nolirium / aroc

Android root on Chrome OS
GNU General Public License v3.0

Can not remove root verification on Chrome OS v70 #8

Open jbardi opened 5 years ago

jbardi commented 5 years ago

The process no longer works on Chrome OS v70 stable.

Technically this issue is not related to your script, because I have to remove root verification before I can even attempt to run your script, but I was hoping you may have an idea of how I might fix no longer being able to remove root verification since the v70 upgrade.

After upgrading to v70 the --remove_rootfs_verification no longer works. v70 installed to the alternate rootfs using kernel B on partition 4, and running rootdev -s shows me /dev/mmcblk0p5, so I ran the following command:

sudo /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --partitions 4

When run, it shows the proper output as below:

make_dev_ssd.sh: INFO: Kernel B: Disabled rootfs verification.
make_dev_ssd.sh: INFO: Backup of Kernel B is stored in: /mnt/stateful_partition/backups/kernel_B_20181101_143134.bin
make_dev_ssd.sh: INFO: Kernel B: Re-signed with developer keys successfully.
make_dev_ssd.sh: INFO: Successfully re-signed 1 of 1 kernel(s) on device /dev/mmcblk0

However, when I reboot and then attempt to run the RootandSEpatch.sh it tells me that it is read only and that I have to remove root verification. I have tried over and over, and it's a catch-22 as it never really removes root verification. I've been using your root script since version 63 I believe, but this is the first time I have been unable to remove root verification.

I have also tried the dev tool to remove verification as suggested in another forum:

sudo /usr/libexec/debugd/helpers/dev_features_rootfs_verification

That command is supposed to determine the rootfs and kernel pair being used and remove the root verification from the correct partition.

When typing the mount command, it shows that the partition is mounted rw, but it still does not work. This is the output of the mount command for the rootfs that is running on partition 4:

/dev/mmcblk0p5 on / type ext2 (rw,relatime,seclabel)

I am running an ASUS Chromebook Flip C302

mmirg commented 5 years ago

I don't believe this is a problem of disabling root verification but rather that CrOS no longer mounts the root directory as writeable. I modified my script to touch /etc to verify whether root verification is disabled and the rest continues to run properly. At least until you update to CrOS 71 and more of the filesystem becomes unwriteable.

jbardi commented 5 years ago

Awesome!! Since you verified the rootfs verification was not the problem and the script can still write to the necessary directories, I simply removed the rootfs check from my script altogether and everything worked perfectly. If v71 stable is finally unable to be rooted, I'll be stuck on v70 for the foreseeable future.

Thanks for the information, I can relax now, at least for the next 6 weeks until v71 lol

mmirg commented 5 years ago

CrOS v71 can still be rooted with the scripts but I'm yet to figure out how to enable an rw root filesystem in the Android container. I don't know that this is a problem per se (beyond the conceptual injustice and not being able to use one's device as they like) as I'm under the impression that this is the norm for Android now and that contemporary superuser toolkits like Magisk use bind mounts and other techniques to bypass the ability to write directly to the root filesystem. It's not clear to me to what degree this type of approach is portable to the containerized Android in Chrome OS.

On November 1, 2018 11:26:27 PM UTC, jbardi notifications@github.com wrote:

> Since you verified the rootfs verification was not the problem and the script can still write to the necessary directories, I simply removed the rootfs check from my script altogether and everything worked perfectly. If v71 stable is finally unable to be rooted, I'll be stuck on v70 for the foreseeable future.
>
> Thanks for the information, I can relax now, at least for the next 6 weeks until v71 lol

jbardi commented 5 years ago

Yeah, my Chromebook is the only device I have that still uses that standard superuser process. All of my other devices exclusively use systemless root, which has many more benefits beyond the obvious. I would love to see a way to implement Magisk into the Android container.

nolirium commented 5 years ago

> I don't believe this is a problem of disabling root verification but rather that CrOS no longer mounts the root directory as writeable. I modified my script to touch /etc to verify whether root verification is disabled and the rest continues to run properly.

Oh, interesting, so you are both saying that CrOS isn't letting the "touch /.this" command succeed any more? I wonder if this could be specific to Intel/x64 (maybe Crostini supporting?) devices at the moment, as it doesn't seem to be occurring on my armv7 Chromebook in v72 dev currently? (Although to be certain I would perhaps need to wipe it and then go through the various channels to actually check and confirm).

In any case, perhaps I should switch out the script's current rootfs check with something like the below, which, if I understand correctly, would work on your device/s at the moment?

check_writeable_rootfs() {

  # Remove any stale probe file left over from an earlier run.
  if [ -e /etc/aroc_writable_test ]; then
    rm /etc/aroc_writable_test
  fi

  # Try to create the probe file; errors are silenced and checked below.
  touch /etc/aroc_writable_test 2> /dev/null

  # If the file was not created, /etc is not writable.
  if [ ! -e /etc/aroc_writable_test ]; then
    echo "Error!"
    echo "Unable to modify system!"
    echo "You can disable rootfs verification by running the following command, then rebooting."
    echo "sudo /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --partitions $(( $(rootdev -s | sed -r 's/.*(.)$/\1/') - 1))"
    echo "Please run the \"remove_rootfs_verification\" command now, then reboot and run this script again."
    exit 1
  fi

  rm /etc/aroc_writable_test

}

mmirg commented 5 years ago

Yup, that's pretty much what I'm doing now. I noticed that /etc isn't writeable without root fs verification removed so I chose that as a candidate directory. Thanks for the update.
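
The two checks discussed in this thread, as an added example that is not code from the thread or from the aroc project: deriving the kernel partition number from the `rootdev -s` output, and telling apart "/ is writable", "only /etc is writable" (the v70 case reported above) and "nothing is writable". The function names and the `.rw_probe` file name are hypothetical, and the directories are parameters so the logic can be tried on scratch directories.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of aroc.

# Map a root device path (as printed by `rootdev -s`) to the kernel partition
# number just before it, e.g. /dev/mmcblk0p5 -> 4. Unlike taking only the last
# character of the path, this also handles multi-digit partition numbers.
kernel_partition_for() {
    part=$(printf '%s\n' "$1" | sed -n 's/.*[^0-9]\([0-9][0-9]*\)$/\1/p')
    [ -n "$part" ] && [ "$part" -gt 1 ] || return 1
    echo $((part - 1))
}

# Succeed only if a file can actually be created in directory $1.
# mktemp picks a unique name, so no existing file is touched or removed.
probe_writable() {
    [ -d "$1" ] || return 1
    probe=$(mktemp "$1/.rw_probe.XXXXXX" 2> /dev/null) || return 1
    rm -f "$probe"
}

# Classify the write state. Arguments default to / and /etc.
rootfs_write_state() {
    root_dir=${1:-/}
    etc_dir=${2:-/etc}
    if probe_writable "$root_dir"; then
        echo "root-writable"
    elif probe_writable "$etc_dir"; then
        # The v70 situation described in the thread: /etc accepts writes
        # even though the root directory itself does not.
        echo "etc-only"
    else
        # Neither location accepts writes; per the thread, /etc stays
        # unwritable while rootfs verification is still in place.
        echo "read-only"
    fi
}
```

On a device, `kernel_partition_for "$(rootdev -s)"` yields the value to pass to `--partitions`, and `rootfs_write_state` with no arguments probes / and /etc.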