• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Android 12 Upgrade Discussion

Search This thread

andybones

Forum Moderator
Staff member
May 18, 2010
14,722
14,993
Google Pixel 5
Can't get my device to pass attestation now. Installed the latest universal fix 2.1.1. There are currently no Android 12 fingerprints for props config. It's failing both basicIntegrity and ctsProfile, does say eval type is basic. Magisk is hidden. gPay and Play Services are 'hidden', cache and storage were cleared. Phone was rebooted. Funnily enough the banking apps work, but gPay does not.
Just a few helpful things to check, as many things can Trigger SN,

And it may be possible that one of the Magisk betas need to be used to get it passing, but tbh I haven't read enough about SN/A12 just quite yet, but this thread, if you haven't seen it yet, has a bunch of information on the state of Magisk, and those having issues passing SN with A12.
 

]grimm[

Senior Member
Feb 22, 2011
91
26
Pixel 4a 5G. Was running rooted A11 before the update, never installed any betas.
1. Dirty flashed the non-Verizon OTA image via recovery sideload, didn't wipe anything
2. Patched boot.img from the latest factory image with Magisk, flashed it
3. Got into a bootloop with "Failed to load/verify boot images"
4. Reverted everything by flashing the full factory image (without -w), booted into the system
5. Went back to fastboot, flashed vbmeta.img with --disable- flags but no --slot=all
6. Flashed the patched boot.img again, tried to boot
7. Saw the corrupt system screen, decided not to format data
8. Repeated step 4

So now I have a working system and no root.
I followed a very similar initial set of steps on my Pixel 5 that was running Android 11 with magisk prior to updating to Android 12 without wiping data.

Flashing vbmeta.img to one or both slots with the --disable- flags (or updating with the same flags and not wiping) causes my phone to enter a corrupt state. I am able to boot again if I flash vbmeta.img without any flags and ensure that I also flash stock boot.img. However, I am still able to enter a working rooted environment by booting magisk_patched_boot.img without vbmeta having been flashed with any flags. I am not able to use magisk to install directly after booting the patched image so I am effectively stuck in a state where I can boot into a rooted image using fastboot but will revert to an unrooted environment if I have to reboot my device. I have not wiped my device.

GPay worked for about a half dozen contactless transactions throughout the day while running a rooted environment (with the understanding that a few transaction over a relatively brief period of time are not strong evidence of future functionality.)
 

ZeoFateX

Member
Apr 5, 2011
21
9
Google Pixel 5
Weird that it worked on the 12 Beta 5.
Yeah not sure. Maybe I need to reflash again and make sure everything was done in the correct order. You are definitely passing. Did you have to run props config and stuff or no?

Edit: Weird. Disabled LSposed and Props Config modules, rebooted and I'm passing now. Only Riru and Universal SafetyNet Fix installed.
 
Last edited:
  • Like
Reactions: V0latyle

warrencoakley

Senior Member
May 1, 2014
915
164
45
Dublin
Pixel 4a 5G stock come from Android 11.

When I used adb and flashed the img and then the patched Magisk img it got stuck at the fastboot screen. The only way to get out of it was to re-flash the factory img again.

The only way i was was able to obtain root was to wipe and re-flash. Such a pain. Hours re-loading apps, logging back in etc.

I decided to try a different method so to speak so I followed this guy's way and it worked flawlessly. Took me half the time actually as I use to take the factory img, boot img, radio and bootloader out and flash individually.

Anyway I'm rooted (for now) My concern is the security updates to come if I will obtain route or need to wipe everytime (which there is no way in hell I'll be doing) Just got to wait and see.

Here is the YouTube video:

 
Last edited by a moderator:
Pixel 4a 5G stock come from Android 11.

When I used adb and flashed the img and then the patched Magisk img it got stuck at the fastboot screen. The only way to get out of it was to re-flash the factory img again.

The only way i was was able to obtain root was to wipe and re-flash. Such a pain. Hours re-loading apps, logging back in etc.

I decided to try a different method so to speak so I followed this guy's way and it worked flawlessly. Took me half the time actually as I use to take the factory img, boot img, radio and bootloader out and flash individually.

Anyway I'm rooted (for now) My concern is the security updates to come if I will obtain route or need to wipe everytime (which there is no way in hell I'll be doing) Just got to wait and see.

Here is the YouTube video:

This data corruption issue did not appear on the 12 Beta, which is what this guy is showing. Also, if you did it exactly as he showed, you wiped data.

It's also unclear as to whether Boot Verification was implemented on the 4a.

It does seem to make a difference on the upgrade path taken. I installed the OTA yesterday on 12 beta 5. When I got home, I tried to use the Android Flash tool, and still ended up with the corrupted data error.

