# Magisk Tools Magisk comes with a huge collections of tools for installation, daemons, and utilities for developers. This documentation covers the 4 binaries and all included applets. The binaries and applets are shown below: ``` magiskboot /* binary */ magiskinit /* binary */ magiskpolicy /* binary */ supolicy -> magiskpolicy magisk /* binary */ resetprop -> magisk su -> magisk ``` ### magiskboot A tool to unpack / repack boot images, parse / patch / extract cpio, patch dtb, hex patch binaries, and compress / decompress files with multiple algorithms. `magiskboot` natively supports (which means it does not rely on external tools) common compression formats including `gzip`, `lz4`, `lz4_legacy` , `lz4_lg` ([the LG edition](https://events.static.linuxfound.org/sites/events/files/lcjpcojp13_klee.pdf) of `lz4_legacy`, only used on LG), `lzma`, `xz`, and `bzip2`. The concept of `magiskboot` is to make boot image modification simpler. For unpacking, it parses the header and extracts all sections in the image, decompressing on-the-fly if compression is detected in any sections. For repacking, the original boot image is required so the original headers can be used, changing only the necessary entries such as section sizes and checksum. All sections will be compressed back to the original format if required. The tool also supports many CPIO and DTB operations. ``` Usage: ./magiskboot [args...] Supported actions: unpack [-n] [-h] Unpack to its individual components, each component to a file with its corresponding file name in the current directory. Supported components: kernel, kernel_dtb, ramdisk.cpio, second, dtb, extra, and recovery_dtbo. By default, each component will be automatically decompressed on-the-fly before writing to the output file. If '-n' is provided, all decompression operations will be skipped; each component will remain untouched, dumped in its original format. If '-h' is provided, the boot image header information will be dumped to the file 'header', which can be used to modify header configurations during repacking. Return values: 0:valid 1:error 2:chromeos repack [-n] [outbootimg] Repack boot image components using files from the current directory to [outbootimg], or 'new-boot.img' if not specified. is the original boot image used to unpack the components. By default, each component will be automatically compressed using its corresponding format detected in . If a component file in the current directory is already compressed, then no addition compression will be performed for that specific component. If '-n' is provided, all compression operations will be skipped. If env variable PATCHVBMETAFLAG is set to true, all disable flags in the boot image's vbmeta header will be set. verify [x509.pem] Check whether the boot image is signed with AVB 1.0 signature. Optionally provide a certificate to verify whether the image is signed by the public key certificate. Return value: 0:valid 1:error sign [name] [x509.pem pk8] Sign with AVB 1.0 signature. Optionally provide the name of the image (default: '/boot'). Optionally provide the certificate/private key pair for signing. If the certificate/private key pair is not provided, the AOSP verity key bundled in the executable will be used. extract [partition] [outfile] Extract [partition] from to [outfile]. If [outfile] is not specified, then output to '[partition].img'. If [partition] is not specified, then attempt to extract either 'init_boot' or 'boot'. Which partition was chosen can be determined by whichever 'init_boot.img' or 'boot.img' exists. can be '-' to be STDIN. hexpatch Search in , and replace it with cpio [commands...] Do cpio commands to (modifications are done in-place) Each command is a single argument, add quotes for each command. Supported commands: exists ENTRY Return 0 if ENTRY exists, else return 1 rm [-r] ENTRY Remove ENTRY, specify [-r] to remove recursively mkdir MODE ENTRY Create directory ENTRY in permissions MODE ln TARGET ENTRY Create a symlink to TARGET with the name ENTRY mv SOURCE DEST Move SOURCE to DEST add MODE ENTRY INFILE Add INFILE as ENTRY in permissions MODE; replaces ENTRY if exists extract [ENTRY OUT] Extract ENTRY to OUT, or extract all entries to current directory test Test the cpio's status Return value is 0 or bitwise or-ed of following values: 0x1:Magisk 0x2:unsupported 0x4:Sony patch Apply ramdisk patches Configure with env variables: KEEPVERITY KEEPFORCEENCRYPT backup ORIG Create ramdisk backups from ORIG restore Restore ramdisk from ramdisk backup stored within incpio dtb [args...] Do dtb related actions to Supported actions: print [-f] Print all contents of dtb for debugging Specify [-f] to only print fstab nodes patch Search for fstab and remove verity/avb Modifications are done directly to the file in-place Configure with env variables: KEEPVERITY test Test the fstab's status Return values: 0:valid 1:error split Split image.*-dtb into kernel + kernel_dtb sha1 Print the SHA1 checksum for cleanup Cleanup the current working directory compress[=format] [outfile] Compress with [format] to [outfile]. /[outfile] can be '-' to be STDIN/STDOUT. If [format] is not specified, then gzip will be used. If [outfile] is not specified, then will be replaced with another file suffixed with a matching file extension. Supported formats: gzip zopfli xz lzma bzip2 lz4 lz4_legacy lz4_lg decompress [outfile] Detect format and decompress to [outfile]. /[outfile] can be '-' to be STDIN/STDOUT. If [outfile] is not specified, then will be replaced with another file removing its archive format file extension. Supported formats: gzip zopfli xz lzma bzip2 lz4 lz4_legacy lz4_lg ``` ### magiskinit This binary will replace `init` in the ramdisk of a Magisk patched boot image. It is originally created for supporting devices using system-as-root, but the tool is extended to support all devices and became a crucial part of Magisk. More details can be found in the **Pre-Init** section in [Magisk Booting Process](details.md#magisk-booting-process). ### magiskpolicy (This tool is aliased to `supolicy` for compatibility with SuperSU's