with a non-removable battery, hold the power button for about ten seconds, or use your device's key combination for a forced shutdown). Then boot into recovery. First, uninstall Magisk by flashing the uninstaller zip (you should have that downloaded). Then restore the backup that you had made using TWRP before rooting your phone. This should restore your phone to the state it was in before rooting.

If in a rare case your phone still does not work properly, search for the stock firmware of your phone and flash it with the manufacturer's tool (Odin, Fastboot, etc.). That takes every partition back to the factory state and removes all problems short of a damaged bootloader. Verify the download's checksum against the one published by the source before flashing: a truncated or corrupted firmware image can turn a soft brick into a hard one.
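The restore step is where a bad image does the most damage, so it is worth refusing to write anything whose checksum does not match the record made at backup time. The script below is an added example for this article (not TWRP's or Magisk's code). It assumes the layout of a raw backup: BACKUP_DIR/<name>.img next to a SHA256SUMS file produced by sha256sum, and a by-name partition directory as on most devices (for example /dev/block/bootdevice/by-name). Run it from TWRP's shell with the target partition unmounted.

```shell
#!/bin/sh
# Added example (not from the article): write a partition image back only
# after its checksum matches the record made at backup time, so a truncated
# or corrupted copy cannot turn a bootloop into a dead device.
# Assumes BACKUP_DIR/<name>.img plus BACKUP_DIR/SHA256SUMS ("hash  file"
# lines as written by sha256sum) and a by-name partition directory.

# partition_size DEV: size in bytes (0 if unknown). blockdev is in toybox;
# for a regular file (as in offline tests) fall back to wc -c.
partition_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    elif [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# restore_partition BYNAME_DIR BACKUP_DIR NAME
# Returns 1 without touching the device if the image is missing, is not
# listed in SHA256SUMS, or does not hash to the recorded value. Returns 2 if
# the image is larger than the target partition. Otherwise writes it.
restore_partition() {
    byname="$1"; bak="$2"; name="$3"
    img="$bak/$name.img"
    [ -f "$img" ] || { echo "no image for $name" >&2; return 1; }
    want=$(awk -v f="$name.img" '$2 == f { print $1 }' "$bak/SHA256SUMS")
    [ -n "$want" ] || { echo "$name.img not listed in SHA256SUMS" >&2; return 1; }
    have=$(sha256sum "$img" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "checksum mismatch for $name" >&2; return 1; }
    img_size=$(wc -c < "$img" | tr -d ' ')
    part_size=$(partition_size "$byname/$name")
    if [ "$part_size" -gt 0 ] && [ "$img_size" -gt "$part_size" ]; then
        echo "$name.img ($img_size bytes) exceeds the partition ($part_size bytes)" >&2
        return 2
    fi
    # only now touch the device; sync so the write is on flash before reboot
    dd if="$img" of="$byname/$name" bs=1M 2>/dev/null && sync
}
```

Restore /boot first when chasing a bootloop caused by rooting: that single partition carries the Magisk-patched init, and putting the stock image back often fixes the loop without rewriting the much larger /system.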

Final words

Android is an open-source project, and Magisk and most of its modules are open source too, so their source code is publicly available on GitHub or other repositories. However, reading these files directly may be difficult and time-consuming for a person who is not experienced in this field. In this article, I have tried to compile whatever I have learnt till date about Magisk and systemless rooting in less technical language than the original source files, so that it can appeal to a larger audience. Some things might change with time, and I will try to keep the article updated as far as possible. If I come to learn something more on these topics, I will add that too.

I sincerely thank Greg Bernhardt, the admin of Physics Forums, for providing this opportunity to me. Without his efforts, this article would have never become a reality.

Further Reading:

Comment Thread

8 replies
  1. Wrichik Basu says:
    Regarding bootloop: for devices having built-in (non-removable) batteries it is fine to leave them on charger till you calm down and look for a solution.

    That’s why I always prefer phones which have removable batteries. :wink:

    BTW getting stock ROM might be a pain.

    Yes, primarily because the backup you make from TWRP cannot be compiled into a .tar file easily. Otherwise by now XDA would have flooded the internet with the stock ROMs of all available devices.

  2. anorlunda says:
    Good article Wrichik. I learned from it. But it feels incomplete without these two important points.

    1. Why? What are the benefits of rooting your phone?
    2. Who is qualified?

    For example, I see that an app developer with many phones available may benefit from rooting.
    But I also fear that consumers with limited technical skills, motivated by questionable benefits of rooting, and playing with their one and only digital device, may be ill advised to play with rooting. There may also be bad actors advising vulnerable people to root their phones to gain something attractive.

    "View your file system using a root file browser" that is not a utility that an ordinary consumer considers a benefit. In the USA, we like to use the Aunt Millie metaphor. Is rooting something that your great aunt Millie could do? should do?

    I considered rooting only once about 10 years ago. I wanted to make my phone a WiFi hotspot. I feared doing it because of inexperience, and because I had no local support group of friends who could rescue me if I bricked my phone. Also, that was the only phone my wife and I owned, and we were cruising on remote islands with no access to the cell provider’s stores or repair centers. But before I could decide, an update from the provider added wifi hotspot as a standard feature.

    The author can edit Insight articles. I suggest that you may want to add some paragraphs to the article, and not just reply in this comment thread.

  3. Wrichik Basu says:
    Why? What are the benefits of rooting your phone?

    Since this article focuses on systemless rooting, the greatest benefit (without changing to a custom ROM) is the power of modules. I have written on that briefly, because if I started writing about each and every module that I use currently, it would become another separate article. Anyways, I will add a few points.

    "View your file system using a root file browser" that is not a utility that an ordinary consumer considers a benefit. In the USA, we like to use the Aunt Millie metaphor. Is rooting something that your great aunt Millie could do? should do?

    No, she shouldn’t. Let’s be frank about it: rooting is not for a layman. Just like you would refrain from teaching perturbative QCD to a person having insufficient knowledge in physics, I would advise people who have no idea on the Android system to keep away from rooting, because this thing is no joke. For example, I would not root my parents’ phones, because if some problem suddenly crops up, I might know how to handle that, but they won’t be able to do anything without my support. And I won’t be available all the time to tackle these problems.

    But that does not always mean that you cannot root if you are a layman. I was a layman too when I started out with these things, but I have learnt and am still learning on these topics. If you are interested in these things, knowledge will come to you automatically, and once you are confident enough, you can proceed to root your phones. You will make mistakes, like @Rive said, and you have to be prepared for that.

  4. anorlunda says:
    No, she shouldn’t. Let’s be frank about it: rooting is not for a layman.

    I’m suggesting that the article should say that prominently. Laymen could be fooled into doing something they don’t understand. And if someone approaches you and says "do what that Insights article says" to your phone so that you can use this neat new feature, you should run away.

  5. Wrichik Basu says:
    I’m suggesting that the article should say that prominently. Laymen could be fooled into doing something they don’t understand. And if someone approaches you and says "do what that Insights article says" to your phone so that you can use this neat new feature, you should run away.

    Updated the article.

  6. Wrichik Basu says:
    Well, as the Android is now, there are not many benefits coming with rooting. I think the real benefits of the process described above are:
    – TWRP, as a great systemless platform for backup and ROM changes
    – easy availability of custom ROMs, as bloatware-free platforms with a kind of ‘extended support’ for older or abandoned hardware

    There are other benefits as well. For example, Magisk has a module Energized Protection (I have mentioned it in the updated version of the article). This module has a file of blacklisted hosts, and it simply blocks all requests to those hosts. Thus, it blocks ads and malicious websites not only on the web browsers, but also on apps. The root browser app that I have complains that it cannot connect to the Google Ad hosts. Such strict ad blocking is not possible without rooting the phone.

  7. Wrichik Basu says:
    I replaced a ‘non-replaceable’ battery in an HTC One M9, and in a Samsung Galaxy S6 — the M9 required disassembly all the way past the motherboard — you almost have to have the skill of a jeweler or a watchmaker to do that.

    You need to have really stable hands and infinite patience while tearing down a smartphone. A salute to you and anyone else who is experienced in this.

  8. Wrichik Basu says:
    Exactly because of things like this is why I don’t like running rooted. Fine and nice to have it as an option, but in general it is not a good idea to have a permanent access to admin/root.

    The hosts file is saved in /system/etc. This means that in order to modify that file, the malware will ask for your permission to use the Magisk SU binary to get root access. If you deny permissions to any app that you don’t recognize, you should be safe.
