whoami: bad uid 0 - Magisk

I replaced old /system/bin/toybox with a new binary from http://landley.net/toybox/bin then I created symlinks with for i in $(./toybox); do ln -s toybox $i. There is su in symlinks.
Now I cannot open Magisk anymore, stuck at splash screen mask.
Also MiXplorer cannot browse root dirs.
With Terminal Emulator I can still browse root dirs.
If I type which su I get /sbin/su which is a symlink to /sbin/magisk.
I have not yet tried to reboot because I fear to get stuck, maybe it would repair by itself but who knows?
If I type whoami I get bad uid 0, after su shell I get bad uid 2000 and so on.
How can I restore root? I can access TWRP recovery.

how about /sbin/su -c unlink /system/bin/su or wherever you symlinked toybox applets?
are you sure that binary is actually a replacement including all android specific applets (like getevent) for built-in toybox?
why did you replace system files in first place if you're actually on Magisk and could just use systemless overlays instead?

If I try to unlink it says it's read-only file system. I could try to do it in recovery but I'm afraid to reboot...
What is strange is that which su points to /sbin/magisk, so it should not consider the other su symlink to toybox
Another thing I noticed is that new symlink to toybox created with my script are root both UID and GID, while existing ones are root UID and shell GID
Toybox binary is specific for my Android ARMv8 http://landley.net/toybox/downloads/binaries/0.8.9/toybox-aarch64.
You are right about systemless overlays.

aarch64 is only the cpu architecture, doesn't say anything about android.
how did you install toybox on read-only file system? remount -o,rw /

ok, however the arch is right for my Snap855, I tried other applets embedded in toybox, like factor, and they work.
I used MiXplorer to write to system, I gave it root permissions so it could work on it. Now MiX is unarmed and Terminal Emulator can only read into root dirs but not write.

quick check with my toybox yours is missing all android specific applets
Code:
:/ $ cd $HOME
:/data/user/0/jackpal.androidterm/app_HOME $ ls -la
total 780
drwxrwx--x 2 u0_a152 u0_a152 4096 2023-01-30 14:46 .
drwxr-x--x 6 u0_a152 u0_a152 4096 2023-01-28 01:58 ..
-rwx--x--x 1 u0_a152 u0_a152 783680 2023-01-30 14:24 toybox
:/data/user/0/jackpal.androidterm/app_HOME $ ./toybox --version
toybox 0.8.9
:/data/user/0/jackpal.androidterm/app_HOME $ toybox --version
toybox 0.7.6-android
:/data/user/0/jackpal.androidterm/app_HOME $ for i in $(toybox); do ./toybox | grep -qw $i || echo $i; done
chcon
dd
diff
expr
getenforce
getfattr
gzip
load_policy
lsof
modprobe
more
restorecon
runcon
sendevent
setenforce
setprop
start
stop
stty
tr
traceroute
traceroute6
you should reinstall stock toybox from TWRP backup.
edit: this might help
Code:
:/ $ ls -lZ /system/bin/toybox
-rwxr-xr-x 1 root shell u:object_r:toolbox_exec:s0 352532 2008-12-31 17:00 /system/bin/toybox

I renamed the old toybox, so I could restore it from recovery.
Btw, I get this with ls -lZ
-rwxr-xr-x 1 0 2000 ? 825176 2023-01-29 07:34 /system/bin/toybox
Seem to have lost context there.
Thanks for your quick replies.

either you're on Jelly bean or you lost secontext. repair with chcon
Code:
chcon u:object_r:toolbox_exec:s0 /system/bin/toybox

You are right, new toybox does not have specific Android applet, like chcon or restorecon.
So, please correct me if I'm wrong, I reboot in TWRP, restore old toybox.
Then should I run chcon / restorecon or reboot straight away?
I lost secontext in all root dirs /, /system, /vendor, /sdcard...

not sure what ROM you're talking about. maybe you used ls of wrong toybox?

Don't understand your answer, what ROM are you referring to?
If I ./"toybox old" restorecon I get restorecon: Needs 1 argument (see "restorecon --help")
If I restorecon I get toybox: Unknown command restorecon (see "toybox --help")
Please advise me if it's right to restore old toybox via TWRP and reboot to system or there's the need to chcon / restorecon, thanks

please give the output of
Code:
grep ro.build.fingerprint /system/build.prop /system*/system/build.prop
it's very unlikely you lost every secontext. either it never existed or you just can't view.
restorecon won't help you much. only restoring TWRP backup could restore secontext as it was before.

grep ro.build.fingerprint /system/build.prop
ro.build.fingerprint=Xiaomi/cepheus_eea/cepheus:10/QKQ1.190825.002/V11.0.9.0.QFAEUXM:user/release-keys
ro.build.fingerprint_real=Xiaomi/cepheus/cepheus:10/QKQ1.190825.002/20.7.2:user/release-keys/1593694646

so your ROM is stock ROM Android 10 it must have secontext of course. in case it's true you lost every secontext best is download cepheus_eea_global_images_V11.0.9.0.QFAEUXM_20200421.0000.00_10.0_eea_31715f4bd1.tgz and flash_all_except_storage.bat
(you can backup boot in TWRP beforehand and flash boot.emmc.win from fastboot right after)
edit: build.prop usually is in /system(_root)/system/build.prop on new devices, so most likely what you think is build.prop is just from the TWRP image used.
maybe you didn't mount System?

Resolved
Rebooted into TWRP, restored original toybox, deleted my symlinks, checked secontexts ok, rebooted to system, all fine.
Thank for your support

you can place toybox in /data/adb/modules/toybox/system/xbin/toybox, make a diff and only symlink missing applets in there.
then create modules.prop, reboot and done.

