Systemless Root Is Now Available For The Pixel/Pixel XL: Here's How To Root Pixel/Pixel XL
XDA Senior Recognized Developer Chainfire has spent the past few days looking for a way to root the Google Pixel and Pixel XL. He has now released SuperSU v2.78 SR2 (Stable Release 2), which gives root access on the Pixel devices once installed.
In his Google+ post, Chainfire talked about the new partitions which have been introduced in the Pixel devices:
New partition layout (Pixel and probably many future devices):
- There are two of several Android partitions: boot, system, vendor
- The recovery and cache partitions are gone
- The root / directory for Android is now part of the system partition, instead of the boot partition (initramfs)
- Recovery is now inside the normal boot image, and uses its initramfs (which used to be used by Android)
In our last post, we discussed in detail how, with the introduction of dm-verity in Marshmallow, Google made it impossible for us to modify the /system partition. To get root access on Marshmallow, Chainfire therefore resorted to modifying the RAMDisk, which is responsible for loading up multiple system images when the device boots up. On top of that, with the introduction of Nougat, Google merged the RAMDisk into the /system partition, so rooting the Pixel devices calls for newer strategies.
Quoting from our last post:
Prior to Android Marshmallow, any device could be rooted by simply modifying the /system partition and then by including some init scripts in the system partition. The init scripts would then be executed when the phone boots up, setting in a set of changes (at the boot-up time) which are required to gain root access.
Thus, to root the Pixel devices, Chainfire could either have gone back to the rooting methods used in KitKat and Lollipop and looked for ways to exploit the /system partition to get root access working, or he could have modified the RAMDisk as he had done in Marshmallow. Chainfire tried the former method, but could not find an exploit to get past the dm-verity barrier, as the kernel in the Pixel devices force-enables dm-verity on boot.
The rooting method Chainfire followed in the screenshot he had uploaded to Twitter involved making a slight change to the kernel through which dm-verity could be disabled, so that changes to the /system partition could be made easily. However, Chainfire has now gone for a brand new methodology to root the Pixel devices. This methodology does not tinker with dm-verity at all. Chainfire's current methodology is stated below.
The current solution is forcing the kernel to again use the boot image's initramfs as root directory, rather than using the files from the system partition, and ignore the dm-verity settings the bootloader insists on.
This change to the boot sequence requires a small patch to the kernel binary (inside the boot image), but does not require a kernel recompile. It should be portable to other kernels and thus remains a generic solution, though SuperSU's installer only supports uncompressed and GZIP compressed kernel binaries at this time.
This change also requires that the contents of the root directory from the system partition are imported to the boot image, so we can modify these files without modifying the system partition, and thus keep dm-verity happy, should the user wish to keep it enabled.
Since the boot image's initramfs was already used by recovery as well, we replace /init by a new custom binary that can detect between recovery and normal/charger mode, and choose which files from initramfs to use accordingly.
The contents of the root directory in the system partition are now ignored, aside from their import during the root process.
The system partition is now mounted to /system_root, with the /system directory symlinked to /system_root/system. This move is blatantly stolen from the stock recovery mechanism.
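An added example, not code from SuperSU or from the original post: a read-only inspector that locates the kernel and ramdisk inside a boot image, fingerprints both, and reports whether the kernel is in one of the two encodings the installer is said to support. It assumes the AOSP version-0 boot image header layout and treats "uncompressed" as an arm64 Image (magic at offset 0x38); the function names are hypothetical and the sample image is constructed.

```python
import hashlib
import struct
import zlib

# Version-0 boot image header: magic, then kernel/ramdisk/second (size, addr)
# pairs, tags address and page size, all little-endian uint32.
HEADER = struct.Struct("<8s8I")
ARM64_MAGIC = b"ARM\x64"  # found at offset 0x38 of an uncompressed arm64 Image


def classify_kernel(kernel):
    """Return (encoding, number of bytes trailing the gzip stream)."""
    if kernel[:2] == b"\x1f\x8b":
        stream = zlib.decompressobj(wbits=31)  # 31 selects gzip framing
        try:
            stream.decompress(kernel)
        except zlib.error:
            return "other", 0
        # Bytes after the stream are typically an appended device tree blob.
        return ("gzip", len(stream.unused_data)) if stream.eof else ("other", 0)
    return ("raw-arm64" if kernel[0x38:0x3C] == ARM64_MAGIC else "other"), 0


def inspect_boot_image(data):
    """Locate kernel and ramdisk in a boot image and fingerprint both."""
    if len(data) < HEADER.size or data[:8] != b"ANDROID!":
        raise ValueError("not an Android boot image")
    _, k_size, _, r_size, _, _, _, _, page = HEADER.unpack_from(data)
    if page == 0 or page & (page - 1):
        raise ValueError("page size is not a power of two")
    k_off = page                               # header occupies the first page
    r_off = k_off + -(-k_size // page) * page  # kernel is padded to a page
    if r_off + r_size > len(data):
        raise ValueError("kernel or ramdisk runs past end of file")
    encoding, trailing = classify_kernel(data[k_off:k_off + k_size])
    return {
        "kernel_encoding": encoding,
        "kernel_trailing_bytes": trailing,
        "kernel_sha256": hashlib.sha256(data[k_off:k_off + k_size]).hexdigest(),
        "ramdisk_offset": r_off,
        "ramdisk_sha256": hashlib.sha256(data[r_off:r_off + r_size]).hexdigest(),
    }


def constructed_image(kernel, ramdisk, page=4096):
    """Build a minimal sample image (constructed data, not a real device image)."""
    pad = lambda blob: blob + b"\0" * (-len(blob) % page)
    header = HEADER.pack(b"ANDROID!", len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)
    return pad(header) + pad(kernel) + pad(ramdisk)
```

Recording the kernel and ramdisk hashes before and after a rooting tool has run shows exactly which parts of the boot image it changed.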
How to gain root access on the Google Pixel/Pixel XL?
To gain root access on your Pixel device, you must first unlock its bootloader. To unlock the bootloader on Pixel devices bought from Verizon in the US or EE in the UK, you can use the dePixel8 tool by SunShine Developers. To unlock the bootloader on a carrier unlocked Pixel device bought from the Google Store, Flipkart, Amazon, eBay or any other online store, follow these instructions:
1. Head over to the Settings menu on your Pixel device. Scroll down to the About phone option located at the bottom of the menu and open it.
2. In the About phone menu, tap on the option titled "Build Number" 7 times. This will enable the "Developer Options".
3. Again go to the Settings menu and head over to the Developer Options. In the Developer Options, tick the checkbox next to the option "OEM unlocking".
4. Turn off your device. Press and hold the volume down and power keys together.
5. Use the volume down key to scroll down to the fastboot option. Press the power key to enter fastboot.
6. Download the ADB and Fastboot binaries for your device along with the USB drivers from this XDA thread.
7. Open the ADB folder from the files you downloaded from the above link. Hold the Shift button on your keyboard and right click in the empty folder space to open the context menu. Select "Open command window here".
8. In the window that opens next, type "fastboot oem unlock" and follow the on-screen instructions.
To root your Pixel now, download the following files as per your device:
Now boot again into fastboot as mentioned above and run "fastboot boot boot-to-root.img". Wait for a few minutes. The device will reboot at least twice. You should be rooted once Android is fully booted up.
Reviewed by Krittin Kalra on 10/30/2016 01:40:00 PM