[Tutorial] How to create a custom signed vbmeta.img for Unisoc using AVBtool

hovatek
Administrator
49,570
12-03-2020, 11:51 PM
#1



If you're into rooting and flashing custom recoveries then Android Verified Boot (AVB) or dmverity is something you should be aware of.  We'd dropped a blog post on why dmverity could be causing your phone to get bricked when you try to root or flash a custom recovery.

A little history


Long ago, one-click root apks were a thing. Not anymore...at least till MTKsu brought back something similar to a few 64 bit Mediatek chipsets. Rooting later moved to flashing a custom recovery and SuperSU.zip...then Magisk came along.

We'd dropped a guide on how to root Android using Magisk Manager and stock boot.img and our Mediatek , Unisoc (Spreadtrum) and Qualcomm auto TWRP porters can give you a working TWRP in seconds.

All this was pretty straightforward till dmverity came along.  In the first version, you needed to patch the boot.img. Magisk already does that so no worries there. Android 9 came along with AVB in the vbmeta partition...and things became a little more interesting.

Flashing a blank vbmeta before flashing a magisk patched boot or TWRP custom recovery was the way around...till signed vbmeta came along. What this now means for devices with vbmeta-sign is that you must flash a customised but signed vbmeta before you can tamper with checked partitions.

This guide is going to show you how to do that on Unisoc / Spreadtrum (SPD)

Back to present day...


Luckily, many Unisoc OEMs were lazy enough to use the same key to sign vbmeta; this guide capitalizes on that. I used Ubuntu for this guide because AVBtool kept giving errors. I'll update the guide if a fix for Windows is found.

Requirements


Steps to create a custom signed vbmeta.img for Unisoc using AVBtool


Follow the steps below to use AVBtool to create a custom signed vbmeta image for Unisoc / Spreadtrum (SPD)


See the video below or @ https://youtu.be/hcUv9EsR4kY

  1. The files and folders you have should look something like this:

    [Image: custom-signed-vbmeta-requirements.png]

  2. With all the required files in the same folder, launch Terminal by right-clicking in the folder and clicking Open Terminal

  3. Run the avbtool info_image command against vbmeta-sign.img, copy out the output and save in a notepad. The vbmeta-sign in our example has a padded size of 16384 and DHTB checksum which needs to be added to the custom vbmeta image later on.

  4. Generate a public key from the (custom) private key you've decided to use to sign your images going forward. I'll be using an OpenSSL generated key (hovatek.pem) as my custom private key for this guide. Feel free to use rsa4096_vbmeta.pem if you like. This command will generate a file named hovatek.bin to the keys folder which will be my public key for signing any partition I wish to flash to.

    Code:

    python avbtool extract_public_key --key hovatek.pem --output keys/hovatek.bin

  5. For comparison, here's what a stock vbmeta info output looks like:

    Code:

    Minimum libavb version:   1.0
    Header Block:             256 bytes
    Authentication Block:     576 bytes
    Auxiliary Block:          13504 bytes
    Algorithm:                SHA256_RSA4096
    Rollback Index:           0
    Flags:                    0
    Release String:           'avbtool 1.1.0'
    Descriptors:
        Chain Partition descriptor:
          Partition Name:          boot
          Rollback Index Location: 1
          Public key (sha1):       ea410c1b46cdb2e40e526880ff383f083bd615d5
        Chain Partition descriptor:
          Partition Name:          system
          Rollback Index Location: 3
          Public key (sha1):       e2c66ff8a1d787d7bf898711187bff150f691d27
        Chain Partition descriptor:
          Partition Name:          vendor
          Rollback Index Location: 4
          Public key (sha1):       9885bf5bf909e5208dfd42abaf51ad9b104ee117
        Chain Partition descriptor:
          Partition Name:          product
          Rollback Index Location: 10
          Public key (sha1):       766a95798206f6e980e42414e3cb658617c27daf
        Chain Partition descriptor:
          Partition Name:          dtbo
          Rollback Index Location: 9
          Public key (sha1):       ea410c1b46cdb2e40e526880ff383f083bd615d5
        Chain Partition descriptor:
          Partition Name:          recovery
          Rollback Index Location: 2
          Public key (sha1):       d9093b9a181bdb5731b44d60a9f850dc724e2874
        Chain Partition descriptor:
          Partition Name:          l_modem
          Rollback Index Location: 5
          Public key (sha1):       e93e7d91ba1a46b81a5f15129b4dc5769bf41f26
        Chain Partition descriptor:
          Partition Name:          l_ldsp
          Rollback Index Location: 6
          Public key (sha1):       e93e7d91ba1a46b81a5f15129b4dc5769bf41f26
        Chain Partition descriptor:
          Partition Name:          l_gdsp
          Rollback Index Location: 7
          Public key (sha1):       e93e7d91ba1a46b81a5f15129b4dc5769bf41f26
        Chain Partition descriptor:
          Partition Name:          pm_sys
          Rollback Index Location: 8
          Public key (sha1):       e93e7d91ba1a46b81a5f15129b4dc5769bf41f26
        Chain Partition descriptor:
          Partition Name:          dtb
          Rollback Index Location: 11
          Public key (sha1):       ea410c1b46cdb2e40e526880ff383f083bd615d5

  6. Generate a vbmeta-sign-custom.img file by running the command below. Note that I intend to flash a custom file to recovery partition so instead of using recovery's public key extracted from vbmeta-sign.img, I'll use my newly generated public key for recovery. Feel free to do the same for other partitions you intend to flash to.

    Code:

    python avbtool make_vbmeta_image --key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 2 \
      --chain_partition boot:1:keys/key_boot.bin \
      --chain_partition system:3:keys/key_system.bin \
      --chain_partition vendor:4:keys/key_vendor.bin \
      --chain_partition product:10:keys/key_product.bin \
      --chain_partition dtbo:9:keys/key_dtbo.bin \
      --chain_partition recovery:2:keys/hovatek.bin \
      --chain_partition l_modem:5:keys/key_l_modem.bin \
      --chain_partition l_ldsp:6:keys/key_l_ldsp.bin \
      --chain_partition l_gdsp:7:keys/key_l_gdsp.bin \
      --chain_partition pm_sys:8:keys/key_pm_sys.bin \
      --chain_partition dtb:11:keys/key_dtb.bin \
      --padding_size 16384 --output vbmeta-sign-custom.img

    Note:
    • Some vbmeta images contain additional props. Those can be added as key:value pairs e.g
      Code:

      --prop com.android.build.vendor.os_version:13
    • When modifying partitions like product.img (which is in /super partition), you sign the modified product.img, add it to super.img then create the corresponding vbmeta (vbmeta_product) and flash both. One additional flag is
      Code:

      --include_descriptors_from_image product.img
    • The value for --algorithm was obtained from reading the info of vbmeta-sign. You need to modify this command to match the partitions and indexes in your own vbmeta-sign.
    • Check the requirements above for how to obtain your value for --padding_size
    • Leave the flag as 0 if you've not swapped any public key with a custom one and as 2 if you have

  7. Now I have a 16kb vbmeta-sign-custom.img file. I now need to add DHTB back to the same position as in vbmeta-sign.img . vbmeta_pad.py is the script for that. Run the code below:

    Code:

    python vbmeta_pad.py

  8. vbmeta-sign-custom.img should now become a 1MB file like vbmeta-sign.img . Now, you can flash vbmeta-sign-custom.img via fastboot

Important Notice
  • For models with fastbootd support, you might need to flash vbmeta in fastbootd if flashing in fastboot freezes or gives errors.
  • Your bootloader will only accept images signed with the key from which you generated your custom public key
  • If you must flash back your stock rom, ensure to flash back your stock vbmeta-sign.img first
  • Avoid trying to flash images which haven't been signed with the keys your bootloader is expecting to avoid an endless wait in Research Download tool or stuck at writing in fastboot
  • Credit goes to Petercxy

Video Transcript
Quote: In this video tutorial, I'll be explaining how to create a custom signed vbmeta image. These are the files you're going to need: the public keys, you can extract these ones from the stock vbmeta, I'll link to a guide on how to do that. I also have my AVBtool. I have my hovatek.pem. It's a private key which I created with OpenSSL, I'll link to that also. I have my rsa.pem which is my key used to sign my vbmeta image. Once you launch terminal as I did while talking, you run this command. This command is to run a check on the stock vbmeta image so I can get the information I need for future commands like the algorithm used and hashes.

Next, I'm going to create a public key using my private key. I'm using hovatek.pem. You can decide to use the rsa.pem as your private key also even though you're using it to sign vbmeta image. When I run this command, it's going to create a file named hovatek.bin in the keys folder. This public key is going to be used to sign any partition I intend to flash a custom image to in the future. I'm going to be signing.. I'm going to be flashing to only recovery so I'm going to be signing only the recovery partition using this public key OK? Now, I'm going to run this command. This command is going to create my custom signed vbmeta image.

Now, I'm using the default public keys (extracted) from my stock vbmeta but for recovery, I'm going to replace the public key with my hovatek.bin public key. That means if I want to flash a recovery image to the recovery partition, I'll need to sign that recovery image using the hovatek.pem . I'll link to a guide on how to do that. Now, this command is going to create a vbmeta image which is 16kb. That's because the stock also has a padded size of 16kb but the overall size of stock is 1MB. That's because there's some Checksum that needs to be applied to a certain position. That's what this script is for, vbmeta_pad.py.

So you run this command also and this is going to generate a 1MB file. This is very identical to the stock. I'm going to run a command to see the information about or of this custom vbmeta image. When you compare it to the stock, you're going to see that it's very identical; maybe the flag will just be different, which is 2 to disable verity checks and the hash for recovery partition is going to be different. Every other thing is going to be identical to what I have in stock and they're both the same signature.

You're going to need the keys your OEM used to sign your stock vbmeta if not this guide is not going to work. Unisoc uses the same key across, at least so far uses the same key across their models so I have my vbmeta. You can now flash it using fastboot.
This post was last modified: 19-11-2023, 10:08 AM by hovatek.
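
As an added example (not part of the original post or of avbtool): a small Python helper that parses two `avbtool info_image` outputs and lists what changed, which is the stock-versus-custom comparison the transcript describes. The stock sample is abridged from the output in step 5; the custom variant and its all-zero key hash are constructed placeholders.

```python
# Constructed sample: abridged from the stock info_image output in the guide.
STOCK = """\
Algorithm:                SHA256_RSA4096
Rollback Index:           0
Flags:                    0
Descriptors:
    Chain Partition descriptor:
      Partition Name:          boot
      Rollback Index Location: 1
      Public key (sha1):       ea410c1b46cdb2e40e526880ff383f083bd615d5
    Chain Partition descriptor:
      Partition Name:          recovery
      Rollback Index Location: 2
      Public key (sha1):       d9093b9a181bdb5731b44d60a9f850dc724e2874
"""
# Constructed: flags set to 2 and the recovery key hash replaced by a placeholder.
CUSTOM = STOCK.replace("Flags:                    0", "Flags:                    2")
CUSTOM = CUSTOM.replace("d9093b9a181bdb5731b44d60a9f850dc724e2874", "0" * 40)

def parse_info(text):
    """Return (top-level fields, {partition: (rollback location, key sha1)})."""
    fields, chains, name, loc = {}, {}, None, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if key == "Partition Name":
            name = value
        elif key == "Rollback Index Location":
            loc = int(value)
        elif key == "Public key (sha1)":
            chains[name] = (loc, value)      # closes the current descriptor
        elif sep and value:                  # skips section headers with no value
            fields[key] = value
    return fields, chains

def diff_vbmeta(stock_text, custom_text):
    """List differences in header fields and chain descriptors between two outputs."""
    (sf, sc), (cf, cc) = parse_info(stock_text), parse_info(custom_text)
    out = [f"{k}: {sf.get(k)} -> {cf.get(k)}"
           for k in sorted(set(sf) | set(cf)) if sf.get(k) != cf.get(k)]
    out += [f"chain {p}: {sc.get(p)} -> {cc.get(p)}"
            for p in sorted(set(sc) | set(cc)) if sc.get(p) != cc.get(p)]
    return out

if __name__ == "__main__":
    for change in diff_vbmeta(STOCK, CUSTOM):
        print(change)
```

Run against saved outputs from a known-good image and the image under inspection, an empty result means the header fields and chained key fingerprints match.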

mainframe
Newbie
2
30-05-2020, 10:55 AM
#2
Thanks for a great in-depth guide. I was wondering how can I determine the padding used by the stock image? The guide uses a 16k padding because the stock has that as well, but can I check/verify the padding?

Thanks.
X3non
Recognized Contributor
22,062
30-05-2020, 10:12 PM
#3
(30-05-2020, 10:55 AM)mainframe Thanks for a great in-depth guide. I was wondering how can I determine the padding used by the stock image? The guide uses a 16k padding because the stock has that as well, but can I check/verify the padding?

Thanks.

open the original vbmeta using hxd
search for text-string : DHTB
after the DHTB section you'll find a string similar to the ss below

[Image: attachment.php?aid=7851]

convert that to little endian using the link @ https://www.scadacore.com/tools/programm...converter/


PS. if you have
00 50 00 00 then padding size = 20480
00 40 00 00 then padding size = 16384
00 30 00 00 then padding size = 12288
This post was last modified: 26-12-2020, 02:54 PM by hovatek.
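
The hex-editor lookup described above, as an added Python example that is not part of the original post: it finds the `DHTB` magic and decodes the 4-byte words that follow as little-endian. The thread does not state the field's offset, so the function reports candidates instead of assuming one; the 4096-multiple filter (based on the three values quoted above) and the sample image layout are assumptions.

```python
import struct

MAGIC = b"DHTB"

def dhtb_size_candidates(image, window=512):
    """Return (offset_from_magic, value) pairs that look like a padding size.

    Each 4-byte word after the magic is read as little-endian. A word is kept
    when it is non-zero, a multiple of 4096 and no larger than the image
    (heuristic filter, an assumption of this example).
    """
    start = image.find(MAGIC)
    if start < 0:
        raise ValueError("no DHTB magic found in image")
    header = image[start:start + window]
    hits = []
    for off in range(4, len(header) - 3, 4):
        (value,) = struct.unpack_from("<I", header, off)
        if value and value % 4096 == 0 and value <= len(image):
            hits.append((off, value))
    return hits

def build_sample(size_bytes="00400000"):
    """Constructed 1 MiB image; header position and field offset are hypothetical."""
    img = bytearray(1024 * 1024)
    pos = len(img) - 512
    img[pos:pos + 4] = MAGIC
    img[pos + 48:pos + 52] = bytes.fromhex(size_bytes)  # bytes as read in the hex editor
    return bytes(img)

if __name__ == "__main__":
    for off, value in dhtb_size_candidates(build_sample()):
        print(f"magic+{off}: padding size candidate {value}")
```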
alim07
Enthusiastic Member
7
25-07-2020, 12:06 PM
#4
created vbmeta according to the instructions on one phone successfully on the other, too, but one of them is not stitched timeout, but on another phone model it is stitched.  Both android 9 sc9863a, what is the reason for the assembly?  bootloader not unlocked token not working
This post was last modified: 25-07-2020, 12:10 PM by alim07.
X3non
Recognized Contributor
22,062
27-07-2020, 09:19 AM
#5



(25-07-2020, 12:06 PM)alim07 created vbmeta according to the instructions on one phone successfully on the other, too, but one of them is not stitched timeout, but on another phone model it is stitched.  Both android 9 sc9863a, what is the reason for the assembly?  bootloader not unlocked token not working

create a new thread for your device issue by clicking "Ask Question" at the top
in the new thread, state your device model and what problem(s) you're experiencing
Ejike Dex
Enthusiastic Member
13
14-08-2020, 04:47 PM
#6
Hey guys thanks for this amazing site and all the informative resources. I followed your guide and was able to generate a  signed vbmeta image .
My question now is, when flashing it via fastboot? is the command below correct or am I mistaking something?

Code:

fastboot flash boot vbmeta_custom.img
hovatek
Administrator
49,570
14-08-2020, 07:21 PM
#7
(14-08-2020, 04:47 PM)Ejike Dex Hey guys thanks for this amazing site and all the informative resources. I followed your guide and was able to generate a  signed vbmeta image .
My question now is, when flashing it via fastboot? is the command below correct or am I mistaking something?

Code:

fastboot flash boot vbmeta_custom.img

Your command would flash vbmeta to boot partition.
It should be

Code:

fastboot flash vbmeta vbmeta_custom.img

Ejike Dex
Enthusiastic Member
13
14-08-2020, 10:33 PM
#8
(14-08-2020, 07:21 PM)hovatek
(14-08-2020, 04:47 PM)Ejike Dex Hey guys thanks for this amazing site and all the informative resources. I followed your guide and was able to generate a  signed vbmeta image .
My question now is, when flashing it via fastboot? is the command below correct or am I mistaking something?

Code:

fastboot flash boot vbmeta_custom.img

Your command would flash vbmeta to boot partition.
It should be

Code:

fastboot flash vbmeta vbmeta_custom.img

Thank you very much. I am guessing after this I just have to flash a patched recovery image to the boot partition right? Flashing an Itel S15 running android 9 pie
X3non
Recognized Contributor
22,062
15-08-2020, 11:22 AM
#9
(14-08-2020, 10:33 PM)Ejike Dex Thank you very much. I am guessing after this I just have to flash a patched recovery image to the boot partition right? Flashing an Itel S15 running android 9 pie

i take it you plan to achieve root
you can try flashing magisk patched boot OR magisk canary patched boot into boot partition
OR
magisk patched recovery into recovery partition then reboot to recovery mode to get root access on the phone

you're not to flash recovery into boot or vice versa
akramkhan
Junior Member
24
19-08-2020, 04:48 PM
#10



@X3non
I tried to flash magisk patched img via fastboot and it was successful but unfortunately I am getting bootloop and worst is that I can't get into fastboot mode unless I flash stock rom via aftersale software. My device is Tecno Pouvoir 4 Pro, please advise. Thanks