SuperSU v2.77 BETA - Note7 (Exynos) shenanigans
Posted on 2016-08-27, 35 comments, 324 +1's, imported from Google+/Chainfire

NOTICE: This content was originally posted to Google+, then imported here. Some formatting may be lost, links may be dead, and images may be missing.

Unfortunately SuperSU did not work on the Note7 (Exynos) out-of-the-box. As its release has been delayed in my country, we've had to resort to remote debugging, which is slow and frustrating. But, thanks to the ever helpful Dr.Ketan and SeraphSephiroth we finally got it working.

New exploit protections

As isn't uncommon with Samsung, they've built-in some new (and arguably ineffective to actual exploits) protections directly to the kernel code, that cannot be turned off by just modifying the boot image ramdisk.

This time, they've decided to kernel panic in case a 'priviliged' process (uid or gid below or equal to 1000, so this includes root and system processes) creates another process that isn't stored in /system or rootfs. SuperSU itself does this, but so do a great many root apps. Any time this happens: immediate reboot.

I'm not going to elaborate why in my opinion this is a fairly useless protection exploit-wise, but needless to say it is fairly bothersome for the normal root user, which is probably a lot more relevant for the average reader here.

Unfortunately - unlike many of the security features developed by Google - this feature is not easily disabled by modifying initramfs (boot image ramdisk), and requires further trickery to bypass.

Maybe a better bypass is yet to by found, but for the time being, I have resorted to patching the check inside the kernel itself when the systemless SuperSU boot image is created. This prevents the user from needing a custom source-built kernel, but it's questionable how long this hex patch will work. The code that performs this patch is fairly trivial - it may keep working the rest of the Note7's lifetime, or stop working the next update.

In other words, this could end up being resource intensive to support, or not. We don't know yet. We have to wait and see what Samsung is going to do.

Bearer of bad news

We know S and Note development are generally strongly related, so we should assume to see the same 'protections' appear in the S7 sooner or later as well. This is probably the (ugly) way forward.


Aside from the binary/hex patch SuperSU employs (see common/hexpatch inside the ZIP), there are some more ways to get around this protection.

If you're compiling kernels from source, it seems that setting CONFIG_RKP_NS_PROT=n gets rid of these protections. You may want to disable other RKP and TIMA settings as well, but that is the one directly relating to this issue.

This protection also disables itself in recovery mode, so simply copying a boot image with these protections to the recovery partition and rebooting into recovery (which will then just launch Android) will work beautifully as well.


The test CFARs I have made so far for the Note7 have not worked, so since both TWRP and SuperSU ZIPs are already available for this device, I'm dropping CFAR development until I have a device in-hand.


SuperSU BETA thread:

TWRP flashable ZIP:

[BETA][2016.08.27] SuperSU v2.77

Stiles commented on 2016-08-27 at 22:52:

Wow that's dumb

Jc Adduono commented on 2016-08-27 at 22:54:

wat ineffective saucery, samsung will need 2 take lessons in defense against the dark arts if they r 2 defeat lord chainfiredemort

TEKHD commented on 2016-08-27 at 23:06:


Stiles commented on 2016-08-27 at 23:33:

Note I717 days woot

Horst-G. Thiel commented on 2016-08-28 at 01:03:

Works also great on Galaxy S7 herolte and LG G4 H815 , thank you Chainfire!

Robert Rivera commented on 2016-08-28 at 01:59:

I have an ATT Nexus 6, can I root. I want to move my device to a std Android version and remove ATT overload.

Alexander Terry commented on 2016-08-28 at 03:00:

+Robert Rivera yes you can. To remove the at&crap simply wipe try /OEM partition

Brandon Patillo commented on 2016-08-28 at 03:31:


William Aston commented on 2016-08-28 at 05:15:

Do you need me to send you this Qualcomm Note 7?

Deepu Geevarghese commented on 2016-08-28 at 08:22:


MrKaon commented on 2016-08-28 at 13:34:

Typical Samsung ??

yi pea commented on 2016-08-28 at 14:27:

Qualcomm Note 7?

miketucky350 commented on 2016-08-28 at 15:29:

+Robert Rivera You have a nexus so yes supersu works perfect but what overload are you talking about ATT don't touch Nexus firmwares.