Related

Previously broken GB root prohibits ICS404root script

The ICS404root script package has a fatal bug if a broken su already exists. Here's what happened on my D4.
I had root working fine on the GB version that shipped when I got the phone
I updated my stock (but rooted) D4 to 6.13.219 using normal OTA update and like an idiot, I forgot to use a root-keeper.
Confirmed root was broken as expected
Updated to ICS with "D4 6.16.217.zip". (I did no wipes other than the cache partition).
Everything worked fine and ICS is up and running
I ran the ICS404root.zip script package and get the following:
Code:
ICS404root # sh linux_runme_root_script.sh
Pushing files from root package to device...
4393 KB/s (586212 bytes in 0.130s)
4554 KB/s (1862336 bytes in 0.399s)
15 KB/s (660 bytes in 0.042s)
473 KB/s (22364 bytes in 0.046s)
Removing local copies.
Setting permissions.
Rebooting device...
Waiting for device to boot...
Attempting to place su binary on /system...
debugfs 1.42 (29-Nov-2011)
debugfs: debugfs: write: The file 'su' already exists
debugfs: debugfs: debugfs: debugfs: Cleaning up...
Rooting completed, must reboot.
Rebooting device...
Rooted.
So I have an old broken root on my phone, and this breaks the root script. I tried reinstalling superuser, but could only "uninstall updates" rather than uninstalling. (Uninstalling updates and re-installing them did not work.) I tried installing busybox but got root denied messages.
I *really* don't want to wipe my /system to fix this. Can the script be modified to deal with pre-existing su binaries?
UPDATE: (partially solved)
I ran debugfs in interactive mode and did a
Code:
debugfs: cd xbin
debugfs: rm su
debugfs: cd ..
debugfs: cd bin
debugfs: rm su
Then I completed the root hack manually and rebooted. I then updated Superuser and ran Titanium since I saw somewhere in a thread the TB will correct permissions on the su binary if they were funky. Sure enough it changed su from 4755 to 6755. After a reboot, everything was fine!
So... Root is attainable on ICS in the presence of a broken GB root, but the script should still be updated to deal with this.
ryanmcdonald said:
UPDATE: (partially solved)
I ran debugfs in interactive mode and did a
Code:
debugfs: cd xbin
debugfs: rm su
debugfs: cd ..
debugfs: cd bin
debugfs: rm su
Then I completed the root hack manually and rebooted. I then updated Superuser and ran Titanium since I saw somewhere in a thread the TB will correct permissions on the su binary if they were funky. Sure enough it changed su from 4755 to 6755. After a reboot, everything was fine!
So... Root is attainable on ICS in the presence of a broken GB root, but the script should still be updated to deal with this.
Click to expand...
Click to collapse
looks like i have the same issue except i got there a different way. i did use rootkeeper (though didn't do temp unroot before allowing OTA update to run), so i lost root when going to ics. not a big deal though, as the ics404root util worked fine to re-root.
well, i was having some odd issues like no sound when getting an sms, among others, so decided to do factory reset (without unrooting first). su is gone from the app drawer, but apparently it's still there as i get the same "debugfs: debugfs: write: The file 'su' already exists". i had to add a pause to the end of the batch file to be able to see that message, since it quits whether it worked or not, and you never see it.
i'm not familiar with what you mentioned about running debugfs in interactive. i tried using adb shell to poke around to see if i could find su and mv it to a .bak or something, but my linux command line skills are apparently too rusty. i found su in /system, but since /system is mounted as read only, i can't do anything. i eventually figured out how to get into interactive mode (forgot i had to specify the full path to debugfs since it's not in the default search path), but it tells me fs not open. i try to open, but i don't know what to give it for things like block size, etc:
Code:
[email protected]_maserati:/ $ /data/local/12m/debugfs
/data/local/12m/debugfs
debugfs 1.42 (29-Nov-2011)
debugfs: cd xbin
cd xbin
cd: Filesystem not open
debugfs: open_filesys
open_filesys
open_filesys: Usage: open [-s superblock] [-b blocksize] [-c] [-w] <device>
when looking around in adb shell, i could only find an su in /system/xbin - if i could come up with a way to delete this via adb, i think i could just run the regular root script and be done. any ideas?
still broken. i found a command that let me remount /system as rw, then i used rm su and verified it was gone w/ ls. re-ran ics404root batch file. no errors this time, but still no root on the phone. it seems to be putting su in there, but apparently it's corrupt. the way i check for root is to simply start titanium. right away it says it couldn't get root privileges.
Code:
C:\temp\droid4\ICS404root>adb shell
[email protected]_maserati:/ $ su
su
[email protected]_maserati:/ # mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /syste
m
2 /dev/block/mtdblock3 /system <
[email protected]_maserati:/ # cd /system/xbin
cd /system/xbin
[email protected]_maserati:/system/xbin # ls s*
ls s*
script
scriptreplay
sed
sendmail
seq
setarch
setconsole
setfont
setkeycodes
setlogcons
setsid
setuidgid
sh
sha1sum
sha256sum
sha512sum
showkey
slattach
sleep
smemcap
softlimit
sort
split
start-stop-daemon
stat
strings
stty
su
su.bak
sulogin
sum
sv
svlogd
swapoff
swapon
switch_root
sync
sysctl
syslogd
[email protected]_maserati:/system/xbin # rm su
rm su
[email protected]_maserati:/system/xbin # ls s*
ls s*
script
scriptreplay
sed
sendmail
seq
setarch
setconsole
setfont
setkeycodes
setlogcons
setsid
setuidgid
sh
sha1sum
sha256sum
sha512sum
showkey
slattach
sleep
smemcap
softlimit
sort
split
start-stop-daemon
stat
strings
stty
su.bak
sulogin
sum
sv
svlogd
swapoff
swapon
switch_root
sync
sysctl
syslogd
[email protected]_maserati:/system/xbin # rm su.bak
rm su.bak
[email protected]_maserati:/system/xbin # ls s*
ls s*
script
scriptreplay
sed
sendmail
seq
setarch
setconsole
setfont
setkeycodes
setlogcons
setsid
setuidgid
sh
sha1sum
sha256sum
sha512sum
showkey
slattach
sleep
smemcap
softlimit
sort
split
start-stop-daemon
stat
strings
stty
sulogin
sum
sv
svlogd
swapoff
swapon
switch_root
sync
sysctl
syslogd
[email protected]_maserati:/system/xbin # exit
exit
[email protected]_maserati:/ $ exit
exit
i have modified the batch file. i turned echo on and rem'd out the delete statements so i could see what was going on and so i wouldn't have to unzip it every time i tried it. (why does it delete the local stuff anyway?) i also added a pause at the end.
Code:
C:\temp\droid4\ICS404root>echo Connect your phone via USB to your PC and be sure
Connect your phone via USB to your PC and be sure
C:\temp\droid4\ICS404root>echo it ISN'T set to mount as a mass storage device.
it ISN'T set to mount as a mass storage device.
C:\temp\droid4\ICS404root>echo (ENTER to continue or push Ctrl-C to exit)
(ENTER to continue or push Ctrl-C to exit)
C:\temp\droid4\ICS404root>pause
Press any key to continue . . .
C:\temp\droid4\ICS404root>echo "Pushing files from root package to device..."
"Pushing files from root package to device..."
C:\temp\droid4\ICS404root>adb push busybox /data/local/12m/
2434 KB/s (586212 bytes in 0.235s)
C:\temp\droid4\ICS404root>adb push debugfs /data/local/12m/
2774 KB/s (1862336 bytes in 0.655s)
C:\temp\droid4\ICS404root>adb push rooter /data/local/12m/
71 KB/s (660 bytes in 0.009s)
C:\temp\droid4\ICS404root>adb push su /data/local/12m/
1818 KB/s (22364 bytes in 0.012s)
C:\temp\droid4\ICS404root>echo "Removing local copies."
"Removing local copies."
C:\temp\droid4\ICS404root>rem del busybox
C:\temp\droid4\ICS404root>rem del debugfs
C:\temp\droid4\ICS404root>rem del rooter
C:\temp\droid4\ICS404root>rem del su
C:\temp\droid4\ICS404root>echo "Setting permissions."
"Setting permissions."
C:\temp\droid4\ICS404root>adb shell chmod 755 /data/local/12m/busybox
C:\temp\droid4\ICS404root>adb shell chmod 755 /data/local/12m/debugfs
C:\temp\droid4\ICS404root>adb shell chmod 755 /data/local/12m/rooter
C:\temp\droid4\ICS404root>adb shell chmod 755 /data/local/12m/su
C:\temp\droid4\ICS404root>adb shell mv /data/local/12m/batch /data/local/12m/bat
ch.bak
C:\temp\droid4\ICS404root>adb shell ln -s /dev/block/mmcblk1p20 /data/local/12m/
batch
C:\temp\droid4\ICS404root>echo "Rebooting device..."
"Rebooting device..."
C:\temp\droid4\ICS404root>adb reboot
C:\temp\droid4\ICS404root>echo "Waiting for device to boot..."
"Waiting for device to boot..."
C:\temp\droid4\ICS404root>adb wait-for-device shell /data/local/12m/rooter
Attempting to place su binary on /system...
debugfs 1.42 (29-Nov-2011)
debugfs: debugfs: Allocated inode: 4359
debugfs: debugfs: debugfs: debugfs: Cleaning up...
Rooting completed, must reboot.
C:\temp\droid4\ICS404root>adb shell rm /data/local/12m/rooter
C:\temp\droid4\ICS404root>echo "Rebooting device..."
"Rebooting device..."
C:\temp\droid4\ICS404root>adb reboot
C:\temp\droid4\ICS404root>echo "Rooted."
"Rooted."
C:\temp\droid4\ICS404root>rem del AdbWinUsbApi.dll
C:\temp\droid4\ICS404root>rem del AdbWinApi.dll
C:\temp\droid4\ICS404root>rem del adb.exe
C:\temp\droid4\ICS404root>rem del linux_runme_root_script.sh
C:\temp\droid4\ICS404root>del
The syntax of the command is incorrect.
C:\temp\droid4\ICS404root>pause
Press any key to continue . . .
C:\temp\droid4\ICS404root>
i'm kinda stuck at this point, but at least my phone isn't bricked. but considering all the issues i've had w/ ICS (the separate notification and ringtone volumes which cannot be linked being the TOP of my sh*t list, right after the crappy dialer, the lousy SMS client (seriously, gray on black? i cant read that!) and the list goes on and on...) i'd honestly rather go back to stock rooted GB. chrome was the only other reason i wanted ics and it seemed to be pretty poorly implemented to me, so i have no more interest in ICS.
i almost wonder if it's worth intentionally bricking it and bringing it back to vzw for exchange, and hopefully the new one won't have ics yet.
ok, i am rooted again! i had to use the Droid 4 Utility ICS Only to do it. the links to the LITE version are broken, so i had to download the entire 600mb package, but it worked to root my phone. now to start reinstalling stuff w/ titanium!

