Closed toilatoiok closed 4 months ago
Can you describe how you created your custom system.img
? It sounds like the AVB metadata is missing.
If you didn't add the AVB metadata, you can do so either with avbtool add_hashtree_footer
(harder if you don't already know the proper parameters for your device) or with avbroot:
# Extract original system.img
avbroot ota extract -i ota.zip
# Unpack AVB metadata from original system.img
avbroot avb unpack -i system.img
# Replace raw.img with your custom image
# Repack system.img using your custom image + the original AVB metadata
avbroot avb pack -i system.img
I get an error of invalid signature recognition.
Can you post the exact error message or output you're getting? There shouldn't be any other steps needed.
You see an error image like this
Hmm, just to confirm, have you already followed the initial setup steps? It seems like recovery mode is not using your custom key for validation.
Ah OK. For the initial install, you must flash with fastboot from the instructions I linked. Without that, recovery mode is using the OEM key to verify the signatures instead of your own key.
After the initial install with fastboot, you should be able to sideload further OTAs without a problem.
That means only devices that have flashed the .img file can flash the ota.zip, right?
That means only devices that have flashed the .img file can flash the ota.zip, right?
That's correct. There is no way to work around that.
Ah, but I saw someone edit the OTA and patch it using your avbroot tool and I successfully flashed that OTA on many other devices.
Hmm, if the other devices were able to flash modified OTAs without the fastboot step, then those devices likely have broken signature checks. That isn't supposed to work.
Hmm, if the other devices were able to flash modified OTAs without the fastboot step, then those devices likely have broken signature checks. That isn't supposed to work.
I've seen them flash .img files ( dtb.img, boot.img ) through the Amlogic "adnl" chip.
Oh, as long as there's a way to flash .img
files directly, that's fine. It doesn't need to be fastboot specifically.
In that case, for the initial setup:
Extract the patched OTA:
avbroot ota extract \
--input /path/to/ota.zip.patched \
--directory extracted
Use the amlogic tool you mentioned to flash each .img
file. (Sorry, I'm not familiar with the tool so I don't know how it's done.)
After that, you should be able to sideload your patched OTAs.
One difficulty that occurs is that when I flash img files other than "boot.img, dtb.img", the remaining partitions all report errors because the bootloader has not been unlocked.
If that's the case, I think you're out of luck :slightly_frowning_face: I don't have any more suggestions for what else to try.
I saw in the other party's code that they loaded the file (boot.img, dtb.img), then they updated the ota.zip file that was patched with your avbroot tool!
It might work on those devices if the OTA certificates are stored inside boot.img
. (Most devices are not like this--they usually store the certificates in recovery.img
or vendor_boot.img
.)
You can check if your device is like this by extracting the ramdisk from boot.img
:
avbroot boot unpack -i boot.img
avbroot cpio unpack -i ramdisk.img.0
If cpio_tree/system/etc/security/otacerts.zip
exists, then the OTA certificate is stored in boot.img
.
I found the otacerts.zip certificate in cpio_tree/system/etc/security/
Nice, if that's the case, you might be able to try the approach you described (flashing patched boot.img
via the amlogic tool and then sideloading the OTA). I can't guarantee it'll work--it's very unusual--but I guess it's worth trying.
Nice, if that's the case, you might be able to try the approach you described (flashing patched
boot.img
via the amlogic tool and then sideloading the OTA). I can't guarantee it'll work--it's very unusual--but I guess it's worth trying.
You can use avbroot ota extract -i ota.zip.patched
to extract the boot.img
from the patched OTA. (avbroot automatically signs boot.img
with your key during avbroot ota patch
.)
You can use
avbroot ota extract -i ota.zip.patched
to extract theboot.img
from the patched OTA. (avbroot automatically signsboot.img
with your key duringavbroot ota patch
.)
I want to ask again, is the order like this?
If it's in that order, it has nothing to do with the signature we found in the boot.img file - the file that will be flashed before updating the ota.zip.patch in recovery (otacerts.zip).
I think it should be like this:
system.img
/product.img
/whatever.avbroot ota patch
. Both boot.img
and the whole OTA zip will be signed with your own key.boot.img
from the patched OTA. This boot.img
contains a modified system/etc/security/otacerts.zip
with your key, so that your patched OTAs can be sideloaded.boot.img
.Thank you very much, I did it your way! Thank you again!
Hello friends ! I got the error : Invalid VBMeta header magic: [0, 0, 0, 0] , while trying to replace the system.img partition.