Unable to remove root verification on Chrome OS v70

[Giinx]

I would like some help because I am unable to remove root verification on this version, when I run the command: *sudo /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --partitions $(( $(rootdev -s | sed -r 's/.(.)$/\1/') - 1))** everythings appears to be okay but when I restart my chromebook and try to run RootandSEpatch.sh I get the error "Error! Unable to modify system! In order to modify system files, the Chrome OS system partition needs to have been mounted writeable (i.e. rootfs verification disabled)."

I would like some help with this please.

[nolirium]

Yes, the rootfs verification check in the script got broken due to a change in Chrome OS. The RootandSEpatch.sh script has just been updated with a fix - if you try it again now, it should work this time.

[Giinx]

Yes, the rootfs verification check in the script got broken due to a change in Chrome OS. The RootandSEpatch.sh script has just been updated with a fix - if you try it again now, it should work this time.

chronos@localhost / $ curl -Ls https://raw.githubusercontent.com/nolirium/aroc/onescript/RootandSEpatch.sh | sudo sh sh: 118: Syntax error: "fi" unexpected (expecting "then")

[nolirium]

Should be fixed now.

[Giinx]

Should be fixed now.

cheers, so I did that and it still didnt work the chromebook running chromeos v70 is still unrooted for some reason even after doing this.

[nolirium]

Did you happen to notice if there were any error messages in the script's output?

Are Android apps working now (but no root), or not loading at all, or ...?

[Giinx]

Did you happen to notice if there were any error messages in the script's output?

Are Android apps working now (but no root), or not loading at all, or ...?

normal android apps that require no root work fine, everything is still working just fine as normal but everything that requires root and any root checks come up as device unrooted still, and there were no error messages but I can do it again now and screenshot the logs for you

[Giinx]

Got an error ERROR: No running Android system found. Unable to patch sepolicy.

[nolirium]

Yeah, that'll happen if for example you try to run the script twice over without rebooting between times. It's expected, in that case.

Try rebooting again, and if still working and unrooted, can you paste the following into the Chrome OS shell and see if anything comes up:

sudo su -
printf "ps | grep daemon" | android-sh

[Giinx]

I ran the script the first time then I rebooted and it wasnt rooted so I went in shell and tried again so I can check if there were any errors for you and thats the error that I got :) But I did reboot right away the first time I ran the script

[Giinx]

Yeah, that'll happen if for example you try to run the script twice over without rebooting between times. It's expected, in that case.

Try rebooting again, and if still working and unrooted, can you paste the following into the Chrome OS shell and see if anything comes up:

sudo su -
printf "ps | grep daemon" | android-sh

infinite loading on apps now wont seem to work anymore

[nolirium]

OK well, give it a couple of minutes (it takes some time after the first reboot), and then if apps are still not loading, the command to restore the unrooted Android container is

sudo mv /opt/google/containers/android/system.raw.img.bk /opt/google/containers/android/system.raw.img

If you paste that into the Chrome OS shell and then reboot, you should have the normal unrooted Android system back.

I may not be able to respond back until tomorrow now, but if you do end up unrooting and running the script again, it might be useful if you could copy the script's output to text (or screengrab), so we could check if there were any errors running the script.

[Giinx]

I keep getting ERROR: No running Android system found. Unable to patch sepolicy. thats the only error

[Giinx]

[nolirium]

But everything else (file copying etc) looks like it worked OK. Hmm...

If you do

sudo android-sh

does it get you into an Android shell like it's supposed to? (you would see the prompt change from "chronos@localhost: " to "something_cheets:")

Or does it just give an error message?

[Giinx]

it takes me to edgar_sheets:/

[nolirium]

OK that's good. Now, at the edgar_cheets prompt, can you put in ps | grep daemon and tell me what, if anything, shows up?

[Giinx]

[nolirium]

So daemonsu isn't running. Can you try to start it (see if it is present)? Again in the edgar_cheets prompt, do

daemonsu --auto-daemon

[Giinx]

[nolirium]

Try a root app now - see if it asks for permission.