Magisk Canary is not necessary; I successfully rooted using Magisk 23.0.

So the remaining issue seems to be rooting without wiping data.

Who's been able to gain root on Android 12 after upgrading without a data wipe?
 
Last edited:

paratox

Senior Member
Feb 18, 2010
1,113
376
Would it be possible to boot a patched boot.img for temporary root that i would need for app backups (swift backup) without data loss?
When i tried it i got the error "(bootloader) boot.img missing cmdline or OS version".
I´m afraid i did the OTA update without thinking about backups. 😅
 
Would it be possible to boot a patched boot.img for temporary root that i would need for app backups (swift backup) without data loss?
When i tried it i got the error "(bootloader) boot.img missing cmdline or OS version".
I´m afraid i did the OTA update without thinking about backups. 😅
If vbmeta and boot are untouched, then yes...just make sure it's the boot image for that build, as I tried this with the 12 Beta 5 boot image, and I got the corrupted data error.

You can potentially run your phone this way, just remember that you'll lose root if you reboot.
 

roundaway

Senior Member
Dec 9, 2009
217
33
USA
Pixel 4a 5G and took the OTA. Ran into the corrupt data and reflashed vbmeta.img and the boot.img. Rebooted to System. Then rebooted to bootloader and ran fastboot boot magisk_patched.img (or whatever name you gave the patched boot.img) and am temporarily rooted. This way I was able to get TitaniumBackup to do it's thing and then copied the data to a desktop.

Hoping for a no data wiping solution just to save the pain of an initial setup.
 
  • Like
Reactions: kfhughes

HumorBaby

Member
Oct 22, 2021
13
14
Google Pixel 5
Pixel 5:
I have successfully (seemingly) gone from a 12b5 to release 12 without a data wipe. Root, safetynet, GPay, are unaffected after 2 reboots so far.

I went in prepared to have to wipe after flashing vbmeta with the disable flags, but I didn't need to. Maybe the trick is to sideload OTA upgrade, then flash vbmeta and patched boot image without rebooting in between??

Anyway, here are the details:

Just like @V0latyle and others , I started from 12b5 (clean wipe flash coming from Android 11), rooted, then set up Riru, LSPosed, etc. for safetynet+GPay.

Back when I did the clean wipe 11 -> 12b5, I had used --disable-verification and --disable-verity in flash-all.sh:
Bash:
...
fastboot --disable-verification --disable-verity -w update image-...
...

Process to upgrade to release:
- Download release factory AND OTA images
- Extract vbmeta.img and boot.img from the factory image
- Patch boot.img using Magisk App on 12b5 phone and pull back to my PC
- sideload OTA without reboot, switch to fastboot mode
- flash vbmeta.img
- flash magisk_patched_boot.img
- reboot, breath sigh of relief after successful boot (and reboot) with root+data intact

pseudo-commands:
Code:
$ adb reboot sideload
$ adb sideload redfin-ota-sp1a.210812.015-2596fc07.zip
## Once OTA upgrade is complete, you should be dropped into recovery menu.
## Pick "Boot to fastboot"
$ fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
## Disable verity and verification for consistency
$ fastboot flash boot magisk_patched-23001_BLAHB.img
$ fastboot reboot
 
  • Like
Reactions: V0latyle
Pixel 5:
I have successfully (seemingly) gone from a 12b5 to release 12 without a data wipe. Root, safetynet, GPay, are unaffected after 2 reboots so far.

I went in prepared to have to wipe after flashing vbmeta with the disable flags, but I didn't need to. Maybe the trick is to sideload OTA upgrade, then flash vbmeta and patched boot image without rebooting in between??

Anyway, here are the details:

Just like @V0latyle and others , I started from 12b5 (clean wipe flash coming from Android 11), rooted, then set up Riru, LSPosed, etc. for safetynet+GPay.

Back when I did the clean wipe 11 -> 12b5, I had used --disable-verification and --disable-verity in flash-all.sh:
Bash:
...
fastboot --disable-verification --disable-verity -w update image-...
...

Process to upgrade to release:
- Download release factory AND OTA images
- Extract vbmeta.img and boot.img from the factory image
- Patch boot.img using Magisk App on 12b5 phone and pull back to my PC
- sideload OTA without reboot, switch to fastboot mode
- flash vbmeta.img
- flash magisk_patched_boot.img
- reboot, breath sigh of relief after successful boot (and reboot) with root+data intact

pseudo-commands:
Code:
$ adb reboot sideload
$ adb sideload redfin-ota-sp1a.210812.015-2596fc07.zip
## Once OTA upgrade is complete, you should be dropped into recovery menu.
## Pick "Boot to fastboot"
$ fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img
## Disable verity and verification for consistency
$ fastboot flash boot magisk_patched-23001_BLAHB.img
$ fastboot reboot
Interesting. Thank you for sharing this.

