Related
Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally include signed boot images. Of course this does not mean that all signed boot images are using AVB, many OEMs have their own signature verification scheme.
Note: AOSP is moving towards the use of avbtool (taken from Brillo), the following is the old way for signing boot images.
Bootloaders might or might not accept unsigned boot images, and might or might not accept boot images signed with our own keys (rather than the OEM's keys). This depends on the device, bootloader version, and bootloader unlock state.
For example, with the bootloader unlocked, the Google Pixel (and XL) devices accepted unsigned boot images up to (but not including) the May 2017 release. From the May 2017 release onwards, the boot images must be signed if flashed (booted works without), but may be signed with your own key rather than the OEM's.
Note: The situation changes when you re-lock the bootloader. I have not tested this, but documentation implies that (one of) the keys used in the current boot image must be used for future flashes until it is unlocked again.
Generating custom signing keys
The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.
Code:
# private key
openssl genrsa -f4 -out verifiedboot.pem 2048
openssl pkcs8 -in verifiedboot.pem -topk8 -outform DER -out verifiedboot.pk8 -nocrypt
# public key
openssl req -new -x509 -sha256 -key verifiedboot.pem -out verifiedboot.x509.pem
openssl x509 -outform DER -in verifiedboot.x509.pem -out verifiedboot.x509.der
For future signings, you do not need the .pem files, and they can safely be deleted once the .pk8 and .der files are generated. In AOSP's implementation, they were never even written to disk in the first place.
Security-wise, documentation states it is advisable to use a different set of keys for each device you support; though obviously this doesn't matter much if the device is running with the bootloader in unlocked state.
Signing the boot image
Download the attached BootSignature.jar file (built from AOSP sources), and sign the boot image using the keys generated above with the following commands:
Code:
java -jar BootSignature.jar /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img
java -jar BootSignature.jar -verify boot_signed.img
Instead of /boot, /recovery and other values may be used. Their use should be obvious.
From Android
Attached is also BootSignature_Android.jar, which is a version ProGuard-reduced against SDK 21 and then dexed. Provided /system is mounted as is usual on Android (on the Pixel (XL), TWRP mounts this differently by default!), it can be used like this:
Code:
dalvikvm -cp BootSignature_Android.jar com.android.verity.BootSignature /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img
dalvikvm -cp BootSignature_Android.jar com.android.verity.BootSignature -verify boot_signed.img
The base command can be extended as follows to make it able to run without any precompiled files present on the device:
Code:
/system/bin/dalvikvm -Xbootclasspath:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/bouncycastle.jar -Xnodex2oat -Xnoimage-dex2oat -cp BootSignature_Android.jar com.android.verity.BootSignature ...
Flashable ZIP
Attached is also VerifiedBootSigner.zip, this is a flashable ZIP for FlashFire/TWRP/etc that signs the currently flashed boot image, if it isn't signed already. You can simply flash this after installing a SuperSU version or custom boot image or whatever that doesn't sign the boot image itself already.
I've tried to make it very portable (borrowing ample script from the SuperSU ZIP, as well as its signing keys), but I have only tested it on my Pixel XL.
Note that it does depend on Android files in the system partition, so if (aside from the unsigned boot image) your system isn't functional, the ZIP may not work either.
If the boot image is already signed when you flash the ZIP, it will offer to abort or force re-sign.
If you place custom.pk8 and custom.x509.der files inside the ZIP, these keys will be used for flashing instead of SuperSU's default keys. Additionally, /tmp/avb/custom.pk8 and /tmp/avb/custom.x509.der will override any keys from the ZIP.
There is some more documentation in the update-binary file inside the ZIP as well.
Note: If you're using TWRP's manual slot selection on the Pixel (XL), you must be using TWRP-v3.1.0-RC2 or newer, or it will not work as expected.
Todo
- test what happens when the bootloader is re-locked on multiple devices supporting AVB
- test what happens when dm-verity is kept enabled on a custom/modified boot image with a different image signature than dm-verity signature
-reserved-
*finally my dream come true, btw, nice job on doing this, keep it up man*
Super great
Great write up! So I take it we can no longer distribute kernel images without first integrating them into the boot image and then signing it? That negates the whole point of being able to flash the kernel individually with fastboot!
thank God Chanifire hasnt left us entirely!!!
This gives me hope my Pixel isn't dev dead. Thank you, CF!
@Chainfire you not going to reply but still, you are responsible i have faith in Android... Development is most of the times happens because of you ....It always revolves around you ... One man army i would say. Thank you for all your works. We all owe you a lot...
Is it possible to create the signature for boot bundle with openssl alone (i.e. without this BootSignature.jar ) ?
Wasn't self-signing boot images already kind of possible?
cr2 said:
Is it possible to create the signature for boot bundle with openssl alone (i.e. without this BootSignature.jar ) ?
Click to expand...
Click to collapse
Not just with openssl, no. How the boot signature works is not properly documented, but of course you could read the source in AOSP and make your own version.
mirhl said:
Wasn't self-signing boot images already kind of possible?
Click to expand...
Click to collapse
Apart from both of these things talking about signatures, they are unrelated. However, self-signing images has been supported for quite a while on several devices, it just wasn't required. CopperheadOS - as far as I know - is the only project that has actively been using it until now.
is it possible to sign the boot image in recovery?
Hi @Chainfire ! Thank you for this great find (and for everything else what you have done for us during the last years )!!
I would like to ask one question... Do you think it would be possible to sign the boot image on the fly in recovery? For example when changing the recovery image, before flashing the boot image back?
Your instructions use "dalvikvm" on android, and I ran the command successfully under a running android system. But what about recovery ?
I would be interested in your thoughts on this
Or am I completely wrong, and images "dumped" via dd can't be signed and flashed back?
I would really appreciate if you could point me in the right direction, how it could be possible to do this. (create an executable instead of the BootSignature.jar file? leave this, because it is not possible? start a java vm under recovery? ....)
Thanks in advance!
gubacsek said:
Hi @Chainfire ! Thank you for this great find (and for everything else what you have done for us during the last years )!!
I would like to ask one question... Do you think it would be possible to sign the boot image on the fly in recovery? For example when changing the recovery image, before flashing the boot image back?
Your instructions use "dalvikvm" on android, and I ran the command successfully under a running android system. But what about recovery ?
I would be interested in your thoughts on this
Or am I completely wrong, and images "dumped" via dd can't be signed and flashed back?
I would really appreciate if you could point me in the right direction, how it could be possible to do this. (create an executable instead of the BootSignature.jar file? leave this, because it is not possible? start a java vm under recovery? ....)
Thanks in advance!
Click to expand...
Click to collapse
Yes, this is possible - I have already tested this on my PIxel XL. SuperSU ZIP will do exactly this in a future update, and @Dees_Troy is also aware of all of this, so I assume TWRP will be updated to do this sooner or later as well.
If I can find the time I'll make a ZIP that does this.
Chainfire said:
Yes, this is possible - I have already tested this on my PIxel XL. SuperSU ZIP will do exactly this in a future update, and @Dees_Troy is also aware of all of this, so I assume TWRP will be updated to do this sooner or later as well.
If I can find the time I'll make a ZIP that does this.
Click to expand...
Click to collapse
Okay! I am very curious about how you solve it... Until then, I'll experiment a bit further
Can't wait to see your result!
Thanks! And have a very nice weekend!
I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.
gubacsek said:
Okay! I am very curious about how you solve it... Until then, I'll experiment a bit further Can't wait to see your result!
Click to expand...
Click to collapse
Chainfire said:
I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.
Click to expand...
Click to collapse
Thank you so much, it worked beautifully on my VZW Pixel with the May update.
:good: working fine on the May update with May bootloader, FK, TWRP and SuperSU
Outstanding as usual!
Chainfire said:
I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.
Click to expand...
Click to collapse
I almost got it I could install TWRP and root but only by signing the boot images on my laptop...
I had a few errors (mounting /system did create a /system/system mount point, and I tried to copy the dalvikvm binary to the zip ), and I wouldn't ever have thought of clearing LD_LIBRARY_PATH
Thank you very much for this solution, and your time spent on this! I learnt a lot today
Nice job!
Chainfire said:
Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally include signed boot images. Of course this does not mean that all signed boot images are using AVB, many OEMs have their own signature verification scheme.
Note: AOSP is moving towards the use of avbtool (taken from Brillo), the following is the old way for signing boot images.
