TomKing062 / vendor_sprd_proprietories-source_packimage

sign BootChain images and vbmeta

rmx3231 #1

Closed Denzy7 closed 11 months ago

Denzy7 commented 11 months ago

rmx3231 uses Android 11 but is padded to 00 40 00 00. Should I use the padding for Android 9?

$ hexdump -C vbmeta-sign.img | tail
00003c90  e1 9f 67 a1 01 48 bb 07  00 00 00 00 00 00 00 00  |..g..H..........|
00003ca0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000ffe00  44 48 54 42 00 00 00 00  16 b4 77 28 b0 86 25 e1  |DHTB......w(..%.|
000ffe10  f7 eb 56 fc 9b cb 5c 3e  f4 a7 c6 12 a9 70 e9 bf  |..V...\>.....p..|
000ffe20  b5 3e 1c 00 29 02 ee 70  00 02 00 00 00 00 00 00  |.>..)..p........|
000ffe30  00 40 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.@..............|
000ffe40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00100000

TomKing062 commented 11 months ago

Use Android 9. Actually, it is the size (aligned to 0x1000) of the vbmeta generated by avbtool; it can be different from the original vbmeta.
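As an added illustration of that alignment point (example code, not part of this repository or the thread): parse the AVB vbmeta header to get the blob's real size (header + authentication block + auxiliary block, the three sizes avbtool prints), round it up to 0x1000, and compare with the footer's size field. The field position (0x30 into the DHTB footer, where 00 40 00 00 sits in the hexdump above), its little-endian encoding and the constructed sample image are assumptions read from the dump.

```python
import struct

AVB_MAGIC = b"AVB0"
AVB_HEADER_SIZE = 256       # "Header Block: 256 bytes" in the avbtool output
ALIGN = 0x1000              # vbmeta size is rounded up to 0x1000
DHTB_MAGIC = b"DHTB"
DHTB_SIZE_OFF = 0x30        # assumption: offset of 00 40 00 00 in the dump (0xffe30 - 0xffe00)

def vbmeta_blob_size(data: bytes) -> int:
    """Real size of an AVB vbmeta blob: header + authentication block + auxiliary block.
    The header fields are big-endian, as avbtool writes them."""
    if data[:4] != AVB_MAGIC:
        raise ValueError("not an AVB vbmeta image")
    auth_size, aux_size = struct.unpack_from(">QQ", data, 12)
    return AVB_HEADER_SIZE + auth_size + aux_size

def align_up(n: int, a: int) -> int:
    return (n + a - 1) // a * a

def check_dhtb_size(image: bytes, footer_off: int) -> dict:
    """Compare the DHTB footer's size field with the 0x1000-aligned vbmeta size."""
    magic = image[footer_off:footer_off + 4]
    (size_field,) = struct.unpack_from("<I", image, footer_off + DHTB_SIZE_OFF)
    expected = align_up(vbmeta_blob_size(image), ALIGN)
    return {"magic_ok": magic == DHTB_MAGIC, "size_field": size_field,
            "expected": expected, "size_ok": size_field == expected}

def build_sample(aux_size: int, size_field: int, total: int = 0x100000) -> bytes:
    """Constructed sample: an AVB0 header with the given block sizes, zero padding,
    and a DHTB footer at total - 0x200 (0xffe00 for a 1 MiB image, as in the dump).
    The 32 hash bytes are left zero and the 00 02 00 00 word seen at +0x28 is copied
    as-is; the sample only exercises the size check."""
    header = struct.pack(">4sLLQQ", AVB_MAGIC, 1, 0, 576, aux_size).ljust(AVB_HEADER_SIZE, b"\0")
    footer = DHTB_MAGIC + b"\0" * 36 + struct.pack("<Q", 0x200) + struct.pack("<I", size_field)
    img = bytearray(total)
    img[:len(header)] = header
    img[total - 0x200:total - 0x200 + len(footer)] = footer
    return bytes(img)

if __name__ == "__main__":
    # aux block chosen so the blob ends at 0x3c98 like the dump; footer says 0x4000 -> ok
    print(check_dhtb_size(build_sample(14680, 0x4000), 0xffe00))
    # same blob, but a footer still carrying 0x1000 -> size mismatch
    print(check_dhtb_size(build_sample(14680, 0x1000), 0xffe00))
```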

Denzy7 commented 11 months ago

OK. It's now padded. How do I sign boot.img?

Denzy7 commented 11 months ago

I used pacextractor to extract the stock boot.img, which I patched with Magisk. python avbtool info_image --image boot.img had this to say:

Footer version:           1.0
Image size:               67108864 bytes
Original image size:      29313024 bytes
VBMeta offset:            29315072
VBMeta size:              2304 bytes
--
Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     576 bytes
Auxiliary Block:          1472 bytes
Public key (sha1):        9405a8f24d5b71da4420fa3edc5a5bd2e7420446
Algorithm:                SHA256_RSA4096
Rollback Index:           0
Flags:                    0
Rollback Index Location:  0
Release String:           'avbtool 1.1.0'
Descriptors:
    Hash descriptor:
      Image Size:            29313024 bytes
      Hash Algorithm:        sha256
      Partition Name:        boot
      Salt:                  90aa4abfa3c379688515ae02967afc4c00ed47b531652d3881822b0f7fd0e8b8
      Digest:                a675a9a930b0d9019643df49c395e3d7670299356ed26d7e9ac7f33ed821ccfa
      Flags:                 0
    Prop: com.android.build.boot.fingerprint -> 'realme/RMX3231/RMX3231:11/RP1A.201005.001/1660721239064:user/release-keys'
    Prop: com.android.build.boot.os_version -> '11'

I then patch it with Magisk and sign it with python avbtool add_hash_footer --image boot_magisk_patched.img --partition_name boot --partition_size 67108864 --key rsa4096_vbmeta.pem --algorith SHA256_RSA4096

Then this is the output for the signed Magisk boot.img:

Footer version:           1.0
Image size:               67108864 bytes
Original image size:      29550592 bytes
VBMeta offset:            29552640
VBMeta size:              2112 bytes
--
Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     576 bytes
Auxiliary Block:          1280 bytes
Public key (sha1):        2597c218aae470a130f61162feaae70afd97f011
Algorithm:                SHA256_RSA4096
Rollback Index:           0
Flags:                    0
Rollback Index Location:  0
Release String:           'avbtool 1.2.0'
Descriptors:
    Hash descriptor:
      Image Size:            29550592 bytes
      Hash Algorithm:        sha256
      Partition Name:        boot
      Salt:                  d81c698452c19c17b0b3a111503b8ba5b309794ae37b324ccea9112398c3aca1
      Digest:                58d0d485cbf84be59a356d3e201fb96e09a38a08b3a23990c97e06f339d13726
      Flags:                 0

hovatek guide

But flashing it with Research Download causes it to get stuck at vbmeta. Even using the vbmeta extracted with pacextractor also gets stuck. Here is the ROM I used

[edit] Also, realme refused to provide the in-depth test APK to unlock the bootloader for rmx3231. Could this be the issue?

TomKing062 commented 11 months ago

On Android 10(+), after unlocking the bootloader, trustos only checks that boot is signed and will not check the signer of boot. boot can be flashed with researchdown, fastbootd or spd_dump.

Signing vbmeta is not a necessity to get root. There is a way to boot with a custom-signed vbmeta, but it does not work on 9863s yet: https://github.com/TomKing062/CVE-2022-38691_38692/issues/1

Denzy7 commented 11 months ago

I flashed the Magisk boot.img with the research tool and got a boot loop with the stock vbmeta that came with the stock ROM. Plus I can't use fastboot with a locked bootloader since realme haven't given us the in-depth test APK. I want to try spd_dump but idk if it will work anyway.

TomKing062 commented 11 months ago

https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader/releases

Denzy7 commented 11 months ago

So will this work on 9863? Otherwise, my main concern is root. How can I root this phone??

TomKing062 commented 11 months ago

BL unlocked, patched boot signed, what else gets in the way?

Denzy7 commented 11 months ago

It worked bro! I however had to flash the stock vbmeta with disable flags and flash the Magisk boot with fastboot (which caused a bootloop?), then flash the stock vbmeta with the download tool. Thanks a lot.