I had taken the automatic OTA. So maybe you're onto something. We will have to have someone test this, as long as they're not afraid of potentially having to wipe.

Just for sh!ts and giggles, see if you can boot the patched 12b5 boot image?
 
Last edited:
Nope, booting the patched 12b5 gives me the "data corrupted" error during boot that I assume many others are seeing. Rebooting by choosing "Try Again" gets me back to my rooted release 12 as expected.
But you can boot either the stock boot image, or the patched boot image, as long as they're from the new build. It almost sounds like there's a third element involved in verified boot besides dm-verity and vbmeta verification.

Looking at the details on Android Verified Boot, the only other element I can find is rollback protection - but from what I can see, that's disabled on an unlocked bootloader. There's a corrupted data screen for EIO mode, but we already get the UNLOCKED screen during boot.

Here's the odd thing:

The corrupted data message we have been seeing seems to appear in recovery - which resides in the /boot partition along with the kernel.

In the details on how dm-verity works, it says that the protection lives in the kernel.
If verification fails, the device generates an I/O error indicating the block cannot be read. It will appear as if the filesystem has been corrupted, as is expected.
So maybe we need to use the --disable-verity flag when flashing /boot as well? I'm just guessing here, but perhaps there's some sort of check where dm-verity looks for verification to be enabled on /vbmeta, and if it doesn't find it, goes into recovery mode with the "corrupted data" message.

The problem with this theory is that it happens with older boot images too, such as the beta, where we did NOT see this issue.

I did find this thread which details how Magisk can be used to disable dm-verity: (Magisk 23.0 does not appear to be able to do this)
  1. Copy the stock boot.img of your device to your phone's internal storage or SD card
  2. On your phone, launch magisk manager app
  3. If you're not using the latest version, you'll have to update the app first before proceeding
  4. Click "Advanced settings" > Untick the checkbox beside "Preserve AVB 2.0/dm-verity"
  5. Select Install > Install > Patch Boot Image File >
  6. Navigate to the location of the stock boot.img you copied earlier on, then Select it. Note that if you are using a samsung device then you should select the firmware of your device in .tar format instead of boot.img
  7. Magisk Manager should begin downloading the magisk zip file used for patching
  8. Once download is complete, MagiskManager will automatically patch the file and store it under SDcard/Download/magisk_patched.img[.tar]
  9. You can now flash the magisk_patched boot using fastboot to remove dm_verity from your device

Ultimately, someone is going to have to be the guinea pig and test some ideas while we try to sort this out. Volunteers?
 
Last edited:

HumorBaby

Member
Oct 22, 2021
13
14
Google Pixel 5
So maybe we need to use the --disable-verity flag when flashing /boot as well? I'm just guessing here, but perhaps there's some sort of check where dm-verity looks for verification to be enabled on /vbmeta, and if it doesn't find it, goes into recovery mode with the "corrupted data" message.

The --disable-verity flag only applies when flashing vbmeta (for Pixel 5, which has a vbmeta partition)
(using it when flashing boot won't do anything)
 
Last edited:

HumorBaby

Member
Oct 22, 2021
13
14
Google Pixel 5
  • Like
Reactions: V0latyle
Yeah that's just the file I quoted to find a balance between the latest platform-tools version and the version that most people are probably running.

Here is the same in the latest master version:

Despite being in Android source tree, these tools are relatively independent of the android version anyway.
Well, the question still remains on disabling verity in the kernel. It sounds like the only way to do this currently is hex modification of the image itself, because I can't find the option to disable AVB in Magisk.

Boot image verity seems to be the most likely explanation, given how the device ends up in recovery mode after boot fails.

I did notice on the 12 Beta 5 that if /vbmeta was empty, bootloader would come up with the same "unable to verify/load boot images".
 
So Magisk Canary was released yesterday:

Magisk 23010

Someone who is temp rooting want to patch their boot image with this and see what happens?

Also, Magisk Hide is no longer, so here's what you have to do to pass Safetynet (the check is no longer in Magisk so you'll have to use an external app)

In Magisk:
Remove Universal Safetynet Fix and Riru, if you have them installed, Reboot.
Launch Magisk again
Settings > Magisk:
Enable Zygisk
Enable Enforce Denylist
Enable for Google Play Services components: (I just enabled for all subcomponents)
com.google.android.gms
com.google.android.gms.unstable

That should be enough to pass Safetynet. Don't forget to hide other apps such as banking, GPay, DRM (Netflix, Amazon Prime Video, etc)
 
Last edited:

killchain

Senior Member
Oct 6, 2012
326
71
30
Google Pixel 4a 5G
So Magisk Canary was released yesterday:

Magisk 23010

Someone who is temp rooting want to patch their boot image with this and see what happens?