Bootloaders might or might not accept unsigned boot images, and might or might not accept boot images signed with our own keys (rather than the OEM's keys). This depends on the device, bootloader version, and bootloader unlock state.
For example, with the bootloader unlocked, the Google Pixel (and XL) devices accepted unsigned boot images up to (but not including) the May 2017 release. From the May 2017 release onwards, the boot images must be signed if flashed (booted works without), but may be signed with your own key rather than the OEM's.
Note: The situation changes when you re-lock the bootloader. I have not tested this, but documentation implies that (one of) the keys used in the current boot image must be used for future flashes until it is unlocked again.
Generating custom signing keys
The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.
For future signings, you do not need the .pem files, and they can safely be deleted once the .pk8 and .der files are generated. In AOSP's implementation, they were never even written to disk in the first place.
Security-wise, documentation states it is advisable to use a different set of keys for each device you support; though obviously this doesn't matter much if the device is running with the bootloader in unlocked state.
Signing the boot image
Download the attached BootSignature.jar file (built from AOSP sources), and sign the boot image using the keys generated above with the following commands:
Instead of /boot, /recovery and other values may be used. Their use should be obvious.
From Android
Attached is also BootSignature_Android.jar, which is a version ProGuard-reduced against SDK 21 and then dexed. Provided /system is mounted as is usual on Android (on the Pixel (XL), TWRP mounts this differently by default!), it can be used like this:
Flashable ZIP
Attached is also VerifiedBootSigner.zip, this is a flashable ZIP for FlashFire/TWRP/etc that signs the currently flashed boot image, if it isn't signed already. You can simply flash this after installing a SuperSU version or custom boot image or whatever that doesn't sign the boot image itself already.
I've tried to make it very portable (borrowing ample script from the SuperSU ZIP, as well as its signing keys), but I have only tested it on my Pixel XL.
Note that it does depend on Android files in the system partition, so if (aside from the unsigned boot image) your system isn't functional, the ZIP may not work either.
Todo
- test what happens when the bootloader is re-locked on multiple devices supporting AVB
- test what happens when dm-verity is kept enabled on a custom/modified boot image with a different image signature than dm-verity signature
Click to expand...
Click to collapse
So are Samsungs latest devices now using this. Reason I ask is because in the S8 and Tab S3 stock firmware there is a META-DATA folder in the AP firmware tar. Inside is a fota.zip containing various folders with all sorts of utilities and files, one of which is BootSignature.jar.
It seems it is required to flash the META-DATA folder with the boot.img in ODIN or it will not boot. So I'm guessing the boot.img is being signed as part of the flashing process?
ashyx said:
So are Samsungs latest devices now using this. Reason I ask is because in the S8 and Tab S3 stock firmware there is a META-DATA folder in the AP firmware tar. Inside is a fota.zip containing various folders with all sorts of utilities and files, one of which is BootSignature.jar.
It seems it is required to flash the META-DATA folder with the boot.img in ODIN or it will not boot. So I'm guessing the boot.img is being signed as part of the flashing process?
Click to expand...
Click to collapse
Possibly. Which S8 are you talking about? I thought there was already working TWRP for S8 Exynos that didn't require anything special?
Chainfire said:
Possibly. Which S8 are you talking about? I thought there was already working TWRP for S8 Exynos that didn't require anything special?
Click to expand...
Click to collapse
New S8. Qualcomm Snapdragon 835 MSM8998 bootloader locked versions.
It's got an eng kernel available, but it's a no go with your s7 script due to no adb write access.
https://forum.xda-developers.com/galaxy-s8/how-to/rd-carrier-switch-root-snapdragon-t3597473/page54
Hi everyone, I am a RMX2071 owner and I was experimenting with GSI images, I have installed the AOSP 10 GSI (AOSP 10.0 v222) Source: https://github.com/phhusson/treble_experimentations/releases/tag/v222
Seems like it works except for the fingerprint (it doesn't work) and the camera that could be better. I'm not a developer nor I'm familiar with Android modding. I have bricked my phone several times during the attempt. This is not an advice or guide, everything you do is at your own risk.
I had unlocked bootloader and TWRP (Source: https://forum.xda-developers.com/realme-x50-pro/how-to/recovery-lr-team-twrp-3-4-1b-0616-t4123353)
This is what I did:
I have downloaded the latest firmware for my device from realmeupdater (https://realmeupdater.com/)
It was an OZIP file, I have unpacked with this tool (https://github.com/bkerler/oppo_ozip_decrypt)
Now I have a zip file
I have downloaded a GSI .img image (I have tried many, the one listed is the one that works best for now)
I have used this tool (https://github.com/xpirt/img2sdat) to convert .img to three .dat files: system.new.dat, system.patch.dat, system.transfer.list
I have used this other tool (https://github.com/VarunSaiTeja/Brotli-Rom-Manager) to convert system.new.dat into system.new.dat.br
I have deleted this three files from the the official rom zip, using 7zip: system.new.dat.br, system.patch.dat, system.transfer.list
I have added to the official rom zip the files just created: system.new.dat.br, system.patch.dat, system.transfer.list
I have put the zip on a flash drive. I have booted in recovery, wiped everything, flashed the zip, closed AVB2.0 from advanced menu, booted into system.
There could be many bugs I have only tested for some hours, I'm sharing this because some expert could find a way to make fingerprint work, modify the top bar to accommodate the camera hole and find a better camera app.
I'm uploading the zip I have created, I'll post it soon.
Pic: https://mega.nz/file/8ApUXYBJ#kYBqwpDfMEF_MdxLCnTQCtITA8rV6YlENWCkkPzMM1E
link to the modified zip: https://mega.nz/file/gN5gjKTB#pkQHQotBhY7IocGZWj9iwwWEoTM9x5APSVYsTgH4Pak
You flash this gsi zip with twrp ?
I did try before to install GSIs on this phone without success, if thats it, ill try it and see what i can do
Just wondering again; What either in theory or practice prevents from using an Android 11 GSI with this phone?
I don't understand the Project Treble/GSI mechanism enough.
Shouldn't every device from Android 9 (shipped with, that is) able to run a stock android image? i.e. why would this not work - https://developer.android.com/topic/generic-system-image
Saitb said:
Pic: https://mega.nz/file/8ApUXYBJ#kYBqwpDfMEF_MdxLCnTQCtITA8rV6YlENWCkkPzMM1E
link to the modified zip: https://mega.nz/file/gN5gjKTB#pkQHQotBhY7IocGZWj9iwwWEoTM9x5APSVYsTgH4Pak
Click to expand...
Click to collapse
Any update?
after return x50 pro in service center they bring it broken. cán someone help me run unblock bootloader on android 11 , downgrade to android 10 with https://c.realme.com/in/post-details/1294219896854413312
in only work for android 10. i find reverse engineer maybe hacker can change it to work in android https://bgzashtita.es/android/Downloads.rar it is reverse engineer that need to be made work for abdroid 11.
here my friend yestarday call realme and put livestream on youtube. realme lie it is for indian
here photos:
Jordi Ba
https://bgzashtita.es/android/photo/IMG2...035605.jpg
https://bgzashtita.es/android/photo/IMG2...040043.jpg
https://bgzashtita.es/android/photo/IMG2...040100.jpg
https://bgzashtita.es/android/photo/IMG2...040300.jpg
https://bgzashtita.es/android/photo/IMG2...052200.jpg
https://bgzashtita.es/android/photo/IMG2...052208.jpg
https://bgzashtita.es/android/photo/IMG2...052223.jpg
https://bgzashtita.es/android/photo/IMG2...052244.jpg
repacksuper
===========
Copyleft uluruman 2021-2022
(for LINUX/WSL only)
This is the minimalistic set of tools + a script for Linux for the automated
ground-up repacking and flashing of the Samsung Galaxy super.img, replacing
the stock Android system with something much less intrusive and obtrusive
(e.g. LineageOS). Or just some other GSI (Generic System Image).
Additional included scripts (since v1.1) simplify flashing of stock firmware or
separate image files under Linux using Heimdall.
Theoretically should work for any Samsung A-series phones, and may be even for
some others. Tested on SM-A127F/DSN made in India and Vietnam and SM-A325F/DS
made in India, on Debian Linux 11 x64. There are reports of successful flashing
of SM-A127M, SM-A032M and SM-A226B.
