Rooting [1] is the process by which users of Android devices can attain privileged control (known as root access) over various subsystems of the device, usually smartphones and tablets. Because Android is based on a modified version of the Linux kernel, rooting an Android device gives similar access to administrative (superuser) permissions as on Linux or any other Unix-like operating system such as FreeBSD or macOS.
Rooting is often performed to overcome limitations that carriers and hardware manufacturers put on some devices. Thus, rooting gives the ability (or permission) to alter or replace system applications and settings, run specialized applications ("apps") that require administrator-level permissions, or perform other operations that are otherwise inaccessible to a normal Android user. On some devices, rooting can also facilitate the complete removal and replacement of the device's operating system, usually with a more recent release of its current operating system.
Root access is sometimes compared to jailbreaking devices running the Apple iOS operating system. However, these are different concepts: Jailbreaking is the bypass of several types of Apple prohibitions for the end user, including modifying the operating system (enforced by a "locked bootloader"), installing non-officially approved (not available on the App Store) applications via sideloading, and granting the user elevated administration-level privileges (rooting). Many vendors such as HTC, Sony, OnePlus, Asus, Xiaomi, and Google explicitly provide the ability to unlock devices, and even replace the operating system entirely. [1] [2] [3] [4] Similarly, the ability to sideload applications is typically permissible on Android devices without root permissions. Thus, it is primarily the third aspect of iOS jailbreaking (giving users administrative privileges) that most directly correlates to Android rooting.
Rooting is distinct from SIM unlocking and bootloader unlocking. The former allows removing the SIM card lock on a phone, while the latter allows rewriting the phone's boot partition (for example, to install or replace the operating system). [5]
Rooting lets all user-installed applications run privileged commands typically unavailable to the devices in the stock configuration. Rooting is required for more advanced and potentially dangerous operations including modifying or deleting system files, removing pre-installed applications, and low-level access to the hardware itself (rebooting, controlling status lights, or recalibrating touch inputs). A typical rooting installation also installs the Superuser application, which supervises applications that are granted root or superuser rights by requesting approval from the user before granting said permissions. A secondary operation, unlocking the device's bootloader verification, is required to remove or replace the installed operating system.
In contrast to iOS jailbreaking, rooting is not needed to run applications distributed outside of the Google Play Store, sometimes called sideloading. The Android OS supports this feature natively in two ways: through the "Unknown sources" option in the Settings menu and through the Android Debug Bridge. However, some US carriers, including AT&T, have prevented the installation of applications not on the Play Store in firmware, [6] although several devices are not subject to this rule, including the Samsung Infuse 4G; [7] AT&T lifted the restriction on most devices by the middle of 2011. [8]
As of 2011, the Amazon Kindle Fire defaults to the Amazon Appstore instead of Google Play, though like most other Android devices, Kindle Fire allows sideloading of applications from unknown sources, [9] and the "easy installer" application on the Amazon Appstore makes this easy. Other vendors of Android devices may look to other sources in the future. Access to alternate apps may require rooting but rooting is not always necessary.
Advantages of rooting include the possibility for complete control over the appearance, feel, and behaviour of the device. As a superuser has access to the device's system files, all aspects of the operating system can be customized with the only real limitation being the level of coding expertise. [10] Immediately expectable advantages of rooted devices include the following: [11] [12]
/sys/devices/platform/sec-battery/power_supply/battery/siop_level system file, where 100 represents the highest technically supported charging rate. [18] [a]
Some disadvantages of rooting include:
Rooting allows the user to obtain privileged access to a phone. It does not allow a user to install a new OS (custom firmware or custom ROM) or recovery image, and it doesn't allow a phone that is locked to a certain carrier to be used on another one. Related operations allow these.
Bootloader unlocking is sometimes a first step used to root the device; however, it is not the same as rooting the device. [24] Most devices come with a locked bootloader, which prevents users from installing a new boot image, which is often flashed when rooting a device or using a custom ROM. [25] The bootloader runs on device start-up and is in charge of loading the operating system on the phone. [26] It is generally in charge of verifying that phone system information hasn't been tampered with and is genuine. Nonetheless, people still perform this operation, as unlocking the bootloader allows users to install custom ROMs. [27]
The first step is generally to set up OEM unlocking, [28] and then to follow manufacturer-specific instructions. [24] Not all devices can be bootloader unlocked, and some can only be unlocked with an exploit, which usually needs a privilege escalation bug in order to remove software locks; this includes most LG V20 models and Verizon-sold Google Pixel devices. [29] [30]
The process of unlocking the bootloader might involve a factory reset, erasing all user data, third-party applications, and configuration. [31] [32]
SIM unlocking allows a phone that is locked to a certain carrier to be used on a different carrier. The instructions vary per device and carrier, but this might be done by first requesting the carrier to unlock the phone or purchasing an unlock code online. [33]
Some rooting methods involve the use of a command prompt and a development interface called the Android Debug Bridge (also known as ADB), while other methods may use existing vulnerabilities in devices. Due to similarly modeled devices often having a multitude of changes, rooting methods for one device when used for a different variant can result in bricking the device.
"Systemless root" is a variant of rooting in which the underlying device file system is not modified. Systemless root uses various techniques to gain root access without modifying the system partition of a device. Some root applications may include a "hiding" function, which attempts to mask the effects and results of rooting, often by whitelisting certain applications for the root or blocking access to affected files. [34] Systemless rooting has the advantage of not triggering the software-based version of SafetyNet, an Android feature that works by monitoring changes to system files and is used by applications such as Google Pay to detect whether a device has been tampered with, such as by rooting. However, hardware-backed SafetyNet versions may be triggered by systemless rooting, as well as in unrooted devices shipped without Google Mobile Services (GMS). [35] [36] [37] [38] [39]
The distinction between "soft rooting" through a security vulnerability and "hard-rooting" by flashing a su binary executable varies from exploit to exploit, and manufacturer to manufacturer. Soft-rooting requires that a device be vulnerable to privilege escalation, or replacing executable binaries. Hard-rooting is supported by the manufacturer, and it is generally only exposed for devices the manufacturer allows. [40] If a phone can be soft-rooted, it is also inherently vulnerable to malware. [40]
The process of rooting varies widely by manufacturer and device but sometimes includes exploiting one or more security bugs in the firmware of the device (i.e., in the version of the Android OS installed on it). [40] Once an exploit is discovered, a custom recovery image that will skip the digital signature check of firmware updates can be flashed. Then a modified firmware update that typically includes the utilities needed to run apps as root can be installed. For example, the su binary (such as an open-source one paired with the Superuser [41] or SuperSU application [42] ) can be copied to a location in the current process' PATH (e.g., /system/xbin/) and granted executable permissions with the chmod command. A third-party supervisor application, like Superuser or SuperSU, can then regulate and log elevated permission requests from other applications. Many guides, tutorials, and automatic processes exist for popular Android devices facilitating a fast and easy rooting process.
The process of rooting a device may be simple or complex, and it even may depend upon serendipity. For example, shortly after the release of the HTC Dream (HTC G1), it was discovered that anything typed using the keyboard was being interpreted as a command in a privileged (root) shell. Although Google quickly released a patch to fix this, a signed image of the old firmware leaked, which gave users the ability to downgrade and use the original exploit to gain root access. Installable apps have managed to unlock immediate root access on some early 2010s Samsung smartphones. This has also been referred to as "one-click rooting". [43]
A security researcher, Grant Hernandez, demonstrated a use-after-free exploit in Binder, Android's IPC framework, to gain root privileges. [44] This exploit, tagged CVE-2019-2215, was alleged to be sold by the NSO Group. [45]
Some manufacturers, including Xiaomi, OnePlus, and Motorola, provide official support for unlocking the bootloader, allowing for rooting without exploiting a vulnerability. [46] However, the support may be limited only to certain phones – for example, LG released its bootloader unlock tool only for certain models of its phones. [47] Also, a manufacturer could discontinue bootloader unlocking support, as was the case with LG [48] and Huawei. [49]
The Google Nexus and Pixel line of devices can have their bootloader unlocked by simply connecting the device to a computer while in bootloader mode and running the Fastboot protocol with the command fastboot oem unlock on older devices, [50] or fastboot flashing unlock on newer devices. [51] After a warning is accepted, the bootloader is unlocked, so a new system image can be written directly to flash without the need for an exploit. Additionally, Pixel phones sold via certain carriers like Verizon disallow bootloader unlocking, [52] while others such as T-Mobile require a phone to be paid off and SIM unlocked before the bootloader can be unlocked. [53]
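The passages above on the su binary placed in a PATH directory, on root "hiding", and on unlocked bootloaders describe states that a device-compliance check can look for. The following is an added example, not part of the original article: it reads constructed `getprop` and `ls -l` output and reports rooting indicators. The system property names and the directories other than /system/xbin are assumptions about the device being checked.

```python
import re

# Directories searched for a su binary. /system/xbin is the location named in
# the text; the other entries are assumptions (further common PATH entries).
SU_DIRS = ("/system/xbin", "/system/bin", "/sbin", "/su/bin")

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")
MODE = re.compile(r"^[-lbcdps][-rwxsStT]{9}")

# Verified-boot states other than "green" and what they indicate.
BOOT_STATES = {
    "orange": "bootloader unlocked, boot image not verified",
    "yellow": "boot image signed with a user-installed key",
    "red": "boot image failed verification",
}


def parse_getprop(text):
    """Turn `getprop` lines of the form [key]: [value] into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def parse_listing(text):
    """Turn `ls -l <path>` lines into {path: mode}; error lines are skipped."""
    files = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not MODE.match(fields[0]):
            continue  # e.g. "ls: ...: No such file or directory"
        # For a symlink entry the path is the field before "->".
        path = fields[fields.index("->") - 1] if "->" in fields else fields[-1]
        files[path] = fields[0]
    return files


def find_indicators(getprop_text, listing_text):
    """Return a list of (indicator id, detail) tuples; empty means none seen."""
    props = parse_getprop(getprop_text)
    found = []
    for path, mode in sorted(parse_listing(listing_text).items()):
        directory, _, name = path.rpartition("/")
        executable = any(mode[i] in "xst" for i in (3, 6, 9))
        if name == "su" and directory in SU_DIRS and executable:
            setuid = " (setuid)" if mode[3] in "sS" else ""
            found.append(("su-binary", f"{path} mode {mode}{setuid}"))
    if props.get("ro.boot.flash.locked") == "0":
        found.append(("bootloader-unlocked", "ro.boot.flash.locked=0"))
    state = props.get("ro.boot.verifiedbootstate", "")
    if state in BOOT_STATES:
        found.append(("verified-boot-" + state, BOOT_STATES[state]))
    if "test-keys" in props.get("ro.build.tags", ""):
        found.append(("test-keys-build", "ro.build.tags=" + props["ro.build.tags"]))
    if props.get("ro.debuggable") == "1":
        found.append(("debuggable-build", "ro.debuggable=1"))
    return found


# Constructed sample input (not captured from a real device).
STOCK_PROPS = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
"""
UNLOCKED_PROPS = STOCK_PROPS.replace("[1]", "[0]", 1).replace("green", "orange")
NO_SU_LS = "ls: /system/xbin/su: No such file or directory\n"
SU_LS = "-rwsr-sr-x 1 root root 75348 2020-01-01 00:00 /system/xbin/su\n"

if __name__ == "__main__":
    cases = {
        "stock": (STOCK_PROPS, NO_SU_LS),
        "su in /system/xbin": (UNLOCKED_PROPS, SU_LS),
        "systemless, su not visible": (UNLOCKED_PROPS, NO_SU_LS),
    }
    for label, (props_text, ls_text) in cases.items():
        print(label, "->", find_indicators(props_text, ls_text))
```

An empty result is not proof of an unmodified device: a root application's hiding function can keep the su file out of view, as the third case shows for the file check, which is why the text singles out hardware-backed checks.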
In the past, many manufacturers have tried to make non-rootable phones with more elaborate protections (like the Droid X), but exploits are usually still found eventually. There may be no root exploit available for new or outdated phones. [54]
Until 2010, tablet and smartphone manufacturers, as well as mobile carriers, were mainly unsupportive of third-party firmware development. Manufacturers had expressed concern about improper functioning of devices running unofficial software [55] and related support costs. Moreover, firmware such as OmniROM and CyanogenMod sometimes offer features for which carriers would otherwise charge a premium, such as tethering. Due to that, technical obstacles such as locked bootloaders and restricted access to root permissions have commonly been introduced in many devices. For example, in late December 2011, Barnes & Noble and Amazon.com, Inc. began pushing automatic, over-the-air firmware updates, 1.4.1 to Nook Tablets and 6.2.1 to Kindle Fires, that removed one method to gain root access to the devices. The Nook Tablet 1.4.1 update also removed users' ability to sideload apps from sources other than the official Barnes & Noble app store (without modding). [56] [57]
However, as community-developed software began to grow popular in late 2009 to early 2010, [58] [59] and following a statement by the Copyright Office and Librarian of Congress (US) allowing the use of "jailbroken" mobile devices, [60] [61] manufacturers and carriers have softened their position regarding CyanogenMod and other unofficial firmware distributions. Some manufacturers, including HTC, [62] Samsung, [63] Motorola [64] and Sony, [65] actively provide support and encourage development.
In 2011, the need to circumvent hardware restrictions to install unofficial firmware lessened as an increasing number of devices shipped with unlocked or unlockable bootloaders, similar to the Nexus and Pixel series of phones. Device manufacturer HTC has announced that it will support aftermarket software developers by making the bootloaders of all new devices unlockable. [55] However, carriers, such as Verizon and more recently AT&T, have continuously blocked OEMs from releasing retail devices with unlocked bootloaders, opting instead for "developer edition" devices that are only sold unsubsidized and off-contract. These are similar in practice to Nexus devices, but for a premium and with no contract discounts. More recently, since 2019, AT&T has allowed Pixel devices to have unlockable bootloaders once a device is paid off and SIM unlocked. [66]
In 2014, Samsung released a security feature called Knox, which verifies whether system and boot files were modified. If custom firmware was flashed, the eFuse is set to 0x1, permanently voiding the warranty and disabling Knox-enabled features such as Samsung Pay. [67] Additionally, certain Samsung devices lack the ability to flash custom software, namely Samsung phones and tablets released in North America after 2015, with an exception for devices lacking a cellular modem, [68] although there are exploits that can unlock the bootloader on some affected devices running older One UI versions. [69]
International treaties have influenced the development of laws affecting rooting. The 1996 World Intellectual Property Organization (WIPO) Copyright Treaty requires nations party to the treaties to enact laws against digital rights management (DRM) circumvention. The American implementation is the Digital Millennium Copyright Act (DMCA), which includes a process for establishing exemptions for non-copyright-infringing purposes such as rooting. The 2001 European Copyright Directive implemented the treaty in Europe, requiring member states of the European Union to implement legal protections for technological protection measures. The Copyright Directive includes exceptions to allow breaking those measures for non-copyright-infringing purposes, such as to run alternative software, [70] but member states vary on the implementation of the directive.
In 2010, Electronic Frontiers Australia said that it is unclear whether rooting is legal in Australia, and that anti-circumvention laws may apply. [71] These laws were strengthened by the Copyright Amendment Act 2006.
In November 2012, Canada amended its Copyright Act with new provisions prohibiting tampering with digital locks, with exceptions including software interoperability. [72] Rooting a device to run alternative software is a form of circumventing digital locks for the purpose of software interoperability.
There had been several efforts from 2008 to 2011 to amend the Copyright Act (Bill C-60, Bill C-61, and Bill C-32) to prohibit tampering with digital locks, along with initial proposals for C-11 that were more restrictive, [73] but those bills were set aside. In 2011, Michael Geist, a Canadian copyright scholar, cited iPhone jailbreaking as a non-copyright-related activity that overly broad Copyright Act amendments could prohibit. [74]
The Free Software Foundation Europe argues that it is legal to root or flash any device. According to the European Directive 1999/44/EC, replacing the original operating system with another does not void the statutory warranty that covers the hardware of the device for two years unless the seller can prove that the modification caused the defect. [75]
The law Copyright and Related Rights Regulations 2003 makes circumventing DRM protection measures legal for the purpose of interoperability but not copyright infringement. Rooting may be a form of circumvention covered by that law, but this has not been tested in court. [70] [76] Competition laws may also be relevant. [77]
India's copyright law permits circumventing DRM for non-copyright-infringing purposes. [78] [79] Indian Parliament introduced a bill including this DRM provision in 2010 and passed it in 2012 as Copyright (Amendment) Bill 2012. [80] India is not a signatory to the WIPO Copyright Treaty that requires laws against DRM circumvention, but being listed on the US Special 301 Report "Priority Watch List" applied pressure to develop stricter copyright laws in line with the WIPO treaty. [78] [79]
New Zealand's copyright law allows the circumvention of technological protection measure (TPM) as long as the use is for legal, non-copyright-infringing purposes. [81] [82] This law was added to the Copyright Act 1994 as part of the Copyright (New Technologies) Amendment Act 2008.
Rooting might be legal in Singapore if done to provide interoperability and not circumvent copyright, but that has not been tested in court. [83]
The Unlocking Consumer Choice and Wireless Competition Act guarantees that consumers can unlock or let others unlock their phones. Under the Digital Millennium Copyright Act (DMCA) rooting was illegal in the United States except by exemption. The U.S. Copyright Office granted an exemption to this law "at least through 2015". [84]
In 2010, in response to a request by the Electronic Frontier Foundation, the U.S. Copyright Office explicitly recognized an exemption to the DMCA to permit rooting. [85] [86] In their ruling, the Library of Congress affirmed on July 26, 2010, that rooting is exempt from DMCA rules with respect to circumventing digital locks. DMCA exemptions must be reviewed and renewed every three years or else they expire.
On October 28, 2012, the US Copyright Office updated their exemption policies. The rooting of smartphones continues to be legal "where circumvention is accomplished for the sole purpose of enabling interoperability of [lawfully obtained software] applications with computer programs on the telephone handset". However, the U.S. Copyright office refused to extend this exemption to tablets, arguing that the term "tablets" is broad and ill-defined, and an exemption to this class of devices could have unintended side effects. [87] [88] [89] The Copyright Office also renewed the 2010 exemption for unofficially unlocking phones to use them on unapproved carriers, but restricted this exemption to phones purchased before January 26, 2013. [88]
Tim Wu, a professor at Columbia Law School, argued in 2007 that jailbreaking is "legal, ethical, and just plain fun". [90] Wu cited an explicit exemption issued by the Library of Congress in 2006 for personal unlocking, which notes that locks "are used by wireless carriers to limit the ability of subscribers to switch to other carriers, a business decision that has nothing whatsoever to do with the interests protected by copyright" and thus do not implicate the DMCA. [91] Wu did not claim that this exemption applies to those who help others unlock a device or "traffic" in software to do so. [90] In 2010 and 2012, the U.S. Copyright Office approved exemptions to the DMCA that allow users to root their devices legally. [92] It is still possible to employ technical countermeasures to prevent rooting or prevent rooted phones from functioning. [93] It is also unclear whether it is legal to traffic in the tools used to make rooting easy. [93]
[a] /sys/class/power_supply/battery/siop_level is a shorthand symbolic link to that system file.