How exactly does NRT root my device?

Answer: This software does not use an exploit to root your device, instead it relies upon the low-level access gained from unlocking the bootloader.

Fundamentally, the basic steps involved in rooting any Nexus device are as follows:

  1. Unlock the bootloader
  2. Boot/flash into an alternate recovery
  3. Use that recovery to flash a Superuser recovery zip

NRT helps automate these primary procedures in addition to some desired additional steps.  More specifically, when checking “flash custom recovery” under the root button – the script also takes care of flashing custom recovery for you, and renaming a certain system file, which (if present) can prevent the custom recovery from sticking properly.  That file being:

/system/recovery-from-boot.p

Additionally, if “flash custom recovery’ is checked the toolkit also installs a simple root user app called Quick Reboot(by PhongIT); which provides a simple way to reboot your device directly into bootloader, recovery, or system.  This is very useful whenever you are trying to modify your device without a computer handy.  Automatically installing this light weight app during the root procedure can be disabled in the toolkits options menu.

By default, NRT also installs the user root app Busybox Installer Free (by Stericson) for installing and configuring all the latest essential applets for you.  Busybox is not a requirement for root, however a lot of Playstore root apps require its applets to run properly.  This automatic installation of Stericson’s Busybox Installer can be disabled in the toolkits options menu, or switched to install Busybox Pro via the Playstore instead.

To fully automate these procedures, NRT makes use of (modified) boot.img’s which I  tweaked and re-compiled for each build (and each device).  Temporarily booting these modified boot.img’s enables running privileged commands; more specifically, gaining adb root shell access.  NRT utilizes this increased shell access to push a specialized auto-generated temporary script file called ‘openrecoveryscript’ to your device.  This ‘openrecoveryscript’  file which now resides in your devices /cache/recovery/ directory gets read-in by TWRP custom recovery and ultimately directs it to flash a series of zips.  More specially it flashes SuperSU by Chainfire, a zip I packaged for installing the user root app busybox, and another zip I packaged for installing Quick Reboot and auto-renaming the system file I mentioned previously (if the user checked “flash custom recovery”).

When the script finally completes it provides some info on how to install the busybox applets and confirm root.  And thats that. ^_^

Feel free to ask me any (more-specific) questions about the process if you have any.  Cheers!

Leave a Reply