Why this method?
----------------
Repacking of super.img is the only method which allows changing of the phone's
operating system without screwing up the Verified Boot (VB) protection
mechanism. Keeping the VB allows you to be sure that everything besides the
platform was indeed compiled by Samsung and wasn't tampered with, no matter from
where you downloaded your stock firmware.
The other reason is that although there are alternative methods of changing the
OS, for phones with dynamic partitioning and no working version of TWRP
available they may be even more complicated than repacking of super.img
externally by this script.
Requirements
------------
Install the following tools from the official repositories of your Linux distro:
simg2img xz-utils lz4 unzip gzip jq file
Basic instructions
------------------
repacksuper.sh: main script for changing your phone's operating system
heimdall_flash_stock.sh: script for flashing stock firmware under Linux
heimdall_flash.sh: script for flashing any custom image file under Linux
Just run a script without any arguments to see help.
Extra tools used (x64 binaries and sources included)
----------------------------------------------------
GitHub - LonelyFool/lpunpack_and_lpmake: android super.img tools
android super.img tools. Contribute to LonelyFool/lpunpack_and_lpmake development by creating an account on GitHub.
github.com
GitHub - amo13/Heimdall: Heimdall is a cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung Galaxy devices. This is a fork of the original repository with a few crucial pull requests merged.
Heimdall is a cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung Galaxy devices. This is a fork of the original repository with a few crucial pull requests merged....
github.com
Additional notes
----------------
The included binaries for the lpunpack, lpmake and Heimdall were compiled for
the x86_64 architecture. If your PC architecture is different (e.g. x86 32-bit
or ARM) you have to compile these tools yourself. The full source code is
included (or otherwise available on GitHub).
Spoiler: Changelog
0.9: Initial release
0.91: Non-sparse new system is now correctly moved into the super dir
0.91a: Bug in the new system file format checking fixed
0.91b: Better support for spaces in paths
0.92: Added checking for system requirements and an optional parameter for
setting of the final tar archive name.
0.92a: Fixed file ownership issues inside the tar distribution archive
0.93: Added support for SM-A325F. Several minor improvements.
0.94: Added support for gzip-packed GSI images. Packing into .tar is now done
without question if the command line parameter is given. Tar parameter
now can include the full path. Without the full path the default tar
location is now the same as the GSI. Several other minor changes.
1.0: Finally added working native Linux flashing using Heimdall (HUGE thanks
to amo13 and Benjamin Dobell). Two new options: using empty product.img
and silent (non-interactive) mode. Colored text. Bugfixes and minor
changes.
1.01: Option to specify the SUPER partition name manually (needed for flashing
SM-A127F with Heimdall). Now it is possible to place output .img and .tar
files in any directory and give them any name. Text terminology a bit
clarified, help text expanded. Done many internal optimizations,
additional sanity checks and minor changes.
1.02: Support for SM-A032F/M and similar firmwares with non-packed super.img.
Support for firmwares with/without additional partitions. Support for
arbitrary partition group names. Very experimental option to use empty
system_ext.img for additional privacy (applicable to some phone models/
regions). Lots of minor fixes.
1.03: Multiple .img files are now supported in GSI archive files (one of them
should be system.img in that case), e.g. Android AOSP zip files are now
supported directly. The logic of flashing with Heimdall now includes more
complex cases, such as flashing in two steps with a reboot. Unnecessary
code in GZ unpacking removed. Some other small fixes and optimizations.
1.1: New scripts heimdall_flash_stock.sh and heimdall_flash.sh added.
Lots of refactoring in repacksuper.sh (because of that there may be some
bugs left), improved and clarified UI logic, changes in where the files are
now placed (see help for details), direct work with stock Zip firmware
files, lots of minor changes.
1.11: Colored text now should be correctly displayed in almost any shell that
supports it except if it's explicitly disabled with NO_COLOR.
1.11.1: heimdall_flash.sh now can flash Super partitions unconditionally in one
step when using both the -s parameter and manually specifying parition
name (e.g. SUPER for SM-A127F).
1.12: The heimdall_flash_stock.sh script was significantly upgraded with lots of
new features. Now it theoretically allows upgrading of stock firmware
without erasing user data, keeping the GSI and custom recovery, etc.
(although it's not that straightforward, read the help for details).
A couple of fixes in the other scripts.
1.12.1: changed unlz4 to lz4 -d, as some distros don't have the needed symlink
1.13: In repacksuper.sh support added for the Vendor DLKM and ODM DLKM
partitions, as well as the experimental -v option to add or replace Vendor
DLKM with a custom image. A couple of minor fixes.
1.14: Greatly improved logic of heimdall_flash.sh, now it's possible to specify
both or either custom partition name and custom file name, and acquiring
PIT from device is done only when it's needed. Versioning scheme of the
scripts was unified: the script that was updated receives the updated
version number of the whole pack, the rest retain the old numbers.
1.15: up_param_tool.sh script was added: it allows altering of the boot
sequence images (logo, "not official" warning, etc.), as well as the
Recovery and Download internal graphics. Happy hacking, but please pay
attention to the warning displayed after extracting the JPEG files.
A couple of minor fixes in the other scripts.
1.15.1: Bug with failing LZ4 uncompression fixed in repacksuper.sh and
heimdall_flash_stock.sh.
1.15.2: Added the Ctrl+C trap in heimdall_flash_stock.sh, so now the temporarily
renamed files are correctly renamed back in case of flashing being
aborted with Ctrl+C. Upgraded Heimdall with the git pull requests, but
it seems those still do not cure the relatively rare issue when flashing
specific files gets completely stuck at some point.
1.15.3: The "file" tool used to identify PIT files was replaced with direct
reading of the file header as the first method proved to be unreliable.
1.15.4: Fixed a bug in heimdall_flash.sh (missing g flag in sed)
1.15.5: Fixed the compatibility issue with the older LZ4 compressors
1.15.6: Fixed compatibility issues with systems where /bin/sh is Bash, such as
ArchLinux
1.15.7: repacksuper.sh: fixed using the existing "repacksuper" dir as source,
also in this mode you can now specify "-" as new system image to reuse
everything inside the "super" subdir. New experimental -w parameter.
All scripts: the Ctrl+C trap now switched on and off the correct way.
Several other fixes.
1.15.8: Fixed using the heimdall_flash_stock dirs as source for repacksuper.sh.
A couple of other fixes.
1.15.9: heimdall_flash_stock.sh: fixed skipping of duplicate partitions (e.g.
vbmeta) for some shells; fixed upgrade-flashing of Galaxy A32 (default
behavior).
Spoiler: Known issues
During the script run you can see several "Invalid sparse file format at header
magic" warnings, just ignore them.
For some firmware files Heimdall may not work at all (freeze indefinitely or
exit with an error), in that case you have to resort to Odin. In many cases
Heimdall freezes when uploading files for some time, but that does not mean it
is completely frozen, just be patient.
In LineageOS, Dot OS and some other GSIs I tried on SM-127F the touch screen
remains not responsive for about 6 seconds after waking up. The problem is not
present at least with SM-127F/DSN phones made in India, but present at least in
those made in Vietnam. Another problem in the most, if not all, GSIs is that the
MTP USB file transfer does not work (at least on Linux) because of the "wrong"
(Samsung's instead of Google's) default MPT driver used by the kernel.
Both of the aforementioned problems can be solved by installing the fixed and
recompiled kernel.
For the last problem alternative solutions include using apps such as
Warpinator, Syncthing or ftpd.
Spoiler: Food for thought
When choosing a GSI to install I really don't recommend using ones which include
GApps and therefore use any of the Google services. Don't let corporations
gather your data. You bought the phone and from now on it should be all yours,
with all of its data, like a PC in the good old days. You own your device, and
nobody has the right to stick their nose into how you use your phone, gather any
statistics and push you any ads. You always have a choice to turn down
privacy-unfriendly stuff, the price of that "inconvenience" is actually
ridiculous. From my point of view, there is simply no point in using non-stock
systems if they are still littered with the privacy-unfriendly bloatware.
For the step-by-step guide (slightly outdated) read this and this post. Also be sure to read this post concerning the importance of optics.img. Concerning the up_param_tool.sh be sure to read this post.
The included binaries for the lpunpack, lpmake and Heimdall were compiled for the x86_64 architecture. If your PC architecture is different (e.g. x86 32-bit or ARM) you have to compile these tools yourself. The full source code is included (or otherwise available on GitHub).