Steve Swiss commented on 2016-08-28 at 17:49:

+Chainfire  FYI... We have discovered this version does not work on the Moto G 2015, recovery log all looks good, like it flashed but no SuperSU app and no root, and version 2.76 continues to perform correctly. We flash using the "SYSTEMLESS=true" parameter in /data/.supersu of TWRP recovery environment.

N1m0Y commented on 2016-08-28 at 21:05:

Ok on notes 4 with XRom v2 + kernel Emotion? Thx??

mangkat mAncing commented on 2016-08-29 at 03:55:

Gimana caranya unr oot hp andromax G2 mohon infonya

Wisnu Afrianto commented on 2016-08-29 at 10:24:

Systemless root not work on lenovo a7000 with android 6.0 , installed with TWRP recovery and original stock boot image the result fail... Can some one help with this

Steve Swiss commented on 2016-08-29 at 13:03:

+Wisnu Afrianto Use SuperSU 2.76, the current stable version, with the systemless 'echo' command in TWRP terminal, should clear up the problem.

Aaron Segaert commented on 2016-08-29 at 16:44:

If it is possible to load a kernel module on Samsung devices (I have no idea if modules are supported or if the modules need to be signed, etc.) then something like the wp_mod module I used to do for HTC devices might be easier to maintain than hacking the kernel binary.

Jc Adduono commented on 2016-08-31 at 20:44:

Samsung typically disables kernel modules on their Exynos devices, and uses module signing on their Snapdragon ones.

javid hussain commented on 2016-09-01 at 01:15:

it doesn't full unroot in official miui8 redmi note 3 snapdragon, once flashed there is no turning back

Surge Raval commented on 2016-09-01 at 15:35:

+Aaron Segaert I just had someone run a binary that checks for this on the US variants of the note 7. The load_module() function is definitely present, and they must be signed (see lkmauth) usually you can NOP the lkmauth checking function out if you find the address by decompressing the zimage since the check is just a BNE instruction, thus allowing for unsigned modules. The problem is /dev/mem isn't enabled on stock devices, so unless there's a way to use mknod or something else so we can mmap /dev/mem, I don't know if this solution would work for devices without a custom kernel.

Also binary patching using xxd on Android is fairly straightforward, not sure what method +Chainfire uses though.

Paul Baker commented on 2016-09-01 at 16:00:

Any link for twrp zip for v2.78

Chad Barnes commented on 2016-09-01 at 22:57:

+Chainfire​ I'm sure I'm just being to lazy to read but do I have any options for my at&pee note4?

Chad Barnes commented on 2016-09-01 at 22:57:

Other than temp root

Illuminati Nation commented on 2016-09-01 at 22:58:

Let's seek out the light , don't fail to join the brotherhood of the Illuminati .fame , wealth , money , riches and power shall become your title in just three days .if interested contact our supreme headquarters through whatsapp, on +15876000458, and just say Hail Satan for your online initiation. Hail satanas. +15876000458 think well and follow your heart and know that forward ever backward never. (Kurumanka dangazi) distance is never a problem ?666/?\

salah bob commented on 2016-09-03 at 02:47:

Root honor u19 no rotry?

Deepu Geevarghese commented on 2016-09-06 at 07:41:

z+Surge Raval

dĺòx v ee


Chad Barnes commented on 2016-09-06 at 08:06:


Long Hưng Nguyễn commented on 2016-09-18 at 01:13:

Good app

Nayila Kolin commented on 2016-10-01 at 20:23:

علي بي احمد بي

John Francis, jr. commented on 2016-10-06 at 02:27:

any update as of 9-27-2016?

Gökhan Boz Videoları commented on 2016-10-07 at 15:11:

After installation I get a network error compiling android nougat number n3e71b root

Jjdkf Jjskx commented on 2016-10-20 at 16:42:


Player Xxx commented on 2016-11-17 at 07:26:

me ok

This post is over a month old, commenting has been disabled.