To be safe, run checkver.py every time you handshake, since 5.0.4 is starting to roll out! Check out the 5.0.3.1 tag in order to use this older method.

It's taken quite a bit of effort, but I've finally managed to create a pre-rooted system image (as well as back up the original) and provide a semi-efficient way to flash the rooted system image. Before attempting any of the steps listed below. You should also have an unmodified/pristine system partition. You would probably know if you had any modifications, and at this point that would be uncommon.

If the patching fails for some reason, just power off the device, reboot your computer (this resets the serial port buffer), start the handshake script, then turn on the device. Once the handshake completes, run the patching command again. There is no harm in running the patching command two or more times. If it keeps hanging, try a different computer.

Root the Device

To get started you will need a system that meets the following requirements:

- Linux (Mac OS X or Windows w/ changes)
- Python 3.x
- PySerial
    sudo yum install python3-pyserial    # Fedora or RedHat
    sudo apt-get install python3-serial  # Ubuntu or Debian
- USB Male A to Male A cable
- R/W access to /dev/ttyACM0 (or use sudo)
- ADB USB access (optional, but helpful)
- Stop ModemManager (if you have it set up, which blocks handshaking)

Now run the following sequence of commands:

Code:
    git clone --branch 5.0.3.1 https://gitlab.com/zeroepoch/aftv2-tools.git
    cd aftv2-tools
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.root.img.gz
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.diff.gz
    gunzip system.root.img.gz
    gunzip system.diff.gz
    adb reboot ; ./handshake.py  # or restart but run ./handshake.py first
    ./checkver.py  # STOP if it reports NO!
    ./patch_mmc.sh 0x00000000058e0000 system.root.img system.diff  # takes ~2 hours
    # last address is 0x50dce600

For Macs (see post #115, thanks @ians325), to satisfy the requirements above you will need to install Python 3.5.0 for Mac OS X from python.org, then run "sudo pip3 install pyserial" to install pyserial. Instead of "wget $URL" use "curl -O $URL".

Windows is working now, but it's constantly improving to make it easier for novice users. The bash script has been ported to a batch file (no cygwin needed) and the serial port has some auto-detection built in now. The files needed for Windows have already been added to the repo, but the README is constantly evolving. @ImCoKeMaN (big thanks) and I are working to improve the process and make it easier for Windows users.

Anyone interested in rooting using an Ubuntu VM should watch the YouTube video by @ultimate_spy_binns: https://www.youtube.com/watch?v=CZQqLoO6ojM. There is also a script to help automate the process if you are doing this on an Ubuntu live CD/USB, found here (by @BagiMT).

To test that root is working, you should first connect to adb shell and then run the command "su". You will need to accept a prompt on the screen (HDMI port) at least once. The shell should change from a dollar-sign ($) prompt to a hash (#) prompt.

If you would like to disable updates after rooting, you can use the following commands:

Code:
    adb shell
    su
    pm disable com.amazon.device.software.ota

To go back to stock in case you want to update or for whatever other reason:

Code:
    wget http://download.zeroepoch.com/aftv2/5.0.3.1/system.orig.img.gz
    gunzip system.orig.img.gz
    adb push system.orig.img /data/local/tmp
    adb shell
    su
    pm enable com.amazon.device.software.ota
    dd if=/data/local/tmp/system.orig.img of=/dev/block/platform/mtk-msdc.0/by-name/system bs=1m
    sync
    reboot

I don't always have the best luck transferring large files over ADB, so another option is to copy the uncompressed image file to a microSD card and change the path to /storage/sdcard1/system.orig.img. Be extremely careful that you have the right path, that the file you are reading exists, and that the file is around 1.2 GB in size. Otherwise you may potentially trash your system.

Background Info

This root method works by rebooting the device and halting the boot process at the MediaTek preloader. Once halted at the preloader, we can use the preloader binary API to send a series of MMC commands to the flash chip, which allows 512-byte blocks to be read and written using a simple FIFO. Since we have both the original and modified system images, we can generate a list of blocks that are different between the two images and only patch those blocks. This means we need to write less than 10 MB instead of 1.2 GB. If we had to send the entire system image at the speeds the preloader is limited to, it would take about 2 weeks. If for some reason the system partition becomes unbootable, that would be your only option to recover right now. By sending just the differences, the patching only takes about 2 hours. There are ways to speed this up (about 5-10 minutes instead), but you'd need to obtain limited root access first using a much, much more complicated procedure. I chose to provide instead a slower but much simpler series of commands.

The MT preloader is a process that runs before the regular bootloader (lk/fastboot) and of course before the kernel boots. It only shows up for about 3 seconds. Unfortunately the preloader is writable and could potentially be updated. The entire boot chain is cryptographically signed from what I've been able to inspect, including the preloader. An unlocked bootloader would most likely be needed to flash a custom kernel (no kexec built-in of course, but modules/device drivers can be loaded) and create ROMs not based on stock. @rbox has been working on getting kexec working as a module, but no ETA yet. So in conclusion, the tools here allow you to modify the flash contents, and using these facilities we have added SuperSU binaries to the system partition.

Anyone interested in how root was obtained should look at the history starting with this post. You should also read the README file from the aftv2-tools git repo. Also feel free to PM me if you have any questions.

Tips

If you want to disable the pop-up message when becoming root, you can change "notify=1" to "notify=0" in /data/data/eu.chainfire.supersu/files/supersu.cfg. You need to reboot the device after making this change. It's also suggested to make the file read-only because it seems to get reset sometimes. (Thanks @ultimate_spy_binns)
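
The block-level diff described under Background Info, as an added Python example that is not code from the original post or from aftv2-tools. The images are small constructed byte strings, the function names are hypothetical, and BASE is the first argument of the post's patch command, assumed here to be the system partition's byte offset on the flash.

```python
BLOCK = 512        # block size the post gives for preloader MMC reads/writes
# First argument of the post's patch command; assumed to be the partition offset.
BASE = 0x058E0000

def diff_blocks(orig: bytes, mod: bytes, block: int = BLOCK) -> list[int]:
    """Return the indexes of blocks whose contents differ."""
    if len(orig) != len(mod) or len(orig) % block:
        raise ValueError("images must be equal length and block aligned")
    return [i for i in range(len(orig) // block)
            if orig[i * block:(i + 1) * block] != mod[i * block:(i + 1) * block]]

def coalesce(indexes: list[int]) -> list[tuple[int, int]]:
    """Merge consecutive block indexes into (first_block, count) runs."""
    runs: list[tuple[int, int]] = []
    for i in indexes:
        if runs and runs[-1][0] + runs[-1][1] == i:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((i, 1))
    return runs

def patch_plan(orig: bytes, mod: bytes, base: int = BASE, block: int = BLOCK):
    """List the (flash_address, data) writes that turn orig into mod."""
    return [(base + first * block, mod[first * block:(first + count) * block])
            for first, count in coalesce(diff_blocks(orig, mod, block))]

def apply_plan(image: bytes, plan, base: int = BASE) -> bytes:
    """Apply a plan to an in-memory copy, to verify it before any real write."""
    buf = bytearray(image)
    for addr, data in plan:
        buf[addr - base:addr - base + len(data)] = data
    return bytes(buf)

def make_sample() -> tuple[bytes, bytes]:
    """Constructed 16-block images; blocks 3, 4 and 9 are modified."""
    orig = bytes(16 * BLOCK)
    mod = bytearray(orig)
    for blk in (3, 4, 9):
        mod[blk * BLOCK + 7] = 0xAA
    return orig, bytes(mod)

if __name__ == "__main__":
    orig, mod = make_sample()
    plan = patch_plan(orig, mod)
    assert apply_plan(orig, plan) == mod  # plan reproduces the modified image
    for addr, data in plan:
        print(f"write {len(data)} bytes at {addr:#010x}")
```

Run against a dump of a device's system partition and the stock image, the same comparison shows exactly which blocks were modified.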