Hovatek
  • Private Support
  • Blog
  • Home
Login Register Ask Question Hello There, Guest!
Login
Username:
Password: Lost Password?
 

OR

       

We're hiring: Lagos Residents only! APPLY
Telegram Channel: Join @ t.me/Hovatek


  1. Hovatek Forum
  2. DEVELOPMENT
  3. Android
 
Thread Rating:
  • 1 Vote(s) - 5 Average

Thread Modes

[Tutorial] How to extract public keys from a vbmeta image

X3non
Hovatek Representative
Posts: 19,758
Threads: 562
Joined: Jul 2014
Reputation: 326
#1

12-03-2020, 11:16 PM


This is a step by step guide showing how to extract public signing keys from a vbmeta image. This will come handy if you plan to make a vbmeta image and still retain the public keys for certain partitions

Requirements

  • Your VBmeta image (extract from the firmware of your device)
  • Download HxD Hex Editor @ https://mh-nexus.de/en/hxd/
  • Verify the partition names, partitions with public key and algorithm within your VBmeta image using this guide

If you verified the contents of your vbmeta and it matches with the contents of the one we used for [ Login / Register to download free] . It'll be the same as what you'll get if you manually extract the public keys yourself


Steps on how to extract public keys from a vbmeta image


Follow the steps below to extract public keys from a vbmeta image


See the video below or @ https://youtu.be/ICWBq-Bxsb4


  1. Launch HxD hex editor tool

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-20.jpg]

  2. Click File > Open

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-21.jpg]

  3. Navigate to the location of the vbmeta image, select it and click Open

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-22.jpg]

  4. Scroll down slowly using the scroll bar or arrow keys on your keyboard until you find the first partition name. Partition names within a vbmeta image will be gotten using the link to verify the contents of vbmeta in the requirements section

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-23.jpg]

  5. Start highlighting everything just after the partition name. When highlighting, ensure to use the middle section (hex view section)

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-1.jpg]

  6. Highlight downwards till you reach a section filled with mostly 00s, you're to stop highlighting just before the 00s

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-2.jpg]

  7. Right click on the highlighted item then click Copy

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-3.jpg]

  8. Click File > New

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-4.jpg]

  9. Right click on the middle section (hex view) then click on Paste insert

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-5.jpg]

  10. Click on File > Save

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-6.jpg]

  11. In the window that opens next, input the file name you wish to save the public key with then click Save

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-7.jpg]

  12. You can right click on the tab and click Close

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-8.jpg]

  13. Repeat the same procedure for all partitions on the list till you get to the last partition (in my case, DTB is the last partition)
  14. Place your cursor just in front of the partition name i.e DTB in my case. Take note of the

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-9.jpg]

  15. Click Search > Find

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-10.jpg]

  16. Click Hex-values tab

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-11.jpg]

  17. Input the search value below and click OK. (My vbmeta uses RSA4096 so i'm searching for 00 00 10 00)
    Code:
    search for : 00 00 10 00
    search direction : forward

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-12.jpg]

  18. If your vbmeta uses RSA2048 or you don't find anything after searching for the values in the last step, you can try searching for either
    Code:
    00 00 08 00
    or
    00 00

  19. It'll find the value just in front of the partition name

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-13.jpg]

  20. Click Search > Find again

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-14.jpg]

  21. It'll find the values a second time, you're to start highlighting just before the second found item but this time you'll highlight upwards.
    Note that if there's any 00s in front, you're to skip them (in my case, i have a single 00 just in front of 00 00 10 00, so i've skipped it)

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-15.jpg]

  22. Highlight upwards until you get to DTB which is the last partition name
  23. Right click on the highlighted item > Copy and paste into a new file then save (just like you did for the previous items)

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-16.jpg]

  24. The last partition could be a bit tricky so after saving, place your cursor at the end of the file and confirm the offset at the bottom left hand corner (in my case it's 408)

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-18.jpg]