How to manually update su and SuperSu file through ADB root shell?

I have an un-rooted device, with Android 5.0 system, and the core is ARM Coretex A53.
I happen to found "adb root" works, that means I can play as root through ADB shell.
I successfully deleted a trash apk, renowned "kingroot", from my system.
Then, I try to manually update su and SuperSu file, through the bellowing commands:
# mount -o rw,remount /system
# cp /sdcard/mrw/su /system/xbin/su
# cp /sdcard/mrw/su /system/bin/su
# pm install /sdcard/mrw/superuser.apk
(I'm using a 2.46 SuperSu version, which should be OK for Android 5.0 system)
But it fails. The SuperSu told me " su binary not installed".
My questions:
1. Is this a feasible way to update Su and SuperSu, and get root access?
2. There's a bunch of architect, I tried both "arm" and "arm64", but none of the su binary can work. Which architect shall I choose, when I'm running on a ARM Coretex A53 core? ( I know it is a 64bit core)
Thanks a lot, and Best Regards,
towenyu
Did you get this device secondhand? Also what device is it, since many have their own root method because of OEM crap.
That said, you only need su in one location, either /system/xbin/su or /system/bin/su (I typically see it in /system/xbin/su). I'm not sure what happens if it's in both, but it's just wasted space.
You can try these commands through adb root; since you already were able to get su onto your device, it may be just a matter of ownership and permissions:
Code:
# mount -o rw,remount /system
# chmod 755 /system/xbin/su
# chown root:root /system/xbin/su
# mount -o ro,remount /system
chown 755 sets the permissions to rwxr-xr-x (user gets read/write/execute, group/other gets read/execute). Execute is the important bit here, since otherwise the su binary can't do its job. After those commands, try SuperSU again and see if it works (you might need a reboot, because of how Android 5.0+ handles changes to /system) The last mount -o ro command just changes /system back to read-only, to prevent accidental changes to other parts.
Successfully rooted!
Not that simple, but basically follow the update-binary script already inside supersu package.
Only need to made slight modification due to my system won't support "unzip"
Now that you're successfully rooted, go install Busybox, that'll give you a lot of Linux commands Android doesn't have by default, including unzip.
xfullmetal17 said:
Now that you're successfully rooted, go install Busybox, that'll give you a lot of Linux commands Android doesn't have by default, including unzip.
Click to expand...
Click to collapse
Thanks for your advice! I will try it.
But don't there's already a Busybox in android system? I guess what I need to do is find somewhere a more powerful busybox binary -- or build it by my own, but that may be not so easy for me.
Android has some basic Linux commands support, but I don't think it has Busybox (if you have a custom ROM you may have some additional commands, but since you said unrooted I don't think it was installed.
This is one of the most popular installers for Busybox: https://play.google.com/store/apps/details?id=stericson.busybox
I've used it since I first rooted with Android 2.2 and haven't had any issues with it (save for lack of vim, since stock Android doesn't have the correct libraries for it)
rooting my htc m9 running marshmallow
Hi, I'm totally blind, and twrp isn't an option for me since it doesn't have a built in screen reader. I would like to install supersu to system, would some one kindly help me in telling me what files to put where. I think the m9 is arm64, but besides su and supersu.apk, I think there's installrecovery.ssh and some other files that have to go in, so please help some one
xfullmetal17 said:
Android has some basic Linux commands support, but I don't think it has Busybox (if you have a custom ROM you may have some additional commands, but since you said unrooted I don't think it was installed.
This is one of the most popular installers for Busybox: https://play.google.com/store/apps/details?id=stericson.busybox
I've used it since I first rooted with Android 2.2 and haven't had any issues with it (save for lack of vim, since stock Android doesn't have the correct libraries for it)
Click to expand...
Click to collapse
Hi guys ,
it is possible to run manualy via adb shell update-binary file from META-INF supersu folder for install it ? (means before unpacked folder supersu is copied to ex. /tmp)
I'm asking bcose no custom recovery and no root on my device yet.
Thx
nalas said:
Hi guys ,
it is possible to run manualy via adb shell update-binary file from META-INF supersu folder for install it ? (means before unpacked folder supersu is copied to ex. /tmp)
I'm asking bcose no custom recovery and no root on my device yet.
Thx
Click to expand...
Click to collapse
I have same saturation, no TWRP, no SU installed on my device: [email protected]_cn:/ #, Android M,
What I have is a userdebug boot.img support "adb root", so my draft commands in my mind please run one by one, not batch.. WARNING, this may make your system bootloop,take your own risk!!!.)
fastboot flash boot boot_userdebug.img
fastboot reboot
adb wait-for-device
adb root
adb remount
adb disable-verity
adb shell setenforce 0
adb reboot
cd D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64
adb wait-for-device
adb root
adb remount
adb shell setenforce 0
adb push .\su /system/bin/su
adb push .\su /system/xbin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell /system/bin/su --install
adb shell /system/bin/su --daemon&
adb install ..\common\Superuser.apk
adb shell setenforce 0
adb disable-verity
if you found SuperSU not found root, try adb shell setenforce 0 again.
then you can get SuperSU found su file need to update, use normal way to do it.
then, it will be "Installation success !"
Enjoy it.
so reference log:
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
adb: error: failed to copy 'su' to '/system/bin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb root
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
adb: error: failed to copy 'su' to '/system/bin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb remount
remount succeeded
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
[100%] /system/bin/su
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/xbin/su
adb: error: failed to copy 'su' to '/system/xbin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb shell
[email protected]_cn:/ # su
[email protected]_cn:/ # cd /system/bin
[email protected]_cn:/system/bin # chmod 06755 su
chmod: chmod 'su' to 106755: Read-only file system
1|[email protected]_cn:/system/bin # ls su
su
[email protected]_cn:/system/bin # ls -al su
-rwxr-xr-x root shell 108496 2008-02-29 03:33 su
[email protected]_cn:/system/bin # su --intall
[email protected]_cn:/system/bin # su --daemon&
[1] 6146
[email protected]_cn:/system/bin # getenforce
Enforcing
[1] + Done su --daemon
[email protected]_cn:/system/bin # setenforce 0
[email protected]_cn:/system/bin # getenforce
Permissive
[email protected]_cn:/system/bin # exit
[email protected]_cn:/system/bin # exit
[email protected]_cn:/ # exit
/system/bin/su
exit
^C
Azlun said:
I have same saturation, no TWRP, no SU installed on my device: [email protected]_cn:/ #, Android M,
What I have is a userdebug boot.img support "adb root", so my draft commands in my mind please run one by one, not batch.. WARNING, this may make your system bootloop,take your own risk!!!.)
fastboot flash boot boot_userdebug.img
fastboot reboot
adb wait-for-device
adb root
adb remount
adb disable-verity
adb shell setenforce 0
adb reboot
cd D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64
adb wait-for-device
adb root
adb remount
adb shell setenforce 0
adb push .\su /system/bin/su
adb push .\su /system/xbin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell /system/bin/su --install
adb shell /system/bin/su --daemon&
adb install ..\common\Superuser.apk
adb shell setenforce 0
adb disable-verity
if you found SuperSU not found root, try adb shell setenforce 0 again.
then you can get SuperSU found su file need to update, use normal way to do it.
then, it will be "Installation success !"
Enjoy it.
so reference log:
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
adb: error: failed to copy 'su' to '/system/bin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb root
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
adb: error: failed to copy 'su' to '/system/bin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb remount
remount succeeded
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
[100%] /system/bin/su
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/xbin/su
adb: error: failed to copy 'su' to '/system/xbin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb shell
[email protected]_cn:/ # su
[email protected]_cn:/ # cd /system/bin
[email protected]_cn:/system/bin # chmod 06755 su
chmod: chmod 'su' to 106755: Read-only file system
1|[email protected]_cn:/system/bin # ls su
su
[email protected]_cn:/system/bin # ls -al su
-rwxr-xr-x root shell 108496 2008-02-29 03:33 su
[email protected]_cn:/system/bin # su --intall
[email protected]_cn:/system/bin # su --daemon&
[1] 6146
[email protected]_cn:/system/bin # getenforce
Enforcing
[1] + Done su --daemon
[email protected]_cn:/system/bin # setenforce 0
[email protected]_cn:/system/bin # getenforce
Permissive
[email protected]_cn:/system/bin # exit
[email protected]_cn:/system/bin # exit
[email protected]_cn:/ # exit
/system/bin/su
exit
^C
Click to expand...
Click to collapse
Thank You - I will check and give feedback
Can I somehow just copy su and supersu files to phone (stock ROM) with full root shell to get root? Unfortunately bootloader is locked and only root shell is available.
user4978023 said:
Can I somehow just copy su and supersu files to phone (stock ROM) with full root shell to get root? Unfortunately bootloader is locked and only root shell is available.
Click to expand...
Click to collapse
Of course not. If it were that easy rooting would be a non-issue for devices with a locked bootloader.
towenyu said:
Successfully rooted!
Not that simple, but basically follow the update-binary script already inside supersu package.
Only need to made slight modification due to my system won't support "unzip"
Click to expand...
Click to collapse
Can you give more details ?
I'm in a similar situation (/system/bin/su and /system/xbin/su "updated" from Supersu zip , root access from adb shell , rom built as userdebug) but I'm unable to launch the update-binary through adb to get the TV fully rooted..

