How to root Android using Ubuntu

The Big Picture

Android consists of three parts relevant to rooting:

  1. the bootloader
  2. recovery system
  3. main system

Typically only the main system is running, that is the Linux kernel, the launcher, the phone app etc. When we talk about rooting, we mean adding an additional app to the main system which may access secured parts of the main system and also acts as a gatekeeper for other apps that want to get access too.

The problem is that we need access to the secure parts of the system in order to do so, which means that we can't simply install that app (e.g. an apk) from within the main system.

This means we have to go one level down, to the recovery system. Typically you do not see it, as it is only active when the main system cannot run, either because a system update is being installed or because you are doing a factory reset.
As the recovery system can do a full system update, it also has access to the secured parts of the main system, which is exactly what we need. Unfortunately the stock recovery system does not allow installing apps, so we have to replace it.
But before that we have to talk about the bootloader.

The bootloader is a tiny piece of software which decides whether to start the recovery or the main system (or another main system, like Ubuntu Phone). In the default configuration it only starts systems that it knows and trusts. In this configuration the bootloader is called locked. Although this prevents malicious software from changing the phone and spying on us, it also prevents us from replacing the recovery system. This concept is also coming to the PC, by the way, where it is called Secure Boot.

Here is a graphical overview of the Android components:

[Figure: android-brs]

So what we need to do in order to get root access is

  1. unlock the bootloader
  2. replace the recovery system
  3. install a superuser app

Note that unlocking the bootloader also allows attackers to circumvent any of the Android security features. It is possible to directly access all the files on the phone from the bootloader.
Therefore Android will wipe all user data when the bootloader is unlocked.

Preparations

First you need to install the fastboot binary to be able to perform low-level communication with the device

apt-get install android-tools-fastboot

Next you have to allow non-root users to execute commands over USB, so you do not have to run fastboot as root. For this create the file

/etc/udev/rules.d/51-android.rules

with the following content

SUBSYSTEM=="usb", ATTR{idVendor}=="<VENDOR>", MODE="0666", GROUP="plugdev"

You can find the value for <VENDOR> on the page linked here.
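An added example, not part of the original post: a shell helper that generates the rule for a given vendor ID and audits an existing rules file. It writes MODE="0660" rather than the 0666 shown above, because 0666 makes the device node read/write for every local user while 0660 limits it to members of plugdev. The function names are hypothetical, and 18d1 (Google's USB vendor ID) is used only as a sample value.

```shell
#!/bin/sh
# Added example: build and audit udev rules for Android USB access.

# make_rule VENDOR
# Print a rule for a 4-hex-digit USB vendor ID. Anything else is rejected,
# so a mistyped or pasted value cannot end up in the rules file.
make_rule() {
    vendor=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$vendor" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "invalid vendor id: $1" >&2; return 1 ;;
    esac
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", MODE="0660", GROUP="plugdev"\n' "$vendor"
}

# has_world_access < RULES_FILE
# Return 0 if any rule on stdin grants access to "other" users, i.e. the
# last octal digit of MODE is non-zero (MODE="0666", MODE="664", ...).
has_world_access() {
    grep -Eq 'MODE="0?[0-7][0-7][1-7]"'
}

# Usage (as root):
#   make_rule 18d1 > /etc/udev/rules.d/51-android.rules
#   udevadm control --reload-rules && udevadm trigger
#   has_world_access < /etc/udev/rules.d/51-android.rules && echo "too open"
```

Your user must be a member of the plugdev group for the 0660 rule to grant access.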

Finally you have to reboot into fastboot mode. Usually there is a key combination you have to press on startup.

Remember this key combination, as you will need it a few more times.

Samsung devices, however, like the Galaxy S3, do not support the fastboot mode. Instead they have a download mode, which uses a proprietary Samsung protocol. To flash those you have to use the Heimdall tool. While this article does not cover the Heimdall CLI calls, the general discussion still applies.

Unlocking the Bootloader

For Google devices, like a Nexus 4 or Nexus 7, it is just

fastboot oem unlock

If you have a Sony Xperia device, like an Xperia Z, you additionally have to request an unlock key and then do

fastboot oem unlock 0x<KEY>

where <KEY> is the key you obtained.

Replacing the Recovery System

There are two prominent alternative recovery systems with the ability to install apps

ClockworkMod (CWM) is probably the best known, so we will use that one. From the website linked above, download the recovery image which fits your phone.
Here you have the choice between the ordinary recovery, which uses the volume buttons of your device for navigation, and the touch recovery, which supports the touch screen. Flash it with

fastboot flash recovery <RECOVERY>.img

where <RECOVERY> is the name of the file you downloaded. For instance for a Nexus 5 and CWM 6.0.4.5 it would be

fastboot flash recovery recovery-clockwork-6.0.4.5-hammerhead.img
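An added example, not part of the original post: since the recovery image gets access to the secured parts of the system, it is worth checking the download before flashing it. The wrapper below only calls fastboot when the file's SHA-256 matches a checksum you supply. It assumes the site you downloaded from publishes one, and the function names and the DRY_RUN variable are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to flash a recovery image whose SHA-256 does not
# match the checksum published by the image's distributor.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image FILE EXPECTED_SHA256 -> 0 on match, 1 otherwise
verify_image() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    # Published checksums are sometimes upper case; compare in lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $1" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# flash_recovery FILE EXPECTED_SHA256
# Calls fastboot only after the checksum matched. With DRY_RUN=1 the
# command is printed instead of executed.
flash_recovery() {
    verify_image "$1" "$2" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "fastboot flash recovery $1"
    else
        fastboot flash recovery "$1"
    fi
}

# Usage (replace the placeholder with the published checksum):
#   flash_recovery recovery-clockwork-6.0.4.5-hammerhead.img <SHA256>
```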

Installing the superuser app

Again we have several choices here

Although SuperSU is the most prominent one, I would recommend getting Superuser by CWM, as it is open source and also nag-free, as there is no “pro” version of it.

To install it, we need to get this zip archive and copy it to the device. Then we need to reboot into fastboot mode and select “Recovery Mode” to get to the recovery system. Once in Recovery mode select

install zip -> choose zip from /sdcard

then browse and select the “superuser.zip” you just copied.

Once installed select

Go Back -> reboot system now

Once the system has started you should have a “Superuser” App on your device. Congratulations, you are done.

Optional: flash stock recovery

As the recovery is responsible for installing system updates, it is a good idea to revert to the stock version after you have installed root, so the system can auto-update itself again. However, a system update will also remove your superuser app, so you will have to repeat the above procedure.

If you have a Google Nexus device, you can grab the factory images here. There you will find an image of the stock recovery, which you can restore with

fastboot flash recovery recovery.img
  • Remco Stoutjesdijk

    I have to do some rooting every now and then and always forget how the process works and end up googling somewhere.

    This description is the first one I’ve seen that actually explains what the process does rather than just lists a sequence of actions; I might actually remember it this time around. Best explanation I’ve seen up to now, anywhere on the net. Thank you very much!

  • Alwin Mark

    You have to add the apt-source before you can install android-tools-fastboot: http://www.ubuntuupdates.org/ppa/webupd8?dist=precise

    sudo add-apt-repository ppa:nilarimogard/webupd8
    sudo apt-get update
    sudo apt-get install android-tools-fastboot

    • rojtberg

      this is only necessary for precise – starting from quantal fastboot is in the official archives.

  • John Rose

    I’m using Ubuntu Trusty with a Nexus 10 (manta).
    I’ve unlocked the bootloader (fastboot oem unlock) OK.
    I’ve replaced the recovery system with CWM’s Touch version (fastboot flash recovery Downloads/recovery-clockwork-touch-6.0.4.7-manta.img).
    I haven’t installed the superuser app as it was already installed.
    When I try to reboot into fastboot mode, there is no reboot option and only the Device Information shows: I’ve tried clicking Start and everywhere else & nothing happens. I’ve tried a normal reboot (by holding down just the power button) & it showed Google followed by 4 coloured circles but nothing else happens. Any suggestions?

    • rojtberg

      in the fastboot mode you do not have touch yet, so you have to navigate using the volume buttons for up/ down and the power button for enter.

      • John Rose

        First time I used the Touch version; second time I used the non-touch version and it was OK

  • John Rose

    I’ve just reflashed a stock image for manta 4.4.2 (bootloader-manta-mantamf01) and still same result.

  • John Rose

    I’ve just unbricked my Nexus 10 by following:
    http://www.android.gs/how-to-unbrick-google-nexus-10/
    However, both versions of Root Checker (from Free Android Tools & Joeykrim) still say that the Nexus does not have root access.

    • rojtberg

      if you do a factory reset like described in the link you will lose any root app. This is because installing the root means modifying the root filesystem which gets replaced during factory reset. This is also true for a system upgrade (like from android 4.3 to 4.4).

      • John Rose

        I should have said that after doing the unbrick, that I successfully followed your instructions (I think that I caused the brick originally by not doing the Flash Stock Recovery successfully as I didn’t realise that the recovery.img file needs to be extracted from one of the extracted files). I’ve also tried instructions at:
        http://www.modaco.com/topic/359282-superboot-nexus-10-root-solution/
        with equal lack of success re Root Checker.

        • rojtberg

          this is strange. Did the “Installing the superuser app” step work for you? i.e. do you see the superuser app and can start it?

          • John Rose

            On starting superuser app, it says that Superuser binary must be updated. I click ‘Recovery Install’ button (other button is Cancel). It then says ‘error installing Superuser’, ‘send log to developer’ but there are no logs!

          • rojtberg

            installing the superuser binary via “recovery install” will only work with CWM Recovery. So if you already reverted to stock recovery, you probably need to switch back and forth one more time.

          • John Rose

            I started again. All went well including the Optional Flash Stock Recovery. However, when trying to reinstall CWM’s superuser: I rebooted into fastboot mode (with usb not connected to my PC) and then selected (i.e. got it highlighted & then pressed power switch) “Recovery Mode” to get to the recovery system but I then get an Android yellow picture with ‘No command’ underneath. So I have no option to select install zip.

          • rojtberg

            that’s the problem: you should only flash Stock Recovery when you have verified that superuser is running. That means prior to flashing to stock you need to install the superuser app via zip and start it at least once so it can install the sudo binary.

          • John Rose

            I just noticed that Superuser app is still present on phone. Both Root Checker apps say that phone is rooted. I’m sure that I did Stock Recovery. And I’ve just done Stock Recovery again to make sure & Superuser app is still present. So it looks like everything is now OK

  • Issa

    no way to do it for zopo device like zop950

  • Antonio

    It would have been nice to know that after unlocking the recovery system all data in the device is ERASED.

    Now it is too late for me, but maybe not for others.

  • bigmac turd

    i feel like a dumb dumb… maybe it’s been a long night full of failures.

    i’m on linux mint, i have a htc incredible. i have installed fastboot

    now what lol, fastboot oem unlock 0x0bb4 ….

    so i power up the device with volume-up-key to see the bootloader ***locked*** and linux is still waiting…

    how do i unlock the bootloader. . .

    • rojtberg

      note that the instructions in the post were only for Google Nexus devices. I have no experience with HTC devices. However you might take a look at: http://www.htcdev.com/bootloader

  • pentag

    very revealing