If you're seeing the "mtk-su failed critical init step 3" error, it typically means the exploit is having trouble initializing the root process on your MediaTek device. This is often due to recent security patches or incorrect execution permissions. Troubleshooting "Critical Init Step 3"
Repeat Permissions: Sometimes the initialization fails simply because the binary wasn't correctly flagged as executable in that specific session. Try re-running chmod 755 mtk-su directly before attempting the exploit again.
Verify Device Compatibility: MTK-SU targets specific MediaTek processors (e.g., MT6737, MT6765, MT8163). If your device has a newer security patch (post-March 2020), the kernel vulnerability it relies on may have been patched, leading to initialization failures.
Check for "Expert Root" Mode: If you are using a wrapper app like MTK Easy SU, ensure you haven't enabled "Expert Mode" unless you have the specific recovery images required for your model, as this can cause the process to fail at early steps.
Restart and Clear: A simple system restart can clear hung processes in the /data/local/tmp directory that might be blocking the exploit from hooking into the kernel. Common Fixes from the Community
Persistent Retries: Users on GitLab and XDA Developers have noted that running the command multiple times—sometimes up to three or four—eventually allows the exploit to bypass the initialization hurdle.
Update the Binary: Ensure you are using the latest version of the mtk-su binary. Older versions frequently fail on devices with slightly updated firmware.
Environment Check: Make sure you are running the command from the correct directory (usually /data/local/tmp) where you have read/write/execute permissions as a shell user.
What is the specific model and Android security patch date of your device?
The error "mtk-su: failed critical init step 3" typically indicates that the MediaTek temporary root exploit is unable to gain the necessary permissions or establish the required environment to proceed with the privilege escalation. This specific step is often tied to a failure in setting up the command-line environment or a permission denial within the /data/local/tmp directory. What is mtk-su?
The mtk-su binary (and its wrapper app, MTK Easy SU) is a tool designed to provide "temporary root" access to devices powered by MediaTek chips. It exploits a vulnerability known as CVE-2020-0069, which allows unprivileged local users to read and write kernel memory. Unlike traditional rooting, this method is "bootless," meaning it does not modify the system or boot partitions and is lost upon a device reboot. Common Causes for Step 3 Failure
Permission Issues: The binary may not have the correct execution permissions (chmod 755) or is being run from a directory where execution is restricted.
Incompatible Firmware: Many manufacturers (like Amazon for Fire Tablets) patched the CVE-2020-0069 vulnerability in security updates released after March 2020. If your device is running newer firmware, the exploit will fail.
SELinux Interference: Secure Enhanced Linux (SELinux) might be blocking the exploit's attempt to transition into a new security context.
Processor Architecture Mismatch: Using a 32-bit binary on a 64-bit system (or vice versa) can lead to initialization errors. Troubleshooting and Fixes
If you encounter "failed critical init step 3," try the following steps in order: permission denied mtk-su (#3) · Issue - GitLab
"mtk-su failed critical init step 3" is a common failure message in the MediaTek-su (mtk-su)
tool, typically occurring when the software exploit used to gain temporary root access is blocked by the device's system. Core Cause: System Patching The primary reason for this error is a security patch
or firmware update. MediaTek-su relies on a specific vulnerability in MediaTek chipsets (often referred to as a "rootkit" or exploit) to bypass security measures. Firmware Updates : Many manufacturers released updates after March 2020 mtk-su failed critical init step 3
that specifically patched the vulnerabilities used by mtk-su. Newer Hardware
: Newer devices (like the Fire HD 8 10th Gen) may have hardware-level protections or kernel versions that are inherently immune to the specific exploit mtk-su uses. Potential Fixes and Workarounds
If you encounter this error, the exploit is likely failing because it cannot initialize its required environment. You can try these community-suggested steps: Re-run the Command
: In some cases, the exploit fails inconsistently. Some users report that running chmod 755 mtk-su
followed by the execution command multiple times (up to three or more) eventually worked. Check File Permissions : Ensure the
binary has the correct execution permissions. It must be pushed to /data/local/tmp/
, as this is typically the only writeable directory allowed for such operations. Use a Different Version : If you are using an older version, try or the latest available build from reputable sources like XDA Developers Mtk Easy Su GitHub repository Downgrade Firmware
: If the device was recently updated, the only definitive way to use mtk-su may be to flash an older, vulnerable firmware version. Note that this carries a high risk of "bricking" the device if not done correctly. Warning on Security
The error "mtk-su failed critical init step 3" typically occurs when the mtk-su tool—a script used for gaining bootless root access on MediaTek-based Android devices—encounters an environment it cannot exploit. Key Causes
Patched Vulnerability: The most common reason for this specific failure is that your device has received a security patch (often from March 2020 or later) that fixes the MediaTek-su vulnerability (CVE-2020-0069) the tool relies on.
Unsupported Firmware/Kernel: The tool may not support your specific firmware version or kernel architecture, especially on newer 64-bit devices that have moved beyond the targeted exploit range.
Incorrect Permissions: The mtk-su binary must have proper execution permissions. If it's missing these, the initialization steps will fail immediately. Potential Fixes & Workarounds
Re-run Command: Users have reported that sometimes simply re-executing the script or the chmod command multiple times can bypass transient initialization failures. Command: chmod 755 mtk-su followed by ./mtk-su.
Verify Binary Permissions: Ensure the file is in a directory that allows execution, such as /data/local/tmp, and that you have granted it the necessary 755 permissions via ADB.
Check for Asset Updates: If you are using the Mtk Easy SU app, ensure you have an active internet connection to download necessary "assets" before clicking "Activate Root".