Cannot enter 'u:r:init:s0' context again, after reboot

Hi everyone,
I have a tough device, I spent lost of time to root it.
There days, I almost succeed.
But I met a problem: after rebooted, I cannot remount rootfs and /system.
The detailed description is following. Can anybody help me?
my device information:
hardware: vivo X5MAX L
android version: 4.4.4
rom: Funtouch OS 2.0(version PD1408L_A_1.16.6)
kernel version: 3.10.28​
root approach:
1. downgrade firmware
2. get temporary root via kingroot by system vulnerability
3. get root shell via kingroot
4. remove kingroot, and install supersu binary via root shell by hand
5. add launch script to /system/etc/install-recovery.sh​
After all, everything looks perfect.
But after I rebooted my device, I cannot remount rootfs and /system
Code:
[email protected]_32:/ $ su
[email protected]_32:/ # id
uid=0(root) gid=0(root) context=u:r:init_shell:s0
[email protected]_32:/ # mount -o rw,remount /
mount: Operation not permitted
255|[email protected]_32:/ # busybox mount -o rw,remount rootfs /
mount: permission denied (are you root?)
Then, I noticed, after rebooted, su shell will got a context u:r:init_shell:s0, not u:r:init:s0.
When I run su before rebooted, I will get u:r:init:s0.
And I cannot get u:r:init_shell:s0 by su -cn
Code:
[email protected]_32:/ $ su -cn u:r:init:s0 -c "busybox id"
uid=0 gid=0 context=u:r:init_shell:s0
[email protected]_32:/ $ su -cn init -c "busybox id"
uid=0 gid=0 context=u:r:init_shell:s0
BTW: I never used this command before, and I cannot found any demo show how to call with -cn. Maybe I'm wrong.
And I have checked daemonsu run in correct context as document state
Code:
[email protected]_32:/ # ps -Z | grep daemonsu
u:r:init:s0 root 297 1 daemonsu:mount:master
u:r:init:s0 root 530 1 daemonsu:master
u:r:init:s0 root 4059 530 daemonsu:0
u:r:init:s0 root 4123 530 daemonsu:10133
u:r:init:s0 root 4773 530 daemonsu:10088
u:r:init:s0 root 5590 530 daemonsu:10131
u:r:init:s0 root 8353 530 daemonsu:10132
u:r:init:s0 root 15832 4059 daemonsu:0:15829
[email protected]_32:/ # ps -Z | grep $$
u:r:init_shell:s0 root 15836 15832 sh
u:r:init_shell:s0 root 15863 15836 ps
u:r:init_shell:s0 root 15864 15836 grep
And, also, the parent progress of 'sh' is 'daemonsu:0:15829'
Then, I do a lot of other tries. But no further successful.
And I red many documents about SELinux and SEDroid.
But I'm a really new people on SELinux.
So I still cannot found out where the problem is.
Can anybody point out where the problem?
Thanks
Did you not just try the installers here: http://forum.xda-developers.com/apps/supersu/v2-64-2-66-supersu-mode-t3286120 also the superSU app should prompt you to install its binaries for you
i have same problem with ramdisc extraction faliure...and othing seems to help

