Yet Another Android Rooting Guide (YAARG)

There are legitimate reasons to need to obtain complete control over your Android phone’s operating system (and plenty of irresponsible ones.) I recently rooted a Moto G4 phone to research Android’s permissions model.

There are several ways to gain root privileges. I will cover “systemless” root, a relatively new and safer method of rooting which this article explains well. Also, this article is a good technical introduction to how — and why — rooting works on Android phones.

First, we need to unlock the bootloader of the Android phone. This is much more straightforward if the manufacturer of the phone officially supports unlocking the bootloader for that phone model (no, really). Typically, you will provide the manufacturer with your name and email address, the phone’s unique IMEI number, and your checkbox acknowledgment of the legal repercussions in exchange for a secret passcode you will use to successfully unlock the bootloader.

This guide is written for the Moto G4 Play edition, a relatively new (2016) phone that ships with Android Marshmallow (and can be upgraded to Nougat). Motorola officially supports these models. As their website helpfully notes, it’s best to buy the phone without an exclusive network carrier, as the carrier may have imposed additional lockdowns on the bootloader that are difficult (and likely not worth your time) to figure out how to bypass.

All of the following steps will require a host machine that can run Android’s SDK platform-tools (specifically, we want to use adb and fastboot.) The host machine needs to be able to connect to the phone over USB debugging mode, which can be activated by following these straightforward steps. Let’s make sure the phone is recognized and controllable by the host machine — unlock the phone screen, plug it in with USB debugging mode enabled, and accept the prompt that should pop up on the phone to authorize the connection. Verify the connection by opening your host machine’s terminal and running the following command:$ adb devices (you should see an identifier for your phone along with the word “device” after it. If it says “unauthorized” instead, it’s likely there’s a problem with enabling and using USB debugging mode. If there is nothing listed at all when running the command, there might be a problem with your USB port hardware, or your phone screen is not unlocked.)

$ adb reboot bootloader

This should reboot your phone into the bootloader and await further instructions; test that you can still communicate with the phone by running $ fastboot devices. Some phones require manual navigation to the bootloader screen after being rebooted, so be sure to check your phone’s screen for instructions if it is not already recognized by fastboot. Then, we can grab the IMEI-based code we need to submit to the phone’s manufacturer for developer registration:

$ fastboot oem show_unlock_codes (might be fastboot flashing unlock or similar command for other phone manufacturers.)

Take all of the numbers returned and copy them together (no spaces) to your clipboard. Then, enter the code on your phone manufacturer’s bootloader unlock support website (e.g., here is Motorola’s). Your manufacturer should then give you a passcode that you can use to officially unlock the bootloader! With the passcode now on your clipboard:

$ fastboot oem unlock <INSERT_PASSCODE_HERE>

Great! Now we can mess with the bootloader — which will give us the ability to boot the phone into arbitrary ROMs, such as different operating systems or tools that are not possible on the (currently unrooted) Android OS ROM. What we want to boot into instead of the default Android OS is a barebones partition manager that can allow us to forcibly install (flash) Android apps with root privileges onto the default OS.

Download the variant of TWRP that matches your phone’s model. It’s a popular partition manager that will give us an environment to install any APK as a system app.

$ fastboot flash recovery twrp.img(the path or file name of the image you’re using may not be the same as shown, that’s okay.)

Now, at last, we can forcibly install (flash) an app on the phone with root privileges. There are several popular apps which, upon getting root access, will simply allow the user to grant other apps, such as the shell app ( ) root access. This is exactly what we came for! Magisk is an open source “root manager app” that we can use to give any installed app root privileges. After successfully doing this, we don’t necessarily need the root manager app anymore, so it can be deleted if desired.

Congrats! Most of the interesting new things you can do with the default Android OS require the Xposed Framework (push the appropriate ZIP file to /sdcard/and flash install it with TWRP from recovery mode — then reboot the phone and install the APK file:adb install XposedInstaller_3.1.5.apk). Otherwise, it might be worth checking out the Android Open Source Project (AOSP), which provides the source code for the entire Android OS stack and guidance on developing and ultimately compiling the code into a ROM to flash onto your phone. With great power comes great responsibility…