chenxiaolong / avbroot

Sign (and root) Android A/B OTAs with custom keys while preserving Android Verified Boot
GNU General Public License v3.0

have i to update my phone Pixel 7 to last version before to use the avbroot and patching #303

Open lordman-1135 opened 3 weeks ago

lordman-1135 commented 3 weeks ago

Hello, my phone (a Google Pixel 7) currently runs Android 14.0.0 (AP1A.240305.019.A1, Mar 2024). I checked the developers.google.com website and there is a newer update (AP2A.240605.024, Jun 2024). Do I have to update my phone to the latest version before beginning this project, or is it not important?


chenxiaolong commented 3 weeks ago

The only thing to be aware of is that when you first start using avbroot, you have to patch and flash the same OTA version as what you have installed.

Other than that, it doesn't matter which version you start with. You can either:

Update first should be a bit easier.
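The point above (the first avbroot flash must be the same OTA version as the installed build) can be checked before patching. The following is an added example, not part of avbroot or this thread: it reads the `post-build` fingerprint from the OTA zip's `META-INF/com/android/metadata` and compares it with the `ro.build.*` properties that `adb shell getprop` reports. The zip and the property values are constructed samples.

```python
import io
import zipfile

# Constructed sample of the key=value file that an Android A/B OTA zip carries
# at META-INF/com/android/metadata (values illustrative, not from a real OTA).
SAMPLE_METADATA = (
    "ota-type=AB\n"
    "pre-device=panther\n"
    "post-build=google/panther/panther:14/AP1A.240305.019.A1/12345678:user/release-keys\n"
)

# Constructed sample of what `adb shell getprop` would report on the device.
SAMPLE_DEVICE_PROPS = {
    "ro.product.device": "panther",
    "ro.build.id": "AP1A.240305.019.A1",
    "ro.build.fingerprint":
        "google/panther/panther:14/AP1A.240305.019.A1/12345678:user/release-keys",
}


def make_sample_ota_zip(metadata: str = SAMPLE_METADATA) -> bytes:
    """Build an in-memory zip containing only the metadata entry of an OTA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/com/android/metadata", metadata)
    return buf.getvalue()


def read_ota_metadata(zip_bytes: bytes) -> dict:
    """Parse META-INF/com/android/metadata from an OTA zip into a dict."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        text = zf.read("META-INF/com/android/metadata").decode()
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def ota_mismatches(meta: dict, props: dict) -> list:
    """Return reasons the OTA differs from the installed build ([] means OK)."""
    problems = []
    if meta.get("pre-device") != props.get("ro.product.device"):
        problems.append("device codename mismatch")
    post_build = meta.get("post-build", "")
    # The 4th '/'-separated field of a fingerprint is the build id (AP1A...).
    ota_build_id = post_build.split("/")[3] if post_build.count("/") >= 4 else ""
    if ota_build_id != props.get("ro.build.id"):
        problems.append(f"OTA build {ota_build_id!r} != installed {props.get('ro.build.id')!r}")
    if post_build != props.get("ro.build.fingerprint"):
        problems.append("full build fingerprint mismatch")
    return problems
```

On a real device, fill the property dict from `adb shell getprop ro.product.device`, `ro.build.id` and `ro.build.fingerprint`, and only patch and flash when the list comes back empty.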

lordman-1135 commented 2 weeks ago

When I patch the full OTA zip, which command do I have to use?

```bash
avbroot ota patch \
    --input /path/to/ota.zip \
    --key-avb /path/to/avb.key \
    --key-ota /path/to/ota.key \
    --cert-ota /path/to/ota.crt \
```

Or:

```bash
avbroot ota patch \
    --input /path/to/ota.zip \
    --privkey-avb /path/to/avb.key \
    --privkey-ota /path/to/ota.key \
    --cert-ota /path/to/ota.crt \
```

The difference is the addition of "priv" in the second command.

chenxiaolong commented 2 weeks ago

They're both equivalent. Old versions of avbroot used the "privkey" options. Newer versions use "key", but still support the old "privkey" options for backwards compatibility.

lordman-1135 commented 2 weeks ago

OK, thank you. I work with Windows 11. After patching the full OTA zip, I extracted it and am now trying to flash the images from the extracted files. I rebooted my Pixel 7 into fastboot mode (it's unlocked now), and when I run the command (fastboot flashall --skip-reboot) from CMD, I get this error: "fastboot: error: ANDROID_PRODUCT_OUT not set". How can I solve it?


The images I have after patching the OTA zip are shown in this photo:


chenxiaolong commented 2 weeks ago

Hmm, I'm not really familiar with PowerShell, but looking online, I think this is the way to set the ANDROID_PRODUCT_OUT environment variable:

```powershell
$env:ANDROID_PRODUCT_OUT = "extracted"
```

lordman-1135 commented 2 weeks ago

Do I have to flash all the images extracted from the patched full OTA, or only boot.img, vbmeta.img and vendor_boot.img?

chenxiaolong commented 2 weeks ago

Flashing all of them is recommended to be safe, but flashing only init_boot, system, vbmeta, vbmeta_system, and vendor_boot should also work.

lordman-1135 commented 2 weeks ago

After locking the bootloader and rebooting the phone, Magisk worked fine, but the Momo app still detects that the bootloader is unlocked. The LSPosed module doesn't work either.

chenxiaolong commented 2 weeks ago

Based on what you posted from the Key Attestation app, everything looks good (Device locked: true and Verified boot state: Self-signed). This information comes from hardware attestation, so it's definitely correct (cannot be faked).

I'm not familiar with Momo or what it checks for. Maybe it only reports locked when the bootloader is locked with the official keys?

I'm also not sure why LSPosed would crash, sorry.

lordman-1135 commented 2 weeks ago

I don't know what the Momo app checks for. Anyway, after locking the bootloader, the apps still detect that the bootloader is unlocked, and not only the Momo app: there are other apps that don't work on my phone because they detect the unlocked bootloader. Does that mean this method actually doesn't lock the bootloader and isn't useful, or can you update this project to solve this problem?

chenxiaolong commented 2 weeks ago

I'm guessing all of these apps are checking for both locked + using official keys ("green" state instead of "yellow" state). If you're only looking to hide the bootloader lock status from apps, avbroot won't help. There's no way to hide the use of custom keys.

lordman-1135 commented 2 weeks ago

I hid the Magisk app, but the Momo app still says the bootloader is unlocked. I tried with LineageOS 21, but the same problem: the bootloader is locked from fastboot, but in practice it is unlocked. The Momo app shows that, and there are some apps that don't work because of it.

What is the use of locking the bootloader from fastboot if in fact it stays unlocked?

pascallj commented 2 weeks ago

The bootloader is not unlocked. The fact that Momo reports it as unlocked is probably because it can detect that it is locked, but with a custom key. The purpose of locking the bootloader is a security measure.

When the bootloader is unlocked, someone can change the system without you knowing. If they attempt to do so when the bootloader is locked, they will have to unlock and therefore at least your data will be wiped.

The fact that apps can detect that the bootloader is locked with a custom key has nothing to do with avbroot and is beyond the scope of avbroot (at least chenxiaolong has mentioned something along those lines).

There might be some ways to hide the bootloader status with LSPosed if I remember correctly but I am not sure.

Apps can also check for the Play Integrity status which also might be a sign of an unlocked/locked-with-custom-key bootloader. This can at least for now be solved with PlayIntegrityFix (passing STRONG integrity is also being worked on and somewhat working).