Root Android: how it works – connect

© Tim Kaufmann / connect

The Google Pixel 3 is currently one of the most easily rootable devices.

“Root” is the administrator of the Linux world from which Android also originates. “Rooting” therefore means obtaining administration rights. To do this, remove the write protection for the memory area (more precisely: the partition mounted under / system) on which the manufacturer has installed the Android operating system. This allows you to change Android functions and settings that the manufacturer actually protected.

Tip: There are good reasons for rooting, but there are also many that speak against it. Read our Pro & Contra “Android rooting” before you start.

Android root 2020

Rooting can be confusing. The procedure depends on both the mobile phone and the version of Android that is running on it. In addition, cell phones can contain very different hardware despite having a similar or even identical model name. And then there are mobile phone providers who adapt the software to the cell phones they sell and make it difficult to root. While this is primarily a problem in the US market. However, it makes it difficult to find suitable instructions for your own mobile phone on the Internet.

We can list four different root methods from the current state. CF-Auto-Root, Framaroot, KingRoot and Towelroot are outdated methods for Android up to version 5. They use errors in the operating system to give the user root rights. These methods also have their name from “exploiting”. They are called “exploits”. Now Android has developed so far over the years that exploits rarely work. Today Android is usually rooted according to the following procedure:

  1. Unlock the boot loader
  2. Install Custom Recovery System
  3. Unlock root rights

We describe this procedure in more detail below.

Android root with Magisk

Before you make changes to your cell phone, you should back up the data stored on it. For security reasons, all existing data is deleted from the cell phone. We have already described how Android backups work.

To make it easier to understand, let’s look at the root process from the end: Android must be modified to gain root rights. If Android is already running, this is no longer possible. So you need to make the change before Android starts. To do this, you have to start another operating system instead of Android when the system starts. In principle, this is easy, because the second system is part of every Android device. It is called the Recovery System and is actually used to restore a damaged Android installation and to install updates. As part of the root process, you replace it with alternative software, the so-called “Custom Recovery System”.

We recommend TeamWin Recovery Project, TWRP for short, but as of May 2020 still has problems with devices that come with Android 10. With its help, you then play root software on the phone that modifies Android accordingly. The current trend is Magiskthat works on Android from version 4.2. SuperSU was also popular for many years, but is hardly developed any further and is quickly discovered by anti-root measures by app manufacturers.

So there is only one question left: How do you get the Custom Recovery System on the phone? The boot loader helps you with this, i.e. the software that starts first when Android is switched on and then typically loads Android – or the recovery system. This brings us to the crucial part of rooting. Depending on the manufacturer and model, the boot loader is sometimes more, less well protected against user intervention.

So whether a cell phone can be rooted at all depends on whether you can unlock the boot loader (so-called “unlock”). Ideally, this is easily done using the Android settings. Search the web for the name of your cell phone in connection with keywords such as “unlock bootloader” or “bootloader unlock” to find out more.

Android root in practice

How far theory and practice can sometimes be apart is shown by our self-experiment with a Google Pixel 3. The boot loader was unlocked without any problems, but we were unable to copy TWRP to the device – presumably because TWRP on the pixel devices generally not yet with Android 10 gets along.

But there is an alternative way that works without custom recovery. But it means a little more effort.


First, we unlock the Android developer options by tapping the build number displayed there seven times in quick succession in the cell phone settings under “About the phone”. Then we switch to the developer options (under “System> Advanced”) and allow USB debugging. In this way we allow the cell phone to react to commands issued by the PC via USB.

We issue these commands using two command line programs called adb and fastboot. They are part of the Android Platform Tools provided by Google (download for Windows | macOS | Linux). After unpacking the download, we connect the Pixel 3 via USB and wait until Windows 10 has recognized the Pixel 3 and set up the drivers.

Tip: Other cell phones sometimes need additional drivers. Google’s help pages contain one List of important download links.

We start the adb program with the command

adb devices

A security question appears on the cell phone, which we confirm.

© Tim Kaufmann / connect

The cell phone appears with its serial number in the list of connected devices – so communication works.

Up to this point, the process is no different from rooting other devices (apart from the fact that we have not yet unlocked the boot loader in the developer options). The special now follows.

Magisk patched bootloader

Our different root process is based on the fact that we use Magisk to modify a file supplied by Google with Android. It has to match the version of Android that runs on the cell phone exactly. To ensure this, we first load a current one Factory imageFor the Pixel 3. The ZIP file contains Google’s original Android installation for the pixel.

After unpacking, we find a whole series of files in the folder that was created. With a double click on the file “flash-all.bat” we ensure that the PC installs the factory image on the mobile phone via USB. We load the app while the transfer is running Magisk ManagerThat is part of Magisk. Then we fish the file from the factory image and unzip it as well. So we come across the file “boot.img”, which we immediately copy onto the cell phone together with Magisk Manager.

Android is now freshly installed on the phone. We start the cell phone, complete the initial setup, unlock the developer options again and this time, in addition to USB debugging, we also unlock the boot loader.

© Screenshot: Tim Kaufmann / connect

At best, the manufacturer allows the boot loader to be unlocked using Android’s developer options.

Then we transfer the boot.img and the MagiskManager.apk to the mobile phone via Explorer. In the Android settings, we allow the installation of apps from unknown sources under “Security”. Then we install Magisk Manager by tapping the APK file.

In Magisk Manager we tap on “Install Magisk” and then on “Select and patch a file”. In the next step we select the “boot.img” file that we have just transferred to the cell phone. Magisk Manager now modifies the file so that it contains the changes necessary for root. This creates a new file called magisk_patched.img. We copy them with the command

adb pull /storage/emulated/0/Download/magisk_patched.img

back to the PC. There we move them to the Platform Tools folder.

© Tim Kaufmann / connect

With Magisk Manager, we edit part of the factory image so that we can then root Android.

Almost standard again: fastboot installs Magisk

From here on, the steps are similar to the standard procedure, except that TWRP is not installed. We switch off the cell phone, wait a short moment and then start the boot loader. To do this, we hold down the on / off button together with the volume down button until the display turns on and then we first release the on / off button. You can find key combinations for other cell phones on the web (cell phone model plus keywords such as “Start bootloader”).

The boot loader automatically starts in Fastboot mode. With

fastboot devices

we make sure that communication with the mobile phone works here too. Then we trigger the unlocking of the bootloader

fastboot flashing unlock

© Tim Kaufmann / connect

Unlock bootloader with fastboot

The boot loader asks if the pixel should really be unlocked. With the volume button we switch to the approval (“Unlock the bootloader”) and confirm by pressing “OK”.

© Tim Kaufmann / connect

Unlock bootloader

The smartphone restarts and the boot loader appears again. With

fastboot flash boot magisk_patched.img

we replace the original boot image with the one modified by Magisk Manager. A brave one

fastboot reboot

brings us back to Android. We complete the initial setup again and then install Magisk Manager.

© Tim Kaufmann / connect

Done: Magisk Manager confirms the correct installation and completes it with a final download.

Tip: For Magisk there are a number more practical Extensions that you should check out. You can find help for daily use in the Magisk forum on XDA Developers.

more on the subject

You May Also Like

About the Author: Jan Gruber

Leave a Reply

Your email address will not be published. Required fields are marked *