  25. Open the other keys you saved and confirm that they all have the same final offset value (in my case it's 408). If yes then you're all good
  26. The files you saved are the public keys used by your device to verify the other partitions e.g boot, recovery e.t.c

    [Image: How-to-extract-public-keys-from-a-vbmeta-image-19.jpg]



Important Notice
  • New partitions tend to begin with HEX 00 00 10 00 so ensure to do a Search All for this hex to see all available partitions and know where each stops
  • Ensure to read through and understand before proceeding, you don't want to make a mistake while doing this
  • If you verified the contents of your vbmeta and it matches with the content of ours we used in writing this guide, then you can simply download the keys we've already generated to save your time.
  • Credits goes to Petercxy

Note!
We have a reply schedule for Free Support. Please upgrade to Private Support if you can't wait.
(This post was last modified: 07-01-2021, 08:33 AM by hovatek.)
Find
Reply
guest765
Enthusiastic Member
Posts: 14
Threads: 3
Joined: Sep 2020
Reputation: 0
#2

06-09-2020, 06:34 PM
Hi, the keys I have extracted have wildly different offset numbers except for recovery and system (they are both 208). The verification output is very different from yours too. Am I right in thinking that only the chain partitions need to have the same offset?

TIA

Code:
Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     320 bytes
Auxiliary Block:          2432 bytes
Algorithm:                SHA256_RSA2048
Rollback Index:           0
Flags:                    0
Release String:           'avbtool 1.1.0'
Descriptors:
    Chain Partition descriptor:
      Partition Name:          recovery
      Rollback Index Location: 1
      Public key (sha1):       0aa0987116fc792f36bc909b0a4d530413f02a54
    Chain Partition descriptor:
      Partition Name:          system
      Rollback Index Location: 2
      Public key (sha1):       fa41159a5d696abdef93176a07d0b0d001263f01
    Hashtree descriptor:
      Version of dm-verity:  1
      Image Size:            299536384 bytes
      Tree Offset:           299536384
      Tree Size:             2367488 bytes
      Data Block Size:       4096 bytes
      Hash Block Size:       4096 bytes
      FEC num roots:         0
      FEC offset:            0
      FEC size:              0 bytes
      Hash Algorithm:        sha1
      Partition Name:        vendor
      Salt:                  a8e93fa28d41067338c5bee0665a377ff148c048fc64fa5674373324a5a44907
      Root Digest:           3f2acb5619b3cfa2feeb972ca8df5670bc3f8876
      Flags:                 0
    Hash descriptor:
      Image Size:            32480 bytes
      Hash Algorithm:        sha256
      Partition Name:        dtbo
      Salt:                  a8e93fa28d41067338c5bee0665a377ff148c048fc64fa5674373324a5a44907
      Digest:                c0783c1edff92bf2e9af9ce370b930c245a5c60a047597c7d5a0dbf832943258
      Flags:                 0
    Hash descriptor:
      Image Size:            6729728 bytes
      Hash Algorithm:        sha256
      Partition Name:        boot
      Salt:                  a8e93fa28d41067338c5bee0665a377ff148c048fc64fa5674373324a5a44907
      Digest:                1c0fc132d5903f7a3722ba338438bb5121ed26486789005505a4c40f608c8e55
      Flags:                 0
Find
Reply
X3non
Hovatek Representative
Posts: 19,758
Threads: 562
Joined: Jul 2014
Reputation: 326
#3

07-09-2020, 01:10 PM
(06-09-2020, 06:34 PM)guest765 Wrote:  Hi, the keys I have extracted have wildly different offset numbers except for recovery and system (they are both 208). The verification output is very different from yours too. Am I right in thinking that only the chain partitions need to have the same offset?
TIA
...

your vbmeta uses rsa2048 private keys unlike the one shown in the guide here that uses rsa4096. yours is bound to be different
and yes, chain partitions will have same offset unless a different size of rsa private key is used (which we haven't seen such). in your case all keys are rsa2048

Note!
We have a reply schedule for Free Support. Please upgrade to Private Support if you can't wait.
Find
Reply
ch3mn3y
Enthusiastic Member
Posts: 6
Threads: 0
Joined: Aug 2020
Reputation: 0
#4

13-09-2020, 08:34 AM
One question. With first partition (boot) You say to copy what is AFTER the partition name, but with dtb You included partition name? Why?
With other, nonboot partition, should I go which way?
I'm just little lost...

