Rooting is an essential part of Android for a number of people in the Android community. While Snapdragon and Exynos devices usually see a lot of third-party development, MediaTek and Kirin don’t get as much love. MediaTek is generally used in devices that don’t sell a lot. But MediaTek chipsets also have a software flaw that has allowed XDA member diplomatic to find a way to root MediaTek ARM V8 devices.
diplomatic’s rooting tool, known as MTK-SU, makes use of the software flaw on MediaTek chipsets. It was originally designed to root the Amazon Fire HD tablets and Fire TV 2nd gen. Amazon’s Fire devices are perhaps the most popular devices to ship with MediaTek chipsets, after all. But as it turns out, the rooting method actually works for all 64-bit MediaTek ARM V8 chipsets.
It means you can root MediaTek devices with MTK-SU, regardless of whether the device is a phone, tablet, TV, or anything else. To root MediaTek devices with MTK-SU, you don’t even need to unlock the bootloader. In fact, you can root even devices that are locked, albeit temporarily.
As you probably already know, rooting voids your warranty. To root your device you will be relying on third-party tools and software. Neither these third parties nor we will take any blame if you end up harming your device. You must understand the risks involved and take full responsibility for your actions. You can proceed with confidence that the method does work. Still, things can go wrong, in which case you must understand that you were warned and went ahead anyway. Therefore, DroidViews cannot be held liable for any damage to your device.
The rooting process itself neither requires you to format your device nor should it format the device automatically. Still, make sure you have backed up everything important, including files and folders on your device’s internal storage. Creating a backup is never a bad idea.
Requirements to root MediaTek devices with mtk-su
- A phone, tablet or TV box based on MediaTek MT67xx, MT816x or MT817x chipsets
- A PC with ADB and Fastboot drivers installed. We have dedicated guides for installing them on all three major desktop operating systems: Windows (install Minimal ADB and Fastboot), Mac and Linux. Alternatively, you can just download the latest SDK Platform-tools and execute ADB and Fastboot commands.
- Enable USB debugging and OEM unlock on your device, found in Developer options.
- Make sure the device is charged to at least 50%.
How to root MediaTek devices
- Download the mtk-su zip file linked above. If you’re visiting this page after a long time since it was published, you might want to check the source link at the bottom to get the latest zip file.
- Extract the zip and you’ll have two folders named arm and arm64, each containing an mtk-su binary.
  - arm64: 64-bit kernel and userspace
  - arm: 32-bit userspace on a 64-bit or 32-bit kernel (will also work in 64-bit userspace)
- Now connect your device to your PC with a USB cable and use the command below to push mtk-su to your device’s /data/local/tmp/ folder.
adb push /path/to/mtk-su /data/local/tmp/
Replace /path/to/ with the path to the mtk-su binary in the arm64 or arm folder.
- Next, launch the adb shell.
- Switch to your tmp directory where you just placed mtk-su.
- Give the binary execute permission.
chmod 755 mtk-su
- Finally, run the command below and make sure your device’s screen stays on and it does not go to sleep.
This gives you a root shell that you can use however you want. If the program gets stuck for more than a minute or your device’s screen turns off, close it. You can then run the following command.
This turns on verbose printing, which helps the developer debug any problems you report. The output of the above command looks similar to this:
P00A_2:/data/local/tmp $ ./mtk-su -v
param1: 0x3000, param2: 0x18040, type: 2
Building symbol table
kallsyms_addresses pa 0x40bdd500
kallsyms_num_syms 70337, addr_count 70337
kallsyms_names pa 0x40c66d00, size 862960
kallsyms_markers pa 0x40d39800
kallsyms_token_table pa 0x40d3a100
kallsyms_token_index pa 0x40d3a500
Patching credentials
init_task VA: 0xffffffc000fa2a20
Potential list_head tasks at offset 0x340
0xffffffc003148340 0xffffffc01d0bb240 0x0000000000008c
comm swapper/0 at offset 0x5c0
Found own task_struct at node 0
real_cred VA: 0xffffffc0508b29c0
Parsing sel_read_enforce
ffffffc0002fadb4+04: ADRP x0, 0xffffffc001113000
ffffffc0002fadb4+1c: LDR [x0, 404]
selinux_enforce VA: 0xffffffc001113194
Setting selinux_enforce
Switching selinux to permissive
New UID/GID: 0/0
starting /system/bin/sh
P00A_2:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
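Read from a defender's side, the output above leaves three checkable traces: a process with uid 0 that is still in the shell SELinux domain, SELinux switched to permissive, and a binary named mtk-su in /data/local/tmp. The Python sketch below is an added example, not part of the original article or of mtk-su. Its function names, finding strings and the stock id line are constructed for illustration, and its inputs are assumed to be text captured from id, getenforce and a listing of /data/local/tmp.

```python
import re

# Constructed inputs. ROOTED_ID is the `id` line from the output above with
# the group list shortened; STOCK_ID is a constructed normal adb shell
# identity (uid 2000) for contrast.
ROOTED_ID = ("uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),"
             "1011(adb) context=u:r:shell:s0")
STOCK_ID = ("uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),"
            "1007(log),1011(adb) context=u:r:shell:s0")

ID_RE = re.compile(r"uid=(\d+)\(([^)]*)\).*?context=(\S+)")


def parse_id(line):
    """Return (uid, user, selinux_context) from one line of `id` output."""
    m = ID_RE.search(line)
    if not m:
        raise ValueError("not an id line with an SELinux context: %r" % line)
    return int(m.group(1)), m.group(2), m.group(3)


def assess(id_line, enforce_mode, tmp_files):
    """List the indicators from the mtk-su output that these inputs show."""
    findings = []
    uid, _user, context = parse_id(id_line)
    domain = context.split(":")[2] if context.count(":") >= 3 else context
    # Credentials are patched in place, so the process becomes uid 0 while
    # staying in the unprivileged adb "shell" SELinux domain.
    if uid == 0 and domain == "shell":
        findings.append("root uid in shell domain")
    # "Switching selinux to permissive" is device-wide, not per process.
    if enforce_mode.strip().lower() != "enforcing":
        findings.append("selinux not enforcing")
    # The guide stages the binary in /data/local/tmp under this name.
    if any(name.strip() == "mtk-su" for name in tmp_files):
        findings.append("mtk-su staged in /data/local/tmp")
    return findings
```

Because the root obtained this way is temporary, the permissive SELinux state and the uid/domain mismatch only show up while the session is live; the staged binary is the trace that can remain afterwards.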
I hope this tutorial on rooting MediaTek devices running ARM V8 chipsets with mtk-su helps you gain root privileges on your MediaTek device. With that, I wrap up this article.