What you can learn from this article:
- What is meant by rooting an Android phone
- Steps to take before proceeding to root your phone
- Google’s SafetyNet check
- The preferred root method in today’s world – Magisk – and an outline on how it works
- Things you can do after flashing Magisk – the utility of rooting your phone
- Things (I feel) you should avoid doing after rooting systemless-ly
- Uninstalling Magisk
- What to do in case the phone is bricked
What this article will not teach you:
Specific methods to root your phone or flash custom recoveries. Such methods vary greatly from one phone to another. For example, in Samsung phones, you can flash files with a software called Odin, which is specifically written for Samsung phones. On other brands, you have to use some other software, if they exist, or use Fastboot. I have not included these topics in this article. My attempt has been to keep the content of the article as general as possible, so that it is applicable to a large number of different devices rather than cater to a specific device.
This article is meant to provide information to the readers regarding the Android rooting process. Please do not hold me or Physics Forums responsible if your device is bricked before, during or after the rooting process.
You need to have a clear understanding of the working of the Android system before you try to root your phone. Remember that rooting your phone will bestow superpowers upon you. If you do not know how to utilise these powers and safeguard them, you might make your device vulnerable to threats which can, among other things, steal your personal information and empty your bank account.
You must clearly understand that once you root your phone, unlock the bootloader or flash a custom recovery, the warranty of your phone is void.
As Android is an open-source project, modifications to the stock ROM are considered legal in most countries. However, you should enquire into the laws of your country and ensure that you are not doing anything illegal.
Don’t say that we didn’t warn you!
What is meant by rooting an Android phone?
If you have used Windows, you must be familiar with “administrator permissions”. On Linux, there is the concept of super user (SU) privileges. Something similar exists in Android. The process of gaining super user privileges on an Android device is commonly called rooting. The system super user account is called root, hence the term rooting. This account has permissions over all files and programs on a UNIX-based system. It has full control over the operating system.
Rooting is done using an SU interface that supervises the root permissions granted to different applications. The process of flashing the SU application is generally done through Android Debug Bridge (ADB) from PC, or from the recovery, which is a minimal Android boot image that provides maintenance functions.
Before proceeding to root your phone…
Backup your stock ROM and data
Before you root your phone, you must ensure that in case of any mishap during or after the rooting process, you should be able to restore your phone to the state that it was in before the mishap. This means that you should backup the important sectors of the phone memory, which can be restored later if the situation demands. In addition to backing up your media, documents, etc., you also have to backup
/systemhas the files that make up your Android framework.
/bootcontains files that are executed when the Android system boots.
/dataconsists of the data of all user-installed applications which are present in the internal storage.
/recoveryhouses the image of the recovery console, which is an independent interface that can be triggered by certain hardware key combinations. Recovery works when the Android OS has not loaded, so you can make changes to partitions like
/bootfrom it. These partitions are otherwise mounted read-only. Recovery will work even if the Android system cannot boot, thereby providing you with an opportunity to detect and rectify the errors that are preventing the system from booting normally.
/boot constitutes backing up your stock ROM. Along with that,
/data is also backed up, so that the app data is not lost.
There is another directory,
/vendor. According to Android Open Source Project (AOSP) documentations,
/vendorpartition contains any binary that is not distributable to the Android Open Source Project (AOSP). If there is no proprietary information, this partition may be omitted.
/vendor is not a very important directory, so you can ignore it while backing up.
Your phone comes preloaded with a stock recovery. The problem is, this recovery has very limited functions, as most phone companies do not want users to tweak their stock ROM. Important functions like backup and flashing files are not available in the stock recovery. In order to carry out such functions, you have to flash a custom recovery like TWRP (Team Win Recovery Project). TWRP fulfils all the requirements of a good custom recovery. On the downside, once you flash TWRP, you won’t be able to back up the stock recovery.
There are some ways to backup the stock recovery. For example, you can download the Flashify app from Play Store, which has an option to back up the stock recovery. But for almost all such methods available, your phone has to be rooted. If you (somehow) root your phone without using the recovery, you will lose the stock
/boot partitions, which is not acceptable at any cost. So, don’t lament over losing the stock recovery. In addition, TWRP is so useful that there will hardly be an instance when you would want to return to the stock recovery.
Once you have flashed TWRP, it is easy to backup your ROM. Instructions for backing up from TWRP are widely available, so I am not mentioning them here.
One point to remember is that, TWRP does not back up your media files. Be sure to back those up separately before rooting.
Unlock the bootloader
Referring to the AOSP documentations once again,
A bootloader is a vendor-proprietary image responsible for bringing up the kernel on a device.
Unlocking the bootloader means you are allowing modifications in your system.
Different phones have different ways of unlocking the bootloader. For example, in Samsung, simply toggling a button in Developer Options in settings will unlock the bootloader. In some others, you have to run a program called fastboot on your PC and through it, you can unlock your bootloader. Some devices might not need this step at all; you can directly proceed to flashing a custom ROM in those phones. Search Google for the method applicable to your device.