Latest stable combinations of stock firmware and LineageOS (updated February 5, 2023):
SM-A127F: A127FXXU7BVI4 + LineageOS 20.0-td 20230115 arm64 bvS
SM-A325F: A325FXXU2CVK3+ LineageOS 20.0-td 20230115 arm64 bvS
Some recommendations (updated February 5, 2023):
If you are a newbie and don't know how to do unlock the bootloader and other such stuff, here is a good guide by LAST_krypton (follow the "Unlocking the booloader" section) or a shorter guide by cldkrs.
First flash the phone with the whole set of stock firmware using the heimdall_flash_stock.sh (Linux only) script with the -d parameter: the latter forces flashing the unsafe partitions, which are needed for complete re-flashing.
If you're on Windows use Odin instead. Although there is a "leaked" Linux version of Odin, it's still closed-source (of course), so I don't recommend using it on your main Linux PC. For using the Windows version of Odin on Linux you have to either use Windows in QEMU (tested and works) or probably Wine (untested). When using QEMU remember to add the SUBSYSTEM=="usb", ATTRS{idVendor}=="04e8", ATTRS{idProduct}=="685d", MODE:="0666" line to the udev rules (e.g. /etc/udev/rules.d/30-qemu.rules) to enable the write access to the phone.
Sometimes Heimdall cannot flash the stock firmware and gets stuck at some particular file. Although you can successfully flash such a firmware using Odin, I recommend to better to find another firmware, may be one release older, because that may indicate some sort of incompatibility with your particular version of the phone.
The stock firmware comes in different revision numbers (also known as the baseband version), which are upgraded about once a year. Generally it should be beneficial to use the latest revision, but note that once you have upgraded it to a later revision there is no way back (at least known to me). In case you want to experiment with flashing of special kernels and other flavors provided by the XDA developers, if possible, you should probably stick to the very first revision.
If you already have the bootloader unlocked (OEM unlock) then after flashing the stock firmware there is no need to set up the Android, just go straight into the download mode again and flash the repacked super.img.
When downloading LineageOS or any other GSI select the normal arm64 bvS version, not vndklite version.
After flashing the OS go into the Recovery mode (hold volume up and power when rebooting) straight away and do the Factory reset. If you cannot get into the Recovery mode be sure to connect the USB cable before trying to.
If flashing with Heimdall completely freezes at some point make sure you've downloaded and repacked the correct arm64 b or a/b GSI and not arm and not a or a-only variant. If "sw rev check fail" message appears on the screen at some point just ignore it.
You can forcefully reboot your phone at any time, even if it seems bricked, by holding the volume down and power buttons for several seconds.
To upgrade your system to the recent version of the same OS just repackage it again using the same script and flash it normally. If the phone does not boot, get into the Recovery mode and try wiping the Cache partition (all your apps and settings should remain intact).
Most probably you don't need TWRP or any other 3rd party recovery tool at all, as the stock recovery tool works fine for just the factory reset after flashing the super file.
Try to avoid using Magisk if you just want to install another OS and nothing else. It is also not needed for LineageOS bvS version as it already has the su utility integrated, you just need to install the additional Superuser app by Pierre-Hugues HUSSON from the F-Droid store (although it's very old it works just fine).
It's possible that SM-127F/DSN internally is not A12 but actually M12, at least most of the tools and kernels made for M12 work on SM-127F/DSN while those made specifically for SM-125 and even other SM-127 versions do not. Therefore you can find more relevant info and tools in the corresponding XDA thread (my script is still remains relevant though).
I should test this for a127f
Bugs fixed: v0.91 & v0.91a
Bug fixed: v0.91b
Added the "file" utility to the list of requirements, updated readme.txt.
Thanks A LOT, this works! I am finally able to run LineageOS on my phone!
For Windows 10+ users: WSL runs this script just fine with a few additional steps.
1. Install WSL 2 and any Linux distribution from Microsoft Store
2. Run the distribution to finish setup
3. Install the required packages from the post (sudo apt install for Ubuntu/Debian)
4. Shift + Right Click in the folder where you have the script, the AP and the GSI packages
5. Open Linux shell there
6. Unpack & run script as stated in its help
Voila!
Wow ! Great job! I want to try it, but i'm getting many "Invalid sparse file format at header magic" while running the script, is it OK to flah the super.tar anyway?
jadfa said:
Wow ! Great job! I want to try it, but i'm getting many "Invalid sparse file format at header magic" while running the script, is it OK to flah the super.tar anyway?
Click to expand...
Click to collapse
It is totally OK
jadfa said:
Wow ! Great job! I want to try it, but i'm getting many "Invalid sparse file format at header magic" while running the script, is it OK to flah the super.tar anyway?
Click to expand...
Click to collapse
Yes, it is fine. These are just warnings produced by lpmake, they can not be suppressed. I could only suppress all the stdout/stderr from lpmake but it's no good in case of more serious warnings.
Updated to v0.92 with a couple of minor improvements.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
What should I do next with the raw file?
"Unknown super file format" is this how it should be?
ANDARXapi said:
View attachment 5490897What should I do next with the raw file?
"Unknown super file format" is this how it should be?
Click to expand...
Click to collapse
Of course not. The format of each file is checked using the "file" utility, it should return the string "Android super image". Try to run file /home/toor/APfilles/super.stock.raw . What is the response? And try doing it all without sudo. There is no need in root privileges.
uluruman said:
Of course not. The format of each file is checked using the "file" utility, it should return the string "Android super image". Try to run file /home/toor/APfilles/super.stock.raw . What is the response? And try doing it all without sudo. There is no need in root privileges.
Click to expand...
Click to collapse
The raw file opens as a picture
uluruman said:
Of course not. The format of each file is checked using the "file" utility, it should return the string "Android super image". Try to run file /home/toor/APfilles/super.stock.raw . What is the response? And try doing it all without sudo. There is no need in root privileges.
Click to expand...
Click to collapse
run without sudo: 168: ./lpunpack_and_lpmake/lpunpack: Permission denied Cannot correctly unpack the super file. Exiting ...
I managed to fix the script, you just need to give chmod +x rights to the files in the folder "lpunpack_and_lpmake": lpunpack, lpmake, lpflash, lpdump, lpadd
ANDARXapi said:
I managed to fix the script, you just need to give chmod +x rights to the files in the folder "lpunpack_and_lpmake": lpunpack, lpmake, lpflash, lpdump, lpadd
Click to expand...
Click to collapse
Hmmm. I have updated it, may be it'll help. Could you please test the latest version (v0.92a)? I want to work it out of the box for everyone, without sudo or any tweaks.
uluruman said:
Hmmm. I have updated it, may be it'll help. Could you please test the latest version (v0.92a)? I want to work it out of the box for everyone, without sudo or any tweaks.
Click to expand...
Click to collapse
Okay, I'll test it tomorrow, today I want to relax at the computer all day
uluruman said:
Hmmm. I have updated it, may be it'll help. Could you please test the latest version (v0.92a)? I want to work it out of the box for everyone, without sudo or any tweaks.
Click to expand...
Click to collapse
Checked, it works right away
Is there a way to install magisk and root?
Since a lot of people will have their Galaxy S22 Ultra soon and I myself am thinking about either getting an S21 Ultra or S22 Ultra, I wanted to summarise a lot of information I found out during researching as Samsung devices are quite different from OnePlus or Google devices in that they don't support fastboot but only ODIN.
If you've enjoyed it or it has helped you, a thumbs or or thanks is always appreciated! Feel free to share and link to this thread for newbies to Samsung devices like I am
Which ODIN version to use?There are a lot of ODIN versions out there. Even reputable sources seem to copy & paste files without checking them first. The lastest version is v3.14.1. Any newer version as of now is a hoax as they simply renamed the version to v3.14.4 without any changes
How to check if you have a trustworthy version?
First of all: it should be version v3.14.1.
In the ZIP file there is a file called "odin.ini". The second line should be"Title=odin“. If not, some website has changed that.
In the same .ini file there should NOT be a:
[UIOption]
LED=0
(Someone apparently ticked that checkbox in ODIN, saved it and uploaded it. The default .ini file does not contain it unless you checked it yourself in ODIN.)
