Rooted! Yowza!

I successfully rooted my Moto E 2015 (XT1528) last night. Woot!

FYI I am letting you know what I did, not encouraging you to try the same - if you bork your device I'll be sorry to read about it but that's your choice.

I have only tried it on the one device so far - it has survived several reboots, even let me flash a recovery image (from the OS, not fastboot) though it did not work. It seems changes to /system are maintained. I don't have a great procedure, today you are getting my dump of the things that I did.

As an aside, I have a suspicion that KingRoot may be working better with the 1528, though it did not work the first few times for me even when I was playing around. It may be worth running a few cycles just to see if you can get it to root without doing any of this extra hacky stuff.

Currently these notes will mainly be helpful to modestly experienced Linux users, hopefully someone can come along and make an easy workflow from them - maybe I'll do it, if I get around to it. Obviously requires debugging and Google tools, and the drivers on Windows.

1) Connect to phone shell over ADB: adb shell

2) Install KingRoot on the 1528 (I got an update after my attempt, so latest may work differently - if not see if you can find the one from before the latest update).

3) In adb,

    while [ 1 ] ; do ls /system/xbin/su ; if [ $? -eq 0 ] ; then /system/xbin/su ; fi ; done

4) This will loop through "No such file or directory". This is a nasty task, but adding a sleep caused the method to fail so.... YMMV. Feel free to add 'sleep 0.1 ; ' into the loop (after fi and before done) if you really need to or your phone is bogging down.

5) Start KingRoot, attempt root or whatever it says.

5a) Here there's a divergence - on a past run, I had gotten to this point, and KingRoot had asked me to authorize adb. I did it and it stored the permission, but then the root failed and the device reset. This may (?) be necessary to do, at least once, to get the speed for 6 and following.
A note - once you have set the permission in KingRoot DO NOT CLEAR THE APPLICATION SETTINGS. Just let it run out, fail, then retry.

6) Once KingRoot starts the spinner, hit the task switch button (rightmost, box softkey). Keep your thumb ready.

7) As soon as* you see the "No such file or directory" output change, swipe KingRoot away.

* Note that I am old and not a gamer, hence my "as soon as" may not be quite as quick as yours.

** If you don't have the permission saved above, you need to accept the root request; that's more important than killing Kingroot. However speed here seems to be important, as something KingRoot does later was causing the system to become unstable for me.

8) DO NOT CLOSE YOUR ADB SHELL! You have a temporary root, hopefully, if all is well. If not you may as well run KingRoot out and/or reboot.

8a) The time I was successful, the UI was completely responsive and the phone was normal. I think that is key, as the times I was not successful the UI was a bit wonky.

8b) On the 2014 ME, the system would kill /system/xbin/su moments after you got this root shell. I did not see that kind of thing on the 1528 but better safe than sorry - act as though this root shell is the only root you have right this moment.

9) After swiping away, I killed the kingroot service from my root shell, though now I don't think this was necessary:

    ps | grep kingroot
    ps | grep u0_a212 (the user from the kingroot service application)
    kill XXXXX (second number/PID from the k_worker process)
    kill XXXXX (second number/PID from the kinguser process)

10) I created a temporary su binary, had to do this on the 2014 ME but honestly I don't think it was necessary for the 1528:

    cp /system/xbin/su /mnt/obb/su
    chmod 4755 /mnt/obb/su

11) Copied it to a few more places too just in case, run

    mount | grep rw | grep -v nosuid

to see which file systems are available.
I think this is unnecessary, too, I was just being paranoid.

12) I started another adb shell session in a second window, used /mnt/obb/su to obtain root, and started logcat (pipe it to a file also). THIS MIGHT BE REALLY IMPORTANT - or it might do nothing. My thought on necessity is that having logcat open might be flagging to some watchdog that the system is in developer mode.

Steps 8-12 happened within about 10 seconds after the initial root. I don't know how fast you have to be, but I was in a hurry and did not want my root to get squashed again.

13) I replaced /system/bin/su with the live binary - I believe this was actually a bad move, but including for completeness:

    ## DO NOT DO THIS?
    # rm /system/bin/su # delete symlink
    # cp /system/xbin/su /system/bin/su
    # chmod 4755 /system/bin/su

14) I remounted /system read-write - this is the point at which the 2014 ME went into lockdown when I was playing with it. But on the 1528 it just worked:

    mount -o remount,rw /system

15) I deleted the NFL app from /system/app, just to see if I could:

    rm -r /system/app/

16) I added some options I wanted to build.prop:

    echo ro.config.low_ram=true >> /system/build.prop # See other XDA discussions on this, if you are interested
    echo net.tethering.noprovisioning=true >> /system/build.prop # Don't have a way to test this, as I don't have a SIM in the phone :/

Then I tried some stuff I did not get working:

17) I tried to change the kernel minfree settings but it was lost on reboot - still working on that one.

18) After reboot, ran kingroot the rest of the way, and deleted a couple random things. Oddly nothing bad happened, so maybe KingRoot can occasionally work without any intervention?

19) I installed SuperSU but it did not take over. Also, I can't modify /system/xbin/su by hand - may need to play with the King supolicy tool.

20) I installed stericson's busybox, guess it worked?

21) PLEASE DON'T DO THIS but I flashed the 1526's recovery.img using flashify, it did not start.
Really we probably need to use something like is used on the Kindles for a secondary boot. Anyway the system still boots fine, just the recovery partition is broken right now.

22) Backed up a couple things in Titanium, which seems to be working fine.

23) Rebooted a few more times, just to be sure things were still working.

24) Added a line into /system/etc/init.qcom.post_boot.sh . The change is persistent but does not seem to work - have to investigate that.

TODO:

1) Put back the original recovery image.

2) Fix the minfree settings. That was my #1 reason for rooting. Right now I'm guessing I end up putting it into the post_boot script, if I can prove it really runs.

3) Install SuperSU over kingroot

4) See if I can convince the TWRP image to boot by changing the /system/etc/install-recovery.cfg and/or /system/recovery-from-boot.p

5) When that fails, look into the Kindle stuff for secondary booting/chroot
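
Added example, not part of the original post: the step 11 pipeline (mount | grep rw | grep -v nosuid) matches "rw" anywhere on the line, so a path such as /mnt/media_rw can show up even when mounted read-only. The function below checks the options field itself, which is what you want when auditing where a leftover setuid copy like /mnt/obb/su would still be honoured. It assumes mount prints /proc/mounts-style lines; the sample table and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Input format assumed: device mountpoint fstype options dump pass

# Constructed sample mount table, not captured from a real device.
SAMPLE_MOUNTS='rootfs / rootfs ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,relatime 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
/dev/block/vold/179:65 /mnt/media_rw/ext vfat ro,relatime 0 0'

# Print mount points that are writable AND honour setuid bits,
# judged only by the comma-separated options field (4th column).
suid_capable_mounts() {
    while read -r dev mnt fstype opts rest; do
        [ -n "$opts" ] || continue            # skip blank or short lines
        rw=0
        nosuid=0
        case ",$opts," in *,rw,*)     rw=1 ;;     esac
        case ",$opts," in *,nosuid,*) nosuid=1 ;; esac
        if [ "$rw" -eq 1 ] && [ "$nosuid" -eq 0 ]; then
            printf '%s\n' "$mnt"
        fi
    done
}

# The post's whole-line grep, reduced to mount points for comparison.
page_grep_mounts() {
    grep rw | grep -v nosuid | while read -r dev mnt rest; do
        printf '%s\n' "$mnt"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | suid_capable_mounts
```

On the sample, the whole-line grep also reports /mnt/media_rw/ext, which is read-only; the field-based check reports only /mnt/obb.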