How To Guide How to make files in /system writable

How to make files in /system writable
In Android 12 and newer /system is mounted read-only can not be remounted read-write anymore.
Sometimes it's useful that one or more files in /system are writable (for example for develop tasks or for testing)
This can be implemented using Magisk (see How to change files in the directory /system for more details)
Example :
Make the file /system/etc/vimrc writable
Note:
In Android 12 /etc is a symbolic link to /system/etc.
Open a (adb) shell as user root and do
Bash:
# create a dummy Magisk module
#
mkdir -p /data/adb/modules/writable_system/system/etc
# copy the file that should be writable to the Magisk module directory
#
cp /system/etc/vimrc /data/adb/modules/writable_system/system/etc/
# make the file in the Magisk module directory writable
#
chmod +w /data/adb/modules/writable_system/system/etc/vimrc
Now reboot the phone.
After the reboot the file /system/etc/vimrc is writable by the user root, Example:
Code:
ASUS_I006D:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
ASUS_I006D:/ #
ASUS_I006D:/ # ls -l /system/etc/vimrc
-rw-r--r-- 0 root root 3350 2022-11-04 11:36 /system/etc/vimrc
ASUS_I006D:/ # tail -2 /system/etc/vimrc
\ | wincmd p | diffthis
endif
ASUS_I006D:/ #
ASUS_I006D:/ # echo '" Test Comment' >>/system/etc/vimrc
ASUS_I006D:/ #
ASUS_I006D:/ # tail -2 /system/etc/vimrc
endif
" Test Comment
ASUS_I006D:/ #
Only the user root can access the directory /data/adb. Therefor the files configured using this approach are only writable by the user root.
To make a file in /system writable for non-root users use this method:
Open a (adb) shell and execute as user shell:
Bash:
#
# create a directory that is writable for the user shell
#
mkdir /data/local/tmp/writable_system
mkdir /data/local/tmp/writable_system/etc
#
# copy the file that should be writable to that directory
#
cp /system/etc/vimrc /data/local/tmp/writable_system/etc
The next commands must be executed as user root:
Bash:
# create dummy Magisk module
#
mkdir -p /data/adb/modules/writable_system/system/etc
#
# create a symbolic link to the file in the writable directory in the directory with the dummy Magisk module
#
ln -s /data/local/tmp/writable_system/etc/vimrc /data/adb/modules/writable_system/system/etc
Now reboot the phone.
After the reboot the file /system/etc/vimrc is writable by the user shell, Example:
Code:
ASUS_I006D:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid),3012(readtracefs) context=u:r:shell:s0
ASUS_I006D:/ $
ASUS_I006D:/ $ tail -2 /system/etc/vimrc
\ | wincmd p | diffthis
endif
ASUS_I006D:/ $
ASUS_I006D:/ $ echo '" Test Comment' >>/system/etc/vimrc
ASUS_I006D:/ $
ASUS_I006D:/ $ tail -2 /system/etc/vimrc
endif
" Test Comment
ASUS_I006D:/ $
Important:
The writable directory can also be in a sub directory in /sdcard. But be aware that /sdcard is mounted late in the boot process so it might be that the overwritten file in /system will be used by the OS when the bind mount points to a non-existent file if using a sub directory in /sdcard.
The changes to the file done using these methods are "persistent" as long as Magisk is installed in the boot partition.
To restore the file with the original contents after each new reboot of the phone without removing the writable config open a (adb) shell as user root and execute:
Bash:
#
# restore the file /data/adb/modules/writable_system/system/etc/vimrc from the original file /system/etc/vimrc
#
# this must be done before Magisk creates the bind mounts
#
echo "cp /system/etc/vimrc /data/adb/modules/writable_system/system/etc/vimrc">/data/adb/post-fs-data.d/restore_vimrc.sh
chmod 755 /data/adb/post-fs-data.d/restore_vimrc.sh
Now the file in the dummy Magisk module will be restored with the contents of the original file from /system after each reboot
To temporary access the original file from /system just stop the Magisk daemon, Example:
Code:
ASUS_I006D:/ # echo '"Test Test' >>/etc/vimrc
ASUS_I006D:/ #
ASUS_I006D:/ # tail -1 /etc/vimrc
"Test Test
ASUS_I006D:/ #
ASUS_I006D:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
ASUS_I006D:/ #
ASUS_I006D:/ # magisk --stop
ASUS_I006D:/ #
ASUS_I006D:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
ASUS_I006D:/ #
ASUS_I006D:/ # tail -1 /etc/vimrc
endif
ASUS_I006D:/ #
Note
Stopping the Magisk daemon will disable all bind mounts done by Magisk.
Restarting the Magisk daemon will not re-create the bind mount - to re-activate the bind mount for the writable file after stopping the Magisk daemon the phone must be rebooted.
To make more then one file writable in a sub directory in /system you can also replace the complete folder using these commands as user root:
Bash:
#
# make all files in /system/etc writable by the user root
#
mkdir -p /data/adb/modules/writable_system/system/etc/
cd /system/etc
find . | cpio -pdum /data/adb/modules/writable_system/system/etc/
touch /data/adb/modules/writable_system/system/etc/.replace
Now Magisk will replace the directory /system/etc with the directory /data/adb/modules/writable_system/system/etc after the next reboot
Notes
You should test these commands with a not important file like /system/etc/vimrc before changing important files.
It is NOT recommended to use this approach on productive phones.
See How to change any file or directory using Magisk for another approach to change files on read-only mounted filesystems.
Trouble Shooting
As always: If something does not work like expected check the Magisk log file /cache/magisk.log and also check the infos in this post.
Does this method require root on device?
FormulaSea said:
Does this method require root on device?
Click to expand...
Click to collapse
yes
Is there any method don't require root?
This looks interesting. Are you using OverlayFS for this? Looks like you did quite the research on this
Read-only is boring even as root. It's time for some RW baby
FormulaSea said:
Does this method require root on device?
Click to expand...
Click to collapse
I don't know a method to do this without root access.
But you can disable the root access in Magisk after implementing the changes . You could even uninstall tne Magisk app afterwards (but not the Magisk part from the boot partition)
regards
Bernd
lebigmac said:
This looks interesting. Are you using OverlayFS for this? Looks like you did quite the research on this
Read-only is boring even as root. It's time for some RW baby