Google’s SafetyNet check:
Towards the end of the year 2014, several Android users with rooted phones found that Android Pay was no longer working on their phones. This is because Google had introduced its latest invention – SafetyNet – in Play Services and Android Pay was making use of that.
SafetyNet tells an app whether the phone is in a tampered state or not. This feature is now included in Google Play Services by default. There are many parameters based on which Google issues the SafetyNet results. SafetyNet has two parts: basicIntegrity and ctsProfileMatch. As per the Android Developers’ Guide on SafetyNet, CTS (Compatibility Test Suite) Profile matching is a stricter test compared to basicIntegrity. Most apps making use of SafetyNet will work if the latter is satisfied, while some (like banking apps) demand that the phone should pass the former as well.
Among other parameters, SafetyNet checks whether the
/system partition has been tampered with. Once it finds a tampering, the ctsProfileMatch test will start yielding a negative result. (How SafetyNet finds this tampering is out of the scope of this article; refer to Further Reading section for some idea.)
Keep in mind that SafetyNet is a necessary evil. Say you are a layman, and you do not know anything about the Android framework or rooting. You give your phone to a person for repairing something. That person roots your phone, installs malware and returns it to you, but you don’t notice that. He aims at stealing your personal data. But once you start using your phone, Google detects the tampering, prevents any vulnerable app (like banking apps or mobile wallets) from running on your phone, and informs you that your phone is unsafe. In fact, even an OTA (Over-The-Air) upgrade to your stock ROM may have a bug that can leave your system unsecure. SafetyNet is a boon to users in these situations.
The preferred root interface in the modern world – Magisk – and an outline on how it works
There are two types of root interfaces – one that modifies the
/system partition directly (the traditional way), and one that does not do so. The latter interface is termed “systemless”. Traditional interfaces like SuperSU cannot bypass SafetyNet.
Some experienced members at XDA Developers realised that, among other things, if the interface doesn’t directly tamper with
/system, then SafetyNet can be fooled. But there seemed to be never-ending lists of bugs when such systemless interfaces were tested. Finally, John Wu (XDA username: topjohnwu) devised Magisk, which could bypass the SafetyNet check (both ctsProfileMatch and basicIntegrity).
If you look at the Android booting process, you will find that at one stage, the kernel calls the
init process. Magisk replaces this
magiskinit. This replacement is unavoidable, and changes are made in
/boot partition. But
/system partition is left unaltered.
Magisk provides root access by providing a working binary with the path
/sbin/.magisk/su. Any application that tries to run this will bring up Magisk to grant them root access, which is, in turn, managed and maintained by the Magisk Manager application.
Magisk uses the well-known Linux technique bind mount. Bind mount is an alternate view of the file directory, but any changes done in bind mount are not reflected in the original file system. In essence, it is a property of the live system. So, if you make modifications in
/system respecting the guidelines of systemless rooting, you will see (using a root file browser) that
/system has been modified. But in reality, the changes are made in the bind mount. The original
/system is available at
/sbin/.magisk/mirror/system. Magisk can unmount
/sbin and the bind mounts to hide all modifications easily.
Another important and interesting feature of Magisk is MagiskHide, which can hide the root from apps which tend to malfunction when they detect that the device is rooted (even if SafetyNet is bypassed by the root interface). This done by making the bind mounts invisible to that app.
As a side note, Magisk has no dedicated website, and all updates are announced at XDA Developers. So, download Magisk only from the official thread on XDA.
Things you can do after flashing Magisk – the utility of rooting your phone systemless-ly
Unleash the power of Magisk modules
Once you have flashed Magisk, you have full control over your device. Magisk provides you with the power of modules. Modules are programs that will modify your system under the hood of Magisk. They are accessible from Magisk Manager -> Downloads. Click on the download sign, and choose Install. Once the flashing finishes, you will find a Reboot sign. All installations come into effect only when the phone is rebooted.
First download and flash the module Busybox for Android NDK (the one developed by XDA member osm0sis). You might not understand what it is doing right now, but many other modules will require this, so keep it ready. Also, install a terminal emulator app (like Termux) from Play Store.
The next thing to check is whether your phone passes the SafetyNet check. Open the Magisk Manager app, and tap the Start SafetyNet Check on the front page. It will most probably request your permission to download a module; give consent to the download. Chances are that you will see a screen like this:
If SafetyNet check fails, flash the module MagiskHide Props Config. Follow the instructions online, and you should be able to fix the problem.
After this, you are welcome to try out other modules that you find interesting. Some modules that I personally find interesting are: YouTube Vanced Magisk Repo, App Systemizer (terminal emulator), Energized Protection and FDE.AI.
Before flashing a module, read its official thread (mostly on XDA) and the
readme.md file on Github to make sure you know what you are doing. Not all modules that you see listed will be compatible with your phone. Some of them might need other modules for working, so check that out too. Your phone should not have more than one kernel-tweaking modules working together, otherwise either both will shut down, or your device will malfunction.