Hardware Incompatibility: If your device uses a non-vulnerable chipset (like some newer MT67xx series), the tool will likely continue to fail at this step. permission denied mtk-su (#3) · Issue - GitLab
The cursor blinked in the terminal window, a steady, rhythmic pulse against the black background. It was 3:00 AM. The coffee on Elias’s desk had gone cold hours ago, leaving a scummy ring on the "I <3 Linux" coaster.
Elias rubbed his eyes, staring at the output log of his latest attempt to root the MediaTek tablet. He had done this a hundred times. MTK devices were tricky, fickle beasts, but he knew their language. He knew how to coax the bootloader open, how to whisper the right exploits to the processor. If you're seeing the "mtk-su failed critical init
He hit Enter.
The script rolled. Lines of code cascaded down the screen, green text flying like Matrix rain.
[+] Sending payload...
[+] Handshake complete.
[+] Initializing mtk-su...
This was the moment of truth. The mtk-su tool was the skeleton key. Once it ran, he would have root access. He would be king of the silicon.
Then, the scrolling stopped. The cursor froze.
[!] ERROR: mtk-su failed critical init step 3.
Elias stared. He blinked. He read the line again.
"Step 3," he muttered. "Why step 3?"
He scrolled up. Step 1 was memory allocation—passed. Step 2 was kernel address resolution—passed. Step 3 was the handshake with the Security World, the Trusted Execution Environment (TEE).
He ran it again. Same result.
[!] ERROR: mtk-su failed critical init step 3.
He rebooted the device. He changed the USB cable. He sacrificed a gum wrapper to the tech gods. He ran it a third time.
[!] ERROR: mtk-su failed critical init step 3.
Frustration began to curdle in his gut. This wasn't a syntax error. This wasn't a driver issue. This was a hard fail. It was like putting a key into a lock, turning it, and having the lock vanish into thin air.
He opened the source code for mtk-su. He wasn't the original author—the tool was an open-source legend in the modding community—but he knew C++ well enough. He navigated to the init function.
case 3:
// Establish secure channel to TEE
if (tee_response != ACK)
return CRITICAL_FAIL;
It was a simple check. The tool was sending a signal to the secure part of the processor, the part that handled fingerprints and encryption, and the processor was essentially saying, "I’m not listening."
Elias leaned back. Why would the TEE ignore a handshake?
He pulled up the tablet's specs. It was a cheap, generic brand—a "Raven X7." Nothing special. But then, he noticed something in the kernel log, a tiny line he had missed earlier, timestamped milliseconds before the crash. It was a simple check
TEE: External Source Detected. Lockout Engaged.
"External source?" Elias whispered. "It’s just an exploit. I’m injecting from the USB host."
He dug deeper. He found the patch notes for the specific chipset revision. Buried in a changelog from a month ago was a security update: *"Update 1.05: Critical patch for Step 3 vulnerability
The error "mtk-su failed critical init step 3" typically indicates that the mtk-su exploit tool—used to gain temporary root access on MediaTek-based Android devices—cannot initialize its environment on your specific hardware or firmware version. Summary of the Error
This specific failure usually occurs during the initial stages of the exploit when it attempts to set up memory mappings or bypass security checks.
Firmware Patching: Amazon and other manufacturers frequently patch the vulnerabilities mtk-su relies on via OTA updates.
Kernel Mismatch: The exploit is highly dependent on specific kernel vulnerabilities (like CVE-2020-0069); if your kernel is too new, it will fail at an early "init step".
Read-Only Restrictions: On many modern devices (Android 6.0+), Verified Boot and dm-verity may block the necessary modifications even if the exploit technically "runs". User Experiences & Community Consensus
Users often encounter this while attempting to root Amazon Fire tablets or budget MediaTek phones, frequently finding that the method no longer works on their specific build. Troubleshooting Attempts
“I reissued the chmod 755 mtk-su a third time and it eventually worked. i think chris says, he doesnt know why it happens but he did mention briefly that it does.” about.gitlab.com
“I managed to push the file onto the tablet, but when I tried to run the program I got that error message... it no longer works on Fire HD 8 10th.” Reddit · r/kindlefire · 5 years ago Potential Fixes
If you are encountering this error, you can try these steps reported by the community:
Check Permissions: Ensure you have given the file executable permissions by running chmod 755 mtk-su before execution.
Directory Location: Make sure you have pushed the file to /data/local/tmp/, as this is often the only writable directory for this process.
Version Check: Ensure you are using the correct architecture (32-bit vs 64-bit) for your device, as using the wrong one can cause "critical error" or "ELF" messages.
App Alternatives: If you are using the manual CLI tool, try the mtk-easy-su GUI which automates some of these steps, though it may still fail if the device is patched.
mtk-su failing at step 3 does NOT mean your device is unrootable – just that this specific exploit won’t work. For newer devices, unlock the bootloader (if allowed by the manufacturer) and use Magisk. For locked bootloaders on patched kernels, temp root via mtk-su is no longer possible.
If you share your device model, Android version, and security patch date in the comments, I can help determine if there’s any workaround for your specific case.
Newer Linux kernels (4.14, 4.19, and 5.x) have introduced Kernel Control Flow Integrity (kCFI) and stricter memory permissions. These features make it significantly harder to successfully execute step 3. The exploit might attempt to write to a read-only section of kernel memory, causing the operation to fail silently or return an error code that mtk-su interprets as a failure.
Open ADB shell or a terminal emulator and run:
getprop ro.board.platform
uname -a
getprop ro.build.version.security_patch
mt68xx, mt67xx, mt81xx, mt96xx, etc. Dimensity platforms are not supported.