In the ZIP file there should NOT be a file called "cpprest141_2_10.dll“. This is a Microsoft file that is not malicious, but doesn't belong in there.
Since most ODIN files are copy and paste, it should be easy to identify whether you have the right version or not. (Source)
ODIN: AP, BL, CP, CSCPeople love to spread information without questioning it. So I came across thing like "BL" stands for bloatware etc. No, it does not.
BL (Bootloader)
This contains all bootloader relevant files (like the BIOS on your PC). This is quite essential as a broken bootloader can brick your device permanently.
AP (Application Processor or PDA)
This contains Android and all relevant files you might know from other device manufacturers. As of now, most devices use a "payload.bin" inside the firmware ZIP. This is exactly that but you can simply unzip the .tar file without needing any tool like Payload Dumper. Though, unzipping it does not help you at all since you can't flash the .img file separately.
CP (Core Processor)
CP contains modem files. On other devices it is included in the payload.bin as "modem.img". Here it is inside CP.tar
CSC (Consumer Software Customization)
CSC contains the country and carrier specific stuff like which apps are pre-installed, which bands are available, 4G/5G, VoWiFi, VoLTE etc. Nowadays it is a multi-CSC but more on that later.
PIT (Partition Information Table)
This contains the partitions if you ever need to re-partition your device. It can be used in the PIT section in ODIN but on newer devices it is contained within the CSC.tar file. So you probably never ever have to worry about it.
(Source)
What is the deal with CSC and Home_CSC?
CSC and Home_CSC are pretty similar. They mostly contain similar files and are flashed by selecting them in the CSC slot. You never ever have or can flash both simultaneously!
CSC
Flashes the CSC part including the PIT file, meaning it will wipe the device entirely and reformat the super partition containing everything from /boot, /system and /vendor
Home_CSC
Flashes the CSC but without the PIT file, meaning it will simply update the firmware but NOT wipe your device. This is what to use for an update. Use the other CSC for a full wipe
What about F. Reset Time, Auto Reboot and Userdata in ODIN?You should not have to check any boxes if you just want to root. Some people claim to disable "auto reboot". That is a relict from the past and is copy & pasted. Disabling auto reboot will prevent the device from rebooting automatically after an ODIN flash. For stock firmwares and rooting it is not necessary. If you do not want to reboot automatically (because of a custom recovery etc.) you may disable it. But you don't need to do it for rooting.
F. Reset Time is enabled automatically and resets the flashing counter. There is no reason to not do it afaik. So you don't need to deal with that.
Userdata is not used on newer devices as it is included in the AP file and used if you use the CSC file to wipe your device. It should be left empty on newer devices.
(Source)
Multi-CSC and why changing the CSC is mostly deprecatedA lot of questions are asked everyday about the CSC. There are different CSCs for different countries and carriers. Here in Austria we have ATO (Open Austria) for unbranded devices, MAX for T-Mobile devices (now called Magenta here) and so on. Nowadays, there are multi CSC firmware like OXM. They contain many CSC codes within it.
If you go into Settings > About phone > Software information > Service provider software revision you'll find different CSC codes: AAA/BBB/CCC/DDD
AAA is the current CSC
BBB is the best CSC for SIM card 1
CCC is the best CSC for SIM card 2 (if dual SIM is possible)
DDD is the factory CSC that cannot be changed
e.g. DBT/MAX/MOB/ATO meaning DBT (Open Germany) is the current CSC, MAX (Magenta Austria) is the CSC for SIM card 1, MOB (A1 Austria) for SIM card 2 and the device has a factory CSC for Open Austria.
(Source)
With Android 12 changing the CSC is afaik impossible.
If the multi CSC contains both CSC codes (like if I want to switch from MAX to ATO), flashing the same multi CSC firmware in ODIN will do nothing as it is the same firmware.
Very important: the multi CSC firmware is the same for every CSC included. If I were to download ATO and MAX firmwares, I will get the same OXM file with the same SHA256 hash (checked it myself). Flashing it would either update your phone (Home_CSC) or wipe it (CSC) and not change the CSC as it will find your current CSC in the multi CSC and leave it as-is.
A device with XEF (France) will always be XEF even with a different SIM card. Despite showing "XEF" it will use the appropriate settings for the carrier as long as the multi-CSC (e. g. OXM) contains the necessary files.
Some builds are released only for a certain amount of CSC codes or with a different minor revision (see down below under "Firmware" for an explanation). For example: MAX has minor revision 5, but ATO has 7 now. I could flash ATO revision 7 on my MAX device, but wouldn't receive any OTA updates until I have a firmware that exists for MAX (so either I have to flash minor revision 5 or wait until the next update). Multiple CSCs can be asynchronous despite having the same base firmware. MAX could have more minor updates (e. g. the carrier wanted something fixed) while others are fine at revision 1. That's why some CSC codes have more updates listed and some receive the update earlier.
DBT for example could be the first to get the new March security patch and other CSCs will follow. Though other CSC codes might have a higher minor revision as there were changes being made afterwards. In some cases DBT will receive another update with these changes, in other cases DBT revision 3 is the latest while other CSC codes are at revision 9. The changelogs are almost always equal though so there is no information to the public on what has changed.
Think of it like an upgrade path. Major steps are always synced, but minor ones can be CSC specific until a new update syncs them again.
More information can be read here: Source
Multi-CSC Release Cycle
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Multi-CSC firmwares are a "master" firmware that contains multiple CSCs. For the S21 Ultra it is called "OXM in Europe. Inside that firmware can be different regions like DBT, AUT, HUI and so on. An update usually isn't released at the same time for everyone. In this example graph above you can see how the release usually goes:
One or a few "open" CSCs for unlocked devices starts rolling out, usually DBT (Open Germany)
Other open CSCs and carrier CSCs (e. g. ATL for Vodafone Spain) start rolling out)
After that, sometimes specific carrier patches are released that increment the firmware version but is only available for a specific CSC code.
At the end of the month, sometimes minor bug fixes are also released to one or multiple CSC codes.
Next month we start that cycle again. All patches that have been released along the way are now integrated and released. (Example: HUI got an update at the end of the month, but that fix is not included in any other firmware. Next month that patch will be included along with the new security patch for every CSC).
Think of it like a GitHub project. You publish a stable release for everyone, fix a bug for a specific device, release that bug fix as a minor release only for those affected, then on the next stable release upstream that fix to the release. Doesn't make sense to include a minor hotfix immediately for a 2019 MacBook Pro if the fix is only for the 2022 MacBook Air, right?
In that regard: you can always flash any OXM firmware on a device using OXM. I could flash a DBT (Open Germany) firmware on an ATL (Vodafone Spain) device and it will work. I can even grab the security patch release at the beginning of the month before it is widely rolled out and flash it using ODIN.
People saying how happy they are because they get their updates early or others who complain about waiting weeks for it. The latters ones could fix it by manually flashing the released firmware. But keep in mind: if you still can receive software updates on your device (e. g. not rooted) then you need to be on an update path that is supported.
Say I update to the carrier fix release intended only for HUI on my DBT device. It'll work and I can update next month with ODIN as usual. BUT: Samsung's on-device software update won't show any update. Why? Because it checks DBT and if I'm on a minor release not intended for DBT, it won't give me an update path. It will search for an update from release A to release B but by flashing the carrier fix only for HUI, I'm between those. Something like A1. Since DBT doesn't have an update path from A1 to B, it won't show any updates until I'm back on B (and ready for B > C next month and so on).
Tripping KNOXIf you unlock your bootloader, KNOW will be tripped. I'm simply gonna quote another post here as it explains the impact very well (and I hereby explicitly state that I'm not affiliated in the service the source advertises. I do not vouch for or endorse the use of UNSAMLOCK).
- Knox will be tripped after a custom binary flash.
- Samsung Pass, Samsung Pay will never work after root. Safetynet, Samsung Health and Secure folder could be fixed.
(Source)
Click to expand...
Click to collapse
So if you flash a signed Samsung firmware, it shouldn't trip KNOX. If you flash an unsigned firmware, it will trip it. But as a general rule of advice: signed firmware are flashable in ODIN with a locked bootloader. If you unlock the bootloader, you are at risk of tripping KNOX and you are responsible for that happening either way. No matter what I or someone else says on XDA or any other website. So never unlock the bootloader if you can't accept tripping KNOX.
