Magisk now supports system-as-root and the Google Pixel 3/Pixel 3a’s logical partitions on Android Q
Google released the first Android Q beta back in March, and root access via Magisk quickly became available for the Google Pixel and Google Pixel 2. The Google Pixel 3, however, could not be rooted on Android Q because the developer of Magisk, XDA Recognized Developer topjohnwu, needed to figure out how to work with the new logical partitions layout. With his new internship at Apple, topjohnwu has had less time to work on Magisk, but that hasn’t stopped him from having two big breakthroughs in development. In the latest Canary release, Magisk now supports system-as-root, making it harder for apps to detect root access, and also supports devices with logical partitions such as the Pixel 3 and Pixel 3a XL series on Android Q.
Google Pixel 3 and Pixel 3a Logical Partition Support on Android Q
To help developers test AOSP versions of Android on existing devices, Google releases Generic System Images (GSIs) that can be booted on Project Treble-compatible devices (any device that launched with Android 9 Pie or later.) Installing a GSI requires unlocking the bootloader, which may not be possible on all devices, and flashing a system image over fastboot after wiping user data. In Android Q, Google is introducing a new feature called Dynamic System Updates which lets developers boot a GSI without unlocking the bootloader or wiping data. In order to support Dynamic System Updates, a device needs to have logical partitions that can be dynamically resized to make space for the GSI installation. The Google Pixel 3, Google Pixel 3 XL, Google Pixel 3a, and Google Pixel 3a XL have logical partitions on the Android Q betas, though only the Pixel 3 and Pixel 3 XL support DSU. Nonetheless, it’s because of this radical change in the partition structure that Magisk wasn’t working.
When topjohnwu is determined, nothing stops him from achieving root access. Just the other day, he announced that he had successfully rooted his Pixel 3 XL on Android Q beta 4. His commit description here explains the technical details of how he achieved logical partition support, but what’s important is that Magisk can now be installed on devices with or without logical partitions.
For devices with A/B dual partitions, the system partition is mounted as the root directory (/), but devices without A/B dual partitions have the system partition mounted at /system. This makes system-only OTAs impossible on non-A/B devices because files in the ramdisk, which need updating, are located in the boot partition. That’s why, in order to make system-only OTAs possible in Android Pie and above, Google mandates that all devices launching with Android Pie support the system-as-root partition layout. In the system-as-root layout, the ramdisk image is merged into the system image, which is mounted as rootfs.
Since Google introduced system-as-root, the solution to root devices was to revert system-as-root back to the old partition “initramfs rootfs” layout. That works fine for Android 7.1 to Android 9 Pie since Android has legacy support for this old layout, but Android Q completely removes support as system-as-root is now mandatory for all devices, even for those devices that are updating to Android Q. Prior versions of Magisk still worked thanks to some “really nasty hacks,” but topjohnwu wasn’t satisfied with that solution so to properly support system-as-root he has introduced “MagiskInit.”
A nice side effect of properly support the system-as-root partition layout is that one potential avenue of root detection has been squashed. As topjohnwu graciously explained to me, the old “revert to initramfs rootfs” method was easy for apps to detect because Magisk would mount system to ‘/system_root’ and bind mount ‘/system_root/system’ to ‘/system.’ All an app would need to do to detect the presence of root is check whether ‘/system_root’ exists or if ‘/’ is ‘rootfs.’ However, it’s not clear that any apps actually took advantage of this to detect root. Still, it’s better safe than sorry.
Android Q introduces support for something called the “blastula pool” to the Android application lifecycle. MagiskHide was unable to detect apps to hide root access from if the new “process pool” feature was enabled. The latest Canary release now supports this feature. According to topjohnwu: “To properly support the new blastula pool optimization introduced in Q, I had rewritten a good chunk of ptracing logic for process monitoring.”
If you have a Pixel 3, Pixel 3 XL, Pixel 3a, or Pixel 3a XL on the Android Q beta, try out the latest Magisk Canary release and let us know if you manage to root your device.