Mtk-su Failed Critical Init Step 3 ^hot^ May 2026

Quick fix checklist — "mtk-su failed critical init step 3"

Context: This error appears when attempting to use mtk-su (MediaTek su binary) for root on an Android device and the su initializer fails at step 3. Likely causes: incompatible binary, SELinux, wrong daemon/init handling, or missing required permissions.

Follow these steps in order (assume adb or terminal with root flashing tools available):

1. Backup

   • Backup userdata and boot images (fastboot/adb). Don’t proceed without backups.

2. Confirm device & firmware compatibility

   • Verify exact device model and Android/firmware build. mtk-su must match kernel/selinux and libc expectations. If you haven’t already, get the device model and build.prop values.

3. Use correct mtk-su version

   • Replace mtk-su with a version built for your chipset/Android version (userland vs. kernel ABI). Download a build targeted to your kernel/Android API level.

4. Check SELinux mode

   • Temporarily set SELinux to permissive to test:
     • adb shell su (or via custom recovery) and run:

       setenforce 0
       

     • If step 3 error disappears, SELinux denial is the cause. Prefer fixing policy rather than keeping permissive.

5. Inspect logcat and dmesg

   • Capture logs while reproducing the error:

     adb logcat -b all -v threadtime > logcat.txt
     adb shell dmesg > dmesg.txt
     

   • Search for “mtk-su” or “avc: denied” lines indicating permission or integrity failures.

6. Fix permissions and context

   • Ensure su binary ownership and mode:

     adb shell
     su
     chown 0:0 /system/bin/su   # or /sbin/su depending location
     chmod 6755 /system/bin/su
     restorecon /system/bin/su
     

   • Use correct SELinux file context (restorecon sets it if policy exists).

7. Replace init scripts/daemon if needed

   • Some MediaTek devices rely on init scripts. If mtk-su expects a helper daemon, verify any required init.rc entry or helper binary is present and compatible.

8. Test with custom recovery

   • Boot to TWRP or similar and install a known-working root package (Magisk or a tested mtk-su package) for your device. Magisk often handles modern boot and AVB changes more reliably.

9. Check for verified boot / AVB / dm-verity

   • If AVB/dm-verity enforces integrity, replacing su may trigger failure. You may need to patch boot image (Magisk) rather than modifying /system.

10. If still failing — collect and share:

• Device model, Android version, kernel version (uname -a), exact mtk-su binary version, relevant snippets from logcat and dmesg (lines showing mtk-su, avc denial, or init errors). With those I can give targeted steps.

If you want, tell me your device model and Android build (example: "Xiaomi X, Android 11, kernel 4.9"), and I’ll suggest the most likely binary or Magisk/boot-patch approach.

Related searches sent.

The error "mtk-su: failed critical init step 3" typically indicates that the MediaTek temporary root exploit is unable to gain the necessary permissions or establish the required environment to proceed with the privilege escalation. This specific step is often tied to a failure in setting up the command-line environment or a permission denial within the /data/local/tmp directory. What is mtk-su?

The mtk-su binary (and its wrapper app, MTK Easy SU) is a tool designed to provide "temporary root" access to devices powered by MediaTek chips. It exploits a vulnerability known as CVE-2020-0069, which allows unprivileged local users to read and write kernel memory. Unlike traditional rooting, this method is "bootless," meaning it does not modify the system or boot partitions and is lost upon a device reboot. Common Causes for Step 3 Failure

Permission Issues: The binary may not have the correct execution permissions (chmod 755) or is being run from a directory where execution is restricted.

Incompatible Firmware: Many manufacturers (like Amazon for Fire Tablets) patched the CVE-2020-0069 vulnerability in security updates released after March 2020. If your device is running newer firmware, the exploit will fail.

SELinux Interference: Secure Enhanced Linux (SELinux) might be blocking the exploit's attempt to transition into a new security context. mtk-su failed critical init step 3

Processor Architecture Mismatch: Using a 32-bit binary on a 64-bit system (or vice versa) can lead to initialization errors. Troubleshooting and Fixes

If you encounter "failed critical init step 3," try the following steps in order: permission denied mtk-su (#3) · Issue - GitLab

The error "mtk-su failed critical init step 3" typically occurs when the mtk-su tool—a script used for gaining bootless root access on MediaTek-based Android devices—encounters an environment it cannot exploit. Key Causes

Patched Vulnerability: The most common reason for this specific failure is that your device has received a security patch (often from March 2020 or later) that fixes the MediaTek-su vulnerability (CVE-2020-0069) the tool relies on.

