Root an Android Smartphone with No Ramdisk (Tecno LC6 Pouvoir 3 Air)
Requirements:
# Windows and/or Linux PC (Windows recommended due to Drivers and Software availability and compatibility)
# ADB platform tools
# Flashing software
# Unlocked Bootloader
# Stock/Custom ROM
# Magisk
# TWRP
# Android Smartphone with no Ramdisk
Note:// The smartphone used for this demonstration is the Tecno LC6 Pouvoir 3 Air. Therefore, the instructions are geared towards this specific phone, including the flashing software to download, the Stock ROM and other specifics here and there. For other devices, this procedure may not apply as is. The LC6 has the following features of interest (for purposes of reproducing the results):
# Android 9 Pie
# Mediatek Processor (MT6763)
Setting up your Windows PC for the task:
Get your hands on a PC running Windows (the procedure was done on Windows 10, so Windows 7 and 8.x might not suffice).
# Download and install the necessary Android drivers, not necessarily TECNO specific. You can get the drivers from different sources, but I recommend that you get them from the official website/repository for your device (smartphone or PC) or from the links provided by the maintainers of the Android Open Source Project (AOSP).
# Download and install the ADB platform tools. Again, there are many sources, but get them from the official AOSP website. For Windows, the tools come packaged in a ZIP archive. Make sure to extract them to the directory you will be working in. At this point, press and hold the ‘Shift’ key as you right click on the directory with the ADB platform tools, and click on “Open PowerShell Here”. Leave the PowerShell window open.
# Download the Flashing Software.
Installing Flashing Software:
For LC6, the “Transsion Software Download” was searched for, downloaded, installed and used. The following metadata were of interest when checking the legitimacy of the software, as I did not find any official copy:
# Executable name: SWD_AfterSales.exe
# Internal Name : SoftwareDownload.exe
# Legal Copyright : TRANSSION Copyright
# Language Code : Chinese (Simplified)
# Product Version : 4.1901.23.17
It is necessary to have this software on standby, for flashing the custom software you will work with, and also in case the flashing process goes wrong and probably results in a boot-loop, amongst other possible issues. At that point, you can just flash the stock ROM and get your phone working again.
Note:// I recommend that you use a PC or OS dedicated to such tasks as research and development, or one that does not have much to lose when downloading and dealing with unofficial software and packages, for safety and security reasons. If such a PC is unavailable, make sure to purge the unofficial software/packages as soon as you are done with this Android Rooting process.
Enabling Developer Options:
Before anything else, you need to be a developer to proceed with whatever fishy business you wanna do on your device. To do this, navigate on your device to ‘Settings‘ and then to ‘System’ and ‘About phone‘. Locate ‘Build number‘ and tap on it 8 times. Clicking on the option the 8th time should toast a message saying, “No need, you are already a developer.”. Go back one step to ‘System‘ and there should now be an added setting for ‘Developer options‘. Click on it and toggle on the button. Next, locate the setting ‘USB debugging‘ and enable it.
Backing up your Data:
It is always recommended that you do a full or partial backup of all important data before performing any actions that might lead to user data loss. On this note, you should make regular data backups a habit, even under normal circumstances when you are not performing such actions. You can back up your data:
# Manually to an external storage device,
# Using the following ADB command, which targets “/sdcard/” and copies it as it is;
adb pull /sdcard ./sdcard-backup/ -a
Unlocking your Bootloader:
Bootloaders come locked by default to prevent writing changes. It is understandable, since the majority of phone users only perform purely basic tasks, unlike YOU, who is actually interested in ‘knowing’ your device better to ‘unlock potential’ (whatever that is). To proceed you must unlock your phone’s Bootloader. There are several ways:
# Via ‘Developer options‘ — On newer Android devices, you can enable bootloader unlocking in ‘Developer options’. On LC6, there is such an option, which you should toggle on, before proceeding.
# Via ADB — To complete unlocking the bootloader, we will use ADB (Android Debugging Bridge). It is time to get your hands dirty…
# Connect your phone to the PC, and allow MTP to enable USB debugging.
# Switch to the PowerShell window you opened earlier. Type in ‘cmd’ and hit the ‘Return/Enter’ key to switch to Command Prompt and avoid the hassle of PowerShell syntax (Note:// Throughout this process, you must not change the current working directory of the Command Prompt running in PowerShell. The current working directory is the directory with the “adb.exe” and “fastboot.exe” tools);
cmd
# Type in “adb devices” (and hit the ‘Return’ key, an action that should be done after every command, and which I will avoid repeating). When working with PowerShell, the same command is “.\adb.exe devices”. An identifier for your device should appear on the screen after the command runs, but next to the identifier will be an ‘unauthorized’ label. Clear it by checking the box to always allow debugging from the PC and tapping on “Allow” on the pop-up that appears on the Android device. Running the command again should now show the label ‘device’. (Note:// Always confirm that ADB is active using this command before proceeding with other commands!)
adb devices
# It is good to know if your device is already rooted or not. At this point, you can know that by checking for the “su” binary which is installed and present on every rooted device;
adb shell
su
# The result of the first command is a terminal marked by a dollar sign ($) at the end. This indicates that you are now interacting with your device’s file system directly from your PC. Terminal is the Linux equivalent of Powershell/Command Prompt. Android has Terminal because it is in fact a Linux distro. You can confirm this by;
uname -a
# If the result of the second command, ‘su’, is “/system/bin/sh: su: not found”, then your device is not rooted. However, if the result is “Permission denied”, your device is definitely rooted, probably with no Root Manager. Else, if you get a floating request for root access, or note that the sign in the terminal changed from “$” to “#”, then your device is both rooted and has a Root Manager, and it’s up to you whether or not to continue reading this article.
# Type in “adb reboot bootloader“. The phone should reboot to bootloader, and the first time that happens, a warning message might appear on screen, warning you about unlocking the bootloader. (Read it carefully, but Do Not listen. Accept the consequences of your actions!). You should now be in the famous Bootloader.
adb reboot bootloader
# On Bootloader, we use “fastboot” and not “adb“. To confirm that we are in bootloader, use “fastboot devices“. This should return your device identifier;
fastboot devices
# To Unlock the Bootloader, use “fastboot flashing unlock“. A warning message will appear on screen, warning you about consequences of unlocking the bootloader and using custom ROM. (Again, Read it carefully, but Do Not listen!) (Note:// After this Warning, the device automatically Erases all user data by doing a factory Reset – which is why you should always start by Backing up your Data before messing around!)
fastboot flashing unlock
# To confirm that the bootloader is unlocked, type in “fastboot flashing get_unlock_ability”. This command should return ‘0’, indicating unlocked.
fastboot flashing get_unlock_ability
Flashing Stock/Custom ROM:
You need to have a Stock/Custom ROM offline, as a downloaded package matching your device model (in my case, it’s TECNO-LC6).
NB:// ROMs should be downloaded from sources that appear convincingly credible to you. (I got no recommendations! The reason for no tips is that TECNO smartphones have a small market-share worldwide, unlike other popular smartphones, and thus have no volunteer developers I know of, willing to commit to build or support custom build ROMS like LineageOS, OmniROM, etc., officially for the specific smartphone-line!)
Extract the contents of the package to your desired directory. This step is required to locate ROM files.
I assume that you managed to find a website/repository that appeared legitimate to download your ROM from. This is your device that you intend to use after this process, and the mere fact that the ROM you have is from an unofficial source is chilling. What’s more chilling than that is just the thought of the possibility that the ROM is bundled by a malicious person. It is why it is important to verify your source.
It is time to run “Transsion Software Download“.
# Run the software as an Administrator to avoid permission issues.
# Disconnect your device, power it off and
# Your device should be recognized by the software as a COM port, like “(COM 17) MediaTek Preloader USB VCOM“. You cannot proceed if your device is not recognized. If not recognized, you can try to disconnect and reconnect your phone, or reboot your PC to apply Driver changes.
# Click on the setting icon on the software’s ‘Operation Area‘ and then click on ‘Load‘ to locate the device’s “Scatter File“, a file that is present in MTK ROMS, and that consists of the contents of a ROM as well as hashes of the ROM files. Click on ‘Confirm‘ to complete loading the contents of the ROM.
# Ensure that you can still see the COM port on the software UI, indicating that the device is still connected and recognized before clicking on the “START” button on the software’s ‘Operation Area‘. Do Not Interrupt the process or you might regret doing it! Wait until the process is done, after which the status in the ‘Result‘ section changes from ‘Ongoing‘ to ‘[01]PASS(1/1)‘. If a different status like FAIL is reported, repeat the process and diagnose your issue till you get the PASS!
# Reboot the device if it did not automatically do so. It might take a minute to reach the end of the booting process, so be patient. If it takes too long, you can restart it by long pressing the power button, or the power button and a volume key (might differ with device). After a successful boot, complete setting the initial device settings to land on the Home screen. You need not setup complex configurations like accounts and security for now.
The flash process is necessary so that we are working with ROM files from the same image. If there was a copy of whatever ROM files were used by the Stock ROM before flashing, we would not have performed the process, but instead just worked with the specific image files to the next steps.
The next thing we need is to download TWRP (Team Win Recovery Project) and the Magisk root solution and manager.
Installing TWRP & Magisk:
You need an internet connection on your phone or PC for this. Download the two apk files from their respective official sources:
# TWRP — https://dl.twrp.me/twrpapp/
# Magisk — https://github.com/topjohnwu/Magisk/releases
Install the two apps. Enable “Run with root permissions” for TWRP.
Patching Recovery with Magisk:
Implications:
For all the installation instructions for Magisk, visit the official developer, topjohnwu’s Github repository and blog. There you can understand what Magisk is all about, and how to do installation on devices with varying properties, the most notable being “RAMDISK“!
The instructions for Magisk installation on devices with a Ramdisk in boot are quite different from those for devices without one. For devices with a boot ramdisk, Magisk patches the Boot image, while for devices without a boot ramdisk, Magisk patches and ‘hijacks’ the Recovery image. Hijacking in this context implies that the Magisk root solution cannot be installed as it normally should via the boot ramdisk, and therefore the only solution to get ROOT access to your device is to patch the Recovery image, which means that the recovery image is modified.
The result of the above action is that your phone will have root access, BUT will have no recovery. Recovery is the area where you can access advanced options for wiping your device data and cache, sideloading files, etc. Once you patch the Recovery image, recovery will be gone and will be modified to be the gateway to ROOT access of your device! Now with the abstract view of what will happen, let’s get practical, shall we?
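The boot-ramdisk distinction above can be read from the images in the extracted ROM. The following is an added example, not code from the original article or from Magisk: it reads the ramdisk size declared in an Android boot image header and names the image that carries the ramdisk. The sample headers are constructed and `image_to_patch` is a hypothetical helper; treat the result as a heuristic, since it reports only what the header declares.

```python
import struct
from pathlib import Path

BOOT_MAGIC = b"ANDROID!"
MIN_HEADER = 48   # enough bytes to cover every field read below


def read_boot_header(image: bytes) -> dict:
    """Read the kernel and ramdisk sizes from a boot or recovery image."""
    if len(image) < MIN_HEADER or image[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (ANDROID! magic missing)")
    (version,) = struct.unpack_from("<I", image, 40)
    if version in (3, 4):
        # v3/v4 layout: kernel_size and ramdisk_size follow the magic directly
        kernel_size, ramdisk_size = struct.unpack_from("<II", image, 8)
    else:
        # v0-v2 layout: kernel_size, kernel_addr, ramdisk_size, ...
        kernel_size, _kernel_addr, ramdisk_size = struct.unpack_from("<III", image, 8)
        if version > 2:
            version = 0   # legacy images used this field for other data
    return {
        "header_version": version,
        "kernel_size": kernel_size,
        "ramdisk_size": ramdisk_size,
        "has_ramdisk": ramdisk_size > 0,
    }


def image_to_patch(boot: bytes, recovery: bytes) -> str:
    """Name the image that declares a ramdisk, boot taking precedence."""
    if read_boot_header(boot)["has_ramdisk"]:
        return "boot"
    if read_boot_header(recovery)["has_ramdisk"]:
        return "recovery"
    raise ValueError("neither image declares a ramdisk")


def sample_image(kernel_size: int, ramdisk_size: int, version: int = 1) -> bytes:
    """Constructed v0-v2 style header only, with no kernel or ramdisk payload."""
    header = bytearray(MIN_HEADER)
    header[:8] = BOOT_MAGIC
    struct.pack_into("<III", header, 8, kernel_size, 0x40080000, ramdisk_size)
    struct.pack_into("<I", header, 40, version)
    return bytes(header)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: script.py boot.img recovery.img
        blobs = [Path(p).read_bytes()[:MIN_HEADER] for p in sys.argv[1:3]]
    else:                    # constructed pair: boot image without a ramdisk
        blobs = [sample_image(9_000_000, 0), sample_image(9_000_000, 12_000_000)]
    print("ramdisk is declared in:", image_to_patch(*blobs))
```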
How to Patch Recovery with Magisk:
# Copy the Recovery image to the root directory of your phone, at “/sdcard/“. You can do it manually via USB cable using MTP, or via ADB in the CLI;
adb push /path/to/recovery.img /sdcard/
# Open up Magisk and tap on “Install” to begin the patching process. Under ‘Options’ there should be two options, “Preserve force encryption” and “Recovery Mode”. Select them if they aren’t selected by default. Tap on ‘Next’.
# Under ‘Method‘ check the radio button next to “Select and Patch a File“. You should land on your file manager. Select the “recovery.img” file you copied earlier. Tap on ‘LET’S GO‘. A log of what is happening should appear on the next interface named “Installation“.
# When you see the last log, “All done!”, tap on the back button. You can find the patched recovery image under “/sdcard/Download/magisk_patched_[RANDOMCHARACTERS].img”. To make it something you can work with, rename the file to “recovery-magisk-patched.img”.
# Copy the patched recovery image to your PC in the current working directory, manually, or using ADB;
adb pull /sdcard/Download/recovery-magisk-patched.img ./
# Next, you need to switch your phone’s state to Bootloader;
adb reboot bootloader
Rooting the Device / Flashing Patched Recovery:
The long awaited step in this whole process is finally here! (You must be in the Bootloader/fastboot state of your device!);
# Confirm that your device is discoverable;
fastboot devices
# Copy the “vbmeta.img” file from the unarchived ROM, to the current working directory.
# Disable “dm-verity” && “forced encryption” before flashing the patched recovery. (NB:// This step is very crucial to avoid a boot-loop that will require you to repeat the steps under “Rooting the Device / Flashing Patched Recovery” to solve it!);
fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
# Proceed to flash the patched recovery image;
fastboot flash recovery recovery-magisk-patched.img
# Reboot to recovery;
fastboot reboot recovery
# Giving the command is not enough to boot into recovery, so press and hold the key combination that takes you to recovery after issuing the “fastboot reboot recovery” command. It might take some time, but you should land on your home screen, which, probably contrary to your expectations, should not look different in any way.
# Locate and start up the Magisk app. This time, you should note something different in here. There should be an added button named “Uninstall Magisk” and some 4 floating buttons at the bottom of the app. This is it! This is all that we have been searching for all this time! When you see the button “Uninstall Magisk” and the four Magisk root management buttons, that’s a confirmation that Magisk installation was successful, and an implication that your device is now ROOTED!
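What the two fastboot switches in the vbmeta step change can be read back from the image header. The following is an added example, not code from the original article or from fastboot: a reader for the flags field of an Android Verified Boot (AVB) vbmeta header, which an auditor can run against a vbmeta partition dump to see whether verification was switched off. The sample headers are constructed, and the function names are hypothetical.

```python
import struct

AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256              # fixed size of the AVB vbmeta header
FLAGS_OFFSET = 120             # 32-bit big-endian "flags" field
HASHTREE_DISABLED = 0x01       # bit set by --disable-verity
VERIFICATION_DISABLED = 0x02   # bit set by --disable-verification


def read_vbmeta_flags(image: bytes) -> dict:
    """Decode the verification flags from the start of a vbmeta image."""
    if len(image) < HEADER_SIZE:
        raise ValueError("shorter than a vbmeta header")
    if image[:4] != AVB_MAGIC:
        raise ValueError("no AVB0 magic: not a vbmeta image")
    major, minor = struct.unpack_from(">II", image, 4)
    (flags,) = struct.unpack_from(">I", image, FLAGS_OFFSET)
    return {
        "avb_version": f"{major}.{minor}",
        "flags": flags,
        "verity_disabled": bool(flags & HASHTREE_DISABLED),
        "verification_disabled": bool(flags & VERIFICATION_DISABLED),
        "unknown_bits": flags & ~(HASHTREE_DISABLED | VERIFICATION_DISABLED),
    }


def verdict(info: dict) -> str:
    """One-line summary suitable for an audit log."""
    if info["verification_disabled"]:
        return "verification disabled"
    if info["verity_disabled"]:
        return "dm-verity disabled"
    return "verified boot flags intact"


def sample_header(flags: int) -> bytes:
    """Constructed 256-byte header (AVB 1.0, no descriptors) for the demo."""
    header = bytearray(HEADER_SIZE)
    header[:4] = AVB_MAGIC
    struct.pack_into(">II", header, 4, 1, 0)
    struct.pack_into(">I", header, FLAGS_OFFSET, flags)
    return bytes(header)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # path to a vbmeta image or partition dump
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(HEADER_SIZE)
        print(verdict(read_vbmeta_flags(data)))
    else:
        for flags in (0, 1, 3):          # stock, verity off, both off
            print(flags, verdict(read_vbmeta_flags(sample_header(flags))))
```

The switches act on the data fastboot writes to the device, so the “vbmeta.img” file in the ROM folder keeps its original flags; run the check against a dump of the device's vbmeta partition.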
Confirmation of ROOT access:
# To confirm that you now have root access to your device, on CLI, use the following commands;
adb shell
su
# The latter command is the command of interest. You should not get an error “su: not found” like before. Instead, you should get a floating request for root access by “ADB Shell“. You should click on “Grant” to allow ADB to have root access to your device. (Note:// This request will appear each time for every app that will need root access, and the good thing is that you can manage all applications with root access by using the 2nd of the four buttons (L2R) in Magisk). By granting root access, the symbol on the terminal of your device should change from “$” to “#” (check the first image of this article, where ADB commands are issued in Kali Linux).
Making Root Changes Persistent:
At this point, you have root access to your device. However, these major changes to your device are only short-lived if not made persistent/permanent. You might be curious to test this theory by restarting your phone and trying to get into recovery, where Magisk did its magic, in an effort to go back to your rooted device. Go ahead if you will, but I would recommend not to if you wanna save on time and avoid getting frustrated by “I told you so!”.
At this point for your device, you’ll have to flash the Magisk Patched Recovery image every time your phone goes off or if you shut it down normally! If you don’t want root access to disappear, then use the Magisk “Reboot” button in the Magisk App. This implies that your phone must never be powered off, like ever, or you must use the ‘Reboot’ buttons in Magisk if you wanna retain root access. If you can manage to comply with these terms, good luck!
There is however a solution to this. Devices with only the legacy A partition, or rather those without the A/B partitions are known to overwrite the foreign recovery to the stock one on a normal reboot, therefore happily rendering all your rooting process useless. To prevent this, we will use TWRP, which you installed earlier;
# Open Magisk and patch the “recovery-magisk-patched.img” (the .img file you used to successfully root your device). Magisk will recognize the file as already patched (if you watch the logs closely), but will still go ahead to patch it yet again! The file is saved at “/sdcard/Download” if you haven’t changed the default save location. Note the file, which should be in a format like “magisk_patched_[RANDOMCHARACTERS].img”. You can rename it.
# Navigate to TWRP and under settings, check the box “Run with root permissions“, if you haven’t already. This should prompt you to grant TWRP Superuser rights (the prompt is set to count down to 0, after which superuser rights will be automatically denied), which you should accept. If the prompt times out before you grant TWRP superuser rights, go to the Magisk app, tap on the Root Manager button (2nd button) and toggle on the button next to “Official TWRP App“.
# Now back to TWRP, click on “TWRP FLASH“. Don’t select any device. (If you had, or if one is selected, no worries, this doesn’t affect the subsequent steps!)
# Click on “Select a file to flash..“! This generates a floating file manager that allows you to locate your flash file, in our case the “magisk_patched_[RANDOMCHARACTERS].img” under the Download directory! Select the file by checking the adjacent check box and click on “SELECT (1)“.
# Next, click on “FLASH TO RECOVERY” to start the flashing process. Once done, you get a success confirmation. Click on “Done” and exit TWRP.
# Now, navigate to the Magisk App and click on the Reboot icon next to the Settings icon and click on “Reboot to Recovery“! Wait for your phone to reboot.
# The reboot should take you back to your rooted device instead of going into your device’s usual recovery menu (because Magisk hijacked your device’s Recovery to operate, as discussed earlier!)
If you tested the theory, or if whatever happened reset your root progress to zero, you just have to repeat the steps from the section named “Rooting the Device / Flashing Patched Recovery”!
Switching to Rooted and Unrooted Device States:
It is kinda cool, how you can get two device states, rooted and unrooted, conveniently in the same device;
# If you shutdown your device normally, from the off-state, that is, if you power on your device normally, it should take you to the unrooted version of your device.
# To get root access, or to get the rooted version of your device, shutdown your device and use the get-into-recovery menu/mode key combination (Power Key + Volume Up).
Note that, no matter how long, or how many times you press the combination, your device will never boot into the usual Recovery state! This is your new normal!
Errors that should not be a cause of Alarm;
# It is known that, after the bootloader is successfully unlocked, an error appears during the initial stages of the booting process, stating:
Orange State
Your device has been unlocked and can’t be trusted
Your device will boot in 5 seconds
# It is also known, and may be true for you, that after successful rooting of your device, SIM card(s) are not detected (No SIM card), and SIM network disappears completely in rooted mode! In unrooted mode however, SIM network is all good. To fix this, some more tweaks must be done.
Unrooting your Device;
Of course you can unroot your device any time you feel like;
# Using the “Uninstall Magisk” button, or
# By flashing the Stock/Custom ROM