diff --git a/content/posts/rooting-pixel-2-xl-for-reverse-engineering.md b/content/posts/rooting-pixel-2-xl-for-reverse-engineering.md new file mode 100644 index 0000000..4a07b40 --- /dev/null +++ b/content/posts/rooting-pixel-2-xl-for-reverse-engineering.md @@ -0,0 +1,93 @@ +--- +title: "Why I Downgraded Magisk to Root My Pixel 2 XL" +date: 2026-01-07 +draft: false +--- + + +For the past few weeks, I've been stuck in a stalemate with my EcoFlow Bluetooth Protocol Reverse Engineering Project. I have the hci snoop logs, I have the decompiled APK, and I have a strong suspicion about where the authentication logic is hiding. But suspicion isn't proof. + +Static analysis has its limits. I found the "smoking gun" function—a native method responsible for encrypting the login payload—but understanding *how* it constructs that payload within a strict 13-byte limit purely from assembly (ARM64) was proving to be a headache. + +I needed to move from **static analysis** to **dynamic analysis**. I needed to hook the function at runtime, inspect the memory, and see the data before it gets encrypted. To do that, I needed a rooted Android device. + +The only candidate in my drawer? An 8-year-old **Google Pixel 2 XL ("taimen")** that hadn't been turned on since 2017. + +## The Objective +Bring this relic back to life, update it to the final official firmware, and gain `su` access to install Frida and tcpdump. It sounds simple, but 2026 tools don't always play nice with 2017 hardware. + +## Phase 1: The "I Forgot My Password" Hurdle + +The first problem was mundane: I didn't remember the PIN. My only way in was a physical **Hard Reset**, which relies on a specific sequence of hardware button inputs: + +1. **Fastboot Mode**: Hold `Power` + `Vol Down` until the familiar bootloader screen appears. +2. **Recovery Mode**: Use volume keys to select "Recovery Mode". +3. **The "No Command" Trick**: The phone reboots to a broken android logo. To get the actual menu, you have to hold `Power` and tap `Vol Up` *once*. +4. **Wipe**: Select `Wipe data/factory reset`. + +**The Catch**: This triggers **Factory Reset Protection (FRP)**. Upon boot, the device required authentication with the Google Account previously synced to the hardware. Since I verified my identity using the original credentials, I could proceed; otherwise, bypassing this security feature would have been a significant roadblock. + +## Phase 2: The Update Trap + +Once in, I checked the version: `Android 10 (QP1A.190711.020)`. This was ancient. The Pixel 2 XL officially supports Android 11, and I wanted the latest possible base for compatibility with modern tools. + +I tried the easy route: **Settings > System Update**. +**The Result**: Failure. The phone refused to pull the final OTA (`RP1A.201005.004.A1`), likely due to the Google update servers no longer prioritizing this EOL device. + +### The Fix: Manual Flashing +I had to bypass the OTA system entirely. I downloaded the [final Factory Image](https://developers.google.com/android/images) from Google. + +```bash +# Don't rely on OTA. Flash the whole valid state. +fastboot -w update image-taimen-rp1a.201005.004.a1.zip +``` + +*Note: I used the `-w` flag here since I had just wiped the device anyway. This gave me a pristine, stock Android 11 environment to break.* + +## Phase 3: The Magisk "Time Travel" + +This is where "modern tools meets old hardware" caused the most pain. + +**The Hypothesis**: Rooting a Pixel is standard procedure. +1. Extract `boot.img` from the factory zip. +2. Patch it with the latest **Magisk** app. +3. Flash it back. + +**The Reality**: Bootloop. +I used **Magisk v30.6** (the latest as of writing). The patch process "succeeded," but flashing the resulting image caused the phone to immediately crash back to the bootloader with a "Cannot find valid operating system" error. + +### Debugging the Bootloop +I suspected a regression in how modern Magisk handles the antiquated boot partition structure of the Pixel 2 (A/B partitions, but pre-GKI). + +I decided to perform some "software archaeology" and use a version of Magisk that was contemporary with the device's lifespan. I grabbed **Magisk v25.0** (released around 2022). + +1. **Repatch**: I patched the *exact same* stock `boot.img` using the v25.0 app. +2. **Reflash**: + +```bash +# Flash to both slots to be safe +fastboot flash boot_a magisk_patched_25000.img +fastboot flash boot_b magisk_patched_25000.img +``` + +**The Result**: Success. The phone booted, and the Magisk app confirmed `Installed: 25.0`. + +```bash +❯ adb shell "su -c id" +uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0 +``` + +## Key Insights + +* **Don't Trust OTAs on EOL Devices**: If you're reviving old hardware, the OTA mechanism is likely broken or unreliable. Go straight to the factory images. +* **Version Matching Matters**: Tools like Magisk evolve. Using a 2026 root method on a 2017 kernel is a recipe for instability. Sometimes, downgrading your tools is the only way forward. +* **A/B Partitions**: Always flash your patched boot image to *both* slots (`boot_a` and `boot_b`) to avoid active slot mismatches causing boot failures. + +With root access secured, the path is now clear to install Frida and finally intercept those elusive EcoFlow authentication packets. + +## References + +1. [Google Pixel Factory Images](https://developers.google.com/android/images) +2. [Magisk Installation Guide](https://topjohnwu.github.io/Magisk/install.html) +3. [Magisk GitHub Releases](https://github.com/topjohnwu/Magisk/releases) +4. [XDA Guide: Unlock/Flash/Root Pixel 2 XL](https://xdaforums.com/t/guide-unlock-flash-root-for-the-pixel-2-xl-taimen.3702418/)