Click to expand...
Click to collapse
I don't know what exactly you mean by "OverlayFS" - I use MagiskModules to modify files in /system and as far as I know Magisk used bind mounts to implement it.
>>Read-only is boring even as root.
Correct, but if you made the changes directly in /system, they would not survive the next OS upgrade.
One of the great advantages of this feature of Magisk is that it survives an OS upgrade - so as long as the change is compatible with the installed OS version, it only needs to be done once.
regards
Bernd
Thanks it worked on the audio folders on my 7t pro but didn't work on the boot animation folder. Both folders appear in the adb though with there files. Let me know op if you figure out how to do the boot animation folder it's moved to /my_product/ instead of /system/ I see that the my product folder and boot animation appear in the adb modules like the audio folder does and I swapped files the same way as with my audio modding but the changes for boot didn't take effect.
cbomb1337 said:
Thanks it worked on the audio folders on my 7t pro but didn't work on the boot animation folder. Both folders appear in the adb though with there files. Let me know op if you figure out how to do the boot animation folder it's moved to /my_product/ instead of /system/ I see that the my product folder and boot animation appear in the adb modules like the audio folder does and I swapped files the same way as with my audio modding but the changes for boot didn't take effect.
Click to expand...
Click to collapse
/my_product is not in the list of folders supported by Magisk so that may not work
Please post the output of these commands (executed as root user):
df -h
mount
ls -ald /*
ls -lZd /my_product
and a
ls -ldZ $( find /data/adb/modules/ )
and
cat /cache/magisk.log
(or attach the log file to the post if too big)
regards
Bernd
Here is this the correct log file. Thank you for responding to me.
cbomb1337 said:
Here is this the correct log file. Thank you for responding to me.
Click to expand...
Click to collapse
can you also post the output of the OS commands listed?
I Don't know how.
It didn't let me add the log here. Sorry that's it's cut and paste I tried a few termux commands to save a log but the were blank. I don't understand how to do it right.
Edit here I managed to upload the log to drive
https://drive.google.com/uc?id=1uWurf_462b5uLC_D21SFcgLcBWiXQZOn&export=download
bnsmb said:
can you also post the output of the OS commands listed?
Click to expand...
Click to collapse
Linefeeds are missing in that file so it's very hard to interpret the file contents correct
Can you do in a adb shell on the phone:
Bash:
(
set -x
set -v
su -
echo
df -h
echo
mount
echo
ls -ald /*
echo
ls -lZd /my_product
echo
ls -ldZ $( find /data/adb/modules/ )
echo
) > /sdcard/Download/oscmds.log 2>&1
then
Bash:
gzip /sdcard/Download/oscmds.log
and post / upload the file
/sdcard/Download/oscmds.log.gz
regards
Bernd
and
Here is the gzip I wasn't sure what was going on after entering that first command the termux was frozen for a few minutes. Also With the folders in the module folder and them being a copy of the original folder is it ok to delete them as a whole folder to remove the rw and revert it of needed. I tried it and didn't see any issues doing it but wanted to know if it reverted it properly and does deleting the module folders make me lose anything original that was in it or is my stock stuff safe because it's through magisk.
cbomb1337 said:
Here is the gzip I wasn't sure what was going on after entering that first command the termux was frozen for a few minutes. Also With the folders in the module folder and them being a copy of the original folder is it ok to delete them as a whole folder to remove the rw and revert it of needed. I tried it and didn't see any issues doing it but wanted to know if it reverted it properly and does deleting the module folders make me lose anything original that was in it or is my stock stuff safe because it's through magisk.
Click to expand...
Click to collapse
Looks like /my_product is a directory in the root filesystem but on the other hand there is a mount point called /mnt/vendor/my_product so I'm not sure about that.
If /my_product is really only a separate directory in the root filesystem the only method to change it is to manipulate the ramdisk used for booting the phone (only if the phone is using a ramdisk, of course).
Can you check if there are other directories called my_product:
find / -type d -name my_product 2>/dev/null
And, if there are any, compare the files in that directory with the files in the directory /my_product?
regards
Bernd
The only folder that has the same boot animation files is the /dev/ ones and the mnt one like you said.
It's all good if it can't be done i just found a magisk module before which works for flashing my boot animation
cbomb1337 said:
The only folder that has the same boot animation files is the /dev/ ones and the mnt one like you said.
Click to expand...
Click to collapse
Then it can't be done using the standard Magisk feature for making r/o mounted filesystems read-write.
cbomb1337 said:
It's all good if it can't be done i just found a magisk module before which works for flashing my boot animation
Click to expand...
Click to collapse
OK, do you have the URL?
And you could just check the contents of the zip file with the Magisk Module on how it's implemented
regards
Bernd
bnsmb said:
Then it can't be done using the standard Magisk feature for making r/o mounted filesystems read-write.
OK, do you have the URL?
And you could just check the contents of the zip file with the Magisk Module on how it's implemented
regards
Bernd
Click to expand...
Click to collapse
I read the module it mentions binding. I don't understand none of it :/ I upload the module here and removed the boot animation to make it small.
cbomb1337 said:
I read the module it mentions binding. I don't understand none of it :/ I upload the module here and removed the boot animation to make it small.
Click to expand...
Click to collapse
Cool -- that's the solution I also found in the meantime (and successfully tested it on my Zenfone 8)
In principle the module does for the bootanimation file what Magisk does if you replace some directories or files in /system
I will write a general HowTo how that works today or in the next days
regards
Bernd

