Thursday, November 30, 2017

Why "adb root" does nothing?


I have a OnePlus 6T. It is rooted by TWRP and Magisk. I have set ro.debuggable to 1. But when I type adb root it does this:




I cannot even use adb pull on system files.



Answer



On a production (user) build of a ROM, you can't start adbd as root unless the ROM or at least the adbd binary is rebuilt with the required modifications. The reason is the ALLOW_ADBD_ROOT build flag (1, 2).

That's why adbd Insecure was developed, which replaced the adbd binary with a modified one.


On a userdebug or eng build (or with insecure adbd binary extracted from any of these build types):



  • If ro.secure=0, adbd runs as root when enabled from Settings (Developer Options) (3). However adb root won't work (4).

  • If ro.debuggable=1, adb root will restart adbd as root (5, 6).


However adbd can be built from modified source code to skip all these checks. Additionally SELinux should also be taken care of, if in enforcing mode. adbd must be allowed to run in unrestricted superuser context: u:r:su:s0 (7, 8), which isn't the case for user builds (9, 10, 11). See this answer for more details.


Android properties can be overwritten using /data/local.prop on userdebug/eng builds, i.e. if the ALLOW_LOCAL_PROP_OVERRIDE build flag is set (12, 13). But this doesn't work for ro.* properties (14), and the same is true for the setprop command-line tool. However, the default.prop / prop.default file, which could be located under multiple possible locations depending on the device build configuration (15), can be modified to change read-only properties (if not already set from some other property file or *.rc file). If the file is in the ramdisk, boot.img needs to be modified.


Magisk's resetprop tool can reset the read-only properties even if they are already set. ro.secure and ro.debuggable may both have been changed as part of the MagiskHide policy (16), which you can revert to allow adbd to run as root.


Another related property is ro.adb.secure, which controls public key authentication. By setting ro.adb.secure=0 on userdebug/eng builds, authentication is skipped (no device unauthorized message ever) (17, 18, 19). Related: Storage location of “adb_keys”.
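
The rules in the answer above can be turned into a small audit check. The following is an added example, not part of the original post: it reads `getprop`-style output and reports whether a stock adbd could run as root and whether key authentication is enforced. The function names, output format and sample dumps are constructed for illustration, and a patched adbd binary or the SELinux policy is not modelled.

```shell
#!/bin/sh
# Added example: classify adbd's root/auth posture from `getprop` output.
# Models stock adbd as described in the answer, not a modified binary.

# prop DUMP KEY -> value of KEY from "[key]: [value]" lines (empty if absent).
prop() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v k="[$2]:" '$1 == k { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# adbd_posture DUMP -> "root=<no|always|on-request> auth=<required|skipped|unknown>"
adbd_posture() {
    build=$(prop "$1" ro.build.type)
    secure=$(prop "$1" ro.secure)
    debuggable=$(prop "$1" ro.debuggable)
    adb_secure=$(prop "$1" ro.adb.secure)
    root=no          # user builds: adbd is built without ALLOW_ADBD_ROOT
    auth=required    # assumption: the answer only covers userdebug/eng here
    case "$build" in
    userdebug|eng)
        if [ "$secure" = 0 ]; then
            root=always        # adbd runs as root whenever it is enabled
        elif [ "$debuggable" = 1 ]; then
            root=on-request    # `adb root` restarts adbd as root
        fi
        case "$adb_secure" in
        0) auth=skipped ;;     # no "device unauthorized" prompt
        1) auth=required ;;
        *) auth=unknown ;;     # property absent: not covered by the answer
        esac
        ;;
    esac
    echo "root=$root auth=$auth"
}

# Constructed sample: user build with ro.debuggable forced to 1, as in the question.
SAMPLE_USER='[ro.build.type]: [user]
[ro.secure]: [1]
[ro.debuggable]: [1]
[ro.adb.secure]: [1]'

# Constructed sample: userdebug build with key authentication turned off.
SAMPLE_USERDEBUG='[ro.build.type]: [userdebug]
[ro.secure]: [1]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]'

adbd_posture "$SAMPLE_USER"
adbd_posture "$SAMPLE_USERDEBUG"
```

On a connected device the same function can be fed live data with `adbd_posture "$(adb shell getprop)"`; a result of `auth=skipped` on a device that leaves the lab is the finding worth flagging.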


