[WIP][2016.01.21] Android 6.0 Marshmallow [CLOSED]

Status
Not open for further replies.

Chainfire

Moderator Emeritus / Senior Recognized Developer
Oct 2, 2007
11,452
87,856
www.chainfire.eu
All discussion should go to the SuperSU BETA thread

Attached find modified boot.img for the Nexus firmwares released so far. Together with SuperSU v2.50+ these allow root with SELinux in Enforcing mode.

These are the stock boot images from Google, with the ramdisk modified as follows:
- patched sepolicy
- disabled dmverity (if applicable)
- disabled forceencrypt (if applicable)

Rooting procedure:
- flash/upgrade to Marshmallow
- flash modified boot.img
- flash/boot TWRP and sideload latest v2.50+

Acquiring root without modifying the boot images is still under investigation. Please note that the current method will not be officially supported. Future roots may require a clean system: we are at a very early stage of root for 6.0, methods used are subject to change.

For the modders, you can do the sepolicy modifications yourself as follows:
- root a reference device (4.4+ with SELinux enabled) with v2.50+
- extract the sepolicy file from the target boot image's ramdisk
- with the reference device connected to ADB:

Code:
adb push sepolicy /data/local/tmp/sepolicy
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out"
adb shell su -c "chmod 0644 /data/local/tmp/sepolicy_out"
adb pull /data/local/tmp/sepolicy_out sepolicy_out

- replace the sepolicy file in the boot image's ramdisk with the sepolicy_out file
- profit

(this trick should also work on the Samsung 5.1.1 kernels that people are having issues with lately)

Fugu requires v2.51+
 

Attachments

  • hammerhead-mra58k-boot.zip (7.8 MB)
  • shamu-mra58k-boot.zip (7.8 MB)
  • razor-mra58k-boot.zip (7.2 MB)
  • razorg-mra58k-boot.zip (7.2 MB)
  • volantis-mra58k-boot.zip (7.7 MB)
  • volantisg-mra58k-boot.zip (7.7 MB)
  • fugu-mra58k-boot.zip (6 MB)
  • bullhead-mdb08i-boot.zip (10 MB)
  • angler-mdb08k-boot.zip (9.5 MB)
  • razor-mra58u-boot.zip (7.2 MB)

Chainfire

EXPERIMENT: Root without modifying /system

EXPERIMENTAL, ARE YOU SURE YOU WANT THIS ?

All discussion should go to the SuperSU BETA thread

Idea
To have root on modern Android versions, we need our files to be executable and our daemon to be started on boot. We normally do this by making modifications to /system, tapping into binaries and scripts executed by init. If we're also modifying the boot image, then we should be able to do all this without modifying system at all. A benefit of this is that it makes OTAs easier - reflashing the boot image is less hassle than reflashing system.

As the binaries should still be updatable, and we don't know the space we have available in the boot image itself, we're mounting a (writable) ext4 image with /su as mount point from /data, and modifying PATH accordingly. Interestingly, for reasons yet unknown to me, if the image is mounted r/o by init, later remounting it r/w causes a bunch of issues. So we're keeping it r/w (for root) for now.

An overlayfs/unionfs solution would be even more ideal, transparently placing files in /system without modifying the actual partition, but I have not been able to find one that is (a) compatible with all Android architectures and (b) not kernel dependent and (c) not GPL - or even just one of those requirements, really. It's technically all possible, it just needs to be done.

Caveats
- Apps with hardcoded paths to su (seriously?) will bork
- Factory reset unroots
- Factory reset wipes pin
- ...
- Bugs... Bugs everywhere!

Instructions
You must absolutely re-flash your stock /system partition, or the separate root instances will interfere with each other. The installer for this experiment will not clean up old root files.
- Flash stock /system (and /vendor and /oem, if present)
- Flash the attached boot image
- Flash the attached SuperSU ZIP in TWRP

Ramdisk modifications
- include (post above this one)
- init.rc (devs: please open file for reference)
--- on init
------ mkdir /su ...
--- on post-fs-data
------ copy image from cache to data (for rooting without access to /data in custom recovery)
------ mount image to /su
--- service daemonsu
- init.environ.rc
--- export PATH, prepended with /su/bin
- file_contexts
--- /su(/.*)? u:object_r:system_file:s0

NOTE
- Not all SuperSU options are supported yet in this mode
- I have not tested with encrypted devices
- /system should never be remounted r/w, I hope I didn't miss anything here
- Root with modifying /system is also still operational. I can't predict what the exploiters will need.
- I'm not sure where we're going with this. Future roots may require a clean system.

BETA-SuperSU-v2.56-20151030013730.zip
 

Attachments

  • hammerhead-mra58k-boot-systemless.zip (7.8 MB)
  • angler-mdb08k-boot-systemless.zip (9.5 MB)
  • bullhead-mdb08i-boot-systemless.zip (10 MB)
  • fugu-mra58k-boot-systemless.zip (6 MB)
  • razor-mra58k-boot-systemless.zip (7.2 MB)
  • razorg-mra58k-boot-systemless.zip (7.2 MB)
  • razor-mra58u-boot-systemless.zip (7.2 MB)
  • shamu-mra58k-boot-systemless.zip (7.8 MB)
  • volantis-mra58k-boot-systemless.zip (7.7 MB)
  • volantisg-mra58k-boot-systemless.zip (7.7 MB)
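
An audit of an unpacked ramdisk against the "Ramdisk modifications" list in the post above, useful when reviewing a boot image before flashing it. This is an added example, not Chainfire's code: the function name, the regular expressions and both sample ramdisks (including the mkdir mode, the image path and the daemon path) are constructed here as assumptions.

```python
import re

# One (file, pattern, finding) check per entry in the post's ramdisk list.
CHECKS = [
    ("init.rc", r"^[ \t]*mkdir[ \t]+/su(\s|$)",
     "init.rc: creates /su"),
    ("init.rc", r"^[ \t]*mount[ \t]+\S+[ \t]+\S+[ \t]+/su(\s|$)",
     "init.rc: mounts an image on /su"),
    ("init.rc", r"^[ \t]*service[ \t]+daemonsu\b",
     "init.rc: declares service daemonsu"),
    ("file_contexts", r"^/su\(/\.\*\)\?[ \t]+u:object_r:system_file:s0[ \t]*$",
     "file_contexts: labels /su as system_file"),
]
PATH_EXPORT = re.compile(r"^[ \t]*export[ \t]+PATH[ \t]+(\S+)", re.MULTILINE)


def audit_ramdisk(files):
    """files maps a ramdisk file name to its text; returns matched findings."""
    findings = [label for name, pattern, label in CHECKS
                if re.search(pattern, files.get(name, ""), re.MULTILINE)]
    # "Prepended" means /su/bin must be the first PATH entry, not just present.
    match = PATH_EXPORT.search(files.get("init.environ.rc", ""))
    if match and match.group(1).split(":")[0] == "/su/bin":
        findings.append("init.environ.rc: PATH is prepended with /su/bin")
    return findings


# Constructed sample of an unmodified ramdisk (abbreviated).
STOCK = {
    "init.rc": ("on init\n"
                "    mkdir /system\n"
                "\n"
                "on post-fs-data\n"
                "    mkdir /data/misc 01771 system misc\n"),
    "init.environ.rc": ("on init\n"
                        "    export PATH /sbin:/vendor/bin:/system/sbin:"
                        "/system/bin:/system/xbin\n"),
    "file_contexts": "/system(/.*)?\tu:object_r:system_file:s0\n",
}

# Constructed sample carrying the changes the post lists; paths are placeholders.
MODIFIED = {
    "init.rc": (STOCK["init.rc"].replace(
                    "on init\n", "on init\n    mkdir /su 0755 root root\n")
                + "    mount ext4 loop@/data/placeholder.img /su noatime\n"
                + "\n"
                + "service daemonsu /placeholder/launcher\n"
                + "    class late_start\n"),
    "init.environ.rc": STOCK["init.environ.rc"].replace(
        "PATH /sbin", "PATH /su/bin:/sbin"),
    "file_contexts": STOCK["file_contexts"]
                     + "/su(/.*)?\tu:object_r:system_file:s0\n",
}

if __name__ == "__main__":
    print("stock:", audit_ramdisk(STOCK))
    for finding in audit_ramdisk(MODIFIED):
        print("modified:", finding)
```
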

Chainfire

Changes

(The changelogs for the specific SuperSU versions can be found here: http://xdaforums.com/showpost.php?p=23427824&postcount=3)

2016.01.21
- v2.67 ZIP

2016.01.03
- v2.66 ZIP

2015.12.26
- v2.65 ZIP

2015.12.20
- v2.64 ZIP

2015.12.11
- v2.62-3 ZIP:
--- (systemless) ZIP: Fix calling wrong script name for custom patcher script
--- (systemless) ZIP: Improve APK overwrite
--- (systemless) ZIP: Do not move backups from /cache to /data, just copy them
(there are no changes to SuperSU itself compared to v2.62, just minor script changes in the ZIP)

2015.12.10
- v2.62 ZIP

2015.12.07
- v2.61 ZIP

2015.12.05
- v2.60 ZIP with automated boot image patcher

2015.10.30 #2
- Added systemless root experiment for other Nexus than hammerhead

2015.10.30
- Added systemless root experiment for hammerhead

2015.10.28
- Added Angler kernel
- Added Razor mra58u kernel

2015.10.20
- Added Bullhead kernel

2015.10.08
- New image for Fugu, requires v2.51

2015.10.07
- New images, should fix the factory reset issues some users with encrypted data were seeing
 
Chainfire

EXPERIMENT: Root without modifying /system #2: Automation

EXPERIMENTAL, ARE YOU SURE YOU WANT THIS ?

All discussion should go to the SuperSU BETA thread

Continuing on the previous post, here is SuperSU v2.62 BETA, with automated boot image patching. It's been tested by myself on various Samsungs running anything from 4.3 to 5.1, and all of the recent Nexus devices on 6.0. Even on CM13. Other users have tested it with success on various other devices.

If you are coming from any SuperSU install in /system, you must re-flash the stock system (and vendor and oem, if present) partition contents prior to installing this.

If you are coming from a SuperSU 2.56 system-less install, you must re-flash the stock boot image prior to installing this.

If you are coming from a SuperSU 2.60 system-less install, or were not rooted at all, then you can just flash the ZIP without any special prior instructions.

If TWRP offers you to keep /system read-only, indeed keep it read-only.

If TWRP tells you SuperSU is not installed, and asks you to install it, do not do it, you will break things!

If on Android 6.0 or Samsung 5.1, the ZIP installer will install SuperSU in systemless mode and patch the boot image. The boot image patcher currently only supports gzip compressed ramdisks and the standard Android boot image format. Some devices do not use the standard format, and many custom kernels use a compression other than gzip. A backup is made (/data/stock_boot_<sha>.img.gz) of the original boot image before patching it.

Further implementation details (including an updated list of changes to the ramdisk) are explained in the installer script itself, as usual.

Notes on 2.62+

A poor man's overlay is used on /system/xbin. We are creating a copy of /system/xbin in /su/xbin_bind, adding a symlink to /su/bin/su there, then mounting the entire thing on top of the original /system/xbin. This is likely to fix some compatibility issues with some apps, without actually modifying /system. Removing /su/xbin_bind and rebooting will disable this feature, or "echo BINDSYSTEMXBIN=false>>/data/.supersu" in recovery root shell before a SuperSU ZIP flash.

If you have one of those devices that refuse to remount system r/w in Android such as the Nexus 6P, but you do want to do this, "echo FSTABSYSTEMRW=true>>/data/.supersu" in recovery root shell before a SuperSU ZIP flash will patch the boot image in such a way that remounting will work. This feature itself breaks OTA compatibility, regardless of if you end up writing to /system or not.

Both of these features are likely temporary.

Notes on 2.64+

There have been a lot of changes to the ZIP installer. Hopefully they won't break a lot of installs. If 2.64 works well, it is likely to be promoted to the "main beta" in place of 2.52, and the How-To SU document will be updated with the relevant information.

A major change in setup is that the ZIP installer will try to detect 6.0 firmwares that can be rooted without doing a systemless install. In other words, a root that modifies only /system, but not the boot image. If this is possible, the installer will install into /system (unless you override via "echo SYSTEMLESS=true>>/data/.supersu").

This may catch (a) firmwares that allow sepolicy reloading from /data but have a locked bootloader and (b) custom firmwares set up to handle this. Regarding the latter, while it is not as clean as systemless, those running custom firmwares are more likely to want to modify /system anyway, it is less likely to mess with updates to those firmwares, and it prevents the necessity of reflashing the ZIP after each kernel switch. Of course, the kernel's SELinux policies must support this! See this thread for details for devs.

Notes on 2.65+

As 2.65 adds /su/xbin, I recommend flashing the ZIP rather than installing the APK from the ZIP, as some people tend to do.

Notes on 2.67+

I recommend flashing the ZIP rather than installing the APK from the ZIP, as some people tend to do.

Downloads

BETA-SuperSU-v2.60-20151205163135.zip
BETA-SuperSU-v2.61-20151207213702.zip
BETA-SuperSU-v2.62-20151210170034.zip
BETA-SuperSU-v2.62-2-20151211155442.zip
BETA-SuperSU-v2.62-3-20151211162651.zip
BETA-SuperSU-v2.64-20151220185127.zip
BETA-SuperSU-v2.65-20151226141550.zip
BETA-SuperSU-v2.66-20160103015024.zip
BETA-SuperSU-v2.67-20160121175247.zip
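
A pre-flight check for the two limits the post above states for the boot image patcher: the standard Android boot image format and a gzip-compressed ramdisk. This is an added example, not code from the SuperSU installer; the function names, the `supported` flag, the compressor table beyond gzip and the sample images are assumptions constructed here.

```python
import gzip
import struct
import zlib

BOOT_MAGIC = b"ANDROID!"
# magic, then kernel size/addr, ramdisk size/addr, second size/addr,
# tags addr, page size (all little-endian 32-bit)
HEADER = struct.Struct("<8s8I")
COMPRESSION_MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"\x02\x21\x4c\x18", "lz4-legacy"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"BZh", "bzip2"),
    (b"\x89LZO\x00", "lzop"),
]


def _pad(n, page):
    """Round n up to the next multiple of the page size."""
    return (n + page - 1) // page * page


def inspect_boot_image(data):
    """Report whether an image has the standard header and a gzip ramdisk."""
    result = {"standard_format": False, "compression": None, "supported": False}
    if len(data) < HEADER.size or data[:8] != BOOT_MAGIC:
        return result
    _, kernel_size, _, ramdisk_size, _, _, _, _, page = HEADER.unpack_from(data)
    if page == 0 or page & (page - 1):
        return result  # page size must be a non-zero power of two
    start = page + _pad(kernel_size, page)  # header page, then padded kernel
    ramdisk = data[start:start + ramdisk_size]
    if ramdisk_size == 0 or len(ramdisk) != ramdisk_size:
        return result  # missing or truncated ramdisk
    result["standard_format"] = True
    result["compression"] = next(
        (name for magic, name in COMPRESSION_MAGIC if ramdisk.startswith(magic)),
        "unknown")
    if result["compression"] == "gzip":
        try:
            # A ramdisk is a cpio archive; every cpio ASCII format opens "0707".
            result["supported"] = gzip.decompress(ramdisk).startswith(b"0707")
        except (OSError, EOFError, zlib.error):
            pass  # gzip magic present but the stream is corrupt
    return result


def build_sample_image(ramdisk, page=2048):
    """Constructed test image: dummy kernel, given ramdisk, zeroed addresses."""
    kernel = b"\x00" * 100
    header = HEADER.pack(BOOT_MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)
    return (header.ljust(page, b"\x00")
            + kernel.ljust(_pad(len(kernel), page), b"\x00")
            + ramdisk)


if __name__ == "__main__":
    cpio = b"070701" + b"0" * 104 + b"TRAILER!!!\x00"  # constructed stand-in
    print(inspect_boot_image(build_sample_image(gzip.compress(cpio))))
    print(inspect_boot_image(build_sample_image(b"\xfd7zXZ\x00" + b"\x00" * 32)))
    print(inspect_boot_image(b"\x00" * 4096))
```
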
Top Liked Posts

    The latest WIP version has become the main BETA version.

    For all intents and purposes, this thread is closed. It will be cleaned up and unstickied in good time.