EDIT: OK, had to reread it again, but now I understand what is written there Smile
(This post was last modified: 13-09-2020, 08:43 AM by ch3mn3y.)
Find
Reply
mohamedfaky
Newbie
Posts: 2
Threads: 1
Joined: Dec 2020
Reputation: 0
#5
Bug 

04-12-2020, 06:15 AM
Hello, i'm trying to extract public keys from my vbmeta but facing some issues.. first the structure of vbmeta is quite weird and different that what expected to be.. i have no problem with that for now, the real issue here is that i can't find another 00 00 08 00 at the end of last partition's public key.. OEM's vbmeta uses SHA256_RSA2048 as encrypting algorithm and i can find only 00 00 08 00 at the beginning of vendor which is the last partition here, so i can't decide where is the end of public key.. i'm trying to get public keys to build a new vbmeta with custom recovery key to be able to use it safely when i relock my bootloader.



Attached Files
.png Screenshot (10).png Size: 118.63 KB  Downloads: 18
.png Screenshot (11).png Size: 211.25 KB  Downloads: 18
Find
Reply
hovatek
Administrator
*******
Posts: 46,916
Threads: 1,193
Joined: Oct 2013
Reputation: 422
#6

05-12-2020, 07:58 AM
(04-12-2020, 06:15 AM)mohamedfaky Wrote:  Hello, i'm trying to extract public keys from my vbmeta but facing some issues.. first the structure of vbmeta is quite weird and different that what expected to be.. i have no problem with that for now, the real issue here is that i can't find another 00 00 08 00 at the end of last partition's public key.. OEM's vbmeta uses SHA256_RSA2048 as encrypting algorithm and i can find only 00 00 08 00 at the beginning of vendor which is the last partition here, so i can't decide where is the end of public key.. i'm trying to get public keys to build a new vbmeta with custom recovery key to be able to use it safely when i relock my bootloader.

Create a new thread by clicking Ask Question at the top and provide a link to the vbmeta.img

Note!
We have a reply schedule for Free Support. Please upgrade to Private Support if you can't wait.
Website Find
Reply
« Next Oldest | Next Newest »


Possibly Related Threads…
Thread / Author Replies Views Last Post
How to create a custom signed vbmeta.img for Unisoc using AVBtool
hovatek
40
22,132
Last Post by X3non
13-04-2021, 12:21 PM
vbmeta.img for Unisoc sc9863a android 10
vano1678
1
128
Last Post by X3non
05-04-2021, 10:44 AM
How to extract recovery.img from recovery.img.lz4
hovatek
0
151
Last Post by hovatek
22-03-2021, 10:39 AM
what is next step? after flashing vbmeta
Hasan Mahmud BD
37
2,995
Last Post by hovatek
13-03-2021, 02:21 PM
Unisoc custom signed vbmeta
Prince2
4
373
Last Post by X3non
05-03-2021, 10:21 AM

  • View a Printable Version


Users browsing this thread: 1 Guest(s)
  1. Hovatek Forum
  2. DEVELOPMENT
  3. Android

About

The Hovatek Forum is a free Tech. Support Forum. We provide solutions to all your device related problems and questions. We'll love to have you participate in discussions here whether you're a Newbie or Experienced.

         

Forum Team

Powered By MyBB. Crafted by EreeCorp.




Linear Mode
Threaded Mode

Share

Share Tweet Share Share Pin