eric/ericxliu-me
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
13abf5792b86529e9a1514ad817397c4042bee4b
ericxliu-me/content/posts/rooting-pixel-2-xl-for-reverse-engineering.md
Automated Publisher 3b1396d814
All checks were successful
Hugo Publish CI / build-and-deploy (push) Successful in 26s
Details
📚 Auto-publish: Add/update 1 blog posts 
Generated on: Thu Jan  8 06:02:38 UTC 2026
Source: md-personal repository
2026-01-08 06:02:38 +00:00

94 lines
5.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "Why I Downgraded Magisk to Root My Pixel 2 XL"
date: 2026-01-07
draft: false
---
For the past few weeks, I've been stuck in a stalemate with my EcoFlow Bluetooth Protocol Reverse Engineering Project. I have the hci snoop logs, I have the decompiled APK, and I have a strong suspicion about where the authentication logic is hiding. But suspicion isn't proof.
Static analysis has its limits. I found the "smoking gun" function—a native method responsible for encrypting the login payload—but understanding *how* it constructs that payload within a strict 13-byte limit purely from assembly (ARM64) was proving to be a headache.
I needed to move from **static analysis** to **dynamic analysis**. I needed to hook the function at runtime, inspect the memory, and see the data before it gets encrypted. To do that, I needed a rooted Android device.
The only candidate in my drawer? An 8-year-old **Google Pixel 2 XL ("taimen")** that hadn't been turned on since 2017.
## The Objective
Bring this relic back to life, update it to the final official firmware, and gain `su` access to install Frida and tcpdump. It sounds simple, but 2026 tools don't always play nice with 2017 hardware.
## Phase 1: The "I Forgot My Password" Hurdle
The first problem was mundane: I didn't remember the PIN. My only way in was a physical **Hard Reset**, which relies on a specific sequence of hardware button inputs:
1. **Fastboot Mode**: Hold `Power` + `Vol Down` until the familiar bootloader screen appears.
2. **Recovery Mode**: Use volume keys to select "Recovery Mode".
3. **The "No Command" Trick**: The phone reboots to a broken android logo. To get the actual menu, you have to hold `Power` and tap `Vol Up` *once*.
4. **Wipe**: Select `Wipe data/factory reset`.
**The Catch**: This triggers **Factory Reset Protection (FRP)**. Upon boot, the device required authentication with the Google Account previously synced to the hardware. Since I verified my identity using the original credentials, I could proceed; otherwise, bypassing this security feature would have been a significant roadblock.
## Phase 2: The Update Trap
Once in, I checked the version: `Android 10 (QP1A.190711.020)`. This was ancient. The Pixel 2 XL officially supports Android 11, and I wanted the latest possible base for compatibility with modern tools.
I tried the easy route: **Settings > System Update**.
**The Result**: Failure. The phone refused to pull the final OTA (`RP1A.201005.004.A1`), likely due to the Google update servers no longer prioritizing this EOL device.
### The Fix: Manual Flashing
I had to bypass the OTA system entirely. I downloaded the [final Factory Image](https://developers.google.com/android/images) from Google.
```bash
# Don't rely on OTA. Flash the whole valid state.
fastboot -w update image-taimen-rp1a.201005.004.a1.zip
```
*Note: I used the `-w` flag here since I had just wiped the device anyway. This gave me a pristine, stock Android 11 environment to break.*
## Phase 3: The Magisk "Time Travel"
This is where "modern tools meets old hardware" caused the most pain.
**The Hypothesis**: Rooting a Pixel is standard procedure.
1. Extract `boot.img` from the factory zip.
2. Patch it with the latest **Magisk** app.
3. Flash it back.
**The Reality**: Bootloop.
I used **Magisk v30.6** (the latest as of writing). The patch process "succeeded," but flashing the resulting image caused the phone to immediately crash back to the bootloader with a "Cannot find valid operating system" error.
### Debugging the Bootloop
I suspected a regression in how modern Magisk handles the antiquated boot partition structure of the Pixel 2 (A/B partitions, but pre-GKI).
I decided to perform some "software archaeology" and use a version of Magisk that was contemporary with the device's lifespan. I grabbed **Magisk v25.0** (released around 2022).
1. **Repatch**: I patched the *exact same* stock `boot.img` using the v25.0 app.
2. **Reflash**:
```bash
# Flash to both slots to be safe
fastboot flash boot_a magisk_patched_25000.img
fastboot flash boot_b magisk_patched_25000.img
```
**The Result**: Success. The phone booted, and the Magisk app confirmed `Installed: 25.0`.
```bash
adb shell "su -c id"
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0
```
## Key Insights
* **Don't Trust OTAs on EOL Devices**: If you're reviving old hardware, the OTA mechanism is likely broken or unreliable. Go straight to the factory images.
* **Version Matching Matters**: Tools like Magisk evolve. Using a 2026 root method on a 2017 kernel is a recipe for instability. Sometimes, downgrading your tools is the only way forward.
* **A/B Partitions**: Always flash your patched boot image to *both* slots (`boot_a` and `boot_b`) to avoid active slot mismatches causing boot failures.
With root access secured, the path is now clear to install Frida and finally intercept those elusive EcoFlow authentication packets.
## References
1. [Google Pixel Factory Images](https://developers.google.com/android/images)
2. [Magisk Installation Guide](https://topjohnwu.github.io/Magisk/install.html)
3. [Magisk GitHub Releases](https://github.com/topjohnwu/Magisk/releases)
4. [XDA Guide: Unlock/Flash/Root Pixel 2 XL](https://xdaforums.com/t/guide-unlock-flash-root-for-the-pixel-2-xl-taimen.3702418/)
Reference in New Issue View Git Blame Copy Permalink