Unsupported Firmware/Kernel: The tool may not support your specific firmware version or kernel architecture, especially on newer 64-bit devices that have moved beyond the targeted exploit range.

Incorrect Permissions: The mtk-su binary must have proper execution permissions. If it's missing these, the initialization steps will fail immediately. Potential Fixes & Workarounds

Re-run Command: Users have reported that sometimes simply re-executing the script or the chmod command multiple times can bypass transient initialization failures. Command: chmod 755 mtk-su followed by ./mtk-su.

Verify Binary Permissions: Ensure the file is in a directory that allows execution, such as /data/local/tmp, and that you have granted it the necessary 755 permissions via ADB.

Check for Asset Updates: If you are using the Mtk Easy SU app, ensure you have an active internet connection to download necessary "assets" before clicking "Activate Root". Quick fix checklist — "mtk-su failed critical init

Hardware Incompatibility: If your device uses a non-vulnerable chipset (like some newer MT67xx series), the tool will likely continue to fail at this step. permission denied mtk-su (#3) · Issue - GitLab

The error "mtk-su failed critical init step 3" typically occurs when attempting to gain temporary root or execute privileged commands on MediaTek (MTK) Android devices using the mtk-su exploit tool.

1. Android Security Patch Level (The #1 Culprit)

This is by far the most common cause. mtk-su was designed to work on devices with security patches before March 2020. Google and MediaTek officially patched CVE-2020-0069 in the March 2020 Android Security Bulletin.

• If your patch date is April 2020 or later → The vulnerability is almost certainly fixed. Step 3 will fail 99% of the time.
• If your patch is from February 2020 or earlier → The exploit should work, but not always. Some OEMs backported security fixes.

Check your patch level: Settings → About Phone → Android Security Update

5. Running on a 32-bit Shell with a 64-bit Kernel

If your device has a 64-bit kernel but you are running a 32-bit shell environment (common when using some terminal emulators from the Play Store), the exploit may miscalculate memory offsets, leading to a step 3 failure. Always use a 64-bit terminal or ADB from a 64-bit platform tools build.

3. Look for Alternative Exploits

Some newer MediaTek devices are vulnerable to other exploits such as:

• CVE-2021-0438 (MediaTek cmdq driver)
• CVE-2022-21781 (MediaTek ATCMD)

Tools like exploit or mtkclient (which uses brom mode, not an exploit) may serve your needs, though they are more complex.

Is There a Workaround? (The Harsh Truth)

The short answer is no. If step 3 fails due to a MediaTek security patch, there is no magical command line flag or updated binary that will fix it. diplomatic stopped actively developing mtk-su around early 2021, publicly stating that the vulnerabilities were effectively dead on modern firmware.

Some users have reported success on newer patches by using modified forks of mtk-su that target different IOCTL codes or different drivers (e.g., mtk-mem or kpm). However, these are rare, device-specific, and often unstable. They are not universal solutions. Backup

🤔 What does “critical init step 3” mean?

mtk-su works by exploiting a vulnerability in older MediaTek kernels. Step 3 refers to the part where the tool tries to elevate privileges. When it fails at this stage, it means the kernel has likely been patched or the device’s security level is too high for that version of mtk-su.

Common causes & fixes

| Cause | Explanation | Possible solution | |-------|-------------|--------------------| | Patched kernel | Security update fixed the exploit | Use a different rooting method (Magisk, unlocked bootloader). mtk-su works only on older Android versions (typically 9–10, early 11). | | Incompatible SoC | Not all MediaTek chips support mtk-su (e.g., Helio G95, P90, Dimensity series may fail) | Check the developer’s supported list. Dimensity series rarely work. | | SELinux enforcing | Step 3 may require permissive SELinux | If your kernel is vulnerable but SELinux blocks, you cannot change this without root. | | Incorrect shell context | Running from a non-ADB shell or restricted user | Run from adb shell or a terminal emulator with proper privileges. | | Mitigations enabled | Some vendors added extra checks | No fix — vendor hardened the kernel. |