How To Guide How to change any file or directory using Magisk

To change a file (or directory) in one of the read-only mounted filesystems in the Android OS Magisk can be used.
(see How to change files in the directory /system with Magisk and How to make files in /system writable )
But this method only works for files in the directories /system, /vendor, /product, or /system_ext.
In current Android OS implementations there are a lot of other directories on read-only filesystems with files that must be changed or replaced to change the behaviour of Android.
For example on some Android implementations the boot animation is in the file /my_product/media/bootanimation/bootanimation.zip. The standard mechanism to change a file on a read-only mounted filesystem via Magisk can not be used to replace this file with another file.
But Magisk also supports executing scripts while booting the phone (see How to run a script at every boot using Magisk)
And the Magisk init scripts in the directory /data/adb/post-fs-data.d are executed early in the boot process. Therefor we can create a Magisk init script to replace any file with another file using the same method Magisk is using (that is a "mount -o bind ..." ):
Note
All commands in this Howto must be done by the user root.
Example
To replace the boot animation with another one copy the ZIP file with the new boot animation to the directory /data/adb (or any other read-write mounted directory available early in the boot process), e.g:
Code:
ASUS_I006D:/data # ls -l /data/adb/Earth_bootanimation.zip
-rw-r--r-- 1 u0_a130 media_rw 13227720 2022-04-16 10:58 /data/adb/Earth_bootanimation.zip
ASUS_I006D:/data #
Make sure that the permissions and SELinux contexts for the file are okay using these commands:
Bash:
chown root:root /data/adb/Earth_bootanimation.zip
chmod 0644 /data/adb/Earth_bootanimation.zip
chcon -v u:object_r:system_file:s0 /data/adb/Earth_bootanimation.zip
Result:
Code:
ASUS_I006D:/data # ls -ldZ /data/adb/Earth_bootanimation.zip
-rw-r--r-- 1 root root u:object_r:system_file:s0 13227720 2022-04-16 10:58 /data/adb/Earth_bootanimation.zip
ASUS_I006D:/data #
Now create a Magisk init script to replace the file via bind mount:
Bash:
echo "mount -o bind /data/adb/Earth_bootanimation.zip /system/media/bootanimation.zip " >/data/adb/post-fs-data.d/change_bootanimation.sh
chmod 755 /data/adb/post-fs-data.d/change_bootanimation.sh
That's it .. Reboot the phone and enjoy the new animation.
To remove the new animation just delete the script /data/adb/post-fs-data.d/change_bootanimation.sh and reboot the phone.
The same method can be used to replace a complete directory using these steps:
e.g. to make the directory /odm/etc writable do:
Bash:
#
# create the new directory
#
mkdir /data/adb/odm_etc
#
# copy the existing files in /odm/etc to the new directory
#
cd /odm/etc && find . | cpio -pdum /data/adb/odm_etc
#
# create the Magisk init script to replace /odm/etc with the new directory /data/adb/odm_etc
#
echo "# make /odm writable
mount -o bind /data/adb/odm_etc /odm/etc
" >/data/adb/post-fs-data.d/make_odm_etc_writable
chmod 0755 /data/adb/post-fs-data.d/make_odm_etc_writable
Now reboot the phone and check the result:
Code:
ASUS_I006D:/ #
ASUS_I006D:/ # ls -l /odm/etc
total 15
-rw-r--r-- 1 root root 4961 2009-01-01 01:00 NOTICE.xml.gz
-rw------- 1 root root 1136 2009-01-01 01:00 build.prop
-r--r--r-- 1 root root 0 2009-01-01 01:00 fs_config_dirs
-r--r--r-- 1 root root 0 2009-01-01 01:00 fs_config_files
-rw-r--r-- 1 root root 0 2009-01-01 01:00 group
-rw-r--r-- 1 root root 0 2009-01-01 01:00 passwd
drwxr-xr-x 2 root root 3452 2023-01-18 16:30 selinux
ASUS_I006D:/ #
#
# create a new file in the directory used to replace /odm/etc
#
ASUS_I006D:/ # touch /data/adb/odm_etc/test.$$
ASUS_I006D:/ # ls -l /data/adb/odm_etc/test.$$
-rw-r--r-- 1 root root 0 2023-01-18 16:41 /data/adb/odm_etc/test.4597
ASUS_I006D:/ #
#
# check the contents of the directory /odm/etc
#
ASUS_I006D:/ # ls -l /odm/etc/test.$$
-rw-r--r-- 1 root root 0 2023-01-18 16:41 //odm/etc/test.4597
ASUS_I006D:/ #
Caution
I'm sure there is a reason why this feature is not implemented for all directories by default in Magisk
And, for example, if you make the directory /odm/etc writable using the method described above Android will complain after the next reboot with an error message that something is wrong with your phone.
Therefor please use with care! If possible only use this approach to make single files writable.
Trouble Shooting
In case the phone does not boot anymore after replacing a file or directory using this method:
Reboot the phone from a recovery with adb support (like TWRP) and delete the script in /data/adb/post-fs-data to fix the error
Notes
Files or directories that are used by Android before the Magisk init scripts are executed can not be changed using this method. These files must be replaced by changing the files in the ramdisk on the boot partition (see How to change files in the boot image using Magisk and How to trigger an action when a property is changed )
There are various Magisk Modules available in the internet to replace the animation that use this technique
To test a boot animation while the Android OS is running do:
Bash:
mount -o bind /data/adb/bootanimation_android12.zip /system/media/bootanimation.zip
bootanimation
Update 24.06.2023/bs
See the post https://forum.xda-developers.com/t/...directory-using-magisk.4543103/#post-88679517 below in this thread for using an overlayfs to make files read-write.
Can it be used to add a self-signed SSL certificate? And also this method works only with ASUS ZenFone 8 or also with others (e.g. OnePlus 9 pro)?
Romano36 said:
Can it be used to add a self-signed SSL certificate? And also this method works only with ASUS ZenFone 8 or also with others (e.g. OnePlus 9 pro)?
Click to expand...
Click to collapse
Hi
Can it be used to add a self-signed SSL certificate?
Click to expand...
Click to collapse
What is the purpose of the new SSL certificate?
If you intend to change the SSL certificate that was used to create the OS :
I did not test this but I'm pretty sure that you can not replace that certificate in an installed OS.
And also this method works only with ASUS ZenFone 8 or also with others (e.g. OnePlus 9 pro)?
Click to expand...
Click to collapse
This method works for all phones and OS that are supported by Magisk.
regards
Bernd
Modded by moderator
Romano36 said:
My purpose is to put a new certificate in this folder /system/etc/security/cacerts/. I have to try.
Click to expand...
Click to collapse
That should work . But I suggest to use a "dummy" Magisk module for that purpose -- see:
How to change files in the directory /system with Magisk
How to change files in the directory /system with Magisk Note: I tested the instructions below with Magisk 24. 25.0, and 25.2 on an ASUS Zenfone 8 running OmniROM (Android 12 ) . The filesystem for /system is normally mounted read-only In...
forum.xda-developers.com
regards
Bernd
Thanks!!!
bnsmb said:
To change a file (or directory) in one of the read-only mounted filesystems in the Android OS Magisk can be used.
(see How to change files in the directory /system with Magisk and How to make files in /system writable )
But this method only works for files in the directories /system, /vendor, /product, or /system_ext.
In current Android OS implementations there are a lot of other directories on read-only filesystems with files that must be changed or replaced to change the behaviour of Android.
For example on some Android implementations the boot animation is in the file /my_product/media/bootanimation/bootanimation.zip. The standard mechanism to change a file on a read-only mounted filesystem via Magisk can not be used to replace this file with another file.
But Magisk also supports executing scripts while booting the phone (see How to run a script at every boot using Magisk)
And the Magisk init scripts in the directory /data/adb/post-fs-data.d are executed early in the boot process. Therefor we can create a Magisk init script to replace any file with another file using the same method Magisk is using (that is a "mount -o bind ..." ):
