gogogoghost / ZRoot

Easy to use root on Android. For calling system service and more.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool


ZRoot is a library that makes it easy to use root on Android, such as calling system service with root privilege.


See sample or user guide below.

Hidden API

Before using ZRoot, your project needs a hidden_api module to provide some hidden API.

Create a module named hidden_api, add classes that you need into the module, like IActivityManager ServiceManager.

Add dependency to your application module:

compileOnly project(path: ':hidden_api')

Add Dependency

Add it in your root build.gradle at the end of repositories:

allprojects {
    repositories {
        maven { url 'https://jitpack.io' }

Add the dependency

dependencies {
    implementation 'site.zbyte:zroot:${version}'

Add content provider into Application tag of AndroidManifest.xml


Start ZRoot

 * start by blocked api with 5000ms timeout
val zRoot = Starter(
        //remote process uid: 0 for root or 2000 for shell

Call system service

 * get remote service binder of activity
 * it is a proxy with root to ServiceManager.getService("activity")
val service = zRoot.getRemoteService("activity")

 * convert to IActivityManager
val mAm = IActivityManager.Stub.asInterface(service)

 * call remote api
 * mAm.broadcastIntent...
 * mAm.startActivity...

Call ContentProvider

 * get ContentProvider from activity service via root
val authority = "settings"
val holder = mAm.getContentProviderExternal(authority, 0, null,null)

 * it equivalent to:
 *     settings put secure accessibility_enabled 1
 * via root user
val bundle = Bundle()
bundle.putString("value", "1")

Use an existing binder with root

 * proxy an existing local binder
val existingBinder=ServiceManager.getService("activity")

 * get a proxy
val proxyBinder=zRoot.makeBinderProxy(existingBinder)

 * convert to IActivityManager
val mAm = IActivityManager.Stub.asInterface(service)

 * call remote api
 * mAm.broadcastIntent...
 * mAm.startActivity...

Run custom code(service) on remote root process

See ZRoot-builder.


We need to use hidden APIs like IActivityManager, ServiceManager, etc. This kind of operation will be blocked from Android 9(P), using AndroidHiddenApiBypass to solve it

Run the demo app

  1. Download source code

    git clone --recurse-submodules git@github.com:gogogoghost/ZRoot.git

    Be sure the submodule(builder) was downloaded.

  2. Enter the ZRoot/builder directory and run the following command.

    For Linux: ./gradlew uploadArchives

    For Windows: gradlew.bat uploadArchives

  3. Open the project with Android Studio, and you can run the app module on your device that had root privilege.


There are 4 modules in the project: app, hidden_api, runner, sdk.

app: It's a demo application to show the sample code.

hidden_api: If you often code with some root privilege, you probably know what a hidden API is. Otherwise, ignore it, and good luck.

runner: This module is used to help sdk to run remote code with root privilege.

sdk: Here is the core of project.

Waiting to be added more details...


Easy to use root on Android. For calling system service and more.


Language:Java 70.0%Language:Kotlin 19.8%Language:C++ 8.7%Language:AIDL 1.1%Language:CMake 0.2%Language:Shell 0.2%