[X3non]

This is a step by step guide showing how to extract public signing keys from a vbmeta image. This will come handy if you plan to make a vbmeta image and still retain the public keys for certain partitions

Requirements

• Your VBmeta image (extract from the firmware of your device)
  
• Download HxD Hex Editor @ https://mh-nexus.de/en/hxd/
  
• Verify the partition names, partitions with public key and algorithm within your VBmeta image using this guide
  

If you verified the contents of your vbmeta and it matches with the contents of the one we used for [ Login / Register to download free] . It'll be the same as what you'll get if you manually extract the public keys yourself

Steps on how to extract public keys from a vbmeta image

Follow the steps below to extract public keys from a vbmeta image

See the video below or @ https://youtu.be/ICWBq-Bxsb4

1. Launch HxD hex editor tool
   
   
   
   
2. Click File > Open
   
   
   
   
3. Navigate to the location of the vbmeta image, select it and click Open
   
   
   
   
4. Scroll down slowly using the scroll bar or arrow keys on your keyboard until you find the first partition name. Partition names within a vbmeta image will be gotten using the link to verify the contents of vbmeta in the requirements section
   
   
   
   
5. Start highlighting everything just after the partition name. When highlighting, ensure to use the middle section (hex view section)
   
   
   
   
6. Highlight downwards till you reach a section filled with mostly 00s, you're to stop highlighting just before the 00s
   
   
   
   
7. Right click on the highlighted item then click Copy
   
   
   
   
8. Click File > New
   
   
   
   
9. Right click on the middle section (hex view) then click on Paste insert
   
   
   
   
10. Click on File > Save
    
    
    
    
11. In the window that opens next, input the file name you wish to save the public key with then click Save
    
    
    
    
12. You can right click on the tab and click Close
    
    
    
    
13. Repeat the same procedure for all partitions on the list till you get to the last partition (in my case, DTB is the last partition)
    
14. Place your cursor just in front of the partition name i.e DTB in my case. Take note of the
    
    
    
    
15. Click Search > Find
    
    
    
    
16. Click Hex-values tab
    
    
    
    
17. Input the search value below and click OK. (My vbmeta uses RSA4096 so i'm searching for 00 00 10 00)
    
    Code:

    search for : 00 00 10 00
search direction : forward
    
    
    
    
18. If your vbmeta uses RSA2048 or you don't find anything after searching for the values in the last step, you can try searching for either
    
    Code:

    00 00 08 00
or
00 00
    
    
19. It'll find the value just in front of the partition name
    
    
    
    
20. Click Search > Find again
    
    
    
    
21. It'll find the values a second time, you're to start highlighting just before the second found item but this time you'll highlight upwards.
    Note that if there's any 00s in front, you're to skip them (in my case, i have a single 00 just in front of 00 00 10 00, so i've skipped it)
    
    
    
    
22. Highlight upwards until you get to DTB which is the last partition name
    
23. Right click on the highlighted item > Copy and paste into a new file then save (just like you did for the previous items)
    
    
    
    
24. The last partition could be a bit tricky so after saving, place your cursor at the end of the file and confirm the offset at the bottom left hand corner (in my case it's 408)
    
    
    
    
25. Open the other keys you saved and confirm that they all have the same final offset value (in my case it's 408). If yes then you're all good
    
26. The files you saved are the public keys used by your device to verify the other partitions e.g boot, recovery e.t.c
    
    
    

Important Notice

• New partitions tend to begin with HEX 00 00 10 00 so ensure to do a Search All for this hex to see all available partitions and know where each stops
  
• Ensure to read through and understand before proceeding, you don't want to make a mistake while doing this
  
• If you verified the contents of your vbmeta and it matches with the content of ours we used in writing this guide, then you can simply download the keys we've already generated to save your time.
  
• Credits goes to Petercxy
  

[guest765]

Hi, the keys I have extracted have wildly different offset numbers except for recovery and system (they are both 208). The verification output is very different from yours too. Am I right in thinking that only the chain partitions need to have the same offset?

TIA

Code:

Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     320 bytes
Auxiliary Block:          2432 bytes
Algorithm:                SHA256_RSA2048
Rollback Index:           0
Flags:                    0
Release String:           'avbtool 1.1.0'
Descriptors:
    Chain Partition descriptor:
      Partition Name:          recovery
      Rollback Index Location: 1
      Public key (sha1):       0aa0987116fc792f36bc909b0a4d530413f02a54
    Chain Partition descriptor:
      Partition Name:          system
      Rollback Index Location: 2
      Public key (sha1):       fa41159a5d696abdef93176a07d0b0d001263f01
    Hashtree descriptor:
      Version of dm-verity:  1
      Image Size:            299536384 bytes
      Tree Offset:           299536384
      Tree Size:             2367488 bytes
      Data Block Size:       4096 bytes
      Hash Block Size:       4096 bytes
      FEC num roots:         0
      FEC offset:            0
      FEC size:              0 bytes
      Hash Algorithm:        sha1
      Partition Name:        vendor
      Salt:                  a8e93fa28d41067338c5bee0665a377ff148c048fc64fa5674373324a5a44907
      Root Digest:           3f2acb5619b3cfa2feeb972ca8df5670bc3f8876
      Flags:                 0
    Hash descriptor:
      Image Size:            32480 bytes
      Hash Algorithm:        sha256
      Partition Name:        dtbo
      Salt:                  a8e93fa28d41067338c5bee0665a377ff148c048fc64fa5674373324a5a44907
      Digest:                c0783c1edff92bf2e9af9ce370b930c245a5c60a047597c7d5a0dbf832943258
      Flags:                 0
    Hash descriptor:
      Image Size:            6729728 bytes
      Hash Algorithm:        sha256
      Partition Name:        boot
      Salt:                  a8e93fa28d41067338c5bee0665a377ff148c048fc64fa5674373324a5a44907
      Digest:                1c0fc132d5903f7a3722ba338438bb5121ed26486789005505a4c40f608c8e55
      Flags:                 0

[X3non]

Hi, the keys I have extracted have wildly different offset numbers except for recovery and system (they are both 208). The verification output is very different from yours too. Am I right in thinking that only the chain partitions need to have the same offset?
TIA
...

your vbmeta uses rsa2048 private keys unlike the one shown in the guide here that uses rsa4096. yours is bound to be different
and yes, chain partitions will have same offset unless a different size of rsa private key is used (which we haven't seen such). in your case all keys are rsa2048

[ch3mn3y]

One question. With first partition (boot) You say to copy what is AFTER the partition name, but with dtb You included partition name? Why?
With other, nonboot partition, should I go which way?
I'm just little lost...

EDIT: OK, had to reread it again, but now I understand what is written there

[mohamedfaky]

Hello, i'm trying to extract public keys from my vbmeta but facing some issues.. first the structure of vbmeta is quite weird and different that what expected to be.. i have no problem with that for now, the real issue here is that i can't find another 00 00 08 00 at the end of last partition's public key.. OEM's vbmeta uses SHA256_RSA2048 as encrypting algorithm and i can find only 00 00 08 00 at the beginning of vendor which is the last partition here, so i can't decide where is the end of public key.. i'm trying to get public keys to build a new vbmeta with custom recovery key to be able to use it safely when i relock my bootloader.

[hovatek]

Hello, i'm trying to extract public keys from my vbmeta but facing some issues.. first the structure of vbmeta is quite weird and different that what expected to be.. i have no problem with that for now, the real issue here is that i can't find another 00 00 08 00 at the end of last partition's public key.. OEM's vbmeta uses SHA256_RSA2048 as encrypting algorithm and i can find only 00 00 08 00 at the beginning of vendor which is the last partition here, so i can't decide where is the end of public key.. i'm trying to get public keys to build a new vbmeta with custom recovery key to be able to use it safely when i relock my bootloader.

Create a new thread by clicking Ask Question at the top and provide a link to the vbmeta.img

[liOnux.fr]

Thanks a lot for this tuto !
But there are some differences in the names of 3 partitions between Hovatek keys and the command line used to sign a custom vbmeta image :
Real names are l_gdsp , l_ldsp , l_modem and not gdsp , ldsp , lmodem.
If people use the tutorials as they are, then the flashing is blocked on "writing...". Some forum members have had this problem.

[X3non]

Thanks a lot for this tuto !
But there are errors in the names of 3 partitions :
Real names are l_gdsp , l_ldsp , l_modem and not gdsp , ldsp , lmodem.
If we use the Hovatek keys, then the flashing is blocked on "writing...". Some forum members have had this problem.

the file names must not be the exact partition name, anything will work so long as you can tell that file A should be for partition A

[liOnux.fr]

Thanks a lot for this tuto !
But there are errors in the names of 3 partitions :
Real names are l_gdsp , l_ldsp , l_modem and not gdsp , ldsp , lmodem.
If we use the Hovatek keys, then the flashing is blocked on "writing...". Some forum members have had this problem.

the file names must not be the exact partition name, anything will work so long as you can tell that file A should be for partition A

Exactely, that's why people have to change the names of partitions in the command given here : @ [ Login / Register to download free]
Thank you again for all your work :-)

[LoPaTkA_Boli]

25. Open the other keys you saved and confirm that they all have the same final offset value (in my case it's 408). If yes then you're all good

What to do if the offset value may be other an couple files? I need to delete 00 (empty) value from the top? If i did that than offset value will be 408 (in my case too).

Update:
my mistake. I copyed key with name of partition. Change it.