Tested that already yesterday, didn't work.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 2
    1635805647408.png


    We finally figured it out.

    Turns out that once dm-verity and vbmeta verification are disabled, you CANNOT let the system boot with them enabled. If /vbmeta gets flashed, such as during an OTA or a factory image, and you let it boot into system, disabling verity/verification is going to require a wipe.

    Unfortunately, for those of you upgrading from Android 11, there is simply no way around this - for permanent root, verity/verification must be disabled, and to disable verity/verification, /data must be clean.

    I will be updating my guides shortly.
    1
    Well, I just had a thought....
    What if...someone were to reflash vbmeta while they're still on Android 11, then perform the update and reflash vbmeta again before booting?

    We need a guinea pig
    Do you mean having vbmeta disabled previously on A11, then flashing the factory image and disabling vbmeta before booting? That works.
    1
    Hmm that's weird I'm on the same build and rooted and haven't got that message at all
    1
    Hmm that's weird I'm on the same build and rooted and haven't got that message at all
    I might have to dirty flash the factory image again, then re patch the boot image AFTER the "update".

    Also, I'll compare my bootloader and baseband version to what's in the zip.
    1
    I've done it manually as well as by using the flash tool.

    Manually, you just add
    --disable-verity --disable-verification
    when flashing vbmeta.

    So like this:
    fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img

    Via Android Flash Tool, you just check the boxes.

    I assume your bootloader is unlocked?
    Thanks. I tried that. Not sure how to verify but I didn't get an error. And yes my bootloader is unlocked.
  • 3
    I have a pixel 5, was running Android 11 with oct. 5 security update.
    1. I flashed the non verizon factory image from the google factory image repository.
    2. then patched my boot image
    3. then tried to flash magisk patched boot
    4. it kept going to bootloader saying error from @V0latyle where the boot image did not match because I didn't disable the flag.
    5. I reflashed the non verizon factory image for pixel 5.
    6. I went through the initial google setup and then adb back into bootloader.
    7. I tried using the disable flags command in the flash-all.bat file from the factory image. It failed and went to recovery and said I had a corrupt system image in recovery mode.
    8. I factory reset and reflashed factory image without flags in the flash-all.bat file
    9. Went through google initial setup
    10. adb back into fastboot.
    11. pushed the disable flag commaned with --slot=all
    12. patched magisk image
    13. booted into A12 with root.
    14. So far root has taken for everything and no issues.
    2
    1635805647408.png


    We finally figured it out.

    Turns out that once dm-verity and vbmeta verification are disabled, you CANNOT let the system boot with them enabled. If /vbmeta gets flashed, such as during an OTA or a factory image, and you let it boot into system, disabling verity/verification is going to require a wipe.

    Unfortunately, for those of you upgrading from Android 11, there is simply no way around this - for permanent root, verity/verification must be disabled, and to disable verity/verification, /data must be clean.

    I will be updating my guides shortly.
    2
    Gdamn, I really want to run lawnchair but rooting android is such a pain in the butt these days.

    Also, I kinda like my gpay - wish I had sideloaded the OTA rather than clean flashed :/

    Hopefully you guys can figure something out, watching this thread anxiously
    1
    Current status as of October 21: Data wipe required for permanent root. Patched boot image can be live booted after upgrade for temporary root.

    Update 10-29: I have
    posted a thread over in the Android Development forum so that developers can hopefully take a look at what might be causing our boot issues. Please don't post there but feel free to check for updates.

    Since some of us are running into issues with root after upgrading to Android 12, I'd like to invite everyone to share their results here.

    Please be as descriptive as possible, and include at the very least the following information:
    * What software you were running before the update
    * What method you used to update:
    - Automatic OTA
    - Manual OTA
    - Android Flash Tool
    - Manual factory image
    * Whether or not you wiped /data or did a factory reset
    * Any issues you ran into during the process
    * Your current state (bootloop, bootloader error, recovery error, system with or without root)

    Hopefully this will help us narrow down on exactly what is causing some of the problems.
    1
    During the 11-->12 OTA, I managed to keep root by:
    flash boot patched_image, reboot (FAIL)
    boot patched_image, reboot (FAIL)
    flash boot stock_image, reboot (OK, no root)
    boot patched_image, reboot (ok, have root).
    Following these steps with the Nov. OTA, the final step seems to silently fail and boot with the stock image (no root).
    Is this the expected behavior and I'll have to gain root the hard way?
    [ Pixel 5a ]
    Yes. There is currently no way to be able to keep your data AND root after upgrading to Android 12....with the exception of booting the patched image for temporary root.