OnePlusRoot

Root OnePlus5 without unlocking the bootloader

Gain adb root.

$ adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"

Download Magisk-v14.0 and extract it somewhere. Download MagiskManager.

Now, open a shell (adb shell).

OnePlus5:/ # mkdir /data/magisk
OnePlus5:/ #

Push the required file to the device:

adb push {arm64/*,common/*} /data/magisk/
arm64/magisk: 1 file pushed. 6.7 MB/s (192736 bytes in 0.027s)
arm64/magiskboot: 1 file pushed. 20.2 MB/s (316536 bytes in 0.015s)
common/boot_patch.sh: 1 file pushed. 3.1 MB/s (7732 bytes in 0.002s)
common/init.magisk.rc: 1 file pushed. 0.3 MB/s (675 bytes in 0.003s)
common/magisk.apk: 1 file pushed. 21.6 MB/s (3311368 bytes in 0.147s)
common/util_functions.sh: 1 file pushed. 2.5 MB/s (6688 bytes in 0.003s)
6 files pushed. 17.9 MB/s (3835735 bytes in 0.205s)

Download busybox for arm. Extract it and push it to the device:

adb push busybox-armv6l/system/xbin/busybox /data/magisk/

Install MagiskManager:

adb install ../MagiskManager-v5.4.0.apk

Back on the ADB shell (adb shell):

OnePlus5:/ # cd /data/magisk/
OnePlus5:/data/magisk # ls
boot_patch.sh busybox init.magisk.rc magisk magisk.apk magiskboot util_functions.sh
OnePlus5:/data/magisk # ./magisk --createimg magisk.img 64
Creating filesystem with parameters:
    Size: 67108864
    Block size: 4096
    Blocks per group: 32768
    Inodes per group: 4096
    Inode size: 256
    Journal blocks: 1024
    Label:
    Blocks: 16384
    Block groups: 1
    Reserved block group size: 7
Created filesystem with 11/4096 inodes and 1294/16384 blocks
OnePlus5:/data/magisk # mv magisk.img ..
OnePlus5:/data/magisk # ./magisk --createimg xbin.img 64
Creating filesystem with parameters:
    Size: 67108864
    Block size: 4096
    Blocks per group: 32768
    Inodes per group: 4096
    Inode size: 256
    Journal blocks: 1024
    Label:
    Blocks: 16384
    Block groups: 1
    Reserved block group size: 7
Created filesystem with 11/4096 inodes and 1294/16384 blocks
OnePlus5:/data/magisk # ./magisk --mountimg xbin.img xbin
/dev/block/loop0
OnePlus5:/data/magisk # cp /system/xbin/* xbin/
OnePlus5:/data/magisk # cp magisk xbin
OnePlus5:/data/magisk # umount xbin
OnePlus5:/data/magisk # rmdir xbin
OnePlus5:/data/magisk # ./magisk --mountimg xbin.img /system/xbin
/dev/block/loop0
OnePlus5:/data/magisk # magisk --post-fs
OnePlus5:/data/magisk # magisk --post-fs-data
OnePlus5:/data/magisk # magisk  --service

That's it, your phone is now rooted and Magisk modules should work too. After a reboot you'll need to repeat the last steps:

$ adb shell
OnePlus5:/ # cd /data/magisk/
OnePlus5:/data/magisk # ./magisk --mountimg xbin.img /system/xbin
/dev/block/loop0
OnePlus5:/data/magisk # magisk --post-fs
OnePlus5:/data/magisk # magisk --post-fs-data
OnePlus5:/data/magisk # magisk  --service
Owner

aldur commented Nov 14, 2017

Credits for the initial exploit to the amazing Elliot Alderson (@fs0c131y): https://twitter.com/fs0c131y?s=09.

Roguyt commented Nov 14, 2017

Is it required to apply the last step after every reboot? Or just once for the installation?

Seems like you forgot to mention having to chmod +x magisk; other than that it seems to be working perfectly.

MagiskManager also seems to report "Not Rooted"

aldur commented Nov 14, 2017

@Roguyt: you need the last steps after any reboot.
@martmists: it was already executable in my case, are you using Windows by any chance?

Arch Linux here, might just be Linux preventing you from getting already executable files from a zip/download.

@aldur su doesn't seem to be working however, any clue?

Same here. Had to chmod, and it said magisk installed, no root. Now it says magisk not installed, no root. Any ideas?

Roguyt commented Nov 14, 2017

@aldur No way to auto execute those lines?
Either way, everything is working as expected 👌

@Roguyt I might be able to make a bash script for Linux users, will report back once done.

aldur commented Nov 14, 2017

@Roguyt: Yeah it's the next thing I'll work on, my plan is to do it without requiring a computer.

Roguyt commented Nov 14, 2017

@aldur Good luck, I'm still trying to install Xposed through Magisk but it doesn't seem to want to install.
Still a good way to root but not really reliable for everything.

aldur commented Nov 14, 2017

To those of you having troubles, double check that magisk_daemon is running:

OnePlus5:/ # ps | grep magisk
root      4911  0     1     35204  3752  __skb_recv 7fa055b49c S magisk_daemon
u0_a149   6308  902   831   1800832 51952 SyS_epoll_ 7fa8df04fc S com.topjohnwu.magisk

If it is running and MagiskManager is not detecting root, kill it (kill 6308 in my case) and start it again.

aldur commented Nov 14, 2017

@Roguyt: yeah I didn't try Xposed yet, but it probably requires something more. Check where the update_script is failing and start debugging from there.

@aldur Yep, working now. Thank you.

Roguyt commented Nov 14, 2017

@aldur Apparently it failed just from copying the zip to /system, /vendor, etc., so I guess rip.
Anyway I think yeah, it needs some changes, and this root is a POC of Qualcomm's and manufacturers' mistakes.

When I put this command:

adb push {arm64/,common/} /data/magisk/

got this:

1|OnePlus3T:/ # adb push {arm64/,common/} /data/magisk/
adb push {arm64/,common/} /data/magisk/
/system/bin/sh: adb: not found

What do I do?

aldur commented Nov 14, 2017

@Roguyt yeah, our whole thing here does not touch /system; if Xposed wants to modify anything there it won't work. We have dm-verity enabled, and that forbids the bootloader from booting the system if any partition is modified.
@jrekiri85 you need to run that command from your PC.

Roguyt commented Nov 14, 2017

@aldur Yep that's what I was thinking and kinda confirmed by knowledge. Still a great POC :p

@aldur I've been thinking... Since magisk has this magisk_merge.img that integrates with /system, would it be possible to make something that can flash to /system using that image file?

@aldur I'm running the command on the PC, not on the mobile.

xaviex commented Nov 14, 2017

@aldur Any word on if this is going to trip safety net?

Lopry02 commented Nov 14, 2017

Using this method, will the device always pass the SafetyNet check?

In order to push the required files to your device, you need to do this:
OnePlus5:/ # exit
Then you can use adb to push those files without the errors. After that and installing Magisk Manager, you can return to the adb shell.
As @martmists stated earlier, run this command:
chmod +x magisk
Otherwise, you get the "Permission denied" error when running the main Magisk program.
I hope that clears up a lot of things when doing this on your devices.

SpasilliumNexus commented Nov 15, 2017

I haven't tried rooting my OnePlus 3T this way (yet), but by the looks of it, couldn't you use a Terminal app to apply those last four commands after every reboot, or do you need to be root to apply them?

If root is not needed, and you can run them in Terminal, using Tasker to run the task at every boot would be much simpler for those who use it. You can even have the task show a notification when it completes.

YUDHPK commented Nov 15, 2017

Do we pass safety net or not?

Will I be able to get OTA updates after this?

@SpasilliumNexus you will need to run them from ADB, as you do not have root until those commands are entered, and root is needed to run those magisk commands.

On OnePlus 3 I did it following what you wrote.
Magisk says Magisk v14.0 is installed but not rooted.....

@tangsilian Make sure the magisk daemon is running

joedu12 commented Nov 15, 2017

I've rebooted and then the com.android.engineeringmode disappeared, how can this be possible? :o

@aldur few reboots later, experiencing same issue as others. Daemon undetected, even when restarted.

Update: magisk su works, su does NOT

The daemon also only seems to run while ADB is connected

aldur commented Nov 15, 2017

@martmists, are you sure about the daemon? I am currently running with all the developer options disabled, without issues.

aldur commented Nov 15, 2017

@YUDHPK: Yes you'll pass safetynet and you'll receive OTA.

@aldur Weird, could this have been caused by windows vs linux? I'll try windows in a few minutes to check.

Managed to get it working on Windows and Magisk 14.0 (On Linux I used 14.3), however root was lost after disconnecting from ADB

Can someone make a video with a step-by-step guide?

Lopry02 commented Nov 15, 2017

@xaviex I'm from Italy and I thought I could ask my question in Italian to aldur because he's from Italy. I asked if this root method can pass Safetynet or not

aldur commented Nov 15, 2017

@Lopry02 it will pass safetynet, by the way.

@ITsMu1zz I'll see if I can make one later

@aldur How did you get the daemon process to persist after disconnecting from ADB? To me it seems like the daemon was bound to the ADB session.

OnePlus3T:/ $ su
Starting daemon requires root: Connection refused
1|OnePlus3T:/ $ magisk su
Starting daemon requires root: Connection refused
1|OnePlus3T:/ $

@Roguyt I made an attempt, though this code is untested and I have limited Linux experience.
Check the files out here

xaviex commented Nov 15, 2017

@martmists Is this a test of a zero-reboot code required?

You sadly will have to run code at reboot. As of right now I'm trying to work on making modules that mount /system work using a dummy file and merge img

YUDHPK commented Nov 15, 2017

Magisk su working perfectly on my OnePlus 3T with open beta 17.
Successfully passed the SafetyNet test.
Next task I will try is to use AdAway systemless to block ads and then reboot.
Thanks @aldur

Hi! Can you make the same with the OnePlus 2 please?

@Wipperland what type of processor is it, and does it have the EngineeringMode app installed?

andQlimax commented Nov 15, 2017

@YUDHPK on your OnePlus 3T with Oreo beta it is working fine, right? Did you only follow the instructions or did you do something different?

YUDHPK commented Nov 15, 2017

I followed the instructions @andQlimax (read everything, even comments, before starting).

Guys I have a question. Currently I am using Android Oreo open beta 17 on my 3T with stock recovery and locked bootloader.
What will happen if I change /system by mistake?
Also my device is encrypted by default.

It will not allow you to change /system because dm-verity is still enabled; I tried it.

Is there a way to unlock the bootloader state with root, without triggering the factory reset?

xaviex commented Nov 15, 2017

@aldur How would one go about removing Magisk, is this functionality already built in?

@xaviex to remove magisk, simply reboot (or use umount /system/xbin) and delete /data/magisk.img and /data/magisk/

@andQlimax I'm looking for a way to edit boot.img without triggering dm-verity, but it seems near-impossible to pull off... unless of course you unlock your bootloader

@sirmordred I'll see about making a custom script to use for SuperSU

ThatGuyWhoUsesLinux commented Nov 15, 2017

Uh, Probably doing this wrong. I enter the first command: adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"
and get the error:
Starting: Intent { cmp=com.android.engineeringmode/.qualcomm.DiagEnabled }
Error type 3
Error: Activity class {com.android.engineeringmode/com.android.engineeringmode.qualcomm.DiagEnabled} does not exist.

@ThatGuyWhoUsesLinux are you sure you have the EngineeringMode app? It doesn't seem like it, and it's the core of this exploit.

Any way to unroot O.o

Lopry02 commented Nov 15, 2017

Thanks a lot @aldur

ThatGuyWhoUsesLinux commented Nov 16, 2017

@martmists Yes, I checked before attempting this exploit.

@aldur @martmists never mind, it's working well :) (confirmed on OnePlus3T)
TO ALL: I made an app that automates the whole process and installs SuperSU, here you go https://github.com/sirmordred/AngelaRoot

chuckfecht commented Nov 16, 2017

On OnePlus 3t with Android Oreo open beta, I'm getting the error "Please use BootBridge from @AdrianDC to flash Magisk" while running
sh boot_patch.sh busybox init.magisk.rc magisk magisk.apk magiskboot util_functions.sh. (I modified the command from above slightly because as it was it refused to work)

xaviex commented Nov 16, 2017

So what are the chances of finding a way to run Magisk, untethered, in such a way that doesn't trip SafetyNet?

YUDHPK commented Nov 16, 2017

@chuckfecht
Divide this command
adb push {arm64/,common/} /data/magisk/
into two separate commands like:

  1. adb push arm64/ /data/magisk/
  2. adb push common/ /data/magisk/
Also, while executing the commands you should be inside the extracted Magisk folder in the terminal.

osm0sis commented Nov 16, 2017

You could just use your adb root to dd dump the boot.img and then use Magisk Manager to patch it, and then dd flash the rooted boot.img back. Full root that persists through reboot.

YUDHPK commented Nov 16, 2017

@osm0sis
I have the ROM zip file from which I can extract the boot.img.
Then I can patch the boot.img file using Magisk Manager; will it work?
I flashed the boot.img using Magisk Manager.
Edit:
It didn't work.

After root, do we have to update with the full-size OTA or the one we receive in system updates?

martmists commented Nov 16, 2017

@rootxharsh to remove magisk, simply reboot (or use umount /system/xbin) and delete /data/magisk.img and /data/magisk/
@chuckfecht Don't run that, it's just the result of ls. We cannot patch the boot image yet sadly :P
@xaviex Currently magisk does not trip safetynet
@osm0sis Feel free to make a guide and test it! I've been thinking about adding that, but I'm worried about dm-verity screwing us over.
@prakashgd As long as the OTA doesn't remove persist.sys.adbroot it's perfectly fine to update using system updates

Guddu4 commented Nov 16, 2017

@sirmordred
https://github.com/sirmordred/AngelaRoot
Will this apk install magisk too??

@Guddu4 It can easily be modified to install Magisk, but no, as of now it does NOT.

@martmists feel free to contribute it brah, adding Magisk support shouldn't be hard as you said (it needs a third script and needs Magisk files in assets); any contributions are welcome.

Update: using Flashify to flash magisk's patched boot WILL cause a bootloop.

YUDHPK commented Nov 16, 2017

Can we flash a recovery like TWRP after obtaining root?

@YUDHPK You can try, but you will risk bootlooping. You can use either dd or any flashing app that uses root to flash. If you get it to work, let me know and I'll see if I can reproduce it

Guddu4 commented Nov 16, 2017

@martmists
After getting root, what's the procedure to install Magisk..
I am a noob at this...
Can someone make a guide for it...

YUDHPK commented Nov 16, 2017

@martmists I can't risk getting a bootloop.
Also I prepared a script package just like you, but it works with just 2 scripts (for the user):
1 required for installing
1 for reinitializing after reboot

Last but not least, one to uninstall.

Tested on my OnePlus 3 open beta 18.

Also friends, Substratum is also working with root (just like old times; I didn't make it happen).

YUDHPK commented Nov 16, 2017

@Guddu4 this will work for you (even I have average Linux knowledge)
installation proof

reinitialization proof

@martmists sorry for using the same repo name as yours, BackDoorRootScripts, and some files which give a warning, as I am not a good writer.

Guddu4 commented Nov 16, 2017

Thanks @YUDHPK

Is the Angela backdoor still working with today's OnePlus 3T open beta update?

andQlimax commented Nov 16, 2017

@YUDHPK thanks. Downloading the new open beta OTA. It detected root, so it is downloading the full OTA, even though I removed Magisk.
Probably because the adb shell root is still active.

FYI: probably the OP should be updated with the new Magisk 14.4 and new apk?

YUDHPK commented Nov 16, 2017

@andQlimax don't worry, nothing will happen.
You just need to install again.

Also, here we are testing some new concept, so it's better to use the stable v14.0 version instead of the beta.

For anyone having trouble with Magisk detecting your root, try launching the EngineerMode app again and clicking "Privilege Recover."
According to this guy, quote, "root from the Qualcomm App and root from Magisk can't cohabit".
This fixed Magisk not detecting root for me (I'm on OP2)

@YUDHPK Tried flashing twrp with the locked bootloader via the backdoor, soft bricked my phone. Have to reflash original boot.img to fix

Can confirm the above for flashing a patched boot.img, though a system reset had to be done as I got locked out of my device

@martmists I was locked out as well. All I had to do was boot the boot.img in fastboot (fastboot boot [location]/boot.img)

I'm trying to get Unified Hosts Adblock on Magisk working but no luck. I install the module and restart manually (restart in app does not work). After restarting I execute the final few commands. The final 3 commands I execute twice, as the first time Magisk will say it's not rooted. After that I try su && hosts but hosts cannot be found... Systemless hosts is also toggled off again after restart.

Why can't we disable the dm-verity thing, which we do when we change the recovery?

@TurtleSandals this is because magisk doesn't run on boot and is unable to mount /system before it becomes a busy partition.

@apurvakumar01 I believe DM-Verity is part of the boot partition which is hard to edit out. Magisk supposedly is able to patch this but I've had no luck so far.

Raboo commented Nov 18, 2017

Is there no way to make the root persistent across reboots?

Not until we can patch boot.img @Raboo

Hi everyone... sorry for being off topic because I'm using a different phone brand and model. I'm looking everywhere to root my device Lenovo PB1 750M
6.0.1 Marshmallow... already tried all kinds of root apps, about 12 I think... please give me any suggestion...
Can I use root plus one?... please show me or teach me...
Thank you all...

Raboo commented Nov 19, 2017

@martmists ok, thanks for the info.

OOS5 is apparently rolling out for those in Canada; can anybody report on whether the update removes the backdoor?

I used it on my OP3T before the update and you retain adb root after the update at least. I do not know if they have already patched out the command to get it. Reapplying magisk root worked without a hitch after upgrading.

Blubster commented Nov 20, 2017

It seems the backdoor is no longer there in OOS 5.0 on my OP3T. I tried this morning to launch the intent; it opens on my screen but I do not get any root adb with this.
On my screen there are four options :
Engineer Mode Toggle
Serial
Full port switch
Rndis,diag switch
None of these options enable a root ADB:

adb shell id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0

We can say they were pretty quick to remove this backdoor! ^^
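The thread points at four indicators an administrator can use to tell whether a handset has been rooted this way or still carries the EngineerMode app at all: the uid reported by `adb shell id` (as in Blubster's check above), the `persist.sys.adbroot` property martmists mentions, a `magisk_daemon` entry in `ps`, and the package itself in `pm list packages`. The script below is an added example for auditing captured output of those commands; it is not part of the gist or of Magisk, the property name is taken from the thread rather than verified against firmware, and the sample captures are constructed (the `ps` line mirrors the one pasted by aldur).

```shell
#!/bin/sh
# Added example (not from the gist): classify a device's exposure to the
# EngineerMode adb-root path from captured output of four adb shell commands.
# Inputs are plain strings so the checks run offline against saved captures.

# id_is_root OUTPUT_OF_id -> 0 when the adb shell runs as uid 0
id_is_root() {
    case "$1" in
        uid=0\(*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_engineermode OUTPUT_OF_pm_list_packages -> 0 when the app is installed
has_engineermode() {
    printf '%s\n' "$1" | grep -q '^package:com.android.engineeringmode$'
}

# adbroot_prop_set OUTPUT_OF_getprop -> 0 when persist.sys.adbroot is 1
# (property name as reported in the thread, not verified against firmware)
adbroot_prop_set() {
    [ "$1" = "1" ]
}

# magisk_daemon_running OUTPUT_OF_ps -> 0 when a magisk_daemon process is listed
magisk_daemon_running() {
    printf '%s\n' "$1" | awk '$NF == "magisk_daemon" { found = 1 } END { exit !found }'
}

# assess ID PKGS PROP PS -> root-indicators | engineermode-only | no-indicators
assess() {
    if id_is_root "$1" || adbroot_prop_set "$3" || magisk_daemon_running "$4"; then
        echo root-indicators
    elif has_engineermode "$2"; then
        echo engineermode-only
    else
        echo no-indicators
    fi
}

# Constructed sample captures (shapes follow the output pasted in the thread)
SAMPLE_ID_SHELL='uid=2000(shell) gid=2000(shell) groups=2000(shell),1011(adb) context=u:r:shell:s0'
SAMPLE_ID_ROOT='uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0'
SAMPLE_PKGS_WITH='package:com.android.engineeringmode
package:com.topjohnwu.magisk'
SAMPLE_PKGS_WITHOUT='package:com.android.settings'
SAMPLE_PS_MAGISK='root      4911  0     1     35204  3752  __skb_recv 7fa055b49c S magisk_daemon
u0_a149   6308  902   831   1800832 51952 SyS_epoll_ 7fa8df04fc S com.topjohnwu.magisk'
SAMPLE_PS_CLEAN='shell     1234  1     0     10000   2000  ep_poll    0000000000 S sh'

# Live use: assess "$(adb shell id)" "$(adb shell pm list packages)" \
#             "$(adb shell getprop persist.sys.adbroot)" "$(adb shell ps)"
assess "$SAMPLE_ID_ROOT"  "$SAMPLE_PKGS_WITH"    "1" "$SAMPLE_PS_MAGISK"   # root-indicators
assess "$SAMPLE_ID_SHELL" "$SAMPLE_PKGS_WITH"    ""  "$SAMPLE_PS_CLEAN"    # engineermode-only
assess "$SAMPLE_ID_SHELL" "$SAMPLE_PKGS_WITHOUT" ""  "$SAMPLE_PS_CLEAN"    # no-indicators
```

A device that reports `engineermode-only` is not necessarily rootable, as Blubster's OOS 5.0 result shows; the label only says the app is present and warrants a closer look.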