In order to remove a module, go to Magisk Manager -> Modules, click on the bin icon next to the module you want to remove, and reboot. Any changes made by the module on the bind mount will be restored.
View your file system using a root file browser
If you are interested in the technicalities of how things work in Android, you may download a root file browser and use it to view the files that were hidden from your view till date. Study the directories to see how the Android file system works. Don’t modify anything unless you know what you are doing, otherwise you may brick your phone.
Flash custom ROMs
Once you have a rooted phone with a custom recovery, you can try custom ROMs. These ROMs are often much better than the stock ROMs. One famous custom ROM is LineageOS. Installation guides of custom ROMs are widely available on the net. Before flashing them, make sure to check the following:
- The known issues, and how they will affect you.
- You have downloaded the official build of the ROM.
- The version is specifically meant for your phone and is compatible with the CPU architecture of your device.
- Your preferred root method works with that ROM.
- The apps that you are using currently are compatible with that ROM.
- Whether you need to separately flash Google Play Services like OpenGApps.
Checking these are important. For example, there is no official LineageOS build for Samsung Galaxy On7. Somebody on XDA developed an unofficial build, but that has issues with camera and VoLTE, so it is kind of useless to flash such a ROM.
Things (I feel) you should avoid doing after rooting systemless-ly
There are some applications available in Play Store, like Titanium Backup, which will give you options to natively modify the
/system partition. Refrain from using such applications, because those will break the systemless interface of Magisk. Always respect the systemless technology of Magisk. For direct modifications of
/system and other partitions, you are welcome to use traditional root interfaces like SuperSU.
Simply download the uninstaller zip available online at XDA, and flash it through TWRP.
/sbin and all bind mounts will be unmounted.
New versions of Magisk are released regularly, and the uninstaller file is updated too. Some update might not be compatible with your phone, in which case you would be sticking to an older version of Magisk. In the meanwhile, the uninstaller for the old version may be removed from the website. Remember that the uninstaller is version-specific (no question of forward or backward compatibility). So, always download the uninstaller and store it somewhere safe when you flash or update Magisk.
What to do in case the phone is bricked
When your phone cannot load the files of the Android OS and boot normally, it is said to be bricked. One of the most common ways of bricking the phone is through a bootloop, where the bootloader tries to execute the boot scripts, fails to do so, and recursively keeps on trying and failing. Bootloop is often encountered while rooting a device or when a custom ROM is flashed.
Different phones show different indications when they are bricked. Some phones, for example Samsung, will keep on showing the company’s logo during booting, but never actually finish booting. If you leave it in that condition, it will keep on trying to boot until the battery is completely drained.
If you find your phone in a bootloop, do not panic. It is very common to brick devices during rooting or flashing custom ROMs. When I had tried to root my phone for the first time, I had also ended up with a bricked device. And guess what – I had not made a backup of the stock ROM, so I was in a greater mess. If you have followed the article properly, you should have already backed up the stock ROM using TWRP.
When the device is in a bootloop, pull out the battery to shut it down completely. Then boot into recovery. First, uninstall Magisk by flashing the uninstaller zip (you should have that downloaded). Then restore the backup that you had made using TWRP before rooting your phone. This should restore your phone to the state it was in before rooting.
If in a rare case your phone still does not work properly, try searching Google for the stock ROM of your phone, and flash that. That will surely remove all the problems.
Android is an open-source project, so the source codes of Magisk, its modules, etc. are available publicly on Github or other repositories. However, directly reading these files may become difficult and time-consuming for a person who is not experienced in this field. In this article, I have tried to compile together whatever I have learnt till date about Magisk and systemless rooting in a less-technical language compared to the original source files, so that it can appeal to a larger audience. Some things might change with time, and I will try to keep the article updated as far as possible. If I come to learn something more on these topics, I will add them too.
I sincerely thank Greg Bernhardt, the admin of Physics Forums, for providing this opportunity to me. Without his efforts, this article would have never become a reality.
- Android device partitions and file systems
- Android boot process (on XDA developers)
- Wikipedia page on rooting
- A blog post on SafetyNet
- A guide to flashing Magisk using TWRP
- Some details of SafetyNet at Android Developer website
- Magisk developer details, as provided by John Wu on Github
- Magisk documentations on Github
- An answer on Android StackExchange on how Magisk works
- Joshua J. Drake et al. – Android Hacker’s Handbook (The book does not include systemless rooting, as Magisk was written after that)
- A collection of Magisk modules at XDA. Not all the modules will work on your phone, so be aware before flashing.
- A thread on XDA discussing how to install and uninstall Magisk modules through TWRP
- What is ADB & Fastboot?
- Download ADB and Fastboot without installing Android SDK
Studying physics at Scottish Church College, Kolkata. Interested in Quantum field theory (Flavour physics), Experimental particle physics, Quantum gravity.