Themes / Apps / Mods [DEV][EOL] Vbmeta Patcher, Devinfo Patcher, and Boot Image Tool

[capntrips]

The original purpose of these three apps was to help deal with the changes in Android 12 when taking an OTA. Most of the functionality has been superseded by the newest builds of Magisk.

Vbmeta Patcher is still useful when migrating from Magisk builds before 23016, and Boot Image Tool can still be used for downloading backups of newly installed boot images or restoring missing backups for Magisk.

I'll leave the links and descriptions below, but future development of these apps is unlikely.

Spoiler: Links and Descriptions

Vbmeta Patcher is an Android app that toggles the disable flags of the vbmeta partitions.

Devinfo Patcher is an Android app that marks the inactive slot as successful on devices with a valid devinfo partition.

Boot Image Tool is an Android app that helps juggle boot images for OTAs.

Spoiler: OTA Instructions for Magisk 23017+

1. Uninstall -> Restore Images in the Magisk app.
2. Take the OTA in System Update. Do NOT reboot.
3. Install -> Install to Inactive Slot in the Magisk app.
4. Reboot (NOT in System Update).

Latest Updates

2022-05-01 Boot Image Tool v1.0.0-alpha03
2021-11-19 Devinfo Patcher v1.0.0-alpha02
2021-11-19 Vbmeta Patcher v1.0.0-alpha04

 

[gokart2]

Nice work and idea!

 

[Hecke92]

Amazing bro, thank you! So excited to see development starting off for this nice phone.
Any address to donate to?

 

[vandyman]

Nice program, good job. Thanks..

 

[capntrips]

Any address to donate to?

I look at it as my contribution back to the community. If you really want to make a monetary contribution, I suggest Code.org or EFF.

 

[bush911]

Because of your developers, Android has become more exciting！
I

 

[bzz11g]

this is really cool, thank you!
hope someone make twrp for our device or find the way to flash patched_boot.img without PC

 

[pa.pn2]

Why dont you flash the factory image to both slots directly?
I did that with the pixel 4 Xl all the time.
Someone postet the steps to flash factory images , including the commands to disable verification for vbmeta.
Whats the advantage to do it via OTA?

 

[capntrips]

Why dont you flash the factory image to both slots directly?

The downside to flashing to both slots is you lose the fallback, if something goes wrong.

Whats the advantage to do it via OTA?

As long as we need another device to fastboot boot the patched image, there isn't a huge advantage to doing it this way. For me, it's just more convenient to do everything on the phone, then I can reboot to fastboot and boot the patched image the next time I'm at the computer.

If we can get flashing to the inactive slot working, then that would completely eliminate the need for another device, which is the ultimate goal here.

 

[capntrips]

When Magisk installs to the inactive slot, it downloads a nearly 3 year old bootctl binary to set the inactive slot as active then to mark boot successful on the next reboot. I can't find any documentation on the source used for that binary, but I suspect that it doesn't know about the devinfo partition.

During the update process, update_engine sets various flags (including the active slot flag and the successful boot flag) via the boot control interface. The Pixel 6 has two implementations of that interface, 1.0, which sets the flags directly on the boot partitions, and 1.2, which sets the flags on the devinfo partition, with a fallback to the 1.0 method in the absence of a valid devinfo partition.

I wonder if simply replacing the bootctl binary with one built against a newer version of Android would be enough to resolve the problem.

 

[capntrips]

This sounds to me like Virtual A/B devices were the reason for the removal of patching the inactive slot:

Broken display logic for "Install to Inactive Slot (After OTA)" option · Issue #3963 · topjohnwu/Magisk

mi11 miui12.5 After installing magisk22.0/22001, the "install to another slot" option disappears. Reinstall magisk and system still can't enable this feature. DEVICE DESCRIPTION Model...

github.com

Pixel 6 is Full A/B, unless I'm missing something. I wonder if the old method with a new bootctl binary would work on Pixel 6. I managed to build bootctl against the aosp_oriole-userdebug (android-12.0.0_r12) source. It at least prints the right values. I have not attempted to use it to make changes.

 

[capntrips]

I made a build of the latest Magisk with bootctl built against the Pixel 5a source, enabled installing Magisk to the inactive slot on a Pixel 5a, and was able to take the November OTA on a Pixel 5a without a computer and without losing root.