People say it is a physical fuse that is blown. I can't confirm if this is true but it could also simply be a part of security key stored within the device and deleted when unlocked. Since there is no way of backing it up, it will be lost for good (much like the /persist partition on devices that contains sensor data and is unique and never deleted or else your device becomes messed up permanently). There is no way of knowing but keep that in mind.
Firmware
Firmware versions
The firmware numbers actually have meaning. Something like "G998BXXU4BVB1/G998BOXM4BVB1/G998BXXU4BVB1" means build version/CSC version/baseband version.
The first letters are the model version (G998B = S21 Ultra). The last letters (e. g. G998BXXU4BVB1) can be read as follows:
U4 B V B 1
↓ ↓ ↓
Boot loader version
Android version
Year
Month
Minor revision
For this example that means:
U4: bootloader version 4 (you can't use any firmware with a lower version than what you have)
B: Android version 2 (for the S21 Ultra that shipped with Android 11, B is Android 12)
V: 2022 (W = 2023, X = 2024, etc.)
B: February (A = January,..., L = December)
1: minor revision 1 (this is a hexadecimal that can be 1–F, with F being version 16)
The firmware information including the colour coding comes from the CheckFirm app (Source). The provided information and the colour coding is awesome so I took that information and condensed it even further.
How do I check for firmware updates?
There are websites out there listing/hosting the firmware files that are easy to find. Other methods are:
CheckFirm: https://play.google.com/store/apps/details?id=com.illusion.checkfirm
You can try to scan for a new firmware. It uses other users to find a new firmware but according to the dev, it might be able to scan automatically in the future (though no ETA)
Use Samsung's own version.xml: https://fota-cloud-dn.ospserver.net/firmware/DBT/SM-G998B/version.xml
This is an example (replace DBT with the CSC code and SM-G998B with your model version. It will list all firmwares with the newest firmware number at the top.
Use Samsung's changelog: https://doc.samsungmobile.com/sm-g998b/dbt/doc.html
This is an example (replace DBT with the CSC code and SM-G998B with your model version.
Or ultimately use a firmware downloader like Frija on Windows, SamloaderKotlin on Windows, macOS, Linux or Android (thanks @alecxs) or something that requires a bit of setup though works on non-Windows devices aswell like samfirm.js (NodeJS) or Samloader (Python).
(Thanks to topjohnwu for listing those firmware downloading options: source)
Rooting, OTA updates while being rooted and what not to doThere is a lot of misunderstanding regarding rooting and OTA updates afterwards. I'm not explaining how to root your device. There are a lot of XDA threads out there. But I'm going to explain some important information that is not explained well very often.
When is your bootloader acutally unlocked?
Simply toggling "OEM unlock", going into download mode and unlocking the bootloader will not actually unlock it. There is a reason why after enabling the bootloader unlock in download mode, you should go to the developer settings and "confirm" it.
By opening up the developer settings and checking the "OEM unlock" toggle, the bootloader actually becomes unleashed and accepts non-signed images. Meaning an AP file modified by Magisk will now be accepted. If you do not do this, it will not.
If you flash in ODIN, always flash AP, CP, BL and CSC!
As explained by topjohnwu: if you just flash the modified AP file to root your device without selecting CP, BL or CSC, ODIN could shrink the /data partition. Always flash all of them (not like on other devices "fastboot boot boot.img" but everything!
OTA updates are gone...sort of
If you are rooted, you can't use Samsung's built in OTA updater anymore. That's why you should update your firmware before rooting. You can and may update it via ODIN though:
Patch the AP file in Magisk
Flash the modified AP, CP, BL and Home_CSC (HOME_CSC NOT and I repeat NOT the normal CSC)
Let it reboot and you're up-to-date
(Source)
Do not restore the stock boot image!
topjohnwu also states to not flash the stock boot image (stock AP) as it could brick your device. There should be no reason to unroot (you can leave Magisk and simply not use it). If you flash the stock AP, your device won't boot (probably because it fails to verify the unmodified system). I could flash the modified AP (with CP, BL and Home_CSC) back and it worked fine but YMMV. And what if you've installed some module and you're bootlooping now?
I'm in a bootloop!
Since TWRP never supported decryption on Samsung devices (thanks @alecxs) and you probably don't want to stay unencrypted, you can't use TWRP. There are two ways of fixing a bootloop caused by a Magisk module:
Via ADB debugging:
Use adb on your PC (lot of tutorials out there), and type in:
adb shell
magisk --remove-modules
However: that requires you to have adb debugging enabled and to have your PC already confirmed as a computer that is allowed to connect via adb. If you have not done this, do this:
Boot into safe mode:
Much like Cydia Substrate back on the iPhone, you may disable Magisk and its modules during boot:
If you use the device's hardware keys to boot into safe mode by pressing certain keys during booting (look it up, it varies from device to device. It can be volume up/down etc.), Magisk will disable all modules and you can remove them safely without every having to need TWRP, enable ADB debugging beforehand or needing to start from scratch. Everything is explained in the source link down below.
(Source)
Does my device have a ramdisk or not?
Most threads you find about this were at a time when some devices had it and other didn't. To stop you from searching hours about whether this is the case for the S21 or S22 series: they have a ramdisk and system-as-root. There is no need for hijacking the /recovery partition and always boot into recovery to boot into the system with root. You can just root your device with the patched AP file and you're good to go!
Just please stop wiping /cache in recovery!There is no use in wiping /cache in recovery. It is simply a cache partition for updates and is not used on a live system. There is no use in doing that and you're just wasting your time. But there is a cache that can be wiped and rebuilt: the dalvik-cache. (Source)
Dalvik cache/ARTThis is no Samsung specific but actually very good to know:
Android converts system apps in the background since Android 10 I believe. Meaning that the system apps are only really optimised, if the Dalvik cache has been built. This doesn't apply to user apps from the Play Store as they are re-compiled during installation. When does Android do this?
If your device is at 100%, plugged in and not in use. But if you're like me and not charging your device past 80%, it will not be built(!)
To force it, the easiest solution is to use Galaxy App Booster which does exactly that: https://galaxystore.samsung.com/pre...session_id=W_2323c8f409a1da0534d7dcad55e671fb
Or you can force it with root or via adb without root, you can use "adb shell" and then enter:
Code:
cmd package bg-dexopt-job
after an update and it will populate /data/dalvik-cache with arm and arm64 folders.
After an update, you can (but don't have to) delete the folders "arm" and "arm64" inside /data/dalvik-cache (DON'T DELETE the "dalvik-cache" folder itself), reboot and then execute the command above in a terminal with root access. This is the only relevant caching that Android does. It has nothing to do with /cache.
You may also check the folder: usually there are about 200+ files inside arm64. If you've only got a few dozens, the cache probably hasn't been built yet. Keep in mind that since Android 11 building the cache doesn't take a few minutes like Android 10 but sometimes half an hour or an hour as it uses few resources to not slow the device down during optimisation. That makes it quite user-transparent.
Fix Netflix, Amazon Prime,... playback issuesOn my OnePlus 7T Pro I had no issues using any of these services (if MagiskHide or now Zygisk is active). Though on my S21 Ultra it always failed to play whatever I did. Turns out that Widevine L1 is good as long as you're not rooted. It works with an unlocked bootloader but fails if you have installed Magisk no matter what you do.
Turns out there is a Magisk module called liboemcrypto disabler by @ianmacd which essentially removes the file and forces Widevine L3 for as long as the module is active. With this module I could get every streaming app to work again including my cable company's own TV app. You won't have anything higher than SD quality but I have to admit that Netflix and Amazon Prime look okay. It definitely is better than nothing and I just found this by coincidence.
So if you experience playback issues while being rooted, give this module a try
Note: Since the Magisk repo is obsolete, the only flashable ZIP I've found is from a fork found here: https://github.com/ScRuFFy7/liboemcryptodisabler. You can create the module yourself though, but for a flash-and-forget-ZIP this is the only ZIP I could find.
General InformationLast, but not least: Samsung devices aren't A/B devices. There is no mirrored partition or anything else. You just have your good old super partition and if it is messed up, you need to reflash it. No A/B stuff here.
I may update this thread in the future
Reserved
Reserved 2
Macusercom said:
Reserved 2
Click to expand...
Click to collapse
Spoiler: Hey!!
Macusercom said:
Reserved 2
Click to expand...
Click to collapse
Hi
Good info for new samsung usres!
