Why I Downgraded Magisk to Root My Pixel 2 XL

For the past few weeks, I’ve been stuck in a stalemate with my EcoFlow Bluetooth Protocol Reverse Engineering Project. I have the hci snoop logs, I have the decompiled APK, and I have a strong suspicion about where the authentication logic is hiding. But suspicion isn’t proof.

Static analysis has its limits. I found the “smoking gun” function—a native method responsible for encrypting the login payload—but understanding how it constructs that payload within a strict 13-byte limit purely from assembly (ARM64) was proving to be a headache.

I needed to move from static analysis to dynamic analysis. I needed to hook the function at runtime, inspect the memory, and see the data before it gets encrypted. To do that, I needed a rooted Android device.

The only candidate in my drawer? An 8-year-old Google Pixel 2 XL (“taimen”) that hadn’t been turned on since 2017.

The Objective Link to heading

Bring this relic back to life, update it to the final official firmware, and gain su access to install Frida and tcpdump. It sounds simple, but 2026 tools don’t always play nice with 2017 hardware.

Phase 1: The “I Forgot My Password” Hurdle Link to heading

The first problem was mundane: I didn’t remember the PIN. My only way in was a physical Hard Reset, which relies on a specific sequence of hardware button inputs:

1. Fastboot Mode: Hold Power + Vol Down until the familiar bootloader screen appears.
2. Recovery Mode: Use volume keys to select “Recovery Mode”.
3. The “No Command” Trick: The phone reboots to a broken android logo. To get the actual menu, you have to hold Power and tap Vol Up once.
4. Wipe: Select Wipe data/factory reset.

The Catch: This triggers Factory Reset Protection (FRP). Upon boot, the device required authentication with the Google Account previously synced to the hardware. Since I verified my identity using the original credentials, I could proceed; otherwise, bypassing this security feature would have been a significant roadblock.

Phase 2: The Update Trap Link to heading

Once in, I checked the version: Android 10 (QP1A.190711.020). This was ancient. The Pixel 2 XL officially supports Android 11, and I wanted the latest possible base for compatibility with modern tools.

I tried the easy route: Settings > System Update. The Result: Failure. The phone refused to pull the final OTA (RP1A.201005.004.A1), likely due to the Google update servers no longer prioritizing this EOL device.

The Fix: Manual Flashing Link to heading

I had to bypass the OTA system entirely. I downloaded the final Factory Image from Google.

# Don't rely on OTA. Flash the whole valid state.
fastboot -w update image-taimen-rp1a.201005.004.a1.zip

Note: I used the -w flag here since I had just wiped the device anyway. This gave me a pristine, stock Android 11 environment to break.

Phase 3: The Magisk “Time Travel” Link to heading

This is where “modern tools meets old hardware” caused the most pain.

The Hypothesis: Rooting a Pixel is standard procedure.

1. Extract boot.img from the factory zip.
2. Patch it with the latest Magisk app.
3. Flash it back.

The Reality: Bootloop. I used Magisk v30.6 (the latest as of writing). The patch process “succeeded,” but flashing the resulting image caused the phone to immediately crash back to the bootloader with a “Cannot find valid operating system” error.

Debugging the Bootloop Link to heading

I suspected a regression in how modern Magisk handles the antiquated boot partition structure of the Pixel 2 (A/B partitions, but pre-GKI).

I decided to perform some “software archaeology” and use a version of Magisk that was contemporary with the device’s lifespan. I grabbed Magisk v25.0 (released around 2022).

1. Repatch: I patched the exact same stock boot.img using the v25.0 app.
2. Reflash:

# Flash to both slots to be safe
fastboot flash boot_a magisk_patched_25000.img
fastboot flash boot_b magisk_patched_25000.img

The Result: Success. The phone booted, and the Magisk app confirmed Installed: 25.0.

❯ adb shell "su -c id"
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0

Key Insights Link to heading

• Don’t Trust OTAs on EOL Devices: If you’re reviving old hardware, the OTA mechanism is likely broken or unreliable. Go straight to the factory images.
• Version Matching Matters: Tools like Magisk evolve. Using a 2026 root method on a 2017 kernel is a recipe for instability. Sometimes, downgrading your tools is the only way forward.
• A/B Partitions: Always flash your patched boot image to both slots (boot_a and boot_b) to avoid active slot mismatches causing boot failures.

With root access secured, the path is now clear to install Frida and finally intercept those elusive EcoFlow authentication packets.

References Link to heading

1. Google Pixel Factory Images
2. Magisk Installation Guide
3. Magisk GitHub Releases
4. XDA Guide: Unlock/Flash/Root Pixel 2 XL