Some OEMs (Xiaomi, Huawei) enforce extra SELinux rules. In that case, you might need to run:
adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh --user
or first run adb shell setenforce 0 (temporary; requires root or an engineering build).
While ADB shell has elevated access, it cannot arbitrarily modify files inside /Android/data/ on Android 11+ without specific setup. However, executing existing binaries or reading configuration files is often permitted. This creates a vector for data exfiltration (reading app private data) if apps do not set correct file permissions (chmod 600/700).
There are two common ways to execute this script.
Method A: Running it directly via Shell
If the file has execute permissions, you can run:
./start.sh
If you get a "Permission denied" error, try Method B.
Method B: Running via sh command
This is the safer method if the file is not marked as executable:
sh start.sh
The magic begins with a single USB connection. Using Android Debug Bridge (ADB), we run a one-time command:
adb shell sh /sdcard/start.sh
But start.sh cannot just run ls /storage/emulated/0/Android/data/com.example.app—it will fail due to permission denial. That is where Moeshizuku enters the scene.
adb shell sh /data/user_de/0/moe.shizuku.privileged.api/start.sh
Note: The actual script location is inside the app's private data directory (/data/data/ or /data/user_de/), not in emulated storage.
The typical command structure derived from the keywords is:
adb shell sh /storage/emulated/0/Android/data/moeshizukuprivilegedapi/startsh
adb connect 192.168.1.100:XXXXX