Open Kojuda opened 3 years ago
(Forgotten vbmeta.img in the previous post)
It seems the Windows version doesn't have the pipe problem, but it cannot read a file that must be created by the script:
Can you share the boot.img? Might have a look then.
Thank you !
If the problem really originates from unpacking initfs, the broken pipe might be linked since it's exactly at the same place (p.stdin.write(rdcpio)):
Maybe it's because the Android phone is an A/B device. (Fairphone 3)
Inside makeramdisk.py :
The script is writing hdrsize if the header version is greater than 0:
But this variable is read from the image only if a header version of 2 is detected :
According to bootimg.h, hdrsize is part of header version 1 too: (https://android.googlesource.com/platform/system/tools/mkbootimg/+/refs/heads/master/include/bootimg/bootimg.h)
I should point out another thing: the init file is extracted from rd.gz as init@0755 under /system/bin and not under / as init@0750:
I have managed to modify the program in order to complete the process.
First, according to bootimg.h, I have modified this part of makeramdisk.py :
I have changed the path to the folder /keys. The program was searching for it under android_universal\root\scripts\Library\utils\keys (which doesn't exist) while this folder already existed under /root/keys.
I have set the arg use_persistent_digest to True for the function add_hash_footer (avbtool3.py):
and converted the salt:
Because this one was created by reading /dev/urandom, which doesn't exist on Windows.
So now the program terminates and creates a boot.img.signed. But when I flash it, I cannot retrieve anything linked to the patch. (None of the .sh's are under /sbin, init.rc doesn't have the "on early-init" that will import init.shell.rc... etc. through TWRP) So nothing seems to work, any idea? Note: I failed to correct the error concerning init@0750.
I presume the difference between the two modes (0750 vs 0755) is normal. I will adapt the script to patch this init@0755 because it seems the A/B devices normally have their init under /system/bin:
Modification :
Now the patching is working, but once patched, I don't have any open ports for netcat. If I browse through the filesystem with TWRP, I cannot find any traces of the modification.
In fact, it seems the kernel doesn't load the ramdisk at all. (I have tried boot_a and boot_b)
I think it is linked to the boot method in some way, since the init is clearly under /system/bin but the device was not originally on Android 10. What would explain this behavior? @bkerler
Hello,
I have tried your program on Ubuntu 20.04 with Python 3.9.5, then 3.7.5. There is a broken pipe error that pops up when the ramdisk is unpacked to tmp.
Do you have any idea how to circumvent the problem? (Already tried to add signal(SIGPIPE, SIG_DFL) but as you may know, this doesn't really fix the error)
EDIT: boot.img from Fairphone 3, Android 10, A/B device.
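
The header-size mismatch raised in the comments above (hdrsize written for header version > 0 but read only for version 2), shown as an added example that is not part of the thread or of the project's code. It parses the legacy v0 to v2 header layout from bootimg.h and reads header_size for every version >= 1; the function names and the sample header are constructed for illustration.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Legacy boot_img_hdr (v0-v2), packed little-endian, per bootimg.h:
# magic[8], 10 x u32 (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, header_version, os_version),
# name[16], cmdline[512], id[32], extra_cmdline[1024]
V0_FMT = "<8s10I16s512s32s1024s"
V1_FMT = "<IQI"  # recovery_dtbo_size, recovery_dtbo_offset, header_size
V2_FMT = "<IQ"   # dtb_size, dtb_addr


def parse_boot_header(buf):
    """Parse a v0-v2 header; header_size is read for v1 AND v2."""
    f = struct.unpack_from(V0_FMT, buf, 0)
    if f[0] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    hdr = {"kernel_size": f[1], "ramdisk_size": f[3], "second_size": f[5],
           "page_size": f[8], "header_version": f[9]}
    if hdr["header_version"] > 2:
        raise ValueError("v3+ headers use a different layout")
    off = struct.calcsize(V0_FMT)
    if hdr["header_version"] >= 1:
        (hdr["recovery_dtbo_size"], hdr["recovery_dtbo_offset"],
         hdr["header_size"]) = struct.unpack_from(V1_FMT, buf, off)
        off += struct.calcsize(V1_FMT)
    if hdr["header_version"] >= 2:
        hdr["dtb_size"], hdr["dtb_addr"] = struct.unpack_from(V2_FMT, buf, off)
        off += struct.calcsize(V2_FMT)
    # Reject a header whose declared size disagrees with its version.
    if "header_size" in hdr and hdr["header_size"] != off:
        raise ValueError("header_size %d != expected %d" % (hdr["header_size"], off))
    return hdr


def build_sample_header(version):
    """Constructed sample input: a bare header with made-up sizes/addresses."""
    buf = struct.pack(V0_FMT, BOOT_MAGIC, 0x1000, 0x8000, 0x2000, 0x1000000,
                      0, 0xF00000, 0x100, 4096, version, 0,
                      b"", b"console=null", b"", b"")
    total = len(buf) + (16 if version >= 1 else 0) + (12 if version >= 2 else 0)
    if version >= 1:
        buf += struct.pack(V1_FMT, 0, 0, total)
    if version >= 2:
        buf += struct.pack(V2_FMT, 0, 0)
    return buf


if __name__ == "__main__":
    for v in (0, 1, 2):
        print(v, parse_boot_header(build_sample_header(v)).get("header_size"))
```
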