How To Use Magisk To Root Android


Janae Chebret

Aug 4, 2024, 4:15:40 PM8/4/24
to ntermanttrodal
Magisk's support for Android Lollipop has been pretty broken for a while without it being noticed. Also, none of the active developers of Magisk have actual hardware to run Android Lollipop. We rely on using the official Android emulator for regression testing on older platforms; however, Google never shipped a Lollipop emulator image with SELinux support, leaving us with no option but to drop Lollipop support, since we don't feel comfortable supporting Android Lollipop without adequate testing.

Magic Mount, the feature that lets modules modify partitions, has gone through a major rewrite. The existing implementation doesn't work well with OEMs injecting overlays into their system using overlayfs. The new implementation fundamentally changes how filesystem mirrors are created, giving us a more accurate clone of the unmodified filesystem.


Magisk allows modules to provide custom SELinux patches by including the file sepolicy.rule. Due to the complicated nature of SELinux patching, the compatibility of this functionality has been pretty spotty; many devices are not supported. In this release, a brand new pre-init partition detection mechanism has been designed to support even more devices. Due to complicated reasons, this detection mechanism cannot be performed in a custom recovery environment.


The new Zygisk API v4 is now live! It comes with new features and a refined PLT function hook API. The implementation of Zygisk has also gone through some major refactoring, including new code loading/unloading mechanisms and a new PLT function hook implementation.


A significant portion of magiskinit (the critical software that runs before your device boots up) is completely rewritten from scratch. Ever since Android introduced Project Treble in Android 8.0, Magisk has been constantly fighting against the increasingly complex partitioning and early mount setups of all kinds of devices, sometimes with weird OEM specific implementations. It got to a point that magiskinit had become so complicated that few people (including myself!) were aware of every detail, and maintaining this piece of software like this was clearly not sustainable. After many months of planning (yes, this whole re-architecture has been in my head for a long time) and some help from external contributors, a whole new sepolicy injection mechanism is introduced into Magisk, solving the "SELinux Problem" once and for all.


Since this is a full paradigm shift in how Magisk hot-patches the device at boot, several behaviors that many developers implicitly relied on might not exist. For example, Magisk no longer patches fstabs in most scenarios, which means AVB will remain intact; some custom kernels rely on AVB being stripped out for them by Magisk.


Many might not realize, but using a trusted, unmodified Magisk app is really important. Magisk's root daemon treats the Magisk app differently and gives it blanket root access without any restrictions. A modded Magisk app can potentially backdoor your device.


And in case some of you are about to put on your tin foil hats, this is not designed for "vendor lock-in"; the goal is to make sure your root management app comes from the same developer as the underlying root implementation. Magisk's build system allows custom distributors to use their own signing keys, and in addition, I am also providing official debug builds which skip any signature verification for development.


I'm working on a React Native project that requires SSL Pinning and Root Detection to be implemented. I've tried using the SSL pinner factory in the okhttp method and the Android network security config method for the SSL Pinning; as for the root detection, I've tried jail-monkey on the JS side and rootbeer on the native side, but despite all of that the SSL can still be bypassed using this Frida script, and it shows that TrustManager (Android By using this, Frida scripts and also tracing can be detected (only in non-stalker mode, if I'm not wrong), so an SSL Pinning bypass shouldn't be performed on the device. The main drawback you can find in this example is that there's a lot that is readable and also patchable. So you must do some work to "avoid" easy patching (integrity checks on the NDK side, obfuscation, or some sort).


Aside from Frida, Magisk Hide and the Zygisk deny list can be detected through this method as well: Magisk Hide detector. By using Isolated Processes you could test for Magisk and Zygisk. Although, I think Zygisk can be bypassed if you don't use ZygotePreload while spawning the Isolated Process.


I am using Fiddler, and I have to insert a CA Cert to decrypt the SSL certificate coming out of my device. My device running Android 13 is rooted, and when I installed my cert, it went into the user's section (as expected).


There are ways to get around this though - I've written a detailed write-up of how Android HTTPS works generally and how to modify this using root here, and the details of some notable very recent related changes in Android 14 here.


If that doesn't work, check if you have a /apex/com.android.conscrypt/cacerts directory. If so, you have the Android 14 version of Conscrypt installed, and there are some extra steps. See the 2nd article above for full details, but in short: you need to use nsenter to add a bind mount for that /system/etc/security/cacerts path into the APEX path for every single running app process on the machine, including the Zygote/Zygote64 processes (which launch new processes in future, and which will inherit this setting). That looks like this:


Alternatively, if that's too fiddly to do manually, you can use HTTP Toolkit, which is a modern version of Fiddler I've built, that does HTTPS interception too but automates all the setup down to one click. That's all open-source, so if you want to see the full details of how this works so you can automate it yourself, just follow the code from here.


The Pixel 3a came out of nowhere and flexed its muscles to show the industry that you can have a great phone without a hefty price tag. Since Pixel smartphones are first-party devices straight from Google, you can be sure you'll have root access one way or another. For right now the method used to get your Pixel 3a rooted will take a few steps, but they go by real quick.


Rooting your phone with Magisk opens up the world of mods like never before with a variety of benefits. One of the best things to come from Magisk is the ability to keep Google's SafetyNet flag from being tripped, which could stop you from using certain apps. With the platform continually evolving and getting better all the time, now's the perfect time to get started.


Of course, before you can get started with modding your Pixel 3a or rooting with Magisk, you'll need to unlock your bootloader. If you haven't done so yet, visit the guide below and get your bootloader taken care of before moving on with this guide.


There are two methods for rooting your Pixel 3a, and you can pick whichever one works better for you. The easiest and most beneficial of the two is done through the custom recovery environment via TWRP, which is the one most people will use for ease of access. The manual method is for when a device doesn't have TWRP support or for someone who prefers the old-fashioned install process.


Using TWRP is the method that works best since it was created to make our lives easier in the first place by reducing the overall steps required for gaining root access. If you'd rather not waste any extra time with unnecessary manual steps, using a custom recovery to gain full root access is the way for you without a doubt. It doesn't get any easier than this!


Once your bootloader is unlocked, you need to grab the image file required to boot your Pixel 3a into TWRP. As mentioned previously, installing Magisk on your system via TWRP provides the quickest route for gaining full root access. Having a custom recovery also means you can then install any ZIP file you want without having to rely on a computer when it is installed permanently.


The next thing you need to do is install the Magisk framework and the Magisk Manager app onto your system via a single ZIP file. This file will be installed within TWRP, and will patch your system to grant you full root access while passing Google's SafetyNet checks. Download the file below and place it in the "Download" folder on your phone's storage.