sepolicy tool) This tool could be used for advanced developers to modify SELinux policies. In common scenarios like Linux server admins, they would directly modify the SELinux policy sources (`*.te`) and recompile the `sepolicy` binary, but here on Android we directly patch the binary file (or runtime policies). All processes spawned from the Magisk daemon, including root shells and all its forks, are running in the context `u:r:magisk:s0`. The rule used on all Magisk installed systems can be viewed as stock `sepolicy` with these patches: `magiskpolicy --magisk 'allow magisk * * *'`. ``` Usage: ./magiskpolicy [--options...] [policy statements...] Options: --help show help message for policy statements --load FILE load monolithic sepolicy from FILE --load-split load from precompiled sepolicy or compile split cil policies --compile-split compile split cil policies --save FILE dump monolithic sepolicy to FILE --live immediately load sepolicy into the kernel --magisk apply built-in Magisk sepolicy rules --apply FILE apply rules from FILE, read and parsed line by line as policy statements (multiple --apply are allowed) If neither --load, --load-split, nor --compile-split is specified, it will load from current live policies (/sys/fs/selinux/policy) One policy statement should be treated as one parameter; this means each policy statement should be enclosed in quotes. Multiple policy statements can be provided in a single command. Statements has a format of " [args...]". Arguments labeled with (^) can accept one or more entries. Multiple entries consist of a space separated list enclosed in braces ({}). Arguments labeled with (*) are the same as (^), but additionally support the match-all operator (*). Example: "allow { s1 s2 } { t1 t2 } class *" Will be expanded to: allow s1 t1 class { all-permissions-of-class } allow s1 t2 class { all-permissions-of-class } allow s2 t1 class { all-permissions-of-class } allow s2 t2 class { all-permissions-of-class } Supported policy statements: "allow *source_type *target_type *class *perm_set" "deny *source_type *target_type *class *perm_set" "auditallow *source_type *target_type *class *perm_set" "dontaudit *source_type *target_type *class *perm_set" "allowxperm *source_type *target_type *class operation xperm_set" "auditallowxperm *source_type *target_type *class operation xperm_set" "dontauditxperm *source_type *target_type *class operation xperm_set" - The only supported operation is 'ioctl' - xperm_set format is either 'low-high', 'value', or '*'. '*' will be treated as '0x0000-0xFFFF'. All values should be written in hexadecimal. "permissive ^type" "enforce ^type" "typeattribute ^type ^attribute" "type type_name ^(attribute)" - Argument 'attribute' is optional, default to 'domain' "attribute attribute_name" "type_transition source_type target_type class default_type (object_name)" - Argument 'object_name' is optional "type_change source_type target_type class default_type" "type_member source_type target_type class default_type" "genfscon fs_name partial_path fs_context" ``` ### magisk When the magisk binary is called with the name `magisk`, it works as a utility tool with many helper functions and the entry points for several Magisk services. ``` Usage: magisk [applet [arguments]...] or: magisk [options]... Options: -c print current binary version -v print running daemon version -V print running daemon version code --list list all available applets --remove-modules [-n] remove all modules, reboot if -n is not provided --install-module ZIP install a module zip file Advanced Options (Internal APIs): --daemon manually start magisk daemon --stop remove all magisk changes and stop daemon --[init trigger] callback on init triggers. Valid triggers: post-fs-data, service, boot-complete, zygote-restart --unlock-blocks set BLKROSET flag to OFF for all block devices --restorecon restore selinux context on Magisk files --clone-attr SRC DEST clone permission, owner, and selinux context --clone SRC DEST clone SRC to DEST --sqlite SQL exec SQL commands to Magisk database --path print Magisk tmpfs mount path --denylist ARGS denylist config CLI --preinit-device resolve a device to store preinit files Available applets: su, resetprop Usage: magisk --denylist [action [arguments...] ] Actions: status Return the enforcement status enable Enable denylist enforcement disable Disable denylist enforcement add PKG [PROC] Add a new target to the denylist rm PKG [PROC] Remove target(s) from the denylist ls Print the current denylist exec CMDs... Execute commands in isolated mount namespace and do all unmounts ``` ### su An applet of `magisk`, the MagiskSU entry point. Good old `su` command. ``` Usage: su [options] [-] [user [argument...]] Options: -c, --command COMMAND Pass COMMAND to the invoked shell -g, --group GROUP Specify the primary group -G, --supp-group GROUP Specify a supplementary group. The first specified supplementary group is also used as a primary group if the option -g is not specified. -Z, --context CONTEXT Change SELinux context -t, --target PID PID to take mount namespace from -h, --help Display this help message and exit -, -l, --login Pretend the shell to be a login shell -m, -p, --preserve-environment Preserve the entire environment -s, --shell SHELL Use SHELL instead of the default /system/bin/sh -v, --version Display version number and exit -V Display version code and exit -mm, -M, --mount-master Force run in the global mount namespace ``` ### resetprop An applet of `magisk`. An advanced system property manipulation utility. Check the [Resetprop Details](details.md#resetprop) for more background information. ``` Usage: resetprop [flags] [options...] Options: -h, --help show this message (no arguments) print all properties NAME get property NAME VALUE set property entry NAME with VALUE --file FILE load props from FILE --delete NAME delete property Flags: -v print verbose output to stderr -n set props without going through property_service (this flag only affects setprop) -p read/write props from/to persistent storage (this flag only affects getprop and delprop) ```