Rooting the Retroid Pocket 5: A Thorny Path to SSH and scanmem



Getting ROOT on the Retroid Pocket 5 (on firmware .189) turned out to be a bit more complicated than the Reddit manual suggested.

Original Reddit thread


The Goal: Get root access, set up a bash environment (Termux), spin up an SSH server, and use scanmem to poke around in game/emulator memory.


It seemed simple and predictable, but the Chinese console with its A/B partition scheme threw a few interesting curveballs. Initially, I planned to use the "No-PC" method with scripts executed right from the console's settings menu (the Run script as Root feature).


Step 1: A Successful Backup

Everything started according to the instructions:

1. I pushed the rp5_backup_boot.sh script to the device. It worked perfectly, creating a bootbackup folder and dumping the partitions via dd.

Original backup script


mkdir -p /storage/emulated/0/bootbackup
dd if=/dev/block/by-name/boot_a of=/storage/emulated/0/bootbackup/boot_a-backup-$(date +%F-%T)
dd if=/dev/block/by-name/boot_b of=/storage/emulated/0/bootbackup/boot_b-backup-$(date +%F-%T)

2. The output gave me the files boot_a-backup-[date] and boot_b-backup-[date], each about 100.7 MB in size.


Problem 1: Magisk Outputs a 0-Byte File

What happened: When trying to patch the original backup (boot_a) via the Magisk app directly on the console, it spit out a magisk_patched_*.img file that was exactly 0 bytes. The Magisk packager simply crashed during the image repack on the device itself (lack of permissions, memory, or an architecture conflict).

Solution: I moved the build process off the console. I transferred the original backup to my Galaxy S25+, where the local Magisk patched the file without any issues and produced a healthy image of the same 100.7 MB.


Problem 2: Touchscreen Inversion After Flashing

What happened: After flashing the patched image, the console's touchscreen went crazy: left-right swipes registered as up-down, and vice versa.

Cause: The popular rp5_flash_magisk.sh script floating around the net turned out to be horribly written. It just grabbed the first patched image it found and forcefully flashed it to both slots at once: boot_a and boot_b.

The broken rp5_flash_magisk.sh script


dd if=$(ls /storage/emulated/0/Download/magisk_patched-* 2>/dev/null | head -n 1) of=/dev/block/by-name/boot_a
dd if=$(ls /storage/emulated/0/Download/magisk_patched-* 2>/dev/null | head -n 1) of=/dev/block/by-name/boot_b
mkdir -p /storage/emulated/0/bootbackup
mv $(ls /storage/emulated/0/Download/magisk_patched-* 2>/dev/null | head -n 1) /storage/emulated/0/bootbackup/magisk_patched-flashed.$(date +%F-%T)
rm $(ls /storage/emulated/0/Download/magisk_patched-* 2>/dev/null | head -n 1)

Solution: I hooked up a USB mouse (just to be able to navigate the interface) and wrote my own rollback script, which used dd to put the original backups back in their rightful places. The screen came back to life.


# Restoring the original boot_a (build 189)
dd if=/storage/emulated/0/bootbackup/boot_a-backup-2026-03-07-16:45:01 of=/dev/block/by-name/boot_a
# Restoring the original boot_b (build 189)
dd if=/storage/emulated/0/bootbackup/boot_b-backup-2026-03-07-16:45:02 of=/dev/block/by-name/boot_b

Problem 3: The A/B Slot Trap

What happened: Deciding to ditch the janky scripts, I switched to flashing via fastboot from my Fedora machine. I patched boot_a, flashed it with the command fastboot flash boot magisk_patched.img... and the screen broke again!

Cause: The terminal gave away the answer during the flash: Sending 'boot_b'. It turned out the currently active slot on the console was slot B. But I stubbornly kept patching the dump from slot A and pouring it into the active slot B. Because the kernel and driver versions between slots get out of sync after OTA updates, the touchscreen driver was losing its mind.


The Right Algorithm (Summary)

After stepping on all the rakes, I figured out the only correct and safe path:

1. Back up both slots using the RP5's built-in Run script as root feature, utilizing the original rp5_backup_boot.sh script.

2. Connect the console to the PC and check the active slot: fastboot getvar current-slot (in my case, it was slot b).

3. Take the backup of the active slot only (boot_b-backup-...).

4. Transfer it to another Android smartphone, patch it in Magisk, and transfer the resulting image back to the PC.

5. Flash the patched image to the correct slot via terminal:

fastboot flash boot magisk_patched.img

6. Reboot: fastboot reboot.


Result: A perfectly working screen and full Root access.
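
The checks behind Problems 1 and 3, as an added host-side example that is not part of the original post or the Reddit scripts: it refuses to flash unless the backup that was patched is a dump of the slot fastboot reports as active, and the patched image is non-empty and no larger than that dump. The function names and the --flash argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flash checks for an A/B device (names are assumptions).

# Pull the slot letter out of `fastboot getvar current-slot` output,
# e.g. "current-slot: b". Fails unless the value is exactly a or b.
parse_slot() {
    slot=$(printf '%s\n' "$1" |
        sed -n 's/^current-slot:[[:space:]]*\([ab]\)[[:space:]]*$/\1/p' | head -n 1)
    [ -n "$slot" ] || return 1
    printf '%s\n' "$slot"
}

# File size in bytes as a plain integer.
size_of() { echo $(( $(wc -c < "$1") )); }

# check_pair SLOT BACKUP PATCHED
# 0 = ok, 2 = backup is from the other slot, 3 = empty image, 4 = too large.
check_pair() {
    slot=$1 backup=$2 patched=$3
    case "$(basename "$backup")" in
        "boot_${slot}-backup-"*) ;;
        *) echo "backup is not a dump of active slot $slot" >&2; return 2 ;;
    esac
    if [ ! -s "$patched" ]; then
        echo "patched image is missing or 0 bytes" >&2; return 3
    fi
    # The dd backup is the whole partition, so nothing larger can fit.
    if [ "$(size_of "$patched")" -gt "$(size_of "$backup")" ]; then
        echo "patched image is larger than the partition dump" >&2; return 4
    fi
    return 0
}

# flash_active BACKUP PATCHED: query the slot, check, then flash that slot.
flash_active() {
    out=$(fastboot getvar current-slot 2>&1) || return 1  # getvar prints on stderr
    slot=$(parse_slot "$out") || { echo "cannot read active slot" >&2; return 1; }
    check_pair "$slot" "$1" "$2" || return
    fastboot flash "boot_$slot" "$2" && fastboot reboot
}

# Only touches the device when asked to: ./script --flash BACKUP PATCHED
if [ "${1:-}" = "--flash" ]; then
    flash_active "${2:-}" "${3:-}"
fi
```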


Setting Up the Workspace and Compiling scanmem

With root obtained, it seemed all that was left was installing Termux (strictly from F-Droid) and scanmem. But it turned out the scanner isn't in the official repos, so I had to build it manually from source.


Install the required packages, set a password (passwd), and spin up the SSH daemon (sshd) to avoid typing on the onscreen keyboard:


pkg update -y && pkg upgrade -y
pkg install -y root-repo openssh tsu git clang make autoconf automake libtool readline intltool gettext
passwd
sshd

Set the console aside, open a terminal on the desktop, and connect to port 8022 (you can find the IP by running ifconfig wlan0 on the console):


ssh -p 8022 username@console_IP_address

Clone the repo, strictly disable the GUI build, and compile the binary:


git clone https://github.com/scanmem/scanmem.git
cd scanmem
./autogen.sh
./configure --prefix=$PREFIX --enable-gui=no
make
make install

The SSH and Root Permission Trap

After a successful installation, one last surprise awaited. When trying to run the scanner via sudo over SSH, Termux threw an error: "No superuser binary detected. Are you rooted?".


What happened: Magisk honestly intercepted the privilege escalation request from Termux, but showed the confirmation dialog on the physical screen of the console. Since I was sitting at my PC monitor via SSH, I simply didn't see this window. The request timed out.


The correct way to launch via SSH:

1. Pick up the console and unlock the screen.

2. In the PC terminal, enter the classic command:


su

3. Immediately look at the console screen — the Magisk prompt will appear. Tap "Grant" and make sure to check "Forever".

4. The terminal prompt on the PC will change from $ to #. We are in a root-shell.

5. Now launch the scanner directly, without any sudo:


scanmem

That's it! Full memory access granted. You can search for addresses, change parameters, and hack games.

