topjohnwu / Magisk

The Magic Mask for Android
GNU General Public License v3.0

Oppo Find X (Stock Pie and greater) needs AVB 2.0 image signing #2491

Closed 0x192 closed 3 years ago

0x192 commented 4 years ago

First, I'd like to thank you all for your hard work (and especially @topjohnwu). Magisk is great! This is the first time I haven't managed to root a phone with Magisk.

Device model: Oppo Find X PAFM00
ROM: Stock ROM (ColorOS 6 / Android Pie)

Oppo Find X is not A/B and is system-as-root (SAR) so the only method is to patch recovery.img.

  1. I patched recovery.img with Magisk Manager Stable/Canary ---> no error
  2. I flashed _patchedrecovery.img ---> no error
  3. I rebooted through recovery as explained in the install guide ---> no bootloop

Issue: Magisk is not installed and the device is not rooted.

I can't grab Magisk log from /cache/ as the device is not rooted.

Attachments: stock recovery.img, patched recovery.img, logcat.log (just in case)

a447948814 commented 4 years ago

It's like this: https://github.com/topjohnwu/Magisk/issues/2514

0x192 commented 4 years ago

@a447948814

I don't think so. Oppo Find X doesn't have dynamic partitions.

osm0sis commented 4 years ago

Did you try patching the boot.img? Some devices accept the added ramdisk after Magisk patches the kernel, even when they don't have one to begin with.

carodiohp34 commented 4 years ago

First, we tried patching boot.img, but at reboot we got the error message "the current image (boot/recovery) have been destroyed and can not boot. please flash the correct image or contact customer service to fix it".

osm0sis commented 4 years ago

I think we'll need @topjohnwu to take a look at this one. I don't see anything in that logcat, but I could be missing something.

osm0sis commented 4 years ago

Have you checked xda? Has anyone else managed to root your device? Does any older version of Magisk work?

carodiohp34 commented 4 years ago

Yes, I'm on XDA, but since ColorOS 6 nobody has been active. When I got my phone (Oppo Find X) it was on ColorOS 5.2 (Android Oreo). I rooted it and it worked fine. I updated my phone to ColorOS 6 and now root doesn't work. 0x192 helped me to find a solution; we did many tests and now we are at this point. We tested many Magisk Manager versions. One other thing: I don't have a button combination to access recovery. I can only get to fastboot by pressing "power + vol-"; "power + vol+" does nothing.

osm0sis commented 4 years ago

Please provide a dmesg and logcat of the device booting to the patched recovery (patched with latest Canary), then hopefully @topjohnwu can take a look for you.

carodiohp34 commented 4 years ago

Logcat is in the first message.

osm0sis commented 4 years ago

And now a dmesg? Plus I specifically said the latest Canary, which wasn't out when that was posted.

Please provide what is required to debug this and potentially add support for your device, or I'll be forced to close it for not enough information.

carodiohp34 commented 4 years ago

Ok, I'll contact 0x192 to find out how to do the manipulation. He is the one who guides me through the process. Thank you.

carodiohp34 commented 4 years ago

logcat.log

When I did the manipulation to extract dmesg, it told me "access denied". I have the latest Canary. Thanks.

0x192 commented 4 years ago

@osm0sis

Logcat changed with the latest Canary. I'm not skilled enough to help, but the keystore error intrigues me:

E//system/bin/keystore( 1503): Keymaster reported error: -10003
E//system/bin/keystore( 1503): NOTE: This is an error in the vendor specific error range.

shakalaca commented 4 years ago

@0x192 what's the content of /sbin after booting with the patched recovery? And can you upload the output of 'getprop'? :)

0x192 commented 4 years ago

We have something VERY weird. @carodiohp34 has an empty /sbin directory! That seems crazy to me, but in an adb shell, ls -a /sbin really returns nothing!

I guess I should have checked the content of this directory before opening this issue.

How can an Android phone work correctly without /sbin?

At this point, I don't think getprop really matters but here it is.

osm0sis commented 4 years ago

Are you sure it wasn't just that you don't have permissions? E.g.

:/ $ ls -a /sbin
ls: /sbin: Permission denied
1|:/ $

What happens if you type magisk on the command line after booting up with the patched recovery?

0x192 commented 4 years ago

Are you sure it wasn't just that you don't have permissions? E.g.

That's what I thought first, but no. :/ $ ls -a /sbin returns . and .. so no permission issue.

What happens if you type magisk on the command line after booting up with the patched recovery?

I guess if there is no .magisk in the /sbin, magisk will be an unrecognized command. Let's wait for the @carodiohp34's response.

shakalaca commented 4 years ago

From the output of 'getprop' I know that the services of Magisk were not created, plus /sbin is empty, so there might be something wrong during the early_mount stage. @0x192 @carodiohp34 what's the output of 'mount' with / without Magisk patched?

carodiohp34 commented 4 years ago

I posted the mount files after patching the recovery file and rebooting the phone: 5 mount.txt

mirsella commented 4 years ago

For me on MIUI the flashing process went fine without errors, but Magisk Manager said Magisk was not installed. I fixed it by doing a clean flash of my ROM. AFAIK, since ColorOS is heavily modified like MIUI, doing a fastboot flash can fix it.

shakalaca commented 4 years ago

The first recovery.img @0x192 provided is TWRP: omni_findx-eng 8.1.0 OPM4.171019.021.Y1 eng.wuxian.20180924.093540 test-keys

and from the logcat the fingerprint is: OPPO/PAFM00/PAFM00:10/QKQ1.191008.001/1584340226:user/release-keys

so this is Android 10 with TWRP installed, right? Or are there two different setups?

carodiohp34 commented 4 years ago

We extracted the recovery.img (omni findx...) from the ColorOS 5.2 ROM. When I had this ROM on my Find X, it was rooted. When I updated to ColorOS 6, I asked 0x192 to help me root the phone, and we had problems. Now I have ColorOS 7 (Android 10) on my phone. I uploaded the files after patching the recovery yesterday, but I don't have TWRP installed. Perhaps 0x192 can tell you much more; he knows the subject better than me. (This phone is mine.)

shakalaca commented 4 years ago

We extracted the recovery.img (omni findx...) from the ColorOS 5.2 ROM. When I had this ROM on my Find X, it was rooted. When I updated to ColorOS 6, I asked 0x192 to help me root the phone, and we had problems. Now I have ColorOS 7 (Android 10) on my phone. I uploaded the files after patching the recovery yesterday, but I don't have TWRP installed. Perhaps 0x192 can tell you much more; he knows the subject better than me. (This phone is mine.)

That's fine, could you upload the recovery.img you are using right now? :)

carodiohp34 commented 4 years ago

I don't know how to extract the new recovery. We can't find it in the coloros7.ozip file. We found the ColorOS 5.2 one because there was a recovery.img file in it, but there is none in the coloros7.ozip. If you know where this file is...

0x192 commented 4 years ago

@shakalaca

This phone is weird. @carodiohp34 managed to root it with an unofficial TWRP + SuperSU (patched for the device) back when it ran ColorOS 5.2 (Oreo). After upgrading to ColorOS 6 (Pie) by flashing the official firmware, TWRP was replaced by the official recovery and the root was lost (normal behavior).

@carodiohp34 asked me for help because SuperSU was not updated for Android 9+, so he obviously couldn't root his device.

The weird thing is that the device is not A/B and is SAR (verified via ADB), so how the hell is it possible that he succeeded in rooting the phone by flashing SuperSU in TWRP??

As for the recovery.img, we dumped the /recovery partition while running rooted ColorOS 5. All OTA firmwares are incremental and none include the recovery.img so this was the only way to fetch it.

So basically we can't upload the current recovery.img :/

so this is Android 10 with TWRP installed, right ? or there are two different settings ?

The unofficial TWRP used was only patched for Android 8 (ColorOS 5). So right now the phone has either the ColorOS 5.2 official recovery patched (with Magisk) or the unpatched official recovery.

Maybe the recovery.img we have (from ColorOS 5.2) and use for patching is no longer compatible with newer ColorOS firmwares, BUT given that none of the OTA updates includes recovery.img, I let myself think that the recovery wasn't updated.

Another weird thing again: @carodiohp34 told me recently that the layout of the recovery changed after upgrading to ColorOS 7, so it means that the recovery.img was updated. Yet there is no recovery.img in the OTA zip file...

osm0sis commented 4 years ago

On older versions of Android, recovery gets created using boot.img and an image patch to create the ramdisk on every boot by recovery-from-boot.p.

How did you get the unofficial TWRP to boot before? No way to get it to boot now?

Is the device bootloader unlocked or have you just been hacking images to pass bootloader checks on previous OS versions?

It sounds like the latter, which unfortunately makes this device-specific and outside the scope of Magisk to resolve, though we'll help how we can here.

carodiohp34 commented 4 years ago

bootloader is unlocked.

osm0sis commented 4 years ago

Then why can't you get that unofficial TWRP to boot anymore?

carodiohp34 commented 4 years ago

I don't know if I can use this TWRP with Android 10. It worked with Android 9. If I can use it with Android 10, I'll use it. I prefer to wait for 0x192 to explain the problem. :)

osm0sis commented 4 years ago

What do you mean if? Test it. It might not be able to decrypt userdata, but it might be able to flash Magisk over your stock recovery.

I recommend trying the 20302 Canary zip since we've had some reports of other regressions with recovery mode starting at 20303 that we're trying to track down.

https://github.com/topjohnwu/magisk_files/commit/6207bf227496c7bd1601c29b7bb40433cef4ed28

osm0sis commented 4 years ago

It might be worth trying 20405 as well since all the init logic had a rewrite.

carodiohp34 commented 4 years ago

Excuse me for the wait, but I have had no news from @0x192. I prefer to wait for him to do the manipulation. Thanks!! :) :)

aditgani21 commented 4 years ago

Same issue on Vivo Y17 (SAR device), Android Pie 😭

bareahmad commented 4 years ago

Root

osm0sis commented 4 years ago

Well sounds like you guys aren't willing to try and help fix this, so it's an abandoned issue and I'm closing it.

wchdsk commented 4 years ago

Got the same problem and solved it: need to add a hash footer with avbtool.

Model: Oppo Find X PAHM00
ROM: Stock ROM ColorOS 7.1 (Android 10)
Bootloader unlocked by deeptesting

Process:

  1. Get the boot.img from the official OTA zip
  2. Patch it with Magisk Manager
  3. Generate a private key with OpenSSL and add a hash footer with avbtool
  4. Flash the patched boot image, and Magisk is installed

Even with an unlocked bootloader, it still checks the partition hash in the footer.

osm0sis commented 4 years ago

@wchdsk great find!

Can you check if it's actually matching the hash? Copy a hash over from stock signed boot.img to your magisk_patched.img using a hex editor and please see if it'll boot.

wchdsk commented 4 years ago

@osm0sis Worked, and I tried several ways:

  1. Modify some strings in magisk_patched_signed.img but don't resign it ---- booted
  2. Replace the magisk_patched_signed.img hash footer with the one from stock boot.img ---- booted
  3. Resize magisk_patched.img to 0x4000000, add AVB0 (from stock boot.img) at any blank place, add AVBf (from stock boot.img) at the end of the image and fix the offset ---- booted

The bootloader may only check whether the partition was signed when unlocked.

osm0sis commented 4 years ago

Cool, so even if actually AVB 2.0 signing isn't possible on device (Python requirement) making some dummy additions to fake it will still be accepted by these "unlocked" but "enforcing" bootloaders. Could be a viable workaround worth implementing. :+1:

CC: @topjohnwu

effek70 commented 4 years ago

I have an Oppo Find X PAFM00, 2nd hand unit. I wiped and also formatted the data; then after reboot, before installing new apps/data, it's asking for the Oppo ID password of the previous owner (who I have no idea where he is now, and the contact number he gave me cannot be reached). Now... my question is why is it asking for the previous owner's password since I wiped, erased and formatted the data? I tried to flash the stock ROM in the recovery, but it stops in the middle and fails. Here are some pictures from the recovery. Thanks..

makemefeelgr8 commented 3 years ago

Process:

  1. Get the boot.img from the official OTA zip
  2. Patch it with Magisk Manager
  3. Generate a private key with OpenSSL and add a hash footer with avbtool
  4. Flash the patched boot image, and Magisk is installed

Thanks, it did work for me. I was able to install Magisk without the boot.img from the OTA. Let me provide more details:

  1. Create a backup of boot partition using TWRP.
  2. Patch it using Magisk Manager (recovery mode unchecked).
  3. Split the resulting file into two 32MB ones (I used the split -b 32M magisk_boot.img command; Linux, WSL, Cygwin and Git Bash should have it). Remove the 2nd file (it's just filled with zeroes, no actual data there).
  4. Generate a private key using openssl: openssl genrsa -out rsa.private 1024
  5. Use avbtool to add a hash footer to the 1st half of the split file. The Windows version did not work for me, so I ended up using a WSL one: avbtool add_hash_footer --image "/mnt/c/android/magisk_split_boot.img" --partition_size 67108864 --partition_name boot --key "/mnt/c/android/rsa.private"
  6. Flash generated boot image with fastboot.

The process is pretty straightforward, so it would be great if it could be automated with Magisk Manager.
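Added example, not Magisk's code nor any commenter's: a small Python parser for the AVB 2.0 footer and hash descriptor that wchdsk's finding and makemefeelgr8's avbtool procedure above revolve around. add_hash_footer builds a constructed, unsigned (algorithm NONE) sample image in the layout avbtool produces, has_footer_magic is the presence-only check the thread observed this bootloader doing, and verify_hash_footer is what a full verifier does: it walks footer -> vbmeta -> hash descriptor and recomputes the salted digest, so the tampered-but-not-resigned image that the device accepted (wchdsk's test 1) is reported as a mismatch. Struct layouts follow libavb; the 4 KiB vbmeta alignment, partition size and sample payload are assumptions.

```python
import hashlib
import struct

FOOTER_FMT = "!4s2L3Q28s"            # AvbFooter: 64 bytes at the very end of the partition
HEADER_FMT = "!4s2L2QL11Q2L47sx80s"  # AvbVBMetaImageHeader: 256 bytes
HASH_DESC_FMT = "!QQQ32s4L60s"       # AvbHashDescriptor fixed part: 132 bytes, then name, salt, digest
HASH_DESC_TAG = 2

def add_hash_footer(payload, partition_size, name=b"boot", salt=bytes(32)):
    """Constructed sample: an unsigned (algorithm NONE) hash footer laid out like avbtool's."""
    digest = hashlib.sha256(salt + payload).digest()
    tail = name + salt + digest
    nbf = (116 + len(tail) + 7) // 8 * 8  # bytes after the 16-byte descriptor header, 8-aligned
    desc = struct.pack(HASH_DESC_FMT, HASH_DESC_TAG, nbf, len(payload), b"sha256", len(name),
                       len(salt), len(digest), 0, bytes(60)) + tail + bytes(nbf - 116 - len(tail))
    # No authentication block (algorithm 0 = NONE); the aux block holds only this descriptor.
    header = struct.pack(HEADER_FMT, b"AVB0", 1, 0, 0, len(desc), 0,
                         0, 0, 0, 0, 0, 0, 0, 0, 0, len(desc), 0, 0, 0, b"constructed", bytes(80))
    vb_off = (len(payload) + 4095) // 4096 * 4096  # assumption: vbmeta on the next 4 KiB boundary
    footer = struct.pack(FOOTER_FMT, b"AVBf", 1, 0, len(payload), vb_off, len(header) + len(desc), bytes(28))
    body = payload + bytes(vb_off - len(payload)) + header + desc
    return body + bytes(partition_size - 64 - len(body)) + footer

def has_footer_magic(image):
    """The presence-only check the thread observed: is there any 'AVBf' footer at all?"""
    return len(image) >= 64 and image[-64:-60] == b"AVBf"

def verify_hash_footer(image):
    """Full verifier (footer -> vbmeta -> hash descriptor -> salted digest); returns (status, algorithm_type, partition_name), algorithm 0 = unsigned."""
    if not has_footer_magic(image):
        return ("no_footer", None, None)
    _, _, _, _, vb_off, vb_size, _ = struct.unpack(FOOTER_FMT, image[-64:])
    vb = image[vb_off:vb_off + vb_size]
    if len(vb) < 256 or vb[:4] != b"AVB0":
        return ("bad_vbmeta", None, None)
    h = struct.unpack(HEADER_FMT, vb[:256])
    auth_size, alg, desc_off, desc_size = h[3], h[5], h[14], h[15]
    descs = vb[256 + auth_size + desc_off:256 + auth_size + desc_off + desc_size]
    pos = 0
    while pos + 16 <= len(descs):
        tag, nbf = struct.unpack_from("!QQ", descs, pos)
        if tag == HASH_DESC_TAG:
            d = struct.unpack_from(HASH_DESC_FMT, descs, pos)  # d[2]=image_size d[3]=algo d[4:7]=lengths
            p = pos + 132
            name, salt = descs[p:p + d[4]], descs[p + d[4]:p + d[4] + d[5]]
            digest = descs[p + d[4] + d[5]:p + d[4] + d[5] + d[6]]
            calc = hashlib.new(d[3].rstrip(b"\0").decode(), salt + image[:d[2]]).digest()
            return ("ok" if calc == digest else "digest_mismatch", alg, name.decode())
        pos += 16 + nbf
    return ("no_hash_descriptor", alg, None)
```

Run verify_hash_footer over a real boot partition dump and an algorithm_type of 0 tells you at once that the footer carries no signature, which is exactly the state this bootloader accepts.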

effek70 commented 3 years ago

Wow 👏 !!! Thanks you so much. Its really great. Much appreciated for the info.

osm0sis commented 3 years ago

Try with 22003? This is possibly resolved in https://github.com/topjohnwu/Magisk/commit/027ec7026252bf1615c19205855ae58a79f1225e

topjohnwu commented 3 years ago

It should be, closed