Invalid VBMeta header magic: [0, 0, 0, 0]

[toilatoiok]

Hello friends ! I got the error : Invalid VBMeta header magic: [0, 0, 0, 0] , while trying to replace the system.img partition.

• Have you ever encountered this error? Can you tell me how to fix it?
• Thank you very much

[chenxiaolong]

Can you describe how you created your custom system.img? It sounds like the AVB metadata is missing.

If you didn't add the AVB metadata, you can do so either with avbtool add_hashtree_footer (harder if you don't already know the proper parameters for your device) or with avbroot:

# Extract original system.img
avbroot ota extract -i ota.zip

# Unpack AVB metadata from original system.img
avbroot avb unpack -i system.img

# Replace raw.img with your custom image

# Repack system.img using your custom image + the original AVB metadata
avbroot avb pack -i system.img

[toilatoiok]

• I did it your way and successfully replaced the system.img partition.
• But the problem is that after updating ota.zip, I get an error of invalid signature recognition.
• Maybe I missed another step, right?
• I hope you can guide me, thank you very much!

[chenxiaolong]

I get an error of invalid signature recognition.

Can you post the exact error message or output you're getting? There shouldn't be any other steps needed.

[toilatoiok]

You see an error image like this

[chenxiaolong]

Hmm, just to confirm, have you already followed the initial setup steps? It seems like recovery mode is not using your custom key for validation.

[toilatoiok]

• Steps that I took:
• I am processing ota.zip for android box device.
• I unacked system.img then repacked it again.
• Re-pact ota.zip and install it and get a signature error.

[chenxiaolong]

Ah OK. For the initial install, you must flash with fastboot from the instructions I linked. Without that, recovery mode is using the OEM key to verify the signatures instead of your own key.

After the initial install with fastboot, you should be able to sideload further OTAs without a problem.

[toilatoiok]

That means only devices that have flashed the .img file can flash the ota.zip, right?

• Is there any other way to get the digital signature from the original ota.zip file to make a new valid ota.zip version?

[chenxiaolong]

That means only devices that have flashed the .img file can flash the ota.zip, right?

That's correct. There is no way to work around that.

[toilatoiok]

Ah, but I saw someone edit the OTA and patch it using your avbroot tool and I successfully flashed that OTA on many other devices.

[chenxiaolong]

Hmm, if the other devices were able to flash modified OTAs without the fastboot step, then those devices likely have broken signature checks. That isn't supposed to work.

[toilatoiok]

Hmm, if the other devices were able to flash modified OTAs without the fastboot step, then those devices likely have broken signature checks. That isn't supposed to work.

• I've seen them flash .img files ( dtb.img, boot.img ) through the Amlogic "adnl" chip.
• Is this related to the fastboot flashing step as you mentioned?
• Can the flsh through adnl parse them be signed by your avbroot tool?
• If you can choose, can I contact you via telegram?

[chenxiaolong]

I've seen them flash .img files ( dtb.img, boot.img ) through the Amlogic "adnl" chip.

Oh, as long as there's a way to flash .img files directly, that's fine. It doesn't need to be fastboot specifically.

In that case, for the initial setup:

1. Extract the patched OTA:

   avbroot ota extract \
       --input /path/to/ota.zip.patched \
       --directory extracted

2. Use the amlogic tool you mentioned to flash each .img file. (Sorry, I'm not familiar with the tool so I don't know how it's done.)

After that, you should be able to sideload your patched OTAs.

[toilatoiok]

One difficulty that occurs is that when I flash img files other than "boot.img, dtb.img", the remaining partitions all report errors because the bootloader has not been unlocked.

• If possible, I can send you those command lines

[chenxiaolong]

If that's the case, I think you're out of luck :slightly_frowning_face: I don't have any more suggestions for what else to try.

[toilatoiok]

• I saw in the other party's code that they loaded the file (boot.img, dtb.img), then they updated the ota.zip file that was patched with your avbroot tool!
• According to the way I just presented, what do you think the solution will be like?

[chenxiaolong]

I saw in the other party's code that they loaded the file (boot.img, dtb.img), then they updated the ota.zip file that was patched with your avbroot tool!

It might work on those devices if the OTA certificates are stored inside boot.img. (Most devices are not like this--they usually store the certificates in recovery.img or vendor_boot.img.)

You can check if your device is like this by extracting the ramdisk from boot.img:

avbroot boot unpack -i boot.img
avbroot cpio unpack -i ramdisk.img.0

If cpio_tree/system/etc/security/otacerts.zip exists, then the OTA certificate is stored in boot.img.

[toilatoiok]

I found the otacerts.zip certificate in cpio_tree/system/etc/security/

[chenxiaolong]

Nice, if that's the case, you might be able to try the approach you described (flashing patched boot.img via the amlogic tool and then sideloading the OTA). I can't guarantee it'll work--it's very unusual--but I guess it's worth trying.

[toilatoiok]

Nice, if that's the case, you might be able to try the approach you described (flashing patched boot.img via the amlogic tool and then sideloading the OTA). I can't guarantee it'll work--it's very unusual--but I guess it's worth trying.

• I'm talking about my friend's boot.img file, which they flashed before updating their ota.zip.
• But now after unpacking the ota.zip and repacking it, how do I sign the boot.img file to make it valid? I still don't really understand that issue with the avbroot tool. Could you please guide me to understand better? Thank you !

[chenxiaolong]

You can use avbroot ota extract -i ota.zip.patched to extract the boot.img from the patched OTA. (avbroot automatically signs boot.img with your key during avbroot ota patch.)

[toilatoiok]

You can use avbroot ota extract -i ota.zip.patched to extract the boot.img from the patched OTA. (avbroot automatically signs boot.img with your key during avbroot ota patch.)

• I want to ask again, is the order like this?

  1. Unpack ota.zip
  2. Replace what you want in " system.img, or product.img...".
  3. Then patch again with avb.key, ota.key , ota.crt.

• If it's in that order, it has nothing to do with the signature we found in the boot.img file - the file that will be flashed before updating the ota.zip.patch in recovery (otacerts.zip).

[chenxiaolong]

I think it should be like this:

1. Unpack ota.zip.
2. Make modifications to system.img/product.img/whatever.
3. Patch with avbroot ota patch. Both boot.img and the whole OTA zip will be signed with your own key.
4. Extract boot.img from the patched OTA. This boot.img contains a modified system/etc/security/otacerts.zip with your key, so that your patched OTAs can be sideloaded.
5. Flash boot.img.
6. Reboot to recovery mode to sideload patched OTA.

[toilatoiok]

Thank you very much, I did it your way! Thank you again!