Note
All commands in this Howto must be done by the user root.
Example
To replace the boot animation with another one copy the ZIP file with the new boot animation to the directory /data/adb (or any other read-write mounted directory available early in the boot process), e.g:
Code:
ASUS_I006D:/data # ls -l /data/adb/Earth_bootanimation.zip
-rw-r--r-- 1 u0_a130 media_rw 13227720 2022-04-16 10:58 /data/adb/Earth_bootanimation.zip
ASUS_I006D:/data #
Make sure that the permissions and SELinux contexts for the file are okay using these commands:
Bash:
chown root:root /data/adb/Earth_bootanimation.zip
chmod 0644 /data/adb/Earth_bootanimation.zip
chcon -v u:object_r:system_file:s0 /data/adb/Earth_bootanimation.zip
Result:
Code:
ASUS_I006D:/data # ls -ldZ /data/adb/Earth_bootanimation.zip
-rw-r--r-- 1 root root u:object_r:system_file:s0 13227720 2022-04-16 10:58 /data/adb/Earth_bootanimation.zip
ASUS_I006D:/data #
Now create a Magisk init script to replace the file via bind mount:
Bash:
echo "mount -o bind /data/adb/Earth_bootanimation.zip /system/media/bootanimation.zip " >/data/adb/post-fs-data.d/change_bootanimation.sh
chmod 755 /data/adb/post-fs-data.d/change_bootanimation.sh
That's it .. Reboot the phone and enjoy the new animation.
To remove the new animation just delete the script /data/adb/post-fs-data.d/change_bootanimation.sh and reboot the phone.
The same method can be used to replace a complete directory using these steps:
e.g. to make the directory /odm/etc writable do:
Bash:
#
# create the new directory
#
mkdir /data/adb/odm_etc
#
# copy the existing files in /odm/etc to the new directory
#
cd /odm/etc && find . | cpio -pdum /data/adb/odm_etc
#
# create the Magisk init script to replace /odm/etc with the new directory /data/adb/odm_etc
#
echo "# make /odm writable
mount -o bind /data/adb/odm_etc /odm/etc
" >/data/adb/post-fs-data.d/make_odm_etc_writable
chmod 0755 /data/adb/post-fs-data.d/make_odm_etc_writable
Now reboot the phone and check the result:
Code:
ASUS_I006D:/ #
ASUS_I006D:/ # ls -l /odm/etc
total 15
-rw-r--r-- 1 root root 4961 2009-01-01 01:00 NOTICE.xml.gz
-rw------- 1 root root 1136 2009-01-01 01:00 build.prop
-r--r--r-- 1 root root 0 2009-01-01 01:00 fs_config_dirs
-r--r--r-- 1 root root 0 2009-01-01 01:00 fs_config_files
-rw-r--r-- 1 root root 0 2009-01-01 01:00 group
-rw-r--r-- 1 root root 0 2009-01-01 01:00 passwd
drwxr-xr-x 2 root root 3452 2023-01-18 16:30 selinux
ASUS_I006D:/ #
#
# create a new file in the directory used to replace /odm/etc
#
ASUS_I006D:/ # touch /data/adb/odm_etc/test.$$
ASUS_I006D:/ # ls -l /data/adb/odm_etc/test.$$
-rw-r--r-- 1 root root 0 2023-01-18 16:41 /data/adb/odm_etc/test.4597
ASUS_I006D:/ #
#
# check the contents of the directory /odm/etc
#
ASUS_I006D:/ # ls -l /odm/etc/test.$$
-rw-r--r-- 1 root root 0 2023-01-18 16:41 //odm/etc/test.4597
ASUS_I006D:/ #
Caution
I'm sure there is a reason why this feature is not implemented for all directories by default in Magisk
And, for example, if you make the directory /odm/etc writable using the method described above Android will complain after the next reboot with an error message that something is wrong with your phone.
Therefor please use with care! If possible only use this approach to make single files writable.
Trouble Shooting
In case the phone does not boot anymore after replacing a file or directory using this method:
Reboot the phone from a recovery with adb support (like TWRP) and delete the script in /data/adb/post-fs-data to fix the error
Notes
Files or directories that are used by Android before the Magisk init scripts are executed can not be changed using this method. These files must be replaced by changing the files in the ramdisk on the boot partition (see How to change files in the boot image using Magisk and How to trigger an action when a property is changed )
There are various Magisk Modules available in the internet to replace the animation that use this technique
To test a boot animation while the Android OS is running do:
Bash:
mount -o bind /data/adb/bootanimation_android12.zip /system/media/bootanimation.zip
bootanimation
Click to expand...
Click to collapse
Hello,
I would like to create a Magisk module that targets the file /odm/etc/mixer_paths.xml.
I am a little confused about the examples you have given. Can you please guide me using the directory I mentioned? It would be very helpful. Thank you.
sargodian2 said:
Hello,
I would like to create a Magisk module that targets the file /odm/etc/mixer_paths.xml.
I am a little confused about the examples you have given. Can you please guide me using the directory I mentioned? It would be very helpful. Thank you.
Click to expand...
Click to collapse
Hi
no Magisk module necessary (but it can be done also via Magisk Module, of course)
Use
- install Magisk
- become root user
- create the file /data/adb/mixer_paths.xml with the changed contents
- create the script /data/adb/post-fs-data.d/change_odm_etc_mixer.sh :
echo "mount -o bind /data/adb/mixer_paths.xml /odm/etc/mixer_paths.xml " >/data/adb/post-fs-data.d/change_odm_etc_mixer.sh
- make the script executable
chmod 755 /data/adb/post-fs-data.d/change_odm_etc_mixer.sh
- reboot
Note that these instructions only work if the file /odm/etc/mixer_paths.xml already exists - you can not create additional files using this approach.
regards
Bernd
bnsmb said:
Hi
no Magisk module necessary (but it can be done also via Magisk Module, of course)
Use
- install Magisk
- become root user
- create the file /data/adb/mixer_paths.xml with the changed contents
- create the script /data/adb/post-fs-data.d/change_odm_etc_mixer.sh :
echo "mount -o bind /data/adb/mixer_paths.xml /odm/etc/mixer_paths.xml " >/data/adb/post-fs-data.d/change_odm_etc_mixer.sh
- make the script executable
chmod 755 /data/adb/post-fs-data.d/change_odm_etc_mixer.sh
- reboot
Note that these instructions only work if the file /odm/etc/mixer_paths.xml already exists - you can not create additional files using this approach.
regards
Bernd
Click to expand...
Click to collapse
Thank You, It worked.
thank you bnsmb
i fallowed your clear steps to modify cscfeature.xml on my S23
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
amk316 said:
View attachment 5938113
Click to expand...
Click to collapse
what's the message of this screenshot?
bnsmb said:
what's the message of this screenshot?
Click to expand...
Click to collapse
when i bind cscfeature.xml on my s23 MemoryDetector app detected it!!!
amk316 said:
when i bind cscfeature.xml on my s23 MemoryDetector app detected it!!!
Click to expand...
Click to collapse
>>when i bind cscfeature.xml on my s23 MemoryDetector app detected it!!!
and do you think that shouldn't be?
I don't know what the MemoryDetector app is used for but is quite easy for an app to check the current mounts to find bind mounts. So it works like expected.
regards
Bernd
Another method to change files in read-only filesystems is to use an overlay filesystem.
This method is implemented in the Magisk Module Magisk Overlayfs.
The source code for this Magisk module is available here:
https://github.com/HuskyDG/magic_overlayfs
Using this Magisk Module every file in most of the read-only filesystems in Android can be changed;
excerpt from the documentation:
Make most parts of system partition (/system, /vendor, /product, /system_ext, /odm, /odm_dlkm, /vendor_dlkm, ...) become read-write.
Click to expand...
Click to collapse
I successfully tested this Magisk Module on an ASUS Zenfone 8 running OmniROM 13.
Notes:
There is no installable zip file in the repository for the Magisk Overlayfs . But the repository contains a script to create the zip file (build.sh).
Note that I had to change the code to create the Magisk module zip file in the script build.sh to create an installable Magisk Module:
I replaced the line
Bash:
zip -r9 out/magisk-module-release.zip out/magisk-module
with
Bash:
cd out/magisk-module && zip -r9 ../magisk-module-release.zip

Categories

Resources