Signing boot images for Android Verified Boot (AVB) [v8]

By Chainfire, Moderator Emeritus / Senior Recognized Developer - Where is my shirt? on 3rd May 2017, 11:16 AM
7th May 2020, 08:27 AM |#361  
Senior Member
Quote:
Originally Posted by akshay.ku

Recovery log:attached.

The attached log doesn't contain any attempt of flashing a zip - I guess you've uploaded the wrong log.
7th May 2020, 12:34 PM |#362  
Junior Member
Android 8.0
Android 8.0 and higher includes a reference implementation of Verified Boot called Android Verified Boot (AVB) or Verified Boot 2.0.
The Following User Says Thank You to EldonBroady For This Useful Post
7th May 2020, 09:05 PM |#363  
akshay.ku
Senior Member
Quote:
Originally Posted by nvertigo67

The attached log doesn't contain any attempt of flashing a zip - I guess you've uploaded the wrong log.

I got only that log
I'm now on stock ROM
Installed twrp
It was not decrypted due to no screen lock
Rebooted
Flashed magisk again from twrp
After reboot and setting up lock screen
Twrp is getting encrypted
So thinking something like decryption zip can work



8th May 2020, 10:31 AM |#364  
Senior Member
Quote:
Originally Posted by akshay.ku

I got only that log

A log not containing the flash you complain about is useless. Get the log right after flashing a zip without reboot or anything.

Quote:
Originally Posted by akshay.ku

I'm now on stock ROM
Installed twrp
It was not decrypted due to no screen lock

No passphrase doesn't mean unencrypted (decryption is done on each boot with "default_password"). Never mix unencrypted and decrypted!

Quote:
Originally Posted by akshay.ku

Rebooted
Flashed magisk again from twrp
After reboot and setting up lock screen
Twrp is getting encrypted
So thinking something like decryption zip can work




Again: decryption is done on each boot. Unencrypted means no encryption on the userdata partition. TWRP is not encrypted, the userdata partition is. The only way to unencrypt userdata is formatting. For decryption you don't need a zip, but the decryption passphrase (which is "default_password" if you don't set it otherwise - roms and twrp know of "default_password", that's why they don't ask). Some roms have forced encryption (which means the userdata partition is encrypted on the first boot if the rom finds userdata unencrypted, as long as you don't disable forced encryption in fstab).

None of the above is related to a signed boot partition/image by any means and shouldn't be discussed in this thread.
The Following User Says Thank You to nvertigo67 For This Useful Post
20th May 2020, 08:29 AM |#365  
osm0sis
Recognized Developer / Recognized Contributor
Turns out it's simple enough of an executable that it can be compiled from the command line!

The only trick was getting the bouncycastle dependencies in there, which an IDE would usually handle (extracting and including only the necessary ones), but I worked around that by just taking them directly out of the latest prebuilt boot_signer.jar from Android CI.

Code:
git clone --depth 1 https://android.googlesource.com/platform/system/extras aosp-system-extras
cd aosp-system-extras

# download boot_signer-support-images-with-dt.patch from https://issuetracker.google.com/issues/143810860 to current directory

patch --forward -p1 < boot_signer-support-images-with-dt.patch
cd verity
rm -rf build boot_signer*.jar
mkdir build prebuilt

# download latest AOSP boot_signer.jar and dx.jar from Android CI per https://forum.xda-developers.com/sho...postcount=2272 to prebuilt directory

unzip prebuilt/boot_signer.jar 'org/*' -d build
javac -cp build -d build *.java
jar -cvfm boot_signer.jar BootSignature.mf -C build .
java -jar prebuilt/dx.jar --dex --output=boot_signer-dexed.jar boot_signer.jar

Fresh compiles with my patch to support bootimg hdr "v0" with dt section attached. Note boot_signer.jar is the actual correct name for this when built in AOSP, not BootSignature.jar, and I'll be updating my own projects accordingly.
Attached Files
boot_signer.jar (1.63 MB)
boot_signer-dexed.jar (574.5 KB)
The Following 3 Users Say Thank You to osm0sis For This Useful Post
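
Added example, not part of osm0sis's post and not code from AOSP or the patch: a v0 boot image with a dt section carries the dt size in the header field at offset 40, and the page-aligned dt section follows the kernel, ramdisk and second stage, so the offset at which a signature is appended has to account for it. This Python code computes that offset and classifies what follows it; `make_image`, the state names and the "value above 4 is a dt size" heuristic are assumptions of the example.

```python
import struct

MAGIC = b"ANDROID!"
# Example heuristic (an assumption, not taken from the patch): a value above
# this at offset 40 is a legacy dt size rather than an AOSP header_version.
MAX_HEADER_VERSION = 4

def _pad(size, page):
    """Round a section size up to a whole number of pages."""
    return (size + page - 1) // page * page

def signable_length(img):
    """Bytes covered by header + kernel + ramdisk + second (+ dt), page-aligned."""
    if len(img) < 44 or img[:8] != MAGIC:
        raise ValueError("not an Android boot image")
    # Offsets 8..43: sizes and load addresses, page size, then field 40.
    (kernel, _, ramdisk, _, second, _, _, page,
     field40) = struct.unpack_from("<9I", img, 8)
    if page == 0:
        raise ValueError("page size is zero")
    if 0 < field40 <= MAX_HEADER_VERSION:
        raise ValueError("header v%d is outside this v0-only example" % field40)
    # field40 is 0 for a plain v0 image, otherwise the dt section size.
    return page + sum(_pad(s, page) for s in (kernel, ramdisk, second, field40))

def trailer_state(img):
    """Classify whatever follows the signable region of the image."""
    end = signable_length(img)
    if len(img) < end:
        return "truncated"
    tail = img[end:]
    if not tail.strip(b"\x00"):
        return "unsigned"
    # The appended boot signature is DER-encoded, so it begins with a
    # SEQUENCE tag (0x30); anything else is not a signature blob.
    return "signature-like" if tail[0] == 0x30 else "unknown-trailer"

def make_image(kernel, ramdisk, dt=b"", page=2048, trailer=b""):
    """Build a constructed, minimal v0 image (sample input for the demo)."""
    hdr = MAGIC + struct.pack("<9I", len(kernel), 0, len(ramdisk), 0,
                              0, 0, 0, page, len(dt))
    parts = (hdr, kernel, ramdisk, dt)
    return b"".join(p.ljust(_pad(len(p), page), b"\x00") for p in parts) + trailer

if __name__ == "__main__":
    img = make_image(b"K" * 3000, b"R" * 100, dt=b"D" * 5000)
    print(signable_length(img), trailer_state(img))
```

A signer that leaves the dt section out of this calculation would take the signable region to end before the dt data, which is the case a dt-aware length calculation avoids.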
22nd May 2020, 09:46 PM |#366  
akshay.ku
Senior Member
Quote:
Originally Posted by nvertigo67

A log not containing the flash you complain about is useless. Get the log right after flashing a zip without reboot or anything.

No passphrase doesn't mean unencrypted (decryption is done on each boot with "default_password"). Never mix unencrypted and decrypted!

Again: decryption is done on each boot. Unencrypted means no encryption on the userdata partition. TWRP is not encrypted, the userdata partition is. The only way to unencrypt userdata is formatting. For decryption you don't need a zip, but the decryption passphrase (which is "default_password" if you don't set it otherwise - roms and twrp know of "default_password", that's why they don't ask). Some roms have forced encryption (which means the userdata partition is encrypted on the first boot if the rom finds userdata unencrypted, as long as you don't disable forced encryption in fstab).

None of the above is related to a signed boot partition/image by any means and shouldn't be discussed in this thread.

Thank you for sharing the info.