The steps were

1. Restore boot in the Magisk app.
2. Restore vbmeta in Vbmeta Patcher.
3. Take the OTA in System Update. Do NOT reboot.
4. Patch vbmeta in Vbmeta Patcher.
5. Install Magisk to the Inactive Slot in the Magisk App.

Until a few other people have tested it, this process should be considered experimental. Should anyone attempt it, I would suggest backing up any critical data.

I did not test the process with the old bootctl, but that one wouldn't work for Pixel 6, anyway. I'm not yet sure if the Pixel 5a build will work for Pixel 6, either. If not, I also have a version of it built against the Pixel 6 source.

Note: Since 23016, there's no longer a need to patch the vbmeta partition.

 

[capntrips]

The tests done in this post made some faulty assumptions, so I removed the results to avoid confusion.

 

[bzz11g]

The Pixel 6 build of Magisk using the Pixel 5a version of bootctl did not work, so I pulled the download. It got stuck in a bootloop, so I had to set my slot back to B in fastboot.

I'll make another build using the Pixel 6 verson of bootctl, shortly, and try again.

Edit: As with the previous build, it got stuck in a bootloop. Unfortunately, it takes forever to run tests, since the optimizing apps step takes about an hour, but I'll continue working on it over the next few days.

Google released an extraordinary firmware .037
there is a good opportunity to test your program. Unfortunately, my phone is still on the way.

 

[capntrips]

Google released an extraordinary firmware .037
there is a good opportunity to test your program. Unfortunately, my phone is still on the way.

The post you quoted are the results of testing the upgrade from .036 to .037. The steps from the OP should work fine, but the ultimate goal is to be able to take the OTA and remain rooted without the need for a computer to fastboot boot the first time.

 

[shoey63]

Would this work?
- restore boot with magisk
- restore vbmeta with Vbmeta patcher
- take ota update
- use Boot Image Tool to pull boot.img from opposite slot
- patch it with magisk
- use dd command to flash back to opposite slot
- patch vbmeta on opposite slot with Vbmeta patcher
- reboot
- profit?

 

[capntrips]

Would this work?
- restore boot with magisk
- restore vbmeta with Vbmeta patcher
- take ota update
- use Boot Image Tool to pull boot.img from opposite slot
- patch it with magisk
- use dd command to flash back to opposite slot
- patch vbmeta on opposite slot with Vbmeta patcher
- reboot
- profit?

This is effectively the same thing that Magisk does, just without the bootctl bits. I tried it anyway, just in case, and it bootlooped.

On a related note, if you let it bootloop more than 3 times, turns out it will automatically switch back to the old slot. Doesn't really save time if you're already plugged into a computer, but handy if you have something else you can be doing for those few minutes.

 

[capntrips]

I manually toggled the successful bit for the inactive slot in devinfo and it booted right up.

I'll make a Devinfo Patcher to go along with Vbmeta Patcher and release it in the next few days.

Depending on what we can get the Magisk devs to support, I may make an all in one tool. I would rather not have to maintain ongoing Magisk builds, so hopefully we can at least get the option to enable flashing to the inactive slot.

Edit: I submitted my findings to the Magisk devs. We'll see what they'll be willing to support.

 

[IamTheBRAVE]

Are these tools only for the pixel 6 or could it work on other A/B devices?

 

[capntrips]

Are these tools only for the pixel 6 or could it work on other A/B devices?

I made an effort to make them relatively device agnostic, but no testing has been done on anything but a Pixel 6 and to a much lesser extent, a Pixel 5a.

The only value that immediately comes to mind that may be somewhat specific to Pixel 6 is the 8192 byte vbmeta image size used to calculate the SHA1 hash, but it shouldn't affect its ability to read and patch the flags. I should probably try to figure out how to calculate the size, at some point.

All of the code for reading the data is in the DeviceState and SlotState files in each app, and I made an effort to link to the relevant code in the Android source for each function, if you want to check it against the sources for your own device.

If you try them out, let me know how it goes.

Edit: It looks like the size should be easy enough to calculate (fixed header size of 256 bytes + authentication_data_block_size + auxiliary_data_block_size). I'll make an effort to get that fixed after I release Devinfo Patcher.

Edit 2: This is done and is included in v1.0.0-alpha04.