Hovatek Forum DEVELOPMENT Android [Please help] Flashing AVB Unlocked Device (secureboot?)
[Please help] Flashing AVB Unlocked Device (secureboot?)

Whiterat
Enthusiastic Member
10
05-07-2021, 11:37 PM
#1

Hi,

Working on an MT8167S smart clock at the moment (Android Things, A/B partition)

I have the AVB unlock credentials (a bundle with the PUK private key, PUK public key and PIK public key), which work:

Code:

./at_auth_unlock.py cube_unlock_credentials_v2.zip
Product ID SHA256 hash = 511d37b1ced91711c81558ca0aa69ac54885805395166888c6ce80368a8117c0
Found matching unlock credentials: unlock_credentials_v2.zip
Device successfully AVB unlocked
Successfully cleared the factory partition persistent digest.

The bootrom is also susceptible to mtk-bypass and I have a full backup from spft.

Device is insecure and unlocked:
Code:

(bootloader)     at-attest-uuid: 78A2A067D9B44096A08A834BB45A56C2
(bootloader)     at-attest-dh: 1:P256,2:curve25519
(bootloader)     slot-unbootable:b: yes
(bootloader)     slot-unbootable:a: no
(bootloader)     slot-retry-count:b: 0
(bootloader)     slot-retry-count:a: 0
(bootloader)     slot-successful:b: no
(bootloader)     slot-successful:a: yes
(bootloader)     slot-count: 2
(bootloader)     current-slot: a
(bootloader)     max-download-size: 0x6000000
(bootloader)     partition-size:userdata: 0x13fe56e00
(bootloader)     partition-type:userdata: ext4
(bootloader)     partition-size:oem_b: 0x1f400000
(bootloader)     partition-type:oem_b: raw
(bootloader)     has-slot:oem: yes
(bootloader)     partition-size:oem_a: 0x1f400000
(bootloader)     partition-type:oem_a: raw
(bootloader)     partition-size:factory_bootloader: 0x1000000
(bootloader)     partition-type:factory_bootloader: raw
(bootloader)     partition-size:factory: 0x2000000
(bootloader)     partition-type:factory: raw
(bootloader)     partition-size:oem_bootloader_b: 0x400000
(bootloader)     partition-type:oem_bootloader_b: raw
(bootloader)     has-slot:oem_bootloader: yes
(bootloader)     partition-size:oem_bootloader_a: 0x400000
(bootloader)     partition-type:oem_bootloader_a: raw
(bootloader)     partition-size:vendor_b: 0x4000000
(bootloader)     partition-type:vendor_b: ext4
(bootloader)     has-slot:vendor: yes
(bootloader)     partition-size:vendor_a: 0x4000000
(bootloader)     partition-type:vendor_a: ext4
(bootloader)     partition-size:vbmeta_b: 0x10000
(bootloader)     partition-type:vbmeta_b: raw
(bootloader)     has-slot:vbmeta: yes
(bootloader)     partition-size:vbmeta_a: 0x10000
(bootloader)     partition-type:vbmeta_a: raw
(bootloader)     partition-size:system_b: 0x20000000
(bootloader)     partition-type:system_b: ext4
(bootloader)     has-slot:system: yes
(bootloader)     partition-size:system_a: 0x20000000
(bootloader)     partition-type:system_a: ext4
(bootloader)     partition-size:boot_b: 0x2000000
(bootloader)     partition-type:boot_b: raw
(bootloader)     has-slot:boot: yes
(bootloader)     partition-size:boot_a: 0x2000000
(bootloader)     partition-type:boot_a: raw
(bootloader)     partition-size:tee_b: 0x500000
(bootloader)     partition-type:tee_b: raw
(bootloader)     has-slot:tee: yes
(bootloader)     partition-size:tee_a: 0x500000
(bootloader)     partition-type:tee_a: raw
(bootloader)     partition-size:lk_b: 0x60000
(bootloader)     partition-type:lk_b: raw
(bootloader)     has-slot:lk: yes
(bootloader)     partition-size:lk_a: 0x60000
(bootloader)     partition-type:lk_a: raw
(bootloader)     partition-size:logo: 0x800000
(bootloader)     partition-type:logo: raw
(bootloader)     partition-size:metadata: 0x2000000
(bootloader)     partition-type:metadata: raw
(bootloader)     partition-size:frp: 0x100000
(bootloader)     partition-type:frp: raw
(bootloader)     partition-size:para: 0x80000
(bootloader)     partition-type:para: raw
(bootloader)     partition-size:seccfg: 0x40000
(bootloader)     partition-type:seccfg: raw
(bootloader)     partition-size:dkb: 0x200000
(bootloader)     partition-type:dkb: raw
(bootloader)     partition-size:kb: 0x200000
(bootloader)     partition-type:kb: raw
(bootloader)     partition-size:misc: 0x100000
(bootloader)     partition-type:misc: raw
(bootloader)     partition-size:nvram: 0x500000
(bootloader)     partition-type:nvram: raw
(bootloader)     partition-size:proinfo: 0x300000
(bootloader)     partition-type:proinfo: raw
(bootloader)     partition-size:preloader: 0x40000
(bootloader)     partition-type:preloader: raw
(bootloader)     serialno: xx
(bootloader)     warranty: no
(bootloader)     unlocked: yes
(bootloader)     secure: no
(bootloader)     kernel: lk
(bootloader)     variant: mt8167s_som
(bootloader)     product: mt8167s
(bootloader)     logical-block-size: 0x200
(bootloader)     erase-block-size: 0x80000
(bootloader)     version-baseband: N/A
(bootloader)     version-bootloader: POLK0.5
(bootloader)     version-preloader: 00
(bootloader)     version: 0.5

I've tried creating a vbmeta with flags=2 (disabled) and flashed it to the b partition:

Code:

./avbtool110 make_vbmeta_image --flags 2 --padding_size 4096 --output vbmeta_disabled.img
$ fastboot --set-active=b
Setting current slot to 'b'                        OKAY [  0.012s]
Finished. Total time: 0.014s
$ fastboot flash vbmeta ../vbmeta_disabled.img --disable-verity --disable-verification
Sending 'vbmeta_b' (4 KB)                          OKAY [  0.012s]
Writing 'vbmeta_b'                                 OKAY [  0.008s]
Finished. Total time: 0.031s

But I still cannot flash/boot a modified boot image without the partition being marked as unbootable.
Is it to do with MTK secure boot?

Any ideas on next steps?

Thanks.
X3non
Recognized Contributor
22,062
06-07-2021, 10:51 AM
#2
(05-07-2021, 11:37 PM)Whiterat ...
But I still cannot flash/boot a modified boot image without the partition being marked as unbootable.
Is to do with MTK secureboot?

Any ideas on next steps?

Thanks.

MTK secure boot has nothing to do with it; trace back your steps to figure out what triggers the unbootable slot,
i.e. either go from flashing stock boot backwards, or flash back the stock firmware then repeat the steps above while checking the slot status.
Whiterat
Enthusiastic Member
10
06-07-2021, 10:59 AM
#3
I split and rebuilt boot.img (without rebuilding the ramdisk or making any modifications) and, apart from the lack of the AVB footer, it's identical byte for byte to the original image (minus the AVB footer).

And still fails to boot that slot :/
X3non
Recognized Contributor
22,062
07-07-2021, 10:37 AM
#4
(06-07-2021, 10:59 AM)Whiterat I split and rebuilt boot.img (without rebuilding the ramdisk or making any modifications) and apart from the lack of AVB footer it's identical byte for byte to the original image(minus AVB footer).

And still fails to boot that slot :/

If I understand you, with your custom-made vbmeta and stock boot, the slot is bootable.
Is this correct?
Whiterat
Enthusiastic Member
10
07-07-2021, 11:10 AM
#5

with avb unlocked, custom vbmeta and stock boot but with vbmeta signature stripped from stock boot image it will not boot
X3non
Recognized Contributor
22,062
08-07-2021, 12:51 PM
#6
(07-07-2021, 11:10 AM)Whiterat with avb unlocked, custom vbmeta and stock boot but with vbmeta signature stripped from stock boot image it will not boot

How did you unpack / repack boot? Using the latest Android Image Kitchen tool, or some other tool?
If you used the latest AIK then maybe an empty vbmeta isn't the way to go; you might need to make a custom vbmeta (with a custom key for the boot partition) then sign boot.img.
Whiterat
Enthusiastic Member
10
10-07-2021, 10:33 PM
#7
Just used unpackbootimg & mkbootimg without modifying the ramdisk.
So effectively just sliced and stuck together again - minus avb footer.

Code:

./mkbootimg \
    --kernel boot.img-zImage \
    --ramdisk boot.img-ramdisk.gz \
    --cmdline "bootopt=64S3,32N2,64N2 buildvariant=user" \
    --board '' \
    --base 0x40078000 \
    --pagesize 2048 \
    --kernel_offset 0x00008000 \
    --ramdisk_offset 0x14f88000 \
    --second_offset 0x00e88000 \
    --tags_offset 0x0df88000 \
    --os_version 8.1.0 \
    --os_patch_level 2019-02 \
    -o test.img

33554432 Jun 25 01:43 boot.img
12832768 Jul 10 22:26 test.img

$ dd if=boot.img bs=12832768 count=1 | sha256sum
1+0 records in
1+0 records out
12832768 bytes (13 MB, 12 MiB) copied, 0.0890766 s, 144 MB/s
2d8728be2c3120b72be296231f2cc81f8a05da69f0b0d754ba4d8d10f5a467f3  -

$ sha256sum test.img
2d8728be2c3120b72be296231f2cc81f8a05da69f0b0d754ba4d8d10f5a467f3  test.img

$ hexdump -C -s 12832768 boot.img
00c3d000  41 56 42 30 00 00 00 01  00 00 00 00 00 00 00 00  |AVB0............|
00c3d010  00 00 00 00 00 00 00 00  00 00 01 00 00 00 00 00  |................|
00c3d020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00c3d040  00 00 00 00 00 00 00 c8  00 00 00 00 00 00 00 00  |................|
*
00c3d060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 c8  |................|
00c3d070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00c3d080  61 76 62 74 6f 6f 6c 20  31 2e 31 2e 30 00 00 00  |avbtool 1.1.0...|
00c3d090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00c3d100  00 00 00 00 00 00 00 02  00 00 00 00 00 00 00 b8  |................|
00c3d110  00 00 00 00 00 c3 d0 00  73 68 61 32 35 36 00 00  |........sha256..|
00c3d120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00c3d130  00 00 00 00 00 00 00 00  00 00 00 04 00 00 00 20  |............... |
00c3d140  00 00 00 20 00 00 00 00  00 00 00 00 00 00 00 00  |... ............|
00c3d150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00c3d180  00 00 00 00 62 6f 6f 74  95 a7 e0 6b 2e fa 4c e1  |....boot...k..L.|
00c3d190  21 8f 2d 24 f9 cf 78 ff  f7 c0 81 96 3d 2f 6e 83  |!.-$..x.....=/n.|
00c3d1a0  b5 e7 8c ee 56 3b 3e 19  38 da ca b0 93 3f 4a bb  |....V;>.8....?J.|
00c3d1b0  90 4e 32 5f 28 e7 41 ce  f6 5f 56 4e e9 82 ef fa  |.N2_(.A.._VN....|
00c3d1c0  f7 ce 87 6c 8e 8c 03 67  00 00 00 00 00 00 00 00  |...l...g........|
00c3d1d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
01ffffc0  41 56 42 66 00 00 00 01  00 00 00 00 00 00 00 00  |AVBf............|
01ffffd0  00 c3 d0 00 00 00 00 00  00 c3 d0 00 00 00 00 00  |................|
01ffffe0  00 00 02 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
01fffff0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
02000000
This post was last modified: 10-07-2021, 10:34 PM by Whiterat.
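To make the "sliced minus the AVB footer" comparison above concrete, here is an added example (not code from this thread, from avbtool or from the device's lk) that parses the 64-byte AvbFooter and the hash descriptor in the layout shown in the hexdump, then recomputes sha256(salt || image[:image_size]) the way a libavb-based bootloader does before it decides a slot is good. The image it builds is a constructed sample with a made-up payload and salt; the digest in the real dump cannot be checked here because the boot image itself is not on the page.

```python
import hashlib
import struct

FOOTER_SIZE = 64          # AvbFooter ("AVBf") is the last 64 bytes of the partition image
VBMETA_HEADER_SIZE = 256  # AvbVBMetaImageHeader ("AVB0"), followed by the auth and aux blocks
HASH_DESC_TAG = 2         # descriptor tag of AvbHashDescriptor (the ...02 at 0x00c3d100 above)

def parse_footer(image: bytes) -> dict:
    """Footer fields: magic, version, original_image_size, vbmeta_offset, vbmeta_size."""
    magic, major, minor, orig, off, size = struct.unpack(">4sIIQQQ", image[-FOOTER_SIZE:][:36])
    if magic != b"AVBf":
        raise ValueError("no AVB footer; image was likely repacked with mkbootimg alone")
    return {"version": (major, minor), "original_image_size": orig, "vbmeta_offset": off, "vbmeta_size": size}

def parse_hash_descriptor(vbmeta: bytes) -> dict:
    """Read the first descriptor of the aux block and require it to be a hash descriptor."""
    if vbmeta[:4] != b"AVB0":
        raise ValueError("bad vbmeta magic")
    auth_size, aux_size, algorithm = struct.unpack(">QQI", vbmeta[0x0c:0x20])
    desc_off, desc_size = struct.unpack(">QQ", vbmeta[0x60:0x70])
    d = vbmeta[VBMETA_HEADER_SIZE + auth_size:][:aux_size][desc_off:desc_off + desc_size]
    tag, _, image_size, algo, name_len, salt_len, digest_len, _ = struct.unpack(">QQQ32sIIII", d[:0x48])
    if tag != HASH_DESC_TAG:
        raise ValueError("first descriptor is not a hash descriptor")
    body = d[0x84:]  # 0x48 fixed fields + 60 reserved bytes, then partition name | salt | digest
    return {"algorithm_type": algorithm, "partition": body[:name_len].decode(), "image_size": image_size,
            "hash_algorithm": algo.rstrip(b"\0").decode(), "salt": body[name_len:name_len + salt_len],
            "digest": body[name_len + salt_len:name_len + salt_len + digest_len]}

def verify_hash(image: bytes) -> bool:
    """Recompute hash(salt || image[:image_size]) as libavb's hash-descriptor check does."""
    f = parse_footer(image)
    desc = parse_hash_descriptor(image[f["vbmeta_offset"]:f["vbmeta_offset"] + f["vbmeta_size"]])
    h = hashlib.new(desc["hash_algorithm"])
    h.update(desc["salt"])
    h.update(image[:desc["image_size"]])
    return h.digest() == desc["digest"]

def build_sample_image(payload: bytes, salt: bytes = b"\x11" * 32) -> bytes:
    """Constructed sample (not the thread's dump): payload, algorithm-NONE vbmeta with one sha256
    hash descriptor for 'boot', then the footer, in the same layout avbtool produced above."""
    digest = hashlib.sha256(salt + payload).digest()
    tail = b"\0" * 60 + b"boot" + salt + digest
    desc = struct.pack(">QQQ32sIIII", HASH_DESC_TAG, 0x48 + len(tail) - 16, len(payload), b"sha256",
                       4, len(salt), len(digest), 0) + tail
    hdr = bytearray(VBMETA_HEADER_SIZE)
    hdr[0:4], hdr[4:12] = b"AVB0", struct.pack(">II", 1, 0)
    hdr[0x14:0x1c] = hdr[0x68:0x70] = struct.pack(">Q", len(desc))  # aux block size, descriptors_size
    footer = struct.pack(">4sIIQQQ", b"AVBf", 1, 0, len(payload), len(payload), len(hdr) + len(desc))
    return payload + bytes(hdr) + desc + footer.ljust(FOOTER_SIZE, b"\0")
```

Run parse_footer on a repacked test.img and it raises immediately, which is the difference the dd slice above was measuring; run verify_hash on the untouched boot.img and it returns True.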
Whiterat
Enthusiastic Member
10
11-07-2021, 01:56 AM
#8
Seemingly lk is still verifying partitions even though it's avb unlocked.

But unlocked avb seems to stop preloader verifying lk, so I patched lk to always return "AVB_SLOT_VERIFY_RESULT_OK" and I can now at least boot with modified boot/system/oem/etc.

Not sure how much I can achieve with "Android Things" as an OS, really does seem cut back.
X3non
Recognized Contributor
22,062
12-07-2021, 12:04 PM
#9
(11-07-2021, 01:56 AM)Whiterat ...Not sure how much I can achieve with "Android Things" as an OS, really does seem cut back.

Not sure either, the OS has been dropped by Google, but curious: were you able to get root using Magisk on this OS?
Whiterat
Enthusiastic Member
10
12-07-2021, 01:12 PM
#10

(12-07-2021, 12:04 PM)X3non
(11-07-2021, 01:56 AM)Whiterat ...Not sure how much I can achieve with "Android Things" as an OS, really does seem cut back.

Not sure either, the OS has been dropped by Google, but curious: were you able to get root using Magisk on this OS?

I don't have another android device to run magisk on to patch the boot image to be honest.

I made a few changes to enable adb, but because the device is using a USB A-A cable I suspect it's operating as host and the gadget config for adb isn't working.