[Giinx]

opening root checkers and supersu and theyre all still saying that device is unrooted, should I try to reboot and then check?

[Giinx]

[nolirium]

Something's not right, clearly. Maybe we should try to patch the SE Linux policy file manually, to rule out SE Linux being the problem (since one of your screenshots showed the rooting script erroring out at the point, right near the end where it's supposed to patch the sepolicy file).

Here's a script which is just the SE Linux policy patching part. (you can run it in the Chrome OS shell)

curl -Ls https://raw.githubusercontent.com/nolirium/aroc/master/Test/sepatchtest.sh | sudo sh

[Giinx]

[nolirium]

Maybe you could double check the contents of /system/xbin in Android:

sudo android-sh
ls -alt /system/xbin

Also in the Android shell (the edgar_cheets prompt), could you do

su --version

(It should say "2.82:SUPERSU")

And also at the edgar_cheets prompt, if you just do

su

and see if you get an error there or if the edgar_cheets prompt changes at all (if any number shows up).

[Giinx]

Would turning this on make a difference? Just wondering.

[Giinx]

update on your last comment btw

[nolirium]

Would turning this on make a difference? Just wondering.

It shouldn't do any harm, but unless something has changed very recently, it shouldn't affect Android either way.

[Giinx]

would turning that on fix our issue or what do you recommend?

[nolirium]

would turning that on fix our issue or what do you recommend?

At the moment we don't know what the exact cause of the issue is, but turning on Linux apps is unlikely to affect it. Feel free to try it though, it shouldn't do any harm...

update on your last comment btw

So, it looks like the files for SuperSU are all present and correct. The "1|edgar_cheets" that appears at the front of your last command indicates an error, but at least Android is booting and the files appear to be in the right place.

I'm going to go look through some of the comments from my blog, as I remember some people had similar problems a while ago, with various causes (and resolutions). I'm thinking perhaps the modification to init.rc is at fault, but perhaps it's something else entirely.

One last easy thing that comes to mind to maybe try is to disable enforcing SELinux completely (then reboot).

sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config

[Giinx]

sed: couldn't open temporary file /etc/selinux/sedczIHPC: Permission denied

[nolirium]

Oh, forgot to mention that you'll need to sudo su beforehand for that one to work

[Giinx]

sweet dude it's working now we got it done!! 👍 after running that command I rebooted got back on opened supersu updated the packages rebooted once again and now it's working fine it seems like I'll keep u updated, let me know if u want me to test out some more stuff tho

[nolirium]

Good stuff! Glad we could get it sorted.

I'll still have to try and work out out why it wasn't working initially. Possibly the script still needs tweaking somewhat.

For the moment though, it might be helpful towards figuring out the initial cause if you could do one more thing now, which is to redo the SE Linux patching command mini script in the Chrome OS shell, and see if it succeeds this time :

curl -Ls https://raw.githubusercontent.com/nolirium/aroc/master/Test/sepatchtest.sh | sudo sh

(If it tells you to reboot, just ignore that).

[Giinx]

OK just an update before I do what you told me to do, after I took the screenshot that I showed u I rebooted and now that I'm back on it it seems like apps aren't opening anymore it's just an infinite loading loop

[Giinx]

Just ran the script that u sent me btw

[nolirium]

Just ran the script that u sent me btw

Well, that appears to have worked, which is something.

Did the previous command stick? If you type

sudo su
grep SELINUX= /etc/selinux/config 

into the Chrome OS shell, does it show 'Permissive' or 'Enforcing'?

How are you rebooting, by the way? I mean, are you just typing reboot into the shell, or using the power button, or something else? (I only ask as I remember one person who was pressing Esc+Refresh+Power instead of a regular reboot every time, which was messing things up in strange ways).

[Giinx]

I reboot by pressing the power button + the spin button on my keyboard and I did what u told me ran the command it says permissive

[nolirium]

When you say the spin button, do you mean the 'refresh' key (F3)? If so... Don't do that.

