What is rooting?
"Rooting is the process by which users of Android devices can attain privileged control (known as root access) over various subsystems of the device, usually smartphones and tablets. Because Android is based on a modified version of the Linux kernel, rooting an Android device gives access to administrative (superuser) permissions similar to those on Linux [...]"
To put it simply, one might want to do something on a device that requires special access, like uninstalling an application that was provided by the vendor as part of the system.
As the application is considered to be part of the system, the user needs to be able to delete the privileged files related to the application, hence the requirement to become a "super-user" in the Unix way.
A case for the Pixel 4a
On Android, there is a way to become superuser of the device at hand.
And just like Linux, it is done by executing the su binary.
Sounds simple and straightforward, right?
The problem is that su is never shipped by default by any smartphone manufacturer, and for obvious reasons: privilege escalation can be a security loophole in the wrong hands, especially on phones, devices which are easily misplaced and hold very personal data nowadays.
The process of gaining access to su has evolved over the years, as security loopholes were patched and new ways were engineered, and one of the popular methods at the moment is called KernelSU.
As the name implies, it is a kernel based framework.
It relies on debugging mechanisms such as Linux kernel probes (kprobes) to provide hardware breakpoints, access physical memory or invisibly intercept any system call of any process, among other functionality, thanks to running in kernel mode.
"Additionally, KernelSU provides a module system via OverlayFS, which allows you to load your custom plugin into system." [*]
It is actually through that module loading mechanism that we get access to su, which is the primary module provided by the framework.
So, how do you actually install KernelSU?
As said before, this is a kernel-based framework: there is no way around rebuilding the kernel with the proper modifications to embed the framework into it.
The resulting modified Android kernel can then be delivered as a boot image, which needs to be flashed onto the device using the fastboot tool (one of the Android SDK Platform Tools).
With the su-enabled kernel, it is just a matter of logging in and calling su:

    $ ./adb shell
    sunfish:/ $ su
    sunfish:/ #

Notice how the prompt changed from '$' to '#', to mark the change in user. Subtle, yet powerful.
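The flash-then-verify sequence described above, written out as a small POSIX shell helper. This is an added example, not a script from the original post or from the KernelSU project. It assumes adb and fastboot (the Android SDK Platform Tools) are on PATH, that the Pixel 4a's bootloader is already unlocked, and that EXPECTED_SHA256 is the checksum published alongside the boot image you downloaded (the default is a placeholder). Rather than trusting the prompt change from '$' to '#', it asks the device for the effective uid and only reports success when su actually yields uid 0.

```shell
#!/bin/sh
# Added example (not from the original post or the KernelSU project):
# flash a KernelSU boot image onto a Pixel 4a ("sunfish") and confirm that
# su really escalates to uid 0 instead of trusting the shell prompt.
# Assumptions: adb and fastboot are on PATH, the bootloader is unlocked,
# and EXPECTED_SHA256 holds the digest published with the image (placeholder).

EXPECTED_SHA256="${EXPECTED_SHA256:-<sha256-of-the-boot-image-you-downloaded>}"

# Succeeds only when the file's SHA-256 matches the expected digest,
# so a corrupted or tampered download is never written to the boot partition.
verify_image() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Classify the value printed by `id -u` on the device:
# "root" for uid 0, "unprivileged" for any other uid, "invalid" for junk.
classify_uid() {
    case "$1" in
        0) echo root ;;
        *[!0-9]*|'') echo invalid ;;
        *) echo unprivileged ;;
    esac
}

# The Pixel 4a reports the codename "sunfish" in ro.product.device.
is_sunfish() {
    [ "$1" = "sunfish" ]
}

# Reboot into the bootloader and flash the boot image into the active slot.
flash_boot() {
    img="$1"
    verify_image "$img" "$EXPECTED_SHA256" || {
        echo "checksum mismatch, refusing to flash $img" >&2
        return 1
    }
    adb reboot bootloader
    fastboot flash boot "$img"
    fastboot reboot
}

# After the device is back up, run `id -u` through su and classify the result.
check_root() {
    adb wait-for-device
    dev=$(adb shell getprop ro.product.device | tr -d '\r')
    is_sunfish "$dev" || echo "warning: device reports $dev, not sunfish" >&2
    uid=$(adb shell 'su -c id -u' 2>/dev/null | tr -d '\r')
    classify_uid "$uid"
}

# Usage: ./kernelsu-flash.sh flash boot.img   then   ./kernelsu-flash.sh check
case "${1:-}" in
    flash) flash_boot "$2" ;;
    check) check_root ;;
esac
```

The checksum gate is the part worth keeping even if you flash by hand: a boot image is the highest-privilege code the device runs, so verifying it against the digest you obtained out of band is the cheapest defence against a bad download.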
Shortcomings, room for improvement
KernelSU is not without issues though.
For one, it is best suited to Generic Kernel Images (GKI for short).
The GKI project is a key initiative by Google to address kernel fragmentation in Android by unifying the core kernel across all devices, beginning with Android 12 and devices shipping with kernel version 5.10.
Reducing the fragmentation caused by vendor-specific changes in the kernel allowed both security updates and Android major release updates to be rolled out in a more efficient and streamlined way, thus reducing the overall fragmentation across Android releases (i.e. it is now easier for hardware vendors to improve their software update support thanks to the GKI project).
Alas, the Pixel 4a shipped with Android 10 and kernel 4.14: GKI was still in the works at the time.
As a consequence, the latest versions of KernelSU are not compatible with Android kernel 4.14, and I had to rely on the older KernelSU v0.9.5, which is not ideal because a lot of fixes, new features and improvements are not available.
This situation brings me to the second shortcoming: application developers came up with ways to detect the root privilege escalation provided by KernelSU and prevent their apps from running in such situations (again, obvious security concerns may justify such a move, at the expense of the user's right to do what they need to with the device).
One solution to that problem is called KernelSU Next.
Simply put, this new framework improves upon the former by:
- providing support for both GKI and non-GKI Android kernels,
- providing a module called SUSFS, whose goal is to hide root escalation from userspace applications.
And these are only the two benefits that matter most with regard to the Pixel 4a case.
Once again, I got my hands dirty and patched my kernel in a suitable manner to obtain a boot sector image to be flashed onto the device; the installation process remains the same once you are familiar with the ways of KernelSU.
Going forward, it might be interesting to provide those modified boot sector images for my Evolution X users who need root access on their phones.
For now, if you are interested in this experiment, you can download below:
- my KernelSU boot image for the Pixel 4a, and
- my KernelSU Next + SUSFS patched boot image for the Pixel 4a.
This is additional work on top of providing security and major release updates, so it will depend on community demand, as is the case with community-driven projects.
That is the way :-).
[*] https://kernelsu.org/guide/what-is-kernelsu.html