Have you any report anyone have rooted Exynos as well SD with routine magisk patched methos? I have seen another thread how to root but I think no one yet confirmed (unless I have missed)
dr.ketan said:
Hi
Good info for new samsung usres!
Have you any report anyone have rooted Exynos as well SD with routine magisk patched methos? I have seen another thread how to root but I think no one yet confirmed (unless I have missed)
Click to expand...
Click to collapse
Thanks!
I don't think so. We'll have to wait and see if a new Magisk update is needed but since Android 12 works fine on the S21 Ultra, I don't think the S22 Ultra wouldn't work. But as of now, I have not read anything about a successful root but also nothing about not being successful.
Macusercom said:
Thanks!
I don't think so. We'll have to wait and see if a new Magisk update is needed but since Android 12 works fine on the S21 Ultra, I don't think the S22 Ultra wouldn't work. But as of now, I have not read anything about a successful root but also nothing about not being successful.
Click to expand...
Click to collapse
Thanks for info. Yes, I don't expect too that it won't work but we never know when samsung give us surprises!
One major thing I have noted on S22 is system partition is now having f2fs format instead of ext4 and as of now we can't extract stock firmware because of this. (I don't know if any available tool can do it)
dr.ketan said:
Thanks for info. Yes, I don't expect too that it won't work but we never know when samsung give us surprises!
One major thing I have noted on S22 is system partition is now having f2fs format instead of ext4 and as of now we can't extract stock firmware because of this. (I don't know if any available tool can do it)
Click to expand...
Click to collapse
Dr. ketan: Does f2fs format affect magisk root?
donkeyman1234 said:
Dr. ketan: Does f2fs format affect magisk root?
Click to expand...
Click to collapse
No, it shouldn't.
Glad to hear that.
dr.ketan said:
No, it shouldn't.
Click to expand...
Click to collapse
dr.ketan said:
Thanks for info. Yes, I don't expect too that it won't work but we never know when samsung give us surprises!
One major thing I have noted on S22 is system partition is now having f2fs format instead of ext4 and as of now we can't extract stock firmware because of this. (I don't know if any available tool can do it)
Click to expand...
Click to collapse
I've just checked the AP file of the S22 Ultra firmware. Magisk is able to patch the boot.img and goes straight through.
Not(e) S22 Ultra specific, but good to know (sorry for the pun )
Magisk can patch the extracted boot.img without lz4
Magisk can't patch boot.img.lz4
Magisk can patch the AP.tar that included boot.img.lz4 and stores it without compressing in the modified AP.tar
Hasn't f2fs been adopted way earlier with the Note 10? I can't seem to extract the S21 Ultra or S22 Ultra firmware with EXT4 extractor in any case. I can just decompress lz4
Macusercom said:
I've just checked the AP file of the S22 Ultra firmware. Magisk is able to patch the boot.img and goes straight through.
Not(e) S22 Ultra specific, but good to know (sorry for the pun )
Magisk can patch the extracted boot.img without lz4
Magisk can't patch boot.img.lz4
Magisk can patch the AP.tar that included boot.img.lz4 and stores it without compressing in the modified AP.tar
Hasn't f2fs been adopted way earlier with the Note 10? I can't seem to extract the S21 Ultra or S22 Ultra firmware with EXT4 extractor in any case. I can just decompress lz4
Click to expand...
Click to collapse
Yes, file can be patched with magisk, still we need to confirm if patched file working fine or not as no one yet confirm it (at least in my knowledge)
F2fs adopted earlier was for "data" this is first time for "system" (and also for "vendor")
Since oneui 4.0 recent update I have seen S21 also added support for system f2fs (fstab showing both) but yet still system is ext4 formatted and that's why no issue extracting S21 firmware (just two days ago I released rom with latest base VB1 Feb security patch)
dr.ketan said:
Yes, file can be patched with magisk, still we need to confirm if patched file working fine or not as no one yet confirm it (at least in my knowledge)
F2fs adopted earlier was for "data" this is first time for "system" (and also for "vendor")
Since oneui 4.0 recent update I have seen S21 also added support for system f2fs (fstab showing both) but yet still system is ext4 formatted and that's why no issue extracting S21 firmware (just two days ago I released rom with latest base VB1 Feb security patch)
Click to expand...
Click to collapse
Also, Samsung removed the system_ext folder and put it into its own img file. I mounted both system.img/system_ext.img, and copied both into an N20U system folder created by superr kitchen for my N20U. I was able to deodex framework-res.apk ans SystemUI.apk. I made mods to SystemUI, but cannot test as I do not have an S22U.
gcrutchr said:
Also, Samsung removed the system_ext folder and put it into its own img file. I mounted both system.img/system_ext.img, and copied both into an N20U system folder created by superr kitchen for my N20U. I was able to deodex framework-res.apk ans SystemUI.apk. I made mods to SystemUI, but cannot test as I do not have an S22U.
Click to expand...
Click to collapse
What you have used to extract system.img of S22?
dr.ketan said:
What you have used to extract system.img of S22?
Click to expand...
Click to collapse
superr kitchen. will extract .img files but will not extract contents
gcrutchr said:
superr kitchen. will extract .img files but will not extract contents
Click to expand...
Click to collapse
What I mean is how you have extracted SystemUI and Framework-res , as kitchen not able to extract it
dr.ketan said:
What I mean is how you have extracted SystemUI and Framework-res , as kitchen not able to extract it
Click to expand...
Click to collapse
I used Fedora to mount both .img files.
After copy S22 system.img/system_ext contents into N20U folder, I used superr to deodex system folder. Then copy SystemUI.apk and framework-res.apk to my development folder
sudo mount -o loop system_ext.img tmp
sudo mount -o loop system.img tmp2
As a general information in case anyone was wondering. Root on the S22 Ultra GM-S908B variant has been confirmed: https://forum.xda-developers.com/t/...-firmware-noob-friendly.4404283/post-86473679
Just to update : Today have got hand on demo and I can confirm indian users will get S908E and also OEM unlock option already available in dev settings out of box.
Question: I'm looking to get a newer laptop and was looking at the Surface Pro 7 or 8. I know ODIN won't work on the Surface Pro X, but has anyone used it on a SP7/8? I can't see why it won't work. It uses the same i5 processor and 64-bit OS as a full size/normal laptop.
This is the Android 10 recovery image by HCT (version 10.3.1) patched to skip signature checking on .zip files
Tested on MTCE_LM (Eunavi). Use at your own risk
It can be flashed from a root shell (either adb or via terminal emulator) by performing the following steps
1. upload recovery via adb
Code:
adb push hct_recovery_patched.img /sdcard/
2. flash recovery
Code:
# backup current recovery
dd if=/dev/block/by-name/recovery of=/sdcard/recovery_backup.img
# write new recovery
dd if=/sdcard/hct_recovery_patched.img of=/dev/block/by-name/recovery
NOTE: If you do not disable the "flash_recovery" service in /init.rc, AND you have a stock kernel, recovery will be restored to the original version after rebooting.
There are 3 ways to avoid this:
- Flash magisk (or a modified kernel) while in recovery. The patch will then fail to apply and recovery won't be overwritten
- Disable "flash_recovery" by doing "adb remount" and editing /init.rc (comment out the following)
Code:
service flash_recovery /system/bin/install-recovery.sh
class main
oneshot
- Neuter the service by either:
- removing /system/bin/install-recovery.sh- replacing /system/bin/install-recovery.sh with a dummy script- removing /system/recovery-from-boot.p
Woo-hoo, after hundreds of rubbish posts in the MTCD forums, we have a real development post!
Great work and thanks for sharing this, these forums need more like you.
Thanks for the kind comment!
I have to admit that it was frustrating to see the lack of information sharing on this forum, and the pervasive pay-per-use model.
I spent a lot of time just getting Android 10 installed (starting from Android 9), and i had to bring the head unit to my desk as working in the car was rather hard and all i achieved was a brick.
I unfortunately had to bring it back in the car now (can't sit on my desk forever) but, now that i figured out how to make bootable recoveries, i was wondering how hard it could be to have TWRP or at least a hassle-free recovery to install Android 10 from Android 9.
As a first step, this recovery makes it possible to install Magisk or other zip files without doing it manually within adb.
Cheers!
Your work is really good!
Thanks a lot for it.
Now you can also modify ROM's without signatur errors when installing.
