M 142: Rooting Android Studio's Emulator (15 pts)

What You Need for This Project

A computer with Android Studio installed.
A MacOS machine. I used an M1.

Purpose

To gain root privileges on an Android device which has Google Play installed.

Warning for Windows Users
In June, 2023, this project stopped working for Windows users.
I recommend doing this project instead:
M 145: Making a Rooted Android Emulator

Creating an Emulated Phone

The best way to make this work is to create this exact phone.

In Android Studio, on the right side, click the "Virtual Device Manager" button, outlined in red in the image below.

Then click the plus-sign, outlined in yellow in the image below, and click "Create Virtual Device".

Make these selections:

Select "Pixel 4" and click Next.
Select an API of "API 35" and Services of "Google Play Store". Click a System Image of "Google Play...", then click Finish.
Click Yes.

Wait while the system image downloads and installs.

Click Finish.

Start your Emulator

Start your new Pixel 4, Android 11, emulator, as shown below.

Cloning the rootAVD Repository

The steps depend on your operating system. Follow the appropriate instructions below.

Mac Users
In a Terminal, execute these commands:
git clone https://github.com/newbit1/rootAVD.git cd rootAVD adb devices
If you see an error message saying "command not found", execute this command to fix the Path:
export PATH=$PATH:~/Library/Android/sdk/platform-tools
Then execute this command again:
adb devices

Windows Users
In a Web browser, go to
https://github.com/newbit1/rootAVD
Click the Code button. Click "Download ZIP", as shown below.
At the bottom of your Windows desktop, click the yellow folder icon to launch File Explorer.
Open your Downloads folder. Right-click the rootAVD-master.zip file and click "Extract All...," Extract.
Open a Command Prompt window and execute these commands:
cd Downloads cd rootAVD-master cd rootAVD-master adb devices
If you see an error message saying "Not found: adb", close the Command Prompt window.
Open an Administrator Command Prompt window and execute this command to fix the Path:
setx /M PATH "%PATH%;%userprofile%\appdata\local\android\sdk\platform-tools"
Close the Administrator Comand Prompt window and open a normal Comand Prompt window.
Then execute these commands:
cd Downloads cd rootAVD-master cd rootAVD-master adb devices

You should see your device listed, as shown below.

Using rootAVD

The steps depend on your operating system. Follow the appropriate instructions below.

Mac Users
In a Terminal, execute these commands:
./rootAVD.sh ListAllAVDs
You see a long list of commands for many Android versions.
Execute the command with the correct API number for your emulator, which is probably API 30, x86, ending in "ramdisk.img", as shown below:
./rootAVD.sh ~/Library/Android/sdk/system-images/android-30/google_apis_playstore/x86/ramdisk.img
If the script works perfectly, Aa lot of messages scroll by, as shown below, and your emulator shuts off.
If it hangs on "Trying to install Apps/*", stop it with Ctrl+C.

Windows Users
In the Command Prompt, execute this command:
rootAVD.bat ListAllAVDs | grep 35
You see a list of commands, as shown below.
Execute the first command, the one with no added parameters. On my system, it was:
./rootAVD.sh system-images/android-35/google_apis_playstore/arm64-v8a/ramdisk.img
A lot of messages scroll by, and your emulator shuts off.

Cold Booting your Emulator

In Android Studio, in Device Manager, on the line showing your device, at the right side, click the down-arrow, and click "Cold Boot Now", as shown below.

If you see a box saying "Bluetooth keeps stopping", click "Close app".

Opening Magisk

On your Android home screen, put the mouse just above the search box at the bottom.

Hold down the mouse button and drag up to see all the apps.

Tap the Magisk app, outlined in red in the image below.

A box pops up asking "Allow Magisk to send you notifications".

Tap Allow.

In the main Magisk screen, tap the Update button, outlined in red in the image below.

In the next screen, tap the slider to "Allow from this source" and, at the top left, tap the back-arrow.

Tap the Update button again.

A page of text appears. At the bottom right, tap INSTALL.

Magixk closes. A notification pops up, saying "Magisk has been updated".

Opening a Root Shell

Make sure your Android device is visible and convenient--you only have ten seconds to react to a prompt.

In a Command Prompt or Terminal, execute these commands:

adb shell
su

A prompt appears on your Android device, as shown below.

Click GRANT.

You get a root shell, as shown below.

Troubleshooting
If you are too slow, you need to open Magisk on your emulator.
At the bottom, click Superuser.
Toggle the "[SharedUID] Shell" switch.

M 142.1: id (15 pts)
In your root shell, execute this command:
id
Find the text covered by a green box in the image below. That's the flag.

Sources

Rooting an Android Emulator for Mobile Security Testing

Posted 10-7-22
PATH command fixed 10-17-11
Minor updates to instructions 3-13-23
Magisk update processed added 6-21-23
Referral to M 145 added 7-1-23
Troubleshoting steps updated 4-29-24
Updated 9-22-25