rmx3231 #1

Closed
Denzy7 opened this issue Dec 30, 2023 · 9 comments

Denzy7 commented Dec 30, 2023

rmx3231 uses Android 11 but is padded to 00 40 00 00. Should I use the padding for Android 9?

```
$ hexdump -C vbmeta-sign.img | tail
00003c90  e1 9f 67 a1 01 48 bb 07  00 00 00 00 00 00 00 00  |..g..H..........|
00003ca0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000ffe00  44 48 54 42 00 00 00 00  16 b4 77 28 b0 86 25 e1  |DHTB......w(..%.|
000ffe10  f7 eb 56 fc 9b cb 5c 3e  f4 a7 c6 12 a9 70 e9 bf  |..V...\>.....p..|
000ffe20  b5 3e 1c 00 29 02 ee 70  00 02 00 00 00 00 00 00  |.>..)..p........|
000ffe30  00 40 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.@..............|
000ffe40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00100000
```

TomKing062 (Owner) commented Dec 30, 2023

Use Android 9.
Actually it is the size (aligned to 0x1000) of the vbmeta generated by avbtool; it can be different from the original vbmeta.

Denzy7 (Author) commented Jan 2, 2024

Ok. It's now padded. How do I sign boot.img?

Denzy7 (Author) commented Jan 2, 2024

I used pacextractor to extract the stock boot.img, which I patched with Magisk.
`python avbtool info_image --image boot.img` had this to say:

```
Footer version:           1.0
Image size:               67108864 bytes
Original image size:      29313024 bytes
VBMeta offset:            29315072
VBMeta size:              2304 bytes
--
Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     576 bytes
Auxiliary Block:          1472 bytes
Public key (sha1):        9405a8f24d5b71da4420fa3edc5a5bd2e7420446
Algorithm:                SHA256_RSA4096
Rollback Index:           0
Flags:                    0
Rollback Index Location:  0
Release String:           'avbtool 1.1.0'
Descriptors:
    Hash descriptor:
      Image Size:            29313024 bytes
      Hash Algorithm:        sha256
      Partition Name:        boot
      Salt:                  90aa4abfa3c379688515ae02967afc4c00ed47b531652d3881822b0f7fd0e8b8
      Digest:                a675a9a930b0d9019643df49c395e3d7670299356ed26d7e9ac7f33ed821ccfa
      Flags:                 0
    Prop: com.android.build.boot.fingerprint -> 'realme/RMX3231/RMX3231:11/RP1A.201005.001/1660721239064:user/release-keys'
    Prop: com.android.build.boot.os_version -> '11'
```

I then patch it with Magisk, sign with `python avbtool add_hash_footer --image boot_magisk_patched.img --partition_name boot --partition_size 67108864 --key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096`

Then this is the output of the signed Magisk boot.img:

```
Footer version:           1.0
Image size:               67108864 bytes
Original image size:      29550592 bytes
VBMeta offset:            29552640
VBMeta size:              2112 bytes
--
Minimum libavb version:   1.0
Header Block:             256 bytes
Authentication Block:     576 bytes
Auxiliary Block:          1280 bytes
Public key (sha1):        2597c218aae470a130f61162feaae70afd97f011
Algorithm:                SHA256_RSA4096
Rollback Index:           0
Flags:                    0
Rollback Index Location:  0
Release String:           'avbtool 1.2.0'
Descriptors:
    Hash descriptor:
      Image Size:            29550592 bytes
      Hash Algorithm:        sha256
      Partition Name:        boot
      Salt:                  d81c698452c19c17b0b3a111503b8ba5b309794ae37b324ccea9112398c3aca1
      Digest:                58d0d485cbf84be59a356d3e201fb96e09a38a08b3a23990c97e06f339d13726
      Flags:                 0
```

hovatek guide

But flashing it with Research Download causes it to get stuck at vbmeta. Even using the extracted vbmeta from pacextractor also gets stuck. Here is the ROM I used.

[edit]
Also, realme refused to provide the in-depth apk to unlock the bootloader for rmx3231. Could this be the issue?
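
Added example (not part of the original thread, and not code from avbtool or this project): a parser for the 64-byte AVB footer that `avbtool info_image` reads from the end of the image, with a consistency check on the footer fields printed in the listings above. The 4096-byte block size and the helper names are assumptions of this example; the sample footers are constructed from the sizes quoted in the comment.

```python
import struct

# AvbFooter as defined by libavb: big-endian, 64 bytes, stored in the
# last 64 bytes of the partition image.
FOOTER = struct.Struct(">4sLLQQQ28s")
BLOCK = 4096  # block size assumed for this example


def round_up(n, multiple):
    return (n + multiple - 1) // multiple * multiple


def parse_footer(tail):
    """Decode the final 64 bytes of an image into the fields info_image prints."""
    if len(tail) != FOOTER.size:
        raise ValueError("footer must be exactly 64 bytes")
    magic, major, minor, orig, offset, size, _reserved = FOOTER.unpack(tail)
    if magic != b"AVBf":
        raise ValueError("no AVB footer magic")
    return {"version": f"{major}.{minor}", "original_image_size": orig,
            "vbmeta_offset": offset, "vbmeta_size": size}


def check_footer(footer, image_size):
    """Return a list of inconsistencies between footer fields and image size."""
    problems = []
    expected = round_up(footer["original_image_size"], BLOCK)
    if footer["vbmeta_offset"] != expected:
        problems.append(f"vbmeta offset {footer['vbmeta_offset']} != {expected}")
    end = footer["vbmeta_offset"] + footer["vbmeta_size"]
    if end > image_size - FOOTER.size:
        problems.append("vbmeta blob overlaps the footer or exceeds the image")
    return problems


def make_footer(orig, offset, size):
    """Build a constructed sample footer (version 1.0) for the demo."""
    return FOOTER.pack(b"AVBf", 1, 0, orig, offset, size, bytes(28))


if __name__ == "__main__":
    # Sizes copied from the two info_image listings in the comment above.
    for name, args in (("stock", (29313024, 29315072, 2304)),
                       ("patched", (29550592, 29552640, 2112))):
        footer = parse_footer(make_footer(*args))
        print(name, footer, check_footer(footer, 67108864) or "consistent")
```

Both footers in the comment pass this check: in each, the VBMeta offset is the original image size rounded up to the next 4096-byte boundary.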

TomKing062 (Owner) commented

On Android 10(+), after unlocking the bootloader, trustos only checks that boot is signed, and will not check the signer of boot. boot can be flashed with researchdown, fastbootd or spd_dump.

Signing vbmeta is not a necessity to get root. There is a way to boot with a custom-signed vbmeta, but it does not work on 9863s yet: TomKing062/CVE-2022-38691_38692#1

Denzy7 (Author) commented Jan 4, 2024

I flashed the Magisk boot.img with the research tool and got a boot loop with the stock vbmeta that came with the stock ROM. Plus I can't use fastboot with a locked bootloader since realme haven't given us the in-depth test apk. I want to try spd_dump but idk if it will work anyway.

TomKing062 (Owner) commented

Denzy7 (Author) commented Jan 4, 2024

So will this work on 9863? Otherwise my main concern is root. How can I root this phone??

TomKing062 (Owner) commented

bl unlocked, patched boot signed, what else gets in the way?

Denzy7 (Author) commented Jan 5, 2024

It worked bro! I however had to flash stock vbmeta with disable flags and flash Magisk boot with fastboot (which caused a bootloop?), then flash stock vbmeta with the download tool. Thanks a lot.