Just use the power button (or type reboot in a root shell).

Pressing the power and refresh keys both together can potentially do a hard reset if you keep them held down for too long, which can really mess things up if you've just made some changes, as the system will completely 'forget' the changes.

[Giinx]

I didn't hold it down for too long though I only pressed them twice together once and it restarts, what should I do now though? because when I do reboot in a root shell it says command not found

[Giinx]

after checking im pretty sure power button + refresh key is fine btw Im only clicking it for a millisecond

[nolirium]

after checking im pretty sure power button + refresh key is fine btw Im only clicking it for a millisecond

Yeah, it was probably fine then - you would have had to have been holding them down for a moment to hard reset, and IIRC the screen normally flashes white briefly, so you'd have probably noticed. But there's no need to press the refresh button anyway, so...

when I do reboot in a root shell it says command not found

Were you doing it in a root shell, or as chronos@localhost, though?

Just to clarify, within the Chrome OS shell terminal:

This is the Chrome OS regular user shell prompt: chronos@localhost / $

This is the Chrome OS root user shell prompt: localhost / #

(If you try to run a command and you get a permission error, or if it says command not found, sometimes it's because you're in the shell as a regular user (in this case, chronos). If so, you can change to root with sudo su).

Apologies if this is all stating the obvious.

Anyway... Are you still in the same situation? Have you rebooted (either way) since you ran the last script?

[Giinx]

yup still having the same issue guess its time to reset and start over.. god.

[Giinx]

did a powerwash and now I cant get playstore working again it's getting really annoying, even though I ran the command to restore the unrooted android container

[nolirium]

did a powerwash and now I cant get playstore working again it's getting really annoying, even though I ran the command to restore the unrooted android container

So Android isn't loading at all after a powerwash? What is happening, just the loading graphic constantly spinning? You might try taking a look at logcat if you can get into android-sh from the Chrome OS root shell

printf logcat | android-sh

just to see if it is looping or frozen (normally it's constantly updating).

You could also try double checking that the restore command worked (by listing the files in /opt/google/containers/android)

ls -alt /opt/google/containers/android/

The nuclear option would be to either switch release channel, or do a restore with the Recovery Utility. Recovery should pretty much always work, as it'll download the whole OS again, and the release channel change usually works (but in certain situations can fail). A powerwash only deletes user files, mainly.

[Giinx]

google services just wont work anymore for some reason I attached 2 pictures of how the playstore is behaving, if I close it and try to reopen it, it simply doesnt open and goes into infinite loop

[Giinx]

Should I try going into the dev channel?

[nolirium]

In your first image there, you are trying to run the command printf logcat | android-sh as chronos, but it needs to be done in a root Chrome OS shell (do sudo su first).

Should I try going into the dev channel?

That should work, but first you could maybe just try toggling between Enforcing and Permissive SELinux again, then rebooting.

Again in a root Chrome OS shell, If you do grep SELINUX= /etc/selinux/config again, if it still shows as 'Permissive', you can change it back to 'Enforcing' (its original state) with:

sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config

[Giinx]

alright give me a bit I'll get it sorted now I'll go into dev channel then back to stable that should work and then when google services work again I'll go through all the steps again to root it okay? I'll keep you updated

[nolirium]

alright give me a bit I'll get it sorted now I'll go into dev channel then back to stable that should work and then when google services work again I'll go through all the steps again to root it okay? I'll keep you updated.

Seems like a good plan. Although, without wanting to add a whole other layer of potential confusion, I should also just mention in case you weren't aware that Chrome OS uses an A/B partition system for updates, i.e. lets say you start off on partition 3, the next update sets a kernel flag so you will be using partition 5 after rebooting, and after the next update on partition 3, and so on.

They do this so they can apply updates smoothly, and in normal use for the most part it works fine, but occasionally it can lead to messed up/confusing situations when removing root verification/modifying system files & rebooting. Going stable>dev>stable should be fine, but I thought I'd mention the A/B partition system just in case.