
Rooting with an Unlocked Boot Loader

In the document ffirs.indd 01:50:14:PM 02/28/2014 Page ii (Page 97-100)

The process of rooting culminates in having an su binary with the proper set-uid permissions on the system partition. This allows elevating privileges whenever needed. The su binary is usually accompanied by an Android application, such as SuperUser or SuperSU, that provides a graphical prompt each time an application requests root access. If the request is granted, the application invokes the su binary to execute the requested command. These su wrapper Android applications also manage which applications or users should be granted root access automatically, without prompting the user.

NOTE The latest version of Chainfire SuperSU can be downloaded as a recovery update package from http://download.chainfire.eu/supersu or as a standalone application from Google Play at https://play.google.com/store/apps/details?id=eu.chainfire.supersu.

The ClockworkMod SuperUser package can be obtained from Google Play at https://play.google.com/store/apps/details?id=com.koushikdutta.superuser. The source code is available at https://github.com/koush/Superuser.

On devices with an unlocked or unlockable boot loader, gaining root access is very easy, as you do not have to rely on exploiting an unpatched security hole.

The first step is to unlock the boot loader. If you haven't done it already, depending on the device you should either use fastboot oem unlock as described in the "Locked and Unlocked Boot Loaders" section, or use a vendor-specific boot loader unlock tool to legitimately unlock the device.

At the time of this writing, Motorola, HTC, and Sony-Ericsson support boot loader unlocking on some devices through their unlock portal websites.

NOTE The boot loader unlock portal for Motorola is available at https://motorola-global-portal.custhelp.com/app/standalone/bootloader/unlock-your-device-a.

The boot loader unlock portal for HTC is available at http://www.htcdev.com/bootloader.

The boot loader unlock portal for Sony Ericsson is available at http://unlockbootloader.sonymobile.com/.

When the boot loader is unlocked, the user is free to make custom modifications to the device. At this point, there are several ways to place an su binary built for the device's architecture in the system partition with the correct permissions.

You can modify a factory image to add an su binary. In this example, we convert the sparse system image to a raw ext4 image with simg2img, mount it, add an su binary, and repack it with make_ext4fs. The size given to make_ext4fs with -l should be the size of the device's system partition. If we flash this image, it will contain the su binary and the device will be rooted.

# mount, chown and make_ext4fs need root on the host
mkdir systemdir
simg2img system.img system.raw
mount -t ext4 -o loop system.raw systemdir
cp su systemdir/xbin/su
chown 0:0 systemdir/xbin/su
chmod 6755 systemdir/xbin/su
make_ext4fs -s -l 512M -a system custom-system.img systemdir
umount systemdir
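The cp, chown and chmod lines set the su permissions, but nothing confirms them before the image is repacked; a wrong owner or a missing set-uid bit is only discovered after flashing. The shell function below is an added example, not code from the book, that checks the staged su binary (regular file, mode 4755 or 6755, owned by the expected uid, not group- or world-writable) and shows where the check slots in before make_ext4fs. The names verify_su_install and stage_and_repack are this example's own, and the optional uid argument exists only so the check can be exercised on a scratch directory without root; in real use it is 0.

```shell
# Added example (not from the book). Verify the su binary staged in an unpacked
# system directory before repacking it with make_ext4fs.
# Usage: verify_su_install SYSTEMDIR [EXPECTED_UID]
# EXPECTED_UID defaults to 0 (root). It is a parameter only so the check can be
# run on a scratch directory without root privileges (hypothetical helper).
verify_su_install() {
    sysdir=$1
    want_uid=${2:-0}
    su="$sysdir/xbin/su"

    if [ ! -f "$su" ]; then
        echo "FAIL: $su is missing or not a regular file" >&2
        return 1
    fi

    # The first ten characters of 'ls -l' output are the file type and the
    # permission string, e.g. -rwsr-sr-x for mode 6755. Parsing them is
    # portable across GNU, BSD and toybox ls, unlike the flags of stat(1).
    mode=$(ls -ld "$su" | cut -c1-10)
    case $mode in
        -rwsr-xr-x|-rwsr-sr-x)
            # 4755 or 6755: setuid, executable, not group- or world-writable.
            ;;
        -rwS*)
            echo "FAIL: $su has the setuid bit but is not executable ($mode)" >&2
            return 1
            ;;
        *)
            echo "FAIL: $su has mode $mode, expected -rwsr-xr-x or -rwsr-sr-x" >&2
            return 1
            ;;
    esac

    # 'ls -ln' prints numeric ids; the third field is the owner uid.
    uid=$(ls -ln "$su" | awk '{print $3}')
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $su is owned by uid $uid, expected $want_uid" >&2
        return 1
    fi

    echo "OK: $su is setuid uid $want_uid with mode $mode"
}

# Where the check belongs in the book's procedure: stage the binary exactly as
# the page does, then refuse to repack unless the check passes. Needs root for
# chown and make_ext4fs, and a system image already mounted on SYSDIR.
stage_and_repack() {
    sysdir=$1   # e.g. systemdir, with system.raw mounted on it
    su_src=$2   # su binary built for the device's architecture
    out=$3      # e.g. custom-system.img
    size=$4     # size of the device's system partition, e.g. 512M

    cp "$su_src" "$sysdir/xbin/su"
    chown 0:0 "$sysdir/xbin/su"
    chmod 6755 "$sysdir/xbin/su"
    verify_su_install "$sysdir" 0 || return 1
    make_ext4fs -s -l "$size" -a system "$out" "$sysdir"
}
```

The permission string is compared exactly rather than testing for the set-uid bit alone: a set-uid root su that is also group- or world-writable would let any application replace it with arbitrary code, so 4777 is rejected even though it is "rooted".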

If the device is an AOSP-supported device, you can compile a userdebug or eng Android build from source. Visit http://source.android.com/source/building.html for more information on building Android from source. These build configurations provide root access by default (the build includes an su binary and adb can run as root):

curl http://commondatastorage.googleapis.com/git-repo-downloads/repo \
    -o ~/bin/repo
chmod a+x ~/bin/repo
repo init -u https://android.googlesource.com/platform/manifest
repo sync
source build/envsetup.sh
# full_maguro is the Galaxy Nexus (GSM) target; choose your device's target
lunch full_maguro-userdebug

Whether you built your custom system image by modifying a factory image or by compiling your own, you must flash the system partition for it to take effect. For example, the following command shows how to flash this image using the fastboot protocol:

fastboot flash system custom-system.img

The most straightforward method is to boot a custom recovery image. This allows copying the su binary into the system partition and setting the appropriate permissions through a custom update package.

NOTE When using this method, you are booting the custom recovery image without flashing it, so you use it only to flash an su binary on the system partition without modifying the recovery partition at all.

To do this, download a custom recovery image and su update package. The custom recovery image can be one of your choosing, as long as it supports your device. Similarly, the su update package can be SuperSU, SuperUser, or another of your choice.

1. You should place both downloads into the device’s storage, typically on the SD card mounted as /sdcard.

2. Next, put the device into fastboot mode.

3. Now, open a command prompt, and type fastboot boot recovery.img, where recovery.img is the raw recovery image you downloaded.

4. From the recovery menu, select the option to apply an update zip file and browse to the folder on your device storage where you have placed the update package with the su binary.

Additionally, devices using Android 4.1 or later contain a new feature called sideload. This feature allows applying an update zip over ADB without copying it to the device beforehand. The recovery must first be waiting in sideload mode (custom recoveries offer this as an "apply update from ADB" menu entry). To sideload an update, run the command adb sideload su-package.zip, where su-package.zip is the filename of the update

After unlocking the boot loader on some devices, you can boot unsigned code but you can't flash unsigned code. In this case, flashing a custom system or recovery image is only possible after gaining root on the booted system. In this scenario, you would use dd to write a custom recovery image directly to the block device for the recovery partition.
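Writing with dd is where a typo in the device path or an image larger than the partition costs you the device, and dd reports neither. The function below is an added example, not code from the book, that wraps the write with the checks a practitioner wants: the target's name must be the partition you meant, the image must fit the partition, and the written bytes are read back and compared. The names write_partition_image and byte_size are this example's own. It assumes the by-name symlink layout under /dev/block/platform/*/by-name/ that most Android devices provide (the exact path is device specific) and is meant to run in a root shell on the device; a regular file can stand in for the block device, which is how it is exercised off-device.

```shell
# Added example (not from the book): write an image to a partition's block
# device with the checks dd does not do. Hypothetical helper names.
# Usage: write_partition_image IMAGE DEVICE EXPECTED_NAME
#   IMAGE          raw image, e.g. recovery.img
#   DEVICE         e.g. /dev/block/platform/*/by-name/recovery (device specific;
#                  run 'ls -l /dev/block/platform/*/by-name/' on the device)
#   EXPECTED_NAME  partition name the caller intends, e.g. recovery; the write
#                  is refused if the basename of DEVICE differs

byte_size() {
    # Block devices report st_size 0, so ask the kernel for their size.
    if [ -b "$1" ]; then
        if command -v blockdev >/dev/null 2>&1; then
            blockdev --getsize64 "$1"
        else
            # Linux fallback for Android shells without blockdev: sysfs reports
            # the size in 512-byte sectors (assumed path, Linux only).
            dev=$(basename "$(readlink -f "$1")")
            echo $(( $(cat "/sys/class/block/$dev/size") * 512 ))
        fi
    else
        wc -c < "$1" | tr -d ' '
    fi
}

write_partition_image() {
    img=$1
    dev=$2
    name=$3

    [ -f "$img" ] || { echo "FAIL: image $img not found" >&2; return 1; }
    [ -e "$dev" ] || { echo "FAIL: target $dev not found" >&2; return 1; }

    # Guard against writing the right image to the wrong partition
    # (by-name/boot and by-name/recovery differ by one word).
    if [ "$(basename "$dev")" != "$name" ]; then
        echo "FAIL: $dev is not the $name partition" >&2
        return 1
    fi

    img_size=$(byte_size "$img")
    dev_size=$(byte_size "$dev")
    if [ "$img_size" -eq 0 ] || [ "$img_size" -gt "$dev_size" ]; then
        echo "FAIL: image is $img_size bytes, partition is $dev_size bytes" >&2
        return 1
    fi

    # conv=notrunc is a no-op on a block device but keeps a stand-in file at
    # its original size; sync flushes dirty pages before the read-back.
    dd if="$img" of="$dev" bs=4096 conv=notrunc || return 1
    sync

    # Read back exactly the bytes written and compare them to the image. This
    # goes through the page cache; to force a read from flash, drop caches
    # first (echo 3 > /proc/sys/vm/drop_caches) before calling this function.
    if head -c "$img_size" "$dev" | cmp -s - "$img"; then
        echo "OK: $img_size bytes written to $dev and verified"
    else
        echo "FAIL: read-back of $dev does not match $img" >&2
        return 1
    fi
}
```

On the device the call is write_partition_image /sdcard/recovery.img /dev/block/platform/.../by-name/recovery recovery from a root shell; the bytes past the image's end are left as they were, which is what dd would do as well.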