Wouldn't it be good if we had an app like the ModInstaller ?
So a one click installation of the recovery without shell or adb.
I have now built an app.
And now need help.
Namely, in the app is the recovery and the script.
Unfortunately, the flash process is not started.
It always comes only the first message from the script.
The app is open source and the script and the recovery are in res/raw.
In the attach you will find the finished app and pictures.
If someone has a solution, he can write me or make a pull request on Github.
Source code:
GitHub - jamal2362/RK33XX-Custom-Recovery-Installer: Application for flashing custom recovery on Rockchip Android Head-Units.
Application for flashing custom recovery on Rockchip Android Head-Units. - GitHub - jamal2362/RK33XX-Custom-Recovery-Installer: Application for flashing custom recovery on Rockchip Android Head-Units.
github.com
The script:
RK33XX-Custom-Recovery-Installer/script at master · jamal2362/RK33XX-Custom-Recovery-Installer
Application for flashing custom recovery on Rockchip Android Head-Units. - RK33XX-Custom-Recovery-Installer/script at master · jamal2362/RK33XX-Custom-Recovery-Installer
github.com
First of all, congrats for the work!
DISCLAIMER:
I don't own ModInstaller, i have never bought a copy of it and i don't intend to do so.
Analysis is purely done from Youtube videos, open source code analysis and existing and openly available binary images.
I was working to figure out how to make a FLOSS alternative to ModInstaller.
The issues i found in all my attempts are the following:
- A6 recovery is the only one that can boot from SD Card (which can then be used to flash A9 -> A10 with the 2SD trick)
- (it took me a long time to pull these information together and unbrick my unit)- The A6 recovery is unable to directly flash A10 RKAF/RKFW images (sdupdate.img) due to the code being too old
- a failure will be observed while writing super.img. This happens because the device needs to be repartitioned, and the A6 recovery is not doing it correctly- A9 recovery is buggy. Booting it with no system installed will result in a black screen.
- it will only boot succesfully after being written by the A6 flash tool, which writes the "misc" partition with the recovery commands to run (the "hint" i get from this is that the misc partition is important)- A10 recovery can't be loaded by the A6 recovery. I always got a black screen after flash. Is it a flash issue? is it an issue with the recovery itself? hard to know
Theory: maybe the recovery could be written over the kernel partition? ("boot")
This way, the recovery will always run after being flashed instead of requiring an explicit "enter recovery" trigger (buttons, misc partition, etc.)
Besides these experiments, in parallel, i did some bug fixing to this repository: https://github.com/liftoff-sr/rockchip-tool/commits/master (i'm "smx-smx")
That allows me to unpack nad repack "sdupdate.img" , "reduced recovery images" and "full IMG files".
With those tools. i tried to swap "recovery.img" in the A6 image, but i always got the black screen upon booting from SD.
Either A9/A10 breaks sdboot or the bootloader crashes before it gets there.
Since this also happens when being flashed, this could either be a bug in the flashing program or a bug in the boot stack (which fails to run recovery perhaps due to a dirty state of the internal flash). It's hard to know for sure without having a UART connection with the board.
BUT, we have an alternative, in the form of the recovery built-in ISP flash tool.
This is the code that reads "sdupdate.img" from the SD Card and flashes it
After reading the recovery source code, i realised that this code can only be triggered correctly when booting from the SD card.
It detects this state by reading /proc/cmdline and probing for specific values (https://github.com/rockchip-android...6f72b7d3123dab27135ac41d55029/sdboot.cpp#L206)
This means the bootloader can (and will) pass those arguments under specific conditions (https://github.com/rockchip-linux/u...c873f178c/arch/arm/mach-rockchip/board.c#L358)
If you check here https://github.com/rockchip-linux/u...3f178c/arch/arm/mach-rockchip/boot_mode.c#L47 you can see the magic word that needs to be written to the "misc" partition in order to trigger that code.
Note that, besides the well known "sdboot", "usbboot" is also possible.
I'm not sure if the ROM can physically boot from USB, but the bootloader and recovery do support (according to code) passing the flag to enable flashing from USB.
So, recapping, there are these ways we can try:
a - try to overwrite "boot" with "recovery" (but it might not work due to the partitioning layout, e.g. jumping from A6 -> A10)
- note: uboot might also need to be written when doing this.
b - making a modified "sdupdate.img" that flashes recovery on top of boot, and all the other core partitions like "misc", "uboot", "trust", "vbmeta"
c - writing "misc" from android in order to triggers the "rkfwupdate" mode
d - taking a dump of the first portion of the flash in various states (A6, A8, A9, A10), and having a "dd" that writes it back to the beginning of the flash (i suspect this is how ModInstaller does it)
Considering cases "b" and "c" depend on a recovery that can write them correctly (and the A6 one is buggy), this leaves us with "a" and "d"
Considering that ModInstaller does it in one shot, and doesn't seem to matter about the partitioning layout, i believe "d" might be the most viable option...
Using the "rockchip-tool" repository i linked from github, the partition table can be dumped from any .img file
You can observe "Image/parameter.txt" from the extracted firmware
This is the partition table from A6's recovery:
[email protected](uboot)
[email protected](trust)
[email protected](misc)
[email protected](resource)
[email protected](kernel)
[email protected](dtb)
[email protected](dtbo)
[email protected](vbmeta)
[email protected](boot)
[email protected](recovery)
[email protected](backup)
[email protected](security)
[email protected](cache)
[email protected](system)
[email protected](metadata)
[email protected](vendor)
[email protected](oem)
[email protected](frp)
[email protected](userdata)
And this is the partition table from A9's recovery
[email protected](uboot)
[email protected](trust)
[email protected](misc)
[email protected](resource)
[email protected](kernel)
[email protected](dtb)
[email protected](dtbo)
[email protected](vbmeta)
[email protected](boot)
[email protected](recovery)
[email protected](backup)
[email protected](security)
[email protected](cache)
[email protected](system)
[email protected](metadata)
[email protected](vendor)
[email protected](oem)
[email protected](frp)
[email protected](userdata)
Notice how uboot, trust, misc, resource, kernel, dtb, and others live in the same space. (2000, 4000, 6000, 8000, 10000, ...)
What we could do is create a raw blob that spans that address range, and "dd" it directly to /dev/mmcblk0 at the right offset.
So i would focus on converting recovery images to raw blobs, with recovery-as-kernel so it boots straight away on the first try.
Bump a real thread.
Is it possible to convert it to a file installed by SDDiskTool?
marchnz said:
Bump a real thread.
Click to expand...
Click to collapse
I created a flashing tool to flash recovery within Android, using Rockchip's own code: https://forum.xda-developers.com/t/...chip-firmware-flash-tool-for-android.4458299/
blala said:
I created a flashing tool to flash recovery within Android, using Rockchip's own code: https://forum.xda-developers.com/t/...chip-firmware-flash-tool-for-android.4458299/
Click to expand...
Click to collapse
This file hct_recovery.patched.img does not appear to be installed via rkupdate
sadaghiani said:
Is it possible to convert it to a file installed by SDDiskTool?
Click to expand...
Click to collapse
It needs to be converted, yes
I'll take a look this afternoon
blala said:
It needs to be converted, yes
I'll take a look this afternoon
Click to expand...
Click to collapse
Is it possible to create a boot image that includes moded recovery & magisk and moded kernel ?
If by image you mean firmware image then yes, it can be done with https://github.com/liftoff-sr/rockchip-tool
But what i would recommend is the modded recovery only, with the magisk .zip to use in Recovery
Otherwise you risk flashing a kernel that doesn't match with kernel modules or is otherwise not fully compatible with the installed system
blala said:
If by image you mean firmware image then yes, it can be done with https://github.com/liftoff-sr/rockchip-tool
But what i would recommend is the modded recovery only, with the magisk .zip to use in Recovery
Otherwise you risk flashing a kernel that doesn't match with kernel modules or is otherwise not fully compatible with the installed system
Click to expand...
Click to collapse
boot.img file included recovery+magisk+kernel
Flashing a boot.img (Kernel, for example) in an Android mobile phone via adb shell
Flashing a boot.img (Kernel, for example) in an Android mobile phone via adb shell - script.sh
gist.github.com
MTCD has separate boot and recovery partitions.
Perhaps you can adapt both recovery/kernel to be in the same image but the bootloader won't know about that (and